In a representative 1,200 seat estate, the opening proposal totals $1.21M a year. Eight buyer levers recover $388.2K, or 32.0 percent, before signature.
Prepared by Redress Compliance · June 2026 · Representative GitHub Enterprise estate (benchmark scenario, not a quote).
GitHub Enterprise prices on five separate meters, and four of them bill on counts you control. Enterprise Cloud lists at $21 per user per month on annual billing. Advanced Security now splits into Code Security at $30 and Secret Protection at $19 per active committer per month. Copilot Business adds $19 per user per month on top.
The opening renewal proposal almost always bills the full provisioned directory, attaches Copilot base wide, and meters security on every committer. In our worked 1,200 seat estate that opening number is $1.21M a year. Matched to real activity, the same estate costs $823.8K.
The gap is $388.2K a year, 32.0 percent, and it sits inside the buyer's reach without a single feature cut. The levers are seat reconciliation, committer based security metering, a Copilot pilot, Actions and Codespaces governance, renewal uplift caps, a credible alternative, and a deliberately short term.
One date frames the term decision. On June 1, 2026 every Copilot plan moved to usage based billing with a monthly GitHub AI Credits allotment. Pricing on the AI line is still moving, so locking a long Copilot commitment now trades flexibility for a discount that a shorter term would also deliver.
This paper works one representative estate end to end so every lever lands on a number, not a slogan. The estate provisions 1,200 GitHub Enterprise seats, of which 950 developers pushed or reviewed code in the last 90 days.
About 1,000 of those are billed as security committers today, and the account team has proposed Copilot Business across all 1,200 seats. The table below is the full opening proposal against the right sized baseline.
| Line item | Basis | Opening proposal | Right sized |
|---|---|---|---|
| GitHub Enterprise Cloud | 1,200 seats vs 950 active developers | $302.4K | $239.4K |
| GitHub Code Security | 1,000 vs 700 active committers | $360.0K | $252.0K |
| GitHub Secret Protection | 1,000 vs 700 active committers | $228.0K | $159.6K |
| Copilot Business | 1,200 base wide vs 600 adopters | $273.6K | $136.8K |
| Actions and Codespaces | metered overage, governed down | $48.0K | $36.0K |
| Total annual | | $1,212.0K | $823.8K |
Benchmark scenario, not a quote. Benchmark ranges: Redress Compliance advisory engagement file, 2024 to 2025.
Figure: Annual cost by line item, in thousands of dollars, opening proposal against the right sized baseline. Numbers match the table above.
Figure: Total annual cost. The $388.2K gap is 32.0 percent of the opening proposal and matches the table total.
In the worked estate, the eight levers cut $1.21M to $823.8K with no loss of capability for active developers.
The 250 seat gap between 1,200 provisioned and 950 active is the single largest source of recoverable spend.
Start every GitHub renewal by reconciling provisioned seats against active developers, because the seat count, not the unit rate, sets your real exposure. GitHub bills Enterprise per seat on an annual subscription. A seat that no one used in 90 days still bills the full $21 a month.
A single Enterprise license covers both GitHub Enterprise Cloud and GitHub Enterprise Server under one per user count. You do not buy the platform twice when you run a hybrid estate. That is a non obvious mechanic the account team rarely volunteers.
Pull commit and pull request activity for the trailing 90 days. Reclaim seats for dormant accounts, service accounts, and leavers still in the directory. In the worked estate that moves the billed base from 1,200 to 950 and trims Cloud from $302.4K to $239.4K.
An active developer is one who pushed a commit, opened or reviewed a pull request, or commented in the period you choose. Provisioning identity is not consumption. Bill against proven activity and the dormant 21 percent falls out of the baseline.
Figure: Seat reconciliation funnel. Provisioned seats fall to active developers, then to proven Copilot adopters after a pilot. Numbers carry into the cost table.
Bill GitHub Advanced Security on active committers, never on the full seat count, because the meter is per committer and the gap is large. On April 1, 2025 GitHub unbundled Advanced Security into two products you can buy independently. Code Security lists at $30 per active committer per month. Secret Protection lists at $19.
An active committer is anyone who pushed to a repository with the feature enabled in the last 90 days. One push in the window bills the full month for that committer. Enable the feature only on the repositories and organizations that need it, not estate wide by default.
| Security product | List per active committer | What it covers |
|---|---|---|
| GitHub Code Security | $30 per month | Code scanning, Copilot Autofix, Dependabot, security campaigns and overview. |
| GitHub Secret Protection | $19 per month | Secret scanning, push protection, AI detection, custom patterns. |
| Legacy bundled GHAS | Retired for new buys | Do not let a renewal carry the old bundle forward if you only use one half. |
Buy only the half you use. Many estates run secret scanning broadly but code scanning on a subset of repositories. Splitting the two and metering on 700 committers rather than 1,000 cuts security from $588.0K to $411.6K in the worked estate.
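The two activity definitions above (active developer and active committer) applied to a seat list and an event log, as an added example that is not part of the original paper. The export format, the account names, the `kind` labels and the repository names are constructed for illustration and are not a GitHub API shape; the rates are the list prices quoted on this page.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=90)
ACTIVITY = {"push", "pr_open", "pr_review", "comment"}  # the page's "active developer" events
SEAT, CODE_SEC, SECRET = 21, 30, 19  # list $ per month, as quoted on the page

# Constructed sample inputs (hypothetical export, labelled by the directory owner).
AS_OF = datetime(2026, 6, 1)
SEATS = {"alice": "human", "bob": "human", "carol": "human", "erin": "human",
         "frank": "human", "dave": "leaver", "ci-bot": "service"}
SECURED_REPOS = {"payments"}  # repositories with the security products enabled
EVENTS = [  # (login, event, repository, date)
    ("alice", "push", "payments", "2026-05-20"),
    ("bob", "pr_review", "website", "2026-04-15"),
    ("carol", "push", "payments", "2026-01-10"),   # outside the 90 day window
    ("erin", "comment", "payments", "2026-05-28"), # active, but not a push
    ("dave", "push", "website", "2026-05-01"),     # leaver still in the directory
    ("ci-bot", "push", "website", "2026-05-30"),
]

def recent(events, as_of):
    """Keep only events inside the trailing 90 day window."""
    cutoff = as_of - WINDOW
    return [e for e in events if datetime.strptime(e[3], "%Y-%m-%d") >= cutoff]

def reconcile(seats, events, secured, as_of):
    live = recent(events, as_of)
    seen = {login for login, event, _, _ in live if event in ACTIVITY}
    reclaim = {}
    for login, kind in seats.items():
        if kind != "human":
            reclaim[login] = kind        # service accounts and leavers
        elif login not in seen:
            reclaim[login] = "dormant"   # provisioned, no proven activity
    # Committer meter: a push to a feature-enabled repository inside the window.
    committers = sorted({l for l, ev, repo, _ in live if ev == "push" and repo in secured})
    return {
        "active": sorted(set(seats) - set(reclaim)),
        "reclaim": reclaim,
        "committers": committers,
        "seat_saving_per_year": len(reclaim) * SEAT * 12,
        "security_per_year": len(committers) * (CODE_SEC + SECRET) * 12,
    }

if __name__ == "__main__":
    for key, value in reconcile(SEATS, EVENTS, SECURED_REPOS, AS_OF).items():
        print(key, value)
```

The reclaim list doubles as an identity hygiene review: every leaver or dormant account on it is also standing access that can be removed.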
Attach Copilot to proven adopters after a measured pilot, not across the whole base on day one. Copilot Business lists at $19 per user per month and Copilot Enterprise at $39. The Enterprise tier adds knowledge bases and pull request summaries that most developers never touch.
On June 1, 2026 every Copilot plan moved to usage based billing. Each plan now includes a monthly allotment of GitHub AI Credits, and premium requests beyond the allotment bill at about $0.04 each. Unused monthly credits do not roll over, so a base wide attach to light users is paid capacity that evaporates each month.
Pilot on a representative cohort, measure acceptance and active use, then attach only the developers who clear a usage bar. In the worked estate that takes Copilot from 1,200 seats at $273.6K to 600 proven adopters at $136.8K, the single largest line item saving.
Default to Business at $19, not Enterprise at $39, unless a named team needs the Enterprise features. Tie the seat count to pilot evidence and keep the Copilot term short, because the AI price line is still moving.
Govern GitHub Actions on runner type and minutes, because the included allotment is measured in Linux equivalent minutes. GitHub Enterprise includes 50,000 Actions minutes a month. Windows runners burn that allotment at twice the rate and macOS runners at ten times the rate.
The same discipline applies to Copilot code review, which consumes Actions minutes at standard rates once enabled. Govern the meter and the worked estate trims Actions and Codespaces overage from $48.0K to $36.0K.
Treat Codespaces as metered cloud compute, because it bills per core hour plus storage, not per seat. Storage runs about $0.07 per gigabyte per month, and compute scales with the machine size a developer picks. A four core codespace costs twice a two core codespace for every hour it runs.
Codespaces overage rarely shows in the opening proposal, then surfaces on the first true up invoice. Put governance in before adoption climbs, not after the bill arrives.
The five clauses that decide whether your commitment protects the budget are the uplift cap, the co term rule, the price hold on adds, the true up window, and the exit ramp. Without an uplift cap, the renewal resets to prevailing list and the negotiated discount quietly expires.
| Clause to win | Why it protects the budget |
|---|---|
| Renewal uplift cap | Fixes the maximum percentage increase at renewal so the discount does not reset to list. |
| Price hold on mid term adds | Holds added seats at the original unit price rather than prevailing list on the add date. |
| Co term rule | Aligns mid term adds to the master anniversary without re pricing the whole estate. |
| True up window | Defines when and how growth is reconciled, so you are not billed retroactively at list. |
| Exit and reduction ramp | Permits a defined seat reduction at renewal instead of a flat or growth only floor. |
Here is the contrarian view. The standard account team and reseller pitch is to standardize Copilot across the whole organization and bundle security on every seat for coverage. We disagree.
Those two moves are the largest sources of overspend we see. Attach Copilot to proven adopters and meter security to active committers. Put the savings into uplift caps and a reduction ramp that protect the budget at the next renewal.
Discount depth tracks the credibility of your alternative, so build one before the first pricing call. The realistic alternatives to GitHub Enterprise are GitLab Ultimate and Azure DevOps, each with its own security and pipeline story. You do not have to migrate to use the alternative as leverage.
When the account team believes the alternative is real, it changes the math on every line item. The recovery band of 18 to 32 percent in our engagement file is widest where the buyer brought a costed, staged alternative to the table.
Keep the term short on the AI line and align the order to the anniversary, because both protect flexibility while pricing moves. A multi year commit can lower list by roughly 12 to 20 percent, but it locks the Copilot rate while usage based billing is still settling after the June 2026 change.
1. Pull 90 day activity, set active seat and committer baselines, and price the GitLab or Azure DevOps alternative.
2. Run the Copilot pilot, benchmark the rate against comparable renewals, and draft the five protective clauses.
3. Table the right sized baseline, hold the uplift cap and reduction ramp, and time signature to the anniversary.
Split the platform from the AI line where you can. A longer platform term in exchange for a real discount can sit alongside a one year Copilot commitment that you revisit once the AI Credits model settles. That is the buyer side move that keeps both the discount and the flexibility.
Verify every rate against GitHub's own published pricing before you model. The platform plans sit on github.com/pricing, Copilot plans on the Copilot plans page, the security split on the GitHub changelog, and the billing mechanics in the GitHub billing documentation.
Reconcile first, then negotiate. Do not open on rate. Open on a verified active seat and active committer baseline, with a costed alternative already on the table.
We benchmark the proposal against comparable GitHub renewals, model the right sized baseline, and run the negotiation with you. We are glad to tie a meaningful part of the fee to delivered value.