Security is where CDN margins go to relax. The same mitigation capacity sells at wildly different prices, mostly because buyers rarely benchmark it the way they benchmark bandwidth.
How mitigation is priced
Common structures: bundled into delivery with limits, priced per protected application, or priced by clean-traffic volume. Each is defensible; each hides different exposure. Bundled plans cap the attack size they absorb, per-app pricing punishes architectures with many small services, and clean-traffic models bill you for being attacked less than you feared. The absence of benchmarking is self-reinforcing: without market data, every quote feels incomparable, and incomparable quotes get accepted.
The clauses that matter more than price
Time-to-mitigate commitments with teeth, whether mitigation traffic counts against your bandwidth commitment, and what happens contractually during a sustained multi-day event. A cheap plan that bills attack traffic as usage is not cheap. Read the clean-traffic definition twice: some contracts define it in ways that let ordinary volatile traffic drift into billable territory, which converts a bad traffic day into a bad invoice without any attack occurring.
Sizing deserves the same rigor as pricing. Protection is sold by attack magnitude, and the temptation is to buy against the largest attack ever reported anywhere. The relevant number is different: the largest attack plausible against you, informed by your sector, visibility and history, with headroom. Overbuying mitigation capacity is the security equivalent of overcommitting bandwidth, except the unused capacity costs more and the fear discount runs in the vendor’s favor. A calm sizing conversation, held before any incident, is where most of the savings in this category actually live.
Benchmarking it
Security lines respond to competition like every other line. A single comparable quote for equivalent mitigation capacity routinely moves renewal pricing by double-digit percentages, precisely because vendors assume the security line never gets shopped. A single credible alternative also improves the parts of the deal money cannot show: response commitments sharpen and vague clauses acquire numbers when a competitor is visibly in the room.
In practice
Extract three numbers from your current arrangement: what you pay for protection annually, the largest attack it contractually absorbs, and what happens to billing during mitigation. If any of the three takes a support ticket to discover, the arrangement has already told you something. Benchmarked against the market, those three numbers routinely fund the entire review.
The security assessment benchmarks your current protection against the market and reads the mitigation clauses for you.
