The Total Economic Impact™ Of ThreatLocker
Cost Savings And Business Benefits Enabled By ThreatLocker
A Forrester Total Economic Impact™ Study Commissioned By ThreatLocker, February 2025
The market for cybersecurity solutions is growing, driven by the need for more robust security measures to address the increasing number of security threats and attacks. IT leaders are seeking comprehensive, Zero Trust endpoint security solutions that not only protect their organization’s networks but also provide visibility and control over their applications and infrastructure. With features like allowlisting and ringfencing, companies can proactively prevent threats and reduce breach risk and impact.
ThreatLocker secures an organization’s internal network using comprehensive, Zero Trust endpoint security through default-deny, allowlisting, and ringfencing capabilities. With ThreatLocker, leaders gain visibility into applications running in their systems, control over internal infrastructure, and capabilities to reduce security breach risk and effectiveness.
ThreatLocker commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying ThreatLocker.1 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of ThreatLocker on their organizations.
Return on investment (ROI)
184%
Net present value (NPV)
$4.15M
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed five decision-makers across four organizations with experience using ThreatLocker. For the purposes of this study, Forrester aggregated the interviewees’ experiences and combined the results into a single composite organization that is a multibillion-dollar, US-based, globally operated B2B organization.
Interviewees said that prior to using ThreatLocker, their organization experienced significant malware incidents and resource strain from previous security failures. Although interviewees evaluated alternative solutions, including other allowlisting features, they found them difficult to manage across multiple clients. Manual checklisting, when attempted, was also time consuming and inefficient. These limitations led to lack of visibility into applications running on the system, vulnerability to major security breaches, and disruption to business.
After the investment in ThreatLocker, the interviewees had no data security incidents. They experienced better data visibility, improved security postures, improved compliance, and increased productivity for their security operations teams. Key results from the investment included reduced risk of data breaches, enhanced security operations efficiencies, and avoided licensing costs.
Key Findings
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
- Achieved a 99% reduction in security incidents addressable with ThreatLocker. The ThreatLocker default-deny policy, which permits only allowlisted applications to run, significantly reduces the risk of unauthorized software execution and effectively prevents zero-day attacks. Over three years, the reduced risk of a data breach is worth $4 million to the composite organization.
- Gained 50% labor efficiencies from reduced time on routine maintenance, auditing access, cleanup, and detection and response. In addition to reducing the need for continuous monitoring, ThreatLocker helps security operations teams decrease the time spent on audits, routine maintenance, and manual reviews. Over three years, security operations efficiencies are worth $1.1 million to the composite organization.
- Replaced 10,000 third-party licenses with ThreatLocker. With ThreatLocker, organizations can reduce their reliance on endpoint detection and response (EDR) and antivirus solutions as well downgrade or decommission legacy allowlisting applications. Over three years, licensing cost avoidance is worth $1.2 million to the composite organization.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
- Limited effectiveness of security breaches through Ringfencing™. ThreatLocker limits the effectiveness of breaches through its Ringfencing solution, which contains potential threats within the network. The composite reports no security incidents after implementing ThreatLocker, and lockdown and isolate machine features allow quick, remote cleanups.
- Reduced shadow IT through increased visibility of end-user and application activity. The composite leverages the detailed visibility into end-user and application activity from ThreatLocker. This feature reduces shadow IT, simplifies the auditing process, and ensures that only approved applications are running, thereby mitigating the risk of unauthorized software.
- Eased use of software interface and policy creation. The intuitive ThreatLocker software interface and policy creation make it easier for the composite to manage and maintain security policies. This ease of use significantly improves the composite’s security posture and compliance readiness compared to allowlisting solutions in prior environments.
- Enhanced ThreatLocker support through Cyber Hero and ThreatLocker University. The composite uses ThreatLocker resources to ensure it leverages ThreatLocker and its features effectively, further enhancing the composite’s security posture.
- Minimized disruptions to revenue streams. The composite finds ThreatLocker crucial for system availability, as downtime leads to lost revenue.
