Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.
ZeroTrustCost

Zero trust cost by NIST CISA pillar

The CISA Zero Trust Maturity Model defines five pillars that drive cost. This page breaks each one down: what it covers, what you need to buy, what it costs at SMB / mid-market / enterprise scale, vendor categories competing in the pillar, and the most common over-spend traps.

Budget split by pillar (chart): Identity 30-40%, Device 15-20%, Network 20-30%, Workload 10-15%, Data 10-15%.

Identity

30-40% of budget

The foundation. Every other zero trust pillar depends on a strong identity layer to make access decisions. SSO consolidates application access. Phishing-resistant MFA addresses the dominant attack vector. PAM contains the blast radius of compromised privileged accounts. Identity governance ensures access stays correct over time.

Component pricing
  • SSO + basic MFA: $3-$7 / user / month
    Conditional access, group-based provisioning. Often bundled into productivity suites.
  • Identity P2 / advanced: $6-$12 / user / month
    Risk-based MFA, just-in-time admin (PIM), identity protection signals.
  • PAM: $15-$40 / user / month
    Privileged session recording, secrets vault, just-in-time elevation. Cost based on privileged user count, not total workforce.
  • Identity governance: $7-$20 / user / month
    Access reviews, entitlement management, lifecycle automation, attestations.
  • FIDO2 hardware keys: $25-$50 / user one-time
    Phishing-resistant MFA hardware. Required for federal contractors and highly recommended for privileged accounts.
Annual licensing by org size
  • SMB (100 users): $60K-$140K / yr
  • Mid-market (500 users): $280K-$520K / yr
  • Enterprise (2,000+ users): $1.0M-$2.4M / yr
Vendor categories

Microsoft Entra, Okta Workforce Identity, Ping Identity, JumpCloud, ForgeRock. PAM: CyberArk, BeyondTrust, Delinea. Governance: SailPoint, Saviynt.

Common over-spend traps
  • Buying full PAM before stabilising basic MFA. Phase identity in this order: SSO consolidation, MFA on privileged accounts, MFA universal, then PAM.
  • Underestimating the lifecycle automation effort. Joiner / mover / leaver flows touch HR, ITSM, and every connected app. Allocate 30-50% of the identity-pillar professional services (PS) budget to lifecycle.
  • Skipping identity governance. Without quarterly access reviews and entitlement management, the MFA and SSO investment degrades within 18 months as access drift accumulates.

Device

15-20% of budget

Devices accessing corporate resources must be known, configured, and continuously assessed for compliance. MDM/UEM enrols and configures. EDR detects active threats. Posture signals feed conditional access decisions. The pillar is comparatively cheap once you accept that every endpoint must be enrolled and protected.

Component pricing
  • MDM / UEM: $4-$9 / device / month
    Configuration policies, certificates, app deployment, compliance reporting.
  • EDR: $3-$15 / endpoint / month
    Behavioural detection, response actions, threat hunting. Premium tiers add managed response (effectively MDR).
  • Mobile threat defence: $3-$6 / mobile device / month
    Phishing protection on mobile, OS exploit detection. Optional in low-risk verticals.
  • Asset / posture management: $2-$5 / endpoint / month
    Continuous configuration drift detection, hardware inventory, vulnerability state.
Annual licensing by org size
  • SMB (100 users): $25K-$60K / yr
  • Mid-market (500 users): $140K-$320K / yr
  • Enterprise (2,000+ users): $520K-$1.2M / yr
Vendor categories

MDM: Microsoft Intune, Jamf, Workspace ONE, Kandji. EDR: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR.

Common over-spend traps
  • Buying separate MDM and EDR when M365 E5 already includes both via Intune and Defender for Endpoint P2. For Microsoft estates, audit existing licences before buying.
  • Treating BYOD as out of scope. Personal device access to corporate apps is a meaningful zero trust risk and requires either MAM (app-level controls) or device-trust enforcement. Either way, add 10-20% to device-pillar cost.
  • Skipping mobile. Mobile threat defence is often deprioritised, then re-introduced after a phishing incident on a personal phone. Budget for it in the initial scope.

Network

20-30% of budget

Replace IP-based perimeter trust with identity-based application access. ZTNA verifies user, device, and policy on every connection rather than granting network-level access. Microsegmentation contains lateral movement east-west once an intrusion lands. Secure web access (SWG, DNS filtering) enforces policy on outbound traffic.

