The Cisco Secure Access License Model: Essentials vs. Advantage
Learning Objectives
Describe the two-tier Essentials and Advantage packaging model, including exactly which security features live in each tier and why Advantage is a strict superset of Essentials.
Explain how Cisco Secure Access is licensed and metered on a per-user ("Covered User") basis, including the 20 GB-per-user monthly data pool and how to size it.
Understand what is included in the base subscription versus what is sold as an optional add-on, how Enterprise Agreements and true-forward billing apply, and how integrations like Duo and Talos are licensed.
Section 1: Packaging Overview
Pre-Reading Check — Packaging Overview
How many primary SSE tiers does Cisco package Secure Access into?
One flat tier for everyoneTwo tiers: Essentials and AdvantageThree tiers: Basic, Pro, and EnterpriseFour tiers, one per use case
What does "Advantage is a strict superset of Essentials" mean in practice?
Advantage removes some Essentials features to add premium onesAdvantage keeps everything in Essentials and only adds more on topAdvantage and Essentials share no featuresEssentials contains everything Advantage does, plus extras
Which capability is Advantage-only and NOT part of Essentials?
DNS-layer securityCloud firewall (FWaaS) L3/L4 controlContent-aware multimode DLPSecure Web Gateway with TLS decryption
How does Remote Browser Isolation (RBI) differ between the two tiers?
Essentials has no RBI; Advantage isolates any siteEssentials isolates any site; Advantage only risky sitesEssentials isolates only risky sites; Advantage isolates any siteBoth tiers isolate only risky sites
When the data sheet and the ordering guide disagree on which tier includes DLP, which source is authoritative?
The data sheetThe ordering guideWhichever was published most recentlyA Reddit thread
Cisco Secure Access is sold as a subscription to an SSE platform that covers two use cases under one contract: Secure Internet Access (SIA) — protecting user access to the internet and SaaS applications via SWG, FWaaS, DNS security, and CASB — and Secure Private Access (SPA) — Zero Trust Network Access and VPN-as-a-Service to your private applications. Both use cases are available in either tier. The tier you choose (Essentials or Advantage) determines the depth of the controls, not which use cases you get.
Think of Essentials and Advantage the way an airline thinks of Economy and Business class on the same aircraft. Both seats fly the identical route — you reach the same city either way, just as both tiers cover both SIA and SPA. The difference is what you get in the seat. Advantage is the Business-class cabin of Secure Access: same flight, richer inspection and control.
Key Points
Secure Access ships in two SSE tiers — Essentials and Advantage — and both cover SIA and SPA. The tier sets control depth, not use-case coverage.
Essentials is already a complete SSE stack: SWG, FWaaS (L3/L4), DNS security, CASB, ZTNA, VPNaaS, DEM, TLS/HTTPS decryption, and the Secure Client — not a stripped-down starter tier.
Advantage is a strict superset ("in addition to Essentials capabilities…"): nothing is removed, it only adds features on top.
On DLP, the ordering guide is authoritative over the data sheet: DLP requires Advantage. Do not let data-sheet phrasing suggest otherwise.
Essentials tier scope
The ordering guide enumerates Essentials explicitly, and it is already a full SSE stack: Secure Private Access (client and clientless ZTNA plus VPNaaS with posture assessment), Secure Internet Access (roaming security, IPsec/VPN tunnels, PAC files, proxy chaining, SD-WAN DIA), DNS-layer security, cloud firewall (FWaaS L3/L4), Secure Web Gateway with TLS/HTTPS decryption, CASB, RBI for risky sites only, sandboxing capped at 500 samples/day, Digital Experience Monitoring (DEM), and the Secure Client license. The three things Essentials notably lacks are content-aware DLP, an IPS, and Layer 7 application control — plus its RBI and sandbox are constrained.
