Cisco Secure  |  Security Licensing & Renewal White Paper

The Cisco Secure licensing negotiation playbook for 2026

One relationship now spans six to nine priced security products. The 20 percent Enterprise Agreement growth allowance is the clause that quietly resets your baseline upward at the year three anniversary.

Prepared by Redress Compliance  ·  June 2026  ·  Representative Cisco security estate scenario (benchmark scenario, not a quote)

Executive Summary

Cisco rebuilt its security portfolio between 2022 and 2026 around three pillars: Umbrella for DNS and secure web, Duo for identity and zero trust, and XDR for detection and response. It then wrapped them in suites and two Enterprise Agreement vehicles. A workforce of 12,000 now buys from six to nine separate price meters under one Cisco relationship.

List prices anchor the conversation. Duo runs 36, 72, and 108 dollars per user per year across Essentials, Advantage, and Premier. XDR runs 36, 60, and 120 dollars per asset per year. The User Protection Suite, the bundle most enterprises sign, carries a 15 to 30 percent discount against the standalone tier sum.

The trap is structural, not numeric. The Cisco security Enterprise Agreement absorbs growth inside a roughly 20 percent allowance, then resets the committed baseline upward at the next anniversary and never resets it down. Over a three year term that one mechanic can add 19 percent to the committed spend regardless of actual usage.

This paper decodes every product meter, the suite math, the Duo and XDR tier traps, the Splunk integration economics, and the seven renewal clauses we negotiate. A disciplined buyer side posture reaches roughly 35 percent below list on a representative 12,000 user estate.

  • 6 to 9 · Separately priced security meters under one Cisco relationship: Umbrella, Duo, Secure Endpoint, XDR, Secure Firewall, Secure Email, Secure Access, and Splunk
  • 15 to 30% · User Protection Suite discount against the sum of the standalone Umbrella, Duo, and Secure Endpoint tiers
  • +19% · Committed baseline increase a 20 percent EA growth allowance can lock in by the year three anniversary, usage aside
  • 35% · Reduction against list a disciplined buyer side posture reaches on the representative estate in this paper

1. What does the Cisco Secure commercial model actually contain?

The Cisco Secure portfolio is not one product with tiers. It is a set of independent meters, each with its own unit, that Cisco prices alone, in suites, or inside an Enterprise Agreement. Knowing which meter governs which product is the first buyer side move, because the meter, not the brand, drives the bill.

Cisco organizes the portfolio around three pillars and a set of platform products. The table below maps each product to its meter and its 2026 list anchor from current reseller quotes.

| Product | What it covers | Meter | 2026 list anchor |
| --- | --- | --- | --- |
| Cisco Umbrella | DNS layer security, secure web gateway, SIG | Per user per year | 36 to 55 (DNS tiers), 80 to 150 all in with SIG |
| Cisco Duo | Multi factor authentication, zero trust access | Per user per year | 36 / 72 / 108 (Essentials / Advantage / Premier) |
| Secure Endpoint | Endpoint protection and EDR | Per device per year | From about 81 per device |
| Cisco XDR | Cross product detection and response | Per asset per year | 36 / 60 / 120 (Essentials / Advantage / Premier) |
| Secure Firewall | Firepower threat defense, IPS, URL filtering | Per appliance plus subscription | Hardware plus per throughput subscription |
| Secure Access | SSE, ZTNA, cloud delivered access | Per user per year | Quoted per user, SSE bundle |
| Splunk | SIEM, security analytics, SOAR | Ingest (GB per day) or workload (SVC) | Volume based, see section 4 |

The first non obvious mechanic. Cisco rarely publishes security list prices, so every number above is a reseller anchor, not a rate card. That opacity is a lever, not a nuisance. When the seller controls the only visible price, the buyer who arrives with independent benchmark ranges resets the anchor before the first quote lands.

[Chart: list price, US dollars per unit per year. Duo (per user): Essentials 36, Advantage 72, Premier 108. XDR (per asset): Essentials 36, Advantage 60, Premier 120.]
Cisco Duo and XDR tier list prices, 2026 reseller anchors. Numbers match the section 3 and section 5 tables.

2. How do the Secure Choice and Suite bundles really price?

Bundles are where the discount lives and where the lock in starts. Cisco offers product suites that group meters for one population, plus two Enterprise Agreement vehicles that wrap the whole relationship. The discount is genuine. The question is whether you deploy enough of the bundle to earn it.

