Security you pay more for the moment you're attacked is priced backwards.
Usage-metered tooling bills per API transaction, per query, per analyst seat — so the invoice climbs as your fleet grows and spikes exactly during the incident, when you can least afford to ration a hunt. Against a fielded fleet of 25M+ inverters streaming telemetry, a meter is a number you cannot forecast.
whisper verify --trustless costs nothing and needs no account — our own API is not in the trust path.
A meter that climbs with your fleet — and spikes when you're attacked — isn't a price. It's a risk.
Two curves. One rises with every DER you add, every telemetry poll, every query your analysts run chasing a rotating adversary — and peaks precisely during the incident. The other is a flat line you set once and forecast for years.
Per-device, not per-transaction
Priced to the thing you actually govern — the inverter, gateway or EVSE — so a chatty telemetry cadence or a noisy incident never moves the invoice. Add a model line, extend a program, weather an attack: the figure holds.
Attribution is never metered
Run identify, walk, history and Cypher as hard as an incident demands. No per-query tax means your analysts never ration a hunt while a rotating adversary keeps dispatching.
Additive, not another bill
It sits on top of the OT SOC, SIEM and DERMS/2030.5 PKI you already own as a feed — no per-analyst-seat licence, no data-egress fee, no new console to staff, no inline OT chokepoint.
Start keyless and free. Prove it on a segment. Roll it across the fleet — flat the whole way.
POC → pilot → enterprise, exactly the path a grid-security program buys on. Every tier speaks the same address-is-identity primitive; you're only widening how much of the fleet it covers, never re-platforming.
Free to start
$0
Keyless checks need no account, no card. A free sign-up adds a handful of identities to prove the bind — still $0.
The keyless half of the platform — trustless, anchored at the IANA root, our API never in the path — needs no account:
- ✓
whisper verify --trustlessany DER identity - ✓ Resolve and reverse-resolve a /128, read its RDAP
- ✓ Back-trace a suspicious
/128to the device behind it — reverse-DNS + RDAP, no key
Then a free key (still $0) adds
- ✓ Bind a handful of inverters to the
LFDIthey already carry anddig -xthem
A fleet segment
Fixed scope
A bounded segment, time-boxed, one flat price.
Everything in POC, keyed to a defined device count — the full control plane on a slice, so a program owner can prove value before the board:
- ✓ Provision device /128 identities from the
LFDI(or DER serial) for the segment - ✓ Full attribution graph — unmetered during the pilot
- ✓ Egress governance:
op:policydefault-deny ·firewall·budget·lookups·revoke - ✓ Machine-readable feed into your SIEM: Splunk & Microsoft Sentinel connectors today (STIX 2.1 / TAXII on the roadmap)
- ✓ The tamper-evident, Bitcoin-anchored transparency log — every mint and revoke auditable
Flat per-device / year
Fleet quote
One rate, quoted to your fleet size. It doesn't move.
The whole program, all three planes, across every device — the way a utility or aggregator CISO buys defence-in-depth:
- ✓ Identity, attribution graph and egress governance, fleet-wide
- ✓ Unlimited attribution — no per-query meter, ever
- ✓ Non-repudiable telemetry — sign each DER's dispatch and telemetry to its /128
- ✓ On-prem or your own tenant — NIS2 / GDPR data residency by construction
- ✓ Enterprise support and SLA · CIP-013 supplier interface agreements
Why a quote, not a sticker. A fleet price is one number, but the right number depends on device count, on-prem vs tenant, and the standards evidence you need — so we quote it flat and in writing, and it holds for the term. No usage true-ups, no surprise line at renewal. Get a fleet quote →
The same platform, at three widths. Nothing behind the paywall is the security itself.