Advantage tier scope
The ordering guide describes Advantage with a single load-bearing phrase: "In addition to Secure Access Essentials capabilities, it includes…". On top of the entire Essentials stack, Advantage layers in multimode DLP, an IPS, Layer 7 application visibility and control (e.g., allow Slack messaging but block Slack file uploads), unlimited sandboxing with full console access, and RBI for any website (proactive, broad isolation — not just risky sites).
Advantage = Essentials + 5 The complete Essentials SSE stack nests inside Advantage; five Advantage-only capabilities stack on top — nothing is removed.
Figure 4.1: Tier composition — Advantage wraps the complete Essentials SSE stack and adds five capabilities on top.
graph TD
subgraph ADV["Advantage (strict superset)"]
direction TB
subgraph ESS["Essentials (complete SSE stack)"]
direction TB
E1["SIA + SPA (SWG, FWaaS L3/L4, DNS security, CASB, ZTNA, VPNaaS)"]
E2["TLS/HTTPS decryption + DEM + Secure Client"]
E3["RBI: risky sites only"]
E4["Sandboxing: capped 500 samples/day"]
end
A1["+ Multimode DLP"]
A2["+ Intrusion Prevention System (IPS)"]
A3["+ Layer 7 application visibility & control"]
A4["+ Unlimited sandboxing (full console)"]
A5["+ RBI for any website"]
end
The comparison table below is the single most useful reference in this chapter. Keep it handy during any sizing conversation.
Table 4.1 — Cisco Secure Access: Essentials vs. Advantage (feature-by-feature)
Capability
Essentials
Advantage
Notes
Secure Internet Access (SIA)
Yes
Yes
Roaming security, tunnels, PAC, proxy chaining, SD-WAN DIA
Advantage adds full console, glove box, manual submissions
Multimode DLP
No
Yes
Content-aware data protection — Advantage only
Intrusion Prevention System (IPS)
No
Yes
Blocks exploits, incl. decrypted traffic
Layer 7 application visibility & control
No
Yes
Granular app-level allow/block
A precision note on DLP. The data sheet describes multimode DLP in general terms, but the ordering guide explicitly assigns DLP to the Advantage tier only. When these two sources conflict on tiering, the ordering guide is authoritative. The correct, purchasable answer is: if you need content-aware DLP, you need Advantage.
Figure 4.2: Tier-decision flowchart — any single Advantage-only requirement forces Advantage; otherwise Essentials suffices.
flowchart TD
START["Choosing a Secure Access tier"] --> Q1{"Need content-aware DLP? (inspect payloads leaving org)"}
Q1 -->|"Yes"| ADV["Choose Advantage"]
Q1 -->|"No"| Q2{"Need IPS? (block exploits on allowed sites)"}
Q2 -->|"Yes"| ADV
Q2 -->|"No"| Q3{"Need L7 app control, any-site RBI, or high-volume sandboxing?"}
Q3 -->|"Yes"| ADV
Q3 -->|"No"| ESS["Essentials is sufficient (upgrade in place later if needed)"]
Key Takeaway
Both SSE tiers cover SIA and SPA; Advantage is a strict superset of Essentials. Essentials is a complete SSE stack, but DLP, IPS, Layer 7 control, unlimited sandboxing, and any-site RBI are Advantage-only. Where the data sheet and ordering guide disagree on DLP, the ordering guide — which places DLP in Advantage — wins.
Post-Reading Check — Packaging Overview
How many primary SSE tiers does Cisco package Secure Access into?
One flat tier for everyoneTwo tiers: Essentials and AdvantageThree tiers: Basic, Pro, and EnterpriseFour tiers, one per use case
What does "Advantage is a strict superset of Essentials" mean in practice?
Advantage removes some Essentials features to add premium onesAdvantage keeps everything in Essentials and only adds more on topAdvantage and Essentials share no featuresEssentials contains everything Advantage does, plus extras
Which capability is Advantage-only and NOT part of Essentials?
