WHERE ON-PREMISE COSTS MORE THAN BUYERS REALISE

The six line items that compound year over year.

18-25% annual Software Assurance

Milestone Care Plus, Genetec SMA, Hikvision SA, Bosch SA - mandatory for security patches and version upgrades. Five years = 100-125% of the original licence again. Skip it for 18-24 months and the software ages out.

Windows Server + MS SQL CALs

On-prem VMS runs on Windows Server. Plus MS SQL Server CALs in HikCentral, BVMS, XProtect. OS patches, antivirus exclusions, backup strategy - all customer-owned overhead.

Hardware refresh every 3-5 years

NVR appliances, DIVAR IP, Husky, Streamvault all age out. Customer pays for replacement on a cycle the integrator can rarely predict accurately.

Analytics modules billed separately

LPR / ANPR, AI search, facial recognition, access integration, multi-site federation - on-prem VMS bills each as a separate per-camera or per-server module. Genetec AutoVu, Milestone BriefCam, HikCentral AcuSeek, Bosch IVA each carry their own stack.

Inbound port for remote view

Every on-prem VMS that supports remote viewing opens a port through the firewall. Post-ransomware, corporate IT mandates "no inbound ports" - the on-prem architecture fails the policy.

Engineer truck-rolls for upgrades

Major version upgrades, OS patches that break things, hardware swaps, multi-site federation reconfigures - each is a billable site visit. Cloud upgrades happen in the vendor's backend with zero customer visits.

ON-PREMISE vs CLOUD VSaaS

Two delivery models. Same management function.

On-premise CCTV

Perpetual licence + 18-25%/year Software Assurance / Care Plus / SMA

Customer-hosted Windows Server + MS SQL Server CALs

NVR / DIVAR / Husky / Streamvault appliance refresh every 3-5 years

Add-on modules (LPR, AI, access) billed separately per camera or server

Inbound port through the firewall for remote view

Engineer truck-roll for major upgrades and multi-site federation changes

NDAA-banned hardware (HikCentral Chinese, DSS Pro Chinese) excluded from US federal-adjacent and Canadian federal deployments

TetherX cloud VSaaS

Annual platform subscription priced by channel count - upgrades and patches included

TetherBox at each site for local resilience and ringfencing

Outbound-only encrypted tunnel - no inbound ports through the firewall

200+ camera manufacturers and any ONVIF device, including existing Hikvision / Dahua kit behind the TetherBox

Optional per-camera cloud recording, AI search, ARC monitoring on top - no add-on stack

Continuous cloud delivery - no version-upgrade projects, no truck-rolls

Multi-site by default - one cloud console for unlimited sites

Pricing figures, ownership, acquisition dates and product behaviour cited on this page are point-in-time and drawn from public sources - see the disclaimer at the bottom of this page for sourcing, "as of" date, and how to flag corrections.

FAQ

Questions before you move from on-premise to cloud

Three layers, all owned and maintained by the customer:

Hardware: Windows or Linux server (HikCentral Pro requires server-grade Dell or HP), DIVAR IP / Husky / Streamvault appliance for those who buy bundles, NVR (Hikvision DS-7600 Chinese, Dahua NVR4000 Chinese, Avigilon HD NVR Canadian/Motorola, Bosch DIVAR IP German), iSCSI / NetApp storage fabric at scale.

Software: VMS perpetual licence (Milestone XProtect Danish/Canon, Genetec Security Center Canadian, HikCentral Pro Chinese, DSS Pro Chinese, Bosch BVMS German, Exacq Vision American/JCI, Senstar Symphony Canadian, VIVOTEK VAST 2 / VSS Taiwanese, Avigilon Unity Canadian/Motorola). Plus MS SQL Server CALs in most stacks.

Ongoing services: Software Assurance (Milestone Care Plus, Genetec SMA, Hikvision SA, Bosch SA) at 18-25% of licence price every year; OS patching; antivirus exclusions; backup; firewall + port-forwarding for remote view; VPN concentrator for multi-site.

One subscription line item. The vendor runs the management software in the cloud, handles version upgrades, applies security patches, and provides the multi-site dashboard. Customer (or integrator) installs cameras and points them at the cloud - or, for hybrid VSaaS (TetherX, Eagle Eye Networks American/Brivo, Milestone Arcules Danish/Canon), at a small on-site appliance like a TetherBox that handles local recording and uploads metadata + clips on demand.

The hidden cost in on-premise CCTV is the Software Assurance: 18-25% of original licence price every year, mandatory for security patches and version upgrades. Skip it for 18-24 months and the software ages out. Five years of SMA = 100-125% of the original licence price *again*.

Add: Windows Server hardware refresh every 3-5 years, MS SQL Server CAL costs, separately-licensed analytics modules (LPR, face, AI, access integration), stranded licences when a site shrinks, OS patching time, antivirus configuration drift, VPN concentrator for multi-site, and any per-site engineer truck-roll for major upgrades.

