2026 zero trust pricing benchmarks: per-user costs and YoY changes
This page is the 2026 reference set for zero trust pricing benchmarks. It compiles per-user and per-workload pricing by organisation size, summarises year-over-year changes since 2024-25, tracks the Forrester Wave and Gartner Magic Quadrant shifts in the dominant categories, and identifies the three new categories emerging in 2026 that will reshape future benchmarks. Refreshed annually as the analyst cycles update.
Per-user per-month and year-one cost by org size
2026 benchmarks across the cohort scale points. The lower bound for each row is the bundle-leaning path; the upper bound is best-of-breed multi-vendor.
| Org size | Path | Year 1 cost | Per user / month | YoY change | Notes |
|---|---|---|---|---|---|
| 100 users | Microsoft-bundled | $40K - $80K | $35 - $70 | -5% to flat | Bundle path stable. ZTNA component cheaper than 2024. |
| 100 users | Best-of-breed | $200K - $400K | $170 - $330 | Flat to -10% | Best-of-breed at this scale is over-buy; not recommended. |
| 500 users | Bundle-leaning | $800K - $1.0M | $135 - $170 | -5% to flat | M365 E5 plus Entra Private Access plus minimal additions. |
| 500 users | Best-of-breed | $1.2M - $1.5M | $200 - $250 | Flat to +5% | Okta plus CrowdStrike plus Zscaler plus standalone DLP plus PAM. |
| 1,000 users | Bundle-leaning | $1.5M - $2.0M | $125 - $170 | Flat | Adds identity fabric, PAM, IGA in scope. |
| 1,000 users | Best-of-breed | $2.4M - $3.0M | $200 - $250 | Flat to +5% | Multi-vendor stack typical at upper mid-market. |
| 5,000 users | Mid-path | $4M - $7M | $65 - $115 | Flat | Multi-vendor standard, microsegmentation in production. |
| 5,000 users | Best-of-breed-regulated | $7M - $10M | $115 - $165 | +5% to +10% | Financial services / healthcare / federal contractor premium. |
| 10,000+ users | Mid-path | $8M - $14M | $65 - $115 | Flat | Per-user lower than 5,000 users due to volume discount. |
| 10,000+ users | Best-of-breed-regulated | $14M - $20M+ | $115 - $165 | +5% to +10% | Multi-region, regulated industry, full stack. |
What has moved since 2024-25
The dominant pricing trend across 2024 through 2026 has been stability at the enterprise tier and modest decline at the entry tier. Identity pricing has flattened: Microsoft Entra ID P1 and Okta Workforce Identity Starter pricing has held roughly flat at $6 to $8 per user per month since 2024, despite both vendors adding meaningful features (better conditional access in Entra, better lifecycle workflows in Okta). Microsoft Entra ID P2 at $9 per user per month and Okta Workforce Identity at $15 per user per month have similarly held. The category has matured enough that vendors are competing on feature breadth rather than per-user price.
ZTNA entry-tier pricing has dropped meaningfully. Focused ZTNA platforms (Cloudflare Zero Trust, Twingate, Tailscale, OpenZiti commercial variants) have squeezed the entry price from $8 to $12 per user per month in 2024 down to $5 to $10 in 2026, a 10 to 30 percent drop depending on tier. The drop has come from category commoditisation: ZTNA features that differentiated platforms in 2022 are table-stakes in 2026. Competitive pressure on the new entrants forces price discipline.
SSE bundle pricing has held. Full SSE platforms (Zscaler, Netskope, Palo Alto Prisma Access, Cisco SSE, Cloudflare One) remain at $15 to $25 per user per month for the full bundle. Bundle differentiation has reduced the incentive to discount, and the bundles include enough capability that customers committing to a bundle stick with it. The bundle premium over focused ZTNA has grown from 2x in 2024 to 2.5 to 3x in 2026, which makes the SSE-versus-ZTNA-only decision sharper than in earlier years.
CNAPP pricing has held within the range of $15 to $40 per workload per month for mid-market deployments, with some downward pressure from Wiz's growth (Wiz tends to be priced at the lower-mid of the range) and upward pressure from Prisma Cloud's feature expansion (more capabilities included in the platform, justifying higher per-workload pricing). The range has widened rather than shifted in one direction.
Regulated-industry premium has grown slightly from roughly 25 to 40 percent over commercial equivalents in 2024 to roughly 30 to 50 percent in 2026. The growth reflects FedRAMP authorisation maintenance cost increasing for vendor platforms, plus more stringent audit expectations from federal customers post-2024 incidents.
