Cisco Security Licensing: Umbrella, Duo and Beyond

Cisco security licensing spans Duo, Umbrella, Secure Access, XDR and Secure Endpoint — each sold in its own per-user tiers, then repackaged into suite bundles that commit you to three products at once. This guide explains what each tier costs, where the suites genuinely save money, and how to negotiate a Cisco Security Enterprise Agreement without buying protection your users never switch on.

By Morten Andersen

The Cisco Security Portfolio

Cisco security licensing is no longer a single product line — it is a portfolio of separately-licensed services, each with its own per-user tiers, that Cisco increasingly sells as pre-packaged suites. The four pillars an enterprise buyer meets most often are Duo for multi-factor authentication, Umbrella (now folded into Secure Access) for DNS and web security, XDR for detection and response, and Secure Endpoint for endpoint protection. Email Threat Defense and the broader Secure Access SSE platform sit alongside them.

The commercial pattern is consistent: every product is offered in Essentials, Advantage and sometimes Premier tiers, priced per named user per year, and every product has a "standardise on Advantage" recommendation from the Cisco account team that rarely matches actual usage. Because these licences usually land inside a wider Cisco Enterprise Agreement, the tiering decisions compound exactly the way switching tiers do — a theme covered across the Cisco Enterprise Agreement and licensing guide and the device-side DNA licensing tier breakdown.

Duo MFA Licensing Tiers

Duo is the most widely deployed piece of the portfolio and the easiest to over-buy. It lists at roughly $3 per user per month for Essentials, $6 for Advantage, and $9 for Premier, billed per named user with no concurrent or device-based option. Essentials covers MFA and single sign-on for most knowledge workers; Advantage adds risk-based policy, trusted endpoints and the Duo Network Gateway; Premier adds Duo Passport for VPN-less remote access and privileged access controls.

The 2025–2026 pricing cycle widened the gap between tiers and tightened the active-user definition, so the cost of putting the entire workforce on Advantage "to keep it simple" roughly doubled. In practice most organisations need Essentials for the bulk of users and Advantage only for the regulated or high-risk subset — the same right-sizing logic the Cisco EA negotiation and pricing guide applies to the rest of the estate.

Umbrella and Secure Access Tiers

Umbrella is sold in four tiers, and the names matter because the price gaps between them are large.

| Tier | What It Adds | Indicative List (per user/yr) |
|---|---|---|
| DNS Essentials | DNS-layer security, basic web filtering | $30–$40 |
| DNS Advantage | Adds granular filtering, intelligent proxy, app visibility | $40–$55 |
| SIG Essentials | Adds secure web gateway, firewall, basic CASB | $60–$90 |
| SIG Advantage | Adds full CASB, DLP, remote browser isolation | $95–$135 |

The DNS tiers protect every user cheaply; the SIG (Secure Internet Gateway) tiers add the heavy web-proxy, CASB and DLP machinery and cost two to four times as much. Umbrella now also ships inside the Cisco Secure Access SSE package, which combines it with zero-trust access in one subscription and dashboard. The buyer trap is licensing the whole population at SIG Advantage when only a subset of users — typically those handling regulated data — need DLP and isolation. Tier the DLP-heavy minority at SIG and leave the rest on DNS.

XDR and Secure Endpoint

Cisco XDR is licensed per user across Essentials, Advantage and Premier, starting at roughly $69 per user per year for Essentials. Advantage adds curated third-party integrations; Premier delivers the platform as a Cisco-managed service with Talos incident response and validation testing built in. Secure Endpoint follows the same Essentials/Advantage/Premier structure and is frequently bundled with XDR because the two share telemetry.

The decision that drives XDR cost is whether you need the managed Premier service or can run detection in-house on Essentials. Premier can cost several times Essentials, and many enterprises already run a SOC that makes the managed tier redundant. As with the rest of the portfolio, the tier should match operational reality, not the account team's preference — the discipline set out for suite migrations in the Cisco subscription licensing transition guide.

