Zero trust cost for 10,000+ employees: $8M to $20M+ year one
A 10,000+ employee large enterprise runs zero trust at a scale where the operating model matters more than any single implementation decision. This page sizes the budget pillar-by-pillar, walks through the in-house build economics that start to win at this scale, the regulated-industry premium, the multi-region overhead, and the operating-model shift that separates successful large-enterprise zero trust programmes from the ones that stall under leadership change.
Year-one cost by pillar at 10,000+ users
Representative pillar allocation for a 10,000 to 25,000-employee large enterprise pursuing CISA Advanced-tier maturity in year three with Optimal tier as a continuous-improvement target.
| Pillar | Share | Year 1 cost | Components | Services |
|---|---|---|---|---|
| Identity (full fabric, multi-region) | 20-28% | $1.6M - $5.6M | Multi-region IdP P2, full PAM, full IGA at scale, identity fabric, workload identity in production, machine identity programme | $500K - $1.6M |
| Network | 20-28% | $1.6M - $5.6M | SSE platform or multi-vendor, microsegmentation at full scale, NDR, browser isolation across estate | $400K - $1.4M |
| Device | 8-12% | $640K - $2.4M | MDM/UEM enterprise multi-region, EDR for workstations and servers, MTD full, posture, BYOD at scale | $160K - $480K |
| Applications | 10-15% | $800K - $3.0M | CNAPP enterprise, API security at scale, service mesh production, full DAST/SAST/SCA in CI/CD | $200K - $700K |
| Data | 10-15% | $800K - $3.0M | DLP full multi-channel, classification at scale, DSPM, tokenisation, HSM-backed KMS, encryption-in-use for sensitive workloads | $200K - $700K |
| Security team (in-house) | Across | $4.0M - $10M | 15-40 FTE: architects, engineers, GRC, IR specialists, SOC (in-house or hybrid) | Internal |
| Regional + integration overhead | 10-15% | $800K - $3.0M | Multi-region infrastructure, tool-to-tool integration at scale, end-user enablement | Mixed |
Where build starts to win at this scale
Around 10,000 to 15,000 users, in-house build starts to genuinely compete with commercial on total cost of ownership for specific pillars. The economics shift because per-user commercial licensing accumulates to material dollar amounts at this scale, while in-house operational cost (platform engineering team) scales sub-linearly with user count. A 25,000-user organisation paying $20 per user per month for full zero trust commercial licensing is spending $6M per year on licensing alone, plus enterprise integration and services. In-house at this scale, for the pillars where it is feasible, needs 5 to 8 platform engineers ($750K to $1.6M loaded) plus $200K to $500K in infrastructure, totalling $1.0M to $2.1M per year. The saving on a full-stack basis is $4M to $5M per year, which justifies the in-house operational investment.
The honest answer about which pillars work in-house at this scale: identity (with Keycloak or Authentik) for workforce identity is viable but operationally heavy; most large enterprises stay commercial here due to lock-in and switching cost concerns. Workload identity (SPIFFE / SPIRE) is mature in-house and increasingly the default. Policy Engine (Open Policy Agent) is mature in-house and used by major large enterprises. Secrets vault (HashiCorp Vault open source) is viable for non-customer-facing service accounts. ZTNA (OpenZiti, HashiCorp Boundary) is technically viable but operationally expensive; most stay commercial. EDR is almost never in-house because detection efficacy is highly vendor-differentiated. DLP is almost never in-house because the open-source coverage gap is significant.
The dominant pattern at 10,000+ users is hybrid: commercial for the high-differentiation pillars (identity, ZTNA, EDR, DLP), in-house or open-source for the lower-differentiation pillars (workload identity, Policy Engine, secrets vault for non-customer-facing services, basic SIEM components). This pattern saves $2M to $4M per year compared to pure commercial without the operational complexity of pure in-house. The in-house-vs-vendor-cost page has the full pillar-by-pillar comparison.
