With Keyfactor SaaS-delivered public key infrastructure (PKI) and certificate lifecycle management, organizations can discover certificates, automate renewals at scale, identify and remediate vulnerabilities, prepare for post-quantum regulations, and address infrastructure and maintenance cost challenges.
Keyfactor provides a single platform for certificate issuance, visibility, control, and automation across an enterprise, including SaaS, on-premises, and hybrid environments. Keyfactor commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by working with Keyfactor.1 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Keyfactor on their organizations.
Return on investment (ROI): 356%
Net present value (NPV): $9.9M
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed five decision-makers with experience using Keyfactor. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which is industry-agnostic and has 40,000 employees and $20 billion in annual revenue.
Interviewees said that prior to using Keyfactor, their organizations typically (and often manually) managed a fragmented certificate estate across many teams, requiring significant support from PKI engineers to provision, deploy, and renew certificates. Visibility across the entire organization was limited given the team-by-team deployments, resulting in blind spots for expiration incidents and security vulnerabilities. PKI infrastructure was often complex and required steady annual investment to maintain and scale to the increasing demands of the business, which was becoming untenable.
After the investment with Keyfactor, the interviewees’ organizations could automate a significant portion of the certificate lifecycle on Keyfactor, refocusing valuable engineer hours on value-adding activities while accelerating support for the business. They gained “single pane of glass” visibility across their certificate estates, breaking down blind spots and avoiding costly incidents. They could gradually retire infrastructure, yielding savings on hardware, software, and the related management. Interviewees also described futureproofing their certificate estates on Keyfactor for post-quantum cryptography and more frequent certificate renewal timeframes on the horizon.
Key Findings
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
Up to 12,000 hours saved on manual new certificate provisioning. The composite organization automates many of its manual certificate provisioning processes, reducing associated labor and providing a common solution for certificate provisioning across its disparate teams. This represents more than $1.5 million PV in productivity savings for the composite organization over three years.
Nearly 25 minutes saved per certificate on renewals. Keyfactor automates certificate renewals, reducing the time spent on manual renewals across several teams and decreasing the likelihood of certificate expiration. This represents more than $4.3 million PV to the composite organization over three years.
More than 6,600 hours avoided on certificate deployment. The composite fully automates (and increases the accuracy of) deployment for many certificates with Keyfactor, requiring just an approval for renewed certificates and less time overall for newly provisioned certificates. This represents nearly $1.7 million PV to the composite organization over three years.
A 95% reduction in certificate-related incidents. With Keyfactor’s certificate automation and enabled process improvements, certificates across the organization are less likely to expire. This reduces the likelihood of consequential internal or external incidents or outages that may affect internal productivity or external customers, representing more than $3.6 million PV to the composite organization over three years.
A 65% to 95% decrease in PKI infrastructure costs. By adopting Keyfactor, the composite organization reduces its physical and virtual PKI infrastructure related to certificates, including certificate authority (CA) servers, network hardware security modules (HSMs), database servers, related network infrastructure, and licensing and software assurance costs. This saves the composite organization more than $1.4 million PV annually over three years.
An improvement to security posture. Keyfactor provides the composite with complete visibility into its certificate landscape. Previously unknown or rogue certificates are accounted for and “shadow IT” related to certificates disappears. This improves its security posture, resulting in fewer attack vectors and reducing the likelihood of data breaches.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
Reduced public certificate fees and related labor costs. Through better visibility into the certificate environment, the composite identifies public SSL/TLS certificates in use where it requires only private trust. The composite saves certificate fees by issuing private certificates and reduces related labor costs for managing publicly trusted certificates.
Improved PKI availability and performance. By shifting away from on-premises PKI infrastructure to Keyfactor, the composite organization faces infrastructure-related challenges less often and benefits from higher availability, better performance, and the ability to issue certificates at scale.
Increased post-quantum readiness. Keyfactor’s expertise and capabilities in post-quantum cryptography futureproof the composite organization’s transition to new quantum-resilient algorithms.
Improved productivity for other staff. The composite organization’s IT staff, auditors, and developers achieve productivity improvements directly or indirectly related to the Keyfactor implementation.
Improved visibility into the certificate estate. With centralized management on Keyfactor, single pane of glass visibility is available to the composite organization for the first time. The resulting benefits (including full discoverability, blind spot elimination, process improvement potential, and certificate insights) support its compliance and audit initiatives.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
Keyfactor fees of $1.4 million. The composite organization pays one-time service fees and annual licensing fees for its SaaS Keyfactor implementation.
Internal Keyfactor-related labor costs of $1.4 million. The composite organization dedicates internal resources to support the Keyfactor implementation and ongoing automation work.
The financial analysis that is based on the interviews found that a composite organization experiences benefits of $12.7 million over three years versus costs of $2.8 million, adding up to a net present value (NPV) of $9.9 million and an ROI of 356%.
“The huge cost advantage is we’re not sitting on what was effectively 80 to 100 servers and firewalls that needed patching. Even the hours managing the actual systems. I don’t need systems admins anymore.”
Expert, cybersecurity, telecommunications
“With Keyfactor, we’ve only had one minor [outage] incident in five years.”
Project manager, information security, retail
“Automation and scalability. Those are the two biggest things Keyfactor brings to our organization.”
Principal security engineer, software
“The greatest testament to the value we’ve gotten from Keyfactor is the ability to scale certificate usage tenfold with the same number of resources today as we had five years ago.”
