The Licence Is the Start, Not the Bill
Cloud backup and DR licensing trips up buyers because the licence is priced cleanly while the costs that actually dominate — object storage, egress, replica capacity and recovery compute — sit outside it. Enterprise backup has largely moved from per-terabyte to per-workload or per-protected-instance pricing, which makes the licence look predictable, but it tells you nothing about the storage and data-transfer that accumulate over a multi-year retention window. As with every layer of the cloud security stack, the headline metric and the total cost are different numbers, and the gap is where backup budgets overrun.
How the Major Vendors Licence Backup
The leading vendors price on different units, which makes like-for-like comparison hard. Veeam's Universal License (VUL) runs $250–$450 per workload per year across Standard, Advanced and Premium, sold in packs of 5 or 10, and Veeam raised list prices 4–8% in both January 2025 and January 2026 — a recurring uplift to build into any multi-year model. Rubrik and Cohesity are largely quote-only and appliance-oriented, and Commvault publishes little beyond SaaS lines such as Microsoft 365 backup from $1.70 per user per month. The table below sets the models side by side.
| Vendor | Licensing Model | Indicative Price | Cloud Storage |
|---|---|---|---|
| Veeam | Per workload (VUL) | $250–$450/workload/yr | Not included — bring your own |
| Rubrik | Quote-only, appliance/SaaS | ~20–40% above Veeam | Platform-dependent |
| Cohesity | Per data volume | ~15–30% above Veeam | Platform-dependent |
| Commvault | Workload / SaaS per user | M365 from $1.70/user/mo | Varies by SKU |
Veeam typically prices 20–40% below Rubrik and 15–30% below Cohesity for comparable scope — but Veeam excludes cloud storage entirely. The vendor with the lowest licence can carry the highest total cost once you add the storage and egress its competitors fold in, so always compare on total cost across the full retention period.
Storage and Egress: The Real Cost
Software-based backup vendors exclude the object storage that holds the backups. With Veeam you separately buy AWS S3, Azure Blob, Wasabi or another S3-compatible repository, and pay for capacity, API operations and — critically — egress when you recover. Egress is the line that ambushes restore budgets: data is cheap to store and expensive to retrieve, and a large recovery event can generate a data-transfer bill that dwarfs a year of licence cost. Model storage and egress across the full retention period, negotiate committed-storage discounts on the repository, and weigh egress-free or flat-rate storage targets against hyperscaler object storage. This is the same egress discipline we set out for primary workloads in the shared responsibility analysis and our cloud contract framework.
DRaaS: Per-Instance Is a Floor
Disaster-recovery-as-a-service is sold per protected instance, and the instance fee is a floor, not the cost. Azure Site Recovery lists at $16–$25 per protected instance per month after a free first 31 days, but on top of that you pay for replica storage in the target region, egress whenever replication crosses an Azure region, the difference between locally redundant and geo-redundant storage, and compute during both test failovers and a real failover. A DRaaS quote that counts only instances routinely understates true cost once redundancy choices and the disaster-recovery drills your auditors expect are added. Price the whole recovery path — replica storage, cross-region egress, drill compute — not the per-instance headline, and decide tiering deliberately, the same way you would map the zero trust layers to a maturity target rather than a vendor roadmap. The hyperscaler relationship behind ASR or AWS DRS sits inside your broader Microsoft or cloud commercial agreement.
The SaaS Backup Gap
The most dangerous assumption in backup is that the SaaS provider already protects your data. Microsoft guarantees 99.9% platform uptime but provides no contractual RTO or RPO for your content, and its own service agreement recommends you back up your data yourself. Native retention is short — roughly 93 days for SharePoint and 14–30 days for Exchange — which fails for the everyday scenarios that matter: a departed employee's deleted mailbox, a ransomware event that encrypts cloud files, and compliance mandates demanding six to seven years of retention. Most enterprises therefore treat Microsoft 365 as a tier requiring third-party backup at a 1–4 hour RPO and a 4–8 hour RTO. That same shared-responsibility gap applies to Salesforce, Google Workspace and other SaaS estates, and it is precisely the kind of contractual silence our vendor audit defence handbook teaches buyers to close before signing.
Immutability and the Cyber-Resilience Premium
Ransomware has rebranded backup as "cyber resilience", and the rebrand carries a price. Immutable, air-gapped copies that an attacker cannot encrypt or delete are now table stakes, and vendors increasingly tier them — Veeam's hardened repositories and object-lock targets, Rubrik's and Cohesity's immutable architectures and "threat hunting" and "anomaly detection" add-ons positioned as premium cyber-resilience SKUs. Immutable object storage with versioning and object-lock also costs more to operate than plain capacity, because you retain multiple recoverable points rather than overwriting, which inflates the storage line the licence already excludes.
The buyer trap is paying a cyber-resilience premium for capability that should be a baseline. Object-lock immutability is a native feature of S3-compatible storage, and a hardened Linux repository is a configuration, not a separate SKU — so a vendor charging a material uplift for "immutability" is often charging for something the underlying storage already provides. Separate the genuinely differentiated capability (behavioural anomaly detection, automated clean-recovery orchestration, malware scanning of backups) from the immutability that is effectively free at the storage layer, and price each on its own merits. The recovery-assurance questions — can you prove a clean restore, and how fast — matter more than the label, and they are exactly the contractual commitments our vendor audit defence handbook teaches buyers to pin down, alongside the shared responsibility boundaries.
Negotiation Levers That Work
The first lever is total-cost modelling: insist every backup and DRaaS quote is restated to include storage, egress, replica capacity and drill compute across the full retention term, because the vendor with the cheapest licence is frequently the most expensive once those lines are added. The second lever is the recurring uplift clause — with Veeam raising list 4–8% a year, lock multi-year pricing and cap annual increases in the contract rather than absorbing back-to-back hikes. The third lever is the competitive alternative: Veeam, Rubrik, Cohesity and Commvault discount hard against each other, and a documented evaluation plus committed-storage commitments on the repository typically unlock meaningful reductions, the same dynamic that governs the vulnerability management and SIEM layers. To model your true backup and DR cost and benchmark the licence against market, request a confidential briefing or read our price benchmarking research.