Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Licensing

Rockfish NDR uses Ed25519-signed license files for offline-verifiable feature gating.

Tiers

TierEvents/minSegmentsIP RepAnomaly/Behavioral/HuntMCP/ChatScope
Free10,00011 sensor
Basic25,0001Yes1 sensor
Professional100,0008YesYes1 sensor
EnterpriseUnlimitedUnlimitedYesYesYesSite (unlimited sensors)

See License Tiers for the full feature matrix.

45-Day Trial

There are two try-before-you-buy windows, both 45 days:

  • No license file — the CLI runs at the Free tier but auto-bumps to Basic features for the first 45 days from its build date, then settles back to Free.
  • Any issued license — bumped to Professional features for the first 45 days from issued_at (the trial caps at Professional; Enterprise features remain paid-only, and an Enterprise license is never down-ranked). After 45 days the license settles to its purchased tier.

The NDR engine re-checks the license once per day.

Purchasing

Licenses are purchased through the Rockfish Portal. Free, Basic, and Professional licenses each cover one Suricata instance; multiple sensors require multiple licenses. Enterprise is a site license that covers an unlimited number of sensors at a single site.

Installation

scp rockfish-license.json root@sensor:/opt/rockfish/etc/rockfish_license.json
rockfish occam --license /opt/rockfish/etc/rockfish_license.json

No License

Running without a license defaults to the Free tier (10K events/min, core panels, OT decoders, GeoIP, Parquet to S3 export, reports), with the 45-day Basic trial described above.

Expiry Reminders

Licenses are issued on an annual (per-year) basis with a 30-day grace period past expires_at. Email reminders are sent at 30, 7, 1, and 0 days before expiry. After expiry and the grace window, the engine falls back to the Free tier.

Tier Details

Free

Available without a license file:

  • Core panels, OT protocol decoders, S3 backhaul
  • GeoIP enrichment + world map
  • NIST PQC compliance, Encrypted Traffic Analytics, Performance lens
  • HTML reports and full documentation

Basic

  • Everything in Free
  • IP reputation scoring (AbuseIPDB)

Professional

  • Everything in Basic
  • Anomaly (iForest/HBOS), Behavioral (SIGMA + OCCAM), Hunt detection
  • Asset Inventory page, OT Protocol Traffic panel
  • Per-segment sub-reports, Parquet signing, webhook publishing

Enterprise

  • Everything in Professional
  • Detection swimlane + topology graph, AI Assessment
  • MCP + Chat, custom theme + logo, MQTT/Kafka, external threat intel

Deployment

  • Runs on your VPC or on-premise
  • No telemetry or phone home
  • Fully air-gap capable
  • Ed25519-signed licenses with provenance metadata included in every Parquet file

License File

Licenses are JSON files with an Ed25519 signature:

{
  "id": "rockfish_acme-corp-enterprise_Abc123",
  "tier": "enterprise",
  "customer_name": "Acme Corp",
  "customer_email": "[email protected]",
  "max_events_per_min": null,
  "issued_at": "2026-01-01T00:00:00Z",
  "expires_at": "2027-01-01T00:00:00Z",
  "signature": "base64-encoded-ed25519-signature"
}

Configuration

Specify the license file on the command line or in YAML config:

# CLI argument
rockfish --license /etc/rockfish/license.json occam

# Or in rockfish.yaml
license: /etc/rockfish/license.json

Verify License

# Show license information with rockfish config
rockfish --license /etc/rockfish/license.json config

Next Steps