Method: every claim tracked, reviewed every 30–90 days, marked Holding, Partial, or Not holding. Drafted by Claude; signed off by Peter.
AM-174 · Published 27 May 2026 · Revised 27 May 2026 · 10 min read · Business Case & ROI

Security-platform agentic AI: evaluating TCO and ROI for the buying committee

Security-platform agentic AI sits in a different TCO category than the general-purpose agentic AI the CFO playbook covers. The unit of analysis is the alert and the analyst hour, not the seat or the token. The 2026 evaluation that survives audit walks the buying committee through five cost components and three discount factors against vendor-supplied ROI numbers, and gates the procurement on a 90-day in-environment baseline, not a vendor demo.

Status: Holding · Reviewed 27 May 2026 · Next review in 59 days

The buying committee for a security-platform agentic AI procurement is in a different conversation than the buying committee for a general-purpose agentic AI procurement, and the existing 2026 CFO TCO playbook for the latter (treated at the-hidden-costs-of-agentic-ai-a-cfos-guide-to-true-tco-and-roi-modeling) does not transfer cleanly. The unit of analysis differs, the cost of being wrong differs, and the discount factors that should be applied against vendor-supplied ROI numbers differ. This piece is the security-platform companion to that general CFO playbook, calibrated for the CISO, the head of security operations, and the chief compliance officer who are co-owning the procurement.

The publicly disclosed pricing for the two largest security AI platforms is the starting point of the TCO calculation, not the end. Microsoft Security Copilot lists at $4 per Security Compute Unit hour with a 1 SCU minimum provisioning; CrowdStrike Charlotte AI is bundled into the Falcon Insight tier at the published per-endpoint subscription, with the higher-context features gated to the Enterprise tier. The public per-unit rates are the platform-fee line. The full TCO is typically 4 to 7 times the platform-fee line in year one for a mid-sized SOC, and the buying committee that prices only the platform fee is pricing the smallest of the five cost components.

Why the unit of analysis is the alert and the analyst hour

A general-purpose agentic AI platform is priced and evaluated against seat-based productivity. The CFO playbook models the gain as productive hours recovered per knowledge worker, against a per-seat subscription. The unit is the seat, the metric is the hour, the comparison set is the labour cost of the seat versus the subscription cost.

A security-platform agentic AI inverts the structure. The dominant scaling variable is alert volume, not seat count. The dominant productivity variable is alerts-per-analyst-hour, not hours-per-seat. A security AI platform that processes 10x the alert volume after deployment is not a 10x cost increase if alerts-per-analyst-hour is held flat; it is a productivity multiplier. Conversely, a security AI platform that doubles the alert volume without changing the throughput per analyst-hour is a doubling of the SOC headcount requirement priced as a software subscription.

The asymmetry that makes the calculation harder than the CFO playbook handles is the cost of the false negative. A general-purpose agentic AI that produces an incorrect knowledge-work output produces a cost in the rework category and in the trust-erosion category, both of which are recoverable. A security-platform AI that misses a real incident produces a cost in the breach-cost category; the IBM Cost of a Data Breach Report 2024 put the average per-incident cost at USD 4.88 million globally, USD 9.36 million in the United States, and USD 9.77 million in the healthcare sector. The ROI calculation has to model the false-negative tail rather than the average-case throughput improvement, because the tail is where the cost lives.

The five cost components of security-platform agentic AI TCO

The order-form line, the platform fee, is the first and smallest component. The other four are typically larger in aggregate.

One, the platform fee. The per-SCU-hour, per-endpoint, per-event, or per-investigation subscription that the vendor’s order form quotes. Microsoft Security Copilot’s SCU model lists at $4 per hour with a 1 SCU minimum, which prices out at roughly $35,040 per year per SCU at continuous provisioning; mid-sized SOCs typically provision 3 to 6 SCUs for production workloads, putting the platform-fee line in the USD 105,000 to 210,000 range before negotiation. CrowdStrike’s Charlotte AI is bundled into the Falcon platform tiers, so the platform-fee line is the per-endpoint subscription differential between the tier the customer is on and the tier that includes Charlotte. Vendor-disclosed list pricing is the upper bound; mid-sized enterprise procurement typically negotiates 20 to 40 percent off list at first contract.

Two, the integration cost. A security AI platform that does not ingest SIEM, EDR, identity, IAM, ticketing, and case-management telemetry is a feature, not a platform. The integration cost is the dominant first-year line. The internal engineering cost for the connector mesh is typically 200 to 800 hours, billed at the customer’s fully-loaded engineering rate (USD 150 to 250 per hour at mid-market, USD 200 to 400 per hour at enterprise scale). The vendor’s professional services line, billed separately, typically adds USD 50,000 to 200,000 for a connector mesh of moderate complexity. The realistic first-year integration line for a mid-sized SOC is USD 100,000 to 400,000.

Three, the analyst retraining cost. The existing SOC team must be retrained on the new triage workflow, the new investigation surface, and the new escalation logic. The retraining is not a one-week course; it is a 30 to 90 day period of partial productivity loss for the L1 and L2 tier, during which both the old and new workflows are running in parallel. A 12-analyst SOC with a fully-loaded analyst cost of USD 120,000 per year is absorbing a productivity loss of roughly 15 to 25 percent across the team for 8 to 13 weeks, which costs USD 60,000 to 150,000 in opportunity terms. The cost is often hidden because it does not appear on an invoice; it appears in slower ticket throughput during the transition quarter.

Four, the tuning cost. The first 6 months of operation produce false positives and false negatives that require model tuning, alert-threshold adjustment, and detection-engineering rework. The cost is 0.5 to 1.5 FTE of detection engineering for the first year. At a fully-loaded detection-engineering cost of USD 180,000 to 280,000 per year, this is USD 90,000 to 420,000 in the first 12 months. Vendors who price this as “included” in professional services are pricing a fraction of it; the structural tuning load is borne by the customer’s detection-engineering function regardless of who is writing the rules.

Five, the exit cost. The cost of migrating the trained model context, the case history, and the connector mesh to a successor platform if the relationship ends. Realistic exit timelines are 2 to 4 quarters of dual-running, during which both the legacy platform and the successor are paid for and operating in parallel. The exit cost is the second-most-underpriced line in the model, after the integration cost. The procurement clause that prices the exit at signing is the procurement clause that determines whether the relationship is bilateral.

The aggregate of components two through five is typically 3 to 6 times the platform-fee line in year one. The compounding ratio is what produces the 4-to-7x first-year multiplier on the order-form figure.

The three discount factors against vendor-supplied ROI

The vendor’s ROI deck is the marketing artefact, not the procurement artefact. Three structural discounts should be applied before the headline figures are treated as a target.

The demo-environment discount. The vendor’s claimed alert-triage acceleration is usually measured on a curated test corpus rather than the customer’s live alert stream. The test corpus typically excludes the long tail of low-quality alerts, the noise from misconfigured detection rules, and the volume bursts that characterise production operation. The realistic discount against headline triage-acceleration figures is 30 to 50 percent.

The alert-quality discount. The vendor’s ROI math typically assumes the existing SOC’s alert backlog contains a high signal-to-noise ratio. In practice, the SANS 2024 SOC Survey found median SOCs reporting 40 to 60 percent of alerts as false positives, with the long-tail SOCs at 70 to 80 percent. A productivity gain measured against the false-positive-adjusted backlog is materially smaller than one measured against the headline backlog. The discount against headline productivity figures is 20 to 40 percent at the median SOC, larger at the high-noise tail.

The survivorship discount. The case studies the vendor publishes are by definition from customers whose deployments succeeded. The published claim is the success-conditioned outcome rather than the expected outcome across the deployment population. The MIT NANDA GenAI Divide research finds the broader agentic AI population at roughly 5 percent success at the “measurable P&L impact” threshold; the security-platform sub-segment is not directly broken out in that research, but the structural conditions (high integration complexity, asymmetric cost of failure, mature competitive substitutes) suggest the success rate is in the same single-digit range. The survivorship discount on vendor-published case-study outcomes is typically 60 to 80 percent before the expected-value calculation closes against the cost.

The compounding effect of the three discounts is sobering. A vendor claiming 40 percent triage acceleration, against a high-quality alert corpus, with a survivor-biased case study, may map to an expected-value acceleration of 10 to 15 percent in the median deployment. That number is still useful; it is not the headline number.
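The five cost components and the three discount factors above are a model, and a buying committee will want it as a spreadsheet-equivalent it can re-run with its own inputs. The block below is an added worked example, not code from the article or from either vendor. It takes the article's component formulas (SCU hours at list price, engineering hours plus vendor services, analyst productivity loss over the retraining window, detection-engineering FTE, and exit dual-running) and computes year-one TCO and the multiplier on the platform-fee line for a constructed mid-range SOC scenario. Two things are assumptions of this example rather than figures from the article: the exit cost is modelled as the platform fee paid in parallel for the dual-running quarters, and the three discounts are compounded multiplicatively on the headline acceleration.

```python
"""Year-one TCO and discounted-benefit model for a security-platform agentic AI.

Added example, not the article's own code. Scenario values are constructed
mid-range inputs drawn from the bands the article quotes; the exit-cost
formula and the multiplicative compounding of discounts are assumptions.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365  # continuous provisioning of a Security Compute Unit


@dataclass
class SocScenario:
    scu_count: int = 4                 # SCUs provisioned for production (article: 3 to 6)
    scu_hour_rate: float = 4.0         # USD per SCU hour, Microsoft list price
    integration_hours: float = 500     # internal connector-mesh hours (article: 200 to 800)
    eng_hourly_rate: float = 200       # fully-loaded engineering rate, USD per hour
    vendor_ps_fee: float = 125_000     # vendor professional services, USD
    analysts: int = 12
    analyst_cost: float = 120_000      # fully-loaded analyst cost, USD per year
    productivity_loss: float = 0.20    # fraction lost during retraining (15 to 25 percent)
    retraining_weeks: float = 10       # 8 to 13 weeks
    tuning_fte: float = 1.0            # 0.5 to 1.5 FTE of detection engineering
    detection_eng_cost: float = 230_000  # fully-loaded, USD per year
    exit_dual_run_quarters: float = 3  # 2 to 4 quarters of dual-running


def platform_fee(s: SocScenario) -> float:
    return s.scu_count * s.scu_hour_rate * HOURS_PER_YEAR


def integration_cost(s: SocScenario) -> float:
    return s.integration_hours * s.eng_hourly_rate + s.vendor_ps_fee


def retraining_cost(s: SocScenario) -> float:
    # Opportunity cost: payroll share lost over the parallel-running window.
    return s.analysts * s.analyst_cost * s.productivity_loss * (s.retraining_weeks / 52)


def tuning_cost(s: SocScenario) -> float:
    return s.tuning_fte * s.detection_eng_cost


def exit_cost(s: SocScenario) -> float:
    # ASSUMPTION: the exit is priced as the platform fee paid in parallel with
    # the successor for the dual-running quarters. The article gives the
    # timeline but no dollar figure.
    return platform_fee(s) * s.exit_dual_run_quarters / 4


def year_one_tco(s: SocScenario) -> tuple[dict[str, float], float, float]:
    """Return (component breakdown, total, multiplier on the platform-fee line)."""
    components = {
        "platform_fee": platform_fee(s),
        "integration": integration_cost(s),
        "retraining": retraining_cost(s),
        "tuning": tuning_cost(s),
        "exit": exit_cost(s),
    }
    total = sum(components.values())
    return components, total, total / components["platform_fee"]


def discounted_acceleration(headline: float, demo: float = 0.30,
                            alert_quality: float = 0.20,
                            survivorship: float = 0.60) -> float:
    """Apply the three discounts to a headline triage-acceleration figure.

    ASSUMPTION: the discounts compound multiplicatively. Defaults are the
    mild end of each band the article quotes (30 to 50, 20 to 40, 60 to 80 percent).
    """
    return headline * (1 - demo) * (1 - alert_quality) * (1 - survivorship)


def expected_value_recovered(s: SocScenario, headline: float, **discounts) -> float:
    """Crude benefit line: discounted acceleration applied to analyst payroll.

    ASSUMPTION: triage acceleration maps one-to-one onto recoverable analyst
    hours. It ignores the false-negative tail, which the article says is where
    the cost actually lives, so treat this as an upper bound on the benefit.
    """
    return discounted_acceleration(headline, **discounts) * s.analysts * s.analyst_cost


if __name__ == "__main__":
    scenario = SocScenario()
    parts, total, mult = year_one_tco(scenario)
    for name, usd in parts.items():
        print(f"{name:>13}: USD {usd:>12,.0f}")
    print(f"{'year-one TCO':>13}: USD {total:>12,.0f}  ({mult:.1f}x the platform fee)")
    print(f"40% headline acceleration, mild discounts: {discounted_acceleration(0.40):.1%}")
    print(f"same, severe discounts: {discounted_acceleration(0.40, 0.50, 0.40, 0.80):.1%}")
    print(f"benefit upper bound: USD {expected_value_recovered(scenario, 0.40):,.0f}")
```

With the constructed inputs the model lands at about 5.4 times the platform-fee line, inside the 4-to-7x band the article describes. Note that compounding all three discounts multiplicatively takes a 40 percent headline to roughly 9 percent at the mild end of each band and about 2.4 percent at the severe end; a committee that wants to land in the 10 to 15 percent range the text quotes has to decide which discounts it applies at full strength, and should write that decision down with the model.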

The 90-day evaluation gate

The structural answer to the discount factors is a contractual evaluation period structured as a paid pilot with a documented decision protocol, not a vendor proof-of-concept.

Four baseline measurements are pre-defined before the pilot starts. Current mean-time-to-triage at the L1 tier. Current false-positive rate per detection class. Current analyst-hours per closed incident. Current backlog age (days from alert to resolution). All four are measured for the 30 days preceding the pilot and treated as the comparison baseline; vendor-supplied “industry average” figures are not the baseline.

The pilot runs at production scope, not a curated subset, for 60 to 90 days. The customer’s live alert stream is the input. The customer’s L1 and L2 analysts work the platform in parallel with the legacy workflow for the first 30 days, transitioning to platform-primary for the second 30 days, with the legacy workflow as fallback. The detection-engineering team tunes the alert thresholds and false-positive rules against the live data, not the demo data.

At the 90-day gate, the buying committee evaluates the four baseline deltas against the documented success criteria. The success criteria are pre-agreed; typically a 25 to 40 percent reduction in mean-time-to-triage, a 15 to 30 percent reduction in false-positive rate, and a 20 to 35 percent reduction in analyst-hours per closed incident. The criteria are evaluated against the customer’s pre-pilot baseline, not the vendor’s headline figures.

The contract carries a documented walk-away clause that returns the customer to the pre-pilot operating state without successor-platform commitment. The walk-away clause is the procurement instrument that prices the demo-environment and survivorship discount factors at signing; without it, the customer is committed to a platform whose actual performance against its specific environment is unknown until after the budget is spent.
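The gate decision is mechanical once the four baseline measurements and the pre-agreed criteria exist, and writing it as code is a useful way to make sure the committee has actually agreed the thresholds before the pilot starts. The block below is an added example, not code from the article. The baseline and pilot figures are constructed; the thresholds are taken from the low end of each success-criteria band the article quotes (25, 15 and 20 percent), which is an assumption about where a given committee sets them, and backlog age is measured and reported without a threshold because the article sets none.

```python
"""90-day evaluation-gate check for a security-platform AI pilot.

Added example, not the article's own code. Every delta is computed against
the customer's own 30-day pre-pilot baseline, never against a vendor-supplied
industry-average figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SocMetrics:
    mean_time_to_triage_min: float     # L1 tier, minutes per alert
    false_positive_rate: float         # fraction of alerts closed as false positive
    analyst_hours_per_incident: float  # analyst-hours per closed incident
    backlog_age_days: float            # days from alert to resolution


# Pre-agreed reductions, as fractions of the customer's baseline.
# ASSUMPTION: low end of each band the article quotes.
SUCCESS_CRITERIA = {
    "mean_time_to_triage_min": 0.25,
    "false_positive_rate": 0.15,
    "analyst_hours_per_incident": 0.20,
}

# Reported at the gate but not a pass/fail criterion.
REPORT_ONLY = ("backlog_age_days",)

# Constructed figures for a 12-analyst SOC: 30 days pre-pilot, then the
# platform-primary 30 days of the pilot.
BASELINE = SocMetrics(mean_time_to_triage_min=42.0, false_positive_rate=0.55,
                      analyst_hours_per_incident=6.0, backlog_age_days=9.0)
PILOT = SocMetrics(mean_time_to_triage_min=27.0, false_positive_rate=0.50,
                   analyst_hours_per_incident=4.5, backlog_age_days=6.0)


def reduction(baseline: float, pilot: float) -> float:
    """Fractional reduction from baseline; positive means the pilot improved on it."""
    if baseline <= 0:
        raise ValueError("baseline must be positive; measure it before the pilot")
    return (baseline - pilot) / baseline


def evaluate_gate(baseline: SocMetrics, pilot: SocMetrics) -> tuple[str, dict]:
    """Return ('proceed' | 'walk-away', per-metric deltas).

    'proceed' requires every thresholded metric to meet its pre-agreed reduction;
    a single miss triggers the walk-away clause.
    """
    deltas = {}
    for metric, required in SUCCESS_CRITERIA.items():
        achieved = reduction(getattr(baseline, metric), getattr(pilot, metric))
        deltas[metric] = {"achieved": achieved, "required": required,
                          "met": achieved >= required}
    for metric in REPORT_ONLY:
        deltas[metric] = {"achieved": reduction(getattr(baseline, metric),
                                                getattr(pilot, metric)),
                          "required": None, "met": None}
    proceed = all(d["met"] for d in deltas.values() if d["met"] is not None)
    return ("proceed" if proceed else "walk-away"), deltas


if __name__ == "__main__":
    decision, deltas = evaluate_gate(BASELINE, PILOT)
    for metric, d in deltas.items():
        req = "report only" if d["required"] is None else f"required {d['required']:.0%}"
        status = "" if d["met"] is None else ("  met" if d["met"] else "  MISSED")
        print(f"{metric:<28} {d['achieved']:>6.1%}  ({req}){status}")
    print("gate decision:", decision)
```

In the constructed run the triage and analyst-hour criteria are met comfortably, but the false-positive rate only falls from 55 to 50 percent, a 9 percent reduction against a 15 percent threshold, so the decision is walk-away. That is the point of measuring against the customer's own baseline: a committee comparing the same pilot against a vendor "industry average" starting point would have seen a much larger apparent improvement and signed.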

What this means for the Q3 2026 security-platform procurement agenda

The procurement calendar for a 2026 security-platform AI is materially longer than the procurement calendar for a SaaS security tool. The 60-to-120-day cycle that the AM-167 NHI procurement clause work describes for general agentic AI MSAs applies here too, with two additional weeks for the buying-committee assembly (CISO + head of security operations + chief compliance officer + CFO) and four to eight weeks for the 90-day evaluation gate.

The IT leader leading this procurement in Q3 2026 should expect to spend the budget envelope conversation on the 4-to-7x first-year multiplier, not the platform-fee line. The CFO conversation should walk through the five cost components and the three discount factors; the procurement counsel conversation should walk through the 90-day evaluation gate and the walk-away clause. The CISO conversation should walk through the false-negative-tail cost model and the breach-cost asymmetry that the IBM Cost of a Data Breach 2024 data anchors.

The buying committee that completes this evaluation discipline produces a procurement that is defensible at audit and operationally measurable in production. The buying committee that prices only the platform fee and accepts the vendor’s headline ROI is preparing for a Q4 2026 surprise.

The sibling piece on the IAM TCO model at the 2,000-employee scale (planned, AM-180) walks through the analogue calculation for the agent-identity layer; the procurement clause work at AM-167 covers the contract instruments that make the operational story possible at all. Together the three pieces describe the buying-committee discipline for the security-and-identity slice of the agentic AI portfolio.
