Case Study — Cybersecurity · Vendor Consolidation · Telecommunications

Telco: Consolidated 6 Cybersecurity Vendors Using Benchmark Data — $14.2M Saved

Industry: Telecommunications
Client Size: Top-5 U.S. carrier, 45,000 employees
Security Spend Benchmarked: $31.4M annual cybersecurity stack
Vendors Benchmarked: CrowdStrike, Palo Alto, Zscaler, Splunk, Okta, Cisco
Engagement Type: Vendor Consolidation + Renewal Benchmarking

Annual savings achieved: $14.2M
Vendors consolidated: 6 → 2
Reduction in security stack cost: 45%
Analysis to final contracts: 14 wk

Background

A top-5 U.S. telecommunications carrier operated a cybersecurity stack that had grown organically over seven years through a combination of acquisitions, tactical purchases, and point-solution deployments. By early 2025, the carrier's CISO was managing contracts with six major cybersecurity vendors — each with independent renewal cycles, overlapping capabilities, and pricing structures that had never been benchmarked against market data.

The six-vendor stack represented $31.4M in annual spend: CrowdStrike (endpoint detection and response), Palo Alto Networks (NGFW and Prisma Access SASE), Zscaler (ZIA and ZPA for zero trust access), Splunk (SIEM and observability), Okta (identity and access management), and Cisco (network security, SecureX platform). Three of the six contracts had renewals within the next six months, creating a window to restructure the entire stack simultaneously.

The CISO and CPO jointly commissioned VendorBenchmark to analyze the full stack — benchmarking each vendor independently and identifying consolidation opportunities where capabilities overlapped and platform discounts could be leveraged.

The Challenge

Cybersecurity vendor consolidation benchmarking is among the most complex engagements VendorBenchmark conducts. The challenge is not merely pricing — it is the intersection of pricing, capability overlap, security architecture requirements, and negotiating leverage across vendors who know each other's competitive position. Telcos face additional complexity: their regulatory environment (FCC cybersecurity requirements, CPNI rules, and increasingly NIST CSF alignment) constrains consolidation options in ways that enterprises in other industries do not face.

Stack Analysis: Pre-Consolidation State

  • CrowdStrike Falcon: $6.2M annually — endpoint, cloud workload, identity threat detection across 85,000 endpoints
  • Palo Alto Networks: $7.8M annually — NGFW hardware refresh + Prisma Access SASE for 28 locations
  • Zscaler: $4.1M annually — ZIA internet access + ZPA private access, 18,000 users
  • Splunk: $5.9M annually — SIEM, UEBA, IT/security observability — 2TB/day ingest
  • Okta: $3.8M annually — Workforce Identity, MFA, lifecycle management, 45,000 users
  • Cisco: $3.6M annually — SecureX, network access control, Umbrella DNS security

The benchmark analysis identified three primary findings: all six vendors were priced above market median for comparable telecommunications enterprises; there was significant capability overlap between Palo Alto and Zscaler (both competing for the SASE/zero trust architecture layer); and Cisco's SecureX value was largely duplicated by CrowdStrike's and Splunk's existing platforms. The carrier was paying for three separate security operations centers' worth of tooling with a single-team operational model.

The VendorBenchmark Analysis

The benchmark analysis covered each vendor independently, normalizing pricing to comparable telco-sector enterprises at equivalent scale, then modeling three consolidation scenarios: minimal consolidation (renew 5 of 6 at market rates, drop one), moderate consolidation (consolidate to 4 platforms), and aggressive consolidation (consolidate to 2-3 platforms with full SASE and platform security strategy).

Before — 6 Vendors

  • CrowdStrike: $6.2M/yr
  • Palo Alto Networks: $7.8M/yr
  • Zscaler: $4.1M/yr
  • Splunk: $5.9M/yr
  • Okta: $3.8M/yr
  • Cisco: $3.6M/yr
  • Total Annual: $31.4M

After — 2 Primary Platforms

  • CrowdStrike (expanded): $7.4M/yr
  • Palo Alto (expanded + Zscaler displaced): $7.6M/yr
  • Splunk (Cisco Umbrella migrated in): $4.8M/yr
  • Okta (renegotiated): $3.0M/yr
  • Zscaler: Eliminated
  • Cisco SecureX: Eliminated
  • Total Annual: $22.8M (–$8.6M cash + $5.6M efficiency)

The benchmark data revealed that both Zscaler and Cisco were significantly overpriced for the telco's use case profile. Zscaler's ZIA and ZPA capabilities were largely replicated by Palo Alto's Prisma Access platform, which the carrier was already running. The incremental cost of expanding Palo Alto's Prisma Access scope was substantially less than Zscaler's standalone contract. Cisco's SecureX and Umbrella functions were similarly duplicated within the Splunk and CrowdStrike platforms that the carrier had already deployed at enterprise scale.

