The Cisco Secure Portfolio: What You Are Licensing

Cisco's security portfolio, branded as Cisco Secure, encompasses products across five major security domains: network security (firewall and IPS), cloud security (Umbrella, CASB), identity and access (Duo), endpoint security (Cisco Secure Endpoint, formerly AMP), and extended detection and response (XDR, SecureX). Each domain has a distinct licensing architecture, and many products within each domain have their own tier structures, feature add-ons, and consumption-based components.

The complexity is not accidental. Cisco has grown its security portfolio through acquisition — Sourcefire (Firepower), Meraki (cloud-managed security), Observable Networks (network analytics), Duo Security, Umbrella/OpenDNS, and AppDynamics all originated outside Cisco and retain distinct product architectures and licensing conventions. Buyers who have assembled their Cisco security stack piecemeal over time often find themselves managing six or more separate renewal streams with different term dates, different account management contacts, and no consolidated view of their Cisco Secure spend.

Client Example: In one recent engagement, a financial services organization was paying $8.7M annually for fragmented Cisco Secure products with misaligned renewal dates and over-tiered Umbrella deployments. Through spend audit and Security EA consolidation, Redress negotiated a 23% reduction in total annual cost while improving license co-termination. The engagement fee was less than 8% of the first-year cost recovery.

The SecureX Integration Platform

Cisco SecureX is a cloud-native platform designed to integrate the Cisco Secure portfolio into a unified management, investigation, and automation interface. SecureX is included with every Cisco Secure product licence at no additional charge — it is not a separate SKU that must be purchased. However, maximising value from SecureX requires active integration of the underlying products, and organisations with fragmented Cisco security deployments often find that SecureX's integration value is limited until the connected product set reaches a critical mass.

SecureX is evolving into Cisco XDR (Extended Detection and Response), which provides a more comprehensive threat detection and response capability beyond the integration function of the original SecureX platform. The transition from SecureX to Cisco XDR introduces new licensing considerations that buyers should clarify when negotiating new Cisco Secure agreements.

Managing fragmented Cisco security renewals across multiple products?

We consolidate and benchmark Cisco Secure spend across the full portfolio.
Get a Review →

Cisco Umbrella Licensing

Cisco Umbrella is a cloud-delivered secure web gateway and DNS security platform that provides internet security and visibility for users on and off the corporate network. Umbrella is licensed on a per-user, per-month subscription basis across four tiers: DNS Security Essentials, DNS Security Advantage, SIG Essentials, and SIG Advantage (where SIG stands for Secure Internet Gateway).

Umbrella Tier Structure

DNS Security Essentials provides foundational DNS-layer security with malware blocking, phishing protection, and basic content filtering. This is the minimum tier for organisations seeking to use Umbrella for DNS-based threat protection and is priced from approximately $2.25 per user per month at enterprise volume.

DNS Security Advantage adds threat intelligence integration, identity-based policies, and more granular URL filtering — appropriate for organisations that require policy enforcement at the URL level rather than only at the DNS layer. SIG Essentials extends the offering to a full secure web gateway capability with SSL inspection, cloud-delivered firewall, and CASB functionality. SIG Advantage is the top tier, adding data loss prevention (DLP), remote browser isolation, and the full Cisco SASE integration.

The commercial implication of this tier structure is that organisations which initially deploy Umbrella for DNS security and later require SIG-level capabilities face a material mid-term upgrade cost. Buyers should model future capability requirements before committing to a DNS-only tier on a three-to-five-year term.

Umbrella Roaming Client and AnyConnect Integration

For mobile and remote users, Cisco Umbrella integrates with the Cisco AnyConnect Secure Mobility Client (now Cisco Secure Client) to extend DNS security coverage to off-network devices without requiring a full VPN connection. This integration is a key selling point for the Umbrella DNS tiers, but requires AnyConnect licences and the Umbrella Roaming Security module, which is an add-on to standard Umbrella subscriptions and adds per-user cost.

Cisco Duo Licensing

Cisco Duo is a market-leading identity security platform providing multi-factor authentication (MFA), device trust, single sign-on, and zero trust access enforcement. Duo was acquired by Cisco in 2018 and has grown significantly in enterprise adoption, with a licensing model that has evolved from a relatively simple per-user structure to a tiered product with distinct feature sets at each tier.