The keyless verification a utility, an ISO, a regulator or a researcher needs to check a DER's identity is free at every tier — on principle. The keyed tiers widen coverage and feed your stack; they never gate the ability to verify. Roadmap items are labelled honestly, never sold as shipped.
| Capability | POC | Pilot | Enterprise |
|---|---|---|---|
Trustless verify / resolve / RDAP (whisper verify --trustless) | ✓ | ✓ | ✓ |
| Trace a /128 to the device behind it (reverse-DNS + RDAP) | ✓ | ✓ | ✓ |
| Public transparency log — every mint + revoke, tamper-evident, Bitcoin-anchored | ✓ | ✓ | ✓ |
Device /128 identities (register, DANE-EE, op:revoke) from the LFDI | a handful | fleet segment | fleet-wide |
Full attribution graph (identify, origins, walk, history, Cypher) | — | fleet segment | unlimited |
Egress governance (op:policy, firewall, budget, lookups, revoke) | — | fleet segment | fleet-wide |
| Non-repudiable telemetry — sign a DER's dispatch/telemetry to its /128 | — | fleet segment | fleet-wide |
| SIEM feed — Splunk connector today · CEF / ECS | — | ✓ | ✓ |
| STIX 2.1 / TAXII · ISAC JSON export | roadmap | roadmap | roadmap |
First-class typed --lfdi arg (pass the LFDI as device_id today) | roadmap | roadmap | roadmap |
| On-prem / own tenant (data residency, NIS2 / GDPR) | — | — | ✓ |
| Enterprise support & SLA · CIP-013 supplier interface agreements | — | pilot support | ✓ |
| Metered by usage (per transaction / query / seat) | never | never | never |
On the roadmap, stated plainly. The Splunk and Microsoft Sentinel connectors ship today (signed JSON → CEF/ECS). STIX 2.1 over TAXII, a machine-readable per-ISAC export, and a first-class typed --lfdi argument are proposed and on the roadmap — until they land you pass the LFDI as device_id, which is shipped and live. The transparency log is tamper-evident, Ed25519-signed and Bitcoin-anchored today; independent third-party witnessing is the next step, and the log already speaks the witness-cosigning protocol.
The ROI isn't a promise — it's the costs the flat line takes off your books.
A predictable figure is only half the case. The other half is what it removes: analyst hours, incident blast radius, audit effort, and re-platform risk.
Analyst hours you stop burning
Correlating a rotating, meaningless last IP across Amazon, Google and Azure is manual, and it never converges. The graph collapses cloud rotation to one operator — and a JA4 client fingerprint collapses a residential-proxy swarm the same way — with a replayable evidence chain. The hours go back to your OT SOC, and the meter never punishes them for looking harder.
One revoke, not a fleet-wide re-key
A compromised inverter is revoked worldwide at DNS-TTL speed — no re-flashing fielded units, no CRL you hope every device fetched. IEEE 2030.5's own certs are life-long, with no CRL and no OCSP; the alternative to one call is a truck-roll. The blast radius is one leaf key, never a shared root — the single-CA-compromise failure mode is structurally removed.
Grid, warranty and recall exposure
Catching fleet-scale enumeration before it becomes mass compromise is the difference between a revoke and a recall. Research models <2% of inverters (~4.5 GW) as enough to force EU grid load-shedding, and one platform pair coordinated ~195 GW — a flat line item hedges against a variable-cost, grid-scale catastrophe.
Audit effort you don't repeat
Findings arrive already aligned to NERC CIP-013 R1.2.3/R1.2.6 and CIP-005 R3.1/R3.2 vendor-remote-access controls, and map to NIS2 Art.21 and NISTIR 7628. The transparency log gives your regulator a non-repudiable issuance and revocation trail. The compliance artefact is a byproduct of the tool, not a separate consulting line.
Re-platform risk you avoid
The field already proposes DIDs/SSI for inverters, but no productized, DNS/DANE-anchored, one-call-revocable offering exists — and security vendors fold. Whisper is real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Longevity is the cheapest line in any TCO.
