The most common question we get is also the most poorly answered question in the industry: how much should a company our size spend on security?
Every analyst report cites the same statistic: 7 to 10 percent of IT budget. That number has been recycled in security sales decks for fifteen years. It's also useless, because it doesn't tell anyone what to actually buy or why.
A 200-person fintech and a 200-person law firm have wildly different risk profiles, regulatory loads, and operational realities. They should not spend the same amount or buy the same things. The "7 to 10 percent" advice is the security industry's equivalent of "eat a balanced diet." Technically true. Operationally meaningless.
This post is the answer we wish someone had given us. It's the actual breakdown, by category, with sourced prices, for a 200-person company at four common profiles: SaaS, fintech, healthtech, and professional services.
What changed in how we think about this
The traditional model assumed an in-house security stack that mirrored a Fortune 500's, just smaller. Buy a SIEM, buy an EDR, buy a firewall, buy a vulnerability scanner, hire two analysts, and you're done.
That model breaks at 200 people for two reasons.
First, vendor pricing has stratified. The list price for an enterprise SIEM at 200 employees is now wildly disproportionate to the value extracted. Splunk Enterprise Security at full ingestion volume can cost more than your annual cloud bill. Companies in this size range are making completely different choices than they were five years ago.
Second, threat economics have changed. The threat actors targeting a 200-person fintech are not interested in your network perimeter. They're interested in your identity layer, your developer environments, your SaaS sprawl, and your supply chain. The security stack that defends against the actual threats looks very different from what an Excel model based on Fortune 500 spending would suggest.
The four profiles, with real numbers
We pulled these numbers from CyberTwin's catalog, which sources every price from vendor pages, AWS Marketplace listings, Vendr benchmark data, or reseller listings. Every number below has a citation; we're not making them up.
These are the Balanced-tier stacks, which is what most 200-person companies actually deploy. We're showing the Balanced stack because the Lean stack is the floor (what you can defend in a finance meeting) and the Advanced stack is the ceiling (what you'd buy with full funding).
Profile 1 — 200-person SaaS, US-based, no regulated data
This is the simplest profile. Cloud-native, mostly remote workforce, primary risks are credential stuffing, supply chain attacks via dependencies, and customer data exfiltration.
- Identity (200 seats) — Microsoft Entra ID P2 — $21,600/yr
- Endpoint (200 endpoints) — Microsoft Defender for Endpoint P1 — $7,200/yr
- Email security (200 mailboxes) — Microsoft Defender for O365 P1 — $4,800/yr
- MDM (200 devices) — Microsoft Intune — $19,200/yr
- SIEM — Microsoft Sentinel (usage-priced, ~baseline) — $5,475/yr
- Cloud security — AWS GuardDuty + Security Hub — $4,800/yr
- AppSec — Snyk Team (15 devs) — $4,500/yr
- Backup — Veeam Data Platform Foundation — $6,000/yr
- WAF — Cloudflare WAF Business — $2,400/yr
Total: about $76k/year. Roughly $380 per employee per year. It's the cost of the Microsoft-native stack — one of CyberTwin's named reference architectures. It's chosen here because the integration coherence (everything in the M365 ecosystem) cuts operational overhead substantially.
A best-of-breed alternative (CrowdStrike + Okta + Splunk + Wiz) costs roughly $128,000 at the same scale — about $640 per employee per year — but with meaningfully higher operational overhead.
Profile 2 — 200-person fintech, US-based, PCI DSS scope, payment cards
Different threat model, different regulatory load, different stack.
- Identity (200 seats) — Okta Workforce Identity — $19,200/yr
- PAM — CyberArk Privilege Cloud — $60,000/yr
- Endpoint (220 incl. servers) — CrowdStrike Falcon Pro — $21,998/yr
- Email security — Mimecast M2A — $12,000/yr
- Network/Firewall (HQ + DR) — Two FortiGate 200F — $17,000/yr
- ZTNA — Cloudflare One — $16,800/yr
- SIEM — Microsoft Sentinel (higher ingestion) — $11,000/yr
- Cloud security — Wiz Essential — $24,000/yr
- AppSec — GitHub Advanced Security (20 active committers) — $11,760/yr
- DLP — Microsoft Purview Information Protection — $16,800/yr
- Backup — Rubrik Cloud Vault — $35,000/yr
- WAF — Cloudflare WAF Business — $2,400/yr
Total: about $248k/year. Roughly $1,240 per employee per year, dramatically higher than the SaaS profile. The increase is driven by three things: PAM (a hard regulatory requirement), CNAPP (Wiz, because cloud risk in fintech is a critical control), and DLP (because payment card data triggers it).
