WHERE ON-PREMISE COSTS MORE THAN BUYERS REALISE

The eight line items that pile up year over year.

18-25% annual maintenance fee

Milestone Care Plus, Genetec SMA, Hikvision SA, Bosch SA - same idea under different names. Mandatory for security patches and version upgrades. Five years = the original licence price again. Skip it for 18-24 months and the software ages out.

Windows Server (+ SQL on some stacks)

On-prem VMS runs on Windows Server. Large Milestone XProtect and Genetec systems also need a paid Microsoft SQL Server licence (the free Express edition runs out around 300 cameras); HikCentral bundles PostgreSQL. Either way, OS patching, antivirus exclusions and backups are all customer-owned overhead.

Hardware refresh every 3-5 years

NVR appliances, DIVAR IP, Husky and Streamvault boxes all age out. The customer pays for replacement on a cycle the installer rarely predicts accurately.

Analytics modules billed separately

LPR (number-plate recognition), AI search, facial recognition, access integration, multi-site federation - on-prem VMS bills each as a separate per-camera or per-server module. Genetec AutoVu, Milestone BriefCam, HikCentral AcuSeek, Bosch IVA each carry their own stack.

Inbound port for remote view

Every on-prem VMS that supports remote viewing opens a port through the firewall. Corporate IT often requires "no inbound ports" - sometimes after a ransomware incident, more often just modern security baseline. The on-prem architecture fails that policy.

Engineer visits for upgrades

Major version upgrades, OS patches that break things, hardware swaps, multi-site federation reconfigures - each is a billable site visit. Cloud upgrades happen on the vendor's side with no customer visits.

A workstation per operator

On-prem control rooms need a dedicated Windows PC with a discrete GPU for every operator position, each running client software to install, configure and patch - and concurrent access is capped (HikCentral Pro allows 100 clients, older versions just 5). Cloud VSaaS opens in a browser or mobile app from any modern device, with no per-seat hardware and no client install.

One server, one point of failure

The on-prem management server is a single point of failure: if it goes down - or its licence dongle is lost - central management of the whole estate goes with it. Cloud VSaaS is hosted with redundancy and recovery built in, and most issues are resolved in minutes, not a site visit.

ON-PREMISE vs CLOUD VSaaS

Two delivery models. Same management function.

The honest read on where each one wins and where each one costs you something.

On-premise CCTV

Strengths

Genuinely the right answer for 1,000+ camera single sites (airports, transit, utility) where the bandwidth maths against pure cloud breaks down and iSCSI / VRM storage scales

Works on air-gapped networks with no Internet access at all - mandatory for some defence and critical-infrastructure deployments

Trade-offs

A large up-front capex outlay - the licence cost alone typically lands at three to four years of the equivalent VSaaS subscription, and that is the software before the servers and operator workstations needed to run it

Perpetual licence + 18-25% / year maintenance fee, plus Windows Server licences (and paid SQL Server on Milestone / Genetec stacks), plus appliance refresh every 3-5 years - the customer absorbs all of it

Inbound port through the firewall for remote view fails the "no inbound ports" baseline that corporate IT now mandates, and engineer visits are required for major upgrades, multi-site federation changes and patching

The industry is moving on: vendors are investing in cloud and modern web platforms while the monolithic Windows Server products are increasingly left in maintenance mode - slower feature releases and longer gaps between meaningful updates

TetherX cloud VSaaS

Strengths

Annual subscription priced by channel count (from £80/site/year) - upgrades, patches and multi-site management included; no Windows Server, no MS SQL licences, no per-site engineer visits

1,000+ integrations and any ONVIF device, including existing Hikvision and Dahua kit ringfenced behind the TetherBox; outbound-only encrypted tunnel meets the no-inbound-ports policy

Optional per-camera cloud recording, AI search and ARC monitoring on top - no long list of extras, no separately-licensed analytics modules

Opens in a browser or on iOS / Android from any reasonably modern laptop, tablet or phone, anywhere - no per-operator workstation or GPU, no client software to install or patch, and no concurrent-user licence cap

