Wireless sensor networks suffer from limited resources, in particular a finite energy supply. A common way to save energy is to reduce radio transmissions by using in-network data aggregation, which is very sensitive to non-cooperative nodes, e.g., nodes that have been compromised by an attacker. Usually, security against such attacks can only be achieved by spending considerably more energy. In this paper, we present the ESAWN framework, a highly customizable protocol for secure in-network data aggregation. The main contribution of ESAWN is providing gracefully degrading security guarantees, in particular data authenticity. Instead of providing 'full' authenticity, we only assure an aggregate to be authentic with a given probability. This is done by propagating aggregates on redundant paths, allowing other nodes to check correctness. Hence, a user can trade off security against energy in a very fine-grained manner. We present both analytical and MICA2-based simulation results, showing the practicality of our approach. For example, with 10% compromised nodes, ESAWN saves up to 70% energy while degrading authenticity by 5%.