Project manager, information security, retail
Key Statistics
Return on investment (ROI): 356%
Benefits PV: $12.7M
Net present value (NPV): $9.9M
Payback: <6 months
Benefits (Three-Year)
[Chart of three-year benefits by category: labor savings on new certificate provisioning; labor savings on certificate renewals; labor savings on certificate deployment; reduction in unplanned certificate-related incidents; avoided infrastructure and maintenance costs; improved organizational security posture from improved certificate environment visibility]
The Keyfactor Customer Journey
Drivers leading to the Keyfactor investment
| Role | Industry | Revenue |
| --- | --- | --- |
| SVP, director of security and network infrastructure | Banking | ~$13B+ |
| Cybersecurity product director | Banking | ~$65B+ |
| Project manager, information security | Retail | ~$250B+ |
| Principal security engineer | Software | ~$10B+ |
| Expert, cybersecurity | Telecommunications | ~$120B+ |
Key Challenges
Interviewees noted how their organizations struggled with common challenges, including:
A lack of standardization and visibility into the certificate management landscape. Interviewees who managed certificates noted that disparate tooling across their organizations’ teams obscured visibility into the full certificate landscape. This lack of visibility often contributed to excessive use of public certificates (where private certificates would suffice), frequent certificate outages (ranging from minor to severe), and ultimately a higher level of risk.
Expensive, labor-intensive PKI infrastructure and solutions that could not scale with organizational needs. Interviewees’ organizations required an increasing number of certificates, pushing current PKI infrastructure to its limits. Many interviewees noted that their legacy PKI environment would not scale with current demand without extreme cost increases.
The interviewee at the software organization explained that several different tools related to certificates were deployed across multiple teams, resulting in costly scaling if they were to stay the course. The interviewee concluded: “We really needed a solution that would help us consolidate but also be scalable by nature. That’s why we chose Keyfactor.”
Through many years of using independently managed, private certificates, the telecommunications organization had built up a significant infrastructure footprint (consisting of more than 70 CA servers) that was increasingly costly and difficult to manage.
Manual personnel effort throughout the certificate management lifecycle. A lack of standardized tooling across the organizations’ teams that provisioned and managed certificates contributed to process inefficiencies. Furthermore, these processes were often more likely to fail, leading to expired certificates and the related disruptions. Many interviewees also noted that the burden to manage certificates (especially public certificates) would continue to increase as lifespans continued to decrease (e.g., public TLS certificates to 47 days by 2029). The cybersecurity product director at the banking organization explained that historically, certificate provisioning, renewal, and deployment were handled at the application team level, resulting in a fragmented certificate landscape across many teams and nearly 100 individuals.
The prevalence of shadow IT with certificates and the associated security risks. Some teams maintained their own tools and processes, further obscuring certificate landscape visibility and contributing to increased security risk. The interviewee at the retail organization noted that individual teams often only had visibility into certificates for their own team, making visibility and compliance efforts at the organizational level essentially impossible.
Solution Requirements
The interviewees searched for a solution that could:
Support a multicloud, hybrid PKI approach.
Automate manually managed certificates (especially those requiring near-term renewal).
Allow for cost and labor reductions related to legacy CA infrastructure.
Provide visibility into all certificates at the organizational level.
“[With Keyfactor], we’re much more proactive on certificates. We focus broader, have greater visibility, better compliance, and better automation. We had many engineers that were exclusively managing the [certificate] lifecycle and not doing anything else. Now those engineers are focusing on security, on compliance, and working with our business partners on truly automating the certificate lifecycle.”
SVP, director of security and network infrastructure, banking
“We don’t get any business value having our engineers focus on the manual deployment and management of certificates across our environment.”
SVP, director of security and network infrastructure, banking
Composite Organization
Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:
Description of composite. The composite organization is a global, $20 billion, industry-agnostic organization with 40,000 employees. Its infrastructure team manages PKI, while identity and access management personnel handle the certificate management lifecycle. The organization has approximately 400,000 certificates (public and private) distributed across many teams. It struggles with inconsistent solutions and processes for certificates, leading to manual provisioning, renewals, and deployment. It lacks standardized tooling across its teams, which limits visibility into the full certificate landscape, makes tracking and managing certificates impossible, and presents significant risk. The organization’s legacy PKI infrastructure includes a mix of hardware and virtual infrastructure that requires ongoing personnel effort to maintain and manage.
Deployment characteristics. The composite organization deploys Keyfactor EJBCA (a SaaS-based PKI solution) to start retiring legacy infrastructure and Keyfactor Command to inventory, monitor, and manage certificates moving forward. After deploying the Keyfactor solution, the composite prioritizes the transition of manually managed certificates that require near-term renewals. New certificates are provisioned, deployed, and ultimately renewed by Keyfactor. The composite organization continues to scale its certificate usage annually.
KEY ASSUMPTIONS
$20 billion revenue
40,000 employees
Legacy PKI infrastructure includes hardware, virtual CA servers, and HSMs
400,000 certificate estate (growing annually) includes private and public certificates
Analysis Of Benefits
Quantified benefit data as applied to the composite
Total Benefits
| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
| --- | --- | --- | --- | --- | --- | --- |
| Atr | Labor savings on new certificate provisioning | $448,800 | $605,880 | $799,762 | $1,854,442 | $1,509,600 |
| Btr | Labor savings on certificate renewals | $1,606,500 | $1,735,020 | $1,908,522 | $5,250,042 | $4,328,256 |
| Ctr | Labor savings on certificate deployment | $396,300 | $665,712 | $1,046,034 | $2,108,046 | $1,696,349 |
| Dtr | Reduction in unplanned certificate-related incidents | $1,280,000 | $1,440,000 | $1,680,000 | $4,400,000 | $3,615,928 |
| Etr | Avoided infrastructure and maintenance costs | $479,180 | $589,760 | $700,340 | $1,769,280 | $1,449,199 |
| Ftr | Improved organizational security posture from improved certificate environment visibility | $41,156 | $41,156 | $41,156 | $123,468 | $102,349 |
| | Total benefits (risk-adjusted) | $4,251,936 | $5,077,528 | $6,175,814 | $15,505,277 | $12,701,681 |
Labor Savings On New Certificate Provisioning
Evidence and data. Across the interviewees’ organizations, manual certificate provisioning across different teams required a significant amount of time. Provisioning tasks included certificate signing request generation, CA interaction, approval, and certificate retrieval. Keyfactor streamlined many of these processes, reducing manual labor and providing a common solution for certificate provisioning across the organizations’ disparate teams.
