Zero trust for small business - practical stack under $50/user/month
Most zero trust content assumes enterprise budgets. For a 75-person professional services firm, that is irrelevant. This page covers what zero trust looks like for SMBs (25-200 users): a Microsoft-first stack at $29-$33 per user per month, a Google Workspace alternative, three budget tables (50 / 100 / 200 users), and the trade-off between DIY and MSP delivery.
The most common SMB path
If you are already on Microsoft 365 - 60-70% of SMBs are - the Microsoft path is the cheapest and fastest. Roughly $29-$33 per user per month all-in.
| Component | Product | Per user / month | Pillar coverage |
|---|---|---|---|
| Productivity + identity + device | Microsoft 365 Business Premium | $22.00 | Identity (Entra ID P1, conditional access), Device (Intune MDM, Defender for Business EDR), Email security (Defender for O365) |
| Network (ZTNA) | Cloudflare Zero Trust Teams | $0 - $7.00 | Network. Free tier covers 50 users; Teams tier $7/user/month above that. |
| Identity upgrade (optional) | Entra ID P2 add-on | $3.00 (delta) | Adds risk-based MFA, PIM, identity protection. Recommended at 100+ users. |
| Hardware MFA (one-time) | FIDO2 keys for admin accounts | $25-$50 / user one-time | Phishing-resistant MFA on tier-0 accounts. |
| Total per-user / month | - | $29 - $33 | Identity + Device + Network + basic Data via Defender for Cloud Apps |
If you are not on Microsoft 365
A Google-first stack runs slightly cheaper but with narrower bundled zero trust capability, which is compensated for with a stronger ZTNA overlay.
| Component | Product | Per user / month | Pillar coverage |
|---|---|---|---|
| Productivity + identity + basic device | Google Workspace Business Plus | $18.00 | Identity (Google IdP, basic conditional access), Device (Endpoint Management), BeyondCorp Enterprise Essentials (basic ZTNA for Google apps) |
| EDR | SentinelOne or CrowdStrike SMB tier | $5 - $9 | Device pillar EDR. Google Workspace does not include endpoint detection. |
| ZTNA for non-Google apps | Twingate Teams or Cloudflare Zero Trust | $5 - $10 | Network pillar. BeyondCorp Essentials is Google-app focused; non-Google apps need overlay ZTNA. |
| Total per-user / month | - | $28 - $37 | Identity + Device + Network. Data pillar coverage thinner than Microsoft path. |
Total cost at 50, 100, and 200 users
Microsoft-first stack at intermediate maturity. Implementation is the one-time cost paid in year 1. Year 2+ ongoing assumes no major change.
| Workforce | Annual licensing | One-time implementation | Year 1 total | Year 2+ ongoing |
|---|---|---|---|---|
| 50 users | $17.4K - $19.8K | $8K - $15K | $25K - $35K | $18K - $22K |
| 100 users | $34.8K - $39.6K | $10K - $25K | $45K - $65K | $36K - $44K |
| 200 users | $69.6K - $79.2K | $15K - $40K | $85K - $120K | $72K - $88K |
Implementation includes M365 licensing migration if needed, Intune enrolment for the existing fleet, conditional access policy design, MFA rollout, ZTNA connector deployment, and 4-8 weeks of MSP-supervised setup. Year 2+ ongoing is licensing only (4% growth assumed) plus modest tuning labour.
What SMBs should not buy
Three categories are over-engineered for the SMB risk profile and should wait until 200+ users.
- Microsegmentation. Complexity not worth it under 200 users. ZTNA covers most lateral-movement risk; microsegmentation adds 2-4 weeks of policy work and ongoing maintenance overhead. Defer.
- Standalone PAM platform. Microsoft Entra Privileged Identity Management (free with P2 add-on at $9/user/month) covers tier-0 just-in-time admin and session recording adequately for organisations with under 50 privileged users. Dedicated PAM (CyberArk, BeyondTrust) is overkill.
- Standalone CASB. Microsoft Defender for Cloud Apps (included in M365 Business Premium for sanctioned-app coverage) covers most SMB SaaS data needs. Standalone CASB platforms are designed for enterprise SaaS sprawl that SMBs do not have.
Which delivery model fits you
Most SMBs default to an MSP for security operations. The economics are similar to DIY, but the MSP absorbs the security architect role that SMBs cannot afford full-time.
| Dimension | DIY (internal IT) | MSP (managed) |
|---|---|---|
| Per-user / month all-in | $29 - $33 + 0.25-0.5 internal FTE | $35 - $55 (licensing + management) |
| Setup time | 8 - 16 weeks | 4 - 8 weeks |
| Ongoing time burden | 3-8 hours / week internal | Minimal (MSP handles) |
| Customisation | Full control | Limited to MSP playbook |
| Exit cost | Zero (you own everything) | 2-3 months MSP transition cost |
| Best for | SMBs with a competent IT manager and 100+ users | SMBs without dedicated security skills, or under 100 users |