Pricing

Fixed price. In the open.

The Rapid Assessment is the core offer — a fixed-scope, two-week PCI DSS 12.3.3 cryptographic inventory plus a QSA-ready evidence pack. The free scanner and public registry are the on-ramp, not the product. No quote-only games.

For teams · the core offer

For teams with a 12.3.3 deadline.


regulated mid-market · banks · healthcare · defense contractors

Rapid Assessment

$5,000–$8,000 · fixed scope · 2-week sprint
  • Hand-driven scan of your codebase + manual review of TLS, cert & KMS posture
  • CycloneDX 1.6 CBOM + executive summary PDF
  • Audit Pack: Cryptographic Inventory Summary + compliance matrix (PCI-DSS 4.0.1 Req 12.3.3, FIPS 140-2 transition, CNSA 2.0, NIST 800-208)
  • Founder call once per week during the engagement
  • Migration playbook with prioritized remediation
  • Bridges to Enterprise without a 6-month sales cycle

F500 AppSec / GRC programs

Enterprise

$25K–$150K · annual · launching Year 2
  • Continuous monitoring + drift detection
  • Audit Pack with white-label
  • Custom rules engine (your team authors detection)
  • Slack / Jira / ServiceNow integration
  • SSO + SCIM + audit log
  • Dedicated CSM + quarterly reviews

For practitioners · the on-ramp

Free to start.

The free scanner and public registry are how teams discover CipherM — not the revenue. Pro is on the waitlist while we stay focused on assessments, and the $99/mo team tier is deliberately parked until there are champions inside larger orgs to push it through procurement.

OSS maintainers · students · solo developers

Open

$0 · forever
  • cipherm-scan CLI · 104 rules (classical + post-quantum)
  • cipherm-tls handshake validator
  • Public CBOM registry — upload, browse, diff
  • Threat Clock + Q-CBOM extension
  • CycloneDX 1.6 output, freely interoperable

security engineers · freelancers · internal champions

Pro

$39 · per month · waitlist
  • Private CBOMs (not in public registry)
  • Unlimited scans across unlimited repos
  • Custom regex rules (your detection logic)
  • PDF export for stakeholder reports
  • Continuous TLS validation — 10 endpoints
  • Email + priority support

FAQ

Is cipherm-scan really Apache-2.0?

Yes. The CLI scanner is OSS forever. The detection ruleset (rules/) is also Apache-2.0. The registry, hosted dashboard, Audit Pack, and continuous-monitoring pieces are proprietary.

What's a Rapid Assessment, exactly?

A 2-week fixed-scope engagement. We run the scanner across your code and configs and manually review your TLS, cert, and cloud KMS posture. We deliver a CycloneDX 1.6 CBOM, executive summary PDF, compliance matrix per standard, and a prioritized migration playbook. One founder call per week during the engagement.

When is Enterprise actually available?

Year 2 (2027). Pre-traction we don't run a 6-12 month enterprise sales cycle. The Rapid Assessment is the bridge — if it goes well it converts to a multi-year Enterprise contract.

Why no $99/mo team tier?

Mid-market tiers compete with both extremes and dilute the message. Open captures distribution. Pro captures internal champions. Rapid Assessment captures regulated mid-market. The middle returns once we have champions to push procurement.

Do I need a domain to use the CLI?

No. cipherm-scan runs locally and emits CycloneDX JSON. The registry is one upload destination among many — your CBOM is yours.

What about students and OSS maintainers?

Open tier covers you forever. If you're maintaining a popular OSS project and want a verified CipherM-scanned badge for your README, email founder@cipherm.io.