Despite a tenfold increase in certificate provisioning after adopting Keyfactor, the interviewee at the retailer noted that fewer than five internal resources now focus on work related to certificates, which is fewer than before Keyfactor, as most of their organization’s required certificates can be provisioned on a self-service basis by the teams that need them.
“My best people were essentially functioning as systems admins,” explained the interviewee at the telecommunications organization, as manual provisioning and renewals represented an inordinate percentage of their working hours. These personnel now focus on automating certificates on Keyfactor rather than managing them. “The future is bright, as we’re looking to have a significant percentage of our certificates fully automated on Keyfactor in 2026,” concluded the interviewee. “Every [phase] is hundreds of certificates we don’t need to manage anymore.”
The SVP and director of security and network infrastructure at the bank explained that before working with Keyfactor, certificate management did not add value to the business. Keyfactor enabled personnel who manually managed certificates to focus on strategic integration work with the bank’s business applications.
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
The composite organization has 400,000 certificates (both private and public).
The number of certificates the composite requires increases annually, by 8% in Year 1, 10% in Year 2, and 12% in Year 3.
Before Keyfactor, the composite manually provisioned 15% of its required certificates due to solution or process limitations.
Manual certificate provisioning took 90 minutes on average before Keyfactor. With Keyfactor, the composite reduces provisioning to 2 minutes on average.
The average fully burdened hourly rate for personnel who manually manage certificates is $75.
Risks. This benefit will vary among organizations based on:
The number of new certificates an organization must provision annually.
The extent to which an organization must manually provision new certificates.
The specifics of these manual processes related to the potential for savings with Keyfactor automation.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.5 million.
“Even though our certificate usage has increased over 10 times since adopting Keyfactor, our team has remained pretty steady. We’re actually leaner than when we started.”
Project manager, information security, retail
“We’re saving an exponential amount of hours provisioning private certificate services with Keyfactor. Right now, we’re managing twice the certificates with half of the resources.”
Expert, cybersecurity, telecommunications
Labor Savings On New Certificate Provisioning
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| A1 | Total certificates in organization | Composite baseline, A1+A3 for Year 1 and Year 2 | 400,000 | 432,000 | 475,200 |
| A2 | Certificates required to be provisioned annually (as percentage of total estate growth) | Composite | 8% | 10% | 12% |
| A3 | Certificates provisioned annually on Keyfactor | A1*A2 | 32,000 | 43,200 | 57,024 |
| A4 | Percentage of certificates provisioned manually | Interviews | 15% | 15% | 15% |
| A5 | Certificates provisioned manually | A3*A4 | 4,800 | 6,480 | 8,554 |
| A6 | Time required to provision manually (average, minutes) | Interviews | 90 | 90 | 90 |
| A7 | Time to provision with Keyfactor (average, minutes) | Interviews | 2 | 2 | 2 |
| A8 | Time savings on manual provisioning with Keyfactor (hours) | A5*(A6-A7)/60 minutes | 7,040 | 9,504 | 12,545 |
| A9 | Average fully burdened hourly rate for staff provisioning certificates | Composite | $75 | $75 | $75 |
| At | Labor savings on new certificate provisioning | A4*A5 | $528,000 | $712,800 | $940,896 |
| | Risk adjustment | ↓15% | | | |
| Atr | Labor savings on new certificate provisioning (risk-adjusted) | | $448,800 | $605,880 | $799,762 |

Three-year total: $1,854,442
Three-year present value: $1,509,600
Labor Savings On Certificate Renewals
Evidence and data. Interviewees explained that Keyfactor automated certificate renewals across their environments, reducing the number of hours spent on manual renewals across several teams and reducing the likelihood of outages.
The interviewee at the software organization stated that Keyfactor enabled them to consolidate PKI and certificate management from multiple teams to one team while supporting the business (e.g., through certification deployment and especially renewals) at the speed it required. The interviewee also noted: “Keyfactor has definitely allowed us to streamline certificate processes for internal customers. We have a defined pipeline, so those who need it can connect to EJBCA to get their certificates. It also helps us ensure policy adherence around certificate type requirements for specific customers and the validity of certificates. We’ve been able to manage all of this much more consistently and with fewer resources now.”
A “self-service” feature for certificates across the retail organization enabled by Keyfactor allowed teams to automate their own certificates, including one-click renewals that were previously (and inconsistently) managed manually across these teams.
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
The composite organization has 400,000 certificates (both private and public).
Most certificates require renewal at least once a year, some more frequently. As such, the composite must renew 105% of the certificates across its estate annually.
The composite must manually renew 15% of the certificates that require it before Keyfactor.
It took 25 minutes to renew a certificate on average before Keyfactor. This decreases to 1 minute on average using Keyfactor’s one-click and automated renewal features.
The average fully burdened hourly rate for personnel manually managing certificates is $75.
Risks. This benefit will vary among organizations based on:
The number of new certificates that require annual renewal by an organization.
