# Pricing — Whisper for Energy · flat, per-device, predictable

> Security you pay *more* for the moment you're attacked is priced backwards.
> Whisper is flat, per-device, per year — not per transaction, per query, or per seat.
> Keyless verify is free forever, attribution is never metered. A line item you can forecast.

Usage-metered tooling bills per API transaction, per query, per analyst seat — so the
invoice climbs as your fleet grows and spikes exactly during the incident, when you can
least afford to ration a hunt. Against a fielded fleet of 25M+ inverters streaming
telemetry, a meter is a number you cannot forecast. **We price the other way.**

`whisper verify --trustless` costs nothing and needs no account — our own API is not in the trust path.

- **$0** — Keyless verify, resolve and back-trace, free forever, no account
- **1×** — One flat per-device/year figure — not per-transaction, per-query or per-seat
- **25M+** — inverters already fielded; a per-transaction meter at that scale is unforecastable
- **0** — usage meters on attribution; never ration a hunt mid-incident
- **1** — revoke replaces re-keying a fleet whose certs have no CRL, no OCSP
- **~195 GW** — coordinated by one platform pair; a flat line hedges what a token takeover risks

---

## The pricing principle

**A meter that climbs with your fleet — and spikes when you're attacked — isn't a price.
It's a risk.** Two curves. One rises with every DER you add, every telemetry poll, every
query your analysts run chasing a rotating adversary — and peaks precisely during the
incident. The other is a flat line you set once and forecast for years.

```
annual cost
  ▲
  │                                             ╱ usage-metered
  │                                        ╱╱      (per transaction · query · seat)
  │                                  ╱╱          ◀── under attack: billed most when it hurts most
  │                          ╱╱╱
  │                ╱╱╱╱
  │        ╱╱╱╱
  ├──────────────────────────────────────────── Whisper · flat per-device / year
  │        (set once · forecast for years · attribution never metered)
  └──────────────────────────────────────────────▶ fleet growth · telemetry volume · incident load
       the gap between the lines is the overage a flat price never charges
```

- **Per-device, not per-transaction** — priced to the thing you govern, the inverter/gateway/EVSE, so a chatty telemetry cadence or a noisy incident never moves the invoice.
- **Attribution is never metered** — run `identify`, `walk`, `history` and Cypher as hard as an incident demands; no per-query tax means analysts never ration a hunt.
- **Additive, not another bill** — it sits on top of the OT SOC, SIEM and DERMS/2030.5 PKI you already own as a feed; no per-seat licence, no data-egress fee, no new console, no inline OT chokepoint.

---

## Three tiers · one primitive

Start keyless and free. Prove it on a segment. Roll it across the fleet — flat the whole
way. POC → pilot → enterprise, exactly the path a grid-security program buys on. Every tier
speaks the same *address-is-identity* primitive; you only widen how much of the fleet it
covers, never re-platform.

### POC — free to start · **$0**

Keyless checks need no account, no card. A free sign-up (still $0) then adds a handful of
identities to prove the bind. The keyless half of the platform is trustless, anchored at the
IANA root, our API never in the path — no account:

- `whisper verify --trustless` any DER identity
- Resolve and reverse-resolve a /128, read its RDAP
- Back-trace a suspicious /128 to the device behind it — reverse-DNS + RDAP, no key

Then a free key (still $0) adds:

- Bind a handful of inverters to the `LFDI` they already carry and `dig -x` them

### Pilot — a fleet segment · fixed scope

A bounded segment, time-boxed, one flat price. Everything in POC, keyed to a defined device
count — the full control plane on a slice, so a program owner can prove value before the
board:

- Provision device /128 identities from the `LFDI` (or DER serial) for the segment
- Full attribution graph — unmetered during the pilot
- Egress governance: `op:policy` default-deny · `firewall` · `budget` · `lookups` · `revoke`
- Machine-readable feed into your SIEM: Splunk connector & Microsoft Sentinel today (STIX 2.1 / TAXII on the roadmap)
- The tamper-evident, Bitcoin-anchored transparency log — every mint and revoke auditable

### Enterprise — flat per-device / year · fleet quote

One rate, quoted to your fleet size. It doesn't move. The whole program, all three planes,
across every device — the way a utility or aggregator CISO buys defence-in-depth:

- Identity, attribution graph and egress governance, fleet-wide
- Unlimited attribution — no per-query meter, ever
- Non-repudiable telemetry — sign each DER's dispatch and telemetry to its /128
- On-prem or your own tenant — NIS2 / GDPR data residency by construction
- Enterprise support and SLA · CIP-013 supplier interface agreements

