Cost Model

As-of: 2026-05-09. Azure pricing sourced from Azure App Service Linux Pricing and Azure Database for PostgreSQL Flexible Server Pricing. All figures are Central US region, pay-as-you-go. Verify all figures against current Azure pricing pages before presenting to stakeholders — prices may have changed since this document was last updated.

Build Cost (One-Time + Projected)

v1 — Spent to Date

Category	Effort / Cost	Notes
Backend architecture + implementation	~200 engineering hours	5 streams: governance hardening, policy engine, ephemeral issuance, vault integration, notification skeleton
Frontend (React + Fluent UI 9)	~60 engineering hours	Full UI with auth, routing, lease management, admin views
Policy engine (pure evaluator + 6 rules)	~40 engineering hours	Included in backend total; called out for CTO visibility
Seed/fixture system	~15 engineering hours	`seed-definition.ts` single-source-of-truth approach
Deploy pipeline (staging + prod scripts)	~20 engineering hours	PowerShell scripts, zip deploy, smoke tests
Azure provisioning (staging)	~10 engineering hours	Resource group, App Service, Postgres, Key Vault, Entra registration
Azure provisioning (prod — partial)	~5 engineering hours	Resource group + App Service created, not configured
Keeper integration (KSM + Commander)	~30 engineering hours	Included in backend total; called out for vendor-specific effort
Integration + pressure testing	~20 engineering hours	4 integration test suites, 2 pressure test scripts
Total v1 engineering	~400 engineering hours	Single engineer (Ben). No external contractors.

Tooling / Licenses	Cost	Notes
Azure subscription (staging, ~2 weeks)	~$25–40	B1 App Service + B1ms Postgres + Key Vault ops
Keeper trial	$0 (trial)	12-day trial from provisioning date. Expiry is imminent.
Dev tooling (IDE, GitHub, CI)	$0	Existing infrastructure
Total v1 tooling spend	~$25–40	Excludes engineering labor cost

v3 — Projected Build Cost

Category	Estimated Effort	Notes
Production deployment + VNet/NAT/private endpoints	20–30 hours	Infrastructure + validation
Bot Framework registration + Teams integration	15–25 hours	M365 admin coordination, bot identity, Adaptive Card wiring
Governance hardening (`HARDEN_GOVERNANCE_v1=true`)	10–15 hours	Runtime validation, staging soak, flag flip
Frontend test runner + coverage expansion	15–20 hours	Wire vitest, expand from 1 spec to baseline coverage
Discovery strategy finalization (UID-pinned)	10–15 hours	Reconcile hand-linked SQL, validate discovery job
Dedicated Postgres database + baseline migration	5–10 hours
Keeper license conversion + KSM folder grants	5–10 hours	External coordination with Keeper
Total v3 projected	80–125 hours	Scope not locked — this is directional.

v4 — Projected Build Cost

Category	Estimated Effort	Notes
SMS gateway integration (ACS or Twilio)	20–30 hours	API integration, Key Vault config, error handling
Two-step issuance flow (challenge + OTP)	30–40 hours	New `ChallengeEvent` model, `challenge.service.ts`, endpoint changes
Android companion app (if option A)	80–120 hours	Native Android dev, push notification, biometric
Standard SMS delivery (if option B)	0 additional hours	No app needed
Security review + threat modeling	20–30 hours	SIM swap mitigation analysis, penetration testing
Total v4 projected	70–220 hours	Range depends on companion app vs. SMS-only decision

Ongoing Cost (Monthly Run Rate)

v1 Staging (Current)

Resource	SKU	Est. Monthly Cost	Source
App Service Plan	B1 Linux (1 core, 1.75 GB)	~$13	Azure pricing page — verify
Postgres Flexible Server	Burstable B1ms (1 vCore, 2 GB)	~$12–15	Azure pricing page — verify. Plus storage at ~$0.115/GB/mo.
Postgres storage	32 GB provisioned	~$3.70	Estimate based on standard provisioned storage
Key Vault	Standard (operations)	~$0.50–1.00	$0.03/10K operations; low volume in staging
Application Insights	Data ingestion	~$1–3	~$2.30/GB ingested; staging is low volume
Total staging		~$30–37/mo	Below the $50/mo budget alert threshold set in manifest

v3 Production (Projected)