The specifics for manual renewal processes related to the potential for efficiency gains with Keyfactor.
The extent to which new and existing certificate renewals are already automated.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $4.3 million.
“Keyfactor allows for the automation of certificate renewal at the speed our business and internal customers need it.”
Principal security engineer, software
Labor Savings On Certificate Renewals
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| B1 | Certificates in environment | A1 | 400,000 | 432,000 | 475,200 |
| B2 | Certificates requiring renewal | Composite (average slightly over 1 time per year, including deprecation) | 105% | 105% | 105% |
| B3 | Certificate renewals | B1*B2 | 420,000 | 453,600 | 498,960 |
| B4 | Percentage of certificates requiring manual renewal | Interviews | 15% | 15% | 15% |
| B5 | Certificates renewed manually | B3*B4 | 63,000 | 68,040 | 74,844 |
| B6 | Average time to renew manually (minutes) | Composite | 25 | 25 | 25 |
| B7 | Average time to renew (automated) with Keyfactor (minutes) | Interviews | 1 | 1 | 1 |
| B8 | Time savings on manual certificate renewal with Keyfactor (hours) | B5*(B6-B7)/60 minutes | 25,200 | 27,216 | 29,938 |
| B9 | Average fully burdened hourly rate for staff renewing certificates | Composite | $75 | $75 | $75 |
| Bt | Labor savings on certificate renewals | B8*B9 | $1,890,000 | $2,041,200 | $2,245,320 |
| | Risk adjustment | ↓15% | | | |
| Btr | Labor savings on certificate renewals (risk-adjusted) | | $1,606,500 | $1,735,020 | $1,908,522 |

Three-year total: $5,250,042
Three-year present value: $4,328,256
Labor Savings On Certificate Deployment
Evidence and data. Interviewees explained that before Keyfactor, certificates still required manual deployment (e.g., installation, binding, testing) after provisioning or renewal, which added labor. With Keyfactor, interviewees’ organizations could fully automate deployment, requiring just an approval (i.e., zero-touch) for renewed certificates and significantly reducing time for newly provisioned certificates.
The interviewee at the bank noted that certificate deployment was historically the most manual, labor-intensive process across their organization, often requiring staff to work weekends to avoid bottlenecks to business agility. After deploying Keyfactor, automated certificate management (including deployment) reduced the time required to deploy certificates. The interviewee concluded, “Keyfactor has brought hope to many application teams since they no longer have to manage certificates [manually] as they had been doing for so long before.”
Automating certificate deployment on Keyfactor allowed the software organization to consolidate its deployment effort that many individuals previously managed onto one platform, a benefit highlighted by several interviewees. The interviewee at the software organization summarized: “We were managing certificates across multiple systems across multiple teams. Consolidation to one platform definitely has reduced the amount of manual work.”
The interviewee at the retail organization said that navigating certificate deployment complexities was challenging amid growth. They explained that automated deployment on Keyfactor (in addition to provisioning and renewal) freed up the personnel who were historically responsible for these tasks, allowing them to work on more personally satisfying work that affected business results. The interviewee concluded: “Now [internal certificate engineers] don’t spend their entire day on rudimentary operational stuff. They’re able to take on more challenging, growth-related jobs that drive more job satisfaction.”
Certificate deployment and installation at the telecommunications organization was not only time consuming for internal staff but it was also sometimes inaccurate when managed manually. The interviewee explained: “Even when people manually renewed their certificates, they wouldn’t get them installed correctly. They would miss a spot or [dependency] and we’d get an outage. Keyfactor will more and more become a tool for the end-to-end automation of certificates where we can take some human intervention out.”
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
With Keyfactor, the composite can fully automate 15% to 25% of its newly provisioned and newly renewed certificates via automated deployment in Years 1 to 3, respectively.
Historically, newly provisioned certificates required 70 minutes on average to deploy manually. Automated deployment on Keyfactor reduces this process to 15 minutes on average.
Historically, newly renewed certificates required 15 minutes on average to redeploy manually. Keyfactor reduces this process to 1 minute on average using zero-touch or one-click approval.
The average fully burdened hourly rate for personnel manually managing certificates is $75.
Risks. This benefit will vary among organizations based on:
An organization’s specific certificate deployment requirements related to the number of certificates/frequency of deployment across its estate.
An organization’s previous manual deployment processes related to the potential for efficiency gains with Keyfactor.
The extent to which new and existing certificate deployment is already automated.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.7 million.
Avoided manual certificate deployment/installation work: >6,600 hours
Labor Savings On Certificate Deployment
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| C1 | Newly provisioned certificates that require deployment | A3 | 32,000 | 43,200 | 57,024 |
| C2 | Percentage of certificates that can be deployed automatically using Keyfactor | Composite | 15% | 20% | 25% |
| C3 | Average time to deploy a newly provisioned certificate manually (minutes) | Interviews | 70 | 70 | 70 |
| C4 | Average time to deploy a newly provisioned certificate on Keyfactor (minutes) | Interviews | 15 | 15 | 15 |
| C5 | Time saved on new certificate deployment (hours) | C1*C2*(C3-C4)/60 minutes | 4,400 | 7,920 | 13,068 |
| C6 | Average fully burdened hourly rate for staff deploying certificates | Composite | $75 | $75 | $75 |
| C7 | Subtotal: Labor savings on new certificate deployment | C5*C6 | $330,000 | $594,000 | $980,100 |
| C8 | Newly renewed certificates that require deployment | B5 | 63,000 | 68,040 | 74,844 |
| C9 | Average time to redeploy a renewed certificate manually (minutes) | Interviews | 15 | 15 | 15 |
| C10 | Average time to redeploy a renewed certificate on Keyfactor (minutes) | Interviews | 1 | 1 | 1 |
| C11 | Time saved on renewed certificate redeployment (hours) | C2*C8*(C9-C10)/60 | 2,205 | 3,175 | 4,366 |
| C12 | Subtotal: Labor savings on renewed certificate redeployment | C6*C11 | $165,375 | $238,140 | $327,443 |
| Ct | Labor savings on certificate deployment | C7+C12 | $495,375 | $832,140 | $1,307,543 |
| | Risk adjustment | ↓20% | | | |
| Ctr | Labor savings on certificate deployment (risk-adjusted) | | $396,300 | $665,712 | $1,046,034 |

Three-year total: $2,108,046
Three-year present value: $1,696,349
Reduction Of Unplanned Certificate-Related Incidents
Evidence and data. Interviewees explained that certificates across their organizations were less likely to expire due to their use of Keyfactor products and related process improvements. This reduced the likelihood of consequential internal or external incidents or outages that could affect internal productivity or external customers alike. Interviewees spoke about what these improvements meant for their organizations.
