How to evaluate a CIAM vendor without falling for the demo
By Deepak Gupta · Updated 2026-01-15
What the demo will not tell you
CIAM demos show the polished happy path. They will not surface what matters at scale: pricing curves above 1M MAU, the data export experience, the operational cost of running custom auth flows, and how the vendor responds when something breaks in production at 3 AM.
The eight questions to actually ask
- What is the per-MAU cost at 10K, 100K, 1M, and 10M MAU? Get this in writing.
- What is the data export format and how do I get my users out? Test it on the trial account.
- What is the SLA, and what's the historical uptime? Ask for the last 12 months of status page data.
- How long has the current SDK version been the recommended one? SDK churn signals broader product instability.
- What does support response look like at our tier? Not the marketing answer — the contractual one.
- Show me an audit log entry and the API to query it. Real screen, real data.
- What's the migration story if I move to you, and what if I move away? Both directions matter.
- Who else in our segment is using you, and can I talk to them? Two reference calls minimum.
What to test in trial
- Performance under burst load (sign-in spikes at 9 AM)
- The recovery flow when an authenticator is lost
- The flow for a user whose email changed
- The behavior when MFA is misconfigured
- The audit log for a sequence of normal user actions
Pricing reality
Per-MAU list pricing is rarely what enterprises pay. Negotiation matters. Get multiple bids. Push for caps on growth-stage pricing. Ask about "active" MAU definitions — they vary widely.
Common pitfalls
- Buying based on developer experience alone, ignoring operational fit
- Underestimating the cost of customer SSO support requests
- Choosing a vendor that won't scale to where you'll be in 24 months
- Skipping data export evaluation until lock-in is already happening
- Trusting the vendor's reference customers without finding your own