Simple pricing for serious security.

Packetman says: Packetman here on pricing. The same agent runs on every tier — same threat intelligence, same blocklist enforcement. Tiers buy scale, retention, and analytics. Individual is nine dollars a month for one person, up to three agents. Tribe is nineteen a month for a household, up to ten. Business is three dollars per agent per month with a thirty-three agent minimum — so ninety-nine dollars to start — and no upper cap as you grow. Servers are a different job: a host that accepts connections from the internet faces a constant onslaught and needs server-grade hardening, so a confirmed server adds fifteen dollars a month. Enterprise is custom, from four ninety-nine a month, with SSO, compliance, and a dedicated manager. Annual billing saves twenty percent.

$9/mo for one person. $19/mo for a household. $3/agent/mo for businesses — 33-agent minimum, no upper cap. +$15/server/mo for hosts that run exposed services. Custom Enterprise from $499/mo. 20% off annual.


Choose a tier

Packetman says: The comparison table below shows exactly what each tier includes. The differences aren't in security quality — every tier gets the same blocklist enforcement, the same reputation grading, the same threat intelligence. The differences are in how many agents you can enroll, how far back your history goes, whether you get the fleet analytics layer, and what your support channel looks like. Individual and Tribe get AI in-app support. Business and above get human-backed escalation. Enterprise adds priority routing to the DataStun team. One number worth knowing: the Business tier's seven fleet analytics — SBOM, first-seen radar, vendor map, deviation scoring, patch lag, SaaS license reconciliation, and location-aware network health — typically pay for the subscription on their own just from the SaaS license reconciliation finding.

Same threat-intel quality across every tier. The differences are agent capacity, support level, and integrations.

Simple enough for grandma, admired by the CTO — the same protection for every customer.

Every plan includes a generous 30-day trial — you’re not charged until it ends.

Individual

$9/mo
Annual billing: $7/mo — $84/yr, save 22%

For one person and a device or two

  • Up to 3 agents — hard cap
  • Full blocklist enforcement
  • Real-time public threat intel
  • 3-node Sphere of Trust mesh
  • AI in-app support + community forum

Tribe

$19/mo
Monthly billing: $19/mo — $228/yr total
Annual billing: $15/mo — $180/yr, save $48

For tech-savvy folks covering family + close friends

  • Up to 10 agents, flat fee — hard cap, no per-agent math
  • Everything in Individual
  • Up to 10-node Sphere of Trust mesh
  • AI + human-backed in-app support
  • 30-day history retention
Most popular

Business

$3/agent/mo
Annual billing: $2.40/agent/mo — save 20%
33-agent minimum — $99/mo floor
Monthly billing: $99/mo ($3/agent)
Annual billing: ~$79/mo ($2.40/agent)
No upper cap. Scale example: 100 agents = $300/mo. Estimate yours below.
Servers (auto-detected): +$15/server/mo

For businesses and multi-office teams

  • 33+ agents, no upper limit, billed per actual count
  • Everything in Tribe
  • Server-grade protection — we auto-detect hosts running exposed services and apply hardened server defenses (+$15/server/mo)
  • Per-tenant dashboard URL
  • 12-node meshes, choose peers from your fleet (+1 mesh / 200 agents)
  • AI Governance dashboard (cross-fleet)
  • 7 fleet analytics: SBOM, first-seen radar, vendor map, license reconciliation, deviation scoring, patch lag, location-aware network health
  • AI + human-backed in-app support
  • Commercial-derived threat data
  • Agent rules + custom blocklists

Enterprise

from $499/mo
Annual contract — per-agent rate negotiated
Custom & negotiated
Starting anchor: from $499/mo
Unlimited agents. Moves up from Business by feature category & contract, not an agent-count threshold.

For regulated, large, or sovereignty-driven orgs

  • Unlimited agents, per-agent negotiated
  • Everything in Business
  • 12-node meshes from unlimited agents (+1 mesh / 200 agents)
  • 3 org-only analytics: org-wide executable analysis (outliers, drift, rename, LotL), beaconing detector, data-sovereignty rollup
  • SAML / OIDC SSO, audit, data residency, on-prem options
  • Compliance reports (SOC 2, HIPAA-compatible)
  • Dedicated CSM / SLA + priority escalation

Estimate your Business price

Packetman says: This calculator does the Business-tier math for you. Type how many agents you'll deploy. Business is three dollars per agent per month, with a thirty-three agent minimum — so anything up to thirty-three is ninety-nine dollars. Above that it's just three dollars times your agent count, with no upper limit. Toggle annual to see the twenty-percent-off rate, two dollars forty an agent. Once you pass five hundred agents we hand you to sales for a tailored number rather than printing a big total on a public page — your mesh entitlement and volume terms are worth a conversation.

Business is $3/agent/mo with a 33-agent minimum and no upper cap. Drag the count to your fleet size.

$99/mo
At the 33-agent minimum — $3/agent/mo.
Mesh entitlement: 1 mesh (12-node, selected from your fleet). +1 mesh per 200 paid agents.

Individual ($9/mo, 3 agents) and Tribe ($19/mo, 10 agents) are flat capped buckets — no per-agent math. Enterprise is custom; talk to sales.

For partners

We run partner and affiliate programs for businesses and individuals who bring DataStun to their own customers. If you’re interested, email [email protected] and we’ll send you the details.

Custom & federation contracts

For organizations with regulated environments, data residency requirements, or strategic security partnerships — on top of (or in place of) the standard Enterprise tier.

Custom contract

Custom agent count, dedicated infrastructure available, 24/7 escalation routing, master service agreement, custom feature development for genuinely unique needs.

Custom pricing. Typically multi-year, six-figure annual.

Self-hosted control plane

Run your own ten on AWS, GCP, Azure, DigitalOcean, Vultr, Hetzner, or on-premises. Your data never leaves your infrastructure. Full feature parity with hosted.

Available on request. License fee on top of your tier.

Self-hosted threat intel

Run your own rep — become a threat-intel hub. Mirror our findings, contribute back, or join as a federation peer. For organizations with internal security research teams.

Available on request. Annual license + agent fees.

Federation partnership

Government CERTs, security vendors, and large enterprises can join as federation peers. Bidirectional, equal-rank threat-intel exchange under formal agreement.

By application. Custom partnership agreement.

What’s included at each tier

Same security underneath, different surface area.

| Feature | Individual | Tribe | Business | Enterprise |
| --- | --- | --- | --- | --- |
| Price (monthly) | $9/mo | $19/mo | $3/agent/mo | from $499/mo |
| Price (annual, 20% off) | $7/mo, $84/yr | $15/mo, $180/yr | $2.40/agent/mo, ~$79/mo at the 33-agent floor | annual contract |
| Minimum | - | - | 33 agents ($99/mo floor) | negotiated |
| Server-grade protection | - | - | +$15/server/mo | negotiated |
| Agent capacity | Up to 3 (hard cap) | Up to 10 (hard cap) | 33+, no upper limit | Unlimited, negotiated |
| History retention | 30 days | 30 days | 90 days | 365 days |
| Sphere of Trust mesh | 3-node mesh | Up to 10-node mesh | 12-node mesh, select from your fleet; 1 mesh at the 33-agent minimum; +1 per 200 paid agents | 12-node mesh, select from unlimited agents; meshes scale 1 per 200 paid agents |
| Real-time blocklist enforcement | Yes | Yes | Yes | Yes |
| Public threat intel | Yes | Yes | Yes | Yes |
| Commercial-derived threat data | - | - | Yes | Yes |
| Per-tenant dashboard URL | - | - | Yes | Yes |
| Fleet analytics & insights — intrinsically larger-organization features, billed where the analysis is meaningful | | | | |
| AI Governance dashboard (cross-fleet AI vendor traffic) | - | - | Yes | Yes |
| Fleet SBOM (inventory + usage + data-flow) | - | - | Yes | Yes |
| First-seen radar (new exes, destinations, signers) | - | - | Yes | Yes |
| Vendor concentration map (bytes per cloud / SaaS) | - | - | Yes | Yes |
| Per-machine deviation score (outlier ranking) | - | - | Yes | Yes |
| Patch-lag scoreboard (version distribution vs GA) | - | - | Yes | Yes |
| SaaS license reconciliation (seats vs actual usage) | - | - | Yes | Yes |
| Location-aware network health (TCP RST + retransmission rollup) | - | - | Yes | Yes |
| Org-wide executable analysis (outliers, drift, rename, LotL) | - | - | - | Yes |
| Beaconing detector (cross-machine C2 signature) | - | - | - | Yes |
| Data-sovereignty rollup (bytes by destination country, by tag) | - | - | - | Yes |
| In-app support | AI only + community | AI + human-backed | AI + human-backed | AI + human-backed, priority queue |
| Agent rules + custom blocklists | - | - | Yes | Yes |
| SAML / OIDC SSO | - | - | - | Yes |
| Compliance reports (SOC 2, HIPAA) | - | - | - | Yes |
| Dedicated account manager | - | - | - | Yes |

Packetman says, feature by feature:

  • Server-grade protection: A host that runs services exposed to the internet faces a constant onslaught of scans and exploitation attempts — a far more rigorous, ongoing protection workload than a workstation. We auto-detect servers by their listening services and flag them for you to confirm; a confirmed server adds a flat per-server fee for hardened defenses (kernel-level inbound blocklisting, exposure management, scanner-aware grading, auth-boundary monitoring). Workstations are never charged the server rate.
  • Agent capacity: Individual and Tribe are capped buckets — 3 and 10 are hard ceilings; to grow past them you change tiers. Business and Enterprise scale by agents with no upper limit: Business is simply $3/agent above the 33-agent minimum.
  • Sphere of Trust mesh: A mesh is an everyone-pings-everyone group of agents rendered as the meshmap. Hard cap of 12 nodes per mesh at every tier. Business and Enterprise pick which 12 agents populate each mesh from their full fleet, and earn one additional mesh per 200 paid agents.
  • Real-time blocklist enforcement: Every agent enforces a 20,000+ entry global blocklist at the OS firewall layer (Windows Firewall / iptables / pfctl). Updates within 60 seconds. Source attribution travels with every entry so you can see who flagged the IP.
  • Public threat intel: Curated public threat-intelligence feeds refreshed every 6 hours feed our reputation pipeline; D / F grades land on the global blocklist within minutes of decision. No license required, available to every tier.
  • Commercial-derived threat data: Threat intelligence sourced from licensed commercial feeds (VirusTotal, Recorded Future, others). Broader coverage and earlier signal than public-only. The agent enforcement is identical; the difference is the depth of what gets enforced.
  • Per-tenant dashboard URL: Your tenant gets its own subdomain (yourcompany.tenant.datastun.com) with its own DNS, TLS cert, and isolated dashboard. Cleaner sharing with stakeholders, audit-ready URLs in reports, and cleaner SSO bindings down the road.
  • AI Governance dashboard: Bytes uploaded to each AI vendor (Anthropic, OpenAI, Microsoft Copilot, Cursor, etc.) sliced by application, machine, and day. 50+ providers catalogued. Pure metadata — no DPI, no proxy, no MITM. The volume-and-attribution view of corporate AI adoption.
  • Fleet SBOM: Auto-generated software bill of materials: every distinct executable hash, with version, signer, % of agents running it, how often it actually runs, and which external destinations its data goes to. Answers CVE exposure in seconds; also surfaces install-vs-use gaps and surprising external phone-home behavior.
  • First-seen radar: Daily feed of every executable, destination, or code-signer the fleet has never seen before, ranked by spread velocity. Earliest possible signal for both lateral movement and shadow-IT viral adoption.
  • Vendor concentration map: Stacked bytes-out per cloud / SaaS vendor, sliced by department or location, over time. Single-pane answer to "how dependent are we on each vendor" and "if AWS us-east-1 vanished, what stops?"
  • Per-machine deviation score: Every agent gets a daily score for how unlike the rest of the fleet its destinations and executables look. The top 1% surfaces as "review this machine." Cheap pre-filter for SOC analysts who cannot watch every endpoint.
  • Patch-lag scoreboard: Version-share distribution per common product (Chrome, Firefox, OpenSSL, OpenSSH, Office, Java) vs current GA. "Chrome 110 still on 12 of your 400 machines." Auditor-ready histograms; vulnerability-management feed.
  • SaaS license reconciliation: Per-application unique-machine-per-month counts. "You licensed 50 Adobe seats; 67 distinct machines opened acrobat.exe last month. Top 17 violators →." Same for Office, Slack, Cursor, Figma, Notion. Pays for the tier on its own.
  • Location-aware network health: Per-location TCP retransmission rate (link quality) and TCP RST rate (middlebox misbehavior) ranked vs your fleet baseline. Catches bad VPN gateways, captive portals, MTU black holes, NAT exhaustion. "Tampa office has 14× normal RST rate" is gold for a network-team buyer.
  • Org-wide executable analysis: Saturation, drift, rename detection, executable outliers across the whole fleet. Living-off-the-land malware persists by impersonating known-good binaries; cross-fleet hash anchoring is the cleanest detection. Needs ~50 agents of baseline.
  • Beaconing detector: Cross-machine search for consistent low-bandwidth periodic outbound connections — the network signature most C2 traffic prints. Catches dormant or staged compromises that single-machine EDR misses. Signature of behavior, not signature of binary.
  • Data-sovereignty rollup: Bytes uploaded to each destination country, sliced by department / location tag, over arbitrary time ranges. Filter to "non-EU destinations from EU-tagged agents." GDPR / Schrems II answered with measurement, no DPI. Compliance audience pays for this alone.
  • In-app support: AI in-app support answers first, in tenant context. Tenant admins can run more AI assistance themselves or escalate to a real human at DataStun. No email, no phone tag, no ticket numbers — the full thread lives in your dashboard.
  • Agent rules + custom blocklists: Tenant-scoped blocklist overrides distributed to every agent within 60 seconds. Block a specific destination, IP range, or executable hash for your fleet only — without affecting other tenants. Same enforcement primitive as the global blocklist.
  • SAML / OIDC SSO: Single sign-on via your existing identity provider (Okta, Entra, Google Workspace, Auth0, etc.). Group claim → tenant role mapping; SCIM provisioning so deactivated identity-provider accounts auto-deactivate in DataStun.
  • Compliance reports (SOC 2, HIPAA): Pre-built compliance evidence reports with the dated, signed format auditors expect. Evidence binders for SOC 2 CC6.6 / CC7.2, HIPAA §164.308 access controls, ISO 27001 A.12.4 logging. Saves weeks per audit cycle.
  • Dedicated account manager: A named human at DataStun who knows your tenant, your fleet, and your priorities. Quarterly reviews, roadmap input, and an escalation channel. Not a sales rep — a technical AM who can route a question to the right engineer.

MSSP and affiliate partnerships are in the “For partners” section above.

Fleet analytics — the Business and Enterprise payoff

Every paid business tier gets a deep set of cross-fleet analyses derived from data the agent already collects. Each one becomes meaningful at scale — that’s why they’re bundled with Business and Enterprise, not Individual or Tribe. The first seven start paying off at 10+ agents; the last three need 100+ to be worth the compute.

AI Governance dashboard

Business & Enterprise

Bytes uploaded to each AI vendor — by application, by machine, by day, fleet-wide. 50+ providers catalogued. The volume-and-attribution view of corporate AI adoption, no DPI.

Fleet SBOM

Business & Enterprise

Auto-generated software bill of materials: every executable hash, with version, signer, % of fleet running it, how often it actually runs, and which external destinations its data goes to. Answers CVE exposure in seconds. Also surfaces the install-vs-use gap (“you have 67 Adobe seats but only 12 actually opened the app last month”) and surprising external phone-home behavior on supposedly-internal tools.

First-seen radar

Business & Enterprise

Daily feed of every new (executable, destination, code-signer) the fleet has never seen before, ranked by spread velocity. Earliest signal of both lateral movement and shadow-IT viral adoption.

Vendor concentration map

Business & Enterprise

Stacked-bar of outbound bytes per cloud / SaaS vendor, sliced by department and over time. Single-pane answer to “how dependent are we on each vendor” and “if AWS us-east-1 vanished, what stops?”

Per-machine deviation score

Business & Enterprise

Every agent gets a daily score for how unlike the rest of the fleet its destinations + executables look. The top 1% surfaces as “review this machine.” Cheap pre-filter for SOC analysts.

Patch-lag scoreboard

Business & Enterprise

Version-share distribution across your fleet vs current GA, per common product (Chrome, Firefox, OpenSSL, Java, OpenSSH, Office). “Chrome 110 still on 12 of your 400 machines.” Auditor histogram included.

SaaS license reconciliation

Business & Enterprise

Per-application unique-machine-per-month counts. “You licensed 50 Adobe seats; 67 distinct machines opened acrobat.exe last month.” Same for Office, Slack, Cursor, Figma. Pays for the tier.

Location-aware network health

Business & Enterprise

Per-location TCP retransmission rate (link quality) and TCP RST rate (middlebox misbehavior) ranked vs your fleet’s baseline. Catches bad VPN gateways, captive portals, MTU black holes, NAT exhaustion. “Tampa office has 14× normal RST rate” is a network-team buyer’s dream.

Org-wide executable analysis

Enterprise only

Saturation, drift, rename detection, executable outliers. Living-off-the-land malware persists by impersonating known-good binaries; cross-fleet hash anchoring is the cleanest detection. Needs ~50 agents of baseline.

Beaconing detector

Enterprise only

Cross-machine search for consistent low-bandwidth periodic outbound connections — the network signature most C2 traffic prints. Catches dormant or staged compromises that single-machine EDR misses. Signature of behavior, not signature of binary.
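
The behaviour-based check described above, sketched as an added example (not DataStun's implementation and not code from this page): group connection metadata per (agent, destination), measure how regular the gaps between connections are, keep only small and regular flows, then rank destinations by how many machines beacon to them. The record layout, thresholds, host names and sample data are assumptions constructed for the illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed tuning values for this example only (hypothetical, not product settings).
MIN_EVENTS = 6            # connections needed before periodicity is judged
MAX_JITTER = 0.10         # median absolute deviation of gaps / median gap
MAX_MEDIAN_BYTES = 2048   # "low-bandwidth": small upload per connection


def score_flow(timestamps, byte_counts):
    """Return (period_seconds, jitter_ratio) for a beacon-like flow, else None."""
    if len(timestamps) < MIN_EVENTS:
        return None                       # too few samples to call it periodic
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    period = median(gaps)
    if period <= 0:
        return None                       # burst of simultaneous connections
    # Median absolute deviation tolerates a few missed or delayed check-ins.
    mad = median([abs(g - period) for g in gaps])
    jitter = mad / period
    if jitter > MAX_JITTER:
        return None                       # irregular: looks like human traffic
    if median(byte_counts) > MAX_MEDIAN_BYTES:
        return None                       # regular but bulky: backup, sync, etc.
    return period, round(jitter, 3)


def find_beacons(records):
    """records: iterable of (agent, destination, unix_ts, bytes_out).

    Returns {destination: [(agent, period, jitter), ...]} with destinations
    contacted periodically by the most machines listed first.
    """
    flows = defaultdict(lambda: ([], []))
    for agent, dest, ts, nbytes in records:
        flows[(agent, dest)][0].append(ts)
        flows[(agent, dest)][1].append(nbytes)

    by_dest = defaultdict(list)
    for (agent, dest), (stamps, sizes) in flows.items():
        scored = score_flow(stamps, sizes)
        if scored:
            by_dest[dest].append((agent, scored[0], scored[1]))

    ranked = sorted(by_dest.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {dest: sorted(hits) for dest, hits in ranked}


def sample_records():
    """Constructed sample metadata using RFC 5737 documentation addresses."""
    base = 1_700_000_000
    drift = [0, 3, -4, 2, -1, 5, -3, 1, -2, 4]   # seconds of check-in jitter
    recs = []
    for i, d in enumerate(drift):
        # Two hosts checking in to the same destination about every 5 minutes.
        recs.append(("host-a", "203.0.113.50", base + 300 * i + d, 400))
        recs.append(("host-b", "203.0.113.50", base + 97 + 300 * i, 380))
    for t in [0, 12, 15, 240, 900, 905, 2000, 2600, 2610, 4000]:
        # Irregular, larger transfers: ordinary interactive use.
        recs.append(("host-a", "198.51.100.7", base + t, 50_000))
    for i in range(8):
        # Perfectly periodic but high-volume: an hourly backup job.
        recs.append(("host-c", "192.0.2.10", base + 3600 * i, 5_000_000))
    return recs


if __name__ == "__main__":
    for dest, hits in find_beacons(sample_records()).items():
        print(dest, hits)
```

Only the destination contacted on a steady five-minute cadence by two hosts is reported; the hourly backup is periodic but fails the low-bandwidth test, and the interactive traffic fails the regularity test.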

Data-sovereignty rollup

Enterprise only

Bytes uploaded to each destination country, sliced by department / location tag, over arbitrary time ranges. Filter to “non-EU destinations from EU-tagged agents.” GDPR / Schrems II answered with measurement, no DPI, no content access. Compliance officers will pay for this alone.

Each of these is derivable from data the agent already collects — no new collection, no privacy regression. They’re the analyses that only become valuable when there’s a fleet to analyze, which is why they’re bundled with the tiers that have one.

AI- and human-backed, in-app support

Every DataStun tenant gets the same model: an AI that knows your fleet answers first, your administrator owns the conversation, and the DataStun team backs it all up when a case needs us. No email, no phone tag, no ticket numbers — the full thread (AI replies, admin notes, our response) lives in your dashboard.

1. AI answers first — immediately

The dashboard’s chat surface understands your tenant — your devices, your destinations, your blocklist activity, your AI Governance numbers — and answers in context. The first reply lands in seconds, not in a ticket queue. Most questions stop here.

2. Your admin owns the case

If the AI’s answer didn’t land, one click forwards the full conversation (with all the context the AI saw) to your tenant administrator. They can run additional AI assistance themselves or push it to the DataStun team. For Tribe tier the administrator is the household sponsor; for Business and Enterprise it’s your tenant admin.

3. Humans at DataStun back you up

When the administrator decides a case needs us, they forward it as an escalated request from inside the dashboard. A real human at DataStun reads it, replies in the same thread, and the admin closes the loop with the original user. Enterprise and MSSP tiers receive priority routing on these handoffs.

AI handles the volume, humans handle the judgment calls. Every thread is auditable, searchable, and resumable from the dashboard later. Individual tier ends at step 1 (AI plus the community forum); paid tiers carry through to a human at DataStun.

Per-agent add-ons

Capabilities sold à la carte so you pay only for what you use. All three are available on Business tier and above.

Hop Starvation

What it does: TTL-based packet lifetime enforcement. Cap the travel distance of packets to any destination so they die before they can reach the internet — distributed across every endpoint and gateway, no middlebox, no single point of failure.

Why it’s worth paying for: Stops lateral movement, data exfiltration, and nation-state reach at the packet layer. Your Oracle database can talk to its local switch and nothing beyond.

Per agent, per month. Pro-rated on enable/disable. Gateway pricing (UCG, MikroTik, Linux routers) available separately.

$10 / agent / month

Speed Test

What it does: N² network performance testing across your fleet — latency, throughput, jitter, packet loss, and traceroute path, each direction, between every pair of agents. 500 agents = 124,750 measurement pairs.

Why it’s worth paying for: Answers “why is the network slow?” with real measurements instead of a shrug. Catches asymmetric routing, VPN under-performance, and ISP shortfalls with evidence you can forward to your vendor.

Per agent, per month. Scheduled baselines + on-demand. Pro-rated on enable/disable.

$5 / agent / month

Advanced Packet Diagnostics (APD)

What it does: On-demand packet capture from your agents — including both ends of a mesh test — with a per-direction IO graph, TCP expert analysis (retransmissions, dup-ACKs, out-of-order), an in-tenant AI diagnosis, and a downloadable .pcapng you can open in Wireshark.

Nothing to install on your endpoints. The agent captures with what’s already on the device — no Wireshark, no Npcap, no capture drivers pushed to your machines. The capture is brief, scoped to the one test, and removed from the device after upload; all decoding happens server-side inside your tenant.

Why it’s worth paying for: The evidence grade that used to require a network engineer with a tap, delivered in minutes from wherever your agent is. Pay per incident — no subscription.

One credit per run. Credits never expire. Failed or canceled runs auto-refund.

$25 / credit

Frequently asked questions

Common questions about pricing and what fits your situation.

What counts as an “agent”?

Each device running the DataStun agent — Windows, macOS, or Linux. One install on one machine = one agent. Reinstalling on the same machine doesn’t count as a new agent. Individual covers up to 3 devices and Tribe up to 10; Business is billed at $3/agent/month (33-agent minimum, no upper cap) based on actual enrolled count.

How does per-agent pricing work?

You’re billed for the actual number of agents enrolled at the end of each billing period. Add an agent mid-month, you’re pro-rated for the partial period. Remove an agent, you stop being billed for it on the next cycle. No surprise overages, no minimum lock-in for the Business tier.

Monthly vs annual — what’s the difference?

Annual billing is 20% off the per-agent rate ($4.80/agent/month equivalent vs $6/month). You pay 12 months upfront and get 12 months of service. Switch from monthly to annual at any time and the discount applies on the next renewal.

Why does Enterprise start at 100 agents?

Enterprise-tier features (SAML / OIDC SSO, compliance reports, a dedicated account manager, priority routing on the DataStun escalation queue) are operationally expensive to deliver and only make sense at scale. The 100-agent floor is the threshold where the bundle is economically rational for both sides. Below 100 agents the Business tier gives you the same security and threat data without the enterprise overhead; above 100, you simply pay per actual agent count — no separate platform fee.

What if I exceed my Business capacity?

You’ll see a dashboard notification as you approach 100 agents and a path to upgrade to Enterprise. Existing agents continue working; new enrollments above 100 are temporarily quarantined (still heartbeating, but not counted toward tier-gated features) until you upgrade. We never silently cap your security.

Can I switch tiers later?

Yes, in either direction. Upgrades are immediate; downgrades take effect at the end of your current billing period. Switching tiers never requires re-enrollment of agents — your tenant_id is stable across tier changes.

What does “commercial-derived threat data” mean?

Threat intelligence sourced from commercial feeds (VirusTotal Enterprise, Recorded Future, etc.) that we license and derive blocklist + grading data from. Business and above tiers receive the derived data; Individual uses public threat sources only. Quality of agent enforcement is the same; commercial-derived data is broader in coverage.

How does the MSSP tier differ from buying Business tiers per customer?

MSSP gives you a single billing relationship across all your managed customers, wholesale per-agent pricing (33-50% below direct rate), a cross-customer aggregate view for your operators, and white-label dashboards included. The math wins from the first customer once you’re managing more than ~10 agents at wholesale; from there, the volume tiers ($4 → $3.50 → $3) reward growth.

Why is MSSP pricing lower than direct?

Three reasons: you absorb tier-1 support that we’d otherwise staff for; you commit volume by bringing N customers; and you handle onboarding and configuration. The wholesale rate reflects the work you’re doing on our behalf. It’s the same model CrowdStrike, SentinelOne, Sophos, and Bitdefender use for their MSSP partners.

How do MSSP volume tiers work?

Pricing applies to your total agent count across all your managed customers, not per-customer. So 5 customers at 30 agents each = 150 total agents, billed at the 100-500 tier ($3.50/agent/mo = $525/mo). Cross the next threshold and the per-agent rate steps down for all your agents going forward, not just the marginal ones.

What’s the difference between self-hosted ten and self-hosted rep?

Self-hosted ten means your tenant control plane (your dashboard, your data, your agents’ home) runs on your infrastructure. Self-hosted rep means you operate your own threat-intelligence backend that federates with ours. Most customers who self-host pick ten for data residency reasons. Self-hosted rep is for organizations with internal threat-research teams. Both are available on request.

Do you offer non-profit or educational discounts?

Yes — we offer 50% off Business and Enterprise tiers for registered non-profits, public schools, and accredited universities. Reach out for the verification process.

What if my needs don’t fit any of these tiers?

Get in touch. The Enterprise tier exists precisely for situations that don’t fit the standard buckets. If you have unusual scale, regulated requirements, or strategic security partnership ambitions, we’ll build the right arrangement.

Do you ever read packet contents?

No. DataStun captures only connection metadata — IP addresses, domain names, ports, protocols, and byte counts. The contents of your communications are never inspected, stored, or disclosed, even in Advanced Packet Diagnostics (which captures headers only by default).

Ready to start?

Three agents on the Individual tier, with a generous 30-day trial — no charge until it ends. Or talk to us about what your team needs.

Partner & affiliate programs available — email [email protected].