Simple, usage-based pricing
Start free. Upgrade when you need more capacity. No setup fees, no per-seat pricing, no surprises.
Free
For evaluation and low-volume use cases.
- ✓ 1,000 API calls / month
- ✓ 60 calls / minute
- ✓ 72 CVE-covered products
- ✓ 52 PyPI + 70 npm packages (supply chain)
- ✓ Full response schema incl. cve_ids
- ✓ Python SDK
- ✓ Community support
Starter
For production CI/CD pipelines and small teams.
- ✓ 25,000 API calls / month
- ✓ $0.002 / call thereafter
- ✓ 300 calls / minute
- ✓ 72 CVE-covered products
- ✓ 52 PyPI + 70 npm packages (supply chain)
- ✓ Full response schema incl. cve_ids
- ✓ Python SDK
- ✓ Email support
- ✓ Stripe billing portal
Pro
For teams with high-throughput pipelines and AI agents.
- ✓ 200,000 API calls / month
- ✓ $0.0008 / call thereafter
- ✓ 600 calls / minute
- ✓ 72 CVE-covered products
- ✓ 52 PyPI + 70 npm packages (supply chain)
- ✓ Full response schema incl. cve_ids
- ✓ Python SDK
- ✓ Priority support
- ✓ Stripe billing portal
Team
For large-scale supply chain orchestration and AI agents.
- ✓ 1,000,000 API calls / month
- ✓ $0.0006 / call thereafter
- ✓ 1,200 calls / minute
- ✓ 72 CVE-covered products
- ✓ 52 PyPI + 70 npm packages (supply chain)
- ✓ Full response schema incl. cve_ids
- ✓ Python SDK
- ✓ Priority support
- ✓ Stripe billing portal
- ✓ Team account management
What's included
| Feature | Free | Starter | Pro | Team |
|---|---|---|---|---|
| Included calls / month | 1,000 | 25,000 | 200,000 | 1,000,000 |
| Overage billing | None (hard cap) | $0.002 / call | $0.0008 / call | $0.0006 / call |
| 72 CVE-covered products | ✓ | ✓ | ✓ | ✓ |
| 52 PyPI + 70 npm packages (supply chain) | ✓ | ✓ | ✓ | ✓ |
| cve_ids field | ✓ | ✓ | ✓ | ✓ |
| risk_factors | ✓ | ✓ | ✓ | ✓ |
| confidence score | ✓ | ✓ | ✓ | ✓ |
| Python SDK | ✓ | ✓ | ✓ | ✓ |
| X-Attestd-Knowledge-Age header | ✓ | ✓ | ✓ | ✓ |
| 80% usage warning email | ✓ | ✓ | ✓ | ✓ |
| Email support | - | ✓ | ✓ | ✓ |
| Priority support | - | - | ✓ | ✓ |
| Billing portal | - | ✓ | ✓ | ✓ |
| Team account management | - | - | - | ✓ |
Frequently asked questions
What counts as an API call?
Each request to /v1/check counts as one call, regardless of the response (supported or unsupported product).
Do unused calls roll over?
No. Included calls reset on your billing anniversary each month.
Can I change plans?
Yes. Upgrade or downgrade at any time via your billing portal. Tier changes take effect immediately.
What happens when I hit my limit?
It depends on your tier. Free tier: further calls return HTTP 429 until your period resets. Upgrade to continue. Starter, Pro, and Team: calls beyond your included allocation are billed automatically via Stripe at the overage rate. Your pipeline is never blocked.
How does overage billing work?
Starter, Pro, and Team tiers use Stripe Meter billing. Once you exceed your included calls, each additional call is charged at $0.002 (Starter), $0.0008 (Pro), or $0.0006 (Team). There is no hard cap on calls. The API keeps working. Overage charges appear on your next invoice.
Will I get a warning before hitting my limit?
Yes. You'll receive an email when you've used 80% of your included calls for the month. Free users get a prompt to upgrade; Starter and Pro users are reminded that overage billing will kick in automatically.
Is there a trial period?
The free tier is permanent. No time limit. You can evaluate the full response schema and integrate before upgrading.
What products are supported?
CVE coverage spans 72 infrastructure products across 12 categories: databases (13), web servers & proxies (7), messaging & streaming (6), containers & orchestration (7), service mesh & networking (5), observability & monitoring (5), infrastructure & runtimes (6), security tooling (1), CI/CD platforms (4), JavaScript runtimes & sandboxes (4), authentication & identity (6), and language runtimes (8). Supply chain monitoring covers 52 PyPI and 70 npm packages across AI/ML, JS frameworks, TanStack / OpenSearch clients, and more. See the full product list.
Does supply chain monitoring cost extra?
No. Supply chain monitoring for PyPI and npm packages is included in all tiers at the same API call rate as CVE checks. Use the same API endpoint and authentication.
How often is supply chain data updated?
Ingestion runs on a scheduled basis; the last_updated field in the response shows when monitoring last ran for that package. Registry and OSV sources are checked on each run.
Ready to get started? A free key takes under a minute to set up.