The Cisco Secure Access License Model: Essentials vs. Advantage

Learning Objectives

Section 1: Packaging Overview

Pre-Reading Check — Packaging Overview

How many primary SSE tiers does Cisco package Secure Access into?

One flat tier for everyone Two tiers: Essentials and Advantage Three tiers: Basic, Pro, and Enterprise Four tiers, one per use case

What does "Advantage is a strict superset of Essentials" mean in practice?

Advantage removes some Essentials features to add premium ones Advantage keeps everything in Essentials and only adds more on top Advantage and Essentials share no features Essentials contains everything Advantage does, plus extras

Which capability is Advantage-only and NOT part of Essentials?

DNS-layer security Cloud firewall (FWaaS) L3/L4 control Content-aware multimode DLP Secure Web Gateway with TLS decryption

How does Remote Browser Isolation (RBI) differ between the two tiers?

Essentials has no RBI; Advantage isolates any site Essentials isolates any site; Advantage only risky sites Essentials isolates only risky sites; Advantage isolates any site Both tiers isolate only risky sites

When the data sheet and the ordering guide disagree on which tier includes DLP, which source is authoritative?

The data sheet The ordering guide Whichever was published most recently A Reddit thread

Cisco Secure Access is sold as a subscription to an SSE platform that covers two use cases under one contract: Secure Internet Access (SIA) — protecting user access to the internet and SaaS applications via SWG, FWaaS, DNS security, and CASB — and Secure Private Access (SPA) — Zero Trust Network Access and VPN-as-a-Service to your private applications. Both use cases are available in either tier. The tier you choose (Essentials or Advantage) determines the depth of the controls, not which use cases you get.

Think of Essentials and Advantage the way an airline thinks of Economy and Business class on the same aircraft. Both seats fly the identical route — you reach the same city either way, just as both tiers cover both SIA and SPA. The difference is what you get in the seat. Advantage is the Business-class cabin of Secure Access: same flight, richer inspection and control.

Key Points

Essentials tier scope

The ordering guide enumerates Essentials explicitly, and it is already a full SSE stack: Secure Private Access (client and clientless ZTNA plus VPNaaS with posture assessment), Secure Internet Access (roaming security, IPsec/VPN tunnels, PAC files, proxy chaining, SD-WAN DIA), DNS-layer security, cloud firewall (FWaaS L3/L4), Secure Web Gateway with TLS/HTTPS decryption, CASB, RBI for risky sites only, sandboxing capped at 500 samples/day, Digital Experience Monitoring (DEM), and the Secure Client license. The three things Essentials notably lacks are content-aware DLP, an IPS, and Layer 7 application control — plus its RBI and sandbox are constrained.

Advantage tier scope

The ordering guide describes Advantage with a single load-bearing phrase: "In addition to Secure Access Essentials capabilities, it includes…". On top of the entire Essentials stack, Advantage layers in multimode DLP, an IPS, Layer 7 application visibility and control (e.g., allow Slack messaging but block Slack file uploads), unlimited sandboxing with full console access, and RBI for any website (proactive, broad isolation — not just risky sites).

Advantage = Essentials + 5 The complete Essentials SSE stack nests inside Advantage; five Advantage-only capabilities stack on top — nothing is removed.
Advantage (strict superset) Essentials (complete SSE stack) SIA + SPA: SWG, FWaaS L3/L4, DNS, CASB, ZTNA, VPNaaS TLS/HTTPS decryption + DEM + Secure Client RBI: risky sites only Sandboxing: capped 500 samples/day + Multimode DLP + Intrusion Prevention (IPS) + Layer 7 app control + Unlimited sandboxing + RBI for any website

Figure 4.1: Tier composition — Advantage wraps the complete Essentials SSE stack and adds five capabilities on top.

graph TD subgraph ADV["Advantage (strict superset)"] direction TB subgraph ESS["Essentials (complete SSE stack)"] direction TB E1["SIA + SPA (SWG, FWaaS L3/L4,
DNS security, CASB, ZTNA, VPNaaS)"] E2["TLS/HTTPS decryption + DEM
+ Secure Client"] E3["RBI: risky sites only"] E4["Sandboxing: capped 500 samples/day"] end A1["+ Multimode DLP"] A2["+ Intrusion Prevention System (IPS)"] A3["+ Layer 7 application visibility & control"] A4["+ Unlimited sandboxing (full console)"] A5["+ RBI for any website"] end

The comparison table below is the single most useful reference in this chapter. Keep it handy during any sizing conversation.

