The Cisco Secure licensing negotiation playbook for 2026
One relationship now spans six to nine priced security products. The 20 percent Enterprise Agreement growth allowance is the clause that quietly resets your baseline upward at the year three anniversary.
Prepared by Redress Compliance · June 2026 · Representative Cisco security estate scenario (benchmark scenario, not a quote)
Executive Summary
Cisco rebuilt its security portfolio between 2022 and 2026 around three pillars, Umbrella for DNS and secure web, Duo for identity and zero trust, and XDR for detection and response, then wrapped them in suites and two Enterprise Agreement vehicles. A workforce of 12,000 now buys from six to nine separate price meters under one Cisco relationship.
List prices anchor the conversation. Duo runs 36, 72, and 108 dollars per user per year across Essentials, Advantage, and Premier. XDR runs 36, 60, and 120 dollars per asset per year. The User Protection Suite carries a 15 to 30 percent discount against the standalone tier sum, which is the bundle most enterprises sign.
The trap is structural, not numeric. The Cisco security Enterprise Agreement absorbs growth inside a roughly 20 percent allowance, then resets the committed baseline upward at the next anniversary and never resets it down. Over a three year term that one mechanic can add 19 percent to the committed spend regardless of actual usage.
This paper decodes every product meter, the suite math, the Duo and XDR tier traps, the Splunk integration economics, and the seven renewal clauses we negotiate. A disciplined buyer side posture reaches roughly 35 percent below list on a representative 12,000 user estate.
What does the Cisco Secure commercial model actually contain?
The Cisco Secure portfolio is not one product with tiers. It is a set of independent meters, each with its own unit, that Cisco prices alone, in suites, or inside an Enterprise Agreement. Knowing which meter governs which product is the first buyer side move, because the meter, not the brand, drives the bill.
Cisco organizes the portfolio around three pillars and a set of platform products. The table below maps each product to its meter and its 2026 list anchor from current reseller quotes.
| Product | What it covers | Meter | 2026 list anchor |
|---|---|---|---|
| Cisco Umbrella | DNS layer security, secure web gateway, SIG | Per user per year | 36 to 55 (DNS tiers), 80 to 150 all in with SIG |
| Cisco Duo | Multi factor authentication, zero trust access | Per user per year | 36 / 72 / 108 (Essentials / Advantage / Premier) |
| Secure Endpoint | Endpoint protection and EDR | Per device per year | From about 81 per device |
| Cisco XDR | Cross product detection and response | Per asset per year | 36 / 60 / 120 (Essentials / Advantage / Premier) |
| Secure Firewall | Firepower threat defense, IPS, URL filtering | Per appliance plus subscription | Hardware plus per throughput subscription |
| Secure Access | SSE, ZTNA, cloud delivered access | Per user per year | Quoted per user, SSE bundle |
| Splunk | SIEM, security analytics, SOAR | Ingest (GB per day) or workload (SVC) | Volume based, see section 4 |
The first non obvious mechanic. Cisco rarely publishes security list prices, so every number above is a reseller anchor, not a rate card. That opacity is a lever, not a nuisance. When the seller controls the only visible price, the buyer who arrives with independent benchmark ranges resets the anchor before the first quote lands.
How do the Secure Choice and Suite bundles really price?
Bundles are where the discount lives and where the lock in starts. Cisco offers product suites that group meters for one population, plus two Enterprise Agreement vehicles that wrap the whole relationship. The discount is genuine. The question is whether you deploy enough of the bundle to earn it.
The Secure Choice Enterprise Agreement combines security, connectivity, network, and observability into one subscription. The User Protection Suite bundles Umbrella SIG, Duo, and Secure Endpoint and is the most common workforce vehicle in 2026.
| Vehicle | What it groups | Discount posture | Lock in |
|---|---|---|---|
| User Protection Suite | Umbrella SIG, Duo, Secure Endpoint | 15 to 30% vs standalone tier sum | Medium, per user commitment |
| Breach Protection Suite | XDR, Secure Endpoint, Email Threat Defense | Volume discount on detection stack | Medium |
| Security Enterprise Agreement | Duo, Umbrella, Secure Endpoint, Secure Email | Per user, deepens by population | High, growth allowance and coverage rule |
| Secure Choice EA | Security plus network, connectivity, observability | Cross domain, flexible drawdown | High, multi domain commitment |
The second non obvious mechanic. The Cisco security EA typically requires near full population coverage. You cannot license half the workforce on Duo Advantage and the rest on Essentials inside one enrollment without Cisco pushing the whole count to the higher tier. Coverage uniformity is a packaging rule, not a discount, and it inflates the count before the discount applies.
