Reference

SASE Licensing & Pricing Guide

January 20, 20269 min readUpdated Feb 2026

TL;DR

SASE licensing is deliberately confusing — vendors use per-user, per-device, and bandwidth tiers to obscure true costs. Expect $15-45/user/month for full SASE. Watch for hidden costs: DEM often requires a separate license, DLP advanced features are premium tier, and bandwidth overages trigger surprise charges. Always negotiate multi-year commits for 20-30% discounts.

SASE licensing and pricing refers to the commercial models vendors use to charge for cloud-delivered security and networking services, typically structured as per-user, per-device, per-site, or bundled subscriptions with annual or multi-year terms. The honest reality of SASE pricing is that every vendor's published price list is a starting point for negotiation, and the total cost of ownership is typically 30-60% higher than the initial quote once you account for add-on features, premium support, professional services, and overage charges that surface after contract signature. This guide breaks down the pricing models, identifies the hidden costs, and gives you the negotiation leverage to avoid the most common traps.

Pricing models explained

Per-User Licensing

Per-user licensing charges a fixed annual fee for each named user who accesses the SASE platform. This is the most common model for SSE deployments where the primary use case is securing remote and office workers. Per-user pricing typically ranges from $8-30 per user per month depending on the vendor, license tier, and feature bundle. The advantage is predictability: you know your cost based on headcount. The trap is that 'user' definitions vary. Some vendors count every identity in your IdP directory, including service accounts and shared mailboxes. Others count only users who actually authenticate to the SASE agent. Clarify the counting method before signing.

Per-Device Licensing

Per-device licensing charges based on the number of endpoints running the SASE agent. This model penalizes organizations where users have multiple devices: a user with a laptop, tablet, and phone counts as three licenses. Per-device pricing ranges from $5-20 per device per month. Some vendors offer a hybrid model where a single user license covers 2-3 devices. Verify whether headless devices (IoT sensors, printers, conference room systems) that route traffic through the SASE platform require device licenses.

Per-Site Licensing

Per-site licensing is used for SD-WAN and branch connectivity, charging based on the number of sites connected to the SASE fabric. Pricing depends on bandwidth tier and site size, typically ranging from $500-5,000 per site per month. Large hub sites with multiple WAN links and hundreds of users cost more than small branch offices with a single broadband connection. The hidden cost here is bandwidth overage: if your site exceeds the licensed bandwidth tier, you pay premium rates for the excess or the vendor throttles your traffic.

Bundled and Tiered Pricing

Most vendors package SASE features into tiers: a base tier covering SWG and basic ZTNA, a mid tier adding CASB and DLP, and a premium tier including DEM, advanced threat prevention, and sandbox. The challenge is that the features you actually need often span multiple tiers. You might need base-tier SWG plus premium-tier DLP, forcing you into the premium tier and paying for features you will not use. Some vendors allow a la carte add-ons to lower tiers, which can be more cost-effective but creates licensing complexity.

Hidden costs that inflate TCO

Hidden Cost	Typical Impact	How to Avoid
DEM as a premium add-on	+10-20% of base license cost	Negotiate DEM inclusion in the base license or get a bundled price during initial contract
Premium support tier (TAC priority, dedicated CSM)	+15-25% of base license cost	Include premium support in the RFP requirements so it is priced into the initial quote
Professional services for deployment and migration	$50K-$200K one-time for mid-market	Negotiate PS credits as part of the deal, especially for multi-year commitments
API access at higher rate limits	+5-10% or separate metered pricing	Verify API rate limits in the base license; request unlimited API for automation use cases
Log retention beyond default period	$0.50-2.00 per GB/month for extended retention	Understand default retention (often 30-90 days) and budget for SIEM-based long-term storage
Overage charges when user count exceeds license	110-150% of per-user rate for excess users	Negotiate a 10-15% buffer above licensed count before overage pricing applies
SSL/TLS inspection certificate management tools	Sometimes requires separate PKI product	Confirm that root CA certificate generation and distribution is included in the platform
Advanced DLP features (EDM, IDM, OCR)	Only in highest license tier at some vendors	If DLP is a priority, test EDM/IDM during PoC and verify which tier includes them
Multi-tenant management for MSPs	May require separate management SKU	MSPs should request multi-tenant pricing as part of the partner agreement, not retail SKU pricing
Training and certification for operations team	$2K-5K per person for vendor certification	Negotiate training credits into the contract, especially for multi-year commitments

Market pricing benchmarks (2026)

SASE pricing data is deliberately opaque — vendors do not publish list prices because every deal is negotiated. The ranges below are compiled from publicly available sources, industry benchmarks, and deployment experience as of early 2026. According to Gartner, enterprises should expect $15 to $40 per user per month for comprehensive SASE solutions encompassing the full SSE stack plus SD-WAN. SSE-only deployments cluster in the $8 to $25 range. These benchmarks give you a sanity check on any vendor quote: if a vendor quotes significantly above these ranges without clear justification (advanced DLP, premium support, global PoP requirements), you have room to negotiate.