**Why a quote, not a sticker.** A fleet price is one number, but the right number depends on
device count, on-prem vs tenant, and the standards evidence you need — so we quote it flat
and in writing, and it holds for the term. No usage true-ups, no surprise line at renewal.
Get a fleet quote → <https://console.whisper.security/sign-up>

---

## What each tier includes

The keyless verification a utility, an ISO, a regulator or a researcher needs to check a
DER's identity is free at every tier — on principle. The keyed tiers widen coverage and feed
your stack; they never gate the ability to *verify*. Roadmap items are labelled honestly,
never sold as shipped.

| Capability | POC | Pilot | Enterprise |
|---|---|---|---|
| Trustless verify / resolve / RDAP (`whisper verify --trustless`) | ✓ | ✓ | ✓ |
| Trace a /128 to the device behind it (reverse-DNS + RDAP) | ✓ | ✓ | ✓ |
| Public transparency log — every mint + revoke, tamper-evident, Bitcoin-anchored | ✓ | ✓ | ✓ |
| Device /128 identities (register, DANE-EE, `op:revoke`) from the LFDI | a handful | fleet segment | fleet-wide |
| Full attribution graph (`identify`, `origins`, `walk`, `history`, Cypher) | — | fleet segment | unlimited |
| Egress governance (`op:policy`, `firewall`, `budget`, `lookups`, `revoke`) | — | fleet segment | fleet-wide |
| Non-repudiable telemetry — sign a DER's dispatch/telemetry to its /128 | — | fleet segment | fleet-wide |
| SIEM feed — **Splunk connector today** · CEF / ECS | — | ✓ | ✓ |
| STIX 2.1 / TAXII · ISAC JSON export | roadmap | roadmap | roadmap |
| First-class typed `--lfdi` arg (pass the LFDI as `device_id` today) | roadmap | roadmap | roadmap |
| On-prem / own tenant (data residency, NIS2 / GDPR) | — | — | ✓ |
| Enterprise support & SLA · CIP-013 supplier interface agreements | — | pilot support | ✓ |
| Metered by usage (per transaction / query / seat) | never | never | never |

**On the roadmap, stated plainly.** The Splunk connector ships today (signed JSON → CEF/ECS).
Microsoft Sentinel, STIX 2.1 over TAXII, a machine-readable per-ISAC export, and a
first-class typed `--lfdi` argument are *proposed and on the roadmap* — until they land you
pass the LFDI as `device_id`, which is shipped and live. The transparency log is
tamper-evident, Ed25519-signed and Bitcoin-anchored today; independent third-party
witnessing is the next step, and the log already speaks the witness-cosigning protocol.

---

## Where the flat number pays for itself

The ROI isn't a promise — it's the costs the flat line takes off your books. A predictable
figure is only half the case; the other half is what it removes: analyst hours, incident
blast radius, audit effort, and re-platform risk.

- **Analyst hours you stop burning.** Correlating a rotating, meaningless *last IP* across Amazon, Google and Azure is manual and never converges. The graph collapses cloud rotation to one operator — and a `JA4` client fingerprint collapses a residential-proxy swarm the same way — with a replayable evidence chain. The hours go back to your OT SOC, and the meter never punishes them for looking harder.
- **One revoke, not a fleet-wide re-key.** A compromised inverter is `revoke`d worldwide at DNS-TTL speed — no re-flashing fielded units, no CRL you hope every device fetched. IEEE 2030.5's own certs are *life-long, with no CRL and no OCSP*; the alternative to one call is a truck-roll. The blast radius is one leaf key, never a shared root — the single-CA-compromise failure mode is structurally removed.
- **Grid, warranty and recall exposure.** Catching fleet-scale enumeration before it becomes mass compromise is the difference between a `revoke` and a recall. Research models **<2% of inverters (~4.5 GW)** as enough to force EU grid load-shedding, and one platform pair coordinated **~195 GW** — a flat line item hedges against a variable-cost, grid-scale catastrophe.
- **Audit effort you don't repeat.** Findings arrive aligned to **NERC CIP-013 R1.2.3/R1.2.6** and **CIP-005 R3.1/R3.2** vendor-remote-access controls, and map to NIS2 Art.21 and NISTIR 7628. The transparency log gives your regulator a non-repudiable issuance and revocation trail. The compliance artefact is a byproduct of the tool.
- **Re-platform risk you avoid.** The field already proposes DIDs/SSI for inverters, but no productized, DNS/DANE-anchored, one-call-revocable offering exists — and security vendors fold. Whisper is real routable address space (**AS219419**), run by people who ran the internet's regional address registry and operated one of its root DNS servers. Longevity is the cheapest line in any TCO.
- **No shadow costs at renewal.** No per-transaction true-up, no per-seat creep as your OT SOC grows, no data-egress fee. What you forecast in year one is what you sign in year three.