Table 4.1 — Cisco Secure Access: Essentials vs. Advantage (feature-by-feature)

CapabilityEssentialsAdvantageNotes
Secure Internet Access (SIA)YesYesRoaming security, tunnels, PAC, proxy chaining, SD-WAN DIA
Secure Private Access (SPA)YesYesBuilt on ZTNA/VPNaaS for private apps
ZTNA (client + clientless)YesYesBoth browser-based and client-based access
VPN-as-a-Service (VPNaaS)YesYesCloud VPN integrated with ZTNA
Posture assessmentYesYesManaged and unmanaged devices
DNS-layer securityYesYesInherited from Umbrella
Cloud firewall / FWaaS (L3/L4)YesYesL3/L4 control of web and private traffic
Secure Web Gateway (SWG)YesYesProxy, URL/content filtering, advanced app controls
TLS/HTTPS decryptionYesYesDeep inspection in both tiers
CASB (discovery, risk, SaaS controls)YesYesDiscovery, risk scoring, blocking, malware detection
Digital Experience Monitoring (DEM)YesYesSame base feature set in both tiers
Remote Browser Isolation (RBI)Risky sites onlyAny siteAdvantage enables proactive/broad isolation
Malware analytics / sandboxing≤ 500 samples/dayUnlimitedAdvantage adds full console, glove box, manual submissions
Multimode DLPNoYesContent-aware data protection — Advantage only
Intrusion Prevention System (IPS)NoYesBlocks exploits, incl. decrypted traffic
Layer 7 application visibility & controlNoYesGranular app-level allow/block

A precision note on DLP. The data sheet describes multimode DLP in general terms, but the ordering guide explicitly assigns DLP to the Advantage tier only. When these two sources conflict on tiering, the ordering guide is authoritative. The correct, purchasable answer is: if you need content-aware DLP, you need Advantage.

Figure 4.2: Tier-decision flowchart — any single Advantage-only requirement forces Advantage; otherwise Essentials suffices.

flowchart TD START["Choosing a Secure Access tier"] --> Q1{"Need content-aware DLP?
(inspect payloads leaving org)"} Q1 -->|"Yes"| ADV["Choose Advantage"] Q1 -->|"No"| Q2{"Need IPS?
(block exploits on allowed sites)"} Q2 -->|"Yes"| ADV Q2 -->|"No"| Q3{"Need L7 app control,
any-site RBI, or
high-volume sandboxing?"} Q3 -->|"Yes"| ADV Q3 -->|"No"| ESS["Essentials is sufficient
(upgrade in place later if needed)"]

Key Takeaway

Post-Reading Check — Packaging Overview

How many primary SSE tiers does Cisco package Secure Access into?

One flat tier for everyone Two tiers: Essentials and Advantage Three tiers: Basic, Pro, and Enterprise Four tiers, one per use case

What does "Advantage is a strict superset of Essentials" mean in practice?

Advantage removes some Essentials features to add premium ones Advantage keeps everything in Essentials and only adds more on top Advantage and Essentials share no features Essentials contains everything Advantage does, plus extras

Which capability is Advantage-only and NOT part of Essentials?

DNS-layer security Cloud firewall (FWaaS) L3/L4 control Content-aware multimode DLP Secure Web Gateway with TLS decryption

How does Remote Browser Isolation (RBI) differ between the two tiers?

Essentials has no RBI; Advantage isolates any site Essentials isolates any site; Advantage only risky sites Essentials isolates only risky sites; Advantage isolates any site Both tiers isolate only risky sites

When the data sheet and the ordering guide disagree on which tier includes DLP, which source is authoritative?

