Security you pay more for the moment a plant is attacked is priced backwards.
Usage-metered tooling bills per connection, per lookup, per analyst seat — so the invoice climbs as you inventory more assets and spikes exactly during the incident, when you can least afford to ration a hunt. Against a site carrying tens of thousands of assets — and 145,000+ ICS services already sitting exposed on the open internet — a meter is a number you cannot forecast.
whisper verify --trustless costs nothing and needs no account — our own API is not in the trust path.
A meter that climbs with every asset you inventory — and spikes when you're attacked — isn't a price. It's a risk.
Two curves. One rises with every asset you add, every connection, every lookup your analysts run chasing a rotating adversary — and peaks precisely during the incident. The other is a flat line you set once and forecast for years.
Per-asset, not per-transaction
Priced to the thing you actually govern — the asset, PLC, RTU, gateway or HMI — so a chatty plant or a noisy incident never moves the invoice. Commission a new line, extend a site, weather an attack: the figure holds.
Attribution is never metered
Run identify, walk, history and Cypher as hard as an incident demands. No per-lookup tax means your OT SOC never rations a hunt while a rotating adversary keeps working across clouds and residential proxies.
Additive, not another bill
It sits on top of the OT monitoring, SIEM and threat-intel you already own as a feed — no per-analyst-seat licence, no data-egress fee, no new console to staff, no appliance in the plant path.
Start keyless. Prove it on a plant zone. Roll it across the site — flat the whole way.
POC → pilot → enterprise, exactly the path an OT security program buys on. Every tier speaks the same address-is-the-asset primitive; you're only widening how much of the plant it covers, never re-platforming and never touching a PLC.
Keyless, then a handful
$0 to start
No procurement. Verify free forever; provision a handful of asset identities hands-on.
The keyless half of the platform — trustless, anchored at the IANA root, our API never in the path — plus a first taste of the identity plane:
- ✓
whisper verify --trustlessany asset identity - ✓ Resolve and reverse-resolve a /128, read its RDAP
- ✓ Back-trace a suspicious
/128to the asset behind it — reverse-DNS + RDAP, no key - ✓ Provision a handful of asset /128s from the OPC UA
ApplicationUrior serial
One plant zone
Fixed scope
A bounded zone, time-boxed, one flat price.
Everything in POC, keyed to a defined zone so an OT lead can prove value before the board — the full control plane on a slice of the plant:
- ✓ Provision asset identities from
ApplicationUri/ IDevID / serial for the zone - ✓ Full attribution graph — unmetered during the pilot
- ✓ MUD-style egress governance —
op:policy/firewall/budget/revoke - ✓ Reverse observability —
op:lookupsshows who's enumerating your assets - ✓ SIEM feed: Splunk & Microsoft Sentinel today (STIX 2.1 / TAXII on the roadmap)
- ✓ EU CRA Annex I + IEC 62443-4-2 CR 1.2 evidence export
Flat per-asset / year
Site quote
One rate, quoted to your asset count. It doesn't move.
The whole program, all three planes, across every asset on the site or fleet — the way a CISO buys defence-in-depth:
- ✓ Identity, attribution graph and egress governance, site-wide
- ✓ Unlimited attribution — no per-lookup meter, ever
- ✓ On-prem or your own tenant — GDPR / data-residency by construction
- ✓ Availability-safe: no inline OT chokepoint, fail-open, anycast on AS219419
- ✓ Enterprise support and SLA, supplier interface agreements
Why a quote, not a sticker. A site price is one number, but the right number depends on asset count, on-prem vs tenant, and the standards evidence you need — so we quote it flat and in writing, and it holds for the term. No usage true-ups, no surprise line at renewal. Get a site quote →
The same platform, at three widths. Nothing behind the paywall is the security itself.
