It really depends on what you're trying to achieve. I would defer to my team for specific pricing models.
It's really done on a case-by-case basis. I would recommend organizations to start.... One thing we discovered in our businesses is that most organizations may have some sense of what their crown jewel applications are, what their most valuable applications are within their universe. For example, as I mentioned once before, if you're the Office of Personnel Management, a database that stores all the data for all the personnel would be a key application.
Once you've identified your most important applications, you want to map out your data centre, all your applications, and workloads, which are not quite applications, but they provide the connective tissue within your data centre for your applications and servers. You want to map them out. Most organizations haven't done that. If you think about maps as a key element of geostrategy, in order to control your terrain you have to have this map of your interior. That then shows you how all the applications interact.
If Chris is in the marketing department and I'm the guy who handles the key servers for whatever my organization is, a payment system or otherwise, and he gets hacked through an email, there's no reason why his server should ever be interacting with mine. He's not concerned. He's not an engineer. I'm the engineer. In that way, you draw a map of how your applications work and then you set rules for how they interact with one another.
The degree to which an organization wants to set rules for specific crown jewel applications across their enterprise affects the pricing model to some degree. That's why I'm not going to offer you a specific cost. If you want to map your enterprise and begin to set rules internally, that's when you really harden your interior. One of the benefits of setting rules is it provides alarms. If somebody breaks into one server and you know that server shouldn't be interacting.... Again, if he's hacked in the marketing department and I'm an engineer, we know these servers shouldn't be interacting. If you see an intruder doing it, it will set off an alarm so then the security operations team can know somebody's inside.