Architecture
Zero Trust for the 50-Person Company (Without a $1M Budget)
Zero trust isn't a product and it isn't only for the Fortune 500. Here's a pragmatic 90-day path a small team can actually finish — sequenced by impact, not vendor pitch.

Most zero-trust marketing assumes you have a CISO, a six-figure tooling budget and a year to execute. You probably have one IT generalist, a quarter, and a leadership team that wants to know what they're getting for the spend. That's enough — if you sequence the work correctly.
We've executed this 90-day plan for dozens of small and mid-sized US businesses, from law firms to family offices to manufacturers. The order matters more than the specific vendors. Below is the sequence we run, the decisions to make at each phase, and the budget bands to expect in 2026.
Phase 1 (Weeks 1–4): Identity is the new perimeter
Everything else in zero trust assumes identity is solved. If it isn't, no subsequent control matters. Get this right and the rest of the program runs on rails.
1. Consolidate to one identity provider (Entra ID, Okta, Google Workspace, JumpCloud). Eliminate every standalone login for SaaS apps that support SSO.
2. Enforce phishing-resistant MFA (passkeys or FIDO2) on every account. Make hardware keys the default for admin accounts.
3. Eliminate shared logins. Every shared inbox, every shared SaaS account, every 'team' password in a vault — replace each with per-user identity and delegated access.
4. Turn on conditional access policies that block legacy authentication (POP, IMAP, basic auth) outright. This single change blocks the majority of credential-stuffing attacks against M365 and Google.
5. Disable self-service password reset for admin accounts unless it requires a phishing-resistant factor.
Budget band: $15–$25/user/month for the IdP + MFA tier you need, plus $40–$80 per hardware key for the admin population. Typical 50-person company spends $12–$18K in year one on identity.
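Before enforcing the legacy-auth block in step 4, find out who still depends on those protocols, because a successful IMAP or SMTP AUTH sign-in is either a dependency that will break or a credential-stuffing hit that should already have been blocked. The following triage script is an added example, not part of the original article: it assumes an Entra ID sign-in log CSV export with "User", "Client app" and "Status" columns (the legacy client-app names are the categories Entra uses; check them against your tenant's filter values), and the sample rows are constructed.

```python
"""Pre-check for Phase 1, step 4: who still uses legacy authentication.
Added example; column names are assumptions about the sign-in export
and the sample rows below are constructed."""
import csv
import io
from collections import defaultdict

# Client-app values Entra reports for legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "MAPI Over HTTP",
    "Authenticated SMTP", "Exchange Web Services", "Other clients",
    "Autodiscover", "Exchange Online PowerShell", "Offline Address Book",
}

# Constructed sample rows in the shape of a sign-in CSV export.
SAMPLE_SIGNINS = """\
Date (UTC),User,Client app,Status,IP address
2026-03-02T08:01:12Z,alice@example.com,Browser,Success,203.0.113.10
2026-03-02T08:03:40Z,bob@example.com,IMAP4,Success,198.51.100.7
2026-03-02T08:04:02Z,bob@example.com,IMAP4,Success,198.51.100.7
2026-03-02T08:10:55Z,scanner@example.com,Authenticated SMTP,Success,192.0.2.44
2026-03-02T08:12:19Z,carol@example.com,Mobile Apps and Desktop clients,Success,203.0.113.22
2026-03-02T08:15:00Z,dave@example.com,POP3,Failure,198.51.100.99
"""

def legacy_auth_report(csv_text):
    """Return {user: {protocol: count}} for SUCCESSFUL legacy-auth sign-ins.
    Failures are skipped: a failed POP3 attempt is noise or a stuffing miss,
    while a success is something that will break when the block goes live."""
    report = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status"] != "Success":
            continue
        if row["Client app"] in LEGACY_CLIENT_APPS:
            report[row["User"]][row["Client app"]] += 1
    return {user: dict(protos) for user, protos in report.items()}

def blocker_summary(csv_text):
    """Sorted (user, [protocols]) pairs for everyone the block would cut off.
    Service identities (a scanner sending via SMTP AUTH, for instance) appear
    here too; they need a modern-auth fix, not a permanent exception."""
    report = legacy_auth_report(csv_text)
    return sorted((user, sorted(protos)) for user, protos in report.items())

if __name__ == "__main__":
    for user, protos in blocker_summary(SAMPLE_SIGNINS):
        print(f"{user}: {', '.join(protos)}")
```

Run it against a 30-day export; an empty result means the block can be enforced without a rollback plan.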
Phase 2 (Weeks 5–8): Device trust
Identity tells you who; device tells you what they're using. Both have to be trusted before access is granted.
1. Enroll every endpoint in MDM (Intune, Jamf, Kandji). Yes, including the founder's MacBook.
2. Require disk encryption (FileVault, BitLocker) and OS-patch currency as a precondition for access.
3. Deploy EDR on every device (CrowdStrike, SentinelOne, Defender for Endpoint). Untrusted devices don't get production access.
4. Block access from unmanaged devices through a conditional-access policy. If a personal phone needs access to email, enroll it or give it a containerized app — don't make exceptions.
Budget band: $8–$15/device/month for MDM + EDR. A 50-person company with 70 devices spends $7–$13K/year.
Phase 3 (Weeks 9–12): Application access and the VPN retirement
Now the per-application controls. SaaS goes behind SSO; internal apps go behind a ZTNA broker; the VPN goes away.
1. Inventory SaaS apps. Anything with SSO, put behind SSO with provisioning (SCIM). Anything without SSO, either replace it or wrap it with a password manager that enforces shared-secret policies.
2. Put internal apps (file servers, dev tools, admin consoles) behind a ZTNA broker — Cloudflare Access, Tailscale, Twingate, or Zscaler Private Access. Each access decision evaluates identity + device + context, every time.
3. Decommission the legacy VPN. The VPN was a flat network; replace it with per-app, identity-aware tunnels. This single change eliminates the most common ransomware initial-access vector for mid-market companies.
4. Audit and remove standing access to production systems. Adopt just-in-time access (Cloudflare, Teleport, AWS IAM Identity Center) for engineers and admins.
Budget band: $5–$10/user/month for ZTNA. Typical 50-person company spends $3–$6K/year. The VPN you're retiring usually costs more than the replacement.
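What "identity + device + context, every time" looks like as an actual decision, combining the Phase 2 device preconditions (managed, encrypted, patched, EDR reporting) with Phase 3's per-app authorization. This is an added example written for this article, not the policy engine of any broker named above; the signal names and the per-app policy shape are assumptions, and the requests are constructed.

```python
"""Per-request ZTNA-style decision: default deny, per-app requirements,
every failing condition reported. Added example; signal names and the
APP_POLICY shape are assumptions, sample requests are constructed."""
from dataclasses import dataclass

@dataclass
class Signals:
    user: str
    groups: set            # identity: group memberships from the IdP
    mfa_method: str        # "passkey", "fido2", "totp", "sms" or "none"
    device_managed: bool   # enrolled in MDM
    disk_encrypted: bool   # FileVault / BitLocker reported on
    patch_age_days: int    # days since the OS was last at current patch level
    edr_healthy: bool      # EDR agent present and reporting

PHISHING_RESISTANT = {"passkey", "fido2"}

# Per-app policy: who may reach the app and how stale its devices may be.
APP_POLICY = {
    "fileserver":    {"groups": {"staff", "admins"}, "max_patch_age": 30},
    "admin-console": {"groups": {"admins"},          "max_patch_age": 7},
}

def decide(app, s: Signals):
    """Return (allowed, reasons) for ONE request. Reasons are collected
    rather than short-circuited so the audit log shows every gap."""
    policy = APP_POLICY.get(app)
    if policy is None:               # no policy means no access
        return False, ["unknown-app"]
    reasons = []
    if not (s.groups & policy["groups"]):
        reasons.append("not-authorized-for-app")
    if s.mfa_method not in PHISHING_RESISTANT:
        reasons.append("mfa-not-phishing-resistant")
    if not s.device_managed:
        reasons.append("device-unmanaged")
    if not s.disk_encrypted:
        reasons.append("disk-not-encrypted")
    if s.patch_age_days > policy["max_patch_age"]:
        reasons.append("os-patch-stale")
    if not s.edr_healthy:
        reasons.append("edr-not-reporting")
    return (not reasons), reasons

# Constructed requests: a compliant staff laptop and a personal phone.
LAPTOP = Signals("alice@example.com", {"staff"}, "passkey", True, True, 10, True)
PHONE = Signals("bob@example.com", {"staff"}, "totp", False, True, 3, False)

if __name__ == "__main__":
    for app in ("fileserver", "admin-console"):
        print(app, decide(app, LAPTOP), decide(app, PHONE))
```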
What you don't need yet
Skip these in the first 90 days. They're real later — none of them are real now.
- A full SASE rollout. Useful at 200+ users with significant traffic; overkill at 50.
- Microsegmentation of the data center. If you have a data center, fine; most 50-person companies don't.
- A custom SIEM. Use your EDR's built-in detections plus M365/Google security center. Add SIEM at 150+ users or when a regulator requires it.
- A CASB. M365 E5 + Google Workspace Enterprise include the controls a CASB used to sell separately.
- A DLP product. Use the native DLP in M365 or Google first. A standalone DLP is a six-month project that 50-person companies almost never finish.
Total cost, total time
A 50-person company executing all three phases in 2026 should expect:
- $40–$80K total in year one (identity + device + ZTNA + hardware keys + a few weeks of outside engineering).
- $30–$60K in run-rate years two and beyond.
- 90 days from kickoff to all three phases live.
- Reduction in measurable attack surface that any cyber-insurance underwriter will recognize — and often translate into a lower premium that offsets a meaningful chunk of the spend.
Where Cybrvault fits
We run this 90-day program for small and mid-sized clients across the US. You can also run it yourself with the sequence above — the value of outside engineering is mostly compressing the calendar (90 days instead of 9 months) and avoiding the three or four expensive misconfigurations that show up if you've never done it before.
Questions teams ask us
What is zero trust in plain language?
Zero trust is a security strategy where no user, device or network is trusted by default — every access request is verified against identity, device state and context. The phrase 'never trust, always verify' captures it.
Do I really need to get rid of the VPN?
Yes, eventually. VPNs grant flat network access once the tunnel is up, which is the inverse of zero trust. ZTNA grants per-application access evaluated continuously. Most mid-market ransomware incidents begin with a compromised VPN credential.
Is zero trust required for cyber insurance?
Most major underwriters now require phishing-resistant MFA, EDR on all endpoints, immutable backups and incident-response capability — the core of zero trust — to write or renew a policy in 2026.
Can a small business actually do this in 90 days?
Yes, with focused execution and the right sequencing. The companies that fail tend to either try everything at once, or get distracted by SASE/SIEM/DLP marketing before identity is solved.