Cisco Security Licensing Guide 2026: Umbrella, Duo, XDR and the Security EA Explained

Cisco Security Portfolio Overview

Cisco's security portfolio has consolidated significantly since the acquisitions of Duo Security (2018), CloudLock (2016), and the development of Cisco XDR from its SecureX platform. The result is a portfolio that spans every layer of enterprise security — from DNS filtering at the network edge, through identity and device trust, to detection and response at the SOC level — sold either as individual products or as a unified Security Enterprise Agreement.

For enterprise procurement teams, the challenge is not evaluating the security capability — it is understanding a licensing landscape where each product has its own tier structure, its own pricing model, and its own renewal calendar, and where the bundled Security EA can appear to simplify things while actually concealing total cost from buyers who do not model it carefully.

Understanding how Cisco's security products interact with the broader Cisco Enterprise Licence Agreement structure is essential before any purchase decision. The Security EA is a subset of the full ELA framework, and enterprises that have an existing ELA relationship with Cisco should understand how security product purchases interact with their overall spend commitment.

Cisco Umbrella: DNS Security and SIG Tiers

What Umbrella Does

Cisco Umbrella provides cloud-delivered security at the DNS layer and, in its higher tiers, a full Secure Internet Gateway (SIG) that includes cloud firewall, intrusion prevention, cloud access security broker (CASB), and data loss prevention (DLP). The product originates from the acquisition of OpenDNS and remains the market-leading DNS security platform for enterprise environments.

Umbrella enforces security policies at the DNS resolution stage — before a connection is established to a malicious domain, command-and-control server, or phishing site. This makes it effective at blocking threats that evade endpoint-level controls and provides coverage for unmanaged devices, IoT, and guest network segments that cannot run endpoint agents.

The Four Umbrella Tiers

DNS Security Essentials is the entry tier, providing DNS-layer threat intelligence, basic content filtering, and reporting. This tier covers the fundamental use case — blocking connections to known malicious domains — at the lowest price point. At list prices, DNS Security Essentials runs approximately $2.25 to $3.70 per user per month depending on volume, with enterprise negotiated rates typically 20 to 30 percent below list.

DNS Security Advantage adds intelligent proxy for deep inspection of risky domains, cloud delivered firewall (layer 3 and 4), and integration with Cisco Talos threat intelligence. This tier is appropriate for enterprises requiring more than basic DNS filtering — particularly those with branch offices, remote workers, and IoT infrastructure needing consistent policy enforcement without a VPN dependency.

SIG Essentials introduces full Secure Internet Gateway capabilities: application-layer cloud firewall (layer 7), CASB for cloud application visibility and control, interactive threat investigation via Cisco Investigate, and remote browser isolation. SIG Essentials is the starting point for organisations adopting SASE (Secure Access Service Edge) architecture, replacing traditional on-premises firewalls and web proxies with cloud-delivered controls. Pricing at SIG Essentials tier runs approximately $4.15 to $6.50 per user per month at enterprise volumes.

SIG Advantage is Cisco's most comprehensive Umbrella offering, adding advanced DLP, cloud malware detection and remediation, user and entity behaviour analytics (UEBA), and the full suite of CASB controls for managed and unmanaged applications. SIG Advantage is positioned as the complete SASE solution within the Cisco portfolio, typically priced at $6.50 to $9.00 per user per month at enterprise negotiated rates. For the full tier-by-tier breakdown, see our dedicated Cisco Umbrella SIG and DNS Security licensing guide.

Umbrella Pricing Dynamics

All Umbrella pricing is quote-based — Cisco does not publish list prices for SIG tiers. The practical effect is that the starting point for any commercial negotiation is Cisco's initial quote, which is invariably above where the deal will land. Enterprises with 5,000 users or more have genuine leverage to push SIG Advantage pricing to the lower end of the range. Multi-year commitments (three-year deals are Cisco's preference) unlock additional discount in the 10 to 15 percent range above one-year pricing.

Umbrella is also available within the Cisco Security EA, where the per-user blended rate across the full Security EA often makes SIG Essentials or SIG Advantage more cost-effective than purchasing Umbrella standalone, particularly when Duo is also being purchased.

Cisco Duo: MFA and Zero Trust Access Editions

What Duo Does

Cisco Duo provides multi-factor authentication, single sign-on, device trust, and — in higher tiers — zero trust network access (ZTNA). Acquired by Cisco in 2018, Duo has maintained its position as the market's most widely deployed MFA platform, with a reputation for ease of deployment, broad application support, and user experience quality that distinguishes it from enterprise IAM alternatives.

Duo's licensing architecture has evolved significantly since its acquisition. The current tier structure reflects Cisco's integration of Duo into its broader Identity and Access Management strategy, with higher tiers now including capabilities from Cisco's Identity Intelligence platform that go beyond pure MFA into identity security posture management (ISPM) and identity threat detection and response (ITDR).