A 200-person fintech that tries to spend $75,000 a year on security is going to fail their PCI audit and lose their merchant agreement. The numbers don't lie about that.
The "7-10% of IT budget" rule is wrong by a factor of two in either direction. A SaaS company is closer to 4%. A fintech is closer to 12-15%.
Profile 3 — 200-person healthtech, US-based, HIPAA scope, PHI handling
Similar size, different regulatory regime, different threat profile.
- Identity (200 seats) — Microsoft Entra ID P2 — $21,600/yr
- PAM — Delinea Secret Server Cloud — $32,000/yr
- Endpoint (200 endpoints) — Microsoft Defender for Endpoint P2 — $12,480/yr
- Email security — Mimecast M2A — $12,000/yr
- Network/Firewall (HQ + clinic sites) — FortiGate 100F + 60F × 2 — $7,800/yr
- MDM — Microsoft Intune — $19,200/yr
- SIEM — Microsoft Sentinel — $7,500/yr
- Cloud security — AWS GuardDuty + Inspector + Config — $10,800/yr
- Backup (immutable, RTO-tight) — Veeam + immutable repo — $14,000/yr
- DLP (PHI-specific) — Microsoft Purview — $16,800/yr
- WAF — AWS WAF + Shield Standard — $3,600/yr
Total: about $158k/year. Roughly $790 per employee per year. The driver is PHI exposure: every component above either prevents PHI exfiltration, contains it when prevention fails, or proves to OCR that the company has reasonable safeguards.
Healthtech companies that go cheaper here typically end up paying it back later in HHS settlements. A single $1.5M HIPAA settlement (the average for breaches over 500 records) pays for ten years of the stack above.
Profile 4 — 200-person professional services firm, US-based, no specific regulatory regime
The lowest spend profile. Lower threat exposure, no specific compliance forcing function, mostly knowledge workers on managed laptops.
- Identity (200 seats) — Google Workspace Enterprise Plus (incl. identity) — $72,000/yr
- Endpoint (200 endpoints) — Sophos Intercept X Advanced + XDR — $12,000/yr
- Email security — included in Workspace — $0
- MDM — Jamf Pro (Mac-heavy fleet) — $10,000/yr
- SIEM — Sumo Logic Cloud SIEM Enterprise — $38,000/yr
- Cloud security — AWS GuardDuty + Security Hub — $4,800/yr
- Backup — Datto SIRIS — $4,800/yr
- WAF — Cloudflare WAF Business — $2,400/yr
Total: about $144k/year. Roughly $720 per employee per year. The Workspace cost dominates because it's bundled — identity, email, productivity, and security in one SKU. For a Mac-heavy professional services firm, it's a meaningfully cheaper architecture than the Microsoft equivalent.
What these numbers tell you
Three observations:
The "7-10% of IT budget" rule is wrong by a factor of two in either direction. A SaaS company is closer to 4%. A fintech is closer to 12-15%. The single number obscures the variance.
Sector matters more than size. A 200-person fintech spends roughly 3.3× what a 200-person SaaS company spends. The difference isn't because fintechs are 3.3× larger or 3.3× more sophisticated — it's because their regulatory load and threat exposure are categorically different.
The Balanced tier exists where it does for a reason. The Lean tier for each of these profiles costs about 60% of Balanced; the Advanced tier costs about 180%. The bell curve of "what most companies actually deploy" centers on the Balanced number because that's where the marginal dollar of spend stops returning meaningful risk reduction.
Why we publish these numbers
The security industry has spent two decades hiding behind "every situation is unique." Pricing pages disappeared, list prices vanished from vendor sites, and analyst firms charged five-figure sums to tell you what your competitors were paying.
That's not real. The numbers above are sourced from public pricing pages, public marketplace listings, and benchmark data from Vendr that's published openly. There's no proprietary information in this post.
The reason most security companies don't publish numbers like this is that the numbers reveal how much markup their products carry. Once you can see that a Sentinel deployment for a 200-person company costs $5,475 a year and that a competing SIEM with similar coverage costs $95,000, the conversation changes.
We think it's better to have that conversation honestly than to keep hiding it. So when CyberTwin produces a recommendation, every product in the stack carries its real list price, the source URL we got it from, and the date we last verified it.
You can argue with our recommendations. You can argue with our priorities. You shouldn't have to argue with our numbers.
That's the point.