The interviewee at the retailer explained that expired certificates were common before using Keyfactor. These certificate outages ranged in impact from minor internal disruptions to significant customer-facing outages. After implementing Keyfactor, their organization faced just one such outage in several years. This resulted in “significant savings,” according to the interviewee.
Interviewees said that gaining visibility into their organization’s entire certificate estate was a main driver in reducing certificate-related incidents. At the telecommunications organization, the interviewee noted that Keyfactor allowed them to put processes around certificate renewals that greatly increased visibility into which certificates were set to expire. The interviewee explained the impact of some of these incidents: “While most of the incidents were often not a big deal, we also have had outages where people would go into [retail stores] and couldn’t order a new [product] because of a certificate outage. Then that starts costing us hundreds of thousands per hour or more.”
Interviewees also noted that incorrect certificate deployment was a factor in certificate-related incidents; automating certificate deployment and installation using Keyfactor further reduced the likelihood of such incidents.
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
Between 18 and 22 internal and customer-facing certificate-related incidents (e.g., expiration, outages, downtime) occur annually. These incidents increase year-over-year as the certificate estate becomes more complex.
The frequency of these incidents decreases by 85% to 95% (in Years 1 to 3, respectively) with the Keyfactor solution and the related certificate management process improvements it enables.
Based on the interviews, the average cost of a certificate-related incident is $100,000, which includes lost employee productivity, customer disruption, and lost revenue.
Risks. This benefit will vary among organizations based on:
An organization’s previous processes for certificate management related to the number of pre-Keyfactor certificate-related incidents (and therefore the potential for improvement with Keyfactor).
An organization’s business and industry related to the cost of a certificate-related incident.
The skill and capacity of an organization’s personnel working on Keyfactor/certificate lifecycle management processes.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3.6 million.
95%
Reduction in certificate-related incidents (Year 3)
“In the past year, five years, we’ve only had one [expired certificate] with minimal downtime. It only took one person on our end about an hour to understand what had happened and renew the certificate. So the bottom line is that before Keyfactor, there were several outages a year that would require a lot of troubleshooting and manual work to investigate and renew the certificates.”
Project manager, information security, retail
“[Before Keyfactor], we would have outages because certificates were frequently installed incorrectly.”
Expert, cybersecurity, telecommunications
“The return on cost for Keyfactor is incredibly high. Probably in the millions of dollars a year by reducing [certificate] outages.”
Expert, cybersecurity, telecommunications
Reduction In Unplanned Certificate-Related Incidents
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| D1 | Certificate-related incidents in previous legacy environment | Composite | 18 | 20 | 22 |
| D2 | Reduction in certificate-related incidents in Keyfactor environment | Interviews | 85% | 90% | 95% |
| D3 | Avoided certificate-related incidents in Keyfactor environment (rounded) | D1*D2 | 16 | 18 | 21 |
| D4 | Average cost per certificate-related incident | Interviews | $100,000 | $100,000 | $100,000 |
| Dt | Reduction in unplanned certificate-related incidents | D3*D4 | $1,600,000 | $1,800,000 | $2,100,000 |
| | Risk adjustment | ↓20% | | | |
| Dtr | Reduction in unplanned certificate-related incidents (risk-adjusted) | | $1,280,000 | $1,440,000 | $1,680,000 |
Three-year total: $4,400,000
Three-year present value: $3,615,928
Avoided Infrastructure And Maintenance Costs
Evidence and data. By adopting Keyfactor, several interviewees described their organizations’ ability to reduce physical and virtual PKI infrastructure related to certificates, including (but not limited to) CA servers, HSMs, database servers, related network infrastructure, and licensing and software assurance costs.
By adopting Keyfactor for their private PKI, the interviewee at the telecommunications organization spoke to dramatic cost savings resulting from retired infrastructure and management. They retired nearly all of their 80 to 100 servers and firewalls that required ongoing management and maintenance.
Despite a 10-times growth in certificates at the retail organization, working with Keyfactor on a hybrid on-premises/SaaS PKI solution allowed it to retire infrastructure previously associated with certificates, eliminate personnel management and maintenance, and reduce travel to and from on-premises data centers.
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
The average annual cost related to PKI infrastructure (including hardware, virtualization, software licenses, and assurance) is $300,000.
Two PKI engineer FTEs are responsible for infrastructure management-related activities.
One-and-a-half IT FTEs are responsible for PKI infrastructure maintenance.
The average fully burdened annual salary for PKI engineers is $187,000.
The average fully burdened annual salary for IT resources is $165,000.
Risks. This benefit will vary among organizations based on:
An organization’s certificate estate related to the PKI infrastructure required to support it.