Component pricing
  • ZTNA: $5-$20 / user / month
    Identity-based application access. Replaces or supplements VPN. Standard tier ZTNA covers web apps; advanced tier adds RDP/SSH and full app segmentation.
  • Microsegmentation: $20K-$60K / yr flat (mid-market)
    East-west traffic control. Agent-based (Illumio, Akamai Guardicore) or fabric-based (Cisco ACI, VMware NSX). Cost rises sharply at enterprise scale.
  • Secure web gateway: $3-$8 / user / month
    Outbound traffic policy, malware scanning, URL filtering. Often bundled with ZTNA in SASE platforms.
  • DNS filtering: $1-$3 / user / month
    Quick-win zero trust control. Cisco Umbrella, Cloudflare Gateway, Quad9. Can be deployed in days.
Annual licensing by org size
  • SMB (100 users): $30K-$70K / yr
  • Mid-market (500 users): $180K-$420K / yr
  • Enterprise (2,000+ users): $650K-$1.6M / yr
Vendor categories

ZTNA: Cloudflare Zero Trust, Twingate, NordLayer, Microsoft Entra Private Access, major SASE platforms. Microsegmentation: Illumio, Akamai Guardicore, VMware. SASE platforms combine ZTNA + SWG + CASB.

Common over-spend traps
  • Microsegmentation as Phase 1. The most common over-spend: deploying microsegmentation before the identity and device pillars are mature. Microsegmentation depends on accurate identity context; deploying it first means re-doing the policy work later.
  • Replacing VPN entirely on day one. ZTNA migrations should run in parallel with VPN for 60-180 days while users transition. Skipping the parallel phase causes outages and rollbacks.
  • Buying SASE for a small ZTNA need. SASE platforms ($15-$25/user/month) bundle SWG, CASB, FWaaS, and ZTNA. If you only need ZTNA and have separate SWG/CASB, a focused ZTNA platform ($5-$10/user/month) is dramatically cheaper.

Workload

10-15% of budget

Cloud workloads, containers, and APIs are the modern zero trust attack surface. CSPM scans cloud configuration for drift. Container runtime security catches malicious behaviour in Kubernetes. API security enforces policy on internal and external APIs. Service mesh provides identity-aware service-to-service traffic control.

Component pricing
  • CSPM: $5-$15 / workload / month
    Cloud configuration scanning, compliance posture (CIS, NIST, PCI), drift detection across AWS / Azure / GCP.
  • Container security: $8-$20 / node / month
    Image scanning, runtime detection, admission control. Kubernetes-native options available open-source.
  • API security: $15K-$50K / yr base
    Discovery, schema enforcement, rate limiting, abuse detection. Cost rises with API volume.
  • Service mesh: open-source Istio or commercial $20K+ / yr
    Identity-aware service-to-service traffic, mTLS, fine-grained policy. Optional but increasingly common in cloud-native estates.
Annual licensing by org size
  • SMB (100 users): $15K-$40K / yr
  • Mid-market (500 users): $80K-$220K / yr
  • Enterprise (2,000+ users): $320K-$900K / yr
Vendor categories

Wiz, Palo Alto Prisma Cloud, Aqua Security, Sysdig, Lacework, Snyk. Open-source: Falco, OPA, Trivy, Istio.

Common over-spend traps
  • CSPM agent sprawl. Buying separate point tools for posture, runtime, and IaC scanning when modern CNAPP platforms (Wiz, Prisma Cloud) consolidate them. Audit overlap before adding the third tool.
  • Underestimating container scale. Per-node pricing assumes long-lived nodes; ephemeral nodes in autoscaling clusters can multiply licensed-node count by 3-5x.
  • Ignoring identities for workloads. Service-to-service authentication via short-lived tokens (workload identity, mTLS) is a Phase 2 zero trust requirement that vendors often skip.

Data

10-15% of budget

The pillar most organisations defer to Phase 3. Classification labels data by sensitivity. DLP enforces handling rules. Encryption protects data at rest and in transit. CASB controls third-party SaaS data flow. Done well, the data pillar stops sensitive material leaving the perimeter; done poorly, it generates alert fatigue and user frustration.