- Increased sales through partnership trust. ThreatLocker positively impacts the composite’s sales and revenue by helping it demonstrate robust security measures, which has been instrumental in earning the trust of clients and partners.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
- Enterprise license fees. ThreatLocker license fees vary based on the number of endpoints and the solutions in which the organization invests. Over a three-year period, the composite organization pays $1 million in licensing fees.
- Implementation and ongoing management. The composite will conduct a one-month proof of concept followed by three to four months of implementation. Over a three-year period, the composite organization incurs costs of $487,000 for implementation and ongoing management.
- Training costs. The composite will train its IT teams and end users on ThreatLocker. Cyber Hero and ThreatLocker University are available to its IT teams at no cost. Over a three-year period, the composite organization spends $700,000 on training.
The representative interviews and financial analysis found that a composite organization experiences benefits of $6.41M over three years versus costs of $2.26M, adding up to a net present value (NPV) of $4.15M and an ROI of 184%.
Key Statistics
-
Return on investment (ROI)
184%
-
Benefits PV
$6.41M
-
Net present value (NPV)
$4.15M
-
Payback
7 months
Benefits (Three-Year)
Reduced risk of data breach Security operations efficiencies Licensing cost avoidance
TEI Framework And Methodology
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in ThreatLocker.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that ThreatLocker can have on an organization.
-
Due Diligence
Interviewed ThreatLocker stakeholders and Forrester analysts to gather data relative to ThreatLocker.
-
Interviews
Interviewed five people at four organizations using ThreatLocker to obtain data about costs, benefits, and risks.
-
Composite Organization
Designed a composite organization based on characteristics of the interviewees’ organizations.
-
Financial Model Framework
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
-
Case Study
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Disclosures
Readers should be aware of the following:
This study is commissioned by ThreatLocker and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in ThreatLocker.
ThreatLocker reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
ThreatLocker provided the customer names for the interviews but did not participate in the interviews.
Consulting Team:
Nahida S. Nisa
Drivers leading to the ThreatLocker investment
Interviews
| Role | Industry | Revenue | Deployed Endpoints |
|---|---|---|---|
| Chief executive officer | IT & cybersecurity managed services | $5.5M | 40 |
| Chief information security officer Director of cybersecurity |
Transportation | $9.6B | 11,000 |
| IT manager | Finance | $2.6B | 600 |
| Global information security manager | Agribusiness | $9B | 2,500 internally and across 95% of affiliates |
Key Challenges
Prior to ThreatLocker, several interviewees’ organizations experienced security incidents that consumed significant resources, strained their lean teams, and ultimately catalyzed their decision to consider a default-deny solution. Some interviewees experienced temporary user productivity losses that locked users out of their applications and negatively impacted business when previous security solutions failed to detect malware. For others, compliance requirements drove the need for an application allowlisting solution.
The interviewees noted their organization’s struggles with common challenges, including:
-
Previous cybersecurity incidents highlighted the need for a default-deny solution. The chief information security officer in the transportation industry described how the decision to move to ThreatLocker was triggered by a significant security event. Similarly, the IT manager in the finance industry noted that their organization experienced an especially costly ransomware incident that led to implementing ThreatLocker.
The chief executive officer in IT and cybersecurity managed services mentioned that a cybersecurity incident with a client led to the realization that they needed a default-deny solution. The incident, where a detection solution failed to prevent ransomware, resulted in their organization losing the client.
-
Incident recovery consumed significant resources. The chief information security officer in the transportation industry mentioned that their organization operates with lean teams, and one of its objectives was to reduce resource need.
The chief executive officer in the IT and cybersecurity managed services industry shared that before deploying ThreatLocker, their IT team spent considerable time recovering from cybersecurity incidents. For example, recovering from the ransomware incident which led to the loss of a client took approximately three weeks and six employees. The chief executive officer said: “We had to take service employees and project employees and dedicate them to that recovery. They could have been working on other things.”