DNS-layer securityCloud firewall (FWaaS) L3/L4 controlContent-aware multimode DLPSecure Web Gateway with TLS decryption
How does Remote Browser Isolation (RBI) differ between the two tiers?
Essentials has no RBI; Advantage isolates any siteEssentials isolates any site; Advantage only risky sitesEssentials isolates only risky sites; Advantage isolates any siteBoth tiers isolate only risky sites
When the data sheet and the ordering guide disagree on which tier includes DLP, which source is authoritative?
The data sheetThe ordering guideWhichever was published most recentlyA Reddit thread
Section 2: Buying and Bundling
Pre-Reading Check — Buying and Bundling
What is a "Covered User" license metered on?
Per device connected to Secure AccessPer individual person protected, regardless of device countPer gigabyte of traffic consumedPer branch site
How is the monthly data limit calculated under per-user metering?
A flat 20 GB per tenant regardless of user countNumber of Covered Users × 20 GB, pooled tenant-wide20 GB hard cap per individual user, no poolingUnlimited — there is no data limit
If you buy SIA for 1,200 users and SPA for 800 users, the shared pool is sized on…
Which of the following is a genuine paid add-on (not bundled) in the Secure Access model?
ISE/SGT integrationThe AI AssistantReserved IP egressXDR Connect
Under Cisco's true-forward billing, what happens to growth above your contracted quantity between anniversaries?
You are back-billed retroactively for every over-deployed monthYou are reconciled going forward at the anniversary, with no punitive back-billYour service is throttled until the next renewalYou must sign a brand-new contract immediately
Knowing what is in each tier tells you what to buy. This section covers how to buy it: the per-user metering that determines your quantity and traffic entitlement, the Enterprise Agreement vehicles enterprises purchase through, the handful of genuine add-ons, and the term lengths and true-forward mechanics that govern the contract over time.
Per-user subscription metering (the 20 GB pool)
Secure Access is licensed per user, using the concept of a "Covered User." The Offer Description is unambiguous: "You must purchase one Covered User license for each individual protected…" This is per person, not per device — a user's laptop, phone, and tablet are all covered by one seat.
Each seat does two things. First, it entitles that person to the tier's security services. Second — the part buyers routinely miss — each seat contributes 20 GB per month into a single, shared, tenant-wide pool. The math is simple: Monthly Data Limit = Number of Covered Users × 20 GB.
Key Points
Licensing is per Covered User (per person, not per device): one seat covers all of a user's devices.
Monthly Data Limit = Users × 20 GB, and the 20 GB is a shared pool, not a per-user throttle — one heavy user can consume far more than 20 GB.
The pool counts inbound + outbound and absorbs non-user traffic (servers, IoT, cameras, branch proxies) — so machine traffic can silently drain it. To grow the pool, add seats.
When SIA and SPA quantities differ, the pool is sized on the higher of the two counts.
Genuine add-ons are few — Investigate API tiers, Reserved IP egress, and a paid support SKU — because most modules (AI Assistant, ISE/SGT, XDR, Talos) are bundled.
Enterprises buy via an EA / Security Choice EA on 12/36/60-month terms, reconciled by true-forward billing.
The 20 GB pool fills — and spills Every seat drops 20 GB/month into one shared tank; non-user IoT/server traffic drinks from it too. Exceed the limit and you spill into overage — the fix is more seats.