Forrester Wave and Gartner Magic Quadrant trends
The Gartner Magic Quadrant for Security Service Edge (the most recent edition in 2025) and the Forrester Wave for Security Service Edge (the most recent in Q1 2024, with the next edition expected late 2025) have shown gradual stabilisation in the SSE category. The Leader quadrant has stabilised around Zscaler, Netskope, Palo Alto Prisma Access, and Cisco (combining Umbrella, Duo and Secure Access). Cloudflare One has moved from Challenger to Leader in some assessments, reflecting maturation of its enterprise feature set. Microsoft has gained ground as a credible SSE vendor as Entra Internet Access and Entra Private Access have matured alongside Defender for Cloud Apps.
The Forrester ZTNA Wave has consolidated similarly. The standalone ZTNA leaders are largely the same as the SSE leaders, which reflects the fact that ZTNA is increasingly a feature of SSE platforms rather than a standalone category. Pure-play ZTNA platforms (Twingate, Tailscale, OpenZiti) compete on price and developer-friendliness at the entry tier rather than on enterprise features against the SSE bundles.
The CNAPP category (Gartner Magic Quadrant for Cloud-Native Application Protection Platforms) has consolidated rapidly. The dominant leaders in 2025 are Wiz, Palo Alto Prisma Cloud, Microsoft Defender for Cloud, and CrowdStrike Falcon Cloud Security. Lacework has been acquired (Fortinet, mid-2024) and is being integrated. Sysdig has held a strong position. The category has stabilised enough that pricing benchmarks are reliable; the volatility of 2022-2023 has subsided.
Three categories changing 2026 benchmarks
Identity Threat Detection and Response (ITDR). ITDR platforms (Authomize, Silverfort, Semperis, Microsoft Defender for Identity) are formalising as a category sitting alongside EDR for identity threats: detecting identity-based attacks (golden ticket, kerberoasting, identity privilege escalation, lateral movement via stolen credentials) and responding to them. Pricing in 2026 runs $5 to $15 per user per month for the protected identity scope. The category is growing roughly 35 to 50 percent year over year as the identity-pillar maturity in zero trust programmes creates demand for identity-specific detection.
AI security. The long tail of organisations adopting generative AI in production workflows has created demand for AI-specific security controls: model security (preventing model exfiltration), prompt injection defence, AI data flow controls (ensuring training data and prompts respect data classification), and AI model behaviour monitoring. The category is still early: pricing is volatile but trending toward $50K to $300K per year platform fee plus per-call usage pricing for the most mature vendors. Major incumbents (Microsoft, Cloudflare, Palo Alto, Zscaler) are all rolling out AI security extensions to their existing platforms, which complicates the standalone category economics.
Data Security Posture Management (DSPM). DSPM has matured from a sub-category to a standalone category alongside CSPM. DSPM platforms (Sentra, Cyera, Dig Security acquired by Palo Alto, Laminar acquired by Rubrik, Microsoft Purview Data Map) discover and inventory sensitive data across cloud data stores, assess the posture of access controls protecting that data, and flag misconfiguration or risky data sprawl. Pricing in 2026 runs $40K to $500K per year depending on cloud data store volume. DSPM is increasingly treated as a Phase 3 zero trust investment rather than an optional add-on.
How these benchmarks are compiled
The benchmarks on this page are aggregated from three sources. The first is vendor public pricing materials for the dominant platforms (Microsoft, Okta, CrowdStrike, Zscaler, Cloudflare, Palo Alto, Cisco, Wiz, Prisma Cloud, Sysdig and others); where vendors publish per-user or per-workload prices, those numbers anchor the lower-bound estimates. The second is public analyst summaries from Gartner Magic Quadrant, Forrester Wave, and IDC MarketScape reports; where analysts publish anonymised range data or category-typical pricing, those inform the mid-range estimates. The third is aggregated negotiated-deal data from publicly available sources like Vendr's buyer guides, G2 reviews with pricing context, and public budget reports from government agencies subject to procurement transparency requirements. Where the same vendor appears in multiple sources with consistent pricing, the figure is treated as reliable.
The benchmarks deliberately exclude single-data-point claims from vendor marketing materials, third-party blog posts citing anonymous sources, and projections that cannot be verified against public sources. Where the underlying data has limitations (negotiated discount varies widely by procurement competence, regional pricing varies, contract length materially affects per-unit price), the benchmark range is widened to reflect that uncertainty rather than narrowed to project false precision.
The page is refreshed annually as the major analyst cycles update and as vendor public pricing changes are published. The methodology page on this site has the full source approach for zero trust cost figures across the reference.