-
Poor visibility inhibited governance. Interviewees struggled with managing and reducing cybersecurity risks due to a lack of visibility into applications running in their environments. This limited insight led to higher operational costs and additional staff to manage security incidents, highlighting existing security solution limitations and the need for a more proactive approach.
The global information security manager in the agribusiness industry said that a lack of visibility led to unauthorized applications running on their systems, increasing the risk of malware and ransomware incidents, “Before [ThreatLocker], we didn’t even have the level of visibility where we knew who was moving data from their desktops to a USB.” Their parent organization’s decentralized approach to security across different affiliates in the prior environment also made it difficult to standardize and enforce security policies. -
Compliance requirements drove the need for an application allowlisting solution. Compliance and regulatory requirements were top-of-mind for all interviewees. The global information security manager in the agribusiness industry noted that their organization adopted the 18 CIS Critical Security Controls, which required an application allowlisting solution. This compliance requirement drove the decision to implement ThreatLocker.
The director of cybersecurity in the transportation industry also highlighted PCI Security Standards Council compliance: “PCI is a requirement for antivirus or virus suppression. Of course, we work with our Qualified Security Assessor (QSA). The QSA agreed that ThreatLocker actually meets the requirement. So it took away the need for bringing additional tools to meet that requirement.”
Solution Requirements
The interviewees’ organizations searched for a solution that could:
- Enable a Zero Trust, default-deny security approach with allowlisting capabilities.
- Manage security across many endpoints without significantly increasing resource requirements.
- Provide a robust and user-friendly application control solution.
- Standardize across all affiliates.
Composite Organization
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The US-based, multibillion-dollar B2B organization operates globally. Its 10,000 employees each have a desktop or laptop computer. The organization has an existing security platform with an antivirus/EDR solution.
Deployment characteristics. The composite organization deploys ThreatLocker across 10,000 endpoints after a one-month proof of concept and a three-month implementation period. A team of 10 security analysts supports the tool, and all end users are trained in the change management process.
Quantified benefit data as applied to the composite
Total Benefits
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Atr | Reduced risk of data breach | $1,633,130 | $1,633,130 | $1,633,130 | $4,899,389 | $4,061,352 |
| Btr | Security operations efficiencies | $459,680 | $459,680 | $459,680 | $1,379,040 | $1,143,156 |
| Ctr | Licensing cost avoidance | $297,458 | $594,915 | $594,915 | $1,487,288 | $1,209,050 |
| Total benefits (risk-adjusted) | $2,390,267 | $2,687,725 | $2,687,725 | $7,765,716 | $6,413,558 | |
Reduced Risk Of Data Breach
Evidence and data. Interviewees highlighted the biggest benefit of ThreatLocker as its default-deny policy. This policy ensures that only trusted applications can run, which significantly reduces the risk of unauthorized software execution. Most interviewees adopted ThreatLocker after experiencing costly security incidents with alternative security solutions, and all four interviewees reported no ransomware or malware incidents after deploying ThreatLocker.
- The chief information security officer in the transportation industry noted that in addition to preventing security incidents, ThreatLocker also helped introduce a culture of awareness among employees, promoting a consciousness of what they run on their workstations: “ThreatLocker instills an awareness in people since they have to consciously request to use a new application, which sometimes prompts them to ask whether they should be using the application on a workstation and makes them aware of their workstation or server hygiene.”
- The chief executive officer in IT and cybersecurity managed services shared that a cybersecurity incident with a client, in which a prior security solution failed to prevent ransomware, led the interviewee’s organization to adopt ThreatLocker. Since deploying ThreatLocker, the organization has had zero data breaches. The chief executive officer emphasized that ThreatLocker Application Control and Storage Control features had been particularly valuable in preventing unauthorized software and controlling USB access, mentioning that the ThreatLocker Network Control feature had been crucial in protecting the organization’s remote monitoring and management tool from external attacks.
- The IT manager in finance highlighted that ThreatLocker Application Allowlisting and Ringfencing capabilities had been instrumental in preventing unauthorized software execution and reducing the attack surface.
