Cisco Security Licensing Guide 2026: Duo, Umbrella, Secure Endpoint, XDR & What You Are Actually Paying For

Cisco Security Is a Portfolio Play — Which Means the Pricing Is Too

Cisco's security business has been built largely through acquisition — Duo Security (MFA), Umbrella (DNS/web security, formerly OpenDNS), Sourcefire (now Cisco Secure Endpoint and Firepower NGFW), and Observable Networks (now part of Cisco XDR). The result is a security portfolio of significant breadth but historically inconsistent licensing models, with each product carrying its own metric, tier structure, and purchasing mechanism.

Cisco's answer to this complexity is the Cisco Security Enterprise Agreement (Security EA), which bundles the major security products into a single per-user or per-device subscription with ELA-style discounting. Understanding what each product costs, how the Security EA bundle compares to individual product pricing, and where Cisco's per-suite model competes and loses against point-solution vendors from CrowdStrike and Palo Alto is essential before signing any Cisco security agreement.

For the broader ELA framework, see our Cisco ELA guide. For the competitive security platform comparison, see our Cisco vs Palo Alto vs Fortinet guide. For Cisco advisory support, our Cisco advisory team covers security licensing as a core competency.

Product-by-Product Licensing Breakdown

The Cisco Security EA: What It Bundles and What It Does Not

The Cisco Security Enterprise Agreement brings Duo, Umbrella, Secure Endpoint, and Secure Email together into a single per-user annual subscription with a committed user population. The Security EA is designed to make Cisco security pricing look competitive against individual product purchases — and at enterprise user volumes (5,000+), the bundle discount is genuine. The list price for individual products purchased separately is typically 25 to 35% higher than the Security EA per-user blended rate at equivalent volumes.

What the Security EA does not include is equally important. Secure Firewall (the Firepower NGFW hardware and software subscription) is not included in the per-user Security EA — it is priced separately per appliance. Cisco XDR platform integration is available with qualifying Security EA components, but advanced XDR analytics and automation capabilities may require additional licensing. And Cisco's emerging AI-driven security capabilities — Cisco AI Defense, Hypershield — are not included in current Security EA terms and are priced as add-ons.

Security EA evaluation question: Before committing to a Cisco Security EA, map which products in the bundle your organisation will actually deploy within the contract term. If you are already committed to CrowdStrike Falcon for endpoint detection and have no plan to replace it with Cisco Secure Endpoint, paying Security EA pricing that includes Secure Endpoint for every user is pure shelfware spend. The EA bundle only delivers value for the products you will genuinely use. Our Cisco advisory team conducts Security EA value assessments as part of every security engagement.

Cisco Duo Tiers: The MFA Product Most Enterprises Under-Evaluate

Cisco Duo is frequently the highest-utilisation product within a Cisco Security EA because MFA deployment is effectively universal — every user who authenticates to enterprise applications is a Duo user. This makes Duo tier selection the single most commercially impactful decision within the Security EA: the difference between Duo Essentials ($3/user/month) and Duo Beyond ($9/user/month) is a 200% per-user premium, and the zero-trust network access (ZTNA) capabilities at the Premier and Beyond tiers are genuinely differentiated from the base MFA at Essentials.

The Duo tier evaluation should be driven by the organisation's zero-trust architecture ambitions rather than by Cisco account team recommendations. Organisations implementing identity-based network segmentation and device trust verification need Duo Premier or Beyond. Organisations that need only MFA for application access can operate effectively on Duo Essentials or Advantage. A tier mismatch in either direction creates compliance or commercial problems.

Where Cisco Security Loses to Point-Solution Alternatives

Cisco's security suite model performs best for organisations that want a single vendor relationship, integrated management across Duo, Umbrella, Endpoint, and Email, and the operational simplicity of unified support. It loses commercial ground to point-solution alternatives in three specific areas.

First, endpoint detection and response (EDR/XDR): CrowdStrike Falcon's threat intelligence and response capabilities are widely considered superior to Cisco Secure Endpoint at the Essentials and Advantage tiers — and CrowdStrike's pricing at enterprise volumes is often competitive with Cisco's bundled endpoint rate. See our competitive security platform guide for TCO comparison frameworks.

Second, SASE: Palo Alto Prisma Access and Zscaler Internet Access offer more mature SASE architectures than Cisco's Umbrella-based secure internet gateway approach, and at large roaming user populations their per-user pricing can undercut Cisco's SIG tiers.

Third, NGFW: Palo Alto and Fortinet NGFW hardware-plus-software TCO comparisons often favour those vendors over Cisco Firepower at equivalent performance tiers. For the full three-way comparison, see our Cisco vs Palo Alto vs Fortinet guide.

To discuss your Cisco security licensing position, book a call with our advisory team. For Smart Licensing management of Cisco security products, see our Cisco Smart Licensing guide.