The 30-60% cost uplift for regulated large enterprises
Financial services, healthcare, and federal contractor large enterprises at 10,000+ users typically pay 30 to 60 percent more than non-regulated equivalents for zero trust at the same user count. The drivers are predictable.
Higher license tiers. Regulated industries need higher identity tiers (P2 versus P1 for risk-based MFA and privileged identity management), higher EDR tiers (managed response, advanced threat hunting), and higher data-pillar coverage (full DLP rather than email-only, full classification rather than top-tier only). The per-user license uplift is roughly 25 to 40 percent versus non-regulated.
Pillars that non-regulated organisations defer become mandatory. Full data pillar (DLP across email, web, endpoint, cloud, removable media), full microsegmentation (not just pilot), and full IGA (not just access reviews) are required for regulated industries from Phase 1, not deferred to Phase 3.
Compliance-grade evidence and audit trails. Regulated industries need tooling to produce audit-ready evidence on demand: SIEM with long-tail retention, IGA with attestation tracking, PAM with full session recording. Each evidence requirement adds tooling cost.
Dedicated GRC headcount. Three to eight compliance and GRC specialists at $150K to $250K loaded each adds $450K to $2.0M annually in headcount cost not present in non-regulated equivalents.
The premium is real and largely unavoidable in regulated industries. The fix is not to avoid the premium but to budget for it accurately from the start. Regulated large enterprises that try to budget zero trust at non-regulated rates typically discover the premium in audit-driven scope expansion partway through implementation, which is more expensive than budgeting accurately from the start.
The 20-40% overhead from multi-region operations
Most 10,000+ user enterprises operate in multiple regions: at minimum a primary region plus EU operations subject to GDPR. Some operate in five to ten regions globally. Multi-region zero trust operations add 20 to 40 percent to infrastructure cost compared to single-region equivalents.
The drivers are multi-region IdP deployment (Entra ID multi-region tenancy, Okta org-per-region for data residency, or a federation architecture across multiple regional IdPs), multi-region SIEM with log routing (logs from each region routed to a regional SIEM instance to satisfy data-residency requirements, with summary data flowing to a global SOC view), multi-region MDR coverage following the sun (24x7 coverage delivered from regional analyst teams rather than a single SOC), region-specific ZTNA gateways for latency (users routed to the nearest ZTNA gateway rather than backhauled to a central one), and compliance overhead for each region (GDPR plus UK plus Canada plus Australia plus Brazil, each with its own data-protection and breach-notification requirements).
Most large enterprises absorb multi-region cost as a regional-operations line rather than a pure security line, which understates the true cost of zero trust at this scale. Realistic budgeting includes the multi-region overhead in the zero trust line item.
The dominant success factor at large enterprise scale
The most important shift at 10,000+ users is treating zero trust as a continuous operating model rather than a one-time programme. The large enterprise that scopes zero trust as a four-year programme with a defined end date typically finds the implementation outlives the original sponsors (CISO turnover at large enterprises averages two to three years; executive sponsorship changes; business reorganisation; mergers and acquisitions), and the programme either loses momentum and stalls or gets reinvented under new leadership with significant lost continuity.
The fix is to embed zero trust as an ongoing security operating model with sustained funding, dedicated headcount, and continuous-improvement governance. Specifically: the zero trust architect roles become permanent positions in the security organisation rather than fixed-term programme hires. The platform-engineering function that runs the security infrastructure becomes a permanent capability. The governance forum that makes zero trust decisions becomes a standing committee with rotating business-unit representation. Annual maturity assessments measure progress against CISA tiers and feed back into the next year's investment plan. Programmes structured this way survive leadership change; programmes structured as one-time deliveries often do not.
The cost implication of the operating-model framing is that the year-one number is no longer a hump cost followed by lower ongoing spend; it is the start of a sustained $5M to $15M+ annual run rate that the organisation commits to indefinitely. For most 10,000+ user enterprises, this is the right framing both because it matches the reality of the work and because it produces better security outcomes than the programme framing.