# Build vs Buy Analysis Template
A structured framework for evaluating build vs buy decisions with cost analysis, risk assessment, and strategic fit criteria.
Build vs buy decisions are among the most consequential technical choices. This template provides a structured framework to evaluate options objectively and make decisions you won't regret.
## Why This Matters
**The Stakes:**
- Wrong build decisions waste engineering resources for years
- Wrong buy decisions create vendor lock-in and hidden costs
- The right choice depends on your specific context, not general rules
**When to use:**
- Evaluating new capabilities or systems
- Considering replacing homegrown solutions
- Vendor contract renewals
- Technical strategy planning
## The Template
# Build vs Buy Analysis: [Capability/System Name]
**Document Owner:** [Name]
**Created:** [Date]
**Last Updated:** [Date]
**Status:** [Draft / In Review / Final]
**Decision Deadline:** [Date]
---
## Executive Summary
### The Decision
**What we're evaluating:** [Brief description of capability needed]
**Options considered:**
1. Build: [Brief description]
2. Buy: [Vendor/Product name]
3. [Other options if applicable]
**Recommendation:** [Build / Buy / Hybrid]
**Rationale (3 sentences max):**
[Why this recommendation makes sense for our situation]
---
## Context and Requirements
### Business Need
**What problem are we solving?**
[Description of the business problem or opportunity]
**Who needs this?**
[Internal teams, customers, etc.]
**Why now?**
[Urgency and timing drivers]
### Requirements
#### Functional Requirements
| Requirement | Priority | Notes |
|-------------|----------|-------|
| [Requirement 1] | Must Have | |
| [Requirement 2] | Must Have | |
| [Requirement 3] | Should Have | |
| [Requirement 4] | Nice to Have | |
#### Non-Functional Requirements
| Requirement | Target | Notes |
|-------------|--------|-------|
| Performance | [Metric] | |
| Scalability | [Target] | |
| Availability | [SLA] | |
| Security | [Standards] | |
| Compliance | [Requirements] | |
#### Integration Requirements
- [ ] Must integrate with: [System 1]
- [ ] Must integrate with: [System 2]
- [ ] API compatibility: [Requirements]
- [ ] Data format: [Requirements]
---
## Option Analysis
### Option 1: Build In-House
#### Description
[What building in-house would look like - architecture, approach, team]
#### Capabilities Delivered
| Requirement | Fit | Notes |
|-------------|-----|-------|
| [Req 1] | ✅ Full / ⚠️ Partial / ❌ No | [Notes] |
| [Req 2] | ✅ / ⚠️ / ❌ | |
| [Req 3] | ✅ / ⚠️ / ❌ | |
#### Cost Analysis
**Development Costs (One-Time)**
| Item | Estimate | Assumptions |
|------|----------|-------------|
| Engineering time | [$ / hours] | [# engineers × # months] |
| Design | [$ / hours] | |
| Infrastructure setup | [$] | |
| Testing/QA | [$ / hours] | |
| **Total One-Time** | [$] | |
**Ongoing Costs (Annual)**
| Item | Estimate | Notes |
|------|----------|-------|
| Maintenance (engineering) | [$] | [% of team] |
| Infrastructure | [$] | |
| On-call/support | [$] | |
| Feature development | [$] | |
| **Total Annual** | [$] | |
**3-Year Total Cost of Ownership:** [$]
#### Timeline
| Milestone | Estimate |
|-----------|----------|
| MVP | [X months] |
| Production-ready | [X months] |
| Feature complete | [X months] |
#### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Takes longer than estimated | [H/M/L] | [H/M/L] | |
| Key engineer leaves | [H/M/L] | [H/M/L] | |
| Requirements change | [H/M/L] | [H/M/L] | |
| [Other risk] | [H/M/L] | [H/M/L] | |
#### Pros
- [Pro 1]
- [Pro 2]
- [Pro 3]
#### Cons
- [Con 1]
- [Con 2]
- [Con 3]
---
### Option 2: Buy [Vendor Name]
#### Description
[What buying would look like - which product, how we'd implement]
#### Capabilities Delivered
| Requirement | Fit | Notes |
|-------------|-----|-------|
| [Req 1] | ✅ Full / ⚠️ Partial / ❌ No | [Notes] |
| [Req 2] | ✅ / ⚠️ / ❌ | |
| [Req 3] | ✅ / ⚠️ / ❌ | |
#### Cost Analysis
**Implementation Costs (One-Time)**
| Item | Estimate | Notes |
|------|----------|-------|
| License/setup fees | [$] | |
| Integration development | [$] | |
| Data migration | [$] | |
| Training | [$] | |
| **Total One-Time** | [$] | |
**Ongoing Costs (Annual)**
| Item | Estimate | Notes |
|------|----------|-------|
| Subscription/license | [$] | |
| Integration maintenance | [$] | |
| Support tier | [$] | |
| Additional usage fees | [$] | |
| **Total Annual** | [$] | |
**3-Year Total Cost of Ownership:** [$]
#### Timeline
| Milestone | Estimate |
|-----------|----------|
| Contract signed | [X weeks] |
| Integration complete | [X months] |
| Full rollout | [X months] |
#### Vendor Assessment
| Criteria | Score (1-5) | Notes |
|----------|-------------|-------|
| Financial stability | | |
| Product roadmap alignment | | |
| Customer references | | |
| Support quality | | |
| Security posture | | |
| API/integration quality | | |
#### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Vendor lock-in | [H/M/L] | [H/M/L] | |
| Price increases | [H/M/L] | [H/M/L] | |
| Vendor goes away | [H/M/L] | [H/M/L] | |
| Feature gaps | [H/M/L] | [H/M/L] | |
| Integration complexity | [H/M/L] | [H/M/L] | |
#### Pros
- [Pro 1]
- [Pro 2]
- [Pro 3]
#### Cons
- [Con 1]
- [Con 2]
- [Con 3]
---
### Option 3: [Hybrid / Alternative]
[If applicable, same structure as above]
---
## Comparison
### Side-by-Side
| Criteria | Build | Buy | Winner |
|----------|-------|-----|--------|
| 3-Year TCO | [$X] | [$Y] | [Build/Buy] |
| Time to value | [X months] | [Y months] | [Build/Buy] |
| Feature fit | [%] | [%] | [Build/Buy] |
| Customization | [High/Med/Low] | [High/Med/Low] | [Build/Buy] |
| Control | [High/Med/Low] | [High/Med/Low] | [Build/Buy] |
| Ongoing effort | [High/Med/Low] | [High/Med/Low] | [Build/Buy] |
| Risk | [High/Med/Low] | [High/Med/Low] | [Build/Buy] |
### Strategic Considerations
#### Build Favors When:
- [ ] This is core to our differentiation
- [ ] Off-the-shelf doesn't meet unique requirements
- [ ] We have specialized expertise
- [ ] Long-term cost savings are significant
- [ ] We need full control over roadmap
- [ ] Integration with existing systems is complex
#### Buy Favors When:
- [ ] This is commodity/undifferentiated
- [ ] Time-to-market is critical
- [ ] We lack expertise in this domain
- [ ] Vendor is mature with strong ecosystem
- [ ] Requirements are standard/well-served
- [ ] Focus should be on core product
### Core vs Context Analysis
| Factor | Assessment |
|--------|------------|
| Is this core to our differentiation? | Yes / No |
| Would customers pay more for a custom solution? | Yes / No |
| Does this create competitive advantage? | Yes / No |
| Is off-the-shelf "good enough"? | Yes / No |
**Core:** Build for competitive advantage
**Context:** Buy to focus resources on core
---
## Recommendation
### Decision
**Recommended option:** [Build / Buy / Hybrid]
### Rationale
**Primary reasons:**
1. [Reason 1 - most important]
2. [Reason 2]
3. [Reason 3]
**Key trade-offs accepted:**
1. [Trade-off 1 we're accepting and why]
2. [Trade-off 2 we're accepting and why]
### Implementation Plan
**If we proceed:**
| Phase | Timeline | Key Activities |
|-------|----------|----------------|
| Phase 1 | [Dates] | [Activities] |
| Phase 2 | [Dates] | [Activities] |
| Phase 3 | [Dates] | [Activities] |
### Success Criteria
| Metric | Target | Measurement |
|--------|--------|-------------|
| [Metric 1] | [Target] | [How measured] |
| [Metric 2] | [Target] | [How measured] |
### Exit Criteria / Re-evaluation Triggers
We should revisit this decision if:
- [Trigger 1]
- [Trigger 2]
- [Trigger 3]
---
## Appendix
### Stakeholders Consulted
| Name | Role | Input |
|------|------|-------|
| [Name] | [Role] | [Key feedback] |
### Vendors Evaluated
| Vendor | Why Considered | Why Selected/Rejected |
|--------|----------------|----------------------|
| [Vendor 1] | [Reason] | [Decision] |
| [Vendor 2] | [Reason] | [Decision] |
### Reference Materials
- [Link to requirements doc]
- [Link to vendor proposals]
- [Link to technical spikes]
- [Link to competitor analysis]
### Assumptions
1. [Assumption 1]
2. [Assumption 2]
3. [Assumption 3]
## Complete Example
# Build vs Buy Analysis: Customer Identity Platform
**Document Owner:** Alex Rivera
**Created:** October 1, 2025
**Last Updated:** October 15, 2025
**Status:** In Review
**Decision Deadline:** October 25, 2025
---
## Executive Summary
### The Decision
**What we're evaluating:** Customer authentication, authorization, and identity management for our B2B SaaS platform. Current homegrown auth system doesn't support enterprise requirements (SSO, MFA, audit logs).
**Options considered:**
1. Build: Extend existing auth system with enterprise features
2. Buy: Auth0 (Identity-as-a-Service)
3. Buy: Okta Customer Identity Cloud
**Recommendation:** Buy (Auth0)
**Rationale:** Authentication is not our core differentiator, and building enterprise-grade identity would take 6+ months of senior engineering time. Auth0 delivers the features we need immediately at a lower 3-year TCO than building, letting us focus engineering on our core product.
---
## Context and Requirements
### Business Need
**What problem are we solving?**
We're losing enterprise deals because we lack SSO, MFA, and audit logging. Three Fortune 500 prospects in the past quarter required SSO integration with their IdP—we couldn't deliver. Our homegrown auth also has security concerns (password storage using outdated hashing, no brute force protection).
**Who needs this?**
- Sales: Enterprise deals blocked by auth requirements
- Security: Risk from current implementation
- Customers: Enterprise IT requiring SSO
- Engineering: Maintenance burden of current system
**Why now?**
- $2.4M in pipeline blocked by SSO requirement
- SOC 2 audit in Q1 will flag auth concerns
- Security incident at competitor increased customer scrutiny
### Requirements
#### Functional Requirements
| Requirement | Priority | Notes |
|-------------|----------|-------|
| SSO (SAML, OIDC) | Must Have | Okta, Azure AD, Google Workspace |
| MFA | Must Have | TOTP, SMS, WebAuthn |
| Social login | Must Have | Google, GitHub, LinkedIn |
| Password authentication | Must Have | With modern security |
| Role-based access control | Must Have | Map to our permission model |
| Audit logging | Must Have | All auth events |
| User management UI | Should Have | Admin console |
| Branding/customization | Should Have | Login page matches our brand |
| Passwordless | Nice to Have | Magic links, passkeys |
| Bot protection | Nice to Have | CAPTCHA, rate limiting |
#### Non-Functional Requirements
| Requirement | Target | Notes |
|-------------|--------|-------|
| Availability | 99.99% | Auth is critical path |
| Latency | <200ms | Login API calls |
| Scale | 100K MAU | Current: 15K, growing 20%/month |
| Security | SOC 2, ISO 27001 | Required for enterprise |
| Compliance | GDPR, CCPA | Data residency options |
#### Integration Requirements
- [ ] React frontend SDK
- [ ] Node.js backend SDK
- [ ] REST API for user management
- [ ] Webhooks for user events
- [ ] Import existing 15K users
---
## Option Analysis
### Option 1: Build In-House
#### Description
Extend our existing Node.js/PostgreSQL auth system. Add SAML/OIDC SSO support, integrate MFA library, build audit logging, upgrade password security. Would require 2-3 senior engineers for ~6 months.
#### Capabilities Delivered
| Requirement | Fit | Notes |
|-------------|-----|-------|
| SSO (SAML, OIDC) | ⚠️ Partial | Can build, complex to maintain |
| MFA | ✅ Full | Libraries available |
| Social login | ✅ Full | Already have basic version |
| Password auth | ✅ Full | Upgrade hashing |
| RBAC | ✅ Full | Already have |
| Audit logging | ✅ Full | Build custom |
| User management UI | ⚠️ Partial | Basic admin exists |
| Branding | ✅ Full | Full control |
| Passwordless | ⚠️ Partial | Significant work |
| Bot protection | ⚠️ Partial | Would need to add |
#### Cost Analysis
**Development Costs (One-Time)**
| Item | Estimate | Assumptions |
|------|----------|-------------|
| Engineering time | $450,000 | 2.5 engineers × 6 months @ $300K/yr |
| Security review | $25,000 | External pentest |
| Infrastructure | $5,000 | Additional services |
| Testing/QA | $50,000 | Included in eng time |
| **Total One-Time** | $530,000 | |
**Ongoing Costs (Annual)**
| Item | Estimate | Notes |
|------|----------|-------|
| Maintenance | $100,000 | 0.5 engineer ongoing |
| Infrastructure | $12,000 | Servers, monitoring |
| Security updates | $25,000 | Ongoing patching |
| Feature development | $75,000 | New IdP support, etc. |
| **Total Annual** | $212,000 | |
**3-Year TCO:** $530K + (3 × $212K) = **$1,166,000**
#### Timeline
| Milestone | Estimate |
|-----------|----------|
| MVP (password + MFA) | 2 months |
| SSO support | 4 months |
| Production-ready | 6 months |
| Full feature parity with buy option | 9+ months |
#### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Takes longer than estimated | High | High | Auth is notoriously complex |
| Security vulnerabilities | Medium | Critical | Extensive testing, audit |
| Key engineer leaves | Medium | High | Knowledge concentration |
| IdP compatibility issues | High | Medium | Each IdP is different |
| Ongoing maintenance burden | High | Medium | Distracts from core product |
#### Pros
- Full control over implementation
- No vendor dependency
- Customization flexibility
- No per-user fees at scale
#### Cons
- 6+ months to production
- Significant engineering investment
- Ongoing maintenance burden
- Security responsibility on us
- We're not auth experts
---
### Option 2: Buy Auth0
#### Description
Auth0 is an identity-as-a-service platform. We'd use their Universal Login, SDKs, and enterprise connections. Implementation involves replacing our auth endpoints with Auth0 APIs and migrating existing users.
#### Capabilities Delivered
| Requirement | Fit | Notes |
|-------------|-----|-------|
| SSO (SAML, OIDC) | ✅ Full | Native support, 20+ enterprise IdPs |
| MFA | ✅ Full | Multiple options, adaptive |
| Social login | ✅ Full | 50+ providers |
| Password auth | ✅ Full | Breached password detection |
| RBAC | ✅ Full | Built-in RBAC |
| Audit logging | ✅ Full | Comprehensive logs, export |
| User management UI | ✅ Full | Full admin console |
| Branding | ✅ Full | Customizable Universal Login |
| Passwordless | ✅ Full | Magic links, WebAuthn |
| Bot protection | ✅ Full | Attack protection included |
#### Cost Analysis
**Implementation Costs (One-Time)**
| Item | Estimate | Notes |
|------|----------|-------|
| Auth0 setup/onboarding | $0 | Self-serve |
| Integration development | $60,000 | 1 engineer × 2 months |
| User migration | $15,000 | Scripting, validation |
| Training | $5,000 | Team enablement |
| **Total One-Time** | $80,000 | |
**Ongoing Costs (Annual)**
| Item | Estimate | Notes |
|------|----------|-------|
| Auth0 subscription | $108,000 | B2B Pro @ $9K/month for our MAU |
| Integration maintenance | $25,000 | Minor updates |
| Support tier | $0 | Included in plan |
| **Total Annual** | $133,000 | |
**3-Year TCO:** $80K + (3 × $133K) = **$479,000**
#### Timeline
| Milestone | Estimate |
|-----------|----------|
| POC complete | 2 weeks |
| Integration complete | 6 weeks |
| User migration | 2 weeks |
| Full rollout | 2 months total |
#### Vendor Assessment
| Criteria | Score (1-5) | Notes |
|----------|-------------|-------|
| Financial stability | 5 | Acquired by Okta (public co) |
| Product roadmap alignment | 4 | Strong B2B focus |
| Customer references | 5 | Used by similar companies |
| Support quality | 4 | Good docs, community |
| Security posture | 5 | SOC 2, ISO 27001, extensive certifications |
| API/integration quality | 5 | Excellent SDKs, docs |
#### Risks
| Risk | Likelihood | Impact | Mitigation |
|------|------------|--------|------------|
| Vendor lock-in | Medium | Medium | Abstract behind interface |
| Price increases | Medium | Low | Multi-year contract |
| Vendor acquisition/changes | Low | Medium | Okta acquisition complete |
| Feature gaps | Low | Low | Very comprehensive |
| Outage impacts us | Low | High | Auth0 99.99% SLA |
#### Pros
- Production-ready in 2 months
- Battle-tested security
- Comprehensive features
- Frees engineering for core product
- Lower 3-year TCO
- Expert support available
#### Cons
- Vendor dependency
- Ongoing subscription cost
- Less customization flexibility
- Data leaves our infrastructure
---
### Option 3: Buy Okta Customer Identity Cloud
#### Description
Okta Customer Identity Cloud (the Auth0 platform rebranded after Okta's acquisition, sold under Okta's pricing model). Enterprise-focused identity platform.
#### Capabilities Delivered
Same as Auth0 (✅ Full for all requirements)
#### Cost Analysis
**3-Year TCO:** ~$680,000 (higher pricing tier, more enterprise-focused)
#### Assessment
Okta CIC is more enterprise-focused with higher pricing. Given our current scale and needs, Auth0 provides equivalent features at lower cost. Would reconsider Okta if we needed deeper Okta Workforce Identity integration.
---
## Comparison
### Side-by-Side
| Criteria | Build | Auth0 | Winner |
|----------|-------|-------|--------|
| 3-Year TCO | $1.17M | $479K | Auth0 |
| Time to value | 6 months | 2 months | Auth0 |
| Feature fit | 85% | 100% | Auth0 |
| Customization | High | Medium | Build |
| Control | High | Medium | Build |
| Ongoing effort | High | Low | Auth0 |
| Risk | High | Low | Auth0 |
### Strategic Considerations
#### Build Favors When:
- [ ] This is core to our differentiation - **NO** (auth is table stakes)
- [ ] Off-the-shelf doesn't meet unique requirements - **NO** (Auth0 meets all)
- [ ] We have specialized expertise - **NO** (not auth experts)
- [ ] Long-term cost savings are significant - **NO** (higher TCO to build)
- [ ] We need full control over roadmap - **PARTIAL** (some value)
- [ ] Integration with existing systems is complex - **NO** (Auth0 integrates well)
#### Buy Favors When:
- [x] This is commodity/undifferentiated - **YES**
- [x] Time-to-market is critical - **YES** ($2.4M pipeline waiting)
- [x] We lack expertise in this domain - **YES**
- [x] Vendor is mature with strong ecosystem - **YES**
- [x] Requirements are standard/well-served - **YES**
- [x] Focus should be on core product - **YES**
### Core vs Context Analysis
| Factor | Assessment |
|--------|------------|
| Is this core to our differentiation? | No - auth is expected, not differentiating |
| Would customers pay more for a custom solution? | No - they just want SSO to work |
| Does this create competitive advantage? | No - competitors have similar auth |
| Is off-the-shelf "good enough"? | Yes - Auth0 exceeds requirements |
**Conclusion:** Auth is **context**, not core. Buy.
---
## Recommendation
### Decision
**Recommended option:** Buy Auth0
### Rationale
**Primary reasons:**
1. **Cost:** Auth0's 3-year TCO ($479K) is less than half of building ($1.17M), even accounting for subscription fees.
2. **Speed:** We can be in production in 2 months vs. 6+ months, unblocking $2.4M in pipeline before year-end.
3. **Focus:** Auth is not our differentiation. Every engineer-month spent on auth is a month not spent on our core product.
4. **Risk:** Auth0 is battle-tested, SOC 2 compliant, and maintained by security experts. Building exposes us to security risk and ongoing maintenance burden.
**Key trade-offs accepted:**
1. **Vendor dependency:** We're accepting dependency on Auth0. Mitigation: Abstract behind interface, maintain ability to swap.
2. **Ongoing subscription cost:** $133K/year is significant but justified by faster time-to-market and lower total cost.
### Implementation Plan
| Phase | Timeline | Key Activities |
|-------|----------|----------------|
| Phase 1 | Oct 25 - Nov 8 | POC, contract signing, integration spike |
| Phase 2 | Nov 8 - Dec 6 | Full integration, staging deployment |
| Phase 3 | Dec 6 - Dec 20 | User migration, production rollout |
| Phase 4 | Jan 2026 | Enterprise customer SSO configurations |
### Success Criteria
| Metric | Target | Measurement |
|--------|--------|-------------|
| Time to production | ≤2 months | Deploy date |
| Enterprise deals unblocked | ≥2 deals | Sales pipeline |
| Auth reliability | 99.9% | Monitoring |
| User migration success | 100% users migrated | User count |
| SOC 2 auth findings | 0 critical | Audit report |
### Exit Criteria / Re-evaluation Triggers
We should revisit this decision if:
- Auth0 pricing increases >30%
- We acquire a company with significant auth infrastructure
- Our scale exceeds Auth0's pricing model economics (500K+ MAU)
- Auth0/Okta has significant security incident
---
## Appendix
### Stakeholders Consulted
| Name | Role | Input |
|------|------|-------|
| Sarah Chen | CTO | Aligned on buy recommendation |
| James Lee | VP Sales | Confirmed pipeline blocked by SSO |
| Chris Anderson | Security Lead | Prefers Auth0's security posture |
| Mike Johnson | Senior Engineer | Estimated build effort |
### Vendors Evaluated
| Vendor | Why Considered | Why Selected/Rejected |
|--------|----------------|----------------------|
| Auth0 | Market leader, good B2B support | **Selected** - best fit |
| Okta CIC | Enterprise leader | Higher pricing, similar features |
| AWS Cognito | Already on AWS | Limited enterprise features |
| Firebase Auth | Low cost | Consumer-focused, limited SSO |
| FusionAuth | Open source option | Less mature, more ops overhead |
### Reference Materials
- [Auth0 B2B Pro pricing](link)
- [Auth0 security whitepaper](link)
- [Engineering spike: Auth0 POC](link)
- [Sales: Enterprise deals blocked](link)
## Build vs Buy Framework
### When to Build
- Core differentiation - It's central to your competitive advantage
- Unique requirements - Off-the-shelf truly doesn't fit
- Long-term economics - Build cost amortizes over time
- Control is critical - Roadmap, security, or data sovereignty
- Expertise exists - Team has relevant domain knowledge
### When to Buy
- Commodity capability - It's table stakes, not differentiating
- Speed matters - Time-to-market is critical
- Lacking expertise - Team would be learning while building
- Mature market - Strong vendors with proven solutions
- Focus is elsewhere - Engineering bandwidth needed on core product
### The 2x Rule
If building costs more than 2x buying over 3 years, buy. If building costs less than 0.5x buying, build. In between, consider strategic factors.
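The 2x rule and the 3-year TCO formula used in the option analyses (one-time cost plus three times the annual cost), worked through as an added example that is not part of the original page. The cost items are the page's own build and Auth0 figures; the function names are this example's. It goes one step beyond the text by also computing the breakeven horizon, the number of years after which a build option's lower annual cost would overtake a buy option, which is the "long-term economics" case the framework mentions but does not quantify.

```javascript
// Added example, not from the document. Computes N-year total cost of
// ownership from itemized cost tables, applies the page's 2x rule, and finds
// the breakeven horizon. Figures below are the page's own build and Auth0
// estimates; function names are this example's own.

function sum(items) {
  return Object.values(items).reduce((a, b) => a + b, 0);
}

// TCO over `years`: one-time costs plus `years` times the annual costs
// (the page's 3-year TCO is the default).
function tco(option, years = 3) {
  return sum(option.oneTime) + years * sum(option.annual);
}

// The 2x rule: ratio of build TCO to buy TCO decides, with a strategic band
// between 0.5x and 2x where cost alone is not decisive.
function twoXRule(buildTco, buyTco) {
  const ratio = buildTco / buyTco;
  if (ratio > 2) return { ratio, decision: "buy" };
  if (ratio < 0.5) return { ratio, decision: "build" };
  return { ratio, decision: "strategic" };
}

// Smallest whole number of years after which cumulative build cost is no
// higher than cumulative buy cost; null when build never catches up within
// `maxYears` (for example because its annual cost is also higher).
function breakevenYears(build, buy, maxYears = 20) {
  for (let n = 0; n <= maxYears; n++) {
    if (tco(build, n) <= tco(buy, n)) return n;
  }
  return null;
}

// One row of the side-by-side comparison, for a given horizon.
function compare(build, buy, years = 3) {
  const buildTco = tco(build, years);
  const buyTco = tco(buy, years);
  return { buildTco, buyTco, ...twoXRule(buildTco, buyTco), breakeven: breakevenYears(build, buy) };
}

// Cost tables transcribed from the example analysis (Option 1 and Option 2).
const BUILD = {
  oneTime: { engineering: 450000, securityReview: 25000, infrastructure: 5000, testing: 50000 },
  annual: { maintenance: 100000, infrastructure: 12000, securityUpdates: 25000, features: 75000 },
};
const BUY_AUTH0 = {
  oneTime: { setup: 0, integration: 60000, migration: 15000, training: 5000 },
  annual: { subscription: 108000, integrationMaintenance: 25000, support: 0 },
};

// With the page's numbers: build $1,166,000 vs buy $479,000, ratio about 2.43,
// so the rule says buy; build never breaks even because its annual cost is higher too.
console.log(compare(BUILD, BUY_AUTH0));
```

Running it reproduces the page's totals ($1,166,000 and $479,000) and a ratio of about 2.43, just over the 2x line. The breakeven function is where a build case would show up: an option with a large one-time cost but a lower annual cost eventually undercuts a subscription, and the horizon at which that happens is what "build cost amortizes over time" means in numbers.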
The goal isn't to build everything or buy everything—it's to build what differentiates you and buy what doesn't.