# Pricing: flat, per-device, forecastable at BOM time

> A per-message meter on a fleet you sized at design time is priced backwards.
> We price the other way: flat, per-device, per year. Not per message, per
> query, per MB, or per seat. Keyless verify is free forever; attribution is
> never metered. One line item you can put in the unit economics before the
> product ships.

- **$0**: keyless verify, resolve and RDAP, free forever, no account
- **1×**: one flat per-device/year figure, not per-message, per-MB or per-seat
- **0** usage meters on attribution: never ration a hunt mid-incident
- **1** owner-thrown revoke replaces a fleet-wide credential rotation you can't physically do
- **BOM**: a number you can price into the product before it ships
- **10-20y**: device lifetimes, the term the price has to be sane over

---

## The pricing principle

A meter that climbs with your fleet, and spikes when you're attacked, isn't a
price. It's a risk. Usage-metered device platforms bill per message, per
operation, per MB, so the invoice climbs with every unit you ship and peaks
precisely during the incident, when a hijacked fleet is chattiest and your
analysts can least afford to ration a hunt.

- **Per-device, not per-message.** Priced to the thing you actually govern, so a chatty firmware release or a noisy incident never moves the invoice.
- **Attribution is never metered.** Run `identify`, `walk`, `history` and Cypher as hard as an incident demands.
- **Additive, not another bill.** A feed into the device cloud, SIEM and threat-intel you already own: no per-analyst-seat licence, no data-egress fee, no new console to staff.

## The three tiers

### Verify · free, forever ($0)

No account. No card. No key. The keyless half of the platform, trustless and
anchored at the IANA root:

- `whisper verify --trustless` any device identity
- Resolve and reverse-resolve a /128, read its RDAP
- Check a DANE-EE pin from any client with a TLS stack: reverse-DNS + RDAP, no key

### Pilot · flat engagement (fixed scope)

One product line, time-boxed, one flat price. Everything in Verify, keyed to a
defined device count:

- Provision device identities from the secure-element key for the line
- Full attribution graph: unmetered during the pilot
- Machine-readable feed into your SIEM: Splunk & Microsoft Sentinel today (STIX 2.1 / TAXII on the roadmap)
- EU CRA / IEC 62443 / EN 303 645 evidence export

### Fleet · flat per-device / year (fleet quote)

One rate, quoted to your fleet size. It doesn't move.

- Identity, attribution graph and device governance, fleet-wide
- Unlimited attribution: no per-query meter, ever
- On-prem or your own tenant: data sovereignty by construction
- Enterprise support and SLA, supplier / ODM interface specs

**Why a quote, not a sticker.** The right number depends on fleet size, on-prem
vs tenant, and the standards evidence you need, so we quote it flat and in
writing, and it holds for the term. No usage true-ups, no surprise line at
renewal. Get a fleet quote → <https://console.whisper.security/sign-up>

## What each tier includes

| Capability | Verify | Pilot | Fleet |
|---|---|---|---|
| Trustless verify / resolve / RDAP | ✓ | ✓ | ✓ |
| Trace a /128 to the device behind it (reverse-DNS + RDAP) | ✓ | ✓ | ✓ |
| Full attribution graph (`identify`, `origins`, `walk`, `history`, Cypher) | – | product line | unlimited |
| Device-identity provisioning (register /128, DANE-EE, `revoke`) | – | product line | fleet-wide |
| Device governance (per-device /128, policy, `op:logs`) | – | product line | fleet-wide |
| SIEM feed: Splunk & Microsoft Sentinel connectors today · CEF/ECS | – | ✓ | ✓ |
| EU CRA / IEC 62443 / EN 303 645 evidence export | – | ✓ | ✓ |
| On-prem / own tenant | – | – | ✓ |
| Enterprise support & SLA · supplier / ODM interface specs | – | pilot support | ✓ |
| Metered by usage (per message / query / MB / seat) | never | never | never |

## The ROI: four costs the flat line takes off your books

- **Analyst hours you stop burning**: the graph collapses a rotating last-IP fog to one operator with a replayable evidence chain, and the meter never punishes your team for looking harder.
- **The rotation you can't do**: when a shared credential leaks, "rotate it" means a recall-grade OTA campaign. With per-device identity it's one `revoke` for the affected unit, at DNS-TTL speed, publicly checkable.
- **One revoke, not a fleet event**: no CRL distribution, no coordinated firmware push, no support-line surge. The blast radius is one leaf key, never a shared root.
- **Audit effort you don't repeat**: findings arrive already mapped to EU CRA and IEC 62443 evidence.
- **Re-platform risk you avoid**: IoT platforms retire and strand their fleets. Whisper anchors identity in public DNS and registered address space (AS219419).
- **No shadow costs at renewal**: no per-message true-up, no per-seat creep, no data-egress fee.

## A pricing model can be an attack surface. Ours isn't.

> **"If attribution is metered, do my analysts ration lookups mid-incident?"**
> Never. The graph is unmetered on the keyed tiers. There is no per-query line
> for an attacker to inflate and none for a defender to fear.

> **"Does my bill spike when a hijacked fleet gets chatty, or when I ship a popular product?"**
> Neither. The price is per-device, set once, for the term. The meter that
> would have peaked during the incident simply doesn't exist.

> **"Is the free tier a real capability or a trap that expires into a sales call?"**
> Real, and permanent. Keyless verify is anchored at the IANA root: our own API
> is not in the trust path, so we couldn't gate it if we wanted to.

## The questions procurement always asks

- **What exactly is metered?** Nothing by usage. A flat rate per device, per year. The only variable is how many devices the program covers.
- **Can I try it without procurement?** Yes: the Verify tier is free and needs no account. A Pilot is a fixed, time-boxed engagement on one product line.
- **What happens when my fleet grows?** The per-device rate holds; the total scales linearly, quoted in writing for the term.
- **Is this on top of my device-cloud cost?** It's a layer on top of the enrollment and SIEM you already run, not a replacement and not a second console to staff.
- **On-prem or hosted?** Either. The Fleet tier runs on-prem or in your own tenant, at no metered premium.
- **What if I stop?** Identities are DNSSEC/DANE objects you can verify independently; evidence exports are open formats (CEF, ECS; STIX on the roadmap). No proprietary lock on your own records.

| Pricing model | Forecastable at BOM time? | Meter spikes under attack? |
|---|---|---|
| Per-message / per-operation metered cloud | hard | yes |
| Rigid multi-module bundle (six-figure floor) | partly | n/a: over-scoped |
| Whisper: flat per-device / year | yes | no |

Get a fleet quote → <https://console.whisper.security/sign-up> · [For device makers →](/for-device-makers)

Or run `whisper verify --trustless` right now: it costs nothing.

---

*Whisper for Embedded · Identity on the wire for every device · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
