Cloud CASB Licensing and Contract Terms

The cloud access security broker is no longer a product you buy on its own — it is a capability absorbed into secure service edge platforms, bundled into Microsoft 365 E5, and sold a third time as a standalone tool. Most enterprises end up licensing CASB twice. This guide maps where the capability already sits, what it costs, and the contract terms that decide whether you pay once or three times.

What You Actually License

Cloud CASB licensing is confusing because the cloud access security broker is sold three different ways at once: as a standalone product priced per user, as a module bundled into a secure service edge platform alongside the secure web gateway and ZTNA, and as a feature already included in Microsoft 365 E5. Standalone CASB runs roughly $2–$8 per user per month — Microsoft Defender for Cloud Apps lists at about $5 standalone — while CASB consumed inside Netskope or Zscaler is quote-based and folded into a broader per-user rate, where Zscaler Internet Access alone runs $8–$12 per user per month. For a 5,000-user enterprise a dedicated CASB lands between $120,000 and $300,000 a year before discounting. The first task, as across the whole cloud security stack, is to establish which of those three routes you are already paying for.

The Four Pillars and How Each Is Priced

Gartner's original CASB definition rests on four pillars — visibility, compliance, data security and threat protection — and vendors increasingly license them separately, which is where module creep enters the bill. The table below maps each pillar to what it does and where the capability typically already exists in an enterprise estate.

| Pillar | What It Covers | Typical Licensing | Often Already Owned In |
|---|---|---|---|
| Visibility | Shadow IT discovery, app catalogue | Per user, sometimes free tier | Defender for Cloud Apps (E5) |
| Compliance | SaaS posture, config benchmarks | Per user / per app | SSPM module, E5 add-on |
| Data security | Inline & API DLP for SaaS | Per user + inspected volume | Existing DLP / Purview licence |
| Threat protection | Anomaly detection, session control | Premium tier, per user | XDR / endpoint platform |

The most common CASB mistake is buying inline data security as a CASB module when the enterprise already licenses DLP through Microsoft Purview or a dedicated engine — paying twice to inspect the same SaaS traffic. We routinely find a third of a proposed CASB spend duplicates capability already owned through E5 or the existing DLP contract.

The Defender for Cloud Apps Anchor

For Microsoft-centric enterprises, the cheapest CASB foundation is usually already paid for. Microsoft Defender for Cloud Apps is included in Microsoft 365 E5 and available as the E5 Security add-on at roughly $12 per user per month for E3 estates, or standalone at about $5. It covers shadow IT discovery, SaaS security posture management, session control through conditional access, and data policy across Microsoft and many third-party applications. Before buying a standalone CASB or paying for a CASB tier inside an SSE platform, map what Defender for Cloud Apps already enforces — net-new spend is usually justified only for inline proxy coverage of non-Microsoft traffic. This is the same owned-capability discipline that governs the identity provider decision and sits within the broader Microsoft commercial relationship.

CASB Is Disappearing Into SSE

The standalone CASB category is in structural decline. Most enterprises now consume CASB as one capability inside a secure service edge or SASE platform rather than a dedicated tool, and Gartner expects 60% of new SD-WAN purchases to be part of a single-vendor SASE offering by 2026. In a typical SSE-to-SASE migration, on-premises web proxies and standalone CASB tools fold into the SSE platform and DLP policy unifies across web, SaaS and private-application traffic. The commercial consequence is that the CASB decision is now a platform-consolidation decision, not a point-product selection — and bolting a separate CASB onto an SSE contract you already hold is exactly the kind of duplicated layer we flag in our zero trust licensing analysis. Dedicated CASB still earns its place for deep API-mode SaaS governance, but inline proxy CASB belongs inside the SSE deal.

Contract Terms That Decide the Bill

Because CASB is metered inconsistently, the contract terms matter more than the headline rate. Pin the licensing metric first — per user, per app connector, or per inspected volume — because connector and module creep is where CASB bills inflate after signing. Cap inspected-traffic and API-call volume against your measured baseline, since data-security tiers often meter throughput and a quote priced on today's volume can rise sharply as SaaS adoption grows. Fix professional-services scope inside the licence deal rather than in a follow-on statement of work, and secure co-termination with the wider SSE or Microsoft agreement so the CASB line cannot be renewed in isolation at uplift. These are the same governance disciplines set out in our cloud contract framework, and they apply equally to the data-security overlap with cloud DLP licensing.

