Zero trust cost for 1,000 employees: $1.5M to $3M year one
A 1,000-employee upper mid-market organisation is where zero trust crosses from product-led to programme-led. Identity fabric becomes mandatory, PAM and IGA enter scope, a dedicated security team replaces part-time ownership, and managed detection and response handles SOC coverage. This page sizes the budget pillar-by-pillar and names the three transitions that make this scale different from 500 users.
Year-one cost by pillar at 1,000 users
Representative pillar allocation for a 1,000-employee upper mid-market organisation pursuing CISA Initial-to-Advanced maturity in year one.
| Pillar | Share | Year 1 cost | Components | Services |
|---|---|---|---|---|
| Identity (fabric) | 25-35% | $450K - $1.0M | Cloud IdP P2, PAM, IGA, identity-aware proxy, secrets vault, workload identity starting | $120K - $350K |
| Network | 20-30% | $350K - $850K | ZTNA, SWG, DNS, microsegmentation pilot, browser isolation | $80K - $280K |
| Device | 12-18% | $250K - $560K | MDM/UEM, EDR P2, MTD, posture management, BYOD coverage | $45K - $130K |
| Applications | 10-15% | $200K - $500K | CNAPP, API security platform, container runtime, basic service mesh | $30K - $90K |
| Data | 10-15% | $200K - $500K | DLP full coverage, classification, DSPM, tokenisation if regulated | $30K - $90K |
| Security architect + ops | Cross-pillar | $350K - $600K | 1 architect, 1-2 engineers, plus MDR contract for SOC | Internal + MDR |
| PMO + change mgmt | Cross-pillar | $120K - $300K | Programme management, comms, training, business-unit liaison | External + internal |
Why identity fabric replaces single IdP at this scale
At 500 users a single identity provider can serve most use cases adequately. At 1,000 users the architecture starts to creak. The legacy-application population (apps that do not speak SAML or OIDC) is typically large enough at 1,000 users that point fixes do not scale; you need a coherent identity-aware proxy strategy spanning multiple apps. The service-account population typically exceeds 300 to 500 accounts, which is past the practical limit for manual management and forces secrets-vault adoption. The workforce-identity-store complexity grows: most 1,000-user organisations have at least two HR systems of record (legacy plus current), multiple Active Directory forests, and federated cloud identity, which a single IdP cannot serve coherently.
The identity-fabric approach addresses this complexity. The fabric stitches together the cloud IdP, on-premise AD, identity-aware proxies for legacy apps, secrets vaults for service accounts, PAM for privileged human accounts, IGA for lifecycle and access review, and workload identity for cloud-native services. The full fabric runs $450K to $1.0M in year-one cost at this scale, which makes it the biggest single line in the 1,000-user zero trust budget. The deep dive on architecture and component cost lives on the identity-fabric-cost page.
Organisations that try to stay on a single-IdP architecture past 1,000 users typically hit a wall at 1,500 to 2,500 users, when the legacy-app and service-account problems become acute enough to force the fabric transition under time pressure. That forced transition costs materially more than planning it deliberately at 1,000 users.
PAM and IGA become unavoidable
At 500 users PAM and IGA are often deferred to year two or three. At 1,000 users they are typically Phase 1 or early-Phase-2 requirements. The privileged-account population at 1,000 users is roughly 120 to 250 accounts (10 to 25 percent of workforce depending on technical density). Manual privileged-account management at this scale is not viable: privileged access reviews alone consume two to four hours per week of senior engineer time, and the audit evidence trail is incomplete. PAM platforms (CyberArk, BeyondTrust, Delinea) automate session recording, just-in-time elevation, password rotation, and audit evidence generation. Cost: $20K to $120K per year in licensing plus $200K to $600K in implementation services for a typical 120-day rollout.
IGA becomes unavoidable for two reasons. First, the access-review workload at 1,000 users is unmanageable manually; SOC 2 and ISO 27001 audits expect quarterly reviews with demonstrable evidence trails, and at 1,000 users plus 50 to 150 applications, the review matrix is too large for spreadsheets. Second, joiner-mover-leaver volume reaches 200 to 500 events per year (roughly 25 percent annual turnover plus internal moves), each of which touches HR, ITSM and dozens of connected applications. IGA platforms (SailPoint, Saviynt, Microsoft Entra Identity Governance) automate the lifecycle and produce audit-ready evidence. Cost: $80K to $300K per year in licensing plus $150K to $400K in implementation services.
PAM and IGA together add $300K to $1.0M to year-one zero trust cost over the 500-user baseline. The cost is real; the alternative (manual privileged-access and lifecycle management at this scale) is more expensive in operational time and audit risk than the platform investment.
The security team grows beyond a single architect
At 500 users a single security architect plus part-time engineering allocation can run the programme. At 1,000 users the team needs to grow. The dominant pattern is one architect (programme ownership, architecture decisions, vendor management), one to two security engineers (tool deployment, integration, policy authoring, day-to-day operations), and managed detection and response for 24x7 SOC coverage. Total cost: $350K to $600K per year for the in-house headcount plus $250K to $600K per year for MDR.
In-house SOC at this scale is rarely cost-justified. A 24x7 in-house SOC needs 6 to 10 analysts (three shifts plus overlap), which runs $700K to $1.5M loaded annually. MDR providers (Arctic Wolf, Expel, Red Canary, eSentire, CrowdStrike Falcon Complete, SentinelOne Vigilance) offer equivalent or better coverage for $250K to $600K at this scale. mdrcost.com has deeper MDR pricing. The hybrid pattern (MDR for tier-1 and tier-2, in-house for tier-3 incident response and threat hunting) is increasingly common and combines the cost advantage of MDR with the institutional knowledge of an in-house team.
Hiring the security architect role too late
The most common zero trust mistake at 1,000 users is starting the programme without a dedicated security architect, on the assumption that the IT director can absorb the responsibility while running everything else. The IT director cannot, for straightforward reasons of bandwidth and specialisation. Zero trust architecture decisions (which IdP, which ZTNA, which EDR, PAM rollout sequence, microsegmentation timing, data-pillar deferral or acceleration) require dedicated focus and current subject-matter expertise. The IT director making these decisions in 20 percent of their time typically gets six to twelve months into the programme before realising the decisions need re-doing, at which point the cost has been incurred and the timeline has slipped.
The fix is straightforward: hire the security architect before starting the programme, accept the three to six month hiring timeline, and use that time for stakeholder alignment and procurement preparation rather than premature vendor selection. The architect-first pattern adds three to six months to programme start but typically delivers Phase 1 capabilities six to twelve months earlier than the architect-late pattern because Phase 1 decisions are made once rather than twice.