How do I price a security/compliance feature — bundled or upsell?
Bundle baseline security and compliance into every paid tier; reserve only advanced security for Enterprise upsell. The non-negotiable bundled set in 2026: TLS 1.3, AES-256 at rest, SSO via SAML 2.0 and OIDC, MFA, audit log export (>=90 days), RBAC with role granularity, breached-password screening. The legitimately upsellable set: SOC 2 Type II artifacts, ISO 27001, HIPAA BAA, GDPR DPA with sub-processor controls, FedRAMP Moderate/High, customer-managed encryption keys (BYOK), SCIM 2.0 provisioning, IP allowlists, custom data residency, SIEM streaming, dedicated security review SLA. The decision is empirically settled by buyer behavior data; the cost of getting it wrong is measurable in close rate, discount depth, and NRR.
Sourced Reality (2025-2026 buyer data)
- Gartner Buyer Behavior Survey 2024 (https://www.gartner.com/en/sales/insights/b2b-buying-journey): 79% of mid-market buyers require SOC 2 Type II before contract negotiation; ~12% will pay a line-item premium for it. Compliance is a gate, not a revenue lever.
- Vendr 2025 SaaS Benchmark Report (https://www.vendr.com/blog/saas-trends): deals with paywalled SSO close 18-24% slower and discount 7-11 points deeper. Procurement explicitly weaponizes "SSO tax" as a leverage point.
- OpenView 2024 Product Benchmarks (https://openviewpartners.com/2024-product-benchmarks/): PLG companies that moved SSO from Enterprise-only to all paid tiers gained 4-9 NRR points within two quarters via reduced security-driven churn at renewal.
- Bessemer State of the Cloud 2026 (https://www.bvp.com/atlas/state-of-the-cloud-2026): vendors that bundle baseline security expand into Enterprise 1.6x faster because procurement removes the security questionnaire from the critical path.
- IDC SaaS Pricing Index 2025 (https://www.idc.com/): "SSO tax" and "audit-log paywall" are the top two buyer complaints in mid-market RFPs, both correlated with elevated year-two logo churn.
- sso.tax (https://sso.tax): the public shaming list has driven Asana, Notion, Linear, and others to move SSO down-tier since 2022, citing procurement friction as the trigger.
- Latacora 2024 SaaS Security Posture (https://www.latacora.com/blog/): vendors bundling MFA + SSO + audit logs report 30-40% fewer security-questionnaire revisions per deal, compressing average sales cycle by ~12 days.
- AICPA SOC 2 framework (https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2): the canonical reference for what "SOC 2 Type II" actually requires - useful when sales tries to upsell something that's already in scope.
Bundling Mechanics
- Baseline (every paid tier). TLS 1.3, AES-256, SAML 2.0 + Google/Microsoft OIDC SSO, audit log export with 90-day retention floor, MFA enforcement, RBAC with >=3 roles, breached-password screening, session timeout. One-time engineering cost: 2-4% of platform R&D. Ongoing cost: near-zero. Trust upside: passes ~80% of mid-market security questionnaires unchanged on first pass.
- Enterprise upsell. SOC 2 Type II under NDA, ISO 27001, HIPAA BAA, GDPR DPA, FedRAMP Moderate/High, custom data residency (EU/US/APAC/in-country), BYOK with KMS integration, SCIM 2.0, IP allowlisting, audit-log retention >1 year with SIEM streaming (Splunk, Datadog, Sumo Logic), security review SLA, dedicated CISO contact. These cost real operating dollars - auditors $40-120K/year, regional infra, security engineering FTEs - and Enterprise budgets absorb them by design.
- Never paywall. SSO, audit logs, MFA, basic encryption. Each one on the upsell side becomes a documented procurement objection. Move them down. Always.
- Compliance as a credibility asset, not a SKU. Replace "Buy SOC 2 add-on" with "We're SOC 2 Type II - request the report via Trust Center under NDA." Vanta, Drata, and SafeBase trust portals institutionalize this: security becomes a self-serve credibility asset that *eliminates* RFP friction rather than monetizing it. The Trust Center pattern in 2026 is now expected; vendors without one are flagged in mid-market RFPs.
The Pricing Inversion Trap
Security-native vendors (Cloudflare, Okta, 1Password, CrowdStrike) gate security because security *is* the product - granular SKUs are expected, and the depth of coverage *is* the value driver. Horizontal SaaS (CRM, analytics, project tracking, collaboration) inherits none of that license. When a horizontal SaaS paywalls SSO, the buyer reads: "the base product is unsafe and the vendor knows it." The negotiation re-anchors on risk rather than value, and the next competitor with SSO bundled wins on the trust differential alone.
The mechanic in a competitive RFP: every gated security feature becomes a column in procurement's scoring grid where you score zero. Three gated items - SSO, audit logs, MFA - and you're functionally disqualified before price is discussed. This is why the Vendr discount-depth differential (7-11 points) shows up even on deals you eventually close: you closed from a weakened position.