Inline Proxy vs API Mode: What You Are Really Buying

A CASB enforces in two fundamentally different ways, and the choice drives both cost and contract risk. API mode connects to SaaS applications out of band through their published APIs, scanning content and configuration after the fact — it is lighter to deploy, does not sit in the traffic path, and is the mode in which Microsoft Defender for Cloud Apps covers most of its catalogue at no extra infrastructure cost. Inline (forward or reverse proxy) mode sits in the live traffic path to block actions in real time, which is where the secure service edge platforms concentrate their value and their per-user pricing, and where turning on full TLS inspection raises the compute the vendor must provision.

The commercial implication is that you should not pay inline-proxy pricing for capability you only need in API mode. Sanctioned-app governance, posture management and retrospective DLP scanning are well served by API mode, which an E5 estate often already owns; real-time inline enforcement is the genuinely net-new spend and should be scoped to the specific traffic that needs it. Most CASB over-spend comes from licensing inline coverage across the whole estate when API-mode governance plus targeted inline enforcement on a defined set of applications would meet the requirement at a fraction of the per-user cost. Map each control to the mode it actually requires before signing, the same maturity-to-requirement discipline we apply to the zero trust layers and the endpoint security module stack.

Negotiation Levers That Work

The first lever is owned-capability mapping: every control you can demonstrate you already license through Defender for Cloud Apps, Purview or your endpoint platform is a CASB module you refuse to pay for again. The second lever is platform consolidation — pricing the CASB capability as part of an SSE renewal, where bundling improves the rate for the whole platform, almost always beats a standalone CASB line, and the threat of consolidating onto a single SSE vendor is itself a discount lever. The third lever is the competitive alternative: a documented evaluation of Netskope, Zscaler, Skyhigh or Defender for Cloud Apps typically unlocks 15–30% beyond standard volume discounting, and it must be a real evaluation, not a verbal bluff. To map your CASB overlaps against what you already own and benchmark the SSE platform, request a confidential briefing or read our price benchmarking research.

Common Questions

Cloud CASB Licensing: FAQ

How much does a CASB cost per user?
Standalone CASB runs roughly $2–$8 per user per month. Microsoft Defender for Cloud Apps lists at about $5 per user per month standalone and is bundled into Microsoft 365 E5. CASB consumed inside a secure service edge platform such as Netskope or Zscaler is quote-based and bundled with SWG and ZTNA, where Zscaler Internet Access runs $8–$12 per user per month. For a 5,000-user enterprise a standalone CASB lands around $120,000–$300,000 a year before discounting.

Do we need a separate CASB if we have Microsoft 365 E5?
Often not. Microsoft Defender for Cloud Apps is included in Microsoft 365 E5 and covers shadow IT discovery, SaaS posture management, session control and data policy across Microsoft and many third-party apps. Before buying a standalone CASB or paying for a CASB module inside an SSE platform, map what Defender for Cloud Apps already enforces — net-new spend is usually justified only for inline proxy coverage of non-Microsoft traffic.

Is standalone CASB still worth buying in 2026?
Standalone CASB is declining as a category. Most enterprises now consume CASB as one capability inside a broader secure service edge or SASE platform rather than a dedicated tool, and Gartner expects 60% of new SD-WAN purchases to be part of single-vendor SASE by 2026. A dedicated CASB still makes sense for API-mode SaaS governance, but inline proxy CASB is increasingly bought as part of SSE — so the contract decision is platform consolidation, not point-product selection.

What contract terms matter most in a CASB deal?
Pin the licensing metric — per user, per app connector, or per inspected volume — because module and connector creep is where CASB bills inflate. Cap inspected-traffic or API-call volume against your measured baseline, fix professional-services scope inside the licence deal, and secure co-termination with the wider SSE or Microsoft agreement so the CASB line cannot be renewed in isolation at uplift. A documented competitive evaluation typically unlocks 15–30% beyond standard volume discounting.
