CyberTwin
← All posts
April 8, 2026· 11 min read · CyberTwin team

How much should a 200-person company spend on security? (Real numbers)

$

The most common question we get is also the most poorly answered question in the industry: how much should a company our size spend on security?

Every analyst report cites the same statistic: 7 to 10 percent of IT budget. That number has been recycled in security sales decks for fifteen years. It's also useless, because it doesn't tell anyone what to actually buy or why.

A 200-person fintech and a 200-person law firm have wildly different risk profiles, regulatory loads, and operational realities. They should not spend the same amount or buy the same things. The "7 to 10 percent" advice is the security industry's equivalent of "eat a balanced diet." Technically true. Operationally meaningless.

This post is the answer we wish someone had given us. It's the actual breakdown, by category, with sourced prices, for a 200-person company at four common profiles: SaaS, fintech, healthtech, and professional services.

What changed in how we think about this

The traditional model assumed an in-house security stack that mirrored a Fortune 500's, just smaller. Buy a SIEM, buy an EDR, buy a firewall, buy a vulnerability scanner, hire two analysts, and you're done.

That model breaks at 200 people for two reasons.

First, vendor pricing has stratified. The list price for an enterprise SIEM at 200 employees is now wildly disproportionate to the value extracted. Splunk Enterprise Security at full ingestion volume can cost more than your annual cloud bill. Companies in this size range are making completely different choices than they were five years ago.

Second, threat economics have changed. The threat actors targeting a 200-person fintech are not interested in your network perimeter. They're interested in your identity layer, your developer environments, your SaaS sprawl, and your supply chain. The security stack that defends against the actual threats looks very different from what an Excel model based on Fortune 500 spending would suggest.

The four profiles, with real numbers

We pulled these numbers from CyberTwin's catalog, which sources every price from vendor pages, AWS Marketplace listings, Vendr benchmark data, or reseller listings. Every number below has a citation; we're not making them up.

These are the Balanced-tier stacks, which is what most 200-person companies actually deploy. We're showing the Balanced stack because the Lean stack is the floor (what you can defend in a finance meeting) and the Advanced stack is the ceiling (what you'd buy with full funding).

Profile 1 — 200-person SaaS, US-based, no regulated data

This is the simplest profile. Cloud-native, mostly remote workforce, primary risks are credential stuffing, supply chain attacks via dependencies, and customer data exfiltration.

Total: about $76k/year. Roughly $380 per employee per year. It's the cost of the Microsoft-native stack — one of CyberTwin's named reference architectures. It's chosen here because the integration coherence (everything in the M365 ecosystem) cuts operational overhead substantially.

Identity (Entra ID P2) $21,600 MDM (Intune) $19,200 Endpoint (Defender) $7,200 Backup (Veeam) $6,000 SIEM (Sentinel baseline) $5,475 Cloud (GuardDuty + Hub) $4,800 Email (Defender O365) $4,800 AppSec (Snyk Team) $4,500 WAF (Cloudflare Business) $2,400
SaaS profile — annual spend per category, sorted descending.

A best-of-breed alternative (CrowdStrike + Okta + Splunk + Wiz) costs roughly $128,000 at the same scale — about $640 per employee per year — but with meaningfully higher operational overhead.

Profile 2 — 200-person fintech, US-based, PCI DSS scope, payment cards

Different threat model, different regulatory load, different stack.

Total: about $248k/year. Roughly $1,240 per employee per year, dramatically higher than the SaaS profile. The increase is driven by three things: PAM (a hard regulatory requirement), CNAPP (Wiz, because cloud risk in fintech is a critical control), and DLP (because payment card data triggers it).

PAM (CyberArk) $60,000 Backup (Rubrik Cloud Vault) $35,000 Cloud (Wiz Essential) $24,000 Endpoint (CrowdStrike Pro) $21,998 Identity (Okta Workforce) $19,200 Network (FortiGate 200F ×2) $17,000 ZTNA (Cloudflare One) $16,800 DLP (Purview IP) $16,800 Email (Mimecast M2A) $12,000 AppSec (GH Adv Security) $11,760 SIEM (Sentinel) $11,000 WAF (Cloudflare Business) $2,400
Fintech profile — PAM, backup, and CNAPP dominate the spend curve.

