Start free, get audit-ready on Essentials, run a full programme on Complete. Yearly billing saves roughly 17%.
- $0/yr billed yearly: Evaluate — or very small teams & solo operators
- $250/yr billed yearly: SMB starter — one framework, light cadence
- $2,500/yr billed yearly: Full SMB GRC programme
- Mid-market & regulated enterprise

| Feature | Free | Essentials | Complete | Enterprise |
|---|---|---|---|---|
| AI Sidekick — your built-in AI vCISO | ||||
| AI vCISO assistant (chat, guidance, drafting) | 5-credit trial | |||
| AI personas | 2 (Compliance, Analyst) | 5 (CISO, Compliance, Analyst, IR, Pentester) | 5 | |
| Hosted AI credits / month | 5 (signup trial) | 25 | 250 | Unlimited |
| Top-up credits | ||||
| AI propose / approve loop on evidence & controls | Basic | |||
| AI risk derivation from compliance gaps | ||||
| Scheduled AI workflows (gap review, assessment cadence) | Monthly only | |||
| Bring your own AI (your model & key) — all tiers | ||||
| MCP server access (connect your own AI agent) | ||||
| Agentic API keys (user-managed, scoped) | ||||
| Safe actions — human-approved, scope-gated tools | ||||
| Compliance & Standards | ||||
| Standards available | 1 — NIST CSF 2.0 (read-only) | 2 active baselines | All 16 | All 16 + unlimited custom |
| Control ↔ requirement mapping (bidirectional) | ||||
| Cross-framework derivation (NIST CSF hub) | ||||
| Assessments & evidence | ||||
| Onboarding wizard | ||||
| Assessment runs | 1 (read-only) | Unlimited | Unlimited | Unlimited |
| Control state machine (claimed → validated → gap → managed) | View only | |||
| Coverage / maturity / gap analytics | Basic snapshot | |||
| Manual evidence upload | Up to 1 GB | Up to 25 GB | Unlimited | |
| Evidence expiry tracking + reminders | ||||
| Risk management | ||||
| Org-level risk appetite | View only | |||
| Risk register | Manual, basic | |||
| 5×5 inherent / residual scoring | ||||
| SCF threat catalogue (41 threats / 39 risk statements) | ||||
| Risk heatmap | ||||
| Risk treatment plans linked to controls | ||||
| Materiality flag | ||||
| Threat-Informed Attack Surface Management | ||||
| Attack-surface scans | Passive only | Passive + light active | Deep, active & passive | All + custom modules |
| Manual scans / month | 5 | 25 | Unlimited | Unlimited |
| Scheduled scans | Weekly | Daily / on-demand | Continuous + SLA | |
| Monitored domains | 3 | 10 | 25 | Unlimited |
| Tracked assets | 50 | 200 | 500 | Unlimited |
| Asset types (domain, host, IP, cert, identity, data, app, device…) | 9 | 9 | 9 | 9 + custom |
| Live scan feed | ||||
| Vulnerability triage with audit events | Read-only | |||
| CVE enrichment | ||||
| Dashboards & analytics | ||||
| Real-data dashboards (assets, scans, findings) | Basic | |||
| GRC dashboard (compliance + risk posture) | ||||
| Attack-surface graph view | ||||
| Time-bucketed trend analytics | ||||
| Reporting & exports | ||||
| Compliance report (executive summary, coverage, gaps, risk) | Watermarked | |||
| HTML reports (browser print) | Watermarked | |||
| Data export | CSV only | CSV + JSON | CSV + JSON + bulk | |
| Collaboration | ||||
| Collaboration & project sharing (internal + third-party) | ||||
| Email notifications (scan events, digests, alerts) | Basic | |||
| Activity feed | ||||
| Shared AI Sidekick team memory | ||||
| Gamification & engagement | ||||
| Maturity achievement badges | ||||
| Maturity progress & path-to-baseline | ||||
| Risk-treated-over-time streaks | ||||
| Identity, access & audit | ||||
| OIDC single sign-on (Microsoft 365 & email) | ||||
| Built-in roles (Main Admin / Admin / User / Reader) | ||||
| MFA (via identity provider) | ||||
| Audit log (typed events) | Last 7 days | Read by admin | Read + export | Read + export |
| Platform & support | ||||
| Projects | 1 | 2 | Unlimited | Unlimited |
| Users | 1 | 3 | 10 | Unlimited |
| Data retention | 7 days | 30 days | 90 days | 365 days (configurable) |
| Public REST API access | ||||
| Support | Community | Email (business hours) | Priority email + chat | Dedicated CSM, 24×7 |
| Onboarding | Self-serve | Self-serve + docs | Onboarding call | Tailored training |
NIST CSF 2.0 is the core spine every account runs; Complete unlocks all of the below.
All prices in USD. Enterprise plans add unlimited scale, public API access and dedicated support — talk to sales for design-partner pricing. Yearly billing saves roughly 17% versus monthly. Registered users can preview what we are building next on our roadmap.