No shadow costs at renewal
No per-transaction true-up, no per-seat creep as your OT SOC grows, no data-egress fee. What you forecast in year one is what you sign in year three — the number a CFO can actually plan around, and defend in an audit.
A pricing model can be an attack surface. Ours isn't.
If security is metered, an adversary can run up your bill, and a defender rations their own hunt. We priced those failure modes out.
"If attribution is metered, do my analysts have to ration lookups in the middle of an incident?"
Never. The graph is unmetered on the keyed tiers — identify, walk, history and Cypher run as hard as the hunt demands. There is no per-query line for an attacker to inflate and none for a defender to fear.
"Does my bill spike when I'm under attack, or just when my fleet grows?"
Neither. The price is per-device, set once, for the term. A telemetry flood, a fleet-enumeration campaign, or adding a model line moves your risk — it doesn't move the invoice. The meter that would have peaked during the incident simply doesn't exist.
"Is the free tier a real capability or a trap that expires into a sales call?"
Real, and permanent. Keyless verify is anchored at the IANA root — our own API is not in the trust path, so we couldn't gate it if we wanted to. Verifying a DER's identity is a public check; charging for the truth would defeat the point.
Straight answers, before the call.
What exactly is metered?
Nothing by usage. You pay a flat rate per device, per year. No per-API-transaction charge, no per-query graph fee, no per-analyst seat, no data-egress bill. The only variable is how many devices the program covers.
Can I try it without procurement?
Yes. The keyless checks need no account at all — run whisper verify --trustless today, and resolve, reverse-resolve and read RDAP for any /128. A free sign-up (still $0) then adds a handful of identities, so you can bind a few inverters to the LFDI they already carry and dig -x them. When you're ready to provision a slice, a Pilot is a fixed, time-boxed engagement.
What happens when my fleet grows?
The per-device rate holds; the total scales linearly and predictably with device count, quoted in writing for the term. No usage true-up, no renewal surprise, no penalty for a busy or attacked fleet.
Is this on top of my SIEM cost?
It's a feed into the SIEM and OT-detection you already run — the Splunk and Microsoft Sentinel connectors ship today — not a replacement and not a second console to staff. It makes the tools you already pay for sharper, and adds no inline OT chokepoint.
On-prem or hosted?
Either. The Enterprise tier runs on-prem or in your own tenant, so the graph and per-device logs stay where your regulator needs them — NIS2 and GDPR data residency by construction, at no metered premium.
What if I stop?
Identities are DNSSEC/DANE objects you can verify independently, the transparency log is a public append-only record, and evidence exports are open formats (CEF, ECS; STIX and ISAC JSON on the roadmap). There's no proprietary lock on your own attestations or your compliance record.
Flat depth on top of the stack you already run — it doesn't replace a line, it de-risks the whole one.
You already pay for a behavioural OT SOC, a SIEM, and a DERMS that consumes the manufacturer's IEEE 2030.5 certificate, and you should keep them — Whisper is additive to all three. Where a rigid six-figure OT-module bundle makes you buy packages you don't need and a per-transaction cloud makes the bill unforecastable, a flat per-device line adds the two layers no one else owns — attribution across rotating clouds and residential proxies and publicly verifiable, revocable identity after auth — without a meter and without a new silo. It can even DANE-pin the same 2030.5 certificate your CSIP head-end already speaks.
| Pricing model | Forecastable? | Meter spikes under attack? |
|---|---|---|
| Per-API-transaction / usage-metered cloud | hard | yes |
| Rigid multi-module OT bundle (six-figure floor) | partly | n/a — over-scoped |
| Whisper — flat per-device / year | yes | no |
It makes the OT-detection and threat-intel investments you already carry sharper, as a machine-readable feed — not a thing they compete with. See the full comparison →
One flat number. Every device, covered.
Keyless verify is free forever — start there, no account. When you're ready, a fleet quote is one flat per-device/year figure you can forecast and defend. No meter, no surprise at renewal.
Or run whisper verify --trustless right now — it costs nothing.