Cyber Security Cost UK 2026: Real Pricing for SMBs & Mid-Market

Quick Answer: A typical UK SMB spends £15–£30 per user per month on cyber security in 2026 (EDR, email security, training and monitoring), plus £500–£5,000/year for Cyber Essentials or Cyber Essentials Plus and £3,500–£7,500 for an annual external pen test. For a 25-person business that lands at roughly £7,500–£15,000/year all-in — substantially less than the cost of a single ransomware incident.
Cyber security pricing in the UK has consolidated dramatically over the last 24 months. Five years ago, costs were opaque and quote-only across the board; today most UK providers (including Connection Technologies) publish per-user-per-month rates, certification fees are public on IASME’s website, and pen-test market rates have flattened. That makes 2026 the first year where you can confidently model your full cyber spend before requesting quotes.

This guide breaks down realistic 2026 prices across all the major service categories — Cyber Essentials, EDR, MDR, SIEM, pen testing, awareness training, cyber insurance and incident-response retainers — and shows what a balanced budget looks like for businesses from 1 to 250+ staff. Every price below is sourced from publicly available UK rate cards or our own benchmarking of 80+ proposals over the last 12 months.

How much should a UK business spend on cyber security?

The most common benchmark is 4–8% of total IT spend, scaling up to 10–14% for regulated sectors (financial services, healthcare, defence supply chain). For a typical UK SMB whose IT budget runs at £1,500–£3,000 per user per year, that means cyber security should consume roughly £180–£420 per user per year.

Translated into monthly rates, here’s what most UK businesses spend per user across our three standard service tiers:

  • Essentials tier — £6–£12/user/month: EDR, business email security, phishing-simulation training, monthly patch & threat review. Adequate for low-risk businesses under 25 staff.
  • Standard tier — £15–£22/user/month: All of the above plus Managed Detection & Response (MDR), business-hours UK SOC, managed Cyber Essentials. The right fit for most UK SMBs.
  • 24/7 Premium tier — £25–£35/user/month: All of the above plus 24/7 SOC monitoring, SIEM with log retention, threat hunting, Cyber Essentials Plus, incident-response retainer. Required for regulated sectors and businesses with enterprise customers.

Compare quotes against these bands. If a provider quotes £5/user/month for “managed cyber,” they’re selling antivirus with marketing. If a provider quotes £60/user/month for an SMB without a clear MDR + SIEM justification, they’re overpriced. Most legitimate UK providers fall between these markers.

Cyber Essentials & Cyber Essentials Plus cost in 2026

Cyber Essentials is a UK-government-backed certification scheme operated through five IASME-licensed certification bodies. It is a minimum-controls baseline rather than a comprehensive standard, which is precisely why it’s cheap, fast and now mandatory for many UK tenders.

Cyber Essentials (basic)

  • Self-assessed via a partner: £500–£1,500 total. The IASME fee starts at £300 (1–9 staff micro band) and scales to £500–£700 by headcount; the rest is the partner’s consultancy time helping you complete the questionnaire and remediating any gaps.
  • Self-certified directly: £300–£700 if you submit the questionnaire yourselves with no external help. Cheapest route, but most first-time applicants fail without remediation guidance — a £300 saving turns into 4–6 weeks of churn.
  • Annual renewal: Required every 12 months. Most partners charge £500–£800 for renewals because the underlying questions don’t change much year to year, so the consultancy effort drops.

Cyber Essentials Plus

The Plus version adds an external assessor audit covering a sample of devices, vulnerability scanning, simulated phishing and authenticated patching checks. It’s significantly more demanding to pass.

  • IASME audit fee: £1,400 (fixed, regardless of organisation size).
  • Assessor labour: £1,000–£3,500 depending on the number of devices in scope and how prepared you are. Typical mid-market business: £2,000–£2,500.
  • Total realistic cost: £2,500–£5,000 all-in for the first year. Full Plus pricing breakdown here.
  • Annual renewal: Required every 12 months — the Plus audit is not a one-time pass.

