Cybersecurity vendors have mastered the art of complexity-based pricing. CrowdStrike, Palo Alto Networks, Zscaler, Splunk, and Okta all use different licensing models designed to expand spend over time. This guide breaks down every major platform's cost structure and the negotiation tactics that actually move the needle.
Enterprise cybersecurity software spending has become one of the fastest-growing line items in IT budgets, yet it is also one of the least strategically managed. Most organisations have accumulated cybersecurity tools through reactive procurement — a breach response here, a compliance mandate there — without an integrated licensing strategy. The result is typically 30–50% higher spend than necessary, with significant capability overlap.
This pillar guide covers the licensing architecture and negotiation strategy for enterprise cybersecurity. Each major platform (CrowdStrike, Palo Alto Networks, Zscaler, Splunk, Okta, SentinelOne, and the major SIEM platforms) has its own dedicated sub-page with detailed pricing tables and vendor-specific tactics. Here we focus on the cross-cutting strategy that applies to all cybersecurity software negotiations.
Unlike vendors in traditional enterprise software categories such as ERP or CRM, cybersecurity vendors benefit from an additional negotiation asymmetry: the fear factor. Sales cycles exploit the implicit threat of breach to accelerate decisions and prevent competitive evaluation. Experienced negotiators recognise this tactic and counter it by separating the capability evaluation from the commercial negotiation, treating both as professional processes that deserve adequate time.
For guidance on specific vendor negotiations, see our articles on CrowdStrike Falcon Platform licensing, Palo Alto Networks licensing, Zscaler enterprise pricing, and Splunk enterprise licensing. Our broader IT contract negotiation strategy guide covers the foundational principles that apply across all vendor categories.
Cybersecurity vendors use at least six distinct licensing models, and most large platforms use different models for different product lines. Understanding the underlying unit economics — what the vendor is actually measuring and why — is the foundation of any negotiation strategy.
| Licensing Model | Typical Vendors | Unit of Measure | Negotiation Lever |
|---|---|---|---|
| Per Endpoint | CrowdStrike, SentinelOne, Carbon Black | Protected devices | Device count, module bundling, tier structure |
| Per User | Okta, Microsoft Entra, Ping Identity | Active directory users | Active vs total users, external identity pricing |
| Data Ingest Volume | Splunk, Elastic, Sumo Logic | GB/day or TB/year | Data tiering, compression, source filtering |
| Per Seat | Zscaler, Netskope, Lacework | Named or concurrent users | Peak vs average seat count, service bundling |
| Subscription Tier | Palo Alto Prisma, Cortex | Platform subscription level | Module selection, term length, commit discount |
| Network Throughput | Palo Alto NGFW, Fortinet, Juniper | Gbps/throughput capacity | Sizing methodology, burst allowance, HA discount |
| Workload/VM | Prisma Cloud, Lacework, Orca | Cloud workloads or containers | Active vs deployed, ephemeral workload treatment |
| API Calls | Some security analytics platforms | API transactions | Batch processing, caching, rate limits |
Many cybersecurity vendors are transitioning from point-product pricing to platform subscription models — CrowdStrike's Falcon Complete, Palo Alto's XSIAM, Microsoft's Defender suite. These bundles typically include capabilities you don't need, at a blended price that looks lower per-unit but higher in aggregate. Always model the cost of buying only what you need versus the platform bundle before committing to the platform deal.
Endpoint Detection and Response (EDR) is the most competitive cybersecurity category, with CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and Carbon Black (now Broadcom) all competing aggressively. This competition creates genuine negotiation leverage — the strongest available in any cybersecurity category.
EDR licensing is almost universally per-endpoint, but the definition of "endpoint" and the module structure vary significantly. CrowdStrike Falcon uses a modular architecture where the base platform is relatively inexpensive, and additional modules (IT Hygiene, Horizon, Identity Protection, etc.) stack on top. The average CrowdStrike enterprise deal includes 4–6 modules, making the total per-endpoint cost 2–4x the advertised base price.
