Licensing
Rockfish NDR uses Ed25519-signed license files for offline-verifiable feature gating.
Tiers
| Tier | Events/min | GeoIP | IP Rep | Hunt | MCP | SIGMA |
|---|---|---|---|---|---|---|
| Basic | 25,000 | Yes | — | — | — | — |
| Professional | 100,000 | Yes | Yes | — | Yes | — |
| Enterprise | Unlimited | Yes | Yes | Yes | Yes | Yes |
45-Day Enterprise Trial
Every license includes 45 days of Enterprise features from the issue date. After 45 days, the license settles to its purchased tier. The NDR engine re-checks the license once per day.
Purchasing
Licenses are purchased through the Rockfish Portal. Each license is valid for one Suricata instance. Multiple sensors require multiple licenses.
Installation
scp rockfish-license.json root@sensor:/opt/rockfish/etc/rockfish_license.json
rockfish sigma --license /opt/rockfish/etc/rockfish_license.json
No License
Running without a license defaults to Basic tier (25K events/min, GeoIP, Parquet to S3 export, reports).
Expiry Reminders
Email reminders are sent at 30, 7, 1, and 0 days before expiry. After expiry, the engine falls back to Basic tier. Licenses are perpetual on a per site basis with 12 months of software maintenance included.
License Tiers
| Tier | Events/min | Price |
|---|---|---|
| Basic | 25,000 | Free |
| Professional | 100,000 | $99 |
| Enterprise | Unlimited | $999 |
Basic (Free)
Available without a license file:
- Ingest + Parquet to S3 export
- GeoIP enrichment
- HTML reports
- Full documentation
Professional ($99)
- Everything in Basic
- IP reputation scoring
- Basic hunt algorithms
- MCP server integration
- Priority email support
Enterprise ($999)
- Everything in Professional
- ML anomaly detection
- Threat Intelligence support
- Workflow integration support
- Dedicated support
Deployment
- Runs on your VPC or on-premise
- No telemetry or phone home
- Fully air-gap capable
- Ed25519-signed licenses with provenance metadata included in every Parquet file
License File
Licenses are JSON files with an Ed25519 signature:
{
"id": "rockfish_acme-corp-enterprise_Abc123",
"tier": "enterprise",
"customer_name": "Acme Corp",
"customer_email": "[email protected]",
"max_events_per_min": null,
"issued_at": "2026-01-01T00:00:00Z",
"expires_at": "2027-01-01T00:00:00Z",
"signature": "base64-encoded-ed25519-signature"
}
Configuration
Specify the license file on the command line or in YAML config:
# CLI argument
rockfish --license /etc/rockfish/license.json sigma
# Or in rockfish.yaml
license: /etc/rockfish/license.json
Verify License
# Show license information with rockfish config
rockfish --license /etc/rockfish/license.json config
Next Steps
- License Tiers - Detailed feature matrix