The data sheet The ordering guide Whichever was published most recently A Reddit thread

Section 2: Buying and Bundling

Pre-Reading Check — Buying and Bundling

What is a "Covered User" license metered on?

Per device connected to Secure Access Per individual person protected, regardless of device count Per gigabyte of traffic consumed Per branch site

How is the monthly data limit calculated under per-user metering?

A flat 20 GB per tenant regardless of user count Number of Covered Users × 20 GB, pooled tenant-wide 20 GB hard cap per individual user, no pooling Unlimited — there is no data limit

If you buy SIA for 1,200 users and SPA for 800 users, the shared pool is sized on…

The sum: 2,000 users The lower count: 800 users The higher count: 1,200 users The average: 1,000 users

Which of the following is a genuine paid add-on (not bundled) in the Secure Access model?

ISE/SGT integration The AI Assistant Reserved IP egress XDR Connect

Under Cisco's true-forward billing, what happens to growth above your contracted quantity between anniversaries?

You are back-billed retroactively for every over-deployed month You are reconciled going forward at the anniversary, with no punitive back-bill Your service is throttled until the next renewal You must sign a brand-new contract immediately

Knowing what is in each tier tells you what to buy. This section covers how to buy it: the per-user metering that determines your quantity and traffic entitlement, the Enterprise Agreement vehicles enterprises purchase through, the handful of genuine add-ons, and the term lengths and true-forward mechanics that govern the contract over time.

Per-user subscription metering (the 20 GB pool)

Secure Access is licensed per user, using the concept of a "Covered User." The Offer Description is unambiguous: "You must purchase one Covered User license for each individual protected…" This is per person, not per device — a user's laptop, phone, and tablet are all covered by one seat.

Each seat does two things. First, it entitles that person to the tier's security services. Second — the part buyers routinely miss — each seat contributes 20 GB per month into a single, shared, tenant-wide pool. The math is simple: Monthly Data Limit = Number of Covered Users × 20 GB.

Key Points

The 20 GB pool fills — and spills Every seat drops 20 GB/month into one shared tank; non-user IoT/server traffic drinks from it too. Exceed the limit and you spill into overage — the fix is more seats.
Seat 1 +20 GB Seat 2 +20 GB Seat N +20 GB Non-user trafficIoT / servers / cameras Shared pool = Users × 20 GB (in + out) OVERAGE over limit Fix: add Covered User seats → +seats × 20 GB enlarges the pool

Figure 4.3: Per-user metering — each Covered User seat feeds 20 GB into one shared tenant-wide pool that all traffic, including non-user devices, draws from.

flowchart TD U1["Covered User 1
+20 GB/mo"] --> POOL U2["Covered User 2
+20 GB/mo"] --> POOL UN["Covered User N
+20 GB/mo"] --> POOL POOL["Shared tenant-wide data pool
= Users × 20 GB/month
(inbound + outbound)"] DEV["Non-user traffic
servers, IoT, cameras, branch proxies"] -->|"consumes from same pool"| POOL POOL --> CHK{"Total traffic
> pool limit?"} CHK -->|"No"| OK["Within entitlement"] CHK -->|"Yes (overage)"| FIX["Add Covered User seats
(+seats × 20 GB enlarges pool)"] FIX --> POOL

The analogy is a shared family mobile data plan: every line adds a fixed allowance, but the total is pooled — one heavy streamer can burn through allowance contributed by several light users, and the carrier only cares about the aggregate. Two details widen the scope: the limit applies to all traffic, inbound plus outbound, and it includes traffic from non-user devices protected by Secure Access. Heavy IoT/server traffic may force you to buy additional seats to enlarge the pool even though no new humans were added.

Worked Example — Sizing the pool for Contoso Health

One more rule: if SIA and SPA are bought in different quantities, the data limit uses the higher of the two counts. A site-based (bandwidth) licensing alternative also exists for some packages (SIA Essentials today) but excludes features like Experience Insights and the Secure Client; this chapter focuses on the default per-user model.

