License Tiers
Detailed feature matrix for Rockfish NDR license tiers.
Tier Comparison
| Feature | Community | Standard | Enterprise |
|---|---|---|---|
| Flow Rate | 40,000/min | 100,000/min | Unlimited |
| Ingest | All event types | All event types | All event types |
| Report | Yes | Yes | Yes |
| Demo Mode | Yes | Yes | Yes |
| MCP Server | Yes | Yes | Yes |
| Chat Server | Yes | Yes | Yes |
| Alert (MQTT/Kafka) | Yes | Yes | Yes |
| HTTP Report Server | Yes | Yes | Yes |
| Data Retention (Prune) | Yes | Yes | Yes |
| GeoIP Enrichment | — | Yes | Yes |
| IP Reputation | — | Yes | Yes |
| Hunt Engine | — | — | Yes |
| Anomaly Detection | — | — | Yes |
| Hunt Findings in Report | — | — | Yes |
Community Tier
Available without a license file. Provides core NDR functionality:
- Ingest all Suricata event types to Parquet
- Generate HTML reports (without enrichment overlays)
- MCP server for AI-powered queries
- Alert publishing to MQTT/Kafka
- Demo mode with synthetic data
- Data retention management
Limitation: 40,000 flows per minute.
Standard Tier
Adds enrichment intelligence:
- Everything in Community
- MaxMind GeoIP lookups (country, city, ASN)
- AbuseIPDB IP reputation scoring
- Geographic overlays in reports
- Reputation-based threat flagging
Limit: 100,000 flows per minute.
Enterprise Tier
Full NDR capability:
- Everything in Standard
- Graph-based behavioral threat hunting
- HBOS and Isolation Forest anomaly scoring
- Hunt findings integrated into reports
- 10 detection types (beaconing, lateral movement, C2 fanout, etc.)
- Continuous hunt scheduling
No flow rate limit.
License File Format
```json
{
  "id": "rockfish_acme-corp-enterprise_Abc123",
  "tier": "enterprise",
  "customer_name": "Acme Corp",
  "customer_email": "[email protected]",
  "max_flows_per_min": null,
  "issued_at": "2026-01-01T00:00:00Z",
  "expires_at": "2027-01-01T00:00:00Z",
  "signature": "base64-encoded-ed25519-signature"
}
```
Licenses are verified using Ed25519 digital signatures with a public key embedded in the binary.
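
The verification step described above, as an added Go example that is not Rockfish's own code: the signature is checked before any field is trusted, then the validity window. The page does not say which bytes are signed, so the `payload` encoding, the `Sign` helper (issuer side, for minting constructed test licenses) and all function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

type License struct { // mirrors the fields of the license file shown above
	ID             string    `json:"id"`
	Tier           string    `json:"tier"`
	CustomerName   string    `json:"customer_name"`
	CustomerEmail  string    `json:"customer_email"`
	MaxFlowsPerMin *uint64   `json:"max_flows_per_min"`
	IssuedAt       time.Time `json:"issued_at"`
	ExpiresAt      time.Time `json:"expires_at"`
	Signature      string    `json:"signature"`
}

// payload builds the ASSUMED signed message: the license re-encoded with an empty signature.
func payload(l License) []byte {
	l.Signature = ""
	b, _ := json.Marshal(l)
	return b
}

// Sign is the issuer side, included only to mint constructed licenses for testing.
func Sign(l License, priv ed25519.PrivateKey) []byte {
	l.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, payload(l)))
	raw, _ := json.Marshal(l)
	return raw
}

// VerifyLicense checks the signature before trusting any field, then the validity window.
func VerifyLicense(raw []byte, pub ed25519.PublicKey, now time.Time) (*License, error) {
	var l License
	if err := json.Unmarshal(raw, &l); err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(l.Signature)
	if err != nil || !ed25519.Verify(pub, payload(l), sig) {
		return nil, errors.New("invalid signature")
	}
	if now.Before(l.IssuedAt) || !now.Before(l.ExpiresAt) {
		return nil, errors.New("outside validity window")
	}
	return &l, nil
}
```

Because the signed payload covers `tier`, `max_flows_per_min` and `expires_at`, editing any of them in the file makes `VerifyLicense` return an error.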