Duo Edition Breakdown

Duo Free covers up to 10 users with push notifications, SMS passcodes, and basic application integrations. This tier is suitable for testing and small team deployments but has no commercial viability at enterprise scale.

Duo Essentials at $3 per user per month is the entry commercial tier, providing phishing-resistant MFA, passwordless authentication, single sign-on, Duo Directory for user management, and an AI-powered assistant. Essentials is the right tier for organisations whose primary requirement is strong authentication with SSO — covering the core zero trust identity verification use case without the additional overhead of advanced device trust or network access controls. Enterprise volumes (5,000+ users) typically achieve 15 to 25 percent below the published $3 rate.

Duo Advantage at $6 per user per month adds Cisco Identity Intelligence (cross-identity visibility, ISPM, ITDR), Duo Passport (continuous session verification), session theft protection, Active Directory Defence against credential attacks, and risk-based authentication that adapts to contextual signals. Advantage is appropriate for organisations that have deployed MFA broadly and are now seeking identity threat detection capabilities — particularly those in regulated industries where ISPM audit trails are a compliance requirement.

Duo Premier at $9 per user per month unlocks the full Cisco Zero Trust access stack: VPN-less remote access to private applications (ZTNA), agentic IAM capabilities for automated identity lifecycle management, comprehensive device trust with endpoint posture checking, and full zero trust architecture coverage. Premier is the appropriate tier for organisations replacing traditional VPN infrastructure with zero trust network access, or those whose zero trust roadmap requires unified policy enforcement across user identity and device health. For the full tier cost analysis, see our Cisco Duo MFA licensing tiers and cost guide.

Duo Pricing Considerations

Duo's published pricing is unusual in that it is actually published — unlike most Cisco security products. The $3/$6/$9 per user per month structure is Cisco's current published list pricing. Enterprise negotiated rates at 5,000+ users typically achieve 20 to 30 percent below list, bringing Essentials to approximately $2.25 to $2.55 per user per month and Premier to approximately $6.30 to $7.20.

Duo is also one of the products where the Security EA delivers meaningful value: the per-user blended rate in a Security EA that includes Duo, Umbrella, and Cisco Secure Endpoint typically represents 25 to 35 percent savings versus purchasing each product independently at negotiated standalone rates.

Cisco XDR: Extended Detection and Response Licensing

What Cisco XDR Does

Cisco XDR is the company's extended detection and response platform, built on the SecureX technology foundation and extended with native integration across the full Cisco security portfolio. XDR aggregates telemetry from Secure Endpoint, Umbrella, Meraki, Duo, and third-party sources into a unified detection and response interface, applying Cisco's Talos threat intelligence to prioritise and automate SOC response workflows.

XDR is not a SIEM — it does not replace log ingestion and long-term data retention. It is designed as a detection and response layer that operates on top of existing data sources, reducing alert noise, providing automated playbooks for common incident types, and integrating with SIEM platforms (including Splunk) where long-term forensic capability is required. For enterprises weighing Cisco XDR against Splunk as a SIEM replacement, our dedicated Cisco XDR versus Splunk comparison guide covers the architectural and cost differences in detail.

XDR Tier Structure

XDR Essentials provides core cross-product correlation, automated investigation workflows, integration with Cisco security portfolio telemetry, and basic response automation. Essentials is appropriate for organisations that are already deploying Cisco security products and want to consolidate detection into a unified view without the full analytics engine of Advantage.

XDR Advantage adds advanced analytics, full playbook automation, deeper third-party integrations, and AI-driven threat scoring across all telemetry sources. Advantage is the appropriate tier for mature SOC operations that need to automate tier 1 and tier 2 analyst workflows, not just aggregate alerts.

XDR Premier includes all Advantage capabilities plus the most advanced AI analytics, extended third-party data source coverage, and enterprise-grade SLA commitments for the platform itself.

XDR vs Splunk: The Architectural Question

The most common question in enterprise SOC planning is whether Cisco XDR complements or competes with Splunk. The honest answer is both, depending on the use case. XDR operates as a detection and response layer — it is optimised for fast, automated triage and response, not for long-retention forensic search or compliance logging. Splunk Enterprise Security is optimised for exactly those capabilities: search, retention, custom detection content, and compliance reporting.

Cisco's position is that XDR and Splunk are complementary: XDR handles real-time detection and automated response while Splunk provides the long-retention analytics and compliance backbone. Given that Cisco acquired Splunk in 2024, the commercial incentive to present them as complementary is significant. The independent view is more nuanced: for organisations that are already deeply invested in Splunk, XDR Essentials or Advantage is a genuine force multiplier. For organisations starting a SOC programme without existing Splunk investment, the combined Cisco XDR plus Splunk stack represents a substantial licensing commitment — typically $200,000 to $800,000 per year for mid-market SOC scale — that should be benchmarked against purpose-built XDR-only alternatives.

