You're Not Buying Software. You're Buying Risk. | Active Logic Insights

Enterprises write eight-figure software contracts. Mid-market companies write six-figure ones. Startups write four-figure invoices, or skip the contract entirely and hire a freelancer off an invoice template. The work product often looks identical on the surface, and for a long time I could not explain the price gap in a way that survived scrutiny.

Budget is the surface answer. It explains who can write the check. It does not explain why a Fortune 500 would ever write one that large when a capable twenty-person shop could deliver software that, from the outside, looks the same. The real answer is that the enterprise and the startup are not buying the same product, even when they hire the same category of vendor. The enterprise is paying for something the smaller buyer cannot afford, and most of the time is not even aware exists inside the transaction.

The Real Product on the Invoice

The product on the invoice is software. The product being bought is risk transfer. Errors and omissions insurance, contractual indemnification, SOC 2 and compliance attestations, defined escalation paths, named technical leadership, and a corporate counterparty with enough on its balance sheet to be worth suing if the engagement fails. When a billion-dollar company negotiates with a vendor, the sections of the contract that get fought over are almost never the scope of work. They are the limitation of liability, the indemnification terms, the insurance coverage floors, and the SLA enforcement mechanics. The scope gets agreed to in a meeting. The risk language gets negotiated for weeks. That tells you where the money is actually going.

A Conversation at Microsoft

I have a family member at Microsoft who runs parts of the data center cooling infrastructure. Sharp engineer, long tenure, real visibility into how the company allocates money. A while back we were talking about the scale of what Microsoft spends on outside vendors every year, and I asked him the question I had been asking myself for years. Microsoft can staff internally on almost anything it wants. Why does it keep writing seven- and eight-figure checks to outside firms when the talent is already inside the building?

His answer was liability. Microsoft can hold its vendors legally accountable in ways it cannot hold individual employees accountable. Vendors carry E&O insurance that covers damages when a project goes wrong. They sign contracts with real teeth. If an engagement collapses, there is a corporate counterparty with assets and contractual obligation sitting on the other side of the table. That is not available from an employee, a freelancer, or a shell agency operating out of someone’s apartment.

Now compare the recourse you actually have across vendor tiers. Sue a firm that carries $5M in E&O and has a US legal presence, and you can recover real damages when you win. Sue an offshore firm registered in a jurisdiction that does not enforce US judgments, and you can win the case and collect nothing. Sue a freelancer whose largest asset is a laptop, and there is nothing to garnish. Legal recourse against a real vendor is a feature you are buying. Legal recourse against cheap alternatives is almost always theoretical, no matter how airtight the contract looks.

You Can Only Buy the Risk Level You Can Afford

Every organization sits somewhere on a spectrum of risk tolerance, and the spectrum is defined by two things: how much money you have, and how much downside you can absorb. A startup with eighteen months of runway cannot sign a contract with a premium firm, because the bank account will not support it. A mid-market company has more options and will usually end up buying in the middle of the market. A Fortune 500 will buy the top, not because the top does better engineering, but because the downside of a critical project failing inside a regulated business is so much worse than the cost of hiring a vendor who carries real coverage.

Nobody in that picture is making an irrational decision. They are all buying the risk profile their balance sheet will support. The problem is that most buyers do not consciously realize that is what they are deciding. They think they are buying software at different price points. They are actually buying different risk profiles wrapped around roughly the same software.

I have written about the real cost of the cheap option in False-Shoring and in The Most Expensive Software Is the One That Works. Both pieces land the same underlying point from different angles. The line item on the invoice is almost never the real cost of the project, and cheap software often becomes the most expensive software a company ever buys, because the failure rate at the bottom of the market is high, and the recovery cost when a project fails is never priced into the original decision.

The optimism problem compounds all of this. Every client I have ever worked with walked into their vendor relationship expecting it to work. That is rational. Nobody signs a contract expecting to be in litigation eighteen months later. But enterprises budget for the possibility of failure in ways that startups and mid-market companies generally do not, and that budget difference is the premium.

