How Much Should a Startup Spend on Security? A Budget Breakdown
Nobody talks about what a security budget actually looks like. You hear general advice about investing in security, but the specific line items and realistic costs often stay vague.
For a growth-stage startup or emerging mid-market company with 200 employees that is getting serious about security, budgets typically range from $500K to $2 million annually. That covers staff and consultants, as well as security products and services. The higher end gets there primarily through staff costs, because two or three experienced security professionals can add up fast.
Here’s what the actual line items look like for a 200-person company.
24/7 Monitoring: $45-150K
Monitoring, usually packaged with security event and incident response assistance, is both critical and the component most often neglected by startups and emerging mid-market companies. Even technical non-security decision-makers often think of security as prevention and keeping the attacker out. They tend to miss that detection and response matter as much or more than prevention. This is because prevention is never absolute and is rarely enough to keep a determined and competent attacker out of your systems.
The longer an attacker dwells undetected in your environment, the more damage they can do. Before you spend the budget on more prevention, you need to get solid monitoring in place.
A managed detection and response (MDR) provider for a 200-person B2B SaaS company runs $45-150K annually. That includes:
- Endpoint Detection and Response (EDR, the replacement technology for antivirus)
- SaaS infrastructure monitoring (e.g., Microsoft 365 or Google Workspace)
- Identity provider integration (think Okta or similar)
- Cloud control plane monitoring (cloud logs for companies that use AWS, Azure or GCP). If you don’t have a cloud infrastructure, you’ll be in the lower end of the range.
The MDR provides 24/7 coverage, escalates when it encounters issues, and filters alerts to cut through unnecessary noise. The good ones will work with you to automatically respond to certain types of threats (such as quarantining infected hosts or resetting credentials) if you grant the necessary permissions, and will help run investigations and manage active security incidents.
Getting this functioning is foundational. A company with any infrastructure that doesn’t have real monitoring is running blind.
Endpoint Security: $20-40K
There are two components worth calling out here:
Device management (MDM). You need control over laptops. Mobile device management lets you configure machines consistently, force updates, and remotely lock or wipe stolen devices so they become paperweights. Rippling, for example, bundles this with its other IT and HR tools and services. Most managed service providers deploy a Remote Monitoring and Management (RMM) tool instead; if and when you insource IT, you’ll need to replace it.
This is technically an IT function, but security often forces the investment. It’s typically first deployed by startups transitioning employees off personal machines onto corporate devices you can actually control.
Endpoint detection and response (EDR). This usually means SentinelOne, CrowdStrike, or Microsoft Defender if you’re a Microsoft shop. The lower-tier options aren’t sufficient for regulated B2B SaaS, and with a few notable exceptions like Sophos, endpoint security packaged exclusively for the mid-market is rarely sufficient either.
Full-feature EDR pricing runs at about $100 per endpoint at list, but these are hyper-competitive markets. At 200 seats, you can purchase good MDM and EDR products together for $20-40K per year.
Cloud Security Posture Management: $30-500K
For cloud-first companies, you need tools looking at AWS, Azure, or GCP configuration. This isn’t attack detection, but instead proactive security posture management.
This is the Wiz, Orca, and similar Cloud Native Application Protection Platforms (CNAPP) tools market. They plug into your cloud APIs and optionally deploy agents on workloads to examine:
- Storage configuration
- Load balancer and network configuration
- Virtual machine and compute resources
- Container and Kubernetes configuration
- Dependencies and third-party components
- CVEs and vulnerability data
The cost varies with cloud scale. A lean cloud environment with managed services around the tools runs around $30K. A more significant cloud infrastructure hosting a dozen applications can easily hit $500K.
One way to think about it is security as a percentage of cloud spend. If you’re spending $2M annually on cloud infrastructure, what percentage goes to actually securing it? Is it five percent? Ten percent?
There’s no universal answer, but it’s a useful frame for evaluating whether you’re investing appropriately. The more regulated or risk-averse you are, the higher the percentage.
SaaS Security Posture: $35-50K
Beyond cloud infrastructure, you need visibility into corporate SaaS: identity management, Microsoft 365 or Google Workspace configuration, and the sprawl of third party SaaS tools across your organization.
The common problems are unmanaged file sharing (publicly accessible documents and spreadsheets containing sensitive data), identities and permissions that cannot be correlated across SaaS tools, offboarding that misses accounts in individual services, and unmanaged set-it-and-forget-it integrations between third-party platforms.
SaaS security posture tools build connectors to all these different applications and give you one single view. IT teams love using them because they’ve never had this level of visibility before.
