Zero trust vendor evaluation - framework and named-vendor pricing
A framework for evaluating zero trust platforms without falling into the vendor-marketing trap: vendor categories, what each is best at, deployment complexity, lock-in risk, and how to map vendors to your scenario. For the named vendors that publish or have well-sourced pricing, we now maintain dedicated, dated pricing pages, linked below. Where a vendor publishes no list price, we say so rather than invent one.
Pricing pages for the major platforms
Dated, sourced pricing for the vendors buyers ask about most. Each page lists per-user ranges, the add-on traps, the renewal cliffs, and the negotiation levers.
Six vendor categories cover the zero trust market
Most platforms fall into one of six archetypes. Each is strong in one or two pillars and weaker in others. Recognising the archetype is the first step in evaluation.
Identity-centric platforms
- Deployment: Moderate. Heavy on directory integration, SSO migration, and conditional access rule design.
- Best for: Heterogeneous estates not committed to a single productivity suite. Multi-cloud, SaaS-heavy organisations.
- Lock-in risk: High. Identity is the deepest integration point in any zero trust stack; switching IdPs is the most expensive vendor migration.
- FedRAMP: Major identity vendors typically offer FedRAMP Moderate at minimum; FedRAMP High variants exist for federal estates.
Microsoft-suite platforms
- Deployment: Lowest if already on M365, since bundle integration is largely click-through. Highest if migrating from non-Microsoft identity.
- Best for: Microsoft 365-centric organisations. Mid-market and enterprise already paying for E3 / E5.
- Lock-in risk: Very high. Bundle economics make leaving expensive, and M365 commercial dependence creates indirect identity lock-in even where the identity layer is technically portable.
- FedRAMP: Multiple FedRAMP authorisations, including High tiers for government estates.
Network-centric / SSE platforms
- Deployment: High. Network platform implementations require connector deployment in every private app environment, a parallel VPN run, and policy migration from IP-based to identity-based rules.
- Best for: Large enterprises replacing complex on-premise proxy and VPN infrastructure. Heavy private-app estates.
- Lock-in risk: Moderate. ZTNA can be migrated more easily than identity, but SSE bundles (ZTNA + SWG + CASB + FWaaS) create platform-level lock-in once policy depth grows.
- FedRAMP: Most major SSE platforms hold FedRAMP Moderate authorisations; some hold High.
Lightweight ZTNA platforms
- Deployment: Lowest. Modern ZTNA-only platforms deploy in days for SMBs and in weeks for mid-market.
- Best for: SMBs and developer-centric organisations. ZTNA replacement of a legacy VPN without the need for full SSE.
- Lock-in risk: Low. Standards-based and easy to swap; pricing is transparent.
- FedRAMP: Variable. Most consumer-focused ZTNA platforms do not pursue FedRAMP; enterprise variants increasingly do.
Endpoint-centric platforms
- Deployment: Moderate. EDR agent deployment, exclusion tuning, and MDR onboarding for managed-response variants.
- Best for: Estates where endpoint visibility is the priority concern. Organisations with mature SOC operations.
- Lock-in risk: Moderate. Agent-based architecture creates operational dependency; switching requires removing one agent and deploying another, with a parallel-run period.
- FedRAMP: Major endpoint vendors typically hold FedRAMP Moderate; the High tier is available from select vendors.
Cloud-native / CNAPP platforms
- Deployment: Moderate. API-based deployment, cloud account integration, IaC scanning hookups.
- Best for: Cloud-native organisations. AWS / Azure / GCP-heavy estates with a significant container or Kubernetes footprint.
- Lock-in risk: Low to moderate. Most CNAPP platforms support all major clouds and standards-based output formats.
- FedRAMP: Variable. CNAPP is a newer category, and FedRAMP authorisations are still growing.
Which category goes where
Map vendor categories to the scenarios most CISOs face. Multi-vendor combinations are normal and often optimal; single-vendor zero trust is rare outside the Microsoft ecosystem.
| Scenario | Identity | Network | Device | Workload | Data |
|---|---|---|---|---|---|
| 100-user SMB on M365 | Microsoft suite | Lightweight ZTNA | Microsoft suite (Defender) | Native cloud tooling | Microsoft suite (Purview) |
| 500-user mid-market, Google Workspace | Identity-centric platform | Lightweight ZTNA or SSE | Endpoint-centric platform | CNAPP | CASB layer |
| 2,000-user enterprise, Microsoft-centric | Microsoft suite | SSE platform or Microsoft Entra | Microsoft suite or endpoint specialist | CNAPP | Microsoft suite (E5) or specialist DLP |
| Federal contractor, CMMC L2 | FedRAMP-High identity platform | FedRAMP-authorised SSE | FedRAMP endpoint platform | FedRAMP CNAPP | FedRAMP DLP / classification |
| Cloud-native dev-led estate | Identity-centric platform | Lightweight ZTNA | Cloud-managed MDM | CNAPP (primary investment) | Cloud-native KMS + selective DLP |
| Heavy regulated data (healthcare, finance) | Identity-centric platform with PAM | SSE with microsegmentation | Endpoint-centric with MDR | CNAPP | Specialist DLP + classification (heavy investment) |
Eight dimensions to score every vendor
- Pillar coverage depth. For each of the five pillars, score primary / secondary / not core. Bolt-on modules count as secondary at best.
- Deployment complexity. Average rollout duration for organisations your size. Reference customers of comparable scale are essential here.
- Existing-stack fit. Native integration depth with your IdP, SIEM, ITSM, HR system. SCIM provisioning, SAML / OIDC SSO, OPA policy, OpenTelemetry export.
- Lock-in risk. Standards-based config export, contract-level data extract rights, switching cost as percentage of new platform first-year licensing.
- FedRAMP / compliance authorisation. FedRAMP Moderate or High, ISO 27001, SOC 2 Type II, HIPAA, PCI DSS. Required for regulated estates.
- 3-year total cost. Licensing + professional services + integration + tuning over 3 years. Year-one licensing is often the smallest line.
- Vendor stability. Financial position, product roadmap clarity, M&A risk, leadership turnover. Public companies disclose more; private vendors require careful diligence.
- Reference customer fit. Three references of comparable size, sector, and existing-stack composition. Phone calls, not case studies.