Integrates each camera over its native API, not lowest-common-denominator ONVIF - so on-camera analytics (Bosch IVA, AXIS, LPR / ANPR) surface in TetherX at full depth, the same as a tightly-coupled vendor stack

Trade-offs

If the deployment is a single 1,000+ camera critical-infrastructure site with an on-cloud-traffic ban or an air-gap requirement, a deep on-prem stack (Bosch BVMS Enterprise, Genetec Security Center, Milestone XProtect Corporate) remains the more natural fit

WORKED EXAMPLE - 5-YEAR TCO

What five years actually costs: 1,000 cameras, 100 sites, 10 operators

On-premise is sold on the licence price. The licence is only the first line. Below is an illustrative 5-year build-up for a distributed multi-site estate, using publicly listed pricing - split into the capital expenditure paid up front and the operating cost that follows. VSaaS turns the whole lot into one operating subscription, with no capex at all.

Cost line (5 years) On-premise VMS TetherX VSaaS
Up front — capital expenditure (capex)
Per-camera software licences
1,000 cameras × around $70-98 each, perpetual		 $70,000-98,000 Included — no per-camera licence
Windows Server licence(s)
plus paid MS SQL on Milestone / Genetec stacks		 $2,000-6,000 Included
Management & streaming servers
sized for 1,000 cameras		 $8,000-15,000 Included
Operator workstations with GPU
10 seats, dedicated graphics + client install		 $8,000-12,000 Any browser, tablet or phone — $0
Install & configuration
initial rollout across 100 sites		 $15,000-30,000 Remote deploy, no per-site visit
Total up front (capex) $100,000–160,000 $0 — nothing bought outright
Then over 5 years — operating expenditure (opex)
Hardware refresh + ongoing engineer visits
servers / workstations age out, upgrade call-outs		 $15,000-30,000 Included — no hardware to refresh
Maintenance / upgrade fees
free around 36 months, then per-camera annual		 $6,000-8,000 (years 4-5) Included — upgrades & patches automatic
In-house IT administration
OS patching, backups, security, scaling		 Ongoing staff time (not costed here) Managed for you
Additional over 5 years (opex)
excludes storage, optional AI and in-house IT labour		 $20,000–40,000 on top One subscription (opex)
Optional AI analytics
on-prem: separate per-camera module		 +$300,000-800,000
1,000 × $300-800/camera		 Edge person/vehicle detection included; advanced AI priced by type

Figures are illustrative and use publicly listed reseller pricing; actual costs vary with vendor, discounting and configuration, and exclude storage (charged either way), in-house IT staff time and optional AI. For a distributed estate like this - around a hundred sites, cameras spread across them - the on-premise stack repeats across every layer, while VSaaS stays one predictable line item. Start a 30-day free trial.

Pricing figures, ownership, acquisition dates and product behaviour cited on this page are point-in-time and drawn from public sources - see the disclaimer at the bottom of this page for sourcing, "as of" date, and how to flag corrections.

FAQ

Questions before you move from on-premise to cloud

Three layers, all owned and maintained by the customer:

Hardware: Windows or Linux server (HikCentral Pro requires a server-grade Dell or HP), a DIVAR IP / Husky / Streamvault appliance for those buying bundles, NVRs - Network Video Recorders such as Hikvision DS-7600 (Chinese), Dahua NVR4000 (Chinese), Avigilon HD NVR (Canadian, Motorola) or Bosch DIVAR IP (German) - and iSCSI / NetApp storage at scale.

Software: a VMS perpetual licence - Milestone XProtect (Danish, Canon), Genetec Security Center (Canadian), HikCentral Pro (Chinese), DSS Pro (Chinese), Bosch BVMS (German), Exacq Vision (American, JCI), Senstar Symphony (Canadian), VIVOTEK VAST 2 / VSS (Taiwanese) or Avigilon Unity (Canadian, Motorola). Large Milestone XProtect and Genetec stacks also need a paid Microsoft SQL Server licence (Express is free to around 300 cameras); HikCentral bundles PostgreSQL.