- The global information security manager in the agribusiness industry mentioned that the ThreatLocker Zero Trust approach and Application Allowlisting had significantly reduced the risk of unauthorized software execution, noting that ThreatLocker had helped prevent malware, ransomware, and insider threats. The Storage Control module also improved data governance by limiting access to sensitive files and ensuring that only authorized users could interact with critical data.
- All interviewees described how ThreatLocker effectively reduced the risk of security breaches at their organization with its default-deny policy and Application Allowlisting, Ringfencing, and Storage Control features, which prevent unauthorized software execution, reduce the attack surface, and improve overall security posture. The global information security manager in the agribusiness industry remarked on its cyber insurance policy impact: “Most cyber insurance [providers] like the idea of being proactive, and I have ThreatLocker in place to give us that capability. We’re not being reactive. We’re demonstrating to cyber insurance [providers] that we are committed to being proactive from a security response perspective.” The chief executive officer in IT and cybersecurity managed services noted: “We’ve heard many of our clients say that their [cyber insurance] rates dropped after we implemented ThreatLocker. I would estimate [they dropped] by between 10% and 15%.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- According to Forrester Research, the composite experiences a 68% likelihood of one or more breaches per year, with 81% from internal incidents or external attacks that target the organization or its employees’ home remote network.2 Remaining attacks involve the company’s external ecosystem. The mean cumulative cost of breaches is $3,010,000.
- With ThreatLocker, the composite experiences a 99% reduction in security breaches.
- The composite’s cyber insurance policy rate reduction from allowlisting with ThreatLocker is 10%.
Risks. Results may not be representative of all experiences and the benefit will vary based on the following variables:
- The organization’s baseline security strength, exposure, and posture.
- The organization’s industry, risks, or activities that impact the costs of its cyber insurance policy.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $4.1 million.
Reduced Risk Of Data Breach
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| A1 | Likelihood of experiencing one or more breaches per year | Forrester research | 68% | 68% | 68% | |
| A2 | Percentage of breaches from internal incidents or from external attacks targeting the organization or its remote network | Forrester research | 81% | 81% | 81% | |
| A3 | Reduction in security incidents addressable with ThreatLocker | Interviews | 99% | 99% | 99% | |
| A4 | Mean cumulative cost of breaches | Forrester research | $3,010,000 | $3,010,000 | $3,010,000 | |
| A5 | Subtotal: Reduced exposure to security breaches with ThreatLocker | A1*A2*A3*A4 | $1,641,329 | $1,641,329 | $1,641,329 | |
| A6 | Cyber insurance policy cost | Composite | $2,800,000 | $2,800,000 | $2,800,000 | |
| A7 | Cyber insurance policy rate reduction due to allowlisting with ThreatLocker | Interviews | 10% | 10% | 10% | |
| A8 | Subtotal: Cyber insurance policy cost savings with ThreatLocker | A6*A7 | $280,000 | $280,000 | $280,000 | |
| At | Reduced risk of data breach | A5+A8 | $1,921,329 | $1,921,329 | $1,921,329 | |
| Risk adjustment | ↓15% | |||||
| Atr | Reduced risk of data breach (risk-adjusted) | $1,633,130 | $1,633,130 | $1,633,130 | ||
| Three-year total: $4,899,389 | Three-year present value: $4,061,352 | |||||
Security Operations Efficiencies
Evidence and data. Interviewees noted that ThreatLocker reduced the burden on their IT teams, minimizing the time spent on audits, routine maintenance, and manual reviews, as well as reducing the need for constant monitoring and intervention.
- The chief information security officer in the transportation industry noted that their organization operates with lean teams, adding, “Part of the idea in leveraging ThreatLocker is to use the services and the tool to have a default-deny policy with a whitelisting approach so we wouldn’t need as many resources.” The interviewee estimated that the team would have needed five additional detection and response personnel without ThreatLocker, which translated to cost savings and allowed the existing IT staff to focus on other critical tasks.