Figure 4.3: Per-user metering — each Covered User seat feeds 20 GB into one shared tenant-wide pool that all traffic, including non-user devices, draws from.
flowchart TD
U1["Covered User 1 +20 GB/mo"] --> POOL
U2["Covered User 2 +20 GB/mo"] --> POOL
UN["Covered User N +20 GB/mo"] --> POOL
POOL["Shared tenant-wide data pool = Users × 20 GB/month (inbound + outbound)"]
DEV["Non-user traffic servers, IoT, cameras, branch proxies"] -->|"consumes from same pool"| POOL
POOL --> CHK{"Total traffic > pool limit?"}
CHK -->|"No"| OK["Within entitlement"]
CHK -->|"Yes (overage)"| FIX["Add Covered User seats (+seats × 20 GB enlarges pool)"]
FIX --> POOL
The analogy is a shared family mobile data plan: every line adds a fixed allowance, but the total is pooled — one heavy streamer can burn through allowance contributed by several light users, and the carrier only cares about the aggregate. Two details widen the scope: the limit applies to all traffic, inbound plus outbound, and it includes traffic from non-user devices protected by Secure Access. Heavy IoT/server traffic may force you to buy additional seats to enlarge the pool even though no new humans were added.
Worked Example — Sizing the pool for Contoso Health
Step 1 — Count the humans. 1,200 employees = 1,200 Covered Users. Their laptops, phones, and tablets share those seats.
Step 2 — Base pool. 1,200 × 20 GB = 24,000 GB = 24 TB/month.
Step 3 — Add non-user traffic. 300 IoT devices + 40 servers push ~3 TB/month against the same 24 TB pool.
Step 4 — Check headroom. ~18 TB human + 3 TB device = ~21 TB against 24 TB — comfortable. A new 5 TB workflow would push it to ~26 TB — over the limit.
Step 5 — Remediate. +150 Covered Users raises the pool by 3 TB to 27 TB/month. The lever is seats, not a separate bandwidth SKU.
One more rule: if SIA and SPA are bought in different quantities, the data limit uses the higher of the two counts. A site-based (bandwidth) licensing alternative also exists for some packages (SIA Essentials today) but excludes features like Experience Insights and the Secure Client; this chapter focuses on the default per-user model.
Enterprise Agreements and Cisco Security Cloud
Large enterprises frequently buy through a Cisco Enterprise Agreement (EA) — often the Security Choice EA — bundling Secure Access with other Cisco security under one contract and anniversary date. Each customer has one Secure Access subscription spanning SIA, SPA, and/or DNS Defense. The subscription bundles far more than SSE features: rights to the ThousandEyes Web Platform and Endpoint Agent (behind DEM), unlimited file analysis, three Secure Malware Analytics portal users, and Security Cloud Control and Security Cloud Sign-On.
Add-on modules and capacity
The Secure Access model is "batteries included" — genuine commercial add-ons are few: Investigate API rate-limit tiers (only one active per subscription; e.g., SA-INV-API-S), Reserved IP egress (dedicated egress IPs — described as "probably the only item a customer would pay extra for"), and Support SKUs (a base one auto-added at $0, plus a paid higher tier). Secure Access – DNS Defense is a parallel DNS-only package. Notably not add-ons: the AI Assistant, ISE/SGT integration, XDR Connect, enterprise browser, hybrid ZTA, and SaaS-API-based DLP/malware detection are all bundled into the tiers.
Term lengths and true-forward
Secure Access sells in 12-, 36-, and 60-month terms. The key commercial mechanic over the contract's life is true-forward: you may deploy above your contracted quantities during the term; at the EA anniversary Cisco measures actual usage and adjusts your go-forward billing to match; and there is no punitive retroactive true-up. Contrast with a traditional true-up, which charges retroactively. True-forward lets a fast-growing org onboard a new division mid-term without a surprise back-invoice.
True-forward reconciles at the anniversary Deploy above contract mid-term; at the EA anniversary usage is measured and billing adjusts going forward — no retroactive back-bill for the over-deployed months.