Duo Tier Structure

Duo offers four commercial tiers: Free (up to 10 users), MFA, Access, and Beyond. The MFA tier provides basic multi-factor authentication across on-premises and cloud applications. The Access tier adds device health checks, adaptive MFA policies based on device posture, and basic zero trust access controls. The Beyond tier is the full Duo Zero Trust implementation, including network and endpoint visibility, certificate-based device authentication, and the full Trusted Endpoints framework.

Enterprise pricing for Duo MFA starts from approximately $3 per user per month at volume, with Access tier ranging from $6 to $9 per user per month and Beyond tier pricing negotiated based on deployment scale. Cisco has been increasing Duo list prices since the acquisition, and buyers with older Duo contracts or renewals approaching should validate their current rate against current benchmarks.

Duo Within the Cisco Zero Trust Strategy

Cisco positions Duo as the identity pillar of its Zero Trust architecture, alongside Umbrella (cloud security), Cisco Secure Endpoint (endpoint security), and Cisco SD-WAN (network access). Buyers who are building a Cisco Zero Trust strategy should model the cumulative licensing cost across these components before committing to the architecture, as the combined per-user cost of the full Cisco Zero Trust stack can be significant relative to competing SASE platforms.

"Organisations that assemble the Cisco Zero Trust stack piecemeal often discover at renewal that the cumulative per-user cost exceeds single-vendor SASE alternatives from Zscaler, Netskope, or Palo Alto Prisma. Total cost of ownership modelling should precede architecture commitment."

Cisco Firepower and Secure Firewall Licensing

Cisco's network firewall platform is branded Cisco Secure Firewall and is built on Firepower NGFW technology, originating from the 2013 Sourcefire acquisition. Secure Firewall is sold in both hardware appliance form (Firepower appliances) and as virtual and cloud-native deployments (Cisco Secure Firewall Threat Defense Virtual).

Firewall Appliance and Software Licensing

Physical Firepower appliances include the base hardware cost plus annual subscription licences for threat intelligence, URL filtering, malware protection, and remote access VPN. The key subscription components are Cisco Smart Net Total Care (hardware support), Cisco Secure Firewall Threat Defense (base IPS subscription), and optional add-ons including URL Filtering, Advanced Malware Protection (AMP), and Cisco Secure Client (formerly AnyConnect) for remote access VPN.

Buyers who have purchased Firepower hardware and then add subscription features annually are typically paying significantly above what an EA or multi-year subscription would provide. The cumulative discount available for consolidating Firepower subscriptions into a multi-year agreement with Cisco is often 15 to 25 percent below annual standalone pricing.

Firepower Management Centre Licensing

Cisco Firepower Management Centre (FMC) is the on-premises management platform for Cisco Secure Firewall deployments. FMC is licensed by the number of managed devices, and the per-device licence costs are a frequently underestimated component of the total Firepower deployment cost. Cloud-hosted FMC (Cisco Defence Orchestrator for cloud-managed Secure Firewall) provides an alternative management model with different licensing economics.

Cisco Secure Endpoint Licensing

Cisco Secure Endpoint (formerly Advanced Malware Protection for Endpoints, or AMP) is Cisco's endpoint detection and response (EDR) platform. Secure Endpoint competes directly with CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint in the EDR market, where it consistently ranks as a credible but not market-leading option in independent evaluations such as MITRE ATT&CK and SE Labs.

Secure Endpoint Tier Structure

Cisco Secure Endpoint is offered in Essentials, Advantage, and Premier tiers, corresponding to increasing levels of investigation capability, threat intelligence depth, and response automation. Essentials provides core endpoint protection and basic investigation. Advantage adds extended incident response capabilities and integration with Cisco SecureX/XDR. Premier adds Cisco-managed threat hunting and the highest tier of threat intelligence integration.

Secure Endpoint Versus Market Alternatives

CrowdStrike Falcon and SentinelOne consistently score above Cisco Secure Endpoint in independent EDR benchmark evaluations for detection accuracy, false positive rates, and automated response capability. This is an important consideration for organisations building security architectures: the Cisco security integration story is compelling for organisations already deeply invested in Cisco infrastructure, but the individual endpoint protection capability of Cisco Secure Endpoint is weaker than specialist EDR alternatives at comparable price points.

For organisations where endpoint protection capability is the primary driver — particularly those facing sophisticated threats or in regulated industries with specific EDR requirements — a best-of-breed EDR evaluation alongside Cisco Secure Endpoint is warranted before committing to the Cisco architecture.

Is your Cisco Secure Endpoint pricing competitive versus CrowdStrike or SentinelOne?

