Zero Trust Is an Architecture, Not a Licence
Zero trust architecture licensing is uniquely difficult to control because zero trust is not a product you buy — it is a design principle that spans identity, network access, endpoint, and data, each licensed separately and each sold by vendors who brand their slice as "the" zero trust platform. The result is that most enterprises license zero trust three or four times over: once through their identity provider, again through a secure service edge, again through endpoint, and sometimes a fourth time through a network vendor's marketing-led "ZT" bundle. Mapping these overlaps is the first and most valuable step.
The cost spread is wide. Zero trust network access and secure service edge components run $8–$25 per user per month at enterprise scale, while broader zero trust suites stretch from $20 to $150 per user per month depending on how many modules are bundled. For a 2,000-user enterprise, Zscaler or Palo Alto Prisma Access commitments commonly land at $250,000–$400,000 a year before implementation. This sits alongside the identity, SIEM and endpoint lines covered in our cloud security contract guide — and double-counting across them is the most common source of waste.
The Four Licensed Layers of Zero Trust
A defensible zero trust budget starts by separating the architecture into its four licensed layers and identifying what you already own. The table below maps the layers to the dominant vendors and the licensing unit for each.
| Layer | Typical Vendors | Licensing Unit | Often Already Owned In |
|---|---|---|---|
| Identity & access | Microsoft Entra, Okta, Ping | Per user / per MAU | Microsoft 365 E3/E5, existing IdP |
| Network (ZTNA/SSE) | Zscaler, Prisma Access, Netskope, Cato | Per user/month, modular | Rarely bundled — net new |
| Endpoint posture | CrowdStrike, Defender, SentinelOne | Per endpoint | Endpoint security contract |
| Data & policy | Purview, CASB, DLP engines | Per user / consumption | E5, CASB, DLP licences |
The most expensive zero trust mistake is buying a network vendor's "zero trust" bundle that re-licenses identity and data controls you already own through Microsoft Entra or your endpoint platform. We routinely find 20–35% of a proposed zero trust spend duplicating capability already paid for elsewhere in the stack.
The Microsoft Entra Anchor
For Microsoft-centric enterprises, the cheapest zero trust foundation is usually already paid for. Microsoft Entra combined with Defender provides conditional access, device compliance, and identity-based policy that cover the identity layer and much of the endpoint layer — capability bundled into Microsoft 365 E5 or available through Entra add-ons. Before licensing a third-party zero trust platform, map what conditional access and Defender already enforce; the gap is often narrower than a network vendor's pitch implies. The detail of the identity layer is covered in our identity provider licensing comparison, and the Entra commercial relationship sits within the broader Microsoft vendor negotiation.
The Network Layer: Where the Real Spend Sits
The secure service edge layer is where net-new zero trust spend concentrates, because VPN replacement genuinely requires new licensing. Zscaler sells per user per year in modular bundles — an Internet Access edition (ZIA, secure web gateway) and a Private Access edition (ZPA, ZTNA) — with higher tiers stacking CASB, DLP, sandboxing and digital-experience monitoring. Palo Alto Prisma Access runs $14–$22 per user per month and carries the highest total cost of ownership of the major platforms due to fragmented licensing and reliance on additional Palo Alto components. The buyer trap is module creep: each add-on (browser isolation, ZDX, advanced DLP) is individually small but collectively doubles the per-user rate. Itemise every module against a defined requirement and refuse mandatory attach.
One cost driver deserves special attention: TLS inspection. Turning on full TLS/SSL inspection — essential for the security value of an SSE platform, since uninspected encrypted traffic is invisible to its web, CASB and DLP controls — materially increases the compute the vendor must provision, and several vendors meter or tier this. A quote priced with inspection off can rise 20–40% once it is switched on in production, so insist that pricing reflects TLS-on from day one and that inspected-traffic volume is capped and benchmarked against your measured baseline.
Implementation Is the Hidden Line Item
Zero trust implementation costs are routinely understated at signing. A serious enterprise SSE deployment carries $100,000–$500,000 in implementation and migration effort — traffic discovery, policy migration, connector design, identity integration, branch rollout, certificate handling, and phased VPN retirement. Vendors and their partners often quote licensing cleanly and leave implementation vague. Insist on a fixed-scope statement of work with milestone acceptance, and negotiate professional-services rates as part of the licensing deal rather than after signing, when leverage has evaporated. The same audit and governance discipline in our vendor audit defence handbook applies to scoping these services.
Mapping Spend to a Maturity Model, Not a Vendor Roadmap
Zero trust budgets spiral when they are driven by a vendor's product roadmap rather than the enterprise's own maturity targets. The reference frameworks — NIST SP 800-207 and the CISA Zero Trust Maturity Model — describe capabilities across identity, devices, networks, applications and data, and crucially they describe a progression from traditional to advanced to optimal. Most enterprises do not need optimal-tier capability across every pillar at once, yet vendor bundles are priced as if they do. Anchoring procurement to a defined maturity target per pillar, rather than the top SKU, is the difference between a $200,000 and a $600,000 annual programme.
This matters commercially because vendors increasingly tie premium modules to maturity language — "advanced posture", "continuous verification", "AI-driven policy" — that maps to higher tiers without a corresponding requirement. Force every premium module to map to a specific maturity gap you have documented. If the module advances a pillar you have already deemed sufficient at a lower tier, it is discretionary spend, not a requirement, and should be treated as annual and cancellable rather than committed for the full term.
The phasing also creates leverage. Because zero trust is a multi-year journey, you control the sequence and timing of each layer's purchase. Stage the network layer to a quarter-end when the SSE vendor is under quota pressure, hold endpoint and data modules for separate negotiations rather than a single bundled commitment, and never let a vendor compress a three-year architecture into a single year-one signature. Sequencing the purchases preserves competitive tension at each stage and prevents the over-commitment that turns a phased rollout into stranded licences.
Negotiation Levers That Work
The first lever is the multi-year commitment. Buyers with multi-year terms achieve 15–30% lower per-user pricing than annual contracts, and bundling ZIA and ZPA together improves the rate for both versus standalone purchase. Commit to term only on the modules you are certain to deploy, and keep speculative add-ons on annual flexibility.
The second lever is the competitive alternative. Buyers who genuinely evaluate Netskope, Cato, Prisma Access or Cloudflare and make clear they are comparing vendors unlock an additional 10–20% beyond standard volume discounting. This is the single most powerful network-security lever, and it requires a documented evaluation, not a verbal bluff. The third lever is owned-capability mapping: every control you can demonstrate you already license through Entra, your endpoint platform, or a CASB is a module you refuse to pay for again. To map your zero trust overlaps and benchmark the network layer, request a confidential briefing or review our price benchmarking research.