Figure 4.4: True-forward billing lifecycle — deploy above contract, reconcile forward at anniversary, no retroactive back-bill.
flowchart LR
A["Sign EA / Security Choice EA Initial contracted user count"] --> B["Deploy during term Add users as you grow (above initial quantities OK)"]
B --> C{"EA anniversary reached?"}
C -->|"No"| B
C -->|"Yes"| D["Cisco measures actual usage"]
D --> E["Adjust go-forward billing to match usage"]
E --> F["No punitive retroactive true-up (not back-billed for over-deployment)"]
F --> B
Key Takeaway
Metered per Covered User (per person); each seat adds 20 GB/month to a shared pool (Users × 20 GB) that also absorbs non-user IoT/server traffic; when SIA and SPA differ, use the higher count. Add-ons are few (Investigate API, Reserved IP, paid support). Enterprises buy via EA/Security Choice EA on 12/36/60-month terms under true-forward billing.
Post-Reading Check — Buying and Bundling
What is a "Covered User" license metered on?
Per device connected to Secure AccessPer individual person protected, regardless of device countPer gigabyte of traffic consumedPer branch site
How is the monthly data limit calculated under per-user metering?
A flat 20 GB per tenant regardless of user countNumber of Covered Users × 20 GB, pooled tenant-wide20 GB hard cap per individual user, no poolingUnlimited — there is no data limit
If you buy SIA for 1,200 users and SPA for 800 users, the shared pool is sized on…
Which of the following is a genuine paid add-on (not bundled) in the Secure Access model?
ISE/SGT integrationThe AI AssistantReserved IP egressXDR Connect
Under Cisco's true-forward billing, what happens to growth above your contracted quantity between anniversaries?
You are back-billed retroactively for every over-deployed monthYou are reconciled going forward at the anniversary, with no punitive back-billYour service is throttled until the next renewalYou must sign a brand-new contract immediately
Section 3: Licensing Gotchas
Pre-Reading Check — Licensing Gotchas
Why can an org with few employees but many IoT devices still exhaust its data pool?
IoT devices each require their own Covered User licenseNon-user traffic (IoT, servers, proxies) draws from the same shared poolIoT traffic is billed at a 10× multiplierThe pool shrinks automatically when devices connect
A hospital must block PHI documents from being uploaded to unsanctioned cloud storage. Which tier does it need?
Essentials — CASB app blocking is enoughAdvantage — content-aware DLP inspects payloads and is Advantage-onlyEither tier — DLP is in bothNeither — Secure Access cannot do DLP at all
Because Advantage is a strict superset, an Essentials customer that later needs DLP can…
Only get DLP by ripping out and re-architecting the deploymentUpgrade in place to Advantage without redesigning the deploymentBuy a standalone DLP product from a different vendorNever add DLP — the tier choice is permanent
How is Talos threat intelligence licensed within Secure Access?
Sold as a separate paid feed you must add onBundled — woven into detection logic in both tiersOnly available in AdvantageRequires a separate ThousandEyes contract
What is the correct buyer posture on Duo entitlements per this chapter?
Assume full Duo MFA is bundled into every Secure Access seatTreat Security Cloud Sign-On as included, but confirm the specific Duo edition separatelyDuo cannot integrate with Secure Access at allDuo is always a separate purchase with no sign-on included
The model is clean in outline but has sharp edges in practice. This section collects the three gotchas that most often cause budget overruns, policy dead-ends, or renewal surprises.
User counting and overages
The biggest sizing error is treating the 20 GB pool as a per-user throttle rather than a shared aggregate, and forgetting that non-user traffic counts. Consider an IoT-dense site: 200 employees but 800 IoT devices. Two hundred seats yields only a 4 TB/month pool. If the IoT fleet pushes past 4 TB, the remedy is to add seats (~+100 seats for a 6 TB pool) or route low-value IoT traffic outside Secure Access.
Key Points
Gotcha 1 — overage math. The 20 GB is a shared pool, not a per-user cap; IoT/server/proxy traffic drains it. Profile traffic, not just headcount; heavy video/backup/software-distribution burns the pool. Remedy: add seats.
Gotcha 2 — tier-gated features. DLP, IPS, L7 control, unlimited sandboxing, and any-site RBI are Advantage-only. Assuming a control is available can block an already-designed policy.