The specific breakdown of an organization’s PKI infrastructure (e.g., on-premises, virtualized, owned, leased).
The skill and capacity of an organization’s personnel resources who support this infrastructure.
Results. To account for these risks, Forrester adjusted this benefit downward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.4 million.
95%
Reduction in PKI infrastructure costs with Keyfactor solution (Year 3)
“With Keyfactor, we just need a small fraction of the infrastructure that we needed before.”
Project manager, information security, retail
Avoided Infrastructure And Maintenance Costs
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| E1 | Annual cost of PKI infrastructure | Composite | $300,000 | $300,000 | $300,000 |
| E2 | PKI engineer FTEs dedicated to infrastructure management | Composite | 2 | 2 | 2 |
| E3 | IT FTEs dedicated to infrastructure maintenance | Composite | 1.5 | 1.5 | 1.5 |
| E4 | Average fully burdened annual salary for PKI engineers | Composite | $187,000 | $187,000 | $187,000 |
| E5 | Average fully burdened annual salary for IT resources | Composite | $165,000 | $165,000 | $165,000 |
| E6 | Annual percentage of infrastructure/maintenance retirement with Keyfactor | Interviews | 65% | 80% | 95% |
| Et | Avoided infrastructure and maintenance costs | (E1+(E2*E4)+(E3*E5))*E6 | $598,975 | $737,200 | $875,425 |
| | Risk adjustment | ↓20% | | | |
| Etr | Avoided infrastructure and maintenance costs (risk-adjusted) | | $479,180 | $589,760 | $700,340 |
Three-year total: $1,769,280
Three-year present value: $1,449,199
Improved Organizational Security Posture From Improved Certificate Environment Visibility
Evidence and data. Keyfactor provided complete visibility into the certificate landscape for the interviewees’ organizations. Previously unknown or rogue certificates were accounted for and shadow IT related to certificates disappeared. This improved the organizations’ security postures, resulting in fewer attack vectors and reducing the likelihood of costly data breaches.
Interviewees cited newfound visibility into their organizations’ certificate estates as the biggest driver of security posture, as it provided potential insights into unknown vulnerabilities.
They also noted that full visibility into certificate estates greatly supported compliance or audit efforts, especially in highly regulated industries such as banking.
The SVP at the bank noted that visibility into their certificate lifecycles with Keyfactor would ultimately help them prioritize their efforts. They explained: “Automating and having visibility into a [certificate] lifecycle is central to security posture. It’s about understanding not only where we have certificates, but what the algorithms that we’re using are and being able to see what that brings from a risk perspective. For example, our web banking servers, those are externally facing, so those are the ones we must materially address first. As we look at the journey to post-quantum readiness, it really decreases the operational risk to have assurance that we know where and how certificates exist.”
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
The cumulative cost of security incidents for the composite organization is $5.1 million, based on Forrester’s 2025 Security Survey.2
The likelihood of the composite organization experiencing one or more security incidents annually is 68%.3
Keyfactor may address 5% of the composite organization’s security incident vectors, resulting in an average annualized risk exposure addressable with Keyfactor of $96,837.
Keyfactor and the related process improvements reduce the organization’s average annual risk exposure via these vectors by 50% annually, based on reduction of shadow IT and key certificate expirations.
Risks. This benefit will vary among organizations based on:
An organization’s baseline security posture.
Results. To account for these risks, Forrester adjusted this benefit downward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $126K.
“Keyfactor supports meeting our compliance requirements and, overall, gaining the confidence in our visibility to potentially prevent some vulnerabilities.”
Principal security engineer, software
Improved Organizational Security Posture From Improved Certificate Environment Visibility
| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|
| F1 | Cumulative cost of security incidents | Forrester research | $5,086,000 | $5,086,000 | $5,086,000 |
| F2 | Likelihood of experiencing one or more security incidents | Forrester research | 68% | 68% | 68% |
| F3 | Percentage of incidents originating from external attacks, internal incidents | Forrester research | 56% | 56% | 56% |
| F4 | Percentage of incidents related to certificate vulnerabilities addressable with Keyfactor | Interviews | 5% | 5% | 5% |
| F5 | Annual risk exposure addressable with Keyfactor | F1*F2*F3*F4 | $96,837 | $96,837 | $96,837 |
| F6 | Reduced risk exposure to security incident costs from addressable vulnerabilities with Keyfactor | Interviews | 50% | 50% | 50% |
| Ft | Improved organizational security posture from improved certificate environment visibility | F5*F6 | $48,419 | $48,419 | $48,419 |
| | Risk adjustment | ↓15% | | | |
| Ftr | Improved organizational security posture from improved certificate environment visibility (risk-adjusted) | | $41,156 | $41,156 | $41,156 |
Three-year total: $123,468
Three-year present value: $102,349
Unquantified Benefits
Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:
Savings on public certificate labor and CA costs. With more visibility into their organizations’ certificate environments with Keyfactor, interviewees explained that they could privately issue certificates that they publicly issued before, saving on both CA costs and the manual labor required to manage the process. The interviewee at the telecommunications organization noted that they previously used expensive public certificates instead of private certificates because they were fully managed and would not require manual effort. With Keyfactor, replacing these public certificates with trusted, fully automated private certificates is an ongoing effort. The interviewee summarized: “We had a lot of interfaces that use public certificates that could utilize our trusted routes that we have [internally], and then we can issue them at a much cheaper cost. We also can expand the lifecycle of those certificates because they’re privately trusted.”
Improved PKI availability and performance. Interviewees explained that moving to Keyfactor from owned/managed PKI infrastructures reduced infrastructure-related challenges and resulted in benefits from higher availability, performance, and the ability to support the business.