The Security Suite Bundles

Cisco packages these products into three suites: the User Protection Suite (Umbrella/Secure Access + Duo + Secure Endpoint), the Breach Protection Suite (XDR + Secure Endpoint + Secure Email Threat Defense), and the Cloud Protection Suite. Each carries a bundle discount of roughly 15–30 percent against the standalone tier sum.

A 5,000-user estate buying SIG Essentials, Duo Advantage and Secure Endpoint Advantage separately lists at about $252 per user per year. The User Protection Suite at the same scope lists near $192 — a 24 percent saving, worth roughly $300,000 a year before any EA discount. But the suite commits you to all three components for the full term: it only saves money if you would have bought all three anyway.

The risk with suites is the same as with over-tiering: a bundle that includes a product you do not use is not a discount, it is shelfware with a discount sticker. Before signing a suite, confirm every component maps to a real deployment plan, and check the Cisco Smart Licensing compliance position so you are not paying support on entitlements that sit dormant. Where only two of three components are wanted, standalone tiers with negotiated discount often beat the bundle.

Negotiating the Security EA

A Cisco Security Enterprise Agreement is negotiated on the same mechanics as any Cisco EA: discount bands track committed value, with roughly 20–23 percent typical for a $1M–$2M annual commitment and 24–28 percent above $2M. The single highest-impact term is True Forward — Cisco's default assumes 5–8 percent annual growth in your committed user count; negotiating that cap down to around 3 percent, and adding suite reallocation rights so unused entitlement can move between products, protects you from paying for growth that never happens.

Right-sizing the user count before signing — rather than covering every employee Cisco recommends — typically removes 15–25 percent of avoidable spend, the largest single lever in the whole exercise. Pair that with documented utilisation evidence and the discount conversation moves in your favour. To run a security-portfolio utilisation review before your next renewal, request a confidential briefing, or download our Cisco EA Playbook.

Common Questions

Cisco Security Licensing: FAQ

How much does Cisco Duo cost per user?

Cisco Duo lists at roughly $3 per user per month for Essentials, $6 for Advantage, and $9 for Premier, billed per named user with no concurrent or device-based option. Essentials covers MFA and single sign-on for most knowledge workers; Advantage adds risk-based policy, trusted endpoints and the Duo Network Gateway; Premier adds Duo Passport for VPN-less access. The 2025–2026 cycle widened the gap between tiers, so over-tiering the whole user base to Advantage or Premier is now a more expensive mistake than it was.

What are the Cisco Umbrella licensing tiers?

Umbrella is sold in four tiers: DNS Security Essentials, DNS Security Advantage, SIG Essentials and SIG Advantage. DNS tiers cover DNS-layer security and basic filtering at roughly $30–$55 per user per year; the SIG (Secure Internet Gateway) tiers add secure web gateway, CASB, DLP and remote browser isolation at roughly $60–$135 per user per year. Umbrella now also sits inside the Cisco Secure Access SSE package. Most enterprises only need the SIG tier for the subset of users who require full web proxy and DLP.

Are the Cisco security suites cheaper than buying products separately?

Usually, if you genuinely use every component. The User Protection Suite bundles Umbrella/Secure Access, Duo and Secure Endpoint; the Breach Protection Suite bundles XDR, Secure Endpoint and Secure Email Threat Defense. Bundle discounts run roughly 15–30 percent against the standalone tier sum. A 5,000-user estate buying SIG Essentials plus Duo Advantage plus Secure Endpoint Advantage separately at about $252 per user per year can drop to roughly $192 in the User Protection Suite — a 24 percent saving. The catch is that the suite commits you to all three components for the full term, so it only saves money if you would have bought all three anyway.

How do you negotiate a Cisco Security Enterprise Agreement?

Treat the Security EA like any Cisco EA: discount bands are driven by committed value, with roughly 20–23 percent typical for a $1M–$2M annual commitment and 24–28 percent above $2M. The highest-impact term is True Forward — cap assumed growth at around 3 percent rather than accepting Cisco's 5–8 percent default, and negotiate suite reallocation so unused entitlement can move between products. Right-sizing the user count before signing, rather than covering every employee Cisco recommends, typically removes 15–25 percent of avoidable spend.