The keyless verification a peer operator, a regulator, an insurer or an integrator needs to check an asset's identity is free at every tier — on principle. The keyed tiers widen coverage and feed your stack; they never gate the ability to verify.
| Capability | POC | Pilot | Enterprise |
|---|---|---|---|
Trustless verify / resolve / RDAP (whisper verify --trustless) | ✓ | ✓ | ✓ |
| Trace a /128 to the asset behind it (reverse-DNS + RDAP) | ✓ | ✓ | ✓ |
| Public transparency log — every mint & revoke (tamper-evident today) | ✓ | ✓ | ✓ |
Asset /128 provisioning (register, DANE-EE pin, revoke) | a handful | a plant zone | site-wide |
Full attribution graph (identify, origins, walk, history, Cypher) | — | plant zone | unlimited |
MUD-style egress governance (op:policy / firewall / budget / revoke) | — | plant zone | site-wide |
Reverse observability — who's enumerating your assets (op:lookups) | — | plant zone | site-wide |
| SIEM feed: Splunk & Microsoft Sentinel connectors today · CEF/ECS | — | ✓ | ✓ |
| EU CRA Annex I + IEC 62443-4-2 CR 1.2 evidence (STIX/TAXII on roadmap) | — | ✓ | ✓ |
| On-prem / own tenant (data residency, GDPR) | — | — | ✓ |
| Availability-safe — no inline OT chokepoint · fail-open · anycast | ✓ | ✓ | ✓ |
| Enterprise support & SLA · supplier interface agreements | — | pilot support | ✓ |
| Metered by usage (per connection / lookup / seat) | never | never | never |
One line per asset — the legacy floor included. An asset that speaks OPC UA passes its ApplicationUri as the device_id; an 802.1AR IDevID device passes its serial. A dumb Modbus PLC behind a gateway gets a verifiable /128, PTR and RDAP for the first time — and it's still one per-asset line, with no premium for being old. (A first-class typed --application-uri argument is on the roadmap; today you pass it as device_id.)
The ROI isn't a promise — it's the costs the flat line takes off your books.
A predictable figure is only half the case. The other half is what it removes: per-site firewall toil, incident blast radius, audit effort, truck-rolls, analyst hours, and re-platform risk.
Micro-segmentation without per-site firewall rules
A per-asset /128 plus a default-deny egress allow-list is a conduit at asset granularity — additive to your 62443 zones, keyed to a verifiable identity, not a hand-maintained VLAN-and-ACL matrix per site. One declared policy travels with the asset; no bespoke firewall rules to re-derive at every brownfield plant.
One revoke, not re-imaging a fleet
Contain a compromised asset in one call — op:revoke tears down its /128, PTR and DANE pin worldwide at DNS-TTL, cross-org, no CRL you hope each device fetched and no truck rolled to every site. The eventual on-box remediation is yours; the immediate containment is one line.
CRA / 62443 evidence in the box
Findings arrive already mapped to EU CRA Annex I 2(d) identity, 2(j) attack-surface and 2(l) logging, and to IEC 62443-4-2 CR 1.2 + 3-3 zones-and-conduits — a byproduct of the tool, not a separate consulting line before a 2027 CE deadline.
Blast-radius reduction without OT downtime
It rides existing DNS/IPv6 and adds no inline OT chokepoint — the verify/DANE path is built to fail open, so a Whisper outage never bricks a PLC. You shrink the blast radius of a convergence-bridge compromise without a change window or a plant stop.
Analyst hours you stop burning
Correlating a rotating, meaningless last IP across Amazon, Google and Azure is manual, and it never converges. The graph collapses the rotation to one operator with a replayable evidence chain — and because attribution is unmetered, the meter never punishes an analyst for looking harder mid-incident.
A vendor that will still be here
No per-connection true-up, no per-seat creep as your SOC grows, no data-egress fee. It's real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Longevity is the cheapest line in any TCO.
A pricing model can be an attack surface. Ours isn't.
If security is metered, an adversary can run up your bill, and a defender rations their own hunt. We priced those failure modes out.