- The chief executive officer in IT and cybersecurity managed services noted a long-term reduction in the time and resources spent on incident recovery. The proactive approach allowed their IT team to address issues quickly and efficiently, preventing larger issues.
- The IT manager in the finance industry noted that ThreatLocker allowed their IT team to spend less time on manual reviews and more time on other important tasks. Additionally, easy auditing access to files and applications with ThreatLocker made their compliance reporting more efficient, saving time and resources. While auditing access to files and applications used to take the team two days, it now takes about 5 minutes.
- The global information security manager in agribusiness mentioned that ThreatLocker improved visibility and streamlined their organization’s IT processes, freeing IT staff to focus on other tasks.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- The composite organization has 10 FTEs on its cyber security team who experience 50% labor efficiencies from reduced time on routine maintenance, auditing access, cleanup, and detection and response.
- The average fully burdened hourly rate for a security analyst is $65.
Risks. Results may not be representative of all experiences and the benefit will vary based on the following variables:
- The organization’s size, industry, and number of deployed endpoints.
- The salary for a security analyst.
- The organization’s security posture and exposure.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.1 million.
Security Operations Efficiencies
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| B1 | Cyber security team FTEs | Composite | 10 | 10 | 10 | |
| B2 | Labor efficiencies gained from reduced time on routine maintenance, auditing access, cleanup, and detection and response | Interviews | 50% | 50% | 50% | |
| B3 | Average fully burdened hourly rate for a security analyst | Composite | $65 | $65 | $65 | |
| B4 | Productivity recapture | TEI standard | 80% | 80% | 80% | |
| Bt | Security operations efficiencies | B1*B2*B3*B4*2080 hours | $540,800 | $540,800 | $540,800 | |
| Risk adjustment | ↓15% | |||||
| Btr | Security operations efficiencies (risk-adjusted) | $459,680 | $459,680 | $459,680 | ||
| Three-year total: $1,379,040 | Three-year present value: $1,143,156 | |||||
Licensing Cost Avoidance
Evidence and data. Interviewees used ThreatLocker for proactive threat prevention combined with other reactive tools, some of which they were able to decommission after deploying ThreatLocker.
- The chief executive officer in IT and cybersecurity managed services said: “One [side] is preventive and one is reactive. On the preventive side, we’ve found nothing better than ThreatLocker.” Their organization was able to decommission some of its reactive tools after deploying ThreatLocker.
- The IT manager in the finance industry also decommissioned a preventive security tool after deploying ThreatLocker, eliminating associated costs and benefiting from a more efficient and user-friendly solution.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- The composite organization has 10,000 third-party licenses at $70 per license for a security tool that they replaced with ThreatLocker.
- The composite organization decommissions 50% of the tool in Year 1 and 100% in Years 2 and 3.
Risks. Results may not be representative of all experiences and the benefit will vary based on the following variables:
- The desired endpoint protection and organization coverage.
- The number and cost of legacy tools.
Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.2 million.
Licensing Cost Avoidance
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|
| C1 | Third-party licenses replaced with ThreatLocker | Composite | 10,000 | 10,000 | 10,000 | |
| C2 | Percentage of legacy savings realized | Composite | 50% | 100% | 100% | |
| C3 | Cost avoided per license | Interviews | $70 | $70 | $70 | |
| Ct | Licensing cost avoidance | C1*C2*C3 | $350,000 | $700,000 | $700,000 | |
| Risk adjustment | ↓15% | |||||
| Ctr | Licensing cost avoidance (risk-adjusted) | $297,458 | $594,915 | $594,915 | ||
| Three-year total: $1,487,500 | Three-year present value: $1,209,229 | |||||
Unquantified Benefits
Interviewees mentioned the following additional benefits that their organization experienced but were not able to quantify:
- Limited effectiveness of security breaches with Ringfencing™. Ringfencing is a key ThreatLocker feature that limits security threat effectiveness. While interviewees had not experienced a security incident after investing in ThreatLocker, they noted that the Ringfencing feature would help contain potential threats and prevent their spread by controlling what applications can do and how they interact. The chief information security officer in the transportation industry described a hypothetical breach scenario: “With ThreatLocker in place, we’re not going to have a complete compromise of the system, so any sort of cleanup is quick and lightweight. We can do it from a console remotely versus rebuilding the workstations with a thumb drive or bringing them into a support location. So it’s hours of employee time. We haven’t had to rebuild one workstation that’s had ThreatLocker on it since I’ve been here.”