The worked estate below makes the bundle math concrete. Meridian Logistics is a representative 12,000 user, 9,000 endpoint enterprise. The table is a benchmark scenario, not a quote, and the rows sum to the totals shown.
| Line | Standalone list | Suite posture | Negotiated buyer side |
|---|---|---|---|
| Duo Advantage, 12,000 users | 864,000 | 674,000 | 561,000 |
| Umbrella DNS Advantage, 12,000 users | 576,000 | 449,000 | 374,000 |
| Secure Endpoint Advantage, 9,000 devices | 729,000 | 569,000 | 369,000 |
| XDR Advantage, 9,000 assets | 540,000 | 459,000 | 460,000 |
| Annual total (US dollars) | 2,709,000 | 2,151,000 | 1,764,000 |
Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
How should you rationalise Duo authentication tiers?
Most enterprises over buy Duo. The tier you sign should match the features the population actually uses, not the features Cisco demonstrates. Mapping the deployed population against real feature use is the single fastest Duo saving, and it needs no renegotiation, only an enrollment audit.
Cisco Duo prices in three tiers. The jump from Essentials to Advantage doubles the per user cost for identity intelligence and risk based authentication that many users never trigger.
| Tier | Per user per year | Adds over the prior tier | Who genuinely needs it |
|---|---|---|---|
| Essentials | 36 | MFA, SSO, passwordless, Trusted Endpoints | The broad workforce |
| Advantage | 72 | Identity Intelligence, risk based auth, Passport | Privileged and high risk roles |
| Premier | 108 | Agentic IAM, access without a VPN, device trust | A small admin and remote tier |
The third non obvious mechanic. Enabling an Advantage only feature for one pilot group can trip the whole enrollment to the Advantage rate at renewal, because Cisco counts the entitlement, not the active users. Keep advanced features fenced to a named sub population with its own line, never switched on across the master enrollment.
What are the Splunk integration economics under Cisco?
Splunk is the most volatile line in the Cisco security relationship. Cisco is folding Splunk into the Secure framework and reworking how it prices, so the meter you sign today may not be the meter you renew on. Lock the consumption model and a ceiling before you commit.
Splunk Enterprise Security needs an underlying Splunk platform license, metered either by daily indexing volume in gigabytes per day or by workload in SVC units. Choosing the wrong meter for your data pattern is the costliest single error in the stack.
| Meter | How it counts | Best for | The trap |
|---|---|---|---|
| Ingest (GB per day) | Volume of data indexed daily | Predictable, steady log volume | Spiky ingest blows the daily band |
| Workload (SVC) | Compute consumed by searches | Heavy search, lighter ingest | Opaque, hard to forecast and cap |
| ES edition | Essentials or Premier feature set | Premier folds SOAR in 8.x | Edition uplift on renewal |
The fourth non obvious mechanic. Splunk Enterprise Security 8.x consolidated separate tools into Essentials and Premier editions, and SOAR moved into Premier. That repackaging can quietly move you up an edition at renewal for capability you already owned. Hold the edition and meter to the signed terms.
How do Secure Endpoint and XDR fit together?
Secure Endpoint is the agent. XDR is the correlation layer above it. Cisco prices them separately and also inside the Breach Protection Suite, so the deployment scope and the cross product detection commitment are two distinct negotiations that buyers often blur into one.
Secure Endpoint protects devices and starts at roughly 81 dollars per device per year at the Advantage tier. Cisco XDR prices per asset across three tiers, and the asset count is not the same as the device count, which is where the bill surprises buyers.
| XDR tier | Per asset per year | Adds |
|---|---|---|
| Essentials | 36 | Endpoint and network detection |
| Advantage | 60 | Cloud and email correlation |
| Premier | 120 | Managed detection and response |
The fifth non obvious mechanic. XDR counts assets, which can include servers, cloud workloads, and network sources, not only laptops. An estate with 9,000 endpoints can present far more than 9,000 XDR assets. Define the asset basis in writing and grandfather the scope so a telemetry expansion cannot silently grow the count.
