The Per-Asset Pricing Trap: Why Your Vulnerability Scanner Bill Keeps Growing

March 12, 2026 · 6 min read · Chris Boker

Vulnerability management vendors love per-asset pricing. It's predictable recurring revenue for them. It scales with your infrastructure growth, and it creates a natural renewal conversation every year. For you, it creates a set of incentives that are quietly working against your security program.

Here's how the trap works, and why the organizations most conscious of per-asset costs are often the ones with the worst scan coverage.

How Per-Asset Pricing Works

Most enterprise vulnerability management platforms charge per asset, typically per IP address, per device, or per "asset unit" (which can include cloud instances, containers, and virtual machines). Common models:

  • Flat per-asset: $X per asset per year, regardless of how often it's scanned
  • Tiered per-asset: Lower rate per asset at volume thresholds, creating licensing cliffs
  • Per-IP scanned: You pay for every IP address in your scan scope, so cloud bursting gets expensive fast
  • Module-based: Base license per asset + add-on costs for web scanning, container scanning, cloud connectors

The Perverse Incentives

The core problem: When security coverage has a per-unit cost, organizations start making security decisions based on budget, not risk. "Should we add these 200 new cloud instances to our scan scope?" becomes a cost question, not a security question.

Incentive 1: Scope Creep Avoidance

Every new asset added to your environment is a potential additional license cost. For dev and test environments, cloud workloads, and containers, the natural impulse is to exclude them from scan scope to manage costs. The result: your fastest-growing, most dynamic attack surface is your least-scanned.

Incentive 2: The Scan Frequency Dilemma

Some platforms charge per scan rather than per asset. The right scan frequency for a critical internet-facing server is weekly or continuous. The billing-conscious decision is monthly. Weekly scanning on 1,000 assets at $X per scan adds up quickly, so it doesn't happen.

Incentive 3: Coverage Gaps at Renewal

When your asset count exceeds your licensed count, which happens in growing environments, you face a choice: pay for the overage, or reduce your scan scope to fit your license. Procurement conversations often resolve in the direction of reduced scope, not expanded budget.

Incentive 4: Module Tax

Base vulnerability scanning often excludes web application scanning, container scanning, cloud posture management, and infrastructure-as-code scanning. Each capability is a separate add-on. Organizations end up with full visibility in one domain and blind spots everywhere else, not because the capability doesn't exist, but because they didn't buy that module.

The Math at Scale

Organization Size   Asset Count   Annual License   3-Year TCO
Small               500           ~$15,000         ~$50,000+
Mid-market          2,500         ~$60,000         ~$200,000+
Enterprise          10,000+       $200,000+        $600,000+

And this doesn't include professional services, training, SIEM integrations, or the annual "true-up" conversation when your asset count exceeds your licensed tier.

What a Better Model Looks Like

The alternative to per-asset pricing isn't free; it's a fundamentally different license structure that aligns vendor incentives with customer outcomes.

Perpetual license + local deployment: You own the software. You run it on your hardware. Your asset count doesn't appear in a vendor's billing system. You can scan 500 assets or 50,000; the cost is the same. This model works because the vendor's cost (development, support) doesn't scale with your infrastructure the way a SaaS vendor's infrastructure costs do.

The trade-off: you're responsible for updates, infrastructure, and maintenance. For organizations with in-house security engineering, this is a good trade. For organizations that need fully managed service, a SaaS model may genuinely make more sense.

CVEasy AI's model: One license, installed on your hardware, no per-asset fees, no module gates. Scan as many assets as your hardware supports. The perpetual license means you own it outright: no annual renewal discussions, no true-up conversations, no licensing cliffs.

Questions to Ask Your Current Vendor

  1. What happens to my license if my asset count grows 30% next year?
  2. Are cloud instances, containers, and ephemeral workloads counted separately?
  3. Does web application scanning cost extra?
  4. What's the per-asset rate if I want weekly scans instead of monthly?
  5. What's in the base license vs. add-on modules?

The answers to these questions will tell you your actual three-year cost, not the number on the first contract.

One license. No per-asset fees. Runs on your hardware.

CVEasy AI is sold as a perpetual license: you pay once and own it. Scan as many assets as you need. No module gates. No true-up conversations.