Worth knowing: certifying through a partner means you can usually claim £25,000 of free IASME cyber insurance if your annual turnover is under £20m. That’s typically worth more than the certification fee itself.

Endpoint protection (antivirus, EDR, MDR, XDR)

The endpoint stack is where most of the per-user-per-month spend goes. Pricing depends heavily on which capability layer you buy.

Business antivirus

  • £2–£4 per device per month for products like Bitdefender GravityZone Business, Trend Micro Worry-Free, Sophos Intercept X.
  • Adequate for micro-businesses (< 10 staff) with low-risk profiles. Increasingly insufficient on its own as attackers routinely bypass signature-based detection.

Endpoint Detection & Response (EDR)

  • £4–£8 per device per month for managed EDR using CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Business or Sophos Intercept X Advanced with XDR.
  • Adds behavioural detection, telemetry, response playbooks and the ability to quarantine devices remotely. Antivirus vs EDR explained.

Managed Detection & Response (MDR)

  • Office-hours MDR: £10–£18 per endpoint per month, UK SOC monitoring 9–5 weekdays.
  • 24/7 MDR: £15–£35 per endpoint per month, round-the-clock UK monitoring with 15-minute response SLAs.
  • Enterprise MDR with threat hunting: £40+ per endpoint per month.
  • The big leap is from EDR to MDR — you’re now paying for human analysts at a UK SOC, not just software. UK 24/7 MDR pricing here.

Extended Detection & Response (XDR)

XDR layers identity, email and cloud telemetry into the EDR/MDR view. Pricing usually runs £5–£10 per user per month on top of the underlying MDR seat. For most UK SMBs the right move is to bundle XDR with MDR rather than buy them separately. EDR / MDR / XDR comparison.

Email security cost in 2026

Email is the threat vector behind 84% of UK business breaches according to the 2024 Cyber Security Breaches Survey, so email security is non-negotiable. Pricing has come down sharply in the last two years thanks to AI-native entrants like Sublime Security, Material and IRONSCALES competing with the legacy Mimecast / Proofpoint stack.

  • Microsoft 365 native (Defender for Office 365 P1): £1.50–£1.70/user/month if you don’t already have Business Premium (which includes it).
  • Add-on email security platforms: £3–£6 per user per month (Mimecast, Proofpoint, Avanan, Egress).
  • AI-native phishing protection: £2–£5 per user per month (IRONSCALES, Sublime Security, Material, Tessian).

If you’re on Microsoft 365 Business Premium (which most UK SMBs are), Defender for Office 365 P1 is included — configure it properly before paying for a third-party layer on top.

SIEM and SOC pricing

SIEM (Security Information & Event Management) is the log-aggregation layer that feeds your SOC analysts. Two pricing models dominate:

  • SaaS SIEM (per-GB ingestion): Microsoft Sentinel charges roughly £1.80–£2.30 per GB ingested. A typical 50-person business ingests 40–100 GB/month, so £75–£230/month for raw ingestion plus retention costs.
  • Managed SIEM as part of MDR: Bundled into the £25–£35/user/month 24/7 Premium tier with no separate ingestion charge. Easier to budget, but less flexibility on log retention windows.
  • Standalone managed SOC: £800–£3,500/month for SMBs, depending on data volume and analyst hours. SIEM monitoring pricing here.

For most UK businesses under 100 staff, bundled SIEM-with-MDR is dramatically simpler than running standalone Sentinel + a separate SOC. We have a detailed analysis in our managed SOC vs in-house cost comparison.

Penetration testing prices in 2026

Penetration testing costs have stabilised at the following bands. Pricing is heavily dependent on scope, so request a fixed-scope statement of work before signing.

  • External infrastructure pen test: £3,500–£7,500 one-off. Typical scope: public-facing IP ranges, a dozen ports, common services. 3–5 days of consultant time.
  • Web application pen test: £5,000–£15,000 depending on application complexity (number of user roles, business logic depth, API count).
  • Internal network pen test: £5,000–£12,000 (assumed-breach scenario).
  • Mobile app pen test (iOS + Android): £6,000–£14,000.
  • Cloud pen test (AWS/Azure/GCP): £7,000–£18,000.
  • Red team engagement: £25,000+ (multi-week, multi-vector adversary simulation).

