Cloud security licensing has undergone a fundamental commercial transformation in the past three years. What was once a set of free or low-cost native cloud security tools has evolved into a layered, complex, and expensive licensing category that rivals compute costs for security-conscious enterprises. AWS Security Hub, Microsoft Defender for Cloud, Google Security Command Center, plus the dozens of ISV security tools that run on each platform — for an enterprise with $30M of cloud spend, the combined cloud security budget now routinely reaches $4–8M annually.

The problem is not that enterprises are spending too much on security — that is a business decision based on risk appetite. The problem is that they are systematically paying more than necessary for the security coverage they have, deploying tools they do not need or use, and failing to negotiate the commercial terms that would reduce their security spend significantly without reducing protection. Having worked on the vendor side of both cloud platform security product teams and the enterprise sales organisations that sell security tooling to large accounts, our team has a precise view of where the overpayment occurs. For broader cloud commercial context, see our Cloud Contract Negotiation Guide.

The Cloud Security Cost Structure

Enterprise cloud security costs fall into four categories, each with different commercial dynamics and optimisation opportunities. Understanding the category structure is the first step to identifying where savings are achievable.

Native platform security services — AWS GuardDuty, AWS Security Hub, Microsoft Defender for Cloud, GCP Security Command Center — are priced by resource count, data volume, or event volume. These costs are largely consumption-driven and scale with cloud usage, but pricing tier thresholds create step-changes that can be managed through workload architecture decisions. For enterprises with very large environments, custom pricing for native security services is achievable in enterprise agreements and should be negotiated explicitly.

Identity and access management — AWS IAM Identity Center, Azure Entra ID (formerly Azure AD), GCP IAM — is where some of the most significant budget overruns occur. Microsoft's Entra ID licensing, in particular, has become expensive at scale as organisations deploy premium identity features. The Entra ID licensing tier decisions — P1 versus P2 versus Microsoft 365 E5 bundled licensing — have substantial cost implications that are frequently not optimised. See our Microsoft Security Licensing guide for Entra ID-specific detail.

Third-party security ISV tools — CSPM (cloud security posture management), CWPP (cloud workload protection), CNAPP (cloud-native application protection), SIEM tools receiving cloud log data — represent the largest opportunity for savings. These products are typically purchased independently by security teams, often without the commercial discipline applied to infrastructure spending, and the combined portfolio frequently includes significant capability duplication.

Compliance and audit tooling — tools for SOC 2, PCI DSS, HIPAA, ISO 27001, and other compliance frameworks — has expanded rapidly as cloud compliance requirements have grown. This category includes both native cloud tools and specialised third-party compliance platforms. The compliance tooling market has consolidated, and many organisations are now paying premium prices for tools that overlap substantially with native platform capabilities.

Platform-by-Platform Security Cost Analysis

Amazon Web Services

AWS Security Service Cost Optimisation

AWS security services — GuardDuty, Security Hub, Inspector, Macie, CloudTrail, Config — are priced independently, and costs accumulate quickly for large environments. GuardDuty, which analyses VPC Flow Logs, DNS logs, and CloudTrail events for threats, is priced on the volume of data it analyses. For environments with high log volume, GuardDuty costs can reach $500K–$2M annually. The optimisation approach involves: identifying and excluding low-value log sources from GuardDuty analysis, implementing intelligent log filtering before ingestion, and right-sizing log retention policies to reduce Config and CloudTrail storage costs.

AWS Security Hub, which aggregates findings from GuardDuty, Inspector, Macie, and third-party tools, is priced per finding and per account per month. For large multi-account AWS organisations, Security Hub costs can reach $100K–$500K annually — and a significant proportion of findings in most environments are low-severity or informational. Implementing finding suppression rules and severity-based filtering before ingestion to Security Hub dramatically reduces per-finding costs without reducing security visibility.

AWS Macie — the S3 data discovery and classification service — is among the most frequently over-deployed AWS security services. The pricing model charges per GB of S3 data scanned. Organisations that scan their entire S3 estate monthly are often paying five to ten times what a risk-based selective scanning approach would cost, with minimal incremental security benefit on the additional coverage.

Microsoft Azure

Microsoft Defender for Cloud and Security Licensing

Microsoft Defender for Cloud (formerly Azure Security Center) is the most complex cloud-native security pricing environment of the three major providers. The per-resource pricing for Defender plans — covering servers, databases, containers, storage, App Service, Key Vault, and DNS — compounds quickly for large Azure deployments. Enterprises commonly enable all Defender plans at deployment and never revisit the coverage decision, resulting in Defender costs of $1–4M annually on environments where selective plan coverage would provide equivalent protection at half the cost.

The specific optimisation opportunities in Defender for Cloud are: auditing which Defender plans are enabled and whether the covered resource types contain data or workloads that justify the protection level; evaluating whether Microsoft Sentinel (the SIEM product) or Defender XDR (the extended detection and response product) subscription levels are appropriate for actual usage patterns; and renegotiating Microsoft 365 E5 bundles where Defender capabilities are being licensed twice (once through the bundle and once through standalone Defender for Cloud plans).

Microsoft's security licensing complexity also creates bundling opportunities. Many enterprises pay for E5 Security add-ons without recognising that their existing M365 E5 licensing already includes significant Defender capabilities. A systematic Microsoft security licensing audit typically identifies 20–35% of standalone Defender spend that duplicates E5-included entitlements. See our Microsoft Security Licensing guide and our broader Reducing Microsoft Spend guide for detail.

Google Cloud Platform

GCP Security Command Center and Chronicle

Google Cloud's Security Command Center (SCC) is available in Standard (free) and Premium tiers. The Premium tier — required for most enterprise compliance use cases — is priced as a percentage of total GCP spend, which means it scales automatically as cloud usage grows. For large GCP environments, SCC Premium costs can be significant. GCP enterprise agreement negotiations can include SCC pricing caps or flat-rate SCC arrangements that prevent the percentage-of-spend model from creating runaway costs.

Chronicle, GCP's SIEM and threat intelligence platform, is priced by data ingestion volume. For enterprises consolidating their on-premises and cloud security logs into Chronicle, the data ingestion costs can be substantial. GCP's enterprise commercial team has flexibility on Chronicle pricing for committed use arrangements, and large-scale Chronicle deployments should be negotiated as part of the broader GCP enterprise agreement rather than as a standalone product purchase.

Third-Party Security ISV Rationalisation

The most significant cloud security cost reduction opportunity for most enterprises is not in the native platform tools — it is in the layer of third-party ISV security products that have accumulated over years of decentralised procurement. A typical Fortune 500 enterprise security team will have 40–70 distinct security tools deployed across their cloud environment. Many of these tools address the same capability areas with overlapping coverage.

Common Cloud Security Redundancy Patterns

  • Three or more CSPM tools covering the same cloud environments (one native, one primary ISV, one legacy from pre-cloud era)
  • Separate SIEM tools for cloud and on-premises environments that are both ingesting the same cloud log sources
  • Container security tools overlapping with platform-native container scanning (Amazon ECR scanning, Microsoft Defender for Containers)
  • Identity governance tools duplicating native cloud IAM audit capabilities
  • Compliance tools purchased independently by each regulated business unit, covering the same frameworks across the enterprise
  • Vulnerability scanning tools at multiple layers (OS, container, application) with no clear ownership or non-duplication policy

The rationalisation process starts with capability mapping: catalogue every security tool deployed, map it to its primary security capability (CSPM, CWPP, SIEM, IAM governance, vulnerability management, compliance, etc.), and identify coverage overlaps. In our experience with large enterprise security portfolios, 30–40% of third-party security ISV spend covers capabilities that either duplicate native cloud tools or duplicate other ISV tools in the portfolio.
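The capability-mapping step above can be made mechanical. The following script is an added illustration, not part of the original article or any vendor's tooling: it takes a constructed tool inventory (hypothetical tool names, capabilities, cloud scopes and annual costs), maps each (capability, environment) cell to the tools covering it, flags overlapping cells, and lists the ISV tools whose entire coverage is already provided by something else in the portfolio.

```python
from collections import defaultdict

# Constructed sample inventory: hypothetical tools, capabilities, scopes and
# annual costs for illustration only, not figures from any real estate.
INVENTORY = [
    {"tool": "AWS Security Hub", "capability": "CSPM", "scope": {"aws"}, "native": True, "annual_cost": 120_000},
    {"tool": "Vendor-A CSPM", "capability": "CSPM", "scope": {"aws", "azure"}, "native": False, "annual_cost": 400_000},
    {"tool": "Legacy CSPM", "capability": "CSPM", "scope": {"aws"}, "native": False, "annual_cost": 250_000},
    {"tool": "Cloud SIEM", "capability": "SIEM", "scope": {"aws", "azure"}, "native": False, "annual_cost": 600_000},
    {"tool": "On-prem SIEM", "capability": "SIEM", "scope": {"aws", "onprem"}, "native": False, "annual_cost": 700_000},
    {"tool": "Defender for Containers", "capability": "container_security", "scope": {"azure"}, "native": True, "annual_cost": 90_000},
    {"tool": "Vendor-B Container Scanner", "capability": "container_security", "scope": {"azure"}, "native": False, "annual_cost": 150_000},
    {"tool": "Vendor-C Secrets Scanner", "capability": "secrets_detection", "scope": {"aws"}, "native": False, "annual_cost": 80_000},
]


def coverage_map(inventory):
    """Map each (capability, environment) cell to the tools that cover it."""
    cells = defaultdict(list)
    for t in inventory:
        for env in t["scope"]:
            cells[(t["capability"], env)].append(t["tool"])
    return cells


def overlapping_cells(inventory):
    """Cells covered by two or more tools; these are the overlap candidates."""
    return {cell: sorted(tools) for cell, tools in coverage_map(inventory).items() if len(tools) > 1}


def rationalisation_candidates(inventory):
    """ISV tools whose every covered cell is also covered by another tool.

    Returns (sorted tool names, their combined annual cost, share of ISV spend).
    A tool that covers even one unique cell is kept: removing it would open a gap.
    """
    cells = coverage_map(inventory)
    candidates = []
    for t in inventory:
        if t["native"]:
            continue  # native platform services are the baseline, not candidates
        if all(len(cells[(t["capability"], env)]) > 1 for env in t["scope"]):
            candidates.append(t["tool"])
    dup_cost = sum(t["annual_cost"] for t in inventory if t["tool"] in candidates)
    isv_total = sum(t["annual_cost"] for t in inventory if not t["native"])
    return sorted(candidates), dup_cost, (dup_cost / isv_total if isv_total else 0.0)


if __name__ == "__main__":
    for (cap, env), tools in sorted(overlapping_cells(INVENTORY).items()):
        print(f"{cap:>20} / {env:<6} covered by: {', '.join(tools)}")
    names, cost, share = rationalisation_candidates(INVENTORY)
    print(f"fully redundant ISV tools: {names} (${cost:,}, {share:.0%} of ISV spend)")
```

Partially overlapping tools (a SIEM that also covers on-premises, a CSPM that alone covers a second cloud) are reported as overlaps but not as removal candidates, since consolidating them requires a replacement decision rather than a straight cut.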

The rationalisation output — consolidated ISV portfolio with clear capability ownership — also creates commercial leverage. Presenting a rationalised ISV selection to the remaining preferred vendors, with consolidated spend volumes and multi-year commitments, typically delivers 20–30% unit price reductions compared to the fragmented procurement that preceded it. Volume consolidation into fewer ISV relationships is one of the highest-leverage commercial actions available in enterprise security procurement.

Negotiating Security Tooling Commercially

Cloud security procurement is often conducted by security teams rather than commercial procurement teams — and security teams, understandably, prioritise protection coverage over commercial terms. The result is that security tooling is among the most poorly negotiated enterprise software categories: single-vendor purchases without competitive alternatives, auto-renewing contracts at list price, and no systematic benchmarking of what comparable organisations pay.

Applying commercial discipline to security procurement does not mean choosing cheaper protection — it means ensuring that the protection you have chosen is purchased at the best available commercial terms. The commercial levers are identical to any enterprise software negotiation: multi-year commitment in exchange for better pricing, volume consolidation across business units, competitive alternatives (real or demonstrated), and timing negotiations to leverage the vendor's quarter-end closing pressure.

For large security ISV relationships — spending $500K+ annually with a single vendor — the potential savings from a disciplined commercial negotiation are substantial. Palo Alto Networks, CrowdStrike, Wiz, Lacework, and other major cloud security platforms have standard pricing that includes significant room for enterprise negotiation. The gap between list price and enterprise negotiated price for major security ISVs is typically 20–40% for buyers engaging professionally.

Our approach: When we advise enterprise organisations on cloud security licensing, we start with a full cost audit — native platform tools, IAM licensing, third-party ISVs — to identify the specific areas of overpayment. In our experience, the combined optimisation across all three categories typically reduces enterprise cloud security spend by 30–50% without reducing coverage. The security posture assessment and commercial negotiation are inseparable: you cannot know what to cut without understanding the technical coverage, and you cannot achieve the best commercial terms without knowing what you are willing to consolidate.

Organisations looking to reduce cloud security spending should start with a structured security licensing audit. Our Cloud Contract Negotiation and SaaS Optimisation practices both cover cloud security cost reduction, and the leading advisory firms in this space — including Redress Compliance, whose team includes former cloud security commercial executives — can identify specific savings opportunities in your current security portfolio. Contact us to discuss your cloud security cost profile.