- Reduced shadow IT through increased visibility of end-user and application activity. ThreatLocker significantly improved visibility into end-user and application activity and helped reduce shadow IT. Several interviewees mentioned that ThreatLocker made auditing easier and more efficient by providing detailed visibility into the applications being used and the users. These insights ensured that only approved applications were running, reducing the risk of unauthorized software.
- Eased use of software interface and policy creation. Interviewees mentioned that the easy-to-use ThreatLocker software interface and policy creation was a significant benefit compared to other allowlisting solutions. Because the ThreatLocker interface is intuitive and easy to navigate, IT staff could easily create, manage, and maintain security policies, ultimately improving security posture and compliance readiness.
- Enhanced ThreatLocker support through Cyber Hero and ThreatLocker University. Interviewees highly valued their ThreatLocker partnership and made use of the provided resources. The IT manager in the finance industry described the Cyber Hero support team as very responsive and quick to resolve issues. Additionally, ThreatLocker University offered comprehensive training that helped IT staff become proficient in the platform. This support ensured that interviewees’ organizations could effectively leverage ThreatLocker to enhance their security posture.
- Minimized disruptions to revenue streams. Several interviewees described that the ability of ThreatLocker to maintain system availability was crucial to their operations, noting that any downtime resulted in lost revenue.
- Increased sales through partnership trust. ThreatLocker had a positive impact on sales and revenue for some organizations, particularly those in managed services. The chief executive officer in the IT and cybersecurity managed services industry shared that they won new clients, including a large healthcare client, by demonstrating the robust security measures and ransomware attack prevention ThreatLocker enabled.
Flexibility
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement ThreatLocker and later realize additional uses and business opportunities, including:
- Improved operational efficiencies for end users. Interviewees described the ThreatLocker-introduced process improvements as key to unlocking opportunities and initiatives that would have been more time-consuming for IT teams and end users in the prior state. The global information security manager in the agribusiness industry explained: “Now that we’re able to allowlist applications, it means that the IT managers can adopt new tools and technologies without a lengthy approval process. For example, we had a project where the approval process was shortened because ThreatLocker was in place already vetting the applications.” Faster approvals offered more flexibility to the end user to initiate and complete projects on time.
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Appendix A).
Quantified cost data as applied to the composite
Total Costs
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Dtr | Enterprise license fees | $0 | $424,200 | $424,200 | $424,200 | $1,272,600 | $1,054,923 |
| Etr | Implementation and ongoing management | $394,240 | $37,180 | $37,180 | $37,180 | $505,780 | $486,701 |
| Ftr | Training costs | $697,950 | $8,580 | $8,580 | $8,580 | $723,690 | $719,287 |
| Total costs (risk-adjusted) | $1,092,190 | $469,960 | $469,960 | $469,960 | $2,502,070 | $2,260,911 | |
Enterprise License Fees
Evidence and data. Interviewees’ licensing costs for ThreatLocker varied depending on organization size and endpoints deployed. Pricing is per license per year and can be reduced with unified pricing for all products. Contact ThreatLocker for additional details.
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- The composite organization pays annual enterprise licensing fees of $40.40 per endpoint for the ThreatLocker suite of products.
- The organization enrolls 10,000 endpoints.
Risks. Results may not be representative of all experiences and the benefit will vary based on the following variables:
- The licensing agreement and specific solutions an organization chooses.
- The number of endpoints an organization enrolls.
Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.1 million.
