How CloudGovernanceCost.com Calculates Cost Ranges
Every cost range on the site traces to one of the public sources documented below. This page walks through which source feeds which number, how the bands are derived, what is explicitly out of scope, and the refresh cadence. The goal is that any reader who disagrees with a figure can look at the same public source and form their own view.
Sources by category
The full source list. Each cost figure on the site is mapped to one of these sources via the calculation framework below.
| Category | Source | What we use it for |
|---|---|---|
| Tooling | Vendor public pricing pages (Wiz, Orca, Prisma Cloud, Vanta, Drata, Sonrai, Tenable Ermetic) | Public list-price bands. We do not republish quoted enterprise discounts; we capture the visible list range and document the public anchor. |
| Tooling | AWS, Azure, GCP public pricing pages | Native CSPM and security tool list prices (AWS Security Hub $0.001/check, Defender for Cloud per-resource pricing, GCP SCC Premium quote-only). |
| Tooling | Vantage cloud cost research | Cloud waste benchmarks (the 28-35% waste rate that powers the ROI page), reserved instance economics, and multi-cloud pricing comparisons. |
| Tooling | Sedai cloud cost benchmarks | Public research on cloud waste, autonomous remediation savings, and FinOps maturity benchmarks. |
| Tooling | CloudQuery | Public pricing for cloud asset inventory and governance data. Reference point for the open-source vs commercial spectrum on the /build-vs-buy page. |
| Tooling | FinOps Foundation State of FinOps and Framework | Authoritative on how cloud cost governance interlocks with the broader FinOps lifecycle. Used on /governance-vs-finops to delineate the overlap. |
| Staffing | BLS Occupational Employment and Wage Statistics (OEWS) | Primary source for cloud security architect, cloud engineer, and compliance analyst wage data. Annual public release. |
| Staffing | Levels.fyi, Salary.com, Glassdoor, Indeed | Consumer salary aggregators. Cross-referenced against BLS OEWS to derive the bands on /staffing. We publish the range, not a point estimate, because each source measures something different. |
| Compliance | AICPA SOC 2 reference materials | Authoritative source for SOC 2 Type II control categories. Drives the SOC 2 +40% multiplier on /compliance. |
| Compliance | ISO 27001 public certification fee schedules | Public certification body fee schedules from BSI, BV, Schellman and other accredited bodies. Used to estimate audit-fee ranges. |
| Compliance | HHS HIPAA publications and PCI Security Standards Council documentation | Authoritative on the control requirements that drive the HIPAA +60% and PCI DSS +80% multipliers. |
| ROI | IBM Cost of a Data Breach Report 2024 | Industry standard for the $4.45M average breach cost figure that powers the /roi page. Annual public release. |
Calculation framework
How public source data becomes the bands published on the site.
Tooling cost band derivation
Where a vendor publishes a list price (AWS Security Hub at $0.001 per check, Defender for Cloud at $5-15 per resource per month, AWS IAM Access Analyzer free, GCP SCC Standard free), we use the public figure directly. Where a vendor publishes per-resource or per-identity pricing without an enterprise floor (Wiz, Orca, Prisma), we publish a range derived from public reseller marketplace listings, public RFP documents, and public case-study disclosures. We deliberately exclude quoted enterprise discounts because they are not reproducible across readers.
The headline annual program cost ($40k-$400k+ on the home page) is the convolution of tooling cost by company size with the Vantage and Sedai public benchmarks on cloud waste recovery and FinOps maturity progression.
Staffing cost band derivation
Base wage data comes from BLS OEWS for the closest matching occupation codes (typically Information Security Analysts, Software Developers, and Computer and Information Research Scientists). We apply a 1.3x loaded-cost multiplier on top of base salary to account for benefits, employer payroll taxes, equipment, and overhead. The 1.3x multiplier is the standard public-sector rule of thumb used by federal cost-modelling guidance and is conservative against the higher 1.4-1.6x multipliers some private-sector employers apply.
For roles where BLS does not cleanly map (cloud security architect, governance engineer), we publish a band reconciled from Levels.fyi, Salary.com, Glassdoor and Indeed. Each aggregator measures something slightly different (base vs total comp, self-reported vs employer-reported) so the band is wider than any single source.
Compliance multiplier derivation
The compliance multipliers on the /compliance page (SOC 2 +40%, ISO 27001 +50%, HIPAA +60%, PCI DSS +80%) are derived from comparing baseline cloud governance program costs against industry-disclosed costs of running the same governance program plus the framework controls. We use audit-fee schedules from BSI, BV, Schellman, and other accredited certification bodies for the audit component. We use AICPA, HHS, and PCI SSC published control requirements for the control-implementation component. Compliance automation tool prices (Vanta, Drata, OneTrust) come from the vendor public pricing pages. The multipliers assume a governance baseline is already in place; pursuing compliance from scratch is more expensive.
ROI calculation components
The /roi page treats governance ROI as the sum of three independent components: cloud waste recovery (15-25% of cloud spend, anchored on Vantage and Sedai public research that places cloud waste at 28-35% and assuming governance recovers half to three-quarters of it), breach risk reduction (using the IBM CODB $4.45M average breach cost with a probability reduction estimate from public security research), and audit cost savings (70-80% reduction in audit preparation time, anchored on Vanta and Drata public case-study disclosures). The 200-600% three-year ROI band is the convolution of those three across the company-size tiers on the /staffing and home pages.
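As an added worked example (not code from CloudGovernanceCost.com), the three-component sum above carried through with interval arithmetic over the page's own ranges. The cloud spend, program cost, audit-preparation cost, annual breach probability and the breach-probability reduction band are constructed inputs, not page figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Band:
    """Closed low/high range; arithmetic keeps the band width explicit."""
    low: float
    high: float

    def __add__(self, other: "Band") -> "Band":
        return Band(self.low + other.low, self.high + other.high)

    def scale(self, k: float) -> "Band":
        return Band(self.low * k, self.high * k)


# Figures taken from the page's /roi decomposition.
WASTE_RECOVERY = Band(0.15, 0.25)        # share of cloud spend recovered by governance
AUDIT_PREP_REDUCTION = Band(0.70, 0.80)  # cut in audit-preparation effort
IBM_AVG_BREACH_COST = 4_450_000          # IBM CODB 2024 average breach cost (USD)


def roi_components(cloud_spend: float, audit_prep_cost: float,
                   breach_probability: float, probability_reduction: Band) -> dict:
    """Annual benefit of each component as a Band (USD)."""
    expected_annual_breach_loss = breach_probability * IBM_AVG_BREACH_COST
    return {
        "waste_recovery": WASTE_RECOVERY.scale(cloud_spend),
        "breach_risk_reduction": probability_reduction.scale(expected_annual_breach_loss),
        "audit_savings": AUDIT_PREP_REDUCTION.scale(audit_prep_cost),
    }


def three_year_roi(cloud_spend: float, program_cost: float, audit_prep_cost: float,
                   breach_probability: float, probability_reduction: Band, years: int = 3) -> Band:
    """ROI in percent, (benefit - cost) / cost over `years`. Pairing all lows together and
    all highs together yields the widest band, which is how the page reports ranges."""
    parts = roi_components(cloud_spend, audit_prep_cost, breach_probability, probability_reduction)
    annual = Band(0.0, 0.0)
    for component in parts.values():
        annual = annual + component
    total_benefit = annual.scale(years)
    total_cost = program_cost * years
    return Band((total_benefit.low - total_cost) / total_cost * 100,
                (total_benefit.high - total_cost) / total_cost * 100)


if __name__ == "__main__":
    # Constructed inputs (assumptions, not page figures): $2M cloud spend, $150k/yr program,
    # $100k/yr audit prep, 10% annual breach probability cut by 20-40% with governance in place.
    band = three_year_roi(2_000_000, 150_000, 100_000, 0.10, Band(0.20, 0.40))
    print(f"three-year ROI: {band.low:.0f}% to {band.high:.0f}%")
```

With these inputs the result lands inside the page's 200-600% band; changing the breach-probability assumption alone moves the high end noticeably, which is why the page reports that component as an estimate rather than a fixed figure.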
Refresh cadence
We do a substantive review of the underlying figures monthly, in the first business week of each month. The Updated YYYY-MM-DD line at the bottom of every page reflects when that review last occurred, not when the page CSS changed.
Mechanically, every Updated date on the site reads from one constant (LAST_VERIFIED_DATE) in src/lib/schema.ts. That same constant feeds the Article JSON-LD dateModified on every page. We update it only when a substantive review has happened, so cosmetic refreshes do not falsely imply data freshness.
Material rate changes trigger an out-of-cycle refresh: a cloud-provider pricing announcement, a public commercial vendor list-price change of more than 10 percent, a new annual BLS OEWS release, a new IBM CODB release, or a substantive FinOps Foundation publication.
Explicitly out of scope
We do not publish figures we cannot defend from public sources, even where the demand is high.
Quoted enterprise discounts
Negotiated discount levels are not publicly disclosed and vary by contract size, term, multi-product bundling, and reseller markup. Publishing a single figure would be misleading.
AWS Reserved Instance / Savings Plan specifics
RI and SP economics are heavily company-specific (workload pattern, reservation horizon, regional commitment). The /roi page references the headline 30-72% public AWS-disclosed savings but does not model the company-specific math.
Azure regional surcharges
Azure pricing varies by region, currency, and contract type in ways that defy a single number. We cite the US East-2 list price as a reference point.
Cold-start premiums for vector DBs and SaaS tools
Where vendors charge a deployment or activation fee on top of the monthly list price, we exclude it because the figure is not consistently disclosed.
Single-vendor brand-comparison pages
We do not publish pages that purport to compare two named brands (Wiz vs Orca, Vanta vs Drata) in isolation. The /tools and /build-vs-buy pages treat each vendor as one entry in a category.
Personal salary disclosures
We use BLS OEWS aggregate ranges and consumer aggregator bands. We do not publish or solicit individual salary data points.
Limitations
Even with public sources only and monthly review, the data has known limitations and we want to be explicit about them.
Cloud-provider list prices drift between our monthly reviews. AWS, Azure, and GCP each issue smaller pricing changes weekly. If a figure on the site differs from what you see on a vendor pricing page today, the vendor page is the authoritative value and we will catch up on the next review.
The 28-35% cloud-waste figure (Vantage, Sedai) is an industry average. Individual organisations span a wide range. Governance investment recovers a portion of waste, not all of it; the /roi page treats waste recovery as 15-25% of cloud spend, which is the half-to-three-quarters portion of the waste range. Your specific organisation may sit anywhere in that band.
Compliance multipliers assume the baseline cloud governance program is in place. Pursuing compliance certification on top of a zero baseline (no CSPM, no policy enforcement, no identity governance) costs substantially more than the multiplier figures suggest because the framework controls also have to be implemented from scratch.
The /staffing salary bands are US-centric. Outside the US, BLS OEWS does not apply, and the consumer aggregator bands cover global self-reported data unevenly. For roles in the EU, UK, India, or other geographies, treat the US bands as a starting point and apply regional adjustments.
Corrections
If a figure on the site looks wrong or a source we cite has moved, email [email protected] with the figure in dispute and the public source you would prefer we cite. Material errors get addressed within five business days; minor figure refreshes ride the regular monthly review cadence.
Editorial position is documented on /about.
Updated 2026-05-11