Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.
ZeroTrustCost
Network pillar

Network pillar cost: ZTNA, microsegmentation and secure web

The network pillar replaces perimeter trust with identity-based access for users and workload-aware segmentation for lateral movement. This page breaks down the per-component cost across ZTNA, microsegmentation, secure web gateway, DNS filtering, browser isolation and network detection, sizes the pillar by organisation, and surfaces the single most common Phase-1 over-spend.

What's in the pillar

The network pillar in CISA terms

The CISA Zero Trust Maturity Model v2.0 defines the network pillar across five capability areas: network segmentation, traffic management, traffic encryption, network resilience, and visibility and analytics. NIST SP 800-207 frames the network in zero trust as a low-trust transport: the network itself should be assumed compromised, and access decisions should be made and enforced at the application access point rather than at the perimeter. This is a fundamental architectural shift from the decades-old castle-and-moat model.

The pillar has six cost-bearing components in practice. Zero trust network access verifies user identity and device posture on every application connection. Microsegmentation contains lateral movement east-west, that is, between workloads inside the data centre or cloud account. Secure web gateway enforces policy on outbound traffic to the public internet. DNS filtering blocks resolution of malicious or policy-violating domains. Browser isolation renders untrusted content in a remote container so malicious code never executes locally. Network detection and response applies behavioural analytics to network telemetry for late-stage threat detection.

The pillar economics vary widely depending on how much existing network infrastructure can be reused versus replaced. An organisation with a fully depreciated VPN appliance, an end-of-life proxy and a flat layer-3 data centre is looking at full replacement cost; an organisation with a modern cloud-first estate already partly on a SASE platform is looking at extension cost on the existing license. The network pillar's 20 to 30 percent share of total zero trust spend is the steady-state average across maturity profiles.

Component pricing

Cost by network sub-component

Per-user per-month or per-workload pricing for the six network components. Pricing is market-typical; expect 15 to 30 percent discount at multi-year enterprise term.

Component | List price range | Sized on | Notes
ZTNA | $5 - $20 / user / month | Workforce accessing private apps | Identity-based app access. Lightweight ZTNA at lower end, full SSE at upper. See /ztna-cost for tier-by-tier breakdown.
Microsegmentation | $20K - $1M+ / year | Servers and containers in scope | Agent-based (Illumio, Akamai Guardicore) or fabric-based (VMware NSX, Cisco ACI). Cost scales with workload count, not user count.
Secure web gateway | $3 - $8 / user / month | Workforce browsing the public web | Outbound traffic policy, malware scanning, URL filtering. Often bundled with ZTNA in SASE.
DNS filtering | $1 - $3 / user / month | Workforce + sometimes IoT | Quick-win zero trust control. Cisco Umbrella, Cloudflare Gateway, Quad9. Deploys in days.
Browser isolation | $3 - $8 / user / month | Risk-tier users or sensitive sessions | Renders untrusted web content in remote container. Often bundled into SWG or SASE platforms.
Network detection and response | $30K - $400K+ / year | Network estate | Network behaviour analytics, lateral-movement detection. Often deferred to Phase 3.

Sizing

Network pillar cost by organisation size

Organisation | Workforce | Year 1 license | Year 1 total | Ongoing / year | Notes
SMB | 100 users | $12K - $30K | $30K - $70K | $18K - $42K | ZTNA-only at the low end, basic SWG + DNS at the high end. Microsegmentation usually deferred.
Mid-market | 500 users | $60K - $180K | $180K - $420K | $100K - $250K | Add SWG, DNS filtering. Microsegmentation pilot in Phase 2. SASE consolidation tempting if existing tooling is dated.
Enterprise | 2,000 users | $250K - $600K | $650K - $1.6M | $400K - $1.0M | Full SSE bundle. Microsegmentation in production. Network detection and response added in Phase 3.
Large enterprise | 10,000+ users | $800K - $2.4M | $2.5M - $7.0M | $1.6M - $4.5M | Multi-vendor stack, microsegmentation at full data-centre scale, NDR mandatory. Connector deployment is the dominant cost.

Sequencing

Why microsegmentation in Phase 1 is the most expensive zero trust mistake

Microsegmentation is the most-marketed and most-misordered component in zero trust. Vendors sell it as a foundation control because they sell microsegmentation platforms and that is what they have to sell. The CISA maturity model treats it as a Phase 2 or 3 control, requiring identity context, asset inventory, and workload-to-workload behavioural baselines before it can be deployed effectively. Deploying it in Phase 1, before identity context is mature, produces policy that has to be substantially rewritten within twelve to eighteen months. The wasted policy work and re-implementation cost is consistently 40 to 60 percent of the initial microsegmentation investment.

The correct sequence is to deploy ZTNA first as the user-facing network control. ZTNA is straightforward to scope (the universe of private apps is finite and discoverable), it produces immediate value (VPN replacement, faster remote access, no on-prem appliance refresh), and it builds the identity-context muscle that microsegmentation later depends on. After ZTNA stabilises (typically six to twelve months), the network pillar can move on to microsegmentation with a mature identity layer behind it and a working ZTNA-derived inventory of who accesses what.

The other common network-pillar over-spend is buying SASE for a small ZTNA need. SASE bundles ZTNA, SWG, CASB and FWaaS at $15 to $25 per user per month. A focused ZTNA-only platform at $5 to $10 per user per month is a third the cost. If you already have a working SWG, CASB and FWaaS, paying SASE premium is paying for capabilities you already have. Audit existing tooling and contract renewal dates before assuming SASE is the right consolidation play.

VPN replacement

VPN to ZTNA migration economics

VPN replacement is the most common network-pillar entry point and the one with the cleanest cost-justification path. A traditional enterprise VPN appliance (Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiGate SSL VPN, Pulse Connect Secure) costs $15K to $100K upfront in hardware plus $5K to $30K per year in maintenance and per-user licensing. Cloud ZTNA is zero hardware and $60 to $240 per user per year in licensing. For a 100-user organisation, ZTNA break-even versus a typical VPN deployment is 18 to 24 months. For a 500-user organisation with a soon-to-refresh VPN appliance, ZTNA pays back in 8 to 14 months because the avoided hardware capex is folded in.

The migration cost most organisations under-budget is the parallel-run period. Running VPN and ZTNA simultaneously for 60 to 180 days while users transition is mandatory; rolling forward to ZTNA-only without parallel is the single most common cause of migration failure. The parallel-run cost is roughly $20K to $80K in additional licensing for the overlap period, plus 200 to 800 hours of help-desk and engineering time to handle the transition. Plan for it explicitly.
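A month-by-month cumulative-cost model for the break-even and parallel-run figures discussed in this section, added here as an illustration; it is not code from this site or any vendor. The dataclass names, the 100-user scenario and its dollar figures are constructed, and the model treats professional services and connector deployment as the portion of the implementation multiplier above 1.0.

```python
from dataclasses import dataclass

@dataclass
class VpnPath:
    annual_run_cost: float        # maintenance + per-user licensing, USD/year
    refresh_capex: float = 0.0    # appliance refresh that staying on VPN would incur
    refresh_month: int = 0        # 1-based month in which that capex lands (0 = none pending)

@dataclass
class ZtnaPath:
    users: int
    license_per_user_year: float      # USD/user/year (page range: 60 to 240)
    implementation_multiplier: float  # applied to year-one licensing (page range: 1.4 to 1.8)
    parallel_months: int              # VPN kept running alongside ZTNA (page: 60 to 180 days)
    transition_hours: float           # help-desk and engineering time for the cut-over
    hourly_rate: float

def parallel_run_cost(vpn: VpnPath, ztna: ZtnaPath) -> float:
    """The commonly under-budgeted overlap: VPN kept alive during the parallel run plus transition labour."""
    return vpn.annual_run_cost / 12 * ztna.parallel_months + ztna.transition_hours * ztna.hourly_rate

def break_even_month(vpn: VpnPath, ztna: ZtnaPath, horizon_months: int = 60):
    """First month in which cumulative ZTNA spend is no higher than cumulative VPN spend, else None."""
    vpn_monthly = vpn.annual_run_cost / 12
    ztna_monthly = ztna.users * ztna.license_per_user_year / 12
    # One-time ZTNA outlay (assumption): the part of the implementation multiplier above 1.0
    # (professional services, connectors) plus the transition labour, all booked up front.
    vpn_cum = 0.0
    ztna_cum = (ztna.implementation_multiplier - 1.0) * ztna.users * ztna.license_per_user_year \
        + ztna.transition_hours * ztna.hourly_rate
    for month in range(1, horizon_months + 1):
        vpn_cum += vpn_monthly
        if month == vpn.refresh_month:
            vpn_cum += vpn.refresh_capex   # staying on VPN means buying the refresh
        ztna_cum += ztna_monthly
        if month <= ztna.parallel_months:
            ztna_cum += vpn_monthly        # both stacks are paid for during the overlap
        if ztna_cum <= vpn_cum:
            return month
    return None

# Constructed 100-user scenario: $24K/year VPN run cost, $144/user/year ZTNA, 1.5x multiplier,
# 3-month parallel run, 200 transition hours at $100/hour. Two VPN baselines: refresh due in month 6, or none.
ZTNA_100 = ZtnaPath(users=100, license_per_user_year=144.0, implementation_multiplier=1.5,
                    parallel_months=3, transition_hours=200, hourly_rate=100.0)
VPN_REFRESH_DUE = VpnPath(annual_run_cost=24_000.0, refresh_capex=40_000.0, refresh_month=6)
VPN_NO_REFRESH = VpnPath(annual_run_cost=24_000.0)
```

With the refresh capex folded in, the constructed scenario breaks even in month 6; with no refresh pending it takes 42 months, which is the effect the paragraph above describes.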

The full ZTNA-versus-VPN breakdown lives on the dedicated VPN replacement cost page on this site, with per-VPN-vendor comparison and migration-step costing.

ROI

What the network pillar buys you

The network pillar buys two compound risk reductions. First, ZTNA eliminates broad lateral-movement opportunity from the user-to-app path: a compromised laptop on ZTNA can reach only the specific applications its identity is authorised for, not the whole VPN subnet. Second, microsegmentation eliminates broad lateral-movement opportunity from the workload-to-workload path: a compromised web server cannot reach the database server unless explicit policy allows it. Together these two changes reduce the blast radius by an order of magnitude in well-executed deployments.

The IBM 2024 Cost of a Data Breach report found organisations with network segmentation in scope contained breaches at lower cost, with the segmentation effect concentrated in the lateral-movement and exfiltration phases. The dollar value is harder to attribute precisely than identity-pillar ROI, but the directional effect is consistent across the breach-economics literature.

On an operational basis, the network pillar produces real productivity gains. ZTNA replaces brittle VPN client behaviour with identity-aware web access; users connect once and stay connected, eliminating the VPN-disconnect class of help-desk ticket. SWG and DNS filtering eliminate the manual URL-blocking work that legacy proxy tools require. These savings rarely show up as a discrete line item but add up to 200 to 800 hours per year of help-desk and engineering time saved at mid-market scale.

Frequently asked

Network pillar cost questions

What is the network pillar of zero trust?
The network pillar replaces IP-based perimeter trust with identity-based application access. Per the CISA Zero Trust Maturity Model v2.0 it covers network segmentation, traffic management, encryption, network resilience, and visibility. The dominant control is zero trust network access, which verifies user identity and device posture on every connection rather than granting broad network-level trust. Microsegmentation contains lateral movement east-west once an intrusion lands. Secure web gateway and DNS filtering enforce policy on outbound traffic. Budget share is 20 to 30 percent of total zero trust spend.

How much does ZTNA cost per user?
Per-user ZTNA pricing ranges from five to twenty dollars per user per month. Lightweight ZTNA-only platforms (cloud-native, focused on app access) sit at the lower end, five to ten dollars. Full SSE platforms that bundle ZTNA with secure web gateway, CASB and DNS filtering sit at the higher end, fifteen to twenty-five dollars. Free or near-free tiers exist for small workforces. Add a 1.4 to 1.8 times implementation multiplier to year-one licensing for professional services and connector deployment. The /ztna-cost page on this site has a deeper tier-by-tier breakdown.

How much does microsegmentation cost?
Microsegmentation pricing is hybrid: a flat-fee platform component plus per-workload pricing. Mid-market deployments land at $20K to $60K per year flat for platform license plus $3 to $15 per workload per month for instrumented servers and containers. Agent-based platforms (Illumio Core, Akamai Guardicore, Cisco Secure Workload) charge per agent. Fabric-based platforms (VMware NSX, Cisco ACI) charge per host or per CPU. Enterprise deployments with thousands of workloads land at $200K to $1M per year. Implementation cost is the dominant year-one variable: a typical mid-market microsegmentation rollout is 90 to 270 days of professional services.

Should we buy SASE or just ZTNA?
Buy ZTNA if you only need to replace VPN and you already have a working SWG, CASB and FWaaS. Buy SASE if you need all of those capabilities and you do not already have them. The marginal cost of SASE over a focused ZTNA platform is roughly two to four times. SASE is worth the premium if you would otherwise buy those four point products separately at roughly equivalent total cost. SASE is over-spend if you only need ZTNA and the rest of the bundle is feature-waste. Audit existing tooling before signing a SASE deal.

How much do we save replacing VPN with ZTNA?
Traditional VPN appliances cost $15K to $100K upfront in hardware plus $5K to $30K per year in maintenance and licensing. Cloud ZTNA is zero hardware and $60 to $240 per user per year in licensing. For a 100-user organisation on a typical Cisco AnyConnect or Palo Alto GlobalProtect VPN setup, ZTNA break-even is typically 18 to 24 months. The crossover is faster for organisations facing a VPN hardware refresh cycle (you avoid the refresh capex) and slower for organisations with low remote-access usage where the VPN appliance is barely loaded.

What is the biggest network-pillar over-spend?
Microsegmentation deployed in Phase 1. Microsegmentation depends on accurate identity context to be effective. Deploying it before the identity pillar is mature means re-doing policy work later, which is the single most common cost overrun in network-pillar programmes. The correct sequence is to mature the identity pillar to CISA Initial or Advanced tier first, then layer microsegmentation on top in Phase 2. Skipping ahead typically wastes 40 to 60 percent of the initial microsegmentation investment.

What about east-west microsegmentation versus north-south ZTNA?
ZTNA handles north-south traffic, that is, users connecting to applications. Microsegmentation handles east-west traffic, that is, workloads communicating with each other inside the data centre or cloud account. They are complementary, not substitutes. A mature network-pillar programme deploys ZTNA first (Phase 1 or 2) for the user-to-app problem, then microsegmentation later (Phase 2 or 3) for the workload-to-workload problem. Trying to do both simultaneously in year one is the most common cause of network-pillar budget overruns.