Pricing

Software maintenance costs: what to budget after launch

March 5, 2026 | 9 min read

Server monitoring dashboard with performance metrics

Budget 15-20% of your initial build cost per year for software maintenance. A $20,000 app costs $3,000-$4,000 annually for dependency updates, security patches, bug fixes, and monitoring. Add $100-$400/month for infrastructure (hosting, database, email). Total ongoing cost for a growth-stage app: $350-$730/month.

Building software is a one-time cost. Running it is a recurring one. Most founders budget for the first and forget the second.

The result? Three months after launch, a security vulnerability shows up in a dependency. Six months in, a third-party API changes its authentication method and breaks your checkout flow. A year later, the database runs out of storage at 2 AM on a Saturday. These are not edge cases. They happen to every production application.

This post breaks down what software maintenance costs, what's included, and how to budget for it so none of this catches you off guard. If you haven't built yet and want to understand initial development pricing, read our companion post on how much custom software costs in 2026.

The 15-20% rule

The industry standard for annual software maintenance is 15-20% of the initial build cost. This number comes from decades of enterprise software data, and it holds true for custom applications at every scale.

Here's what that looks like in practice:

A $10,000 MVP costs $1,500-$2,000/year to maintain
A $20,000 SaaS product costs $3,000-$4,000/year to maintain
A $50,000 enterprise platform costs $7,500-$10,000/year to maintain
A $100,000 regulated fintech app costs $15,000-$20,000/year to maintain

These numbers cover maintenance only. They don't include new feature development, infrastructure costs, or third-party API fees. Those are separate line items, and we'll cover infrastructure costs below.

What's included in software maintenance

"Maintenance" is a vague word. Here's what it means in concrete engineering terms.

Dependency updates

A typical web application has 50-200 npm packages in its dependency tree. Each package releases updates; some fix bugs, some patch security vulnerabilities, and some introduce breaking changes. An engineer needs to review these updates, test them against your application, and deploy the ones that matter. Skipping this for 6-12 months creates a backlog that takes days to untangle instead of hours.

Security patches

When a CVE (Common Vulnerabilities and Exposures) is published for a library your app uses, you need to patch it. Fast. The Log4j vulnerability in 2021 affected millions of applications worldwide. Companies that had active maintenance contracts patched within days. Companies without maintenance scrambled for weeks, and some got breached in the meantime.

Bug fixes

No software ships bug-free. Users find edge cases your test suite didn't cover. A form fails when someone pastes formatted text from Word. A calculation rounds incorrectly on invoices over $10,000. The search bar breaks when a product name contains an ampersand. These bugs trickle in over months, and each one needs investigation, a fix, and a deployment.

Server monitoring and uptime

Someone needs to watch your application's health. CPU usage, memory consumption, error rates, response times, disk space. When your database hits 90% storage capacity, you need to know before it hits 100% and crashes. Monitoring tools send alerts, but a human needs to respond to those alerts and take action.

SSL renewals and certificate management

SSL certificates expire. If yours lapses, browsers show a scary "Not Secure" warning and your users leave. Most hosting platforms auto-renew certificates, but custom domains, subdomains, and API endpoints sometimes need manual attention.

Database backups and recovery testing

Backups are only useful if they work. An engineer should verify backup integrity quarterly by restoring a backup to a staging environment and confirming the data is complete. A backup that hasn't been tested is a backup you can't trust.

Infrastructure costs breakdown

Maintenance labor is one cost. Infrastructure is another. Here's what the monthly bills look like for a typical custom application.

Service	Startup / MVP	Growth stage	Enterprise
Hosting (Vercel, AWS, etc.)	$0-20/mo	$50-200/mo	$500-3,000/mo
Database (Supabase, Neon, RDS)	$0-25/mo	$25-100/mo	$200-1,000/mo
Email / SMS (Resend, Twilio)	$0-20/mo	$20-50/mo	$50-100/mo
CDN / File storage (S3, Cloudflare)	$0-5/mo	$5-25/mo	$25-50/mo
Monitoring (Sentry, Better Stack)	$0/mo	$0-30/mo	$50-100/mo
Domain + SSL	$15-50/yr	$15-50/yr	$15-50/yr
Monthly total (approx.)	$15-70/mo	$100-400/mo	$850-4,300/mo

These ranges assume standard SaaS tooling. Self-hosted alternatives (your own Postgres on a VPS, for example) can reduce database costs but increase maintenance labor.

For a typical $20,000 custom application at growth stage, expect to spend $100-$400/month on infrastructure plus $250-$330/month in maintenance labor (based on the 15-20% annual rule). That's a total ongoing cost of $350-$730/month to keep your app running, secure, and up to date.

What breaks if you skip maintenance

Some founders treat maintenance as optional. "The app works fine. Why pay someone to touch it?" Here's why.

Outdated dependencies with known CVEs. Every unpatched vulnerability is an open door. Automated scanners probe public-facing applications daily. If your app uses a library version with a published CVE, attackers know exactly how to exploit it. A data breach costs far more than a year of maintenance.

