Licensing
Rockfish NDR uses Ed25519-signed licenses with tier-based feature restrictions.
License Tiers
| Tier | Flows/min | GeoIP | IP Reputation | Hunt | Alert | Demo | MCP |
|---|---|---|---|---|---|---|---|
| Community | 40,000 | — | — | — | Yes | Yes | Yes |
| Standard | 100,000 | Yes | Yes | — | Yes | Yes | Yes |
| Enterprise | Unlimited | Yes | Yes | Yes | Yes | Yes | Yes |
All tiers include:
- Full ingest pipeline (all event types)
- Static HTML report generation
- Demo mode with synthetic data
- MCP query server
- Alert publishing (MQTT/Kafka)
- Data retention management
License File
Licenses are JSON files with an Ed25519 signature:
{
"id": "rockfish_acme-corp-enterprise_Abc123",
"tier": "enterprise",
"customer_name": "Acme Corp",
"customer_email": "[email protected]",
"max_flows_per_min": null,
"issued_at": "2026-01-01T00:00:00Z",
"expires_at": "2027-01-01T00:00:00Z",
"signature": "base64-encoded-ed25519-signature"
}
Configuration
Specify the license file on the command line or in YAML config:
# CLI argument
rockfish --license /etc/rockfish/license.json ingest -i eve.json
# Or in rockfish.yaml
license: /etc/rockfish/license.json
Verify License
# Show license information with rockfish config
rockfish --license /etc/rockfish/license.json config
Community Tier
When no license file is provided, Rockfish operates in Community tier:
- Flow rate limited to 40,000 flows/min
- GeoIP and IP reputation enrichment disabled
- Hunt engine disabled
- All other features fully functional
Next Steps
- License Tiers - Detailed feature matrix