Decision Heuristic (the 60-second test)
Before deciding to gate any security feature, run this four-step test:
- Is your product security-native? (Okta, Cloudflare, CrowdStrike, 1Password.) If yes, gating is fine - it's expected. If no, continue.
- Will this feature appear on a procurement scoring grid? SSO, MFA, audit logs, basic encryption all do. If yes and you're not security-native, do not gate.
- Is the operating cost meaningful per-customer? Auditors, regional infra, certifications, dedicated security engineering FTEs - yes. Self-serve SAML config - no. If meaningful per-customer, you have a defensible Enterprise upsell. If not, bundle it.
- Would gating this feature appear on sso.tax? If yes, the brand cost outweighs any premium captured. Bundle.
If three of the four answers point to "no, bundle", bundle the feature into the lowest paid tier. If three point to "yes, gate", it is a legitimate Enterprise upsell.
Worked Example (mid-market SaaS, $30M ARR)
A horizontal CRM at $30M ARR considers a $15/seat/month SSO add-on (~8% ACV uplift on Pro tier deals).
- Forecasts capture: 30% attach at full price = +$0.7M ARR.
- Forecasts ignore: (a) ~12% close-rate drop on competitive deals where the next vendor bundles SSO (Vendr range, midpoint), worth -$1.4M ARR at current pipeline volume; (b) 8-point average discount erosion on deals that do close, worth -$0.9M ARR over the year; (c) sso.tax listing within ~6 months of paywall launch (probability ~70% per historical pattern), with brand spillover affecting top-of-funnel conversion ~5%.
Net first-year impact: roughly -$1.6M ARR. The "obvious" 8% uplift is a -5% revenue trade once second-order effects are priced in. This is the canonical pattern - the upside is visible on the pricing page; the downside is distributed across the funnel and renewal cohort.
Bear Case (adversarial)
Counter-argument: "Bundled security gives away pricing power. Enterprise procurement will pay an SSO premium because they have to, and we're leaving 8-15% of ACV on the table by not charging." Three narrow conditions where this holds:
- Security-native vendor. Granular SKUs are expected (Okta, Cloudflare, CrowdStrike, 1Password). Buyer measures value in security depth.
- Pure Fortune 500 motion. Buyers have explicit line-item budget for SSO, sales cycles are 6-12 months, and procurement friction doesn't compound across a high-velocity mid-market funnel.
- Pre-PMF willingness-to-pay discovery. Using SSO paywalls as a forced-upgrade signal to learn tier elasticity before locking structure.
For everyone else - horizontal SaaS, mid-market, PLG-influenced funnel, competitive RFP - the bear case fails. The SSO premium captured is dwarfed by: (a) deals lost to bundled competitors, (b) 7-11 point discount erosion on deals you do close (Vendr), (c) 1.6x slower Enterprise expansion (Bessemer), (d) brand damage from sso.tax exposure, (e) compounded NRR drag at year-two renewal (IDC). The worked example above quantifies the asymmetry on a representative $30M ARR mid-market profile.
The bear case is also asymmetric over time. You can always *add* premium security SKUs - BYOK, FedRAMP, custom data residency - later, when a buyer with budget asks. Removing a paywall after procurement has been told it exists is materially harder; you create a public retreat that signals weakness, and the buyers who already paid the SSO tax become a vocal anti-promoter cohort.
Cross-references
- [/knowledge/q77](/knowledge/q77) - 3 vs 4 vs 5 tier pricing structure (security bundling is downstream of tier count).
- [/knowledge/q71](/knowledge/q71) - handling a security review threatening to kill a deal (bundled baseline security prevents this).
- [/knowledge/q189](/knowledge/q189) - security review process with limited resources.
- [/knowledge/q339](/knowledge/q339) - designing 3-tier SaaS structure when competitor tiers blur.
- [/knowledge/q594](/knowledge/q594) - deal-desk approval authority for security-feature pricing exceptions.
- [/knowledge/q1106](/knowledge/q1106) - public vs private SaaS pricing (security bundling is a public-pricing trust signal).
- [/knowledge/q288](/knowledge/q288) - positioning concessions as scope-creep trades vs. discounts (relevant when an Enterprise buyer asks for advanced security at base-tier pricing).
- [/knowledge/q95](/knowledge/q95) - building a federal/public-sector motion (FedRAMP is the canonical advanced-security upsell).
- [/knowledge/q283](/knowledge/q283) - pricing deals with hidden multi-year volume commitments (intersects with security-feature commitment timing).
TAGS: security-pricing,compliance,trust-signals,bundling-strategy,saas-positioning,sso-tax,soc2,enterprise-tier,procurement,decision-heuristic,worked-example