For PCI DSS and Cyber Essentials Plus you also need quarterly external vulnerability scans — budget £1,200–£2,500 per year for these via an Approved Scanning Vendor (ASV).

Awareness training and phishing simulation

  • Per-user platform cost: £1–£3 per user per month for KnowBe4, MetaCompliance, usecure, CybSafe, Proofpoint Security Awareness Training.
  • Phishing simulation cadence: Monthly templated campaigns, quarterly bespoke campaigns.
  • Annual reporting: Click-rate, report-rate, repeat-offender lists for board reporting.

Don’t skip this line item. Cyber Essentials Plus auditors now check that awareness training is delivered and tracked. Cyber insurers ask for it on renewal questionnaires.

Cyber insurance cost in 2026

UK cyber insurance premiums have stabilised after the 2021–2023 ransomware-driven price hikes. Realistic 2026 ranges, assuming you have basic controls (MFA, backups, EDR):

  • Micro business (< 10 staff, £500k cover): £500–£1,500/year.
  • Small business (10–50 staff, £1m cover): £1,500–£4,000/year.
  • Mid-market (50–250 staff, £2–5m cover): £5,000–£15,000/year.
  • Enterprise (250+ staff, £5m+ cover): £15,000–£50,000+/year.

If you certify through IASME’s Cyber Essentials and turn over under £20m, you get £25,000 of free cyber insurance bundled in. Full breakdown of what’s covered.

Incident response retainers

Often forgotten in budgeting, but worth every penny if a breach happens. An IR retainer guarantees response within a specified SLA (typically 1–4 hours) and locks in a discounted hourly rate.

  • Retainer fee: £3,000–£15,000/year for SMBs, £25,000+ for mid-market.
  • Hourly rate during an incident: £200–£350/hour with retainer; £400–£600/hour without.
  • Typical incident duration: 80–200 hours for a contained ransomware response, 300+ for a full-environment compromise.

Realistic 2026 budgets by company size

Here’s what a balanced cyber security spend looks like across three representative UK businesses, using mid-band pricing:

10-person business (low risk, no regulatory driver)

  • Essentials tier managed cyber: £9 × 10 × 12 = £1,080/year
  • Cyber Essentials annual: £750
  • Awareness training: £2 × 10 × 12 = £240/year
  • External pen test: £3,500 (every 2 years ≈ £1,750/year amortised)
  • Cyber insurance: £1,000/year (or £0 with CE bundled)
  • Total: ~£4,820/year (~£40/user/month all-in)

50-person business (mid-market, B2B services)

  • Standard tier managed cyber (24/7 MDR): £22 × 50 × 12 = £13,200/year
  • Cyber Essentials Plus annual: £3,500
  • Awareness training: £2 × 50 × 12 = £1,200/year
  • External pen test (annual): £5,000
  • Cyber insurance: £3,500/year
  • IR retainer: £5,000/year
  • Total: ~£31,400/year (~£52/user/month all-in)

200-person business (regulated sector)

  • Premium tier managed cyber: £30 × 200 × 12 = £72,000/year
  • Cyber Essentials Plus + ISO 27001 surveillance: £12,000/year
  • Awareness training: £3 × 200 × 12 = £7,200/year
  • Pen testing (3 annual + quarterly ASV scans): £18,000/year
  • Cyber insurance: £14,000/year
  • IR retainer: £15,000/year
  • Total: ~£138,200/year (~£58/user/month all-in)

Note: at 200 staff, an in-house security analyst (£55,000–£75,000 fully-loaded) starts to make sense alongside outsourced SOC + pen testing. Below 100 staff, fully-outsourced almost always wins on cost.