Where the common advice on Cisco security bundling is wrong
The standard reseller advice is to consolidate everything into the User Protection Suite or the Security EA for the headline discount. We disagree.
Across the Cisco security renewals we benchmarked in 2024 to 2025, the suite discount was real. Yet the coverage uniformity rule and the upward baseline reset frequently cost more over three years than a disciplined per product purchase with substitution rights.
The buyer side move is to buy the bundle only where you genuinely deploy three or more components to the same population. Keep thin coverage products on standalone lines you can drop. A discount on a meter you do not use is a premium with better marketing.
Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
Which Cisco security renewal contract levers actually hold?
Renewal value is won in the clause language, not the discount line. The seven levers below are the ones we routinely negotiate into Cisco security agreements. Each one closes a specific way the agreement otherwise drifts upward between signature and renewal.
| Lever | What it protects |
|---|---|
| Bundle substitution rights | Swap a deployed product for an equivalent within the suite without a price reset, so a tool you stop using becomes capacity you can redeploy |
| Duo tier preservation | Hold the signed tier mix at renewal so a pilot feature cannot trip the whole enrollment to a higher rate |
| Splunk consumption ceiling | Cap ingest or SVC growth with overage at the committed rate, not at list |
| Umbrella seat protection | Fix the per user rate for the term and bar mid term SIG add on uplifts |
| Secure Endpoint deployment grandfather | Freeze the asset and device basis so a telemetry expansion does not silently grow the count |
| Growth allowance and true forward terms | Pin the growth allowance and bar a retroactive or compounding baseline reset |
| Executive escalation path | Name the escalation route and timeline so a stalled renewal does not lapse into an auto uplift |
The sixth non obvious mechanic. Cisco EA growth is handled by true forward, not true up. You are not billed retroactively for mid term growth, which sounds buyer friendly. The catch is the higher count carries forward into the next baseline and never adjusts down for attrition. Negotiate the right to re baseline to actual usage at renewal.
Median reduction between the first Cisco security Enterprise Agreement quote and the signed deal across renewals we benchmarked in 2024 to 2025.
Roughly one in three Duo populations we reviewed paid Advantage or Premier rates where only Essentials features were in active use.
Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
What is the multi year Cisco security strategy?
The security relationship does not sit alone. It co terms with the wider Cisco networking and Secure Choice commitment, so the security renewal is also a moment to align the whole Cisco enterprise position. Sequence the work across three phases so the security agreement strengthens the larger negotiation rather than fragmenting it.
Baseline and entitlement audit
Pull active Duo logs, XDR asset counts, Umbrella seats, and Splunk ingest. Map deployed use against signed entitlements and flag every over tiered or unused line before any vendor conversation.
Posture and benchmark
Decide bundle versus standalone per product on real deployment. Set independent benchmark ranges, draft the seven clause levers, and align the security timeline with the wider Cisco co term.
Negotiate and lock
Run the renewal against the benchmark, hold the growth allowance and re baseline rights, and sign the substitution, preservation, ceiling, and grandfather clauses into the agreement.
Our recommendation
Audit the deployed estate before Cisco quotes, then buy the bundle only where you deploy it. The discount is real, but the coverage rule and the upward baseline reset turn an unexamined suite into a premium over a three year term.
- Right tier first, discount second. Map Duo, XDR, Umbrella, and Splunk use to actual consumption and strip over tiered lines before you ask for a single discount point.
- Sign the seven clause levers. Substitution, Duo preservation, Splunk ceiling, Umbrella protection, Secure Endpoint grandfather, growth allowance terms, and escalation are where renewal value holds.
Redress Compliance is 100 percent buyer side, with no Cisco affiliation, serving 500+ enterprise clients and more than 2 billion dollars under advisory across 11 vendor practices. We are glad to tie a meaningful part of the fee to delivered value.