Predictable annual pricing across four tiers, scaled by the number of agents you protect. No per-call metering, no overage charges, no soft caps. Apache 2.0 source remains freely buildable from GitHub for inspection and evaluation; production deployment requires a paid tier.
First production deployment. Single team running one or a few high-value agent workflows. The fastest path from pilot to paid.
Two teams, or one team scaling. The natural second-year motion; Starter is proven, more workflows are coming online, and the upgrade cliff has to be gentle.
Org-wide, multiple workflows, regulated-industry default. The tier most enterprise deployments settle into, with agents across finance, operations, and customer-facing teams.
Large enterprise, complex compliance posture, named-account relationship. Dedicated engineering and services on top of the product, not a feature unlock, a service layer.
Starter through Enterprise ship the same gateway, the same console, and the same set of features. Tiers differ by agent capacity and the support commitment, not by feature gates. The full capability inventory lives on the product page; what each tier's support level includes lives on the support page.
Five principles that shape every quote. Anchored in what procurement, security, and engineering actually need.
We price by the number of agents you protect, defined as distinct (tenant, subject) pairs the gateway has minted tokens for, over a rolling 90-day window. Per-call metering creates the wrong incentive on a security product ("we're being charged more for using you, so we'll use you less") and procurement teams reject it.
When your distinct-agent count hits a tier's ceiling, the gateway
returns 402 Payment Required on new mints. Existing
tokens are unaffected. Tier upgrades are renewal conversations,
not surprise invoices. Upgrading is a hot-reload of the license
file with zero downtime.
SSO, SCIM, JIT elevation, audit verify, AI-assisted Rego, SIEM forwarders, multi-tenant scoping: all in every tier. Enterprise adds dedicated support, custom Rego authoring, on-prem code review, and contractual SLAs as services, not capability gates.
The Apache 2.0 gateway, extractor, SDKs, and helm chart remain freely buildable from GitHub. Clone, inspect, build, run for evaluation. Production deployment requires a paid tier: a contractual constraint plus a license-key technical constraint.
"Contact" sits in the tiles instead of a number because every first deal involves a small negotiation around pilot scope, agent count, and support commitments. We'll publish public price ranges once the first three commercial agreements anchor them.
Every first deal involves a small negotiation around pilot scope, agent count, integration footprint, and support commitments. A flat public number would either anchor low and undercut larger deployments, or anchor high and lose smaller teams. We publish tier structure publicly and quote within one business day on request. Once the first three commercial agreements anchor the ranges, we'll publish them.
Yes. The Apache 2.0 gateway, extractor, SDKs, and helm chart are freely buildable from GitHub for evaluation. Spin it up on a laptop or in CI, exercise the five checks, inspect the audit chain. Production deployment requires a paid tier (a contractual constraint plus a license-key technical constraint), but evaluation is unrestricted. Paid 90-day pilots are available on the Starter tier.
When distinct-agent count hits the tier ceiling, the gateway
returns 402 Payment Required on new mints. Existing
tokens are unaffected. Upgrading is a hot-reload of the license
file with zero downtime, prorated to the renewal date. No
surprise overage invoices.
Same product. Pro is the standard commercial tier with business-day support, quarterly business review, and self-service onboarding. Enterprise adds a dedicated support engineer, custom Rego authoring, on-prem code review for regulated deployments, a contractual SLA, roadmap input, and procurement-friendly terms. None of the differences are capability gates; they are service commitments.
Yes, on a controlled basis. Authorised partners receive wholesale pricing and may discount up to the floor set per tier; they cannot price below the floor. This protects the brand from race-to-the-bottom commodification and prevents channel conflict between partners working the same deal. Partner enquiries: contact us.
The license is a signed JWT containing tier, agent cap, expiry,
and customer ID. The gateway validates the signature on startup
with a baked-in public key, then enforces the agent cap at
mint time. Air-gapped deployments work without registry
connectivity (the JWT is self-contained); cloud deployments
additionally support online activation against
license.intentgate.app. License files do not phone
home and contain no telemetry.
A single Pro or Enterprise license covers multiple deployment instances under one customer, provided the aggregate distinct agent count stays under the tier ceiling. Multi-region active- active and replicated audit chains are negotiated under Enterprise terms.
Past 500 agents, pricing transitions from per-agent to negotiated annual under custom commercial terms. Typical structure: a base platform fee plus a per-agent component that scales down with volume. Send us your deployment shape and we'll quote.
Pro services (policy authoring, SIEM wiring, custom Rego), volume discounts past 500 agents, on-prem support, paid pilot terms; we'll quote.
Talk to us