Increased post-quantum readiness. Interviewees stressed that adopting Keyfactor aligned with post-quantum cryptography initiatives at their organizations, futureproofing the transition to new, quantum-ready Federal Information Processing Standards. The cybersecurity product director at the bank noted that using Keyfactor will allow them to demonstrate post-quantum readiness to industry regulators and result in significant audit preparation time savings. The interviewee at the retailer summarized, “We see Keyfactor as a partner we can lean on while navigating all of the post-quantum challenges ahead.”
Improved productivity for other staff. Interviewees noted productivity improvements for staff beyond those managing the certificate lifecycle and related PKI infrastructure. Several interviewees explained that the certificate estate visibility delivered by Keyfactor significantly decreased the work required by auditors to prepare for compliance reviews, notably at the telecommunications organization, where auditors are now an estimated 30% more efficient.
Improved visibility into the certificate estate. Prior to Keyfactor, interviewees’ certificate estates (and the related management) were often fragmented across several teams. With centralized management on Keyfactor, single pane of glass visibility delivered full discoverability, eliminated blind spots, created the potential for process improvements, and provided insight across all certificates, which significantly supported compliance and audit initiatives. The cybersecurity product director at the banking organization explained that Keyfactor is now seen as “the encyclopedia for certificates,” allowing for a single search that can check any certificate across the organization, including who owns it, who deployed it, and when it expires.
“The Keyfactor team is always partnering with us to ensure that we’re getting what we need. They have been in regular sync with the engineering team to ensure that they can support our business in the shortest possible timeframes.”
Principal security engineer, software
“If I can take 30% of what we purchase in public today and move them to private certificates, we could save a ton of money.”
Expert, cybersecurity, telecommunications
“One of the things that we have now with Keyfactor is a centralized dashboard where we can actually see all of the certificates being used and what state they are in. Internationally, each country was managing their certificates on their own. Now they’ve all joined the Keyfactor system that we’ve implemented for them.”
Project manager, information security, retail
Flexibility
The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Keyfactor and later realize additional uses and business opportunities, including:
Preparedness for 47-day TLS certificates and other renewal frequency changes. Keyfactor allows organizations to renew certificates with a one-click approval or zero-touch provisioning, reducing the time required to manually renew and install (as quantified in Benefit B). As renewal frequency requirements for certificates continue to increase (notably a 47-day renewal cycle for public TLS certificates), interviewees expressed optimism in knowing that their Keyfactor certificate landscape would support these evolving requirements and continue to deliver productivity value.
Ability to support business initiatives through faster certificate growth. Several interviewees explained that Keyfactor accelerated their certificate management from provisioning to deployment, increasing the speed with which they deploy certificates to support new business initiatives. The interviewee at the software organization also explained that reducing the manual work required by consolidating on Keyfactor also reduced dependencies across their organization, resulting in faster certificate deployment and ultimately faster progress for the business. At the telecommunications organization, provisioning and deploying a new certificate could take weeks prior to Keyfactor.
Ability to deploy in new regions and configurations. Keyfactor supports on-premises, fully SaaS, and hybrid deployments, giving organizations the flexibility to deploy to their specific needs and requirements across new and existing regions.
Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).
“Keyfactor is one of the key contributors for post-quantum algorithm support. They are also watching how the industry is trending with the short-term certificate durations and building systems to support crypto agility in this ecosystem. Keyfactor’s constant involvement in the industry means I’m confident that by 2029, when the industry converges on both of these, we will be riding the wave where the industry is heading and not lagging behind.”
Principal security engineer, software
“We know that shortening certificate renewal timeframes is a trend in the industry and we need to comply with them. All of the automation enabled by Keyfactor will help us with the visibility and automation we need to meet these industry changes.”
Project manager, information security, retail
“Keyfactor has the best experts in the certificate world that I’ve ever worked with. When we need to come up with solutions, they bring in the right people. When I need to talk to the top people on their products, whether it’s Command or EJBCA, they bring them in without hesitation. That’s invaluable when you’re looking for direction.”
Expert, cybersecurity, telecommunications
Analysis Of Costs
Quantified cost data as applied to the composite
Total Costs
| Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|---|
| Gtr | Keyfactor fees | $58,845 | $533,500 | $533,500 | $533,500 | $1,659,345 | $1,385,581 |
| Htr | Internal personnel costs | $233,977 | $468,000 | $468,000 | $468,000 | $1,637,977 | $1,397,823 |
| | Total costs (risk-adjusted) | $292,822 | $1,001,500 | $1,001,500 | $1,001,500 | $3,297,322 | $2,783,404 |
Keyfactor Fees
Interviewees explained that their annual investment with Keyfactor depended on factors such as deployment options (e.g., on-premises, SaaS, hybrid), the number of certificates in the estate, and the precise breakdown of SKUs and services contracted with Keyfactor.
Pricing for the composite organization was estimated by Keyfactor based on a SaaS deployment and 400,000 baseline certificates in the estate.
Pricing will vary. Contact Keyfactor for pricing specific to your organization.
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
The composite organization pays $485,000 annually for a SaaS-based Keyfactor PKI and certificate automation deployment for up to 1 million active certificates.
There are one-time initial professional service fees of $53,496 upon initial implementation.
Risks. These costs will vary among organizations based on:
The specific breakdown of an organization’s Keyfactor products based on deployment type and professional services bundle(s).
The number of active certificates in an organization’s certificate estate.
Results. To account for these variances, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.4 million.
“We got constant support from Keyfactor to ensure that whatever design or architecture we put together would scale. When new use cases came up, we needed to ensure that there was zero downtime and impact to the business.”