The Cisco Security Enterprise Agreement

What the Security EA Is

The Cisco Security Enterprise Agreement (Security EA) is a per-user, annual subscription that bundles Duo, Umbrella, Cisco Secure Endpoint, and Cisco Secure Email into a single commercial vehicle with a committed user population. The Security EA is designed to make Cisco's security pricing competitive against individual product purchases while creating a three-to-five year revenue anchor for Cisco's account team.

At enterprise volumes — typically 5,000 users and above — the Security EA delivers genuine list-price discount in the 25 to 35 percent range versus purchasing each included product separately at list price. The commercial case is strongest when the organisation genuinely needs all four included products at the tier levels bundled into the EA.

Security EA Structure and Tiers

The Security EA is structured around the same tier progression as the individual products: Essentials, Advantage, and Premier. The EA tier determines which product tiers are included across all bundled products. An Advantage-tier Security EA includes Duo Advantage, Umbrella DNS Security Advantage, Secure Endpoint Advantage, and Secure Email Advantage.

This creates a classic bundling trap: the bundle tier must be set at the highest product tier you need, and you pay the bundle premium even for products where the lower tier would be sufficient. An organisation that needs Duo Premier for zero trust network access but only requires Umbrella DNS Security Essentials ends up paying Security EA Premier pricing — which includes SIG Umbrella capabilities they will not deploy — because the bundle cannot be disaggregated.

Security EA Pricing Benchmarks

Cisco does not publish Security EA pricing. Based on our engagements with enterprise buyers, negotiated Security EA rates at 5,000 users are typically $12 to $18 per user per month for Essentials tier, $18 to $28 for Advantage, and $28 to $38 for Premier. These ranges reflect negotiated rates that are 25 to 40 percent below Cisco's initial Security EA quote.

The key variables that move Security EA pricing are total user count (economies of scale kick in meaningfully at 5,000, 10,000, and 25,000 users), contract term (three-year vs. one-year pricing carries 15 to 20 percent premium for the shorter term), Cisco relationship depth (ELA customers with significant infrastructure spend receive more aggressive Security EA pricing), and fiscal year timing (Q3 and Q4 of Cisco's fiscal year — May through July — deliver the best discounts as teams push toward revenue targets).

Bundle vs Individual Purchase Analysis

The decision to purchase a Security EA versus individual product licences hinges on two questions: are you deploying all four included products, and are you deploying them at the same tier? If the answer to both is yes, the Security EA is typically the right commercial vehicle. If either answer is no, individual product purchase may be more cost-effective.

A common scenario where individual purchase wins: an enterprise needs Duo Premier for zero trust network access (5,000 users), Umbrella DNS Security Essentials for basic DNS filtering (10,000 devices including unmanaged), no Cisco Secure Endpoint (deploying CrowdStrike), and no Cisco Secure Email (deploying Proofpoint). A Security EA would require purchasing four products at Premier tier for 10,000 users. Individual Duo Premier for 5,000 users and Umbrella DNS Essentials for 10,000 devices is materially less expensive — possibly by 40 to 60 percent of the Security EA cost.

A scenario where the Security EA wins: an enterprise is consolidating onto Cisco security across all four product categories at the same tier, replacing incumbent products at renewal. At this point, the Security EA's bundle discount, single commercial vehicle, and simplified renewal calendar make it the optimal structure.

Negotiation Strategy and Benchmarks

Discount Benchmarks by Spend Tier

Cisco's security product discount benchmarks align with the overall Cisco discount structure. The general framework for Cisco security licensing negotiations shows the following patterns at enterprise volumes. At $500,000 to $1 million annual security spend, achievable discounts from list are in the 20 to 30 percent range. At $1 million to $3 million, the range extends to 28 to 38 percent. At $3 million to $10 million, discounts of 35 to 45 percent are achievable with the right commercial pressure. Above $10 million in annual security spend, 42 to 55 percent below list is the reference for the best-negotiated outcomes.

These ranges apply to the Security EA as a whole. Individual product negotiations tend to achieve slightly tighter discounts because the Security EA creates more commercial leverage for Cisco — the bundle locks in more revenue — and the trade for the buyer is that the bundle discount is offered in exchange for the commitment.

Timing and Leverage

Cisco's fiscal year ends 31 July. The Q3 and Q4 windows — May through July — represent the highest-leverage negotiating period for security product purchases. Cisco's account teams are compensated on annual targets and will accept deeper discounts in the final two months of the fiscal year to close deals and achieve quota.