Enterprise Agreements and Cisco Security Cloud

Large enterprises frequently buy through a Cisco Enterprise Agreement (EA) — often the Security Choice EA — bundling Secure Access with other Cisco security under one contract and anniversary date. Each customer has one Secure Access subscription spanning SIA, SPA, and/or DNS Defense. The subscription bundles far more than SSE features: rights to the ThousandEyes Web Platform and Endpoint Agent (behind DEM), unlimited file analysis, three Secure Malware Analytics portal users, and Security Cloud Control and Security Cloud Sign-On.

Add-on modules and capacity

The Secure Access model is "batteries included" — genuine commercial add-ons are few: Investigate API rate-limit tiers (only one active per subscription; e.g., SA-INV-API-S), Reserved IP egress (dedicated egress IPs — described as "probably the only item a customer would pay extra for"), and Support SKUs (a base one auto-added at $0, plus a paid higher tier). Secure Access – DNS Defense is a parallel DNS-only package. Notably not add-ons: the AI Assistant, ISE/SGT integration, XDR Connect, enterprise browser, hybrid ZTA, and SaaS-API-based DLP/malware detection are all bundled into the tiers.

Term lengths and true-forward

Secure Access sells in 12-, 36-, and 60-month terms. The key commercial mechanic over the contract's life is true-forward: you may deploy above your contracted quantities during the term; at the EA anniversary Cisco measures actual usage and adjusts your go-forward billing to match; and there is no punitive retroactive true-up. Contrast with a traditional true-up, which charges retroactively. True-forward lets a fast-growing org onboard a new division mid-term without a surprise back-invoice.

True-forward reconciles at the anniversary Deploy above contract mid-term; at the EA anniversary usage is measured and billing adjusts going forward — no retroactive back-bill for the over-deployed months.
contracted quantity Sign EA initial count Deploy above contract (allowed — grow freely) EA anniversary Bill forward no retroactive true-up

Figure 4.4: True-forward billing lifecycle — deploy above contract, reconcile forward at anniversary, no retroactive back-bill.

flowchart LR A["Sign EA / Security Choice EA
Initial contracted user count"] --> B["Deploy during term
Add users as you grow
(above initial quantities OK)"] B --> C{"EA anniversary
reached?"} C -->|"No"| B C -->|"Yes"| D["Cisco measures
actual usage"] D --> E["Adjust go-forward billing
to match usage"] E --> F["No punitive retroactive true-up
(not back-billed for over-deployment)"] F --> B

Key Takeaway

Post-Reading Check — Buying and Bundling

What is a "Covered User" license metered on?

Per device connected to Secure Access Per individual person protected, regardless of device count Per gigabyte of traffic consumed Per branch site

How is the monthly data limit calculated under per-user metering?

A flat 20 GB per tenant regardless of user count Number of Covered Users × 20 GB, pooled tenant-wide 20 GB hard cap per individual user, no pooling Unlimited — there is no data limit

If you buy SIA for 1,200 users and SPA for 800 users, the shared pool is sized on…

The sum: 2,000 users The lower count: 800 users The higher count: 1,200 users The average: 1,000 users

Which of the following is a genuine paid add-on (not bundled) in the Secure Access model?

ISE/SGT integration The AI Assistant Reserved IP egress XDR Connect

Under Cisco's true-forward billing, what happens to growth above your contracted quantity between anniversaries?

You are back-billed retroactively for every over-deployed month You are reconciled going forward at the anniversary, with no punitive back-bill Your service is throttled until the next renewal You must sign a brand-new contract immediately

Section 3: Licensing Gotchas

Pre-Reading Check — Licensing Gotchas

Why can an org with few employees but many IoT devices still exhaust its data pool?

IoT devices each require their own Covered User license Non-user traffic (IoT, servers, proxies) draws from the same shared pool IoT traffic is billed at a 10× multiplier The pool shrinks automatically when devices connect

A hospital must block PHI documents from being uploaded to unsanctioned cloud storage. Which tier does it need?

Essentials — CASB app blocking is enough Advantage — content-aware DLP inspects payloads and is Advantage-only Either tier — DLP is in both Neither — Secure Access cannot do DLP at all

Because Advantage is a strict superset, an Essentials customer that later needs DLP can…

Only get DLP by ripping out and re-architecting the deployment Upgrade in place to Advantage without redesigning the deployment Buy a standalone DLP product from a different vendor Never add DLP — the tier choice is permanent

How is Talos threat intelligence licensed within Secure Access?