Ongoing services: the annual maintenance fee (Milestone Care Plus, Genetec SMA, Hikvision SA, Bosch SA - all branded differently, same idea) at 18-25% of the licence price every year; OS patching; antivirus exclusions; backups; firewall plus port-forwarding for remote view; a VPN concentrator for multi-site.

One subscription line item. The vendor runs the management software in the cloud, handles version upgrades, applies security patches, and provides the multi-site dashboard. Customer (or integrator) installs cameras and points them at the cloud - or, for hybrid VSaaS (TetherX, Eagle Eye / Brivo American, Milestone Arcules Danish/Canon), at a small on-site appliance like a TetherBox that handles local recording and uploads metadata + clips on demand.

The hidden cost in on-prem CCTV is the annual maintenance fee - 18-25% of the original licence price every year, mandatory for security patches and version upgrades. Skip it for 18-24 months and the software ages out. Five years of that fee equals the original licence price again.

Add: Windows Server hardware refresh every 3-5 years, Microsoft SQL Server licences on large Milestone / Genetec stacks, separately-licensed analytics modules (LPR - Licence Plate Recognition - facial recognition, AI, access integration), leftover licences when a site shrinks, OS patching time, antivirus configuration drift, a VPN concentrator for multi-site, and an engineer visit per site for major upgrades.

VSaaS rolls all of this into one predictable number, with upgrades, security patches and support included. For the vast majority of deployments - multi-site estates, distributed cameras, anything that needs remote access - VSaaS comes out lower once you count the servers, operator workstations, maintenance fees and in-house IT time, not just the headline licence. On-premise keeps a genuine cost edge in only one narrow case: a single very large site (1,000+ cameras in one location) with the bandwidth profile to match, or an air-gapped / no-cloud-mandate environment. Spread those same cameras across multiple sites and the on-premise stack has to be rebuilt and maintained at every one, while VSaaS stays a single line.

Three places. Critical infrastructure with no-cloud mandates - airports, transit, utility substations, defence sites where the security policy explicitly forbids cloud traffic. 1,000+ camera single sites where the bandwidth maths against pure cloud breaks down and on-prem iSCSI or VRM storage (Bosch BVMS Enterprise, Genetec Security Center, Milestone XProtect Corporate) is genuinely the right answer. Air-gapped networks with no Internet access at all.

For sites of 1-500 cameras and multi-site retail, hospitality, property-management and commercial estates, on-prem is almost always overkill.

Every on-prem VMS that supports remote viewing needs an inbound port through the firewall. Corporate IT teams increasingly ban inbound ports as a security baseline - sometimes after a ransomware incident, more often just standard modern policy. The on-prem VMS architecture fails that policy. VSaaS with an outbound-only encrypted tunnel meets it. The TetherBox is built exactly that way.

Honest answer: hybrid is what VMS vendors recommend to protect on-prem revenue. Milestone's own blog defending hybrid walks back the cloud commitment to keep Care Plus and SMA renewals alive. Real hybrid use cases do exist: 1,000+ cameras at one site with limited upload bandwidth, or critical-infrastructure sites that want on-prem recording with a cloud-managed overview on top.

For everyone else, "hybrid" is usually just VSaaS with a TetherBox / Bridge / Gateway at the edge for resilience - which is modern VSaaS architecture, not hybrid in the old-school sense.

Yes - and it's the clearest signal of where the industry is heading. Almost every major on-premise VMS now has a cloud or cloud-managed sibling: Milestone launched (then reabsorbed) Arcules, Genetec pushes Security Center SaaS and Stratocast, Hikvision added HikCentral Connect, Bosch and Avigilon both have cloud lines. The reason is the same one buyers feel: a monolithic Windows Server application is increasingly hard and costly to maintain, secure and extend, whereas a platform built on modern web standards ships features and security fixes continuously, with nothing for the customer to patch or upgrade. As R&D shifts to these cloud platforms, the legacy on-premise product lines tend to see less active development - slower feature releases and longer gaps between meaningful updates - so the customer-hosted option is the one falling behind over time.