Revenue, Budget, and the Risk You Can Actually Buy

The table below is built on real benchmarks, not vibes. Deloitte’s Global Technology Leadership Study has tracked technology spend as a percentage of revenue for years, and it has climbed steadily: 3.28% in 2016, 4.25% in 2020, 5.49% by 2022, with projections near 5.85% by 2024. Flexera’s Tech Spend Pulse puts the median higher, around 8% across surveyed enterprises, with smaller firms (2,001 to 5,000 employees) closer to 10% and the largest (over 10,000 employees) closer to 6% due to scale efficiencies. Industry matters more than revenue in a lot of these numbers. Avasant’s benchmarking puts financial services firms at 4.4% to 11.4% of revenue on IT (25th to 75th percentile), while discrete manufacturers sit at 1.4% to 3.2%. A bank at $500M in revenue will out-spend a manufacturer at $500M on technology by a factor of three, and both are behaving rationally for their industry.

The table takes those published benchmarks and maps them against the risk profile you can realistically buy in each revenue band. It is directional. Anchor to your industry’s norms before you act on it.

| Annual Revenue | Typical IT Spend (% of Revenue) | Realistic Project Budget | Vendor Options in Your Range | Risk Level You Can Actually Buy |
| --- | --- | --- | --- | --- |
| Under $1M (startup, early stage) | 6 to 12% (survival mode, tech-heavy) | $5K to $50K | Freelancers, offshore teams, AI-assisted solo builders | High. Rebuilds and failures are part of the risk you are accepting. |
| $1M to $10M (small business) | 5 to 10% | $25K to $250K | Boutique agencies, blended onshore and offshore | Moderate. Some protection, real gaps. |
| $10M to $100M (mid-market) | 4 to 8% | $100K to $1M | US-based specialized firms, Team as a Service partners | Low to moderate. Accountability is available, but only if you pay for it explicitly. |
| $100M to $1B (enterprise) | 3 to 7% (industry-dependent) | $500K to $5M+ | Established firms with insurance, SOC 2, engineering leadership | Low. Legal and compliance recourse are part of the deliverable. |
| $1B+ (large enterprise, Fortune 1000) | 1.4 to 11.4% (sector-driven: manufacturing low, financial services high) | $1M to $50M+ | Global systems integrators, dedicated vendor partners, Big Four firms | Near zero. Full indemnification and professional liability are table stakes. |

Two observations on how to read that. A startup at $5M in revenue cannot realistically sign a $2M development contract, and it also cannot afford a $2M project failure on a ship-in-nine-months bet. So it buys what it can afford and carries the risk. That is a survivable decision, but founders should see it for what it is, which is a conscious choice to carry risk rather than transfer it. An enterprise at $1B in revenue cannot run a critical initiative on a freelancer contract, not because the freelancer cannot do the work, but because the downside of that project failing is measured in lost customers, regulatory scrutiny, and missed product windows that cost far more than the insurance premium baked into top-of-market rates.

Match the Stakes to the Spend

The question worth asking before you sign any vendor contract is not “how cheap can I get this done.” It is “what happens if this fails.” If the answer is “we miss a quarter and rebuild,” then freelance, offshore, AI-assisted, and solo builder are all fair game, because the downside is absorbable. If the answer is “we lose a key client, fail a compliance audit, or miss the launch the next funding round depends on,” the cheap path is not actually cheap. The downside is the real price, and no savings on the invoice will ever cover it.

If you are not sure which category you are in, the questions in my guide to vetting software development partners will surface it quickly. The whole point of that piece is helping a leader figure out, before signing, whether the vendor they are about to hire actually carries the risk coverage they think they are paying for. False-shoring makes this especially treacherous, because the front end of the deal looks premium while the risk profile underneath is low-margin offshore.

What Comes Next

That chart tells you what you can afford to spend. It does not tell you what you should be reinvesting in inside your own company, which is the offensive question, not the defensive one. AI has collapsed the cost of building and maintaining software to a degree that most leadership teams have not priced in yet. If your operating stack is entirely rented, it is replicable by any competitor with a credit card. I put the revenue-based reinvestment framework in a companion piece: The Reinvestment Most Companies Skip.

The takeaway from this one, though, is simple. When you sign a vendor contract, understand what is on the invoice versus what is being delivered. The invoice says software development. The actual product at the enterprise tier is the risk that someone else now carries on your behalf. What you can afford to pay is, in almost every case, the same as what you can afford to lose.