---

## A pricing model can be an attack surface. Ours isn't.

If security is metered, an adversary can run up your bill, and a defender rations their own
hunt. We priced those failure modes out.

> **"If attribution is metered, do my analysts have to ration lookups in the middle of an incident?"**
> Never. The graph is unmetered on the keyed tiers — `identify`, `walk`, `history` and Cypher
> run as hard as the hunt demands. There is no per-query line for an attacker to inflate and
> none for a defender to fear.

> **"Does my bill spike when I'm under attack, or just when my fleet grows?"**
> Neither. The price is per-device, set once, for the term. A telemetry flood, a
> fleet-enumeration campaign, or adding a model line moves your risk — it doesn't move the invoice.

> **"Is the free tier a real capability or a trap that expires into a sales call?"**
> Real, and permanent. Keyless `verify` is anchored at the IANA root — *our own API is not
> in the trust path*, so we couldn't gate it if we wanted to. Verifying a DER's identity is a
> public check; charging for the truth would defeat the point.

---

## The questions procurement always asks

- **What exactly is metered?** Nothing by usage. A flat rate per device, per year — no per-transaction charge, no per-query graph fee, no per-seat licence, no data-egress bill. The only variable is how many devices the program covers.
- **Can I try it without procurement?** Yes — the keyless checks need no account at all. Run `whisper verify --trustless` today; resolve, reverse-resolve and read RDAP for any /128 — no sign-up. A free sign-up (still $0) then adds a handful of identities, so you can bind a few inverters to the `LFDI` they already carry and `dig -x` them. A Pilot then provisions a bounded, time-boxed segment.
- **What happens when my fleet grows?** The per-device rate holds; the total scales linearly and predictably with device count, quoted in writing for the term. No usage true-up, no renewal surprise.
- **Is this on top of my SIEM cost?** It's a feed *into* the SIEM and OT-detection you already run — the Splunk and Microsoft Sentinel connectors ship today — not a replacement and not a second console to staff. It adds no inline OT chokepoint.
- **On-prem or hosted?** Either. The Enterprise tier runs on-prem or in your own tenant, so the graph and per-device logs stay where your regulator needs them — NIS2 / GDPR data residency by construction, at no metered premium.
- **What if I stop?** Identities are DNSSEC/DANE objects you can verify independently, the transparency log is a public append-only record, and evidence exports are open formats (CEF, ECS; STIX and ISAC JSON on the roadmap). No proprietary lock on your own attestations or compliance record.

---

## How it sits next to what you already buy

**Flat depth on top of the stack you already run — it doesn't replace a line, it de-risks the
whole one.** You already pay for a behavioural OT SOC, a SIEM, and a DERMS that consumes the
manufacturer's IEEE 2030.5 certificate, and you should keep them — Whisper is additive to all
three. Where a rigid six-figure OT-module bundle makes you buy packages you don't need and a
per-transaction cloud makes the bill unforecastable, a flat per-device line adds the two
layers no one else owns — attribution across rotating clouds and residential proxies, and
publicly verifiable, revocable identity after auth — without a meter and without a new silo.
It can even DANE-pin the same 2030.5 certificate your CSIP head-end already speaks.

| Pricing model | Forecastable? | Meter spikes under attack? |
|---|---|---|
| Per-API-transaction / usage-metered cloud | hard | yes |
| Rigid multi-module OT bundle (six-figure floor) | partly | n/a — over-scoped |
| Whisper — flat per-device / year | yes | no |

It makes the OT-detection and threat-intel investments you already carry sharper, as a
machine-readable feed — not a thing they compete with. [See the full comparison →](/compare)

---

## One flat number. Every device, covered.

Keyless verify is free forever — start there, no account. When you're ready, a fleet quote is
one flat per-device/year figure you can forecast and defend. No meter, no surprise at renewal.

Secure your fleet → <https://console.whisper.security/sign-up> · [For grid security →](/for-grid-security)

Or run `whisper verify --trustless` right now — it costs nothing.

---

*Whisper for Energy · Identity on the wire for distributed energy resources · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