DLP is the most dangerous: data-sheet language can imply inclusion, but the authoritative ordering guide places it in Advantage. A HIPAA PHI-upload block needs Advantage DLP; Essentials only offers coarse URL/CASB blocking.
The superset design saves you: start on Essentials, upgrade in place when a DLP/IPS/L7 requirement arrives — no redesign.
Gotcha 3 — integration licensing.Talos is bundled and drives detection. For Duo, treat Security Cloud Sign-On as included but confirm the specific Duo MFA edition separately.
Feature availability by tier
The second gotcha is assuming a control is available when it is actually gated behind Advantage — blocking a policy you already designed. The offenders are consistent: DLP, IPS, Layer 7 application control, unlimited sandboxing, and any-site RBI are all Advantage-only. The most dangerous is DLP, because the data sheet's general language can imply inclusion while the authoritative ordering guide places it firmly in Advantage. A healthcare org needing to stop PHI uploads to unsanctioned storage cannot do that with Essentials — content-aware inspection requires Advantage's multimode DLP. Essentials' best levers are coarse URL/category blocking and CASB app controls, which cannot inspect whether this particular document contains a Social Security number. The saving grace: because Advantage only adds, you can start on Essentials and upgrade in place.
Integration licensing (Duo, Talos)
The third area of confusion is integration licensing. Many integrations are included in the tiers: ISE/SGT, XDR Connect, the AI Assistant, hybrid ZTA, the enterprise browser, and SaaS-API-based DLP/malware detection. Talos is the clearest "included" case — it is the engine behind DNS enforcement, risk scoring, and the risky-site determination that triggers Essentials RBI; it is woven into detection, not separately licensed. Duo needs precise scoping: Secure Access includes Security Cloud Sign-On for platform SSO/authentication, but the research does not document Duo's full MFA feature set as bundled into the Essentials/Advantage seat. Correct buyer posture: treat platform sign-on as included, but confirm the specific Duo edition and entitlement separately with your Cisco partner rather than assuming full Duo MFA is folded in.
Key Takeaway
Three gotchas: (1) user/overage math — the 20 GB is a shared pool, and IoT/server traffic consumes it, so add seats to grow the pool; (2) tier-gated features — DLP, IPS, L7, unlimited sandboxing, and any-site RBI are Advantage-only, with DLP read from the authoritative ordering guide; and (3) integration licensing — Talos is bundled and drives detection, while for Duo you treat Security Cloud Sign-On as included but confirm the specific Duo MFA entitlement separately.
Post-Reading Check — Licensing Gotchas
Why can an org with few employees but many IoT devices still exhaust its data pool?
IoT devices each require their own Covered User licenseNon-user traffic (IoT, servers, proxies) draws from the same shared poolIoT traffic is billed at a 10× multiplierThe pool shrinks automatically when devices connect
A hospital must block PHI documents from being uploaded to unsanctioned cloud storage. Which tier does it need?
Essentials — CASB app blocking is enoughAdvantage — content-aware DLP inspects payloads and is Advantage-onlyEither tier — DLP is in bothNeither — Secure Access cannot do DLP at all
Because Advantage is a strict superset, an Essentials customer that later needs DLP can…
Only get DLP by ripping out and re-architecting the deploymentUpgrade in place to Advantage without redesigning the deploymentBuy a standalone DLP product from a different vendorNever add DLP — the tier choice is permanent
How is Talos threat intelligence licensed within Secure Access?
Sold as a separate paid feed you must add onBundled — woven into detection logic in both tiersOnly available in AdvantageRequires a separate ThousandEyes contract
What is the correct buyer posture on Duo entitlements per this chapter?
Assume full Duo MFA is bundled into every Secure Access seatTreat Security Cloud Sign-On as included, but confirm the specific Duo edition separatelyDuo cannot integrate with Secure Access at allDuo is always a separate purchase with no sign-on included