Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.

Zero trust cost for 100 employees: $40K to $400K depending on path

A 100-employee organisation has the cleanest zero trust economics in the cohort because the Microsoft 365 productivity bundle already covers most of what zero trust requires. This page walks through the credible cost paths, what to skip at this scale, the per-user per-month budget, and the most common over-buy pattern that wastes $150K to $300K of budget without proportional security value.

The bundle path

The Microsoft-first zero trust stack for 100 employees

The dominant zero trust path for 100-employee organisations in 2026 is Microsoft 365 Business Premium plus a lightweight ZTNA overlay. The bundle at $22 per user per month includes Microsoft Entra ID P1 (single sign-on, multi-factor authentication, conditional access, group-based provisioning), Microsoft Intune (mobile device management and unified endpoint management), Microsoft Defender for Business (endpoint detection and response), Exchange Online Protection with Defender for Office 365 Plan 1 (email security, anti-phishing, Safe Links and Safe Attachments), and basic Microsoft Purview Information Protection (data classification and DLP). For 100 users that is $26,400 per year for the identity, device, and basic data pillars of zero trust, roughly one-quarter to one-third of the cost of best-of-breed alternatives covering the same scope. Note that the licences only buy the capability; the security value arrives when conditional access policies are authored and enforced, not merely enabled in report-only mode.

The ZTNA capability is the one piece not included in Business Premium. The cheapest credible option is Cloudflare Zero Trust, which is free for up to 50 users; at the paid rate of $7 per user per month, the 50 seats above the free allowance come to $4,200 per year for a 100-user organisation. Check with the vendor whether the paid plan bills every seat rather than only those above 50; if it does, the figure is $8,400 per year, still small against the bundle. Alternatives at similar pricing include Twingate (from $5 per user per month on its Teams tier) and Tailscale (from $6 per user per month on its Starter tier). All three are mature platforms suitable for production zero trust deployment at this scale.

The bundle path total is roughly $30,000 per year in licensing plus $10,000 to $25,000 in one-time implementation services for year one, totalling $40,000 to $55,000. Add a small budget for FIDO2 hardware keys for privileged accounts ($300 to $750) and end-user security training ($3,000 to $10,000 per year), and the year-one budget lands at $43,000 to $66,000. Ongoing annual cost in steady state is roughly $35,000 to $45,000.

Year-one budget

The full 100-user zero trust budget

Representative year-one budget for a 100-employee organisation on the Microsoft-bundled path.

Budget line | Year 1 cost | Notes
M365 Business Premium (identity, device, basic data) | $26,400 / year | $22 / user / month x 100 users x 12 months. Includes Entra ID P1, Intune, Defender for Business, Exchange Online Protection, basic Purview.
Cloudflare Zero Trust (ZTNA) | $0 - $4,200 / year | Free for the first 50 users, $7 / user / month for the 50 above that. Confirm whether the paid plan bills all seats (if so, $8,400). Or Twingate / Tailscale equivalent.
FIDO2 hardware keys (privileged accounts) | $300 - $750 one-time | 10-15 keys for privileged accounts at $25-$50 each.
Implementation services | $10K - $25K one-time | SSO migration of 5-15 apps, conditional access policy authoring, EDR rollout. 80-200 hours of external work.
Virtual CISO (optional, recommended) | $30K - $60K / year | Fractional senior security leadership. Alternative: 20-30% allocation of existing IT director role plus periodic consulting.
End-user training | $3K - $10K / year | MFA rollout training plus quarterly security awareness. KnowBe4 or similar at $30-$80 / user / year.
Total, year one (excluding virtual CISO) | $40K - $66K | Sum of the lines above; add the virtual CISO line if that model is chosen.

What to skip

The capabilities a 100-user organisation should not buy

At 100 users, several capabilities that mid-market and enterprise organisations consider table-stakes for zero trust are over-spec and should be deferred or skipped entirely. Microsegmentation at this scale is not worth the platform cost or operational overhead; the workload count is too low to justify the spend and basic cloud security groups cover the requirement. Standalone CNAPP or CWPP is over-spec; use the free foundational CSPM tier of Microsoft Defender for Cloud for cloud workload posture, or AWS Security Hub if AWS-native. Standalone PAM platforms like CyberArk or BeyondTrust are over-spec; use Microsoft Entra PIM for just-in-time admin, which requires Entra ID P2. Standalone identity governance platforms like SailPoint are over-spec; use Microsoft Entra access reviews quarterly, also a P2 feature. P2 is licensed per user who uses the feature rather than per tenant, so check how many accounts (the 10 to 15 privileged accounts for PIM, the reviewers for access reviews) actually need it before buying 100 seats, and confirm the count against current Microsoft licensing terms.

Standalone DLP platforms like Symantec or Forcepoint are over-spec; basic Microsoft Purview DLP included in Business Premium covers email and OneDrive, which is roughly 70 to 80 percent of the data-pillar requirement at this scale. Standalone classification tools are over-spec; basic Purview Information Protection labelling is sufficient. Standalone API security platforms are over-spec; basic API gateway controls in AWS API Gateway, Azure APIM, or Cloudflare cover the requirement. SIEM platforms at full enterprise tier (Splunk, Sentinel at enterprise scale) are over-spec; use the alerting built into Defender for Business plus Microsoft Sentinel on pay-as-you-go ingestion for centralisation, and watch the ingestion bill, since Sentinel is priced per gigabyte rather than per user.

The principle: at 100 users, every standalone enterprise security platform represents at least $30,000 per year in licensing plus significant operational overhead, and the marginal security value over bundled capabilities is small. Right-size to the bundle.

Common mistake

The over-buy pattern that wastes $150K to $300K

The most common zero trust mistake at 100 users is taking mid-market best-practice content at face value and buying the full recommended stack. A 100-user organisation that buys Okta Workforce Identity ($72,000 to $150,000 per year), CrowdStrike Falcon ($59,000 per year for 100 endpoints in this model; the entry Falcon Pro per-device list price is a fraction of that, so the figure implies a multi-module bundle rather than EDR alone), Zscaler ZIA plus ZPA ($60,000 to $120,000 per year), and a separate DLP platform ($30,000 to $60,000 per year) is spending $220,000 to $390,000 per year on tooling that delivers modest incremental security value over the Microsoft 365 Business Premium bundle plus Cloudflare Zero Trust. The waste is $150,000 to $300,000 per year, every year.

The over-buy is rarely a deliberate decision. It usually emerges from a combination of vendor sales pressure (every major vendor has a downmarket motion targeting the 100-user segment), best-practice content that doesn't downscale (most analyst guidance implicitly assumes mid-market scale), and CISO career incentives (running a best-of-breed stack is more impressive on a CV than running the productivity-suite bundle). The fix is unglamorous: audit the actual security capability the bundle delivers, set the bundle as the baseline, and only add standalone tools where the bundle gap is real and the standalone delivers meaningful value per dollar.

The exception: organisations with regulated-industry compliance requirements (financial services with NYDFS Part 500, healthcare with HIPAA, federal contractors with CMMC) sometimes genuinely need capabilities beyond the bundle. Even in those cases, the right pattern is bundle plus selective standalone additions for the specific compliance gap, not full best-of-breed replacement.

When to upgrade

Triggers for moving beyond the bundle

Three triggers indicate it is time to move beyond the Microsoft-bundled path.

Heterogeneous workforce growth. Once a meaningful share of the workforce (more than 20 percent) is on non-Microsoft productivity tooling, the bundle economics weaken and best-of-breed identity and device tooling starts to make sense. Intune does manage macOS, iOS and Android, so non-Windows hardware alone is not the trigger; it is the productivity stack moving off Microsoft 365 that erodes the bundle's value.

Regulated industry entry. Taking on regulated work (healthcare contracts, financial services, federal contracts) often introduces capability requirements (specific DLP coverage, dedicated PAM, audit-grade IGA) that the bundle does not cover.

Headcount growth past 250. Above roughly 250 users, mid-market sub-components become economically justifiable and the bundle gap widens. Microsoft 365 Business Premium is also capped at 300 seats, so a re-evaluation is forced at that point regardless; plan for it at the 250 threshold.

Until one of these triggers fires, stay on the bundle. The per-user economics are too favourable to justify the upgrade for an unchanged use case. Continue investing in operational maturity (clean SSO inventory, MFA enforcement, conditional access refinement, regular access reviews) rather than tool expansion.
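An added check for the "audit the actual security capability the bundle delivers" step in the section above and for the operational-maturity items just listed (MFA enforcement, conditional access refinement). This is example code written for this page, not code from the original or from Microsoft. It runs offline over a constructed policy export in the JSON shape Microsoft Graph returns from /identity/conditionalAccess/policies (displayName, state, conditions, grantControls), which is an assumption about the export format, and reports whether the controls the $22 bundle is supposed to deliver are actually enforced rather than sitting in report-only mode. The role template and authentication strength GUIDs are the published Microsoft values; SAMPLE_POLICIES is constructed for the example.

```python
"""Offline audit of an Entra ID conditional access policy export.

Added example for this page. Input is a list of policies in the shape
returned by Microsoft Graph /identity/conditionalAccess/policies.
"""

# Directory role template IDs (stable values published by Microsoft).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
PRIV_ROLE_ADMIN = "e8611ab8-c189-46e8-94e1-60213ab1f814"
# Built-in "Phishing-resistant MFA" authentication strength ID.
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
# Break-glass accounts are the only acceptable exclusions from MFA-for-all.
MAX_BREAK_GLASS_EXCLUSIONS = 2

SAMPLE_POLICIES = [  # constructed sample export, not a real tenant
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["breakglass-1-guid"],
                              "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"],
                       "authenticationStrength": None}},
    {"displayName": "Phishing-resistant MFA for admins",
     "state": "enabledForReportingButNotEnforced",  # report-only: not enforced
     "conditions": {"users": {"includeUsers": [], "excludeUsers": [],
                              "includeRoles": [GLOBAL_ADMIN, PRIV_ROLE_ADMIN]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {
                           "id": PHISHING_RESISTANT_STRENGTH,
                           "displayName": "Phishing-resistant MFA"}}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "includeRoles": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"],
                       "authenticationStrength": None}},
]


def _users(p):
    return p.get("conditions", {}).get("users", {})


def _grant(p):
    return p.get("grantControls") or {}


def _requires_mfa(p):
    """True if the grant demands MFA via the built-in control or a strength."""
    g = _grant(p)
    return "mfa" in (g.get("builtInControls") or []) or bool(g.get("authenticationStrength"))


def _covers_all_apps(p):
    apps = p.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def mfa_for_all_users(policies):
    """Enforced policies requiring MFA for all users on all apps, with at most
    the allowed number of break-glass exclusions."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabled"
            and "All" in _users(p).get("includeUsers", [])
            and len(_users(p).get("excludeUsers", [])) <= MAX_BREAK_GLASS_EXCLUSIONS
            and _covers_all_apps(p) and _requires_mfa(p)]


def admin_phishing_resistant(policies):
    """Enforced policies requiring phishing-resistant MFA for Global Admins.
    FIDO2 keys bought for privileged accounts only count once one exists."""
    out = []
    for p in policies:
        strength = _grant(p).get("authenticationStrength") or {}
        strong = (strength.get("id") == PHISHING_RESISTANT_STRENGTH
                  or "phishing-resistant" in strength.get("displayName", "").lower())
        if p["state"] == "enabled" and strong and GLOBAL_ADMIN in _users(p).get("includeRoles", []):
            out.append(p["displayName"])
    return out


def legacy_auth_blocked(policies):
    """True if an enforced policy blocks the legacy client app types."""
    for p in policies:
        types = set(p.get("conditions", {}).get("clientAppTypes", []))
        if (p["state"] == "enabled" and {"exchangeActiveSync", "other"} <= types
                and "block" in (_grant(p).get("builtInControls") or [])):
            return True
    return False


def report_only(policies):
    """Policies still in report-only mode: they log but enforce nothing."""
    return [p["displayName"] for p in policies
            if p["state"] == "enabledForReportingButNotEnforced"]


def audit(policies):
    """Run all checks; empty lists and False values are findings to fix."""
    return {"mfa_all_users": mfa_for_all_users(policies),
            "admin_phishing_resistant": admin_phishing_resistant(policies),
            "legacy_auth_blocked": legacy_auth_blocked(policies),
            "report_only": report_only(policies)}


if __name__ == "__main__":
    for check, result in audit(SAMPLE_POLICIES).items():
        print(f"{check}: {result}")
```

A real tenant export, for example the output of Get-MgIdentityConditionalAccessPolicy from the Microsoft Graph PowerShell SDK saved as JSON, can be loaded in place of SAMPLE_POLICIES. On the constructed sample the MFA-for-all-users check passes and legacy authentication is blocked, but the phishing-resistant admin policy is still in report-only mode, so the FIDO2 keys bought for privileged accounts are not yet doing anything; that is exactly the kind of licensed-but-not-enforced gap this check exists to surface before money is spent on standalone tools.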

Frequently asked

100-user zero trust cost questions

How much does zero trust cost for a 100-employee organisation?
Year-one total cost ranges from roughly $40K to $66K on the Microsoft-bundled path (Microsoft 365 Business Premium plus Cloudflare Zero Trust plus minimal services and training, more if a fractional CISO retainer is added) to $200K to $400K on the best-of-breed multi-vendor path (Okta plus CrowdStrike plus Zscaler plus dedicated services). Most 100-employee organisations land at the Microsoft-bundled end because the M365 Business Premium licence they already pay for covers the identity, device, and basic data pillars, so the marginal cost of zero trust on top of it is low.
What is the cheapest credible zero trust stack for 100 employees?
Microsoft 365 Business Premium at $22 per user per month covers Microsoft Entra ID P1 (identity, MFA, conditional access), Microsoft Intune (device management), Microsoft Defender for Business (basic EDR), Exchange Online Protection (email security), and basic Microsoft Purview Information Protection. For 100 users that is $26,400 per year. Add Cloudflare Zero Trust for ZTNA (free for the first 50 users, $7 per user per month above that), a small budget for FIDO2 hardware keys for privileged accounts ($300 to $750 one-time), and minimal implementation services ($10K to $25K), totalling roughly $40K to $60K in year one all-in before training.
Do we really need a security architect at 100 users?
Not as a dedicated FTE. At 100 users you cannot justify a $150K to $200K dedicated security architect role; the headcount cost is too high relative to the security budget. The credible alternatives are virtual CISO services ($30K to $60K per year for fractional senior security leadership), or assigning zero trust ownership to the IT director or head of platform engineering as a 20 to 30 percent allocation of their existing role plus periodic external consulting ($15K to $40K per year). Most 100-user organisations use the fractional or shared-ownership model rather than a dedicated FTE.
What should a 100-user organisation skip in zero trust?
Skip microsegmentation entirely (workload count is too low to justify the platform cost and operational overhead). Skip standalone CNAPP or CWPP (use cloud-native security groups plus basic CSPM features in Defender for Cloud at the lowest tier). Skip standalone PAM platforms (use Entra PIM for just-in-time admin, which is included in Entra ID P2). Skip standalone identity governance (use Entra access reviews quarterly, which is also included in P2). Skip data discovery platforms (basic Purview classification is sufficient). The principle: at 100 users, every standalone enterprise security platform is over-spec, and bundled capabilities cover the requirement.
What is the per-user per-month zero trust budget at this scale?
$35 to $55 per user per month all-in on the Microsoft-bundled path (the $43K to $66K year-one figure for licensing, implementation, keys and training, spread over 1,200 user-months), falling to roughly $30 to $40 in steady state once the one-time implementation cost drops out. The best-of-breed multi-vendor path at $200K to $400K per year works out to $165 to $335 per user per month. For comparison, the per-user budget at 500 users is $110 to $260 per user per month (more sub-components in scope), and at 5,000 users it is $50 to $200 per user per month (volume discount partly offsets scope expansion). The bundled 100-user organisation has the lowest per-user budget in absolute terms because so much is covered by the productivity-suite bundle.
How long does zero trust take to deploy at 100 users?
Three to nine months for CISA Initial-tier maturity on the Microsoft-bundled path. Phase 1 (SSO consolidation, MFA universal, basic device management) is 30 to 90 days at this scale because the application count is small and the workforce is small enough to roll out MFA in one wave. Phase 2 (ZTNA for VPN replacement, basic SWG, advanced device policy) is 60 to 180 days. Phase 3 capabilities (advanced governance, DLP refinement) are typically deferred indefinitely at this scale because the marginal value per dollar drops sharply.
What is the most common 100-user zero trust mistake?
Over-buying. The 100-user organisation that buys Okta Workforce Identity ($72K to $150K per year), CrowdStrike Falcon ($59K per year for 100 endpoints), Zscaler ZIA/ZPA ($60K to $120K per year), and a separate DLP platform ($30K to $60K per year) is spending $220K to $390K per year on tooling that adds modest value over what Microsoft 365 Business Premium plus Cloudflare Zero Trust free would cover at $40K to $60K per year. The over-buy is usually driven by best-practice content written for mid-market that doesn't downscale well. Right-size to the bundle at this scale.