For enterprise renewals, the optimal engagement timeline is six to nine months before contract expiry, which allows sufficient time for competitive benchmarking, alternative vendor evaluation (Okta for Duo, ZScaler for Umbrella, CrowdStrike for Secure Endpoint), and multiple commercial negotiation rounds. Renewing within 90 days of expiry removes most of your leverage — Cisco knows you are out of time.

Multi-year commitment is the primary lever Cisco will use to offer additional discount. Three-year deals typically add 15 to 20 percent discount versus one-year. The trade-off is reduced flexibility to right-size at renewal — particularly relevant for security products where user counts and capability requirements can change materially in a three-year window. Our Cisco ELA true-up guide covers how to negotiate mid-term reduction rights and flexible true-up provisions that protect you in multi-year security agreements.

Competitive Leverage

The most effective commercial lever in Cisco security negotiations is credible competitive evaluation. For Umbrella, ZScaler and Netskope are the primary competitive alternatives that move Cisco pricing. For Duo, Okta and Microsoft Entra ID are the credible alternatives. For XDR, CrowdStrike Falcon Complete, Palo Alto Cortex XDR, and Microsoft Sentinel each apply different forms of competitive pressure. For the full ELA negotiation strategy including security product leverage, our Cisco ELA negotiation guide 2026 covers the full commercial framework.

Integration with Cisco ELA

For enterprises with an existing Cisco ELA — covering infrastructure such as Catalyst switching, ASR routing, ISR branch platforms, collaboration, and wireless — the Security EA can be integrated into the ELA as an add-on package or negotiated as a standalone agreement with ELA reference pricing applied.

ELA customers receive more favourable Security EA pricing because their overall Cisco relationship is more valuable to preserve. The ELA commitment demonstrates spend seriousness, and Cisco's account teams are incentivised to keep ELA customers satisfied across all product lines. Enterprises without an ELA negotiating a Security EA standalone will typically pay 10 to 15 percent more than an equivalent ELA customer for the same Security EA configuration.

The interaction between the Security EA and the broader ELA also affects the commercial calendar: if the Security EA renewal date does not align with the ELA renewal date, you miss the opportunity to use each renewal as leverage in the other. Our guidance on Cisco Meraki licensing is relevant for enterprises evaluating whether to include Meraki cloud management in the Security EA or manage it separately.

Eight Recommendations for Cisco Security Licensing

1. Audit what you actually need before choosing a tier. List every required security capability against each product tier. The goal is to identify the minimum tier that satisfies your requirements — and to avoid paying for capabilities you will not deploy.

2. Model the bundle vs individual purchase before any commercial engagement. Run the numbers for Security EA at the required tier versus individual product purchase at negotiated standalone rates. The bundle is not always cheaper.

3. Evaluate competitive alternatives before your first Cisco meeting. Credible competitive evaluations are the primary discount lever. Evaluate ZScaler for Umbrella, Okta for Duo, and CrowdStrike for Secure Endpoint before your first Security EA pricing conversation.

4. Time your negotiation to Cisco's fiscal calendar. Engaging Cisco in the May through July window — Q3 and Q4 of Cisco's fiscal year ending 31 July — is the single highest-impact timing decision available.

5. Negotiate mid-term reduction rights in multi-year agreements. Three-year Security EA deals are common. Ensure the agreement includes provisions for reducing user counts or downgrading tiers mid-term if business conditions change, particularly for Duo and Umbrella where user populations can shift significantly.

6. Understand CSSM requirements for security products. Cisco security products have Smart Licensing dependencies that affect how entitlements are managed and how over-deployments are detected. Our Cisco Smart Licensing guide covers security product compliance obligations.

7. Include contact-us escalation rights in the agreement. Larger Security EA deals should include provisions for pricing review if Cisco launches a comparable product at lower cost, or if market pricing for equivalent competitive products drops materially during the agreement term.

8. Engage independent advisory before signing. Cisco's Security EA proposals are prepared by account teams whose target is the highest possible committed revenue. Independent advisory ensures your commercial outcome is benchmarked against real market data, not Cisco's suggested starting point. Our Cisco security licensing advisory specialists work with enterprise buyers through the full evaluation and negotiation process.

Summary

Cisco's security licensing portfolio is genuinely capable — Umbrella, Duo, and XDR are market-leading products in their respective categories. The licensing complexity is real, but it is manageable with the right framework. Know which capabilities you need at which tier, model the bundle versus individual purchase economics before engaging Cisco commercially, time your negotiation to Cisco's fiscal calendar, and maintain credible competitive alternatives throughout the process.

For detailed guidance on any individual product within this portfolio, explore the specific guides: Cisco Umbrella SIG and DNS Security licensing, Cisco Duo MFA licensing tiers and cost, and Cisco XDR versus Splunk for enterprise SOC. For the full commercial negotiation framework, including how security products interact with your Cisco ELA, contact our Cisco advisory team directly.