
Pricing

Permafrost prices on identity-object count, not log volume. Community Edition covers the privileged set forever at no charge. Professional Edition unlocks every identity and every surface — start with a 90-day free trial.

Two editions

Permafrost ships two editions so the choice is clear: privileged-only coverage at no cost, or full-coverage CIEM on a subscription.

Community Edition covers the privileged set of identities forever at no charge. Professional Edition extends coverage to every identity object across all of a customer’s connected tenants, plus every workload surface, API access, and priority support. A 90-day free trial of Professional Edition is available to every new customer.

Community Edition

Free

Privileged-only insight, free forever.

$0 forever
Unlimited (privileged identities only)
  • Dashboard, Identities, Findings, Roles, PIM
  • Privileged identities only
  • Daily sync
  • Connect any number of tenants
  • No credit card required
  • Community email support

Professional Edition

Full coverage

Full coverage for serious least-privilege.

Pricing details coming soon. Start with a 90-day free trial — no commitment during the trial period.

All identities
  • All surfaces, all data
  • Hourly sync
  • API access
  • Custom role export (ARM / Terraform)
  • Full reports (PDF, CSV)
  • Priority email support
  • 90-day free trial included

One-time per customer. After 90 days, your account reverts to Community Edition unless you subscribe.

How are principals counted?

Principals are users, service principals, managed identities, agent identities, and groups that have role assignments in your connected tenants.

What does Community Edition include?

Community Edition covers privileged identities only — users and service principals with direct or inherited privileged role assignments. Dashboard, Findings, Roles, and PIM surfaces are all included, free forever.

What does Professional Edition include?

Professional Edition unlocks every identity type across all workload surfaces — Intune, Exchange, Purview, Defender, SharePoint, Teams, and more. Hourly sync, API access, full reports, and priority support included.

Can I extend my trial?

Yes — reach out from the in-app Settings page and we’ll review case-by-case.

How principals are counted

A principal is any identity object in a customer’s connected Azure tenants that holds a role assignment. The billing count rolls up to one number per customer, across the set of tenants the customer has connected.

What gets counted:

  • Users. Members and guests in the directory who hold any role assignment.
  • Service principals. Application service principals provisioned to the directory, counted only when they hold a role assignment.
  • Managed identities. System-assigned and user-assigned managed identities with role assignments.
  • Agent identities. AI agent and copilot identities with role assignments.
  • Groups with role assignments. Counted as one principal each, regardless of group membership size.

What does not get counted:

  • Microsoft first-party service principals (the built-in directory tenants that ship with Azure).
  • Identity objects that exist in the directory but hold no role assignments anywhere in the connected tenants.
  • Per-tenant doubles — if the same external identity has assignments in two of a customer’s connected tenants, that is two principals because the assignments are independent.

What changes between editions

Community Edition is privileged-only. Permafrost models the privileged set of identities inside the customer’s connected tenants and stops there. Professional Edition extends coverage to every identity object in those connected tenants, plus the full surface set (Findings, Roles, PIM, custom-role export, API access, and all workload surfaces).

The full per-edition feature breakdown lives in the grid above. The live marketing page is at /pricing.

Why pricing on identity objects, not on logs

CIEM measures the gap between permissions granted and permissions used. The unit of work is the identity object, not the log row. Pricing on log volume rewards inflated ingestion and punishes customers who run quiet, well-instrumented tenants. Those are the customers most likely to get value out of a permission-posture tool in the first place. Permafrost prices on the unit it measures.