Enterprise License Fees
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| D1 | License fee per endpoint | Composite | $40.40 | $40.40 | $40.40 | ||
| D2 | Endpoint licenses | Composite | 10,000 | 10,000 | 10,000 | ||
| Dt | Enterprise license fees | D1*D2 | $404,000 | $404,000 | $404,000 | ||
| Risk adjustment | ↑5% | ||||||
| Dtr | Enterprise license fees (risk-adjusted) | $0 | $424,200 | $424,200 | $424,200 | ||
| Three-year total: $1,272,600 | Three-year present value: $1,054,923 | ||||||
Implementation And Ongoing Management
Evidence and data. Overall, interviewees described the implementation process with ThreatLocker as quick and easy due to automation, ease of integration, and effective support from the ThreatLocker team. For most interviewees, the initial proof of concept phase took roughly four weeks with full deployment finalized in three to four months.
- The IT manager in the finance industry said: “You get the implementation plan approved, which wasn’t a big deal — less than 30 days. We did the initial client rollout to all devices and then started going to learning mode. In four weeks, we started to flip into secured mode. We were done in less than a month for workstations and in six weeks for servers.”
- Interviewees from organizations with subsidiaries, partners, or clients onboarded affiliated organizations at a rate of two to three per month. The chief executive officer of the IT and cybersecurity managed services organization noted: “We just started a process of onboarding two to three [clients] every month. And we actually got through them faster than we thought we would — in less than a year.”
- The global information security manager in the agribusiness industry described minimizing end-user impact by completing an initial internal rollout before launching a phased rollout to subsidiary organizations over four months.
- Interviewees also described ongoing management as minimal compared to other solutions. The chief information security officer in the transportation industry said, “We’ll say for the one person, it’s probably 25% of their time.” The IT manager in finance said: “It’s one person maybe. Last week was a little heavier because I was in there asking questions and making tweaks. But on average, I would say it takes six hours a week at most.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- Four FTEs, including one business leader, one IT analyst, and two security analysts, with an average fully burdened hourly rate of $200, dedicate 70% of their time to an initial 16-week implementation of ThreatLocker. Activities include proof of concept, policy creation, baselining, and rollout.
- One FTE with a fully burdened hourly rate of $65 dedicates 25% of their time to ongoing management.
Risks. Results may not be representative of all experiences and the benefit will vary based on the following variables:
- The skill set and salary levels of the implementation team.
- The complexity of the organization’s existing internal IT infrastructure and variations in time and resources required to install or test.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $487,000.
Implementation And Ongoing Management
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| E1 | FTEs involved in implementation (proof of concept, policy, baselining, and rollout) | Composite | 4 | ||||
| E2 | Average fully burdened hourly rate per FTE (one business leader, one IT analyst, and two security analysts) | Composite | $200 | ||||
| E3 | Weeks spent on implementation | Interviews | 16 | ||||
| E4 | Percentage of time allocated to implementation | Interviews | 70% | ||||
| E5 | Average fully burdened hourly rate for a security analyst | Composite | $65 | $65 | $65 | ||
| E6 | FTEs involved in ongoing maintenance (upgrades and onboarding new user systems or applications) | Interviews | 1 | 1 | 1 | ||
| E7 | Percentage of time dedicated to ongoing maintenance | Interviews | 25% | 25% | 25% | ||
| Et | Implementation and ongoing management | E1*E2*E3*E4*40 hours per week + E5*E6*E7*2080 hours per year | $358,400 | $33,800 | $33,800 | $33,800 | |
| Risk adjustment | ↑10% | ||||||
| Etr | Implementation and ongoing management (risk-adjusted) | $394,240 | $37,180 | $37,180 | $37,180 | ||
| Three-year total: $505,780 | Three-year present value: $486,701 | ||||||
Training Costs
Evidence and data. Interviewees described making additional resources available for education and internal development. Organizations allocated time for their security operations team to participate in online training through ThreatLocker University to stay current on features, functionalities, and security trends.
