License Tiers
Detailed feature matrix for Rockfish NDR license tiers. The methods on
NdrTier in ndr/rockfish/crates/rockfish-types/src/license.rs are the
source of truth; this page mirrors them.
Free, Basic, and Professional are sold per sensor (one license per Suricata instance). Enterprise is a site license covering an unlimited number of sensors at a single site. See the Rockfish Portal for current pricing.
Tier Comparison
| Feature | Free | Basic | Professional | Enterprise |
|---|---|---|---|---|
| Events/min | 10,000 | 25,000 | 100,000 | Unlimited |
| Segments | 1 | 1 | 8 | Unlimited |
| Licensing scope | 1 sensor | 1 sensor | 1 sensor | Site (unlimited sensors) |
| Core panels (Overview, Alerts, Applications, DNS, TLS, Hosts, Flows) | Yes | Yes | Yes | Yes |
| OT protocol decoders | Yes | Yes | Yes | Yes |
| S3 backhaul / Parquet export | Yes | Yes | Yes | Yes |
| GeoIP country/ASN enrichment + world map | Yes | Yes | Yes | Yes |
| NIST PQC compliance (TLS) | Yes | Yes | Yes | Yes |
| Encrypted Traffic Analytics (ETA) | Yes | Yes | Yes | Yes |
| Performance lens (odometry) | Yes | Yes | Yes | Yes |
| Transport performance (per-flow) | Yes | Yes | Yes | Yes |
| IP reputation (AbuseIPDB) | — | Yes | Yes | Yes |
| Anomaly lens (iForest / HBOS) | — | — | Yes | Yes |
| Behavioral lens (SIGMA tactics + OCCAM HMM) | — | — | Yes | Yes |
| Hunt detection (beaconing, lateral, fanout, portscan, community) | — | — | Yes | Yes |
| Asset Inventory page | — | — | Yes | Yes |
| OT Protocol Traffic panel | — | — | Yes | Yes |
| Per-segment sub-reports | — | — | Yes | Yes |
| Parquet signing | — | — | Yes | Yes |
| Webhook publishing | — | — | Yes | Yes |
| Detection swimlane + topology graph | — | — | — | Yes |
| AI Assessment | — | — | — | Yes |
| MCP + Chat | — | — | — | Yes |
| Custom theme + logo (white-labelling) | — | — | — | Yes |
| MQTT / Kafka | — | — | — | Yes |
| External threat-intel feeds | — | — | — | Yes |
Several capabilities (PQC, ETA, Performance, Transport performance) are tier-permissive but data-strict: available at every tier, but the corresponding page or section only renders when the relevant Suricata plugin or processor has actually produced Parquet on disk.
The unified Detections page (combined-risk table + co-firing swimlane) is suppressed when fewer than two detection lenses are active, since it degrades to a worse Alerts view.
Free
The default when no license file is present. Provides core NDR functionality at 10,000 events/min over a single segment, one sensor:
- Core panels, OT protocol decoders, S3 backhaul
- GeoIP country/ASN enrichment + world map
- NIST PQC compliance, Encrypted Traffic Analytics
- Performance lens and per-flow Transport performance
The CLI auto-bumps Free to Basic for the first 45 days from its build date as a try-before-you-buy window.
Limit: 10,000 events per minute, 1 segment, 1 sensor.
Basic
Everything in Free, plus:
- IP reputation scoring (AbuseIPDB)
Limit: 25,000 events per minute, 1 segment, 1 sensor.
Professional
Adds detection intelligence:
- Everything in Basic
- Anomaly lens (iForest / HBOS)
- Behavioral lens (SIGMA tactic rules + OCCAM HMM sequence predictor)
- Hunt detection (beaconing, lateral movement, fanout, portscan, community)
- Asset Inventory page and the OT Protocol Traffic panel
- Per-segment sub-reports, Parquet signing, webhook publishing
Limit: 100,000 events per minute, up to 8 segments, 1 sensor.
Enterprise
Full NDR capability as a single-site license covering unlimited sensors:
- Everything in Professional
- Detection swimlane + network topology graph
- AI Assessment (LLM-generated executive summary)
- MCP server + in-report Chat
- Custom theme + logo, MQTT/Kafka, external threat-intel feeds
No event-rate or segment limit. Unlimited sensors at a single site.
License File Format
{
"id": "rockfish_acme-corp-enterprise_Abc123",
"tier": "enterprise",
"customer_name": "Acme Corp",
"customer_email": "[email protected]",
"max_events_per_min": null,
"issued_at": "2026-01-01T00:00:00Z",
"expires_at": "2027-01-01T00:00:00Z",
"signature": "base64-encoded-ed25519-signature"
}
Licenses are verified using Ed25519 digital signatures with a public key embedded in the binary. License provenance metadata is included in every Parquet file.
Deployment Model
- Annual (per-year) licenses with a 30-day grace period past
expires_at; software maintenance included for the license term - Per-sensor for Free / Basic / Professional; site license for Enterprise
- Runs on your VPC or on-premise
- No telemetry or phone home
- Fully air-gap capable