Vendor	Typical range (per user/month)	Notes
Cisco Secure Access	$15-22	Mid-tier SSE pricing. ThousandEyes DEM and Catalyst SD-WAN licensed separately, adding $3-8 per user.
Fortinet FortiSASE	$7-16	Most aggressive pricing in market. ZTNA-only starts at $7/user/month with 25-user minimum and 12-month term. Full FortiSASE bundle at $10-16.
Palo Alto Prisma Access	$14-28	Enterprise benchmarks show $14-22 for mid-tier. Premium tier with advanced DLP, sandboxing, and CASB API mode pushes to $22-28.
Zscaler ZIA + ZPA	$8-15	SSE-only (no native SD-WAN). Base ZIA+ZPA bundle around $8-10. Advanced features (DLP, CASB inline, browser isolation) push to $12-15.
Check Point Harmony SASE	$10-18	Competitive mid-market pricing. Simpler tier structure but fewer advanced features at lower tiers.

Vendor pricing model comparison

Dimension	Cisco Secure Access	Fortinet FortiSASE	Palo Alto Prisma SASE	Check Point Harmony SASE
Primary model	Per-user, tiered	Per-user and per-device	Per-user, tiered	Per-user, flat
Typical per-user/month (mid tier)	$15-22	$10-16	$20-28	$10-18
DEM included	No (ThousandEyes separate)	Basic included, advanced extra	Included in higher tiers	Basic only
DLP included	Mid tier and above	All tiers (basic)	Mid tier and above	Mid tier and above
CASB API mode	Mid tier and above	Higher tiers	Mid tier and above	Limited
SD-WAN licensing	Separate (Catalyst SD-WAN)	Bundled with FortiSASE	Separate (Prisma SD-WAN)	Separate (Quantum)
Multi-year discount	15-25% for 3-year	10-20% for 3-year	15-30% for 3-year	10-20% for 3-year
Minimum commit	Varies by deal size	Often 100 users	Often 200 users	Often 50 users
True-up frequency	Annual	Annual	Annual or quarterly	Annual

These price ranges are based on publicly available data, Gartner benchmarks, and industry sources as of early 2026. Actual pricing varies significantly based on deal size, existing vendor relationship, competitive pressure during negotiation, and regional market conditions. Always get a custom quote based on your specific requirements and run a competitive process with at least two vendors.

Negotiation strategies

First, always negotiate with at least two vendors in active competition. SASE vendors will drop pricing 15-30% when they know a competitor is in the final round. Second, negotiate the three-year TCO, not the year-one price. Vendors often offer a steep year-one discount that increases in years two and three. Get price caps in writing for the full contract term. Third, bundle everything into the initial deal. DEM, premium support, professional services, and training credits are easier to negotiate during the initial purchase than as add-ons after you are already deployed and locked in.

Fourth, challenge the user count. If the vendor counts IdP directory users, push back with 'active user' counting that only bills for users who authenticate to the SASE agent at least once per month. This alone can reduce your license cost by 20-30% if you have seasonal workers, inactive accounts, or a large contractor population. Fifth, negotiate exit terms before you sign. SASE contracts with 12-month notice periods and no data portability provisions trap you into renewal. Push for 90-day termination notice, data export in standard formats, and migration assistance credits if you switch vendors.

TCO modeling template

Build your three-year TCO model with these line items to capture the full cost picture. Sum all categories and compare across vendors using the same assumptions.

Base license: per-user or per-device fees times your user/device count times 36 months
Site licensing: per-site fees times your site count times 36 months (if SD-WAN is included)
Add-on features: DEM, advanced DLP, sandbox, RBI, and any feature not in the base tier
Support: standard vs. premium tier times 36 months
Professional services: deployment, migration, policy design, and integration
Training: vendor certification for your operations team (typically 2-4 people)
Internal labor: FTE time for deployment, ongoing operations, and policy management
Log storage: overage charges if log retention exceeds the default included period
Overage buffer: 10% contingency for user count growth and unplanned add-ons

Sources & further reading

Gartner, "Market Guide for Single-Vendor SASE" — gartner.com/reviews/market/single-vendor-sase
Cisco, "Cisco Secure Access Ordering Guide" — cisco.com/c/en/us/products/security/secure-access/ordering-guide
Fortinet, "FortiSASE Licensing Overview" — fortinet.com/products/sase
Palo Alto Networks, "Prisma SASE Licensing" — paloaltonetworks.com/sase
Check Point, "Harmony SASE Pricing" — checkpoint.com/harmony/sase

Vendor pricing estimates 2026

These are estimated price ranges based on publicly available data, peer reviews, and enterprise deal reports. Actual pricing varies by user count, contract term, feature tier, and negotiation. Always get a direct quote from the vendor.