The Secure Choice Enterprise Agreement combines security, connectivity, network, and observability into one subscription. The User Protection Suite bundles Umbrella SIG, Duo, and Secure Endpoint and is the most common workforce vehicle in 2026.

| Vehicle | What it groups | Discount posture | Lock in |
| --- | --- | --- | --- |
| User Protection Suite | Umbrella SIG, Duo, Secure Endpoint | 15 to 30% vs standalone tier sum | Medium, per user commitment |
| Breach Protection Suite | XDR, Secure Endpoint, Email Threat Defense | Volume discount on detection stack | Medium |
| Security Enterprise Agreement | Duo, Umbrella, Secure Endpoint, Secure Email | Per user, deepens by population | High, growth allowance and coverage rule |
| Secure Choice EA | Security plus network, connectivity, observability | Cross domain, flexible drawdown | High, multi domain commitment |

The second non obvious mechanic. The Cisco security EA typically requires near full population coverage. You cannot license half the workforce on Duo Advantage and the rest on Essentials inside one enrollment without Cisco pushing the whole count to the higher tier. Coverage uniformity is a packaging rule, not a discount, and it inflates the count before the discount applies.

The worked estate below makes the bundle math concrete. Meridian Logistics is a representative 12,000 user, 9,000 endpoint enterprise. The table is a benchmark scenario, not a quote, and the rows sum to the totals shown.

| Line | Standalone list | Suite posture | Negotiated buyer side |
| --- | --- | --- | --- |
| Duo Advantage, 12,000 users | 864,000 | 674,000 | 561,000 |
| Umbrella DNS Advantage, 12,000 users | 576,000 | 449,000 | 374,000 |
| Secure Endpoint Advantage, 9,000 devices | 729,000 | 569,000 | 369,000 |
| XDR Advantage, 9,000 assets | 540,000 | 459,000 | 460,000 |
| Annual total (US dollars) | 2,709,000 | 2,151,000 | 1,764,000 |

[Chart: annual security spend, US dollars millions. Standalone list 2.71M, suite posture 2.15M, negotiated 1.76M (-35% vs list).]
Representative 12,000 user estate. Benchmark scenario, not a quote. Totals match the table above.

Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.

3. How should you rationalise Duo authentication tiers?

Most enterprises over buy Duo. The tier you sign should match the features the population actually uses, not the features Cisco demonstrates. Mapping the deployed population against real feature use is the single fastest Duo saving, and it needs no renegotiation, only an enrollment audit.

Cisco Duo prices in three tiers. The jump from Essentials to Advantage doubles the per user cost for identity intelligence and risk based authentication that many users never trigger.

| Tier | Per user per year | Adds over the prior tier | Who genuinely needs it |
| --- | --- | --- | --- |
| Essentials | 36 | MFA, SSO, passwordless, Trusted Endpoints | The broad workforce |
| Advantage | 72 | Identity Intelligence, risk based auth, Passport | Privileged and high risk roles |
| Premier | 108 | Agentic IAM, access without a VPN, device trust | A small admin and remote tier |

The third non obvious mechanic. Enabling an Advantage only feature for one pilot group can trip the whole enrollment to the Advantage rate at renewal, because Cisco counts the entitlement, not the active users. Keep advanced features fenced to a named sub population with its own line, never switched on across the master enrollment.

Buyer side move on Duo. Pull the active authentication logs before renewal. In our engagements a material share of the population only ever uses MFA and SSO, the Essentials feature set. Right tiering that group from Advantage to Essentials cuts 36 dollars per user per year with zero security loss.

4. What are the Splunk integration economics under Cisco?

Splunk is the most volatile line in the Cisco security relationship. Cisco is folding Splunk into the Secure framework and reworking how it prices, so the meter you sign today may not be the meter you renew on. Lock the consumption model and a ceiling before you commit.

Splunk Enterprise Security needs an underlying Splunk platform license, metered either by daily indexing volume in gigabytes per day or by workload in SVC units. Choosing the wrong meter for your data pattern is the costliest single error in the stack.

| Meter | How it counts | Best for | The trap |
| --- | --- | --- | --- |
| Ingest (GB per day) | Volume of data indexed daily | Predictable, steady log volume | Spiky ingest blows the daily band |
| Workload (SVC) | Compute consumed by searches | Heavy search, lighter ingest | Opaque, hard to forecast and cap |
| ES edition | Essentials or Premier feature set | Premier folds SOAR in 8.x | Edition uplift on renewal |

The fourth non obvious mechanic. Splunk Enterprise Security 8.x consolidated separate tools into Essentials and Premier editions, and SOAR moved into Premier. That repackaging can quietly move you up an edition at renewal for capability you already owned. Hold the edition and meter to the signed terms.

Splunk consumption ceiling. Negotiate a hard annual cap on ingest or SVC growth with overage at the committed rate, not at list. Without a ceiling, the workload meter converts every new data source into uncapped spend, which is the chief complaint enterprises raise about SVC pricing.

5. How do Secure Endpoint and XDR fit together?

Secure Endpoint is the agent. XDR is the correlation layer above it. Cisco prices them separately and also inside the Breach Protection Suite, so the deployment scope and the cross product detection commitment are two distinct negotiations that buyers often blur into one.