Degraded performance. Databases accumulate bloat. Log files fill disk space. Caches grow stale. Without periodic cleanup and optimization, your app gets slower by 5-10% per quarter. After a year of neglect, users notice. After two years, they leave.

Broken integrations. Third-party APIs change their endpoints, deprecate versions, and update authentication methods. Stripe, Twilio, Google Maps; they all release breaking changes on a schedule. If nobody's watching for these changes and updating your integration code, one morning your payment processing stops working with no warning.

Compounding technical debt. The longer you wait, the more expensive the catch-up. A year of skipped dependency updates might take 2-3 days to resolve. Two years of skipped updates can take 2-3 weeks, because major version jumps introduce breaking changes that cascade through your codebase.

Maintenance vs. feature development

These are two different budget categories, and mixing them up causes problems.

Maintenance keeps your app running. It covers security patches, dependency updates, bug fixes, monitoring, and infrastructure management. Maintenance work doesn't add new capabilities to your product. It preserves the ones you already have.

Feature development makes your app better. It covers new user flows, additional integrations, UI improvements, performance optimization, and new business logic. Feature work adds capabilities your users don't have yet.

Budget for both separately. Maintenance is predictable and recurring; you can estimate it as 15-20% of build cost annually. Feature development is variable and depends on your product roadmap. Mixing them into one budget leads to a common trap: feature work eats the maintenance budget, and security patches get deferred "until next month" for six months straight.

Maintenance retainer models

There are three common ways to structure a maintenance relationship with your development partner.

Hourly (pay as you go)

You call when something breaks. The engineer bills by the hour. This is the cheapest option when nothing goes wrong, and the most expensive when something does. Response times are slower because you're not a priority client. You're in the queue behind retainer clients.

Best for: simple marketing sites or internal tools that aren't business-critical.

Monthly retainer (5-10 hours/month)

You reserve a fixed number of hours each month. The engineer handles dependency updates, security patches, bug fixes, and monitoring within those hours. You get priority response times because the engineer has already allocated capacity for your project. Unused hours don't roll over (in most agreements), which motivates proactive maintenance rather than reactive firefighting.

Best for: SaaS products, customer-facing applications, and any software that generates revenue.

Annual contract

You commit to 12 months of maintenance at a discounted rate. The engineer provides a defined scope of services: monthly dependency audits, quarterly security reviews, guaranteed response times for critical issues, and a fixed number of bug-fix hours. Annual contracts typically save 10-15% compared to month-to-month retainers.

Best for: enterprise platforms, regulated industries, and applications with compliance requirements that mandate ongoing security oversight.

How Savi handles post-launch maintenance

After we ship your product, we offer optional maintenance retainers starting at 5 hours per month. Here's what's included.

Proactive dependency updates: we run automated audits weekly and apply critical patches within 48 hours
Priority response times: retainer clients get same-day response for critical issues, next-business-day for non-critical
Monthly health reports: a summary of what we updated, what we monitored, and what needs attention
Database backup verification: quarterly restore tests to confirm your backups are recoverable
Uptime monitoring: 24/7 monitoring with automatic alerts when your app goes down

Maintenance isn't glamorous work. Nobody celebrates a dependency update. But the founders who budget for it sleep better, because they know a CVE at 2 AM won't turn into a data breach by morning.

For a full breakdown of what it costs to build the software in the first place, read our guide on custom software development pricing.

Frequently asked questions

How much does it cost to maintain a software application per year?

The industry standard is 15-20% of your initial build cost per year. A $20,000 app costs $3,000-$4,000 annually for maintenance labor alone. Add $1,200-$4,800/year for infrastructure (hosting, database, email, monitoring). Total annual cost for a growth-stage app runs $4,200-$8,800.

What happens if I skip software maintenance after launch?

Skipping maintenance creates compounding risk. Unpatched dependencies expose known CVEs to automated attackers. Performance degrades 5-10% per quarter from database bloat. Third-party API changes break integrations without warning. Two years of skipped updates can take 2-3 weeks to resolve, compared to hours if done monthly.

What is included in a software maintenance retainer?

A typical 5-10 hour monthly retainer covers dependency updates, security patches within 48 hours, bug fixes, server monitoring (CPU, memory, error rates), SSL certificate management, and quarterly database backup verification. Retainer clients get same-day response for critical issues versus queue-based delays with hourly billing.

How much does cloud hosting cost for a custom web application?

For startups and MVPs, infrastructure costs $15-$70/month covering hosting, database, and basic services. Growth-stage apps run $100-$400/month. Enterprise platforms with higher traffic and compliance needs cost $850-$4,300/month. These ranges assume standard SaaS tooling like Vercel, Supabase, and Cloudflare.

Should I budget for maintenance separately from new feature development?

Yes, always separate the two. Maintenance (15-20% of build cost annually) is predictable and recurring, covering security, bug fixes, and updates. Feature development is variable and driven by your roadmap. Mixing them into one budget leads to security patches getting deferred for months while feature work consumes all available hours.

Need a maintenance plan for your software?

We offer monthly retainers starting at 5 hours. Your app stays updated, secure, and fast.

Talk to our team