VSaaS subscription rolls all of this into one number. At 50-500 cameras, VSaaS is usually lower. At 500-1,000 cameras it's comparable. Above 1,000 cameras at a single critical-infra site (airport, transit, utility), on-premise often still wins.

Three places. Critical infrastructure with no-cloud mandates - airports, transit, utility substations, defence sites where the security policy explicitly forbids cloud egress. 1,000+ camera single sites where bandwidth math against pure cloud breaks down and on-premise iSCSI / VRM storage (Bosch BVMS Enterprise German, Genetec Security Center Canadian, Milestone XProtect Corporate Danish) is genuinely the right architecture. Air-gapped networks with no Internet egress at all.

For the 50-500 camera mid-market and the multi-site retail / hospitality / property-management / commercial portfolio, on-premise is almost always over-cooked.

This is the single biggest driver of on-premise-to-VSaaS migration in 2024-26. Verbatim 2025 integrator quote from IPVM's 120-integrator survey: "EagleEye cloud because a major client had a ransomware attack and their corporate IT dept mandated a no open port policy. Cloud was the solution to meet this requirement."

Every on-premise VMS that supports remote viewing needs an inbound port through the firewall. Post-ransomware, corporate IT bans inbound ports site-wide. The on-premise VMS architecture fails the policy. VSaaS with outbound-only encrypted tunnel meets it. The TetherBox implements exactly this pattern.

Honest answer: hybrid is what VMS vendors recommend to protect on-premise revenue. Milestone's own why-hybrid-VMS-VSAAS blog walks back the cloud commitment to keep Care Plus / SMA renewals alive. Genuine hybrid use cases: 1,000+ cameras at one site with limited upload, or critical-infra sites with multi-tier on-prem + cloud-managed-overview.

For everyone else, "hybrid" is usually VSaaS with a TetherBox / Bridge / Gateway at the edge for resilience - which is just modern VSaaS architecture, not hybrid in the legacy sense.

On-premise flagships: Milestone XProtect Express+/Pro+/Expert/Corporate (Danish, Canon-owned), Genetec Security Center (Canadian), HikCentral Pro (Chinese, Hikvision - NDAA-banned), DSS Pro (Chinese, Dahua - NDAA-banned), Bosch BVMS Lite/Plus/Pro/Enterprise (German, Triton/Keenfinity since Dec 2024), Exacq Vision (American, Johnson Controls), Avigilon Unity (Canadian, Motorola Solutions).

Hybrid (on-prem + sister cloud): Milestone XProtect + Arcules (the Arcules brand merged back into Milestone July 2024), Genetec Security Center + Stratocast + Security Center SaaS, Hikvision HikCentral Pro + HikCentral Connect.

Cloud-native VSaaS: Verkada (American), Rhombus (American), Eagle Eye Networks (American, Brivo since Dec 29 2025), Videoloft (British), Camcloud (Canadian), YourSix (American, Axis-only), Avigilon Alta (Canadian, Motorola), TetherX (UK + AU).

Yes. 30-day free trial through an integrator partner with a TetherBox, full platform access, and a dedicated onboarding contact. Run TetherX alongside the existing on-premise VMS to see the operational difference. No card, no commitment.

Want this at your site?

Get a quote from a certified TetherX installer. We will match you with a local partner who knows your area and your needs.

Certified Installers
Local to You
No Obligation
Prefer to browse partners first? See our partner directory →
ALSO COMPARED

See TetherX against another VMS

Researching options? Read the side-by-side for each VMS the channel asks about most.

Verkada

Closed proprietary ecosystem vs open cameras, no lock-in.

Avigilon Alta

Motorola ecosystem pull vs genuinely brand-agnostic.

Cisco Meraki

Tied to Cisco networking stack vs network-agnostic.

iVMS / DSS / EZStation

Free Windows-only single-brand tools vs cloud-native multi-site.
See all comparisons

Need a 5-year TCO worked example for a specific on-premise CCTV retrofit?

Read the full FAQ Compare all VSaaS providers Vendor comparison hub

Try TetherX free for 30 days

Run TetherX alongside the existing on-premise VMS for a 30-day trial. Compare them side-by-side at the same sites. No card, no rip-and-replace.

Start Free Trial

About this comparison. Information about other vendors is drawn from their public product pages, datasheets, integrator forums (Reddit, vendor user groups), public CVE databases (NVD, CISA) and customer conversations - accurate to the best of our knowledge as of Q2 2026. Pricing, features, security posture and policies change. A vendor may have shipped a fix, dropped a price, added a region or changed an architecture since this page was last reviewed.

If you believe anything here is inaccurate or out of date, please contact us and we will review and correct it. Trademarks and product names belong to their respective owners and are referenced here for identification only.