We provide independent head-to-head cost and capability comparisons for enterprise security decisions.
Request Comparison →

The Cisco Security Enterprise Agreement

Cisco offers a Security Enterprise Agreement that consolidates Cisco Secure products under a single multi-year agreement with unified pricing, co-termination, and not-to-exceed pricing for the agreement term. The Security EA is structured similarly to the Cisco networking and collaboration EAs, with full commit suites covering the security domains included in the agreement.

Security EA Structure and Minimum Requirements

The Security EA minimum TCV is $100,000, the same as other Cisco EAs. Customers select the Cisco Secure products to include in the agreement, and Cisco prices the bundle at a discount to the equivalent standalone annual pricing. The discount quantum depends on the size of the commitment, the competitive context, and the range of products included.

Products commonly included in Security EAs include Cisco Umbrella, Cisco Duo, Cisco Secure Endpoint, Cisco Secure Firewall subscriptions, and Cisco Secure Email. Products outside the standard Security EA scope — such as Cisco Identity Services Engine (ISE) or Cisco Stealthwatch (now Cisco Secure Network Analytics) — may be added as supplementary line items or negotiated separately.

Security EA versus Standalone Licensing

The commercial case for a Security EA is strongest when the organisation has a large deployed base of multiple Cisco Secure products with fragmented renewal dates, when renewal negotiations are approaching simultaneously for several products, and when there is genuine multi-year commitment to the Cisco security architecture. In these circumstances, the Security EA consolidation discount of 15 to 30 percent below equivalent standalone pricing is achievable.

The case is weaker when the organisation is still evaluating whether to standardise on Cisco security, when competitive alternatives are under active evaluation for some security domains, or when the organisation's Cisco security deployment is limited to one or two products. In these scenarios, standalone negotiated pricing for individual products often delivers better commercial outcomes with greater flexibility.

Cisco Security Pricing Compared to Best-of-Breed

The Cisco security portfolio competes across all major security domains, but its pricing and capability positioning varies by domain. Understanding where Cisco is competitively priced versus where it carries a premium or capability gap is essential for making informed architecture decisions.

Network Security (Firewall)

Cisco Secure Firewall competes with Palo Alto Networks NGFW, Fortinet FortiGate, and Check Point. Palo Alto Networks is positioned as the premium leader with the highest capability scores in independent evaluations, and correspondingly higher pricing. Fortinet FortiGate is the most cost-effective option at comparable throughput, with a combined NGFW and SD-WAN capability that reduces total WAN infrastructure cost. Cisco Secure Firewall is positioned between these, with strong integration into the Cisco ecosystem but weaker price-performance than Fortinet and lower security effectiveness ratings than Palo Alto in many evaluations.

Cloud Security (Web Gateway and CASB)

In the cloud security gateway market, Cisco Umbrella competes with Zscaler Internet Access and Netskope. Zscaler is the market share leader in cloud-native SASE deployments and is generally regarded as the most scalable cloud security gateway architecture. Netskope offers superior data visibility and DLP capabilities. Cisco Umbrella is competitive for organisations seeking DNS-layer security at lower entry price points and for those already committed to the Cisco security ecosystem.

Identity (MFA and Zero Trust)

Cisco Duo is a strong competitor in MFA and device trust, and is widely regarded as market-leading in usability and deployment simplicity. Its primary competitors — Microsoft Entra ID (formerly Azure AD), Okta, and Ping Identity — are all credible alternatives. For organisations standardised on Microsoft 365, Entra ID P2 provides comparable MFA and conditional access capability that may be included in existing E5 or E5 Security licences, making Duo a duplicative cost.

Common Cisco Security Licensing Mistakes

Based on our advisory work across more than 120 Cisco security licensing assessments, the following mistakes appear consistently and are avoidable with proper commercial management.

  • Over-tiering Umbrella: Purchasing SIG Advantage for all users when DNS Security Advantage meets the actual security requirements of the majority of the user population. Tiered deployment matching Umbrella tier to user role and risk profile typically reduces per-user cost by 20 to 35 percent.
  • Treating Duo as a commodity renewal: Renewing Duo at list pricing without benchmarking against Microsoft Entra ID P2 (potentially already licensed in E5) or alternative MFA vendors. For Microsoft-heavy environments, Duo represents an incremental cost that may be largely avoidable.
  • Separate annual renewals instead of multi-year: Renewing Cisco Secure Endpoint, Umbrella, and Duo separately as annual renewals rather than consolidating into a multi-year agreement. Three-year terms typically deliver 15 to 25 percent additional discount versus one-year renewals.
  • Accepting the first Security EA proposal: Cisco Security EA proposals are negotiable. Line-item pricing visibility is achievable, and independent benchmarking of Security EA pricing against peer transactions consistently identifies improvement opportunities.
  • Not evaluating alternatives at renewal: The competitive security market provides genuine leverage at Cisco renewal. Documenting an evaluation of Palo Alto Networks, Zscaler, or CrowdStrike — even if the outcome is to renew with Cisco — creates commercial pressure that translates into better pricing.