The catch is that bolting a cloud layer onto a legacy on-premise core is not the same as a platform built cloud-native from day one. TetherX was designed for the cloud from the start - so you get the modern model without dragging the on-premise architecture along underneath it.

On-premise flagships: Milestone XProtect Express+/Pro+/Expert/Corporate (Danish, Canon-owned), Genetec Security Center (Canadian), HikCentral Pro (Chinese, Hikvision - NDAA-banned), DSS Pro (Chinese, Dahua - NDAA-banned), Bosch BVMS Lite/Plus/Pro/Enterprise (German, Triton/Keenfinity since Dec 2024), Exacq Vision (American, Johnson Controls), Avigilon Unity (Canadian, Motorola Solutions).

Hybrid (on-prem + sister cloud): Milestone XProtect + Arcules (the Arcules brand merged back into Milestone July 2024), Genetec Security Center + Stratocast + Security Center SaaS, Hikvision HikCentral Pro + HikCentral Connect.

Cloud-native VSaaS: Verkada (American), Rhombus (American), Eagle Eye / Brivo (American), Videoloft (British), Camcloud (Canadian), YourSix (American, Axis-only), Avigilon Alta (Canadian, Motorola), TetherX.

Yes. 30-day free trial through an integrator partner with a TetherBox, full platform access, and a dedicated onboarding contact. Run TetherX alongside the existing on-premise VMS to see the operational difference. No card, no commitment.

Want this at your site?

Get a quote from a certified TetherX installer. We will match you with a local partner who knows your area and your needs.

Certified Installers
Local to You
No Obligation
Prefer to browse partners first? See our partner directory →
ALSO COMPARED

See TetherX against another VMS

Researching options? Read the side-by-side for each VMS the channel asks about most.

Network Optix / Nx Witness

On-prem-first VMS with cloud overlay - same engine ships as DW Spectrum and Wisenet WAVE. Russian engineering heritage flag for NDAA/AUKUS procurement.

Verkada

Closed proprietary ecosystem vs open cameras, no lock-in.

Compliance and ringfencing

Keep existing kit secure where rules allow; phase replacement where they require it. Covers NDAA, UK, AU, India.

Cisco Meraki

Tied to Cisco networking stack vs network-agnostic.
See all comparisons

Need a 5-year TCO worked example for a specific on-premise CCTV retrofit?

Read the full FAQ Compare all VSaaS providers Vendor comparison hub

Try TetherX free for 30 days

Run TetherX alongside the existing on-premise VMS for a 30-day trial. Compare them side-by-side at the same sites. No card, no rip-and-replace.

Start Free Trial

Across the partner network

TetherX partners hold the accreditations security-procurement buyers and insurers filter on. Coverage varies by partner.

NSI 9 ISO 9001 7 SSAIB 5 SafeContractor 5 BAFE 4 CHAS 4 ConstructionLine 4 Cyber Essentials 3 NICEIC 2 ISO 14001 2 ISO 27001 1

Counts reflect partners currently in the TetherX directory holding each accreditation.

Anything wrong on the VSaaS vs on-premise comparison?

Flag an inaccuracy, an outdated fact, or a missing nuance on the VSaaS vs on-premise page. We update the per-vendor pages and the /compare hub from this inbox - real reply, real human.

Please tell us what to call you.
Please enter your email address.
Please tell us what to fix or add.
Please complete the reCAPTCHA verification.

We reply within 1 business day. No newsletter, no follow-up sequence.

[1] About this comparison. Information about other vendors is drawn from their public product pages, datasheets, integrator forums (Reddit, vendor user groups), public CVE databases (NVD, CISA), publicly-listed LinkedIn company pages (headcount, headquarters, founding year, leadership transitions and corporate ownership signals) and customer conversations - accurate to the best of our knowledge as of Q2 2026. Pricing, features, security posture and policies change. A vendor may have shipped a fix, dropped a price, added a region or changed an architecture since this page was last reviewed.

If you believe anything here is inaccurate or out of date, please contact us and we will review and correct it. Trademarks and product names belong to their respective owners and are referenced here for identification only.

Start trial Call now

30 days free. No card. Talk to a local installer.