How to get a real quote

Use the cost benchmarks above to sanity-check any quote you receive. The key questions to ask any UK cyber provider:

  1. Is this priced per user, per endpoint, or per device? (Endpoints > users for businesses with servers + workstations.)
  2. Is the SOC UK-based, and what hours? (24/7 UK matters for regulated sectors.)
  3. Are licences passed through at cost, or marked up? (CrowdStrike, SentinelOne licences are commonly marked up 20–40%.)
  4. Is incident response included in the monthly fee, or quoted separately?
  5. What’s the contract length, and what are the offboarding terms?

For a tailored 2026 cyber security quote based on your headcount, sector and existing tooling, request one via our cyber security quote form — we’ll come back within 24 hours with itemised pricing.

Frequently Asked Questions

How much does cyber security cost a small UK business?

For a typical 10-person UK SMB, a balanced cyber security stack costs around £4,000–£5,500 per year — or roughly £30–£45 per user per month all-in. That covers EDR, email security, awareness training, an annual Cyber Essentials certification, biennial pen testing and basic cyber insurance. Many UK micro-businesses can get this down to £3,000/year by using the free £25k IASME insurance bundled with Cyber Essentials.

Is Cyber Essentials worth the cost?

For most UK businesses, yes. At £500–£1,500/year managed, it’s the cheapest credible cyber-controls baseline available. It is mandatory for many UK government contracts, increasingly required by enterprise customers in supplier-onboarding due diligence, and includes £25,000 of free IASME cyber insurance for businesses turning over under £20m. The certification process itself usually surfaces 5–15 control gaps you didn’t know existed — that diagnostic value alone often pays for the certificate.

What is the difference between EDR and MDR pricing?

EDR (Endpoint Detection & Response) is software-only — you pay for the platform but your team triages alerts. UK EDR pricing runs £4–£8 per endpoint per month. MDR (Managed Detection & Response) bundles EDR with a UK Security Operations Centre staffed by analysts who triage and respond to alerts on your behalf. UK MDR pricing runs £15–£35 per endpoint per month for 24/7 coverage. The price gap reflects the human-analyst cost rather than the software.

How much does a penetration test cost in the UK?

An external infrastructure pen test costs £3,500–£7,500 in 2026, depending on the number of public-facing assets in scope. A web application pen test costs £5,000–£15,000. A red team engagement starts at £25,000. Most UK SMBs run one external pen test per year, plus quarterly external vulnerability scans (£1,200–£2,500/year) to satisfy Cyber Essentials Plus and PCI DSS requirements.

Can I pay for cyber security per user per month?

Yes — this is now the dominant pricing model in UK B2B cyber security. Most reputable UK providers offer tiered per-user-per-month subscriptions (typically Essentials £6–£12, Standard £15–£22, Premium £25–£35) with monthly billing, no upfront capex and the ability to add or remove seats as you scale. One-off costs (Cyber Essentials, pen tests, incident response) are quoted separately. Avoid providers who insist on multi-year fixed contracts with no flexibility — that’s a 2018 pricing model.

What is the minimum a micro-business should spend?

For a 1–5 person UK micro-business, a credible minimum is: Microsoft 365 Business Premium (includes Defender, MFA, conditional access — from £18.10/user/month), an EDR layer if not on M365 Business Premium (£5/user/month), Cyber Essentials self-certification (£300/year), basic awareness training (£1.50/user/month). Total: £25–£30 per user per month all-in. Below this you’re not really doing cyber security — you’re hoping.

Why do cyber security quotes vary so much between providers?

Common reasons: (a) the higher quote includes 24/7 SOC monitoring while the lower one is business-hours only, (b) licence pass-through markups vary 0–40% between providers, (c) the higher quote includes an incident-response retainer while the lower one bills hourly during incidents, (d) one is quoting per-user and the other per-endpoint (servers + laptops + mobiles add up), (e) one is genuinely cheaper because it’s offshore or under-resourced. Always ask for a line-item breakdown before comparing — total prices are meaningless without it.

Want a real, line-itemised cyber security quote for your business? Request one here — we’ll respond within 24 hours with pricing across all three plan tiers, plus your specific Cyber Essentials gap analysis. Or compare other reputable UK providers in our guide to the best cyber security companies UK 2026.