Component pricing
  • CASB / SaaS DLP: $8-$18 / user / month
    SaaS visibility, sanctioned vs unsanctioned app discovery, data flow controls. Often bundled with SASE.
  • Endpoint DLP: $3-$8 / user / month
    Local data movement controls (USB, clipboard, print, upload). Performance impact is real; tune carefully.
  • Data classification: $8K-$35K / yr base
    Auto-labelling on file create / save based on content. Microsoft Purview, Varonis, BigID. Manual classification is unsustainable beyond a few thousand files.
  • Encryption (at-rest, in-transit): mostly included
    Cloud platforms include at-rest encryption by default. Customer-managed keys (CMK) add modest cost. Bring-your-own-key adds compliance value.
Annual licensing by org size
  • SMB (100 users): $15K-$45K / yr
  • Mid-market (500 users): $100K-$280K / yr
  • Enterprise (2,000+ users): $420K-$1.0M / yr
Vendor categories

CASB: Netskope, Microsoft Defender for Cloud Apps, Forcepoint, Skyhigh. Classification: Microsoft Purview, Varonis, BigID, Spirion. DLP often part of CASB or endpoint security suite.

Common over-spend traps
  • Auto-classification without business review. Auto-labels need to map to business categories and handling policies. Without a six-month classification review cycle, false-positive labels generate user friction and policy bypass.
  • Endpoint DLP too aggressive on day one. Block-mode DLP on day one breaks legitimate workflows. Run in monitor-mode for 60-90 days, tune policies, then move to enforce.
  • Treating encryption as a checkbox. Encryption matters for breach-disclosure exemptions and compliance. Customer-managed keys with a proper key rotation procedure are non-trivial work; allocate budget for the operational overhead, not just the licence cost.
Next step

Estimate your pillar split

The full cost calculator applies pillar weightings to your inputs and produces a personalised allocation. Use it together with this page to validate the split for your specific maturity target.

Frequently asked

Pillar questions

Why does identity get 30-40% of zero trust budget?
Identity is the foundation that every other pillar relies on. ZTNA decisions are made on user identity and device posture. Microsegmentation policies reference identity attributes. Conditional access ties everything together. Without a strong identity layer, the rest of the zero trust investment is undermined. The 30-40% allocation reflects this dependency: SSO + MFA + governance is the largest single licensing line, and identity governance carries the highest ongoing operational overhead (access reviews, lifecycle, attestations).
Can we skip the workload pillar?
Only if you have a minimal cloud or container footprint. For organisations with material AWS / Azure / GCP workloads, CSPM is non-optional: misconfigurations are the #1 cause of cloud-data exposure. For Kubernetes estates, runtime security and image scanning are similarly required. The pillar is small in steady state (10-15% of budget), but skipping it leaves the largest cloud-era attack surface unaddressed. The exception is small organisations with only SaaS workloads (no IaaS / PaaS), where the data and network pillars cover the relevant risk.
How does the pillar split change for SMB vs enterprise?
Identity stays roughly constant at 30-40% across sizes. Network and device pillars are slightly larger as a proportion of SMB budget because the bundled M365 / Google Workspace identity included in productivity suites means the marginal identity spend is small. Workload and data pillars grow as a proportion of enterprise budget because cloud estate complexity and regulated-data overhead scale super-linearly with size. A 100-user SMB might spend 45% on identity, 25% network, 20% device, 5% workload, 5% data. A 5,000-user enterprise might spend 32% identity, 25% network, 15% device, 14% workload, 14% data.
Which pillar is most over-spent?
Network, specifically through SASE platforms bought when only ZTNA was needed. SASE platforms (Cisco Umbrella + ZTNA, Zscaler full SSE, Palo Alto Prisma Access) bundle ZTNA + SWG + CASB + FWaaS at $15-$25/user/month. If you already have a separate SWG and CASB and only need ZTNA, a focused ZTNA platform at $5-$10/user/month is dramatically cheaper. Audit existing tooling before signing a SASE platform deal.
Which pillar is most under-spent?
Data, by a wide margin. Classification, DLP, and CASB are commonly deferred to Phase 3 or skipped entirely. The result is that even mature zero trust estates lack visibility into where sensitive data lives, who accesses it, and how it leaves the perimeter; that is the failure mode that drives most material breach costs. A modest data-pillar investment (10-15% of total) delivers disproportionate breach-cost reduction.
Should we adopt all five pillars at once?
No. The CISA Zero Trust Maturity Model and most analyst frameworks describe a phased approach. Phase 1 (3-9 months) covers identity and device. Phase 2 (6-18 months) adds network and workload basics. Phase 3 (12-24 months) completes data and advanced telemetry. Trying to deploy all five pillars in parallel creates integration chaos, vendor sprawl, and burnt budget. Sequencing matters because each pillar depends on the maturity of the prior ones: identity must be solid before microsegmentation, device posture must be reliable before conditional access can use it, and so on.