SentinelOne uses a similar but somewhat simpler tier structure (Singularity Core, Control, Complete, Commercial, Enterprise). Microsoft Defender for Endpoint is licensed as part of Microsoft 365 E3/E5, making it extremely competitive for organisations already in Microsoft's ecosystem — though the security capability comparison with CrowdStrike is nuanced and highly deployment-dependent.
| EDR Platform | Base Price/Endpoint/Year | Full Platform Est. | Key Negotiation Lever |
|---|---|---|---|
| CrowdStrike Falcon | $8–15 | $25–55 | Competitive bids from SentinelOne; module unbundling |
| SentinelOne Singularity | $6–12 | $18–45 | CrowdStrike competition; tier rightsizing |
| Microsoft Defender E5 | Bundled ($57/user) | Included in M365 E5 | E3 vs E5 analysis; Defender vs third-party comparison |
| Broadcom Carbon Black | $10–18 | $20–40 | Post-acquisition confusion; switch threat credible |
| Palo Alto Cortex XDR | $12–20 | $25–50 | XSIAM platform deal bundling discount |
For detailed CrowdStrike module pricing, tier structures, and negotiation tactics, see our CrowdStrike enterprise licensing guide. For endpoint protection comparison including Microsoft Defender, see endpoint protection licensing comparison.
Network security licensing has undergone fundamental transformation with the rise of SASE (Secure Access Service Edge). Traditional on-premise next-generation firewall vendors (Palo Alto, Fortinet, Cisco) now compete with cloud-native SASE platforms (Zscaler, Netskope) for the same enterprise security budget. This creates cross-category negotiation leverage that sophisticated buyers exploit.
Palo Alto Networks has the most complex licensing portfolio in the cybersecurity industry, spanning Strata (next-generation firewall), Prisma (cloud security), and Cortex (XDR, XSOAR, XSIAM). Each division has its own pricing model and sales team. The Palo Alto "platform" pitch bundles all three, but most enterprises actually need a coherent strategy for each layer before deciding whether the platform discount justifies the lock-in.
Palo Alto Networks licensing on the NGFW side is capacity-based (throughput tiers), while Prisma Access is per-seat and Cortex XDR is per-endpoint. Zscaler's licensing is per-seat across its Internet Access and Private Access products, with Business, Business Plus, Transformation, and Unlimited tiers. Zscaler enterprise pricing is highly negotiable at enterprise scale, with 30–40% discounts achievable for multi-year, multi-product commitments.
SIEM (Security Information and Event Management) licensing is the most contentious category in enterprise cybersecurity procurement. Splunk's data-ingest pricing model is notorious for creating cost surprises as organisations grow their security monitoring scope. A security team that starts with 50GB/day of ingestion can easily reach 500GB/day within two to three years as they onboard cloud logs, endpoint telemetry, and application security data — driving a 10x cost increase on a product where base cost is already high.
The SIEM market has fractured significantly. Traditional vendors include Splunk (now part of Cisco), IBM QRadar, and Micro Focus ArcSight. Cloud-native alternatives include Microsoft Sentinel, Google Chronicle, and Elastic Security. Each has fundamentally different pricing models that create competitive pressure in renewal negotiations.
| SIEM Platform | Pricing Model | Indicative Cost | Key Negotiation Point |
|---|---|---|---|
| Splunk Enterprise/Cloud | Data ingest (GB/day) | $150–250/GB/day/year | Data tiering; workload pricing model; Cisco integration discount |
| Microsoft Sentinel | Data ingest (GB/day) | $2.46/GB (PAYG), lower committed | Defender 365 E5 bundle; Microsoft 365 entitlements |
| Google Chronicle | Per user + data | $45/user/month base | GCP EDP integration; flat-rate model for high-volume |
| IBM QRadar | Events per second (EPS) | $50K–200K+/year | EPS optimisation; QRadar on Cloud vs on-prem |
| Elastic Security | Ingest volume or hosts | $40–95/host/year | Open source alternative; host-based pricing |
| Exabeam / LogRhythm | Per user endpoint | $20–60/user/year | Splunk displacement pricing; MSSP partnership |
For detailed Splunk negotiation tactics and the workload pricing model explained, see our Splunk enterprise licensing guide. For a full comparison of SIEM platforms and total cost of ownership analysis, see SIEM platform cost comparison.
Identity and Access Management (IAM) has become a battleground between Okta, Microsoft Entra ID, and a range of challengers including Ping Identity, SailPoint, and CyberArk. For many enterprises, the IAM decision is entangled with the broader Microsoft licensing strategy — Entra ID P1 and P2 are included in Microsoft 365 E3 and E5 respectively, making Microsoft identity extremely cost-competitive for Microsoft-heavy shops.