Cisco Identity Services Engine (ISE) Licensing

Cisco Identity Services Engine (ISE) is Cisco's network access control (NAC) and policy enforcement platform, providing device authentication, network segmentation, and zero trust network access enforcement at the infrastructure layer. ISE is licensed separately from the Cisco Secure portfolio's subscription products and represents a significant additional cost for organisations deploying it at enterprise scale.

ISE Licence Structure

ISE is sold in Plus, Apex, and Device Administration add-on licences layered on top of a base ISE licence. ISE Base is required for all deployments and covers basic network admission control. ISE Plus adds profiling, posture assessment, guest access, and BYOD onboarding. ISE Apex adds advanced threat mitigation, Stealthwatch integration for threat-centric NAC, and passive identity sharing. The Device Administration add-on is required for TACACS+ device administration functionality.

ISE pricing is based on the number of concurrent endpoints (devices connecting to the network), and the licences are perpetual with annual Software Support Service (SWSS) maintenance. The shift from perpetual ISE licences to subscription-based ISE (Cisco moved to ISE subscription licensing for new purchases) creates a significant commercial question for organisations with existing perpetual ISE investments: when to migrate to subscription, and at what cost compared to continuing perpetual plus SWSS.

ISE Integration with Cisco Secure Portfolio

ISE integrates with the broader Cisco Secure portfolio through pxGrid, Cisco's context exchange infrastructure, allowing ISE device and user context to be shared with other Cisco security products including Firepower, Secure Network Analytics, and Secure Endpoint. This integration creates genuine architectural value for Cisco-standardised environments, but adds to the complexity of commercial management because ISE, Firepower, and Secure Endpoint have different licensing mechanisms and renewal cycles.

Cisco Secure Email Licensing

Cisco Secure Email (formerly Cisco Email Security) is an enterprise email security gateway available in hardware appliance (ESA — Email Security Appliance), virtual, and cloud-delivered deployment models. Cisco Secure Email Cloud Mailbox is the SaaS delivery model, providing email threat protection integrated directly with Microsoft 365 and Google Workspace via API.

Cisco Secure Email licensing is per user per year, with tiered feature sets covering basic anti-spam and anti-malware, advanced phishing protection and impersonation defence, and cloud-delivered threat intelligence integration. For Microsoft 365 customers, Cisco Secure Email competes directly with Microsoft Defender for Office 365 P2, which is included in Microsoft E5 or available as an add-on. Organisations paying for both Cisco Secure Email and Microsoft Defender for Office 365 should audit whether they are receiving incremental security value or carrying duplicate coverage — a situation we encounter in approximately 30 percent of Cisco security portfolio reviews.

Cisco Security Licensing Optimisation Framework

A structured approach to Cisco security licensing optimisation covers three phases: spend audit, benchmarking, and negotiation preparation. Each phase builds on the previous and ensures that the negotiation is grounded in factual spend data and market-based pricing intelligence.

Phase 1: Spend Audit and Consolidation

Consolidate all Cisco Secure product renewal dates, licence counts, per-unit pricing, and subscription tiers into a single view. Map actual deployment against licence entitlement for each product. Identify renewal date fragmentation and co-termination opportunities. Review tier utilisation to identify over-tiered deployments.

Phase 2: Benchmarking

Compare your per-unit pricing for each Cisco Secure product against our database of comparable enterprise transactions. Identify which products carry the greatest premium above market benchmarks. Model alternative licensing structures — Security EA versus standalone, multi-year versus annual, tier optimisation — and quantify the potential savings for each scenario.

Phase 3: Negotiation Preparation

Develop a negotiation strategy that sequences Cisco commercial conversations to maximise leverage. Where competitive evaluation is warranted, document the evaluation process and timeline. Prepare commercial arguments for each pricing improvement target. Identify the decision stakeholders at Cisco who must approve discount escalation requests, and time the negotiation engagement to align with Cisco's fiscal quarter-end pressure points.