Licensing
Rockfish NDR uses Ed25519-signed licenses with tier-based feature restrictions. Licenses are perpetual on a per site basis with 12 months of software maintenance included.
License Tiers
| Tier | Events/min | Price |
|---|---|---|
| Basic | 10,000 | Free |
| Professional | 50,000 | $99 |
| Enterprise | Unlimited | $999 |
Basic (Free)
Available without a license file:
- Ingest + Parquet storage
- GeoIP enrichment
- HTML reports
- S3 cloud upload
- Full documentation
Professional ($99)
- Everything in Basic
- IP reputation scoring
- Basic hunt algorithms
- MCP server integration
- Priority email support
Enterprise ($999)
- Everything in Professional
- ML anomaly detection
- Threat Intelligence support
- Workflow integration support
- Dedicated support
Deployment
- Runs on your VPC or on-premise
- No telemetry or phone home
- Fully air-gap capable
- Ed25519-signed licenses with provenance metadata included in every Parquet file
License File
Licenses are JSON files with an Ed25519 signature:
{
"id": "rockfish_acme-corp-enterprise_Abc123",
"tier": "enterprise",
"customer_name": "Acme Corp",
"customer_email": "[email protected]",
"max_events_per_min": null,
"issued_at": "2026-01-01T00:00:00Z",
"expires_at": "2027-01-01T00:00:00Z",
"signature": "base64-encoded-ed25519-signature"
}
Configuration
Specify the license file on the command line or in YAML config:
# CLI argument
rockfish --license /etc/rockfish/license.json ingest -i eve.json
# Or in rockfish.yaml
license: /etc/rockfish/license.json
Verify License
# Show license information with rockfish config
rockfish --license /etc/rockfish/license.json config
Next Steps
- License Tiers - Detailed feature matrix