Secure Endpoint protects devices and starts at roughly 81 dollars per device per year at the Advantage tier. Cisco XDR prices per asset across three tiers, and the asset count is not the same as the device count, which is where the bill surprises buyers.

| XDR tier | Per asset per year | Adds |
| --- | --- | --- |
| Essentials | 36 | Endpoint and network detection |
| Advantage | 60 | Cloud and email correlation |
| Premier | 120 | Managed detection and response |

The fifth non obvious mechanic. XDR counts assets, which can include servers, cloud workloads, and network sources, not only laptops. An estate with 9,000 endpoints can present far more than 9,000 XDR assets. Define the asset basis in writing and grandfather the scope so a telemetry expansion cannot silently grow the count.

Where the common advice on Cisco security bundling is wrong

The standard reseller advice is to consolidate everything into the User Protection Suite or the Security EA for the headline discount. We disagree.

Across the Cisco security renewals we benchmarked in 2024 to 2025, the suite discount was real. Yet the coverage uniformity rule and the upward baseline reset frequently cost more over three years than a disciplined per product purchase with substitution rights.

The buyer side move is to buy the bundle only where you genuinely deploy three or more components to the same population. Keep thin coverage products on standalone lines you can drop. A discount on a meter you do not use is a premium with better marketing.

[Chart: committed EA spend, US dollars millions. Year 1 1.76M, Year 2 1.76M, Year 3 2.10M (+19% reset).]
Year 2 growth absorbs inside the 20 percent allowance. Year 3 true forward resets the baseline up 19 percent and never resets it down. Benchmark scenario, not a quote.

6. Which Cisco security renewal contract levers actually hold?

Renewal value is won in the clause language, not the discount line. The seven levers below are the ones we routinely negotiate into Cisco security agreements. Each one closes a specific way the agreement otherwise drifts upward between signature and renewal.

| Lever | What it protects |
| --- | --- |
| Bundle substitution rights | Swap a deployed product for an equivalent within the suite without a price reset, so a tool you stop using becomes capacity you can redeploy |
| Duo tier preservation | Hold the signed tier mix at renewal so a pilot feature cannot trip the whole enrollment to a higher rate |
| Splunk consumption ceiling | Cap ingest or SVC growth with overage at the committed rate, not at list |
| Umbrella seat protection | Fix the per user rate for the term and bar mid term SIG add on uplifts |
| Secure Endpoint deployment grandfather | Freeze the asset and device basis so a telemetry expansion does not silently grow the count |
| Growth allowance and true forward terms | Pin the growth allowance and bar a retroactive or compounding baseline reset |
| Executive escalation path | Name the escalation route and timeline so a stalled renewal does not lapse into an auto uplift |

The sixth non obvious mechanic. Cisco EA growth is handled by true forward, not true up. You are not billed retroactively for mid term growth, which sounds buyer friendly. The catch is the higher count carries forward into the next baseline and never adjusts down for attrition. Negotiate the right to re baseline to actual usage at renewal.

22% · Median gap, first quote to signed

Median reduction between the first Cisco security Enterprise Agreement quote and the signed deal across renewals we benchmarked in 2024 to 2025.

1 in 3 · Duo populations over tiered

Roughly one in three Duo populations we reviewed paid Advantage or Premier rates where only Essentials features were in active use.

7. What is the multi year Cisco security strategy?

The security relationship does not sit alone. It co terms with the wider Cisco networking and Secure Choice commitment, so the security renewal is also a moment to align the whole Cisco enterprise position. Sequence the work across three phases so the security agreement strengthens the larger negotiation rather than fragmenting it.

Phase 1 · Months 1 to 3

Baseline and entitlement audit

Pull active Duo logs, XDR asset counts, Umbrella seats, and Splunk ingest. Map deployed use against signed entitlements and flag every over tiered or unused line before any vendor conversation.

Phase 2 · Months 4 to 8

Posture and benchmark

Decide bundle versus standalone per product on real deployment. Set independent benchmark ranges, draft the seven clause levers, and align the security timeline with the wider Cisco co term.

Phase 3 · Months 9 to 12

Negotiate and lock

Run the renewal against the benchmark, hold the growth allowance and re baseline rights, and sign the substitution, preservation, ceiling, and grandfather clauses into the agreement.

Our recommendation

Audit the deployed estate before Cisco quotes, then buy the bundle only where you deploy it. The discount is real, but the coverage rule and the upward baseline reset turn an unexamined suite into a premium over a three year term.

  • Right tier first, discount second. Map Duo, XDR, Umbrella, and Splunk use to actual consumption and strip over tiered lines before you ask for a single discount point.
  • Sign the seven clause levers. Substitution, Duo preservation, Splunk ceiling, Umbrella protection, Secure Endpoint grandfather, growth allowance terms, and escalation are where renewal value holds.

Redress Compliance is 100 percent buyer side, with no Cisco affiliation, serving 500+ enterprise clients and more than 2 billion dollars under advisory across 11 vendor practices. We are glad to tie a meaningful part of the fee to delivered value.

Prepared by Redress Compliance · redresscompliance.com