"If attribution is metered, do my analysts have to ration lookups in the middle of an incident?"
Never. The graph is unmetered on the keyed tiers — identify, walk, history and Cypher run as hard as the hunt demands. There is no per-query line for an attacker to inflate and none for a defender to fear.
"Does my bill spike when I'm under attack, or just when I inventory more assets?"
Neither. The price is per-asset, set once, for the term. A traffic flood, an enumeration campaign against your plant, or commissioning a new line moves your risk — it doesn't move the invoice. The meter that would have peaked during the incident simply doesn't exist.
"Is the keyless tier a real capability, or a trap that expires into a sales call?"
Real, and permanent. Keyless verify is anchored at the IANA root — our own API is not in the trust path, so we couldn't gate it if we wanted to. Verifying an asset's identity is a public check; charging for the truth would defeat the point.
Straight answers, before the call.
What exactly is metered?
Nothing by usage. You pay a flat rate per asset, per year. No per-connection charge, no per-lookup graph fee, no per-analyst seat, no data-egress bill. The only variable is how many assets the program covers.
Can I try it without procurement?
Yes — the POC is free and keyless. Run whisper verify --trustless today — resolve, reverse-resolve and read RDAP for any /128, no key — then provision a handful of asset /128s hands-on. A Pilot is a fixed, time-boxed engagement on one plant zone.
What happens as I inventory more assets?
The per-asset rate holds; the total scales linearly and predictably with asset count, quoted in writing for the term. No usage true-up, no renewal surprise, no penalty for a busy or attacked plant.
Is this on top of my SIEM and OT-monitoring cost?
It's a feed into the SIEM and threat-intel you already run — the Splunk and Microsoft Sentinel connectors ship today — and additive to your OT monitoring. Not a replacement, not a second console to staff. It makes the tools you already pay for sharper.
Can a Whisper outage take my plant down?
No. It adds no inline OT chokepoint; the verify/DANE path is built to fail open and rides anycast on AS219419. If we're slow or dark, checks degrade to your existing anchors — a Whisper outage never bricks a controller. Availability-safe is priced in, not a premium.
On-prem or hosted?
Either. The Enterprise tier runs on-prem or in your own tenant, so the graph and per-asset logs stay where your regulator needs them — GDPR and data residency by construction, at no metered premium.
What if I stop?
Identities are DNSSEC/DANE objects you can verify independently, and evidence exports are open formats (CEF, ECS; STIX and CRA/62443 JSON on the roadmap). There's no proprietary lock on your own asset attestations or your compliance record.
Flat depth on top of the stack you already run — it doesn't replace a line, it de-risks the whole one.
You already pay for OT monitoring, a SIEM, and a threat-intel subscription, and you should keep them — Whisper is additive to all three. Where a per-connection cloud makes the bill unforecastable and a rigid multi-module suite makes you buy packages you don't need, a flat per-asset line adds the two layers no one else owns — publicly verifiable, key-derived asset identity and cross-org attribution across rotating egress — without a meter and without an appliance in the plant path.
| Pricing model | Forecastable? | Meter spikes under attack? |
|---|---|---|
| Per-connection / usage-metered cloud | hard | yes |
| Rigid multi-module OT suite (six-figure floor) | partly | n/a — over-scoped |
| Whisper — flat per-asset / year | yes | no |
Honest boundary. Whisper governs who may reach and speak to an asset and attributes them — it does not add authentication to Modbus, DNP3 or PROFINET on the wire, and the last-inch command check stays with your PLC or a protocol-aware gateway. It makes the OT-monitoring, SIEM and threat-intel investments you already carry sharper, as a machine-readable feed — not a thing they compete with. See the full comparison →
One flat number. Every asset, covered.
Keyless verify is free forever — start there, no account. When you're ready, a site quote is one flat per-asset/year figure you can forecast and defend. No meter, no surprise at renewal, no appliance in the plant path.
Or run whisper verify --trustless right now — it costs nothing.