- The chief executive officer in the IT and cybersecurity managed services industry said: “I think most people take four to five months to complete Cyber Hero Training. We allot them time in their daily schedule to do the studying. It’s about a four- or five-month process for 1 hour, three times a week. We don’t have to pay [extra] for the training, and every employee is allowed to take the test twice before we incur low costs of around $100 to $200 to retake the exam. That incentivizes employees to pass within the first two times.”
- Interviewees also described change management for end users to promote knowledge about security policies and the process to approve requested applications. The director of cybersecurity in the transportation industry said: “We’ve had a culture of letting users install anything they could or wanted to on the system. Everybody was an administrator on the system, and it was a big culture shift of, ‘How can you take things away from me like this?’ So we did an extensive set of lunch-and-learns and focused training sessions with every user that would be impacted. There was extensive communication and specific sessions per department. This is a new kind of product, and you have to educate the marketplace.”
Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:
- All 10,000 end users, with an average fully burdened hourly rate of $55, complete a 1-hour webinar training for ThreatLocker on their workstations.
- Ten security analysts, with an average fully burdened hourly rate of $65, complete an initial 130-hour training and monthly, 1-hour trainings to stay current.
Risks. Results may not be representative of all experiences and the benefit will vary based on the following variables:
- The complexity and support model of the organization’s IT infrastructure.
- The number, skill level, efficiency, and salaries of analysts within an organization.
- The security posture and exposure of the composite organization.
Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $719,000.
Training Costs
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 | |
|---|---|---|---|---|---|---|---|
| F1 | End users with workstations using ThreatLocker | Composite | 10,000 | ||||
| F2 | Average fully burdened hourly rate for an end user | Composite | $55 | ||||
| F3 | Hours per webinar training | Interviews | 1 | ||||
| F4 | Security analysts | Composite | 10 | 10 | 10 | 10 | |
| F5 | Average fully burdened hourly rate for a security analyst | Composite | $65 | $65 | $65 | $65 | |
| F6 | Training hours for IT team | Interviews | 130 | 12 | 12 | 12 | |
| Ft | Training costs | F4*F5*F6+F1*F3*F2 | $634,500 | $7,800 | $7,800 | $7,800 | |
| Risk adjustment | ↑10% | ||||||
| Ftr | Training costs (risk-adjusted) | $697,950 | $8,580 | $8,580 | $8,580 | ||
| Three-year total: $723,690 | Three-year present value: $719,287 | ||||||
Consolidated Three-Year, Risk-Adjusted Metrics
Cash Flow Chart (Risk-Adjusted)
Total costs Total benefits Cumulative net benefits Initial Year 1 Year 2 Year 3-
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
Cash Flow Analysis (Risk-Adjusted Estimates)
| Initial | Year 1 | Year 2 | Year 3 | Total | Present Value | |
|---|---|---|---|---|---|---|
| Total costs | ($1,092,190) | ($469,960) | ($469,960) | ($469,960) | ($2,502,070) | ($2,260,911) |
| Total benefits | $0 | $2,390,267 | $2,687,725 | $2,687,725 | $7,765,717 | $6,413,558 |
| Net benefits | ($1,092,190) | $1,920,307 | $2,217,765 | $2,217,765 | $5,263,647 | $4,152,647 |
| ROI | 184% | |||||
| Payback | 7 months | |||||
Appendix A: Total Economic Impact
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
Total Economic Impact Approach
-
Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.
-
Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.
-
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.
-
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
Appendix B: Supplemental Material
Related Forrester Research
The State Of Data Security, 2024, Forrester Research, Inc., July 1, 2024.
The Devastating Business Impacts of a Cyber Breach, Harvard Business Review, May 4, 2023.
Appendix C: Endnotes
1Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
2 Source: Forrester's Security Survey, 2024. Base: 483 security decision-makers in North America who have experienced a breach in the past 12 months. Forrester annually assesses cybersecurity metrics through interviews, surveys, and expertise in the field. Analyses are provided with information rooted with specific data sets most accurately applied to the situations that have been collected in the study.
PDF 