ZTNA cost - zero trust network access pricing and VPN migration
Zero Trust Network Access (ZTNA) is the network-pillar control most organisations buy first. This page covers ZTNA pricing tiers, VPN-to-ZTNA break-even analysis, the migration cost most CISOs underestimate, hidden deployment costs, and how SASE bundle economics change the calculus.
What ZTNA actually costs
Three tiers cover most of the market. Tier-1 (lightweight ZTNA-only) is the cheapest and fastest to deploy. Tier-3 (full SSE) is the most comprehensive and most expensive. Tier-2 (ZTNA-plus) sits in the middle.
| Tier | Per user / month | What it includes | Best for |
|---|---|---|---|
| Tier 1 - Lightweight ZTNA | $5 - $10 | Identity-based application access. Simple connectors. SaaS and private app coverage. | SMBs, developer-centric organisations, VPN replacement only. |
| Tier 2 - ZTNA Plus | $10 - $18 | ZTNA + DNS filtering + basic SWG. Some include CASB-lite. | Mid-market without separate SWG. Tier where bundle value starts to bite. |
| Tier 3 - Full SSE / SASE | $15 - $25 | ZTNA + SWG + CASB + FWaaS + DLP integration. Often called Security Service Edge or full SASE. | Enterprises replacing complex on-premise proxy infrastructure. |
| Free / freemium | $0 (capped) | Limited ZTNA seats. Often DNS filtering free, ZTNA capped at 50 users. | Pilots, very small businesses, evaluation. |
Tier ranges aggregate published list pricing across 12+ ZTNA platforms. Negotiated enterprise pricing typically runs 20-35% below list at high seat counts. For specific quotes, contact vendors directly.
ZTNA vs VPN total cost
The table below compares 3-year total cost for a 250-user organisation. ZTNA is more expensive in year 1 (no hardware sunk cost to amortise) but cheaper in years 2 and 3 with no maintenance and no hardware refresh.
| Cost line | Traditional VPN (250 users) | Cloud ZTNA (250 users) |
|---|---|---|
| Hardware (year 1) | $30K - $60K | $0 |
| Implementation services | $15K - $35K | $25K - $60K |
| Year 1 licensing | $12K - $25K | $24K - $45K |
| Year 2 licensing + maintenance | $18K - $35K | $24K - $45K |
| Year 3 licensing + maintenance | $18K - $35K | $24K - $45K |
| Hardware refresh year 4-5 | $30K - $60K (looming) | $0 |
| 3-year total | $93K - $190K | $97K - $195K |
At 250 users, 3-year total cost is roughly comparable. The difference becomes material when (a) the VPN faces a hardware refresh in year 4-5, (b) the organisation is growing and would need additional VPN appliances, or (c) the organisation has multiple geographic regions requiring separate VPN concentrators. ZTNA scales linearly with users; VPN scales in steps with hardware.
The hidden VPN-to-ZTNA migration cost
Beyond ongoing licensing, migration is a discrete project with its own budget. Most organisations underestimate it by 30-50%.
Connector deployment. Most ZTNA platforms require software connectors deployed in every private application environment. For a typical mid-market estate with 4-8 distinct private environments (on-premise data centre, two AWS regions, one Azure subscription, three on-premise office locations), connector deployment is 32-128 hours of professional services labour at $200-$400/hour. Budget: $8K-$50K.
Policy migration. VPN policies are typically IP-based: they allow-list source IPs to destination subnets. ZTNA policies are identity-based: they allow-list user groups to specific applications. The translation is non-trivial. For a typical mid-market estate with 50-200 VPN policies, policy migration is 80-200 hours of professional services labour. Budget: $15K-$60K.
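The translation step described above, as an added example (not from the original page or any vendor's tooling): constructed IP-based VPN rules are mapped to group-to-application policies, and any rule that does not map one-to-one is routed to manual review instead of being converted. The rule format, group names, addresses and app inventory are all hypothetical.

```python
import ipaddress

# Constructed sample data (hypothetical): legacy VPN ACL rows, the directory
# group that owns each source range, and the private-application inventory.
VPN_RULES = [
    {"id": "r1", "src": "10.10.20.0/24", "dst": "10.50.1.10/32", "port": 443},
    {"id": "r2", "src": "10.10.30.0/24", "dst": "10.50.0.0/16", "port": 0},  # 0 = any port
    {"id": "r3", "src": "10.10.40.0/24", "dst": "10.50.2.20/32", "port": 5432},
    {"id": "r4", "src": "10.10.20.0/24", "dst": "10.60.9.9/32", "port": 22},
]
SRC_GROUPS = {"10.10.20.0/24": "grp-finance", "10.10.30.0/24": "grp-it-ops"}
APPS = [
    {"name": "erp-web", "ip": "10.50.1.10", "port": 443},
    {"name": "hr-portal", "ip": "10.50.1.11", "port": 443},
    {"name": "erp-db", "ip": "10.50.2.20", "port": 5432},
]

def translate(rules, src_groups, apps):
    """Return (policies, review): clean group->app policies, and rules a human must resolve."""
    policies, review = [], []
    for r in rules:
        group = src_groups.get(r["src"])
        dst = ipaddress.ip_network(r["dst"])
        # Apps whose address falls inside the rule's destination and whose port it permits.
        matched = [a["name"] for a in apps
                   if ipaddress.ip_address(a["ip"]) in dst and r["port"] in (0, a["port"])]
        if group is None:
            review.append((r["id"], "source range has no owning group"))
        elif not matched:
            review.append((r["id"], "destination matches no inventoried app"))
        elif len(matched) > 1:
            # Converting a subnet-wide rule as-is would grant every app in range;
            # an owner has to confirm which ones the group actually uses.
            review.append((r["id"], "broad rule covers: " + ", ".join(matched)))
        else:
            policies.append({"group": group, "app": matched[0], "from": r["id"]})
    return policies, review

if __name__ == "__main__":
    policies, review = translate(VPN_RULES, SRC_GROUPS, APPS)
    for p in policies:
        print("POLICY", p)
    for rule_id, reason in review:
        print("REVIEW", rule_id, "-", reason)
```

On this sample only one of four rules converts cleanly; the review queue, not the clean conversions, is where the migration hours go.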
Parallel running. Run VPN and ZTNA in parallel for 60-180 days, with both licences active. Users transition gradually, with business-critical apps last. Skipping parallel running is the most common cause of migration failure, and it typically costs more than the parallel period itself because rollback under pressure is more costly.
Training and change management. ZTNA UX differs from VPN. Users accustomed to a full-tunnel VPN experience may not understand why some apps appear and others don't. Document the transition, provide a migration FAQ, run office-hours sessions during the cutover. Budget: $50-$150 per employee in training time.
Monitoring and alerting overhead. ZTNA generates significantly more telemetry than VPN. Plan to integrate ZTNA logs into the SIEM and tune alerts. First-month alert volume is typically 5-10x what the SOC expects.
ZTNA-only vs SASE - which is cheaper?
ZTNA-only platforms are dramatically cheaper than full SASE if you only need ZTNA. SASE wins when you genuinely need the bundled capabilities and do not have them already.
| Scenario | ZTNA-only platform (annual) | Full SASE platform (annual) | Best fit |
|---|---|---|---|
| 500 users, ZTNA-only need | $48K - $72K | $108K - $156K | ZTNA-only |
| 500 users, ZTNA + SWG need | $48K + $30K SWG = $78K | $108K - $156K (bundle) | Tier 2 ZTNA-Plus |
| 500 users, ZTNA + SWG + CASB + FWaaS | $48K + ~$120K bundled | $108K - $156K (bundle) | Full SASE |
| 2,000 users, full SSE need | $192K + ~$480K bundled | $432K - $612K (bundle) | Full SASE |
The economics flip as you genuinely need more components. Buy ZTNA-only if ZTNA is all you need. Buy SASE if you need three or more of the bundled components and would otherwise buy them separately.