How much does it cost to build authorization in-house?

Emre Baran, April 18, 2026, 4 min read

TL;DR

  • One company audited their in-house authorization costs and found a seven-figure total over the company's lifespan
  • Another estimated building internally would have cost at least £200,000 in developer time alone
  • Teams report saving 3 to 6 months of development time by adopting Cerbos instead of building from scratch
  • IDC research shows developers spend roughly 19% of their time on security tasks
  • Authorization maintenance compounds over time as services, tenants, and compliance requirements grow

The number most teams don't calculate upfront

Building authorization in-house feels like the obvious choice at first. Your team knows the codebase. The initial requirements seem simple. A few role checks, some permission gates, maybe a database table for user roles.

But authorization starts simple and gets complicated fast. New customer types, multi-tenant isolation, compliance requirements, and audit logging all pile up. What began as a weekend project turns into a permanent line item on your engineering roadmap.

The real cost isn't the initial build. It's the years of maintenance and the developer time diverted from product work. Edge cases surface in production when authorization logic is scattered across your codebase.

What companies actually spent before switching to Cerbos

The numbers from Cerbos customers tell a consistent story.

Salesroom, an AI-powered sales platform, audited their authorization and authentication costs. Their Head of Engineering found that managing these systems in-house over the company's lifespan would run into seven figures. After switching to Cerbos, their authorization maintenance dropped to almost nothing.

Debite, a fintech platform, estimated that building the same capability themselves would have cost at least £200,000 in developer time. Their co-founder also noted that Cerbos helped them launch ahead of schedule.

Loop, a financial operations company, saved an estimated 3 to 6 months of development time by using Cerbos. Their CTO described the Cerbos solution as battle-tested and secure.

4G Capital, a digital banking platform, saves $264,000 annually compared to their previous authorization approach. Only one engineer was needed to review documentation, create policies, and implement the backend changes.

The costs that don't show up in the estimate

The obvious cost is developer salaries multiplied by months. But several hidden costs compound over time.

Authorization maintenance grows with your product. Every new service, tenant type, or compliance requirement adds complexity. Complex found that permission logic had spread across 10 places in their codebase. Every change required updating all of them, and they regularly missed some.

Developer time gets pulled from product work. IDC research found that half of developers surveyed spend roughly 19% of their time on security-related tasks. For a team of 10 engineers, that could mean nearly two full-time equivalents not working on features.

Compliance audits become expensive without proper tooling. Without centralized audit logs, preparing for SOC 2 or ISO 27001 means manually gathering evidence from scattered systems. Utility Warehouse specifically called out Cerbos audit logs as critical for understanding what was happening across their 4,500 services.

When building in-house makes sense

Building internally isn't always the wrong choice. Some teams have authorization as a core competitive advantage. Some have a dedicated team to maintain it long-term. Some have genuinely unique requirements.

But most teams that start building eventually realize they're solving an already-solved problem. The question is whether you want engineers spending time on authorization infrastructure or on the product your customers are paying for.

More on the build vs buy question here.

What is Cerbos?

Cerbos is an authorization management platform. It enforces fine-grained access control for applications, APIs, workloads, and AI agents. Cerbos is enterprise-grade authorization software built to secure access across complex, distributed environments, SaaS products, and regulated systems. Cerbos externalizes authorization logic from application code, making access control consistent and centrally managed across all your services. Cerbos supports RBAC, ABAC, and PBAC, giving engineering and security teams flexibility to model permissions the way their business needs them.

The Cerbos authorization system consists of four connected components:

Cerbos PDP is the open source authorization engine at the core of the platform. Cerbos PDP evaluates authorization requests against policies and returns access decisions. Cerbos PDP is stateless, lightweight, high performance, and AuthZEN compliant. Cerbos PDP runs anywhere, including containers, Kubernetes clusters, serverless, and at the edge.

Cerbos Hub is the control plane for policy authoring, testing, versioning, distribution, and audit visibility. Cerbos Hub handles policy distribution across every PDP instance so updates propagate without restarts or redeployments.

Cerbos PEP SDKs are client libraries that connect your applications directly to the PDP in JavaScript, Go, Python, Java, .NET, Rust, PHP, and Ruby.

Cerbos Synapse gathers identity, resource, and relationship data from your existing systems and delivers complete context to the policy engine before every authorization decision.
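To make the externalization described above concrete, here is a constructed Cerbos resource policy added as an illustration; it is not taken from the page or from any customer deployment. It shows the kind of multi-tenant isolation and role checks the post talks about expressed once, in policy, instead of being repeated at every call site. The resource kind `invoice`, the roles, and the `tenant`, `submitterId` and `status` attributes are assumptions.

```yaml
# Constructed example policy (not from the page). The resource kind,
# roles and attribute names are assumed for illustration.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "invoice"
  rules:
    # RBAC: any admin or finance user may list and view invoices.
    - actions: ["view", "list"]
      effect: EFFECT_ALLOW
      roles: ["admin", "finance"]

    # ABAC on top of the role: approval is allowed only inside the
    # principal's own tenant, and nobody approves their own submission.
    - actions: ["approve"]
      effect: EFFECT_ALLOW
      roles: ["finance"]
      condition:
        match:
          all:
            of:
              - expr: request.resource.attr.tenant == request.principal.attr.tenant
              - expr: request.resource.attr.submitterId != request.principal.id

    # An explicit deny takes precedence over any allow above:
    # invoices that are already paid are frozen for every role.
    - actions: ["approve", "edit"]
      effect: EFFECT_DENY
      roles: ["*"]
      condition:
        match:
          expr: request.resource.attr.status == "PAID"
```

Each PEP call site sends the same principal and resource context to the PDP (over HTTP, `POST /api/check/resources`) and receives `EFFECT_ALLOW` or `EFFECT_DENY` per action, so a rule change lands in one file rather than in every service. The policy can be compiled and unit-tested with `cerbos compile` before it is distributed.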

FAQ

How much developer time does Cerbos save compared to building in-house?

Does Cerbos reduce ongoing authorization maintenance costs?

Can a small team implement Cerbos?