Resource	SKU Recommendation	Est. Monthly Cost	Notes
App Service Plan	S1 Standard (1 core, 1.75 GB, custom domain + SSL, auto-scale)	~$69	Verify. B1 lacks custom domain SSL and auto-scale. S1 is the minimum production tier.
Postgres Flexible Server	General Purpose D2s_v3 (2 vCores, 8 GB)	~$100–125	Verify. Burstable may suffice initially but GP is recommended for production SLA.
Postgres storage	64 GB provisioned + backup	~$10–15	Growing with audit trail accumulation
Key Vault	Standard	~$1–2	Modest operation volume
Application Insights	Data ingestion	~$5–15	Depends on telemetry volume; 2–6 GB/mo estimated
NAT Gateway	Standard	~$32 + $0.045/GB processed	Fixed hourly cost + per-GB data processing
Keeper licensing	Per-seat or platform fee	TBD	Trial must be converted. Contact Keeper for enterprise pricing.
Bot Framework	Free tier (Teams channel)	$0	Free for standard channels including Teams
Total production		~$220–260/mo	Excludes Keeper licensing (TBD)

v4 Production (Projected Additions)

Resource	SKU	Est. Monthly Cost	Notes
Azure Communication Services (SMS)	Per-message	~$0.0075/msg (US)	Volume-dependent. 100 msgs/mo = $0.75; 1,000 msgs/mo = $7.50
OR Twilio SMS	Per-message	~$0.0079/msg (US) + $1/mo phone number	Slightly higher per-message, additional phone number cost
Additional App Insights (challenge events)	Marginal	~$2–5	New telemetry surface for OTP events

Projected Cost at Scale

Cost Scaling Model

Scale	Users	Est. Requests/Mo	App Service	Postgres	KV	Insights	NAT GW	SMS (v4)	Total/Mo	Per-User/Mo
Pilot	10	50	S1: ~$69	B1ms: ~$15	~$1	~$3	$0 (no VNet)	—	~$88	~$8.80
Department	100	500	S1: ~$69	D2s_v3: ~$125	~$2	~$8	~$35	~$4	~$243	~$2.43
Division	1,000	5,000	P1V2: ~$140	D4s_v3: ~$250	~$5	~$25	~$40	~$38	~$498	~$0.50
Enterprise	10,000	50,000	P2V2: ~$280	D8s_v3: ~$500	~$15	~$70	~$55	~$375	~$1,295	~$0.13

All figures are estimates. Verify against current Azure pricing. Keeper licensing is excluded from all rows — it’s a separate line item that depends on the licensing model negotiated.

Cost-Per-User Trend

Cost per user decreases with scale. The fixed-cost base (App Service, Postgres, NAT Gateway) is amortized across more users. The primary variable costs are Application Insights (scales with telemetry volume) and SMS (scales linearly with message count).

Non-Linear Cost Steps

These are the points where you have to upgrade SKUs:

Trigger	Current SKU	Upgrade To	Cost Jump
Custom domain + SSL needed	B1 (~$13)	S1 (~$69)	+$56/mo
>200 concurrent connections or >1.75 GB memory	S1 (~$69)	P1V2 (~$140)	+$71/mo
>4 vCores needed for Postgres	D2s_v3 (~$125)	D4s_v3 (~$250)	+$125/mo
Postgres IOPS > burstable limit	Burstable (~$15)	General Purpose (~$125)	+$110/mo
High-availability Postgres needed	Single server	Zone-redundant HA	~2x Postgres cost

What’s Not in This Model

Keeper licensing: Pricing is not public. Depends on seat count, enterprise vs. business tier, and negotiated terms. This is likely the single largest cost variable and must be resolved before v3 scoping.
Engineering labor: Ongoing maintenance, on-call, feature development.
Security audit: SOC 2 Type II readiness assessment (typically $30K–80K for initial audit).
Custom domain SSL: Azure-managed certificates are free for custom domains on S1+; third-party certs add cost only if required by policy.
Disaster recovery: Cross-region failover for Postgres and App Service would roughly double infrastructure cost.