Sold as a separate paid feed you must add on Bundled — woven into detection logic in both tiers Only available in Advantage Requires a separate ThousandEyes contract

What is the correct buyer posture on Duo entitlements per this chapter?

Assume full Duo MFA is bundled into every Secure Access seat Treat Security Cloud Sign-On as included, but confirm the specific Duo edition separately Duo cannot integrate with Secure Access at all Duo is always a separate purchase with no sign-on included

The model is clean in outline but has sharp edges in practice. This section collects the three gotchas that most often cause budget overruns, policy dead-ends, or renewal surprises.

User counting and overages

The biggest sizing error is treating the 20 GB pool as a per-user throttle rather than a shared aggregate, and forgetting that non-user traffic counts. Consider an IoT-dense site: 200 employees but 800 IoT devices. Two hundred seats yields only a 4 TB/month pool. If the IoT fleet pushes past 4 TB, the remedy is to add seats (~+100 seats for a 6 TB pool) or route low-value IoT traffic outside Secure Access.

Key Points

Feature availability by tier

The second gotcha is assuming a control is available when it is actually gated behind Advantage — blocking a policy you already designed. The offenders are consistent: DLP, IPS, Layer 7 application control, unlimited sandboxing, and any-site RBI are all Advantage-only. The most dangerous is DLP, because the data sheet's general language can imply inclusion while the authoritative ordering guide places it firmly in Advantage. A healthcare org needing to stop PHI uploads to unsanctioned storage cannot do that with Essentials — content-aware inspection requires Advantage's multimode DLP. Essentials' best levers are coarse URL/category blocking and CASB app controls, which cannot inspect whether this particular document contains a Social Security number. The saving grace: because Advantage only adds, you can start on Essentials and upgrade in place.

Integration licensing (Duo, Talos)

The third area of confusion is integration licensing. Many integrations are included in the tiers: ISE/SGT, XDR Connect, the AI Assistant, hybrid ZTA, the enterprise browser, and SaaS-API-based DLP/malware detection. Talos is the clearest "included" case — it is the engine behind DNS enforcement, risk scoring, and the risky-site determination that triggers Essentials RBI; it is woven into detection, not separately licensed. Duo needs precise scoping: Secure Access includes Security Cloud Sign-On for platform SSO/authentication, but the research does not document Duo's full MFA feature set as bundled into the Essentials/Advantage seat. Correct buyer posture: treat platform sign-on as included, but confirm the specific Duo edition and entitlement separately with your Cisco partner rather than assuming full Duo MFA is folded in.

Key Takeaway

Post-Reading Check — Licensing Gotchas

Why can an org with few employees but many IoT devices still exhaust its data pool?

IoT devices each require their own Covered User license Non-user traffic (IoT, servers, proxies) draws from the same shared pool IoT traffic is billed at a 10× multiplier The pool shrinks automatically when devices connect

A hospital must block PHI documents from being uploaded to unsanctioned cloud storage. Which tier does it need?

Essentials — CASB app blocking is enough Advantage — content-aware DLP inspects payloads and is Advantage-only Either tier — DLP is in both Neither — Secure Access cannot do DLP at all

Because Advantage is a strict superset, an Essentials customer that later needs DLP can…

Only get DLP by ripping out and re-architecting the deployment Upgrade in place to Advantage without redesigning the deployment Buy a standalone DLP product from a different vendor Never add DLP — the tier choice is permanent

How is Talos threat intelligence licensed within Secure Access?

Sold as a separate paid feed you must add on Bundled — woven into detection logic in both tiers Only available in Advantage Requires a separate ThousandEyes contract

What is the correct buyer posture on Duo entitlements per this chapter?

Assume full Duo MFA is bundled into every Secure Access seat Treat Security Cloud Sign-On as included, but confirm the specific Duo edition separately Duo cannot integrate with Secure Access at all Duo is always a separate purchase with no sign-on included

Your Progress

Answer Explanations