Okta's licensing is per-user for its Workforce Identity Cloud (IT use case) and per-user or per-monthly active user for its Customer Identity Cloud (formerly Auth0, for customer-facing applications). Any Okta vs Azure AD licensing comparison should always include the cost of Microsoft licensing already in place: for most enterprises paying for M365 E3, the incremental cost of Entra ID is zero, which changes the economic case for Okta dramatically.
CyberArk's Privileged Access Management (PAM) licensing uses a per-account model for vault licenses and per-user for Endpoint Privilege Manager. CyberArk is consistently the most expensive IAM sub-category but also faces the least competition due to its dominant position in PAM — making renewal negotiation harder than other identity platforms.
Cloud security platforms — Cloud Security Posture Management (CSPM), Cloud Workload Protection (CWPP), and Cloud-Native Application Protection Platforms (CNAPP) — are among the fastest-growing licensing categories. Palo Alto Prisma Cloud, Wiz, Lacework, and Orca Security all compete in this space with workload-based or resource-based pricing models.
Wiz has disrupted the market with per-workload pricing that's significantly simpler than Prisma Cloud's multi-module model. For cloud-native organisations, Wiz's comprehensive visibility from a single agent-less platform is compelling, but the per-workload cost at scale can exceed Prisma Cloud bundles for large, complex environments. The competition between Wiz and Prisma Cloud is one of the strongest negotiation dynamics currently available in enterprise cybersecurity.
Microsoft Defender for Cloud is another wildcard — often included in existing Azure commitments, providing baseline CSPM coverage at minimal incremental cost. Many enterprises use Defender for Cloud as a baseline with Wiz or Prisma for deeper coverage, creating opportunities to negotiate on depth versus breadth coverage requirements.
Every major cybersecurity vendor is pushing a platform narrative. CrowdStrike's Falcon platform, Palo Alto's Strata/Prisma/Cortex trifecta, and Microsoft's Defender suite all promise integrated security at lower total cost than assembling best-of-breed point solutions. The financial case for platform consolidation is real — but so are the risks.
Before signing a platform deal, evaluate five factors: (1) Coverage completeness — does the platform genuinely cover your requirements or are there critical gaps? (2) Capability maturity — is each module best-in-class or simply "good enough"? (3) Lock-in risk — how costly is it to exit if the vendor raises prices or reduces capability post-consolidation? (4) True TCO — what is the all-in cost including professional services, integration, and management overhead? (5) Competitive dynamics — will platform adoption reduce your negotiation leverage at renewal?
The most sophisticated buyers use a hybrid approach: consolidate within each security domain (one EDR, one SIEM, one IAM platform) to reduce management complexity, while maintaining diversity across security domains (endpoint, network, identity, cloud) to preserve competitive leverage and avoid single-vendor catastrophic failure risk.
Platform bundling is the dominant commercial strategy across cybersecurity. CrowdStrike bundles EDR, identity protection, IT hygiene, and threat intelligence into Falcon Complete and Falcon Go. Palo Alto bundles NGFW, SASE, and XDR into multi-product "platform" deals. Microsoft bundles endpoint security, identity, cloud security, and SIEM into the Defender suite within Microsoft 365 E5.
The economic logic for buyers is real when bundles replace genuine standalone purchases. The risk is paying for bundled capabilities that duplicate existing investments or that represent future aspirations rather than current deployment plans. A disciplined bundle evaluation requires three steps: first, audit what you actually have deployed today; second, map bundle contents to current requirements with honest deployment probability assessments; third, calculate the true per-capability cost versus standalone alternatives for capabilities you will actually use.
For most enterprises, the Microsoft 365 E5 security bundle represents the most compelling value — particularly if already paying for M365 — because it includes Defender for Endpoint, Defender for Identity, Defender for Office 365, Microsoft Sentinel (with generous free data tier), and Entra ID P2 for a per-user price that competes with standalone alternatives at each layer. However, Microsoft security tools consistently underperform in independent capability benchmarks against CrowdStrike, Okta, and Splunk in complex threat scenarios. The cost vs capability tradeoff is a genuine decision that depends on your threat profile and security team maturity.