Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.

VPN to ZTNA replacement cost: pricing and break-even

Replacing legacy VPN with zero trust network access is the most common zero trust entry point and the one with the cleanest cost-justification path. This page walks through the migration cost, per-VPN-vendor specifics, break-even versus continued VPN, the parallel-run period, the connector deployment cost most CISOs under-budget, and the security-value angle that often dominates the decision regardless of economics.

Cost structure

What VPN-to-ZTNA migration actually costs

Year-one VPN-to-ZTNA migration cost for a 500-user mid-market organisation breaks down into five components. ZTNA platform licensing is $30K to $120K for the first year, depending on tier (lightweight ZTNA at the lower end, full SSE bundle at the upper). Migration professional services are $20K to $80K, covering policy translation from IP-based VPN rules to identity-based ZTNA rules, connector architecture design, and rollout coordination. Parallel-run licensing overlap is $15K to $40K for the 60- to 180-day period during which both VPN and ZTNA are licensed. End-user training is $5K to $15K for materials, sessions, and help-desk preparation. Connector deployment is $10K to $30K, varying with the number of private app environments that need ZTNA connectors. The five components total $80K to $285K, which is the year-one VPN replacement budget at this scale.

Ongoing annual cost in steady state is roughly $40K to $140K, which is substantially lower than maintaining VPN appliances plus VPN per-user licensing. The dominant ongoing line is ZTNA licensing at $30K to $120K per year. Hardware maintenance, VPN per-user licensing, and the operational labour around VPN appliances all disappear.

A useful sanity check: total three-year cost of ownership. Continued VPN at the same 500-user scale runs roughly $60K to $200K per year in licensing plus maintenance plus operational labour, totalling $180K to $600K over three years. ZTNA at $80K to $285K year one plus $40K to $140K per year ongoing totals $160K to $565K over three years. ZTNA is broadly cost-neutral over three years and noticeably cheaper after that, with the security-value benefit on top.

By VPN vendor

Migration cost by incumbent VPN vendor

Migration cost is similar in absolute terms across major VPN vendors. The differences are in what is replaced (firewall function, hardware refresh avoidance) and how the migration is sequenced.

Incumbent VPN | Appliance replaced | Refresh capex avoided | Per-user VPN licensing avoided | Migration notes
Cisco AnyConnect | Cisco ASA hardware | $15K - $80K avoided | $2 - $6 / user / month | Migration typically also retires the Cisco ASA firewall. Sequence the firewall function replacement carefully.
Palo Alto GlobalProtect | PA firewall ZTNA module | $25K - $150K avoided | $3 - $8 / user / month | ZTNA function lives on PA firewalls. Migration often paired with Palo Alto's own SASE platform (Prisma Access).
Fortinet FortiGate SSL VPN | FortiGate firewall | $10K - $60K avoided | $2 - $5 / user / month | SSL VPN function on FortiGate. Migration sometimes paired with Fortinet's ZTNA platform.
Pulse Connect Secure / Ivanti Connect Secure | Dedicated SSL VPN appliance | $20K - $100K avoided | $3 - $7 / user / month | Pure SSL VPN appliance. Migration urgency from repeated zero-day vulnerabilities in recent years.
OpenVPN Access Server | Self-hosted | Limited capex avoided | $3 - $9 / user / month | Open source variant has zero license cost but operational overhead. Migration often paired with operational simplification.
Citrix NetScaler Gateway | NetScaler ADC + Gateway | $30K - $200K avoided | Varies | Often co-resident with Citrix Virtual Apps; migration sequencing more complex.

Break-even

When VPN replacement pays back

Break-even calculations depend on three variables: the current annual VPN total cost of ownership (licensing plus hardware maintenance plus operational labour), the ZTNA year-one and ongoing cost, and the timing of the next VPN hardware refresh cycle.

For a typical mid-market 500-user organisation with continuing VPN at $120K per year all-in and ZTNA at $150K year one plus $80K per year ongoing, payback is roughly 18 to 24 months. The first-year ZTNA premium ($30K above continuing VPN) is recovered in years two onwards through the $40K per year saving. Organisations facing imminent VPN hardware refresh see much faster payback because the avoided capex pulls into the year-one calculation. A 500-user organisation that would otherwise spend $80K on Cisco ASA refresh next quarter is comparing $150K ZTNA year-one (cumulative cost $150K) against $80K refresh plus $120K ongoing (cumulative cost $200K) over the same period; ZTNA breaks even in months 8 to 14.

Organisations with low VPN usage (under 30 percent of workforce regularly connecting via VPN) see slower payback because the per-user VPN savings are smaller. A 1,000-user organisation where only 200 users regularly use VPN is saving less than a 1,000-user organisation where all 1,000 use VPN. Payback in low-usage scenarios stretches to 30 to 40 months. In those cases the security-value argument (described below) typically dominates the cost argument.
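The cumulative-cost comparison used in the cost-structure section (three-year TCO) and in the break-even section above, carried through as a small model. This is an added example, not a calculator from the page or from any vendor, and the names (`Scenario`, `break_even_month`, `three_year_tco`, `expected_breach_reduction`) and the cash-flow phasing are my assumptions: continuing VPN cost is treated as a flat monthly run-rate, the ZTNA year-one figure is invoiced upfront in month 1, ZTNA ongoing cost becomes a monthly run-rate from month 13, and an avoided hardware refresh is a one-off capex hit in the month it would have been paid. The page's own break-even ranges come from a similar but not identical phasing, so the refresh scenario lands a little earlier here than the page's 8 to 14 months; the point the model makes is that the avoided refresh, not the licensing delta, is what pulls break-even forward.

```python
"""Cumulative-cost model for VPN-to-ZTNA break-even.

Added example with assumed phasing (not from the page): VPN is a flat
monthly run-rate; ZTNA year-one cost is invoiced upfront in month 1;
ZTNA ongoing cost is a monthly run-rate from month 13; a VPN hardware
refresh is a one-off capex hit in `refresh_month`.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Scenario:
    vpn_annual: float               # continuing VPN TCO per year (licensing + maintenance + labour)
    ztna_year_one: float            # licensing + services + parallel run + training + connectors
    ztna_ongoing_annual: float      # steady-state ZTNA cost per year from year two
    refresh_capex: float = 0.0      # VPN hardware refresh that the migration lets you avoid
    refresh_month: int = 0          # month the refresh would otherwise be paid (0 = none pending)
    annual_risk_value: float = 0.0  # expected breach-cost reduction credited to ZTNA per year


def cumulative_vpn(s: Scenario, month: int) -> float:
    """Cumulative cost of staying on VPN through `month` (1-based)."""
    total = s.vpn_annual * month / 12          # multiply before dividing: exact for round figures
    if s.refresh_month and month >= s.refresh_month:
        total += s.refresh_capex               # refresh capex lands once, in its month
    return total


def cumulative_ztna(s: Scenario, month: int) -> float:
    """Cumulative cost of migrating to ZTNA through `month`, net of any credited risk value."""
    total = s.ztna_year_one                    # assumed invoiced upfront in month 1
    if month > 12:
        total += s.ztna_ongoing_annual * (month - 12) / 12
    total -= s.annual_risk_value * month / 12  # risk-reduction value accrues monthly
    return total


def break_even_month(s: Scenario, horizon: int = 60) -> Optional[int]:
    """First month in which cumulative ZTNA cost is no higher than cumulative VPN cost.

    Returns None if ZTNA never catches up inside `horizon` months.
    """
    for m in range(1, horizon + 1):
        if cumulative_ztna(s, m) <= cumulative_vpn(s, m):
            return m
    return None


def three_year_tco(s: Scenario) -> Tuple[float, float]:
    """(VPN, ZTNA) cumulative cost at month 36, the sanity check from the cost-structure section."""
    return cumulative_vpn(s, 36), cumulative_ztna(s, 36)


def expected_breach_reduction(annual_breach_probability: float,
                              breach_cost: float,
                              reduction_fraction: float) -> float:
    """Expected annual breach-cost reduction: probability x cost x fraction of cost avoided."""
    return annual_breach_probability * breach_cost * reduction_fraction


if __name__ == "__main__":
    # Figures from the break-even section: VPN $120K/yr all-in, ZTNA $150K year one + $80K/yr.
    base = Scenario(vpn_annual=120_000, ztna_year_one=150_000, ztna_ongoing_annual=80_000)
    # Same organisation with an $80K ASA refresh due next quarter (month 3).
    refresh = Scenario(120_000, 150_000, 80_000, refresh_capex=80_000, refresh_month=3)
    # Same organisation crediting a constructed $30K/yr breach-cost reduction to ZTNA.
    with_risk = Scenario(120_000, 150_000, 80_000, annual_risk_value=30_000)

    for label, s in (("no refresh", base), ("refresh month 3", refresh), ("risk credited", with_risk)):
        print(f"{label:>16}: break-even month {break_even_month(s)}, 3-year TCO {three_year_tco(s)}")
```

The `annual_risk_value` line is how the page's advice to include risk-reduction value in the break-even calculation enters the model: it is credited against ZTNA rather than added to VPN, so the comparison stays a cost-versus-cost one and the credited figure is visible as a single, arguable input rather than buried in the VPN column.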

Connector deployment

The hidden cost most CISOs under-budget

Every ZTNA platform requires a software connector deployed in each environment that holds private applications. On-premise data centres, AWS VPCs, Azure VNets, GCP projects, branch-office networks, partner-facing app environments, and regulated-data isolation environments each need their own connector. The connector advertises which private apps are available behind it and routes authenticated user traffic to those apps.

Each connector deployment is 4 to 16 hours of professional services work, depending on the complexity of the environment, the firewall rules that need to allow the connector outbound, the integration with the identity provider, and the testing of the apps behind the connector. For an organisation with eight distinct private app environments, that is 32 to 128 hours of professional services labour. For an organisation with thirty private app environments (typical at upper mid-market or enterprise), 120 to 480 hours of labour, costing $24K to $96K depending on rates.

The labour cost is real but the larger issue is calendar time: each connector deployment takes a day or two of dedicated attention from the team that owns that environment. Eight connectors across eight different teams in a 500-user organisation is typically a four to eight week stream of work, not a single sprint. Plan the connector deployment as a sustained workstream, not a single deployment event, and resource the professional services accordingly.

Cloud-native organisations with all apps in SaaS need fewer connectors (often just one or two: one for any remaining private app, one for identity-aware proxy fronting legacy systems). The migration is much faster and cheaper for these organisations. Hybrid estates with significant on-premise app footprint are the slowest and most expensive to migrate, with connector deployment dominating the year-one timeline.

Security value

The argument that often dominates the cost economics

VPN appliances have been a dominant ransomware initial-access vector across multiple high-profile incidents in 2023-2025. CISA and the FBI have published joint advisories specifically calling out exploited vulnerabilities in Pulse Connect Secure (now Ivanti Connect Secure), Fortinet FortiOS, Citrix NetScaler, and others. The pattern is recurring: VPN appliance is internet-exposed by necessity (remote users need to reach it), the appliance has occasional severe vulnerabilities (the codebase is mature but large), and exploited vulnerabilities provide unauthenticated remote access to the internal network. The risk-reduction value of moving off internet-exposed VPN appliances onto cloud-delivered ZTNA is meaningful and often the strongest single argument for the migration regardless of cost economics.

The IBM 2024 Cost of a Data Breach report attributes lateral-movement-reduction value to identity-based access controls; the value is concentrated in environments that have successfully retired the VPN as an attack surface. The reduction in breach cost from removing the VPN exposure plus implementing per-app access policy is typically 15 to 30 percent of expected breach cost over a five-year window. For a mid-market organisation with 2 to 4 percent annual breach probability and $4.88M average breach cost (the IBM 2024 figure), the expected breach-cost reduction value is $30K to $120K per year. This is on top of the operational cost savings and is usually the largest single value line in the VPN replacement business case.

Frequently asked

VPN replacement cost questions

What does it cost to replace VPN with ZTNA?
Year-one VPN-to-ZTNA replacement cost for a 500-user organisation is roughly $80K to $250K all-in. The components are ZTNA licensing ($30K to $120K depending on tier), migration professional services ($20K to $80K), parallel-run period licensing overlap ($15K to $40K), end-user training ($5K to $15K), and connector deployment ($10K to $30K). Ongoing annual cost in steady state is roughly $40K to $140K, which is substantially lower than maintaining VPN appliances plus VPN per-user licensing.
What is the break-even point versus continued VPN?
For a typical mid-market deployment, break-even is 18 to 24 months. For an organisation facing a VPN hardware refresh cycle (typically every five to seven years), break-even is 8 to 14 months because the avoided hardware capex is folded into the calculation. For an organisation with low VPN usage (under 30 percent of workforce regularly connecting via VPN), break-even can stretch to 30 to 40 months as the per-user VPN savings are smaller. The break-even calculation should always include the security risk-reduction value, not just the cost savings, but the cost calculation alone usually justifies the migration.
How long is the parallel-run period?
60 to 180 days is typical. Shorter parallel runs (60 to 90 days) work for organisations with smaller user populations and simpler app estates. Longer parallel runs (120 to 180 days) are required for larger or more complex environments, particularly those with legacy applications that need testing under ZTNA, executives who need extra change-management time, and any environment with critical-business apps that cannot tolerate even brief disruption. Skipping the parallel-run period entirely is the single most common cause of VPN-to-ZTNA migration failure and typically more expensive in the resulting incidents than running the parallel.
What does it cost by VPN vendor (Cisco, Palo Alto, Fortinet, Pulse)?
Migration cost from each major VPN vendor is similar in absolute terms but differs in what is replaced. Cisco AnyConnect: replacing AnyConnect typically also retires Cisco ASA hardware ($15K to $80K avoided refresh), plus per-user licensing ($2 to $6 per user per month avoided). Palo Alto GlobalProtect: replacing GlobalProtect retires the on-prem firewall ZTNA module ($25K to $150K avoided refresh) plus per-user licensing. Fortinet FortiGate SSL VPN: typically retires the SSL VPN function from the firewall ($10K to $60K) plus per-user licensing. Pulse Connect Secure (now Ivanti Connect Secure): the migration is typically simpler because Pulse is purely an SSL VPN appliance, with no co-resident firewall function. Pulse migrations also have a security urgency angle given the platform's heavily reported zero-day history in recent years.
Should we replace all VPN at once or in phases?
Phases, almost always. The typical phasing is: privileged users and high-value app access first (60 days), then knowledge workers accessing SaaS-heavy estates (90 days), then full workforce including users accessing legacy private apps (120 to 180 days). Phased migration limits change-management blast radius, lets the ZTNA platform mature through real-world traffic before full cut-over, and provides a safety net for rolling back specific user populations if issues arise. Big-bang migrations work for very small organisations (under 100 users) but rarely for anything larger.
What is the hidden cost in VPN-to-ZTNA migration?
Connector deployment. ZTNA platforms require a software connector deployed in each private application environment: on-premise data centres, AWS VPCs, Azure VNets, GCP projects, branch-office networks. Each connector deployment is 4 to 16 hours of professional services work. For an organisation with eight distinct private app environments, that is 32 to 128 hours of work. Cloud-native organisations with all apps in SaaS need fewer connectors and benefit accordingly. The other hidden cost is legacy-app testing: ZTNA traffic patterns are different from VPN traffic patterns, and legacy apps sometimes behave unexpectedly. Budget 20 to 80 hours for legacy-app regression testing.
What is the security-value angle on VPN replacement?
VPN appliances have been the dominant ransomware initial-access vector across multiple high-profile incidents in 2023-2025. CISA and the FBI have published advisories specifically calling out exploited vulnerabilities in Pulse Connect Secure, Fortinet FortiOS, Citrix NetScaler, and others. The risk-reduction value of moving off internet-exposed VPN appliances onto cloud-delivered ZTNA is meaningful and often the strongest single argument for the migration regardless of cost economics. IBM's 2024 Cost of a Data Breach report attributes lateral-movement-reduction value to identity-based access controls; the value is concentrated in environments that successfully retire the VPN as an attack surface.