In-house versus vendor zero trust cost: when each wins
Every CISO asks once whether the organisation could just build zero trust in-house with open source. This page is the honest answer. The open-source components exist for every pillar; total cost of ownership rarely favours in-house under 5,000 users; sovereignty is the strongest in-house argument; and a hybrid approach (commercial for differentiated pillars, open source for the rest) is the dominant pattern in 2026.
What open source covers, and what it doesn't
Per-pillar comparison of commercial and open-source options, with the verdict on which typically wins at mid-market scale. The verdict assumes a 500 to 2,000-user organisation without existing deep open-source expertise; specifics shift in either direction at larger scale or with different starting positions.
| Pillar | Commercial | Cost | Open source | OSS cost | Verdict |
|---|---|---|---|---|---|
| Identity | Entra ID P1 / Okta WIA / Ping | $6 - $15 / user / month | Keycloak, Authentik, Zitadel | $100K - $260K / yr (ops) for 500 users | Commercial wins under 5,000 users |
| Network (ZTNA) | Cloudflare, Zscaler, Palo Alto | $5 - $20 / user / month | OpenZiti, Pomerium, Boundary | $60K - $180K / yr (ops) | Commercial wins under 2,000 users |
| Device (EDR) | Defender, CrowdStrike, SentinelOne | $3 - $15 / endpoint / month | Wazuh, osquery | $80K - $200K / yr (ops) | Commercial wins almost always; EDR is hard to build well |
| Applications (workload identity) | Commercial SPIFFE / service mesh | $50K - $300K / yr | SPIFFE / SPIRE, Istio, Linkerd | $80K - $250K / yr (ops) | Open source competitive; many mature programmes use OSS here |
| Data (DLP) | Symantec, Forcepoint, Purview | $5 - $15 / user / month | Limited; gap in OSS coverage | Effectively not feasible at scale | Commercial mandatory; OSS gap is real |
| Policy Engine | Bundled into IdP / ZTNA | Included | Open Policy Agent (OPA) | $40K - $120K / yr (ops) | Open source genuinely competitive; OPA is widely adopted |
| Secrets vault | CyberArk Conjur, AWS Secrets Manager | $30K - $400K / yr + usage | HashiCorp Vault OSS, SOPS | $60K - $150K / yr (ops) | Open source competitive at mid-market scale |
| SIEM | Splunk, Sentinel, Chronicle | $50K - $500K+ / yr | Wazuh, Graylog, OpenSearch | $120K - $400K / yr (ops + infra) | Commercial wins under 10,000 events / sec; OSS competitive above |
What in-house zero trust actually costs at mid-market scale
A 500-user organisation running a full open-source zero trust stack needs roughly 2 to 3 dedicated platform engineers to keep the stack running. The work involves upgrade management (every component has its own release cadence and breaking changes), integration testing (every component needs to keep working with every other component as versions change), CVE response (you patch, not the vendor), capacity planning, log retention infrastructure management, and the long tail of operational debugging when something breaks at 2am. The 2 to 3 FTE estimate is consistent across mid-market in-house zero trust stacks; some claim lower headcount with heroic individual engineers, but those stacks tend not to survive the engineer leaving the organisation.
At fully-loaded cost (salary plus benefits plus tooling plus management overhead), 2 to 3 platform engineers run $300K to $600K per year. Add infrastructure: production-grade deployments of Keycloak, Vault, OpenZiti, Wazuh and supporting services typically run $40K to $120K per year on cloud infrastructure for a 500-user equivalent capacity. Total open-source TCO at 500 users: $340K to $720K per year. Compare with commercial: identity at Entra P1 ($36K), basic ZTNA ($60K), EDR via Defender ($30K incremental over E5), SIEM via Sentinel ($150K), secrets vault commercial ($80K), totalling roughly $356K to $700K for equivalent coverage. The numbers are close enough that the deciding factor is team composition, not nominal price.
The crossover where in-house starts to materially win on cost is roughly 5,000 users for most pillars and 10,000 users for the full stack. At 10,000 users, commercial per-user licensing across the full zero trust stack runs $2M to $4M per year, while in-house operational TCO scales sub-linearly (the engineering team grows slower than the user count). For organisations of this scale that also have existing platform-engineering capability, in-house can save $500K to $1.5M annually in steady state. For smaller organisations the saving rarely materialises.
The dominant pattern in 2026: commercial for some pillars, open source for others
Most mid-market organisations adopting zero trust in 2026 do not choose pure commercial or pure open source. They adopt a hybrid pattern: commercial for the pillars where vendor differentiation is high and the operational cost of self-hosting is steep, open source for the pillars where vendor differentiation is low and the operational cost is manageable.
The dominant hybrid configuration is commercial for identity (vendor differentiation is high, identity is the deepest integration in the stack, and switching cost is severe), commercial for ZTNA (the operational complexity of self-hosted ZTNA is significant, and vendor SLAs matter for user-facing traffic), and commercial for EDR (detection efficacy is highly vendor-differentiated; open-source EDR such as Wazuh is workable but operationally heavy). It uses open source for workload identity via SPIFFE / SPIRE (mature open source, low commercial differentiation), open source for the policy engine via Open Policy Agent (OPA is the de facto standard regardless of commercial wrapping), and open source for the secrets vault via HashiCorp Vault OSS or Mozilla SOPS for non-customer-facing services.
The hybrid pattern typically lands at 60 to 80 percent of pure-commercial total cost, with the saving concentrated in workload-identity and secrets-management infrastructure. Operational overhead: roughly 0.5 to 1 platform engineer dedicated to the open-source pieces, versus the 2 to 3 required for full in-house. The pattern is robust to engineer turnover (commercial vendors handle the most-critical pillars) and scales well with org growth (the open-source pieces are at the edges, not the foundation).
Three scenarios where build beats buy
Scenario 1: Very large organisations. Above 10,000 users, commercial per-user licensing becomes a material budget item. A 25,000-user organisation paying $20 per user per month for full zero trust commercial licensing is spending $6M per year on licensing alone. In-house at this scale needs perhaps 5 to 8 platform engineers ($750K to $1.6M loaded) plus $200K to $500K in infrastructure, totalling $1M to $2.1M per year. The saving is $4M to $5M per year, which justifies the in-house operational investment. Most very large organisations either have this capability or build it.
Scenario 2: Deep existing open-source expertise. Organisations with platform-engineering teams already maintaining open-source identity, networking and security infrastructure can absorb additional open-source zero trust components without adding much headcount. The marginal cost of one more open-source component is much lower than the standalone cost. This is the pattern in some tech-forward mid-market organisations and most public-cloud-native enterprises with deep platform teams.
Scenario 3: Sovereignty constraints. Organisations that cannot use commercial cloud-delivered platforms due to data-residency, regulatory, or sovereignty requirements have no commercial choice and must build in-house. EU public-sector with strict data-residency requirements, defence and intelligence contractors with classified environments, and some critical national infrastructure operators fall in this category. In-house is not a cost decision here; it is a feasibility decision, and the operational cost is accepted as necessary. The cost is typically 40 to 80 percent higher than the equivalent commercial-cloud stack would be, but commercial cloud is not available.