A 200-person fintech that tries to spend $75,000 a year on security is going to fail their PCI audit and lose their merchant agreement. The numbers don't lie about that.

The "7-10% of IT budget" rule is wrong by a factor of two in either direction. A SaaS company is closer to 4%. A fintech is closer to 12-15%.

Profile 3 — 200-person healthtech, US-based, HIPAA scope, PHI handling

Similar size, different regulatory regime, different threat profile.

Total: about $158k/year. Roughly $790 per employee per year. The driver is PHI exposure: every component above either prevents PHI exfiltration, contains it when prevention fails, or proves to OCR that the company has reasonable safeguards.

PAM (Delinea Secret Server) $32,000 Identity (Entra ID P2) $21,600 MDM (Intune) $19,200 DLP (Purview) $16,800 Backup (Veeam immutable) $14,000 Endpoint (Defender P2) $12,480 Email (Mimecast M2A) $12,000 Cloud (GuardDuty + Inspector) $10,800 Network (FortiGate 100F + 60F ×2) $7,800 SIEM (Sentinel) $7,500 WAF (AWS WAF + Shield Std) $3,600
Healthtech profile — PAM, identity, and DLP carry the PHI-protection load.

Healthtech companies that go cheaper here typically end up paying it back later in HHS settlements. A single $1.5M HIPAA settlement (the average for breaches over 500 records) pays for ten years of the stack above.

Profile 4 — 200-person professional services firm, US-based, no specific regulatory regime

The lowest spend profile. Lower threat exposure, no specific compliance forcing function, mostly knowledge workers on managed laptops.

Total: about $144k/year. Roughly $720 per employee per year. The Workspace cost dominates because it's bundled — identity, email, productivity, and security in one SKU. For a Mac-heavy professional services firm, it's a meaningfully cheaper architecture than the Microsoft equivalent.

Identity (Workspace Enterprise+) $72,000 SIEM (Sumo Cloud SIEM Ent.) $38,000 Endpoint (Sophos X + XDR) $12,000 MDM (Jamf Pro) $10,000 Cloud (GuardDuty + Hub) $4,800 Backup (Datto SIRIS) $4,800 WAF (Cloudflare Business) $2,400 Email (incl. Workspace) $0
Professional services profile — Workspace + SIEM dominate; everything else is light.

What these numbers tell you

Three observations:

The "7-10% of IT budget" rule is wrong by a factor of two in either direction. A SaaS company is closer to 4%. A fintech is closer to 12-15%. The single number obscures the variance.

Sector matters more than size. A 200-person fintech spends roughly 3.3× what a 200-person SaaS company spends. The difference isn't because fintechs are 3.3× larger or 3.3× more sophisticated — it's because their regulatory load and threat exposure are categorically different.

The Balanced tier exists where it does for a reason. The Lean tier for each of these profiles costs about 60% of Balanced; the Advanced tier costs about 180%. The bell curve of "what most companies actually deploy" centers on the Balanced number because that's where the marginal dollar of spend stops returning meaningful risk reduction.

Why we publish these numbers

The security industry has spent two decades hiding behind "every situation is unique." Pricing pages disappeared, list prices vanished from vendor sites, and analyst firms charged five-figure sums to tell you what your competitors were paying.

That's not real. The numbers above are sourced from public pricing pages, public marketplace listings, and benchmark data from Vendr that's published openly. There's no proprietary information in this post.

The reason most security companies don't publish numbers like this is that the numbers reveal how much markup their products carry. Once you can see that a Sentinel deployment for a 200-person company costs $5,475 a year and that a competing SIEM with similar coverage costs $95,000, the conversation changes.

We think it's better to have that conversation honestly than to keep hiding it. So when CyberTwin produces a recommendation, every product in the stack carries its real list price, the source URL we got it from, and the date we last verified it.

You can argue with our recommendations. You can argue with our priorities. You shouldn't have to argue with our numbers.

That's the point.

Keep reading