
CrowdStrike, SentinelOne, and the Per-Device Pricing Trap: Why Stale Endpoints Quietly Cost Enterprises Six Figures

By SeatCompress Team·May 29, 2026·13 min read

A 10,000-device enterprise on CrowdStrike Falcon Enterprise at the catalog reference rate of $15/device/month is paying $1.8M/year for endpoint protection. Run the MDM hygiene audit honestly and 10-15% of those device IDs haven't checked in for 90 days: laptops in a closet, contractor machines never collected, decommissioned VMs still on the asset list, lab images counted as production endpoints. At the low end of that range, you are paying $180K/year to protect machines that no longer exist. At the high end, $270K. Zero seat changes, zero negotiation, just a clean device count.

That number doesn't show up on any SSO-driven license audit, because there is no SSO event on a powered-off laptop. CrowdStrike doesn't bill on users — it bills on agents installed, regardless of whether the agent ever phones home. SentinelOne is the same shape. Microsoft Defender for Endpoint is a half-exception that's worth its own paragraph. Every per-device tool in the enterprise stack has this exact failure mode, and almost no procurement workflow catches it.

Try the free calculator — 15 seconds, no signup.

Why per-device pricing breaks the seat-compression model

Most SaaS spend reduction in 2026 leans on one of two playbooks. The first is per-seat compression: Salesforce, Outreach, Slack, Notion. You buy 100 seats, you pay for 100 seats whether 100 people log in or not. The lever is the gap between provisioned and active — a number the IdP already knows. We covered the audit framework in How to Find Unused SaaS Licenses, and the methodology generalizes well as long as the bill scales with humans.

The second is per-employee, the PEPM family: Workday, BambooHR, Gusto, Rippling. The lever there is the rate, not the seat count, because every employee is in the HRIS by definition. We worked through that math in The PEPM Blind Spot — same dimensional principle, different unit driving the bill.

Per-device pricing is a third category, and it's the one most procurement playbooks miss entirely. CrowdStrike, SentinelOne, and the Defender for Endpoint standalone SKU all price per agent installed on a machine. The number of agents has only a loose relationship to your headcount. A single sales engineer might have a laptop, a personal workstation, two test machines, a demo VM, and an iPad in MDM — five or six endpoints, one human. A 10,000-employee company routinely runs 12,000-18,000 protected endpoints, and the procurement team that benchmarks against headcount lands on the wrong number every renewal cycle.

The unit of waste isn't dormant seats and isn't an above-market PEPM rate. It's stale device IDs in the management console — agents the customer is still billing for even though the corresponding hardware no longer exists, doesn't belong to a current employee, or was retired without a deprovisioning step. The CFO lever has two parts: clean the device list, then question the tier.

What the catalog actually says

SeatCompress's catalog tracks the major endpoint security vendors at mid-tier reference rates, with the trust contract that every number is anchored to vendor pricing data we can defend if challenged.

CrowdStrike Falcon. The Enterprise tier — the mid-market default — sits at roughly $15/device/month in the catalog. CrowdStrike's published pricing page lists Falcon Go at $7.99, Falcon Pro at $14.99, and Falcon Enterprise at $19.99 as of mid-2026; enterprise contracts negotiate down materially from list, which is why the catalog reference sits below the published Enterprise number. Falcon Elite, the top tier with managed threat hunting layered in, lands in the $20-25/device/month range depending on commitment and managed-service scope (CrowdStrike doesn't publish a flat list price for Elite — the range reflects Vendr and Spendflo buyer-guide reporting on landed enterprise rates). The pricing model is per_endpoint, not per user — explicitly tagged that way in seed data because a single employee routinely carries multiple endpoints.

SentinelOne. Catalog reference is $8/device/month for the Singularity Core / Control tier, sourced from Vendr's buyer guide and pinned to enterprise-band median deals. SentinelOne's higher tiers (Complete, Commercial) sit closer to $10-12/device/month at enterprise scale. Same per_endpoint pricing model, same audit shape.

Microsoft Defender for Endpoint. This one is the partial exception. Defender Plan 1 and Plan 2 list at roughly $3 and $5.20 per user/month standalone, but the vast majority of enterprise deployments aren't standalone — Defender for Endpoint Plan 2 is bundled into Microsoft 365 E5 at no additional line-item cost, and into the Microsoft 365 E5 Security add-on. Translation: if your E5 spend is already locked, the marginal cost of Defender for Endpoint is zero, and the compression lever isn't "decommission stale devices to lower the bill" — it's "if you have E5, do you really also need CrowdStrike on the same machines?" That's a different post; we'll keep this one focused on the explicit per-device line items where the lever lives.

The Acme demo company in the SeatCompress seed runs 750 endpoints on CrowdStrike at $15/device/month = $11,250/month, $135,000/year. That's the per-device pricing model rendered in miniature, and even at 750 endpoints the stale-device audit picks up real money.

The 10-15% stale-device over-count is structural, not exceptional

Why does the average enterprise device count drift 10-15% above truth? Five mechanisms, all common, all silent on a renewal-only review:

Decommissioned laptops still in MDM. An employee leaves; HR processes the exit; IT collects the laptop and wipes it; nobody removes the device ID from CrowdStrike or SentinelOne until a quarterly cleanup that often doesn't happen. The agent license keeps billing. Multiply across two to four years of employee turnover and the ghost-device population is material.

Contractor devices retained after engagement. Contractors get CrowdStrike-managed laptops for the duration of an engagement. When the contract ends, the device is sometimes returned, sometimes not. Either way, the device record stays in the console unless someone explicitly removes it. Procurement doesn't see contractor end dates; the EDR admin doesn't see the procurement contract. The gap is structural.

Test, lab, and golden-image machines billed as production. Engineering, IT, and security teams maintain test machines and golden images. CrowdStrike's agent gets installed by group policy when a machine joins the domain. Test machines that get recycled monthly look like fresh devices each cycle; one physical box can register two or three different agent IDs in a quarter, and each one gets billed. The imaging side has a documented fix: CrowdStrike's sensor deployment guidance is to install the sensor on the golden image without starting it (the NO_START=1 install parameter on Windows) so each clone generates its own agent ID on first boot rather than inheriting one. That avoids duplicate IDs; it does not stop a reimaged box from reappearing as a new host, so reimage-heavy fleets still need the console's retention setting tuned.

VMs and cloud images counted as endpoints. Falcon and SentinelOne both protect server workloads, and the pricing model for cloud workloads is the same per-endpoint billing as user devices. A poorly-rotated CI/CD environment can spin up and tear down hundreds of short-lived VMs per week, each registering a new endpoint ID. If retention isn't tuned in the console, the count balloons.

Acquisitions inherit unaudited stacks. Companies acquired in the last 18 months bring their own device inventory, often with two or three EDR vendors layered over the same machines during a tooling consolidation that never finishes. We've seen 4,000-employee companies running both CrowdStrike and SentinelOne on the same laptops because the migration project stalled.

Across all five mechanisms, the empirical floor most procurement teams encounter on a first audit is 10% over-count; the ceiling at messier organizations is 15-20%. That's why "10-15%" is the published range — it's the band most real audits land in, not a marketing claim.

Worked example: 10,000-device enterprise on Falcon Enterprise

A 10,000-employee company. Mature security org, CrowdStrike Falcon Enterprise on the fleet, contract auto-renews in 90 days. The procurement team pulls the latest invoice: 10,000 endpoints × $15/device/month × 12 months = $1.8M/year. They benchmark against headcount, find the per-employee number is in line with peers, sign off.

Now run the MDM hygiene audit honestly.

Pull the CrowdStrike Falcon console, Hosts → Host Management. Filter on Last Seen greater than 90 days. The typical result at the scale and operational profile described above: 1,000 to 1,500 stale device IDs. Some are sleeping correctly (occasional remote employee, traveling executive's backup laptop), but the majority are ghosts. Cross-reference against the Active Directory or Okta termination feed for the last 24 months; that pass alone usually clears 60-70% of the stale list as confirmed-departed users.

Conservative outcome: 1,000 stale devices confirmed. Before removing anything, confirm from the MDM or asset record that the hardware was wiped or disposed. A host that is stale because it is sitting powered on in someone's drawer is an unmonitored endpoint, which is a security finding before it is a billing one. Hiding the host record in the Falcon console is low-risk in itself (a sensor that later checks in reappears), but export any detection history you still need first. How the clean count turns into dollars depends on the order form: enterprise EDR contracts are usually a committed device quantity for the term, so the 1,000-device reduction lands at the renewal or at a contractual true-down, not as a credit on next month's invoice, which is exactly why the audit has to run before the 90-day auto-renewal window closes. Savings once it lands: 1,000 × $15 × 12 = $180K/year. The work is roughly a week of one security analyst's time, with no negotiation beyond the renewal quantity and no architecture change. Pure operational hygiene against an SKU that bills on what's listed in your own console.

That's lever one. Lever two is the tier question.

The tier-downgrade lever: are you on Elite when Enterprise covers the threat model?

CrowdStrike's tier ladder has four rungs, and three breakpoints between them that matter for this discussion:

  • Falcon Go (~$8/device/month at the catalog floor, $7.99 published): essentially next-gen antivirus. Small businesses, light feature set.
  • Falcon Pro (~$8/device/month catalog, $14.99 published list): adds device control and threat intelligence. Still primarily preventative.
  • Falcon Enterprise (~$15/device/month catalog, $19.99 published list): adds EDR, threat hunting, and the Falcon Insight detection capability most enterprise security teams build their playbooks around.
  • Falcon Elite ($20-25/device/month range): the tier the catalog treats as the managed-services rung, with CrowdStrike's team running hunt and response rather than yours. One caveat before you act on that: CrowdStrike sells managed detection and response (Falcon Complete) as its own line item, so whether a managed service is actually inside what your order form calls Elite is something to read off the contract, not infer from the tier name.

The tier the customer actually needs is a function of the in-house security operations team's maturity, not the marketing pitch. A 10,000-employee enterprise with a 24/7 SOC, mature detection engineering, and a SOAR platform usually does not need Falcon Elite — they're paying $5-10/device/month extra for a managed service they're staffed to run themselves. A 2,000-employee company with one security engineer often does need Elite, because the alternative is "incidents trigger after-hours and nobody is awake to respond."

If the 10,000-device customer in the worked example above is currently on Elite at $23/device/month, the tier-downgrade question is: is our internal SOC mature enough that Elite's managed-services layer is duplicative? If yes, drop to Enterprise and reclaim $8/device/month × 10,000 × 12 = $960K/year — minus the cost of any internal headcount required to backfill what Elite's managed service was doing. Some enterprises will find they've been paying for both an internal SOC and a managed SOC and using only the internal one.

The combined math on this hypothetical 10,000-device customer:

  • Stale-device audit: $180K/year recovered with one week of analyst time.
  • Elite → Enterprise tier downgrade (if applicable): up to $960K/year, contingent on internal capability.

Even the conservative case — just the device hygiene work, no tier change — is the kind of number that should make it into a CFO's quarterly procurement review. The aggressive case, both levers pulled, is approaching seven figures on a single line item that procurement signed off on three months earlier because the per-employee math looked clean.

SentinelOne and the comparison case

A parallel run on a 10,000-device SentinelOne customer at the catalog $8/device/month reference rate is $960K/year total for the Core/Control tier. Same 10-15% stale-device pattern applies — SentinelOne's Singularity console exposes the same Last Seen and group-membership filters, the same agent-license-billing mechanic. A 12% stale-device finding at this scale is $115K/year recovered. The tier-downgrade angle is narrower than CrowdStrike's (SentinelOne's Complete tier is a smaller premium over Control than Falcon Elite is over Enterprise), but the device hygiene lever is identical in shape.

The reason none of the traditional SaaS-spend platforms surface this lever cleanly: their data model is built around SSO events. We dug into the architectural gap in the Zylo vs. Vendr vs. Productiv comparison. Those platforms aggregate provisioning events from Okta, Azure AD, and Google Workspace. An EDR sensor never authenticates as a user through the IdP; console admin logins may be federated, but the device-to-user mapping underneath is loose, downstream, and often manual. The dashboards built for seat compression don't render this category meaningfully, because the underlying telemetry isn't there.

We don't yet ship per-device peer benchmarks the way we ship per-employee benchmarks for the PEPM tools. The infrastructure is there — pricingDimension was added to the benchmark schema in May 2026 with per_employee lit up and per_endpoint explicitly deferred to a later phase. The dollar magnitude on stale-device hygiene is large enough that the device-count audit pays for itself before the peer-rate audit even arrives.

The MDM / EDR audit checklist

If you run nothing else from this post, run this. One security analyst, one week, before your next CrowdStrike or SentinelOne renewal.

Step 1: Pull the host list with Last Seen > 90 days. In CrowdStrike Falcon: Hosts → Host Management → Filter: Last Seen > 90 days. In SentinelOne Singularity: Sentinels → Filter: Last Active > 90 days. Export to CSV.

Step 2: Cross-reference against your HR termination feed. Pull the last 24 months of departed employees from Workday, BambooHR, or whatever HRIS owns the truth. Match by hostname, owner email, or device tag. Confirmed departures with stale device IDs are the cleanest decommission candidates.

Step 3: Filter for contractor and lab device tags separately. Most mature EDR deployments tag devices with purpose:contractor, env:lab, owner:engineering-test, or similar. Run a count on each tag against current contractor and project rosters. The deltas are decommission candidates.

Step 4: Identify VM and ephemeral-cloud workloads. Cross-reference against your CMDB or cloud asset inventory. Short-lived VMs that registered as endpoints in CI/CD or test environments should not be billing against your EDR license. If they are, talk to whoever owns retention in the console — there's almost always a setting that nobody tuned.

Step 5: Reconcile the survivor list against headcount. Separate user endpoints from server and cloud workloads first, since workloads legitimately inflate the raw ratio (that is why the 12,000-18,000 endpoint range above is normal for a 10,000-person company). If the cleaned user-endpoint count is still more than 1.4× headcount, you have a configuration problem (multiple agents per device, reimaged machines registering as new hosts) or an inventory problem (devices that should have been collected at offboarding but weren't). Either way, the next finding is bigger than the first one.

Step 6: Open the tier question. With a clean device count, the per-device tier decision becomes a real conversation. Internal SOC maturity, threat model, detection engineering capacity — those determine whether you need Elite, Enterprise, or Pro. Most enterprises that have run this audit honestly find one tier of headroom.
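The worked 10,000-device example above and Steps 1-5 of this checklist are the same join, done by hand in a console. The script below is an added example of that join, not SeatCompress tooling: it reads a host export in the shape of a Hosts → Host Management CSV, an HRIS termination export, a contractor roster and a cloud asset inventory, buckets every stale host by why it is stale, prices the decommission candidates at the post's $15/device/month reference rate, and computes the Step 5 survivor ratio. Every row of data is constructed, the column names are assumptions (real console exports carry many more columns), and the bucket rules are the post's five mechanisms written as code.

```python
"""Stale-endpoint audit over constructed EDR, HRIS and cloud-inventory exports.
Added example, not SeatCompress or CrowdStrike code. All data is constructed."""
import csv
import io
from datetime import date, timedelta

AS_OF = date(2026, 5, 29)        # audit date (constructed)
STALE_DAYS = 90                  # the post's Last Seen threshold
FALCON_ENTERPRISE_RATE = 15.00   # $/device/month, catalog reference used in the post

# Constructed stand-in for the console export; column names are assumptions.
EDR_EXPORT = """\
hostname,owner_email,last_seen,tags,platform
LT-ALICE,alice@acme.example,2026-05-28,env:prod,Windows
LT-BOB,bob@acme.example,2026-01-10,env:prod,Windows
LT-CAROL,carol@acme.example,2026-02-01,env:prod,macOS
LT-DAVE,dave@acme.example,2026-05-27,env:prod,macOS
LT-ERIN,erin@acme.example,2026-02-10,env:prod,Windows
LT-CTR-07,vendor1@ext.example,2025-11-20,purpose:contractor,Windows
LT-CTR-09,vendor2@ext.example,2026-01-05,purpose:contractor,Windows
LAB-IMG-03,,2026-01-15,env:lab,Windows
CI-RUNNER-a91f,,2026-01-30,env:ci,Linux
CI-RUNNER-b22c,,2026-02-02,env:ci,Linux
SRV-DB-01,,2026-05-29,env:prod,Linux
"""

# Constructed HRIS termination export (last 24 months).
HR_TERMINATIONS = """\
email,termination_date
bob@acme.example,2026-01-09
carol@acme.example,2026-01-31
"""

ACTIVE_CONTRACTORS = {"vendor2@ext.example"}   # constructed procurement roster
LIVE_CLOUD_ASSETS = {"SRV-DB-01"}              # constructed CMDB / cloud inventory
CURRENT_HEADCOUNT = 3                          # alice, dave, erin (constructed)


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def classify_hosts(edr_csv=EDR_EXPORT, hr_csv=HR_TERMINATIONS,
                   contractors=ACTIVE_CONTRACTORS, live_assets=LIVE_CLOUD_ASSETS,
                   as_of=AS_OF, stale_days=STALE_DAYS):
    """Steps 1-4 of the checklist. Returns {bucket: [hostnames]} in export order."""
    cutoff = as_of - timedelta(days=stale_days)
    departed = {r["email"].lower() for r in _rows(hr_csv)}
    buckets = {k: [] for k in ("active", "departed_owner", "contractor_ended",
                               "lab_image", "ephemeral_vm", "stale_unexplained")}
    for r in _rows(edr_csv):
        host, owner = r["hostname"], r["owner_email"].lower()
        tags = set(r["tags"].split(";")) if r["tags"] else set()
        if date.fromisoformat(r["last_seen"]) >= cutoff:
            buckets["active"].append(host)           # Step 1: not stale
        elif owner in departed:
            buckets["departed_owner"].append(host)   # Step 2: cleanest candidates
        elif "purpose:contractor" in tags:
            # Step 3: only a contractor no longer on the roster is a candidate;
            # a current contractor's stale laptop needs a human follow-up.
            key = "contractor_ended" if owner not in contractors else "stale_unexplained"
            buckets[key].append(host)
        elif "env:lab" in tags:
            buckets["lab_image"].append(host)        # Step 3: recycled test boxes
        elif ("env:ci" in tags or r["platform"] == "Linux") and host not in live_assets:
            buckets["ephemeral_vm"].append(host)     # Step 4: no longer in the CMDB
        else:
            # Stale, owned by a current employee, no explanation: do not delete blindly.
            # If the hardware still exists it is an unmonitored endpoint, which is a
            # security finding before it is a billing one.
            buckets["stale_unexplained"].append(host)
    return buckets


DECOMMISSION_BUCKETS = ("departed_owner", "contractor_ended", "lab_image", "ephemeral_vm")


def decommission_candidates(buckets):
    """Hosts that can go into the renewal true-down once disposal is confirmed."""
    return sorted(h for k in DECOMMISSION_BUCKETS for h in buckets[k])


def annual_savings(device_count, rate_per_month=FALCON_ENTERPRISE_RATE):
    """Dollars per year freed by removing device_count billed agents."""
    return device_count * rate_per_month * 12


def headcount_ratio(buckets, headcount=CURRENT_HEADCOUNT, trigger=1.4):
    """Step 5: survivors (active + still-unexplained) per current employee.
    Servers and VMs inflate this legitimately; reconcile against the CMDB before
    treating an over-trigger ratio as waste."""
    survivors = len(buckets["active"]) + len(buckets["stale_unexplained"])
    ratio = survivors / headcount
    return round(ratio, 2), ratio > trigger


if __name__ == "__main__":
    b = classify_hosts()
    cands = decommission_candidates(b)
    for k, v in b.items():
        print(f"{k:18} {len(v):3}  {', '.join(v)}")
    print(f"decommission {len(cands)} hosts -> ${annual_savings(len(cands)):,.0f}/yr "
          f"at ${FALCON_ENTERPRISE_RATE}/device/month")
    print("survivors per employee, over trigger:", headcount_ratio(b))
```

On the constructed data the script flags six hosts for decommission and leaves two stale hosts (a current employee's laptop and a current contractor's laptop) in the follow-up bucket rather than the delete bucket. That split is the point: the same `annual_savings` function priced at 1,000 devices gives the $180K figure from the worked example, but the hosts that reach it should only be the ones whose hardware you have confirmed is gone.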

Six steps, one week of work, six-figure outcome at enterprise scale. The same pattern as the per-employee audit we documented in the PEPM Blind Spot: the lever sits on a dimension the legacy SaaS-spend dashboards don't render natively, so the savings hides in plain sight until somebody pulls it manually.

The bottom line

Per-device pricing isn't per-seat and isn't per-employee. It bills on what's installed, regardless of whether the install is current, the user is current, or the machine still exists. The 10-15% stale-device over-count we see on first audits is large enough that endpoint security is one of the highest-leverage line items in the enterprise SaaS budget — before you even consider whether the tier matches the threat model.

At 10,000 devices, the device-hygiene lever alone is $180K-$270K/year. With a defensible tier downgrade, the combined number routinely clears $500K to seven figures. None of it shows up on an SSO-driven license audit, because the unit of waste isn't a dormant seat. It's a ghost endpoint, and the data lives in the EDR console, not in Okta.

The CFOs who pull this audit before their next CrowdStrike or SentinelOne renewal find numbers their procurement team did not surface, because procurement was benchmarking against headcount, and the lever was the device count. Per-device sits alongside per-seat, per-employee, and usage as one of four pricing dimensions, and the legacy SaaS-spend tools render only the first of them; we map the whole landscape in Dimensional SaaS Compression. One renewal cycle of disciplined MDM/EDR hygiene pays for an entire year of the operational discipline that produces it.