Vendor	SSE Per-User/Mo	SD-WAN	Full SASE Estimate (5,000 users/yr)	Notes
Cloudflare One	$0 (≤50 users) / $7 PAYG	Magic WAN included	$42K–60K	Only vendor with published pricing and free tier
Fortinet FortiSASE	$6–12	FortiGate hardware separate	$50K–85K	20-40% cheaper than Palo Alto; sovereign SASE options
Cato Networks	$8–14	Included + Socket hardware	$65K–110K	No separate SSE/SD-WAN SKUs — single platform price
Cisco Secure Access	$10–16	Catalyst SD-WAN separate	$80K–120K	ThousandEyes DEM adds $3-6/user; MSP pricing available
Netskope One	$8–16	Borderless SD-WAN included	$60K–110K	Full CASB/DLP in standard tier unlike Zscaler
Zscaler	$8–18	Zero Trust SD-WAN separate	$70K–130K	Price escalates dramatically between Business and Transformation tiers
Palo Alto Prisma SASE	$14–22	Prisma SD-WAN +$3-5/user	$100K–160K	Premium positioning; deepest security features
Check Point Harmony SASE	$8–14	Partner SD-WAN	$55K–95K	Infinity bundle pricing can reduce per-unit cost

Hidden costs to budget for

TLS inspection certificate deployment: Budget 2-4 weeks of engineering time for root CA distribution across all managed devices. Unmanaged devices need a separate strategy (clientless ZTNA or RBI).
Bypass policy maintenance: TLS inspection breaks 5-15% of applications (certificate-pinned apps, financial platforms, healthcare portals). Maintaining bypass lists is an ongoing operational cost.
Agent deployment and support: Every SSE vendor requires an endpoint agent. Budget 30-60 minutes per device for initial deployment, plus ongoing helpdesk tickets for agent conflicts with EDR/AV software.
Professional services: Most vendors recommend 40-80 hours of professional services for initial deployment. At $250-400/hour, that's $10K-32K before users touch the platform.
True-up enforcement: Zscaler and Palo Alto aggressively enforce user count true-ups. If you exceed licensed user counts, expect invoices for the overage at list price within 30-60 days.
DEM licensing: Basic DEM is increasingly included, but advanced features (synthetic monitoring, ISP-level path analysis, historical trending) often require premium DEM licensing at $2-6/user/month extra.

TCO comparison framework

When comparing SASE TCO, use this framework: (1) Per-user SSE licensing × user count × 36 months, (2) SD-WAN hardware or licensing for all branch sites, (3) Professional services for deployment, (4) Internal engineering time for migration (typically 0.5-1.0 FTE for 6 months), (5) Ongoing operational overhead (policy tuning, bypass list management, agent updates), (6) DEM and advanced feature add-on licensing. The per-user price is only 40-60% of total three-year cost — hidden costs account for the rest.

For a 5,000-user organization with 20 branch offices, three-year TCO ranges from roughly $180K (Cloudflare, minimal deployment) to $550K+ (Palo Alto with full SASE, professional services, and premium DEM). The median across all vendors is approximately $300K-400K for three years.

Frequently asked questions

Vendors deliberately avoid publishing list prices because pricing is heavily dependent on deal size, competitive dynamics, and existing vendor relationships. A 500-user deal and a 50,000-user deal have completely different per-user economics. Vendors also want the flexibility to discount aggressively when competing for strategic accounts. The lack of price transparency benefits vendors at the expense of buyers, which is why running a competitive RFP with at least two vendors is essential.

Usually, but not always. Three-year contracts offer 15-30% discounts over annual pricing, but they also lock you in. If the vendor's product quality declines, support degrades, or a better alternative emerges, you are stuck. The sweet spot for most organizations is a 3-year contract with an annual opt-out clause after year one, triggered by documented SLA failures. This is negotiable but vendors will resist it.

Yes. Even experienced network and security teams benefit from vendor professional services during initial deployment. The vendor's PS team knows the platform's quirks, common pitfalls, and optimal configuration patterns. Budget $50K-$150K for a mid-market deployment (1,000-5,000 users) or $150K-$500K for enterprise (5,000-50,000 users). Negotiate PS credits as part of the license deal rather than purchasing them separately at retail rates.

When a SASE contract expires without renewal, vendors typically provide a 30-60 day grace period during which the service continues operating but you cannot make policy changes. After the grace period, enforcement stops: traffic bypasses inspection, ZTNA tunnels drop, and DLP policies cease. Your data (logs, configurations, policies) is retained for a limited period (usually 90 days) before deletion. Start renewal negotiations 6 months before expiration to maintain leverage.

Related on sase.cloud

Cisco Review →Fortinet Review →Palo Alto Review →Check Point Review →

More references

SASE Glossary: Every Term Defined

A comprehensive SASE glossary with 40+ terms defined for network engineers and security practitioners. Covers SASE, SSE,...

SASE RFP Template: What to Ask Vendors

SASE RFP template with categorized requirements for SSE, SD-WAN, management, SLAs, and pricing. Compare vendors on what ...

SASE Vendor Rankings 2026: Independent Scoring

Independent 2026 SASE vendor rankings scoring all 8 major vendors — Cato Networks, Cisco, Fortinet, Palo Alto, Zscaler, ...

Get the next guide in your inbox

One email per publish. Unsubscribe anytime.

ShareLinkedIn X

Was this helpful?

← Previous