Cloud Security, Application security, Identity

Stop treating core security features like SSO as premium luxuries


COMMENTARY: In 2024, global spending on Software-as-a-Service (SaaS) applications was projected to reach $247.2 billion, according to Statista, and the category could soar to $1.3 trillion by 2030.

A major driver of this growth has been rising prices. Research from Vertice shows a 12.3% increase in SaaS costs for 2024. The report notes a troubling trend: “It doesn’t help that 60% of vendors deliberately mask their rising prices, making cost clarity in negotiations more difficult and thus meaning companies are likely to be overpaying.”

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Some of this price inflation comes from charges for security features, which is no surprise. However, not all security-related charges appear justified. In some cases, these add-ons appear designed more to pad profit margins than to deliver real value. This raises concerns about the SaaS business model and its long-term sustainability.

The security tax

A clear sign of the dissatisfaction with the pricing for security features in SaaS apps is the emergence of websites that highlight the problem. Just take a look at sso.tax and ssotax.org, which call out the costs for single sign-on (SSO). 

For small organizations, say those with five employees or more, SSO has become a critical security capability. But SaaS companies seem to think that it’s only for larger customers. The result: SSO is often priced into the enterprise editions only. This leaves smaller businesses with little choice but to purchase expensive licenses packed with unnecessary features. Those licenses often cost 2X to 4X more than the base product offering.

SSO is just one example. Similar pricing practices apply to other core security capabilities. For example, audit trails to track application and user changes are often locked behind higher-tier plans. Compliance with frameworks like SOC 2 or ISO 27001 represents another area where smaller businesses are excluded. The same goes for permission schemes, such as role-based access controls, as well as System for Cross-domain Identity Management (SCIM), which simplifies user provisioning and de-provisioning.

Charging premium prices for this type of technology is increasingly out of step with broader trends in the security industry. Take digital certificates for HTTPS as an example. A decade ago, companies often paid significant fees for these certificates to enable secure, encrypted connections. Today, services like Let’s Encrypt have revolutionized the market by offering digital certificates for free.

The impact

For small and mid-sized businesses, the high costs of essential security features like SSO may force them to forgo these capabilities altogether. That leaves them much more vulnerable to breaches.

That’s why the industry should not treat core security features as luxury add-ons. Vendors should include SSO, audit trails, SCIM and permission schemes for compliance as part of the core product for all customers. Such a feature could also be offered as an optional paid add-on, but the cost increase should stay reasonable and proportionate to its value. If SSO is tied to higher pricing tiers, we should see only a modest gap between the non-SSO tier and those offering the feature.

By rethinking the business model and the realities of the marketplace, SaaS providers can better support their customers’ security needs while advancing a larger goal: making business software — and the internet itself — more secure, resilient, and protective of end users’ data. Ultimately, prioritizing affordable access to security features is a win-win: companies benefit from stronger protection, and the broader digital ecosystem becomes safer for everyone.

The potential for disruption

Today’s SaaS pricing model, particularly for essential security features, could leave incumbents vulnerable to disruption. Customer dissatisfaction with opaque pricing and unnecessary upcharges creates an opportunity for new, more agile competitors to enter the market with fairer, customer-centric models. If smaller, innovative SaaS providers offer core security features at accessible price points, they could quickly gain traction. This kind of customer-led disruption mirrors other industries where pushback against pricing excess has forced changes.

Take BMW, for instance. The company’s attempt to charge customers a subscription fee for heated seats received widespread backlash, forcing it to scale back the controversial practice. It was a clear signal that customers won’t tolerate being nickel-and-dimed for features they consider fundamental. SaaS companies should heed this lesson: the subscription model has its limits.

Besides customer-driven disruption, technological advancements — particularly agentic AI — could further challenge the current SaaS pricing model. Agentic AI refers to systems that can autonomously or semi-autonomously perform tasks by reasoning, planning, and executing actions across multiple workflows. This could eliminate the need for pricing models tied to individual users and shift the focus toward value delivered rather than the number of licenses purchased.

Agentic AI’s ability to manage workflows independently diminishes the reliance on features like SSO. If AI agents can securely interact with systems and data without requiring individual logins, SSO becomes far less relevant. This change would force SaaS providers to rethink how they package and price their offerings. Instead of locking features behind expensive tiers, companies would need to compete based on performance, outcomes, and innovation.

We should no longer treat core security features like SSO as premium luxuries, but as essential components accessible to businesses of all sizes. SaaS companies that proactively embrace these changes will protect their market position and play an important role in fostering a safer, more innovative digital ecosystem.

Omer Cohen, chief security officer, Descope

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
