Licensing
Rockfish NDR uses Ed25519-signed license files for offline-verifiable feature gating.
Tiers
| Tier | Events/min | Segments | IP Rep | Anomaly/Behavioral/Hunt | MCP/Chat | Scope |
|---|---|---|---|---|---|---|
| Free | 10,000 | 1 | — | — | — | 1 sensor |
| Basic | 25,000 | 1 | Yes | — | — | 1 sensor |
| Professional | 100,000 | 8 | Yes | Yes | — | 1 sensor |
| Enterprise | Unlimited | Unlimited | Yes | Yes | Yes | Site (unlimited sensors) |
See License Tiers for the full feature matrix.
45-Day Trial
There are two try-before-you-buy windows, both 45 days:
- No license file — the CLI runs at the Free tier but auto-bumps to Basic features for the first 45 days from its build date, then settles back to Free.
- Any issued license — bumped to Professional features for the first
45 days from
issued_at(the trial caps at Professional; Enterprise features remain paid-only, and an Enterprise license is never down-ranked). After 45 days the license settles to its purchased tier.
The NDR engine re-checks the license once per day.
Purchasing
Licenses are purchased through the Rockfish Portal. Free, Basic, and Professional licenses each cover one Suricata instance; multiple sensors require multiple licenses. Enterprise is a site license that covers an unlimited number of sensors at a single site.
Installation
scp rockfish-license.json root@sensor:/opt/rockfish/etc/rockfish_license.json
rockfish occam --license /opt/rockfish/etc/rockfish_license.json
No License
Running without a license defaults to the Free tier (10K events/min, core panels, OT decoders, GeoIP, Parquet to S3 export, reports), with the 45-day Basic trial described above.
Expiry Reminders
Licenses are issued on an annual (per-year) basis with a 30-day grace
period past expires_at. Email reminders are sent at 30, 7, 1, and 0 days
before expiry. After expiry and the grace window, the engine falls back to
the Free tier.
Tier Details
Free
Available without a license file:
- Core panels, OT protocol decoders, S3 backhaul
- GeoIP enrichment + world map
- NIST PQC compliance, Encrypted Traffic Analytics, Performance lens
- HTML reports and full documentation
Basic
- Everything in Free
- IP reputation scoring (AbuseIPDB)
Professional
- Everything in Basic
- Anomaly (iForest/HBOS), Behavioral (SIGMA + OCCAM), Hunt detection
- Asset Inventory page, OT Protocol Traffic panel
- Per-segment sub-reports, Parquet signing, webhook publishing
Enterprise
- Everything in Professional
- Detection swimlane + topology graph, AI Assessment
- MCP + Chat, custom theme + logo, MQTT/Kafka, external threat intel
Deployment
- Runs on your VPC or on-premise
- No telemetry or phone home
- Fully air-gap capable
- Ed25519-signed licenses with provenance metadata included in every Parquet file
License File
Licenses are JSON files with an Ed25519 signature:
{
"id": "rockfish_acme-corp-enterprise_Abc123",
"tier": "enterprise",
"customer_name": "Acme Corp",
"customer_email": "[email protected]",
"max_events_per_min": null,
"issued_at": "2026-01-01T00:00:00Z",
"expires_at": "2027-01-01T00:00:00Z",
"signature": "base64-encoded-ed25519-signature"
}
Configuration
Specify the license file on the command line or in YAML config:
# CLI argument
rockfish --license /etc/rockfish/license.json occam
# Or in rockfish.yaml
license: /etc/rockfish/license.json
Verify License
# Show license information with rockfish config
rockfish --license /etc/rockfish/license.json config
Next Steps
- License Tiers - Detailed feature matrix