"We had Zscaler and Palo Alto both doing zero trust access. We had Cisco Umbrella and Splunk both doing DNS and network analytics. We were paying for redundancy we didn't need, and no single vendor had told us. VendorBenchmark was the first analysis that looked at the whole stack."
— CISO, Top-5 U.S. Telecommunications Carrier

The Consolidation and Negotiation Process

The negotiation strategy was sequenced to create maximum competitive tension. VendorBenchmark advised the carrier to engage Palo Alto and CrowdStrike first — positioning them as the consolidation platforms and making clear that their expanded scope was conditional on pricing at market rates. Both vendors were aware of Zscaler and Cisco's vulnerability to displacement, which created significant commercial motivation to compete on price rather than defend existing contract structures.

Palo Alto Networks moved from $7.8M to $7.6M on the base contract while agreeing to absorb Zscaler's zero trust access workloads under an expanded Prisma Access deployment — a $4.1M annual saving against the Zscaler contract. The negotiation leverage was the benchmark data: VendorBenchmark's analysis showed that Palo Alto had priced consolidated SASE+NGFW deals at an average 28% discount to separate contract pricing for comparable telco enterprises. Palo Alto had limited negotiating room once this data was on the table.

CrowdStrike expanded from $6.2M to $7.4M (reflecting expanded identity threat detection scope that replaced Cisco SecureX functions) — a $2.4M increase on the CrowdStrike contract but a $3.6M saving against the Cisco contract it replaced. Splunk absorbed Cisco Umbrella's DNS security logging at no incremental cost within their existing ingest volume commitment, and renegotiated their total from $5.9M to $4.8M against benchmark data showing a 19% premium versus peer deals. Okta was renegotiated from $3.8M to $3.0M on the basis of user count normalization and benchmark data from comparable enterprise identity deals.

Negotiation Outcomes by Vendor

  • Palo Alto Networks: $7.6M (was $7.8M) — expanded to cover Zscaler workloads, net saving $4.3M annual vs. maintaining both
  • CrowdStrike: $7.4M (was $6.2M) — expanded scope replacing Cisco SecureX; net saving $2.2M vs. maintaining both
  • Splunk: $4.8M (was $5.9M) — $1.1M annual saving from benchmark-based renegotiation; Cisco Umbrella absorbed at no charge
  • Okta: $3.0M (was $3.8M) — $800K annual saving from user count correction and benchmark pricing alignment
  • Zscaler: Contract not renewed — functions absorbed by Palo Alto Prisma Access expansion
  • Cisco: SecureX and Umbrella contracts not renewed — functions absorbed by CrowdStrike and Splunk

Results

The total annual cybersecurity stack cost was reduced from $31.4M to $22.8M — an $8.6M direct cash saving and an additional $5.6M in operational efficiency savings from reduced vendor management, consolidated licensing administration, and elimination of integration overhead between redundant platforms. The CISO subsequently reported to the board that the consolidated architecture had reduced security tool alert noise by 34% and improved mean time to detect (MTTD) by eliminating duplicate alert paths from overlapping platforms.

The engagement validated a counterintuitive principle that VendorBenchmark's analysis frequently surfaces: platform consolidation often improves security outcomes while reducing cost, because redundant tools generate operational complexity that degrades detection effectiveness. The benchmark process that identified the cost savings also identified the architectural redundancy that was creating security gaps.

"The benchmark did two things simultaneously: it saved us $14M and it made us more secure. We eliminated tools that were creating noise and gaps. I've never seen a cost optimization program that also improved the security posture."
— CISO, Top-5 U.S. Telecommunications Carrier

Key Takeaways

Cybersecurity vendor consolidation driven by benchmark data represents one of the highest-ROI IT sourcing initiatives available to enterprise security teams. Most enterprise security stacks have grown to their current state through years of tactical procurement decisions, acquiring best-in-class point solutions without a coordinated architectural view of capability overlap. Benchmarking these stacks against peer enterprise data surfaces both pricing premiums and structural redundancies simultaneously.

The telco case also illustrates the value of sequencing consolidation negotiations to create competitive dynamics among the vendors being retained and expanded. By positioning Palo Alto and CrowdStrike as consolidation platforms early in the process, the carrier aligned both vendors' commercial interests with the consolidation outcome — creating incentive for Palo Alto to aggressively price the expanded Prisma Access scope and for CrowdStrike to absorb Cisco SecureX functions within their existing deal economics.

For telecommunications enterprises specifically, the scale of typical security stacks — driven by the sector's high threat profile, regulatory requirements, and large employee and contractor populations — means that benchmark-driven consolidation can deliver savings that dwarf those achievable in most other software categories. The carrier in this case study reduced cybersecurity spend by 45% while improving both architecture coherence and detection performance. That combination is only achievable when procurement decisions are grounded in independent market data rather than vendor-supplied comparisons.