Principal security engineer, software
Keyfactor Fees
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| G1 | Initial professional services and configuration fees | Keyfactor list pricing | $53,495.50 | | | |
| G2 | Annual recurring Keyfactor fees | Keyfactor list pricing | | $485,000 | $485,000 | $485,000 |
| Gt | Keyfactor fees | G1+G2 | $53,496 | $485,000 | $485,000 | $485,000 |
| | Risk adjustment | ↑10% | | | | |
| Gtr | Keyfactor fees (risk-adjusted) | | $58,845 | $533,500 | $533,500 | $533,500 |
Three-year total: $1,659,345
Three-year present value: $1,385,581
Internal Personnel Costs
Interviewees described the internal resources required to support their Keyfactor solution(s) at deployment and on an ongoing basis. On average, interviewees noted that they completed Keyfactor implementation in phases over a few months, depending on the deployment option, which required internal resources along with Keyfactor-provided resources. Once implemented, they required internal resources to manage Keyfactor-related tasks such as continued certificate automation, interfacing with Keyfactor resources, expanding Keyfactor to additional teams and/or certificates, retiring infrastructure, and managing certificate visibility.
Modeling and assumptions. For the composite organization, Forrester makes the following assumptions:
Five internal resources at the composite organization spend approximately 75% of their working hours on Keyfactor implementation-related activities over the course of the four-month implementation period.
Once deployed, the composite dedicates 2.5 FTE resources to ongoing Keyfactor-related activities.
The average fully burdened annual salary for internal personnel managing Keyfactor-related activities is $156,000.
Risks. This cost will vary among organizations based on:
An organization’s certificate estate related to the scope and complexity of a Keyfactor deployment and the required personnel to support it.
The skill and capacity of an organization’s staff supporting Keyfactor.
Results. To account for these variances, Forrester adjusted this cost upward by 20%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1.4 million.
Internal Personnel Costs
| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| H1 | Internal personnel involved with Keyfactor initial deployment | Composite | 5 | | | |
| H2 | Implementation duration (months) | Interviews | 4 | | | |
| H3 | Percentage of working time dedicated to initial deployment activities | Interviews | 75% | | | |
| H4 | Average fully burdened annual salary for personnel managing Keyfactor-related activities | Composite | $156,000 | $156,000 | $156,000 | $156,000 |
| H5 | Subtotal: Internal implementation costs | H1*H2*H3*H4 | $194,981 | | | |
| H6 | FTEs dedicated to Keyfactor ongoing management activities | Composite | | 2.5 | 2.5 | 2.5 |
| H7 | Subtotal: Internal ongoing management costs | H4*H6 | | $390,000 | $390,000 | $390,000 |
| Ht | Internal personnel costs | H5+H8 | $194,981 | $390,000 | $390,000 | $390,000 |
| | Risk adjustment | ↑20% | | | | |
| Htr | Internal personnel costs (risk-adjusted) | | $233,977 | $468,000 | $468,000 | $468,000 |
Three-year total: $1,637,977
Three-year present value: $1,397,823
Financial Summary
Consolidated Three-Year, Risk-Adjusted Metrics
[Figure: Cash Flow Chart (Risk-Adjusted). Series: total costs, total benefits, cumulative net benefits. Periods: Initial, Year 1, Year 2, Year 3.]
Cash Flow Analysis (Risk-Adjusted)
| | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Total costs | ($292,822) | ($1,001,500) | ($1,001,500) | ($1,001,500) | ($3,297,322) | ($2,783,404) |
| Total benefits | $0 | $4,251,936 | $5,077,528 | $6,175,814 | $15,505,277 | $12,701,681 |
| Net benefits | ($292,822) | $3,250,436 | $4,076,028 | $5,174,314 | $12,207,956 | $9,918,277 |

ROI: 356%
Payback: <6 months
Please Note
The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.
These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.
The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Keyfactor.
The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Keyfactor can have on an organization.
Due Diligence
Interviewed Keyfactor stakeholders and Forrester analysts to gather data relative to Keyfactor.
Interviews
Interviewed five decision-makers at organizations using Keyfactor to obtain data about costs, benefits, and risks.
Composite Organization
Designed a composite organization based on characteristics of the interviewees’ organizations.
Financial Model Framework
Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.
Case Study
Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.
Total Economic Impact Approach
Benefits
Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.
Costs
Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.
Flexibility
Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.
Risks
Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”
Financial Terminology
Present value (PV)
The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PVs of costs and benefits feed into the total NPV of cash flows.
Net present value (NPV)
The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.
Return on investment (ROI)
A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.
Discount rate
The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.
Payback
The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.
Appendix A
Total Economic Impact
Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
Appendix B
Endnotes
1. Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
2. Source: Forrester’s Security Survey, 2025. This study analyzes broad patterns among security decision-makers across multiple areas related to an organization’s cybersecurity practices. While this study primarily provides insight into the priorities, investments, and customer journeys of decision-makers, it also includes questions about general priorities as well as standard demographic and firmographic questions. Forrester annually assesses cybersecurity metrics through interviews, surveys, and expertise in the field.
3. Ibid.
Disclosures
Readers should be aware of the following:
This study is commissioned by Keyfactor and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Keyfactor. For any interactive functionality, the intent is for the questions to solicit inputs specific to a prospect’s business. Forrester believes that this analysis is representative of what companies may achieve with Keyfactor based on the inputs provided and any assumptions made. Forrester does not endorse Keyfactor or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, Keyfactor and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and Keyfactor make no warranties of any kind.
Keyfactor reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Keyfactor provided the customer names for the interviews but did not participate in the interviews.