Independent reference. Not affiliated with any zero trust vendor. Updated Q1 2026.

Zero trust hidden costs - the 40-60% no vendor mentions

Licensing is the visible 40-60% of zero trust spend. The other 40-60% is professional services, integration, the security architect FTE, end-user training, governance overhead, and ongoing tuning. This page breaks each one down with realistic ranges and the operational reality behind them.

Total cost of ownership composition

Licensing: 40-60%. Hidden costs: 40-60%.
The split shifts over the life of the programme. Year 1 is heavy on professional services (often 50-100% of licensing). Years 2-3 settle to 25-30% of licensing in services and tuning, but the architect FTE, training refresh, and governance overhead persist indefinitely.

01 Professional services

$50K - $500K

Scoping assessment, architecture design, vendor selection support, and integration work. Boutique security consultancies run $1,500-$2,500/day, Big 4 firms $3,000-$6,000/day; internal architects are cheaper but slower. A typical mid-market engagement is 50-200 consultant days. Federal contractors and FedRAMP-restricted programmes incur a 30-50% premium because the pool of cleared consultants is smaller.

02 Security architect FTE

$130K - $180K / year base

Mature zero trust requires dedicated ongoing management: one FTE minimum for mid-market organisations, 2-4 dedicated staff for enterprises. First-year hiring overhead and ramp-up time are real: expect a 6-month productivity ramp and 25-35% benefits overhead on base salary. The architect's first job is to keep the consultancy honest, the second to own the multi-year roadmap, the third to stop vendor sprawl.

03 Integration costs

$20K - $200K

Every new tool needs to integrate with the existing identity store, SIEM, ticketing system, and HR system for provisioning. Budget API integrations, webhook setup, and professional services hours for each connector. Integration cost grows non-linearly with vendor count: every additional vendor adds connectors that touch every prior vendor, so the connector count scales with the number of vendor pairs rather than the number of vendors.

04 Pilot and parallel running

$20K - $80K

ZTNA pilots typically run on a subset of users (50-200) for 60-180 days before full rollout. Parallel running costs include the legacy VPN licence that continues through the ZTNA cutover, change-management labour, and rollback contingency planning. Skipping the pilot is the most common cause of rollout failure and the most expensive failure mode, because the rollback then happens in production across the whole user base.

05 End-user training

$300 - $800 / employee

Zero trust changes how users authenticate, access applications, and respond to device compliance failures. Phishing-resistant MFA (FIDO2 / passkeys) requires hands-on enrolment training. Conditional access enforcement creates user friction that, without training, turns into support tickets. Poor change management causes productivity loss that is rarely tracked as a zero trust cost but is real.

06 Policy documentation and governance

$15K - $50K

Least-privilege access policies need to be written, documented, reviewed by legal and compliance, and maintained. Quarterly access reviews require named reviewers and audit trails. Zero trust policy documentation is typically underestimated by a factor of three: organisations budget for the technical deployment and forget the governance overhead that makes the controls auditable.

07 Ongoing tuning and management

15-20% of licensing / year

Policy drift, alert noise, access reviews, conditional access exceptions, and microsegmentation policy adjustments. Equivalent to 1-2 security analyst days per week for mid-market. At a fully loaded analyst cost of $85K-$110K/year, that is roughly $25K-$45K/year in hidden operational cost in every year of operation.

Worked example

A 500-user mid-market TCO breakdown

Year-one budget for a 500-user mid-market organisation reaching CISA Advanced-tier maturity. The licensing line is roughly $720K. Hidden costs add another $1.12M. Total year-one programme: $1.84M (the hidden-cost lines in the table below sum to $1.115M).

Cost line                        | Year 1  | Year 2  | Year 3  | 3-year total
Licensing (5 pillars)            | $720K   | $760K   | $790K   | $2.27M
Professional services            | $320K   | $80K    | $45K    | $445K
Security architect FTE (loaded)  | $210K   | $220K   | $230K   | $660K
Integration work                 | $120K   | $30K    | $25K    | $175K
Pilot + parallel running         | $45K    | -       | -       | $45K
End-user training                | $280K   | $60K    | $60K    | $400K
Policy + governance              | $32K    | $22K    | $22K    | $76K
Ongoing tuning                   | $108K   | $135K   | $140K   | $383K
Total programme                  | $1.84M  | $1.31M  | $1.31M  | $4.46M

Worked example for a Microsoft-centric 500-user mid-market organisation reaching CISA Advanced tier across all five pillars. Numbers are mid-range estimates; actual outcomes vary with vendor selection and existing tooling.

Vendor switching

The lock-in cost nobody warns about

Switching zero trust platforms costs 25-40% of the new platform's first-year licensing. Lock-in is the most consequential criterion in vendor selection, and it is rarely surfaced in vendor demos.

Switching from one zero trust platform to another (Zscaler to Microsoft Entra Suite, Okta to Entra ID, Palo Alto Prisma to Cisco Umbrella+ZTNA) requires re-implementing the entire policy stack. Conditional access rules are not portable. SSO integrations to SaaS apps need re-configuring. ZTNA connectors deployed in private application environments need re-deploying. Users need re-training. The legacy platform must run in parallel during cutover.

For a $1M annual licensing platform, expect $250K-$400K in switching cost spread across 6-12 months. The cost is rarely budgeted because the decision to switch comes after a multi-year deployment, by which point the original platform-selection decision is buried.

Three ways to limit lock-in at platform-selection time: standards-first vendors (vendors that expose SAML, SCIM, OIDC, and open policy engines such as OPA rather than proprietary APIs), multi-vendor pillar strategies (deliberately picking one vendor for identity, a different one for ZTNA, a third for EDR, so no single vendor controls the whole estate), and contract-level audit rights (the right to extract policy configuration in machine-readable format at contract end). Tradeoff: best-of-breed multi-vendor is more expensive in licensing and in integration (each extra vendor adds connectors, see 03 above) but cheaper in lock-in.

Frequently asked

Hidden cost questions

What percentage of zero trust spend is non-licensing?
40-60% on average. Licensing is only the start. The full hidden-cost stack (professional services, security architect FTE, integration work, pilot running, training, governance documentation, and ongoing tuning) typically equals or exceeds the licensing line. Programmes that budget only for licensing routinely overrun by 60-100% in year one, then stabilise as services taper off, but still carry a substantial non-licensing share: 25-30% of licensing in services and tuning alone, plus the persistent architect FTE, training refresh, and governance lines.
How much does the security architect FTE actually cost?
$130K-$180K base salary plus 25-35% benefits overhead is the US figure. Fully loaded, expect $170K-$250K per FTE. Mid-market organisations need at least one dedicated zero trust architect; enterprises need 2-4. The role requires deep identity, network, and cloud-security experience; the talent market is tight and candidates frequently command premium offers. Plan for a 6-month productivity ramp on hire and budget for the full first year even if the role is filled in month four.
Can we use an MSP instead of an internal architect?
Yes for SMBs, with caveats for mid-market. Managed zero trust services from MSPs run $35-$55/user/month all-inclusive (licensing plus management) for SMBs, which is competitive with DIY for under 200 users. Mid-market organisations can use MSPs for the operational tuning workstream while retaining an internal architect for strategy and roadmap. Pure-MSP delivery at enterprise scale is rare and typically results in misaligned priorities: the MSP optimises for ticket closure, the enterprise needs strategic posture work.
What integration work is most often underestimated?
HR-to-identity provisioning. Joiner / mover / leaver events need to flow from the HR system (Workday, BambooHR, etc.) to the identity provider, then to every connected app. Each leg has its own connector cost (one-time $5K-$30K) and ongoing maintenance overhead. Most programmes budget for the IdP-to-app connectors and forget the HR-to-IdP leg. The result is identity drift within 6 months: stale accounts, missing entitlements, and access reviews that fail audit. Allocate 30-50% of integration budget to lifecycle automation specifically.
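What the missing HR-to-IdP leg looks like when it goes unchecked is easiest to see in a reconciliation run. The script below is an added example, not code from the page or from any HR or IdP vendor: it compares a constructed HR export against a constructed IdP export and flags the four drift patterns the answer above describes (a leaver whose account is still enabled, a joiner with no account, a mover still holding a previous department's groups, and an enabled account with no HR owner), plus dormancy. The field names, the department-to-group "birthright" mapping, the 90-day dormancy threshold and the as-of date are assumptions chosen for the example; map them onto your own exports.

```python
"""Joiner / mover / leaver reconciliation between an HR export and an IdP export.

Added example for this page, not code from the original text or from any vendor.
Both exports are constructed inline; the field names, the BIRTHRIGHT_GROUPS
mapping, DORMANT_DAYS and AS_OF are assumptions, not any specific HR/IdP schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90              # assumed: enabled account unused this long is suspect
AS_OF = date(2026, 3, 1)       # assumed reconciliation date

# Constructed HR export: the source of truth for employment status and department.
HR_ROSTER = [
    {"email": "alice@example.com", "department": "Finance", "status": "active", "termination_date": None},
    {"email": "bob@example.com", "department": "Engineering", "status": "active", "termination_date": None},  # moved from Sales
    {"email": "carol@example.com", "department": "Sales", "status": "terminated", "termination_date": "2026-01-15"},
    {"email": "dave@example.com", "department": "Engineering", "status": "active", "termination_date": None},  # joiner
]

# Constructed IdP export: accounts and group memberships as the IdP currently sees them.
IDP_ACCOUNTS = [
    {"email": "alice@example.com", "enabled": True, "groups": ["finance-users", "erp-readonly"], "last_sign_in": "2026-02-20"},
    {"email": "bob@example.com", "enabled": True, "groups": ["sales-users", "crm-admins"], "last_sign_in": "2026-02-21"},
    {"email": "carol@example.com", "enabled": True, "groups": ["sales-users"], "last_sign_in": "2026-02-01"},
    {"email": "svc-backup@example.com", "enabled": True, "groups": ["backup-operators"], "last_sign_in": "2025-08-01"},
]

# Assumed birthright entitlements: the groups every member of a department should hold.
BIRTHRIGHT_GROUPS = {
    "Finance": {"finance-users"},
    "Engineering": {"eng-users"},
    "Sales": {"sales-users"},
}


@dataclass(frozen=True)
class Finding:
    kind: str
    email: str
    detail: str


def _days_since(iso_date: str, today: date) -> int:
    return (today - date.fromisoformat(iso_date)).days


def reconcile(hr_roster, idp_accounts, birthright, today):
    """Return the JML drift findings between the HR export and the IdP export."""
    hr_by_email = {r["email"]: r for r in hr_roster}
    idp_by_email = {a["email"]: a for a in idp_accounts}
    findings = []

    for email, rec in hr_by_email.items():
        acct = idp_by_email.get(email)
        if rec["status"] == "terminated":
            # Leaver: HR says gone, so the IdP must say disabled. This is the leg
            # that goes unbudgeted when only IdP-to-app connectors are planned.
            if acct is not None and acct["enabled"]:
                days = _days_since(rec["termination_date"], today)
                findings.append(Finding("leaver_still_enabled", email,
                                        f"terminated {days} days ago, IdP account still enabled"))
            continue
        if acct is None:
            # Joiner: active in HR with no identity yet, hence no access at all.
            findings.append(Finding("joiner_missing_account", email,
                                    f"active in HR ({rec['department']}) but no IdP account"))
            continue
        held = set(acct["groups"])
        expected = birthright.get(rec["department"], set())
        # Mover: groups that are birthright for some *other* department are
        # entitlements carried over from a previous role. Groups outside every
        # birthright set (e.g. crm-admins) are not judged here; they are what the
        # quarterly access review exists to examine.
        other_dept = set().union(*(g for d, g in birthright.items() if d != rec["department"]))
        stale = held & other_dept
        if stale:
            findings.append(Finding("mover_stale_entitlements", email,
                                    f"holds {sorted(stale)} from another department"))
        missing = expected - held
        if missing:
            findings.append(Finding("missing_birthright", email,
                                    f"lacks {sorted(missing)} for {rec['department']}"))

    for email, acct in idp_by_email.items():
        if not acct["enabled"]:
            continue
        if email not in hr_by_email:
            # Orphan: an enabled identity with no HR owner (service accounts,
            # contractors onboarded outside HR). Needs a named owner or removal.
            findings.append(Finding("orphan_account", email, "enabled account with no HR record"))
        if _days_since(acct["last_sign_in"], today) > DORMANT_DAYS:
            findings.append(Finding("dormant_account", email,
                                    f"no sign-in for more than {DORMANT_DAYS} days"))
    return findings


def summarize(findings):
    """Count findings by kind: the numbers an access review has to explain away."""
    return Counter(f.kind for f in findings)


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, IDP_ACCOUNTS, BIRTHRIGHT_GROUPS, AS_OF):
        print(f"{f.kind:26} {f.email:24} {f.detail}")
```

Run this against a real pair of exports on a schedule rather than once: the "identity drift within 6 months" claim above is a rate, and a weekly count of `leaver_still_enabled` findings is the cheapest evidence that the HR-to-IdP connector is worth its line in the integration budget. The deliberate gap in the example (groups outside any birthright set are ignored) is the boundary between lifecycle automation and the access-review workstream under 06.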
What is the vendor switching cost?
25-40% of the new platform's first-year cost. Switching from one zero trust platform to another (e.g. Zscaler to Microsoft Entra Suite or Okta to Entra ID) requires re-implementing all conditional access policies, re-mapping all SSO integrations, re-deploying ZTNA connectors in private app environments, re-training users, and running the old platform in parallel during cutover. For a $1M annual licensing platform, expect $250K-$400K in switching cost spread across 6-12 months. Factor this into the original platform-selection decision: lock-in is real and the cost compounds.
How much does training really cost?
$300-$800 per employee for Phase 1 zero trust training (MFA enrolment, conditional access expectations, ZTNA client setup) and $80-$150 per employee per year for ongoing security awareness. Hardware (FIDO2 keys at $25-$50 per user) is separate from training. Phishing-simulation programmes ($3-$8 per user per year) often run alongside zero trust training. The most expensive failure mode is undertrained users routing around controls, this generates support tickets, policy exceptions, and weakens the security investment by accumulating shadow IT.