Pricing

Honest pricing for an open-core security tool.

Free if you self-host. Cheap if you don't. Custom only when scope genuinely requires it.

Plan calculator

Choose the deployment path

Open core

$0Self-host

$15Team annual

CustomPrivate tenant

Open source

Self-host the full platform under Apache 2.0. The binary the hosted plan runs is the same one you do.

$0forever

Deploy from GitHub

Trust graph + path resolution
AWS, Kubernetes, GitHub OIDC connectors
Repo exposure scanning
Policy simulator (read-only)
Community support on Discord
No usage limits, no hidden detections

Most teams pick this

Team

Hosted Identrail for teams who want time-to-value over infrastructure ownership. SAML SSO, scheduled scans, alerting.

$15/user/mo

3-user minimum · billed monthly or annually

Start a free risk scan

Everything in Open source
Hosted in the US or EU
SAML SSO included from day one
Scheduled scans and Slack alerting
Path-grounded severity scoring
14-day hosted trial, no card required

Enterprise

Private tenancy, regional controls, named support, and the procurement surface large security organisations expect.

Customtailored to scope

Talk to us

Everything in Team
Private single-tenant deployment
SCIM, audit log streaming
Custom data residency
Named TAM and onboarding program
Custom SLA, security review, MNDA

Compare in detail

What's in each plan, line by line.

If a row matters to you and is missing here, ask — we'll either explain or add it.

Capability	Open source	Team	Enterprise
AWS IAM trust-path resolution	Included	Included	Included
Kubernetes RBAC + workload identity	Included	Included	Included
GitHub Actions OIDC stitching	Included	Included	Included
Repo credential exposure scanning	Core detectors	Extended detectors + auto-revoke playbooks	Custom detectors per workspace
Policy simulator	Read-only	Read-only + dry-run + canary	All gates + scoped enforcement windows
Hosted in our cloud	No (self-host)	US or EU	US, EU, or your region
SAML SSO	Self-host any IdP	Included	Included + SCIM
Audit log streaming	Local log	Webhook	S3, Splunk, Datadog, Elastic
Support	Community Discord	Email, business hours	24/7 with named TAM and custom SLA

Pricing FAQ

Why is the hosted plan cheaper than other security tools?

Because the engine is open source. We are not amortising a private platform investment over every seat — we are charging for the part you genuinely benefit from outsourcing: hosting, hardening, scheduled scans, alerting, support. If you do not need any of those, the OSS edition is the same code, free.

Is there a free trial?

The Open source edition is free forever. The hosted Team plan includes a 14-day trial with no card required. Enterprise pilots are scoped per engagement.

Do you require write access to my cloud?

No. Connector setup uses read-only credentials. Policy enforcement is a separate, opt-in surface that requires explicit approval and named operators. You can run Identrail in read-only mode forever.

What about data residency?

Hosted Team customers pick US or EU. Enterprise customers pick a region or run a private single-tenant deployment in a region of their choice. Self-host gives you complete control.

Is Identrail SOC 2 compliant?

Honest answer: not yet. SOC 2 Type I is in progress and on a public roadmap on the /security page. Enterprise customers can review our security posture and receive an MNDA-protected security questionnaire on request.

Honest pricing for an open-core security tool.

Choose the deployment path

Start free. Upgrade when the team grows.