The market currently focuses on larger organizations (which means over a thousand users). Smaller companies might struggle to buy these tools directly due to vendor price minimums. However, service providers offer these enterprise tools bundled with assessments and managed services packaged for startups and emerging midmarket companies.
Compliance Platform: $25-75K
If you’re pursuing SOC 2 or ISO certification, you need a compliance automation platform (think Vanta, Drata, or similar) because running compliance on spreadsheets is painful and inefficient. The platform organizes evidence, automates collection, and makes audits dramatically easier. The ROI on manual effort saved is obvious, likely hundreds of man-hours a year or more.
Base pricing runs $25-30K annually. Multiple compliance frameworks and more users push that up. At 600 seats with multiple frameworks, you can expect $75K or more.
Add audit costs on top: $10-50K for straightforward SOC 2 audits and possibly even higher for complex situations.
Penetration Testing: $30-100K
External security testing validates your defenses. This means pen tests of your core application, external attack-surface assessments, or ongoing bug-bounty programs (like Bugcrowd).
For most mid-market companies, the budget is $30-100K, depending on scope (number of applications and lines of code). Large cloud footprints with multiple applications can run into the hundreds of thousands of dollars.
The widespread adoption of AI in offensive security continues to reshape this market, so pricing may continue to shift.
Code Security: $30-100K
While many companies undergo pen tests before implementing Code Security due to compliance requirements, organizations must eventually invest in systemic and ongoing measures to secure their software-based products and services. This includes tools for scanning code, integrating into CI/CD pipelines, and catching vulnerabilities before deployment.
Semgrep and similar tools fit here. Costs scale with the number of developers and the volume of code. Open-source options are available for getting started, but significant production deployments may require commercial licensing. We note that Anthropic just released Claude Code Security and, if the published performance holds, Anthropic and other LLM providers integrated directly into the development pipeline have the potential to disrupt this industry segment in 2026.
Fractional Security Leadership: $10-40K Monthly
A fractional CISO provides strategic leadership at a fraction of full-time cost. The range depends on hours needed and whether you add on fractional security engineers.
$10-15K gets you 40 hours of vCISO service per month. vCISOs at these rates have in-house security leadership experience and executive acumen. You can add hands-on fractional security engineering support depending on your needs. This means someone configuring and tuning your security controls, connecting them to your MDR, and doing the ongoing analysis and technical work required in a functioning security program.
Firms like IOmergent also provide fractional Product Security assistance to help engineering teams conduct threat modeling and design and manage security throughout their development pipelines. A three-person fractional security team at 40 hours each will cost between $30 and $40K per month depending on required experience.
Secure Email Gateway: $25-35K
Business Email Compromise (BEC) is the single most common security incident that pushes startups and mid-market companies to invest in security. In our experience, the victims are often Microsoft 365 shops that haven’t locked down their tenant settings and haven’t purchased and deployed Microsoft’s more advanced security feature sets.
The fastest way for many such companies to secure their email against BEC is a modern, API-connected secure email gateway. These AI-assisted tools improve detection, response, and prevention, and will cost you between $25K and $35K for 200 seats.
The Full Picture
Here’s the holistic math for a 200-person startup or emerging mid-market company getting serious about security:
| Line Item | Annual Budget Range |
|---|---|
| MDR (24/7 monitoring) | $45-150K |
| Endpoint (MDM + EDR) | $20-40K |
| Cloud posture management | $30-500K |
| SaaS posture management | $35-50K |
| Compliance platform + audit | $25-75K |
| Penetration testing | $30-100K |
| Code security | $30-100K |
| Fractional CISO + team | $132-480K |
| Secure Email Gateway | $25-35K |
| Total | $372K-1.53M |
If you are a Google shop with a small cloud footprint, an IT resource to handle most of the tool integration and daily management, good negotiation skills and the right partners, your security program will cost in the neighborhood of $350K per year.
Alternatively, if you operate a large cloud infrastructure, maintain multiple externally reachable applications, need both executive and technical fractional security experts and a modern email gateway for good measure, you can expect an annual security program budget of approximately $1.5M.
The DIY Alternative
If you decide to go for the DIY alternative, you can stitch together open source tools: Prowler for your AWS cloud, open source Semgrep for your code, and Fleet DM for device management.
But this approach shifts more cost to people. You need a technical security leader with experience running these tools, plus security team members who can build, operate, and integrate the deployed systems, and who not only maintain them but keep tabs on, or participate in, the multiple open source security projects they depend on.
The DIY model works for advanced tech companies with security expertise and unique requirements that off-the-shelf tools can’t easily solve. For most companies, commercial tools and fractional leadership are more cost-effective.