Skip to content
Get started

Pricing

Permafrost prices on identity-object count, not log volume. Every new customer starts with a 30-day free trial of full-coverage CIEM, then continues on the metered Professional Edition.

How pricing works

Permafrost prices on identity-object count, not log volume. Every new customer starts with a 30-day free trial of full-coverage CIEM, no card required.

After the trial, coverage continues on the metered Professional Edition: every identity object across all of a customer’s connected tenants, plus every workload surface, API access, and priority support. An administrator can also grant comped access without billing.

Professional Edition

Full coverage

Full coverage for serious least-privilege.

$3.50per human identity / month
$0.50per non-human identity / month

Billed monthly in arrears, exclusive of tax. The 10-Day Rule and group exclusion apply.

All identities
  • All surfaces, all data
  • Hourly sync
  • API access
  • Custom role export (ARM / Bicep / Terraform)
  • Full reports (PDF, CSV)
  • Priority email support
  • 30-day free trial included
Start 30-day trial

No card required. After 30 days, subscribe to keep full coverage.

Enterprise

Volume

Volume coverage with procurement and security review on your terms.

Annual commitment, volume terms, and a single invoice across all of your connected tenants.

Built on the same metered model: $3.50 per human and $0.50 per non-human identity, with volume terms applied to your committed scope. Annual prepay takes 20% off the per-identity rate.

All identities, all tenants
  • Everything in Professional Edition
  • Volume pricing on metered identities
  • Annual commitment and consolidated invoicing
  • Security review, DPA, and procurement support
  • Dedicated onboarding and priority support
  • Single sign-on for operator access
Talk to sales

Volume terms, annual invoicing, and a security review. We'll scope it with you.

How the trial works

The self-serve path to full CIEM coverage for your Microsoft Cloud identities.

  1. Start a 30-day free trial

    Connect a tenant with read-only consent. Full coverage of every human and non-human identity, no card.

  2. Subscribe to keep coverage

    After 30 days, subscribe to keep full coverage. Metered monthly in arrears at the rates above, so you only pay for identities you actually run. Don't subscribe and the account locks; data stays recoverable for 30 days, then is purged.

  3. Or get it comped

    Need it without billing? An admin can grant your account comped access with no subscription required.

What happens after the trial

No card to start, and no surprise at the end. Here is the full lifecycle, start to finish.

  1. Day 1

    Start free

    Connect a tenant with read-only consent. Full coverage of every human and non-human identity, no card.

  2. Day 30

    Subscribe to keep coverage

    The trial ends. Subscribe to continue on metered Professional Edition, or have an admin comp the account. Either keeps coverage live.

  3. Day 30+

    Or the account locks

    If you don't subscribe, the account locks at the trial end and enters a 30-day window. We send a warning 7 days before data is purged. Subscribe any time in the window to unlock instantly.

After the 30-day trial: an unconverted account locks, then its data is purged 30 days later (warning on day 23). Subscribing at any point before purge restores full access.

How are identities counted?

Billing counts human identities (members, guests, named admins) at $3.50 per month and non-human identities (service principals, managed identities, app registrations, agents) at $0.50 per month. Groups are never counted. Microsoft first-party service principals are excluded.

What is the 10-Day Rule?

An identity is billed for a month only if it was enabled on at least 10 calendar days that month — so short-lived or decommissioned identities, enabled fewer than 10 days, are not counted and do not inflate the bill.

What does the trial include?

The 30-day trial unlocks full Professional coverage with no card, up to 500 human and 2,500 non-human identities. After 30 days, subscribe to keep full coverage.

What happens after my trial?

There is no free-forever path. When the 30-day trial ends, the account locks unless you subscribe or an admin comps it. Your data stays recoverable for 30 days, and we send a warning 7 days before it is purged. Subscribe at any point in that window to unlock instantly.

Can I forecast or cap my monthly spend?

Yes. The estimator above projects your monthly cost from your human and non-human identity counts, including a seasonal-swing range. Once you are subscribed, the billing page shows live accrued spend and an end-of-month forecast from your run rate, so there are no surprises before the invoice.

Is there an annual discount?

Yes. An annual prepay commitment takes 20% off the per-identity rate, applied to your committed scope and to annual overage. It is a commitment path, distinct from the default monthly arrears, and is set up through the Enterprise contact flow.

Do you offer enterprise or volume pricing?

Yes. Enterprise covers volume terms on a committed scope, annual commitment with a single consolidated invoice, procurement and PO support, and a security review. Choose Talk to sales on the Enterprise card to scope it. There is no self-serve Enterprise checkout.

How principals are counted

A principal is any identity object in a customer’s connected Azure tenants that holds a role assignment. The billing count rolls up to one number per customer, across the set of tenants the customer has connected.

What gets counted:

  • Users. Members and guests in the directory who hold any role assignment.
  • Service principals. Application service principals provisioned to the directory, counted only when they hold a role assignment.
  • Managed identities. System-assigned and user-assigned managed identities with role assignments.
  • Agent identities. AI agent and copilot identities with role assignments.

What does not get counted:

  • Groups. Groups are containers, not principals. A group never counts toward billing, regardless of how many role assignments or members it holds. Billing counts the human and non-human principals themselves.
  • Microsoft first-party service principals (the built-in directory tenants that ship with Azure).
  • Identity objects that exist in the directory but hold no role assignments anywhere in the connected tenants.
  • Per-tenant doubles — if the same external identity has assignments in two of a customer’s connected tenants, that is two principals because the assignments are independent.

What Professional includes

Professional Edition models every identity object inside the customer’s connected tenants, plus the full surface set: Findings, Roles, PIM, custom-role export, API access, and all workload surfaces. The 30-day trial unlocks the same full coverage with no card; after it ends, subscribe to keep full coverage, or have an administrator grant comped access.

The API exposes findings, identities, per-principal UPR, recommended roles, and connected tenants over a scoped, bearer-auth, read-only REST surface. The full route list, scopes, and rate limits are in the API reference.

The full feature breakdown lives in the grid above. The live marketing page is at /pricing.

Enterprise and volume pricing

Most customers self-serve: start the trial, then continue on the metered Professional Edition. Larger programmes can move to Enterprise, a sales-assisted path for teams that need procurement, a security review, and committed volume terms.

Enterprise builds on the same metered model and adds:

  • Volume terms. Pricing scales down from the $3.50 per human and $0.50 per non-human list rate, applied to a committed scope.
  • Annual commitment. A consolidated annual invoice in place of monthly arrears. Annual prepay takes 20% off the per-identity rate, and the same discount applies to annual overage.
  • Procurement and security review. Purchase-order support, a data-processing agreement, and a security questionnaire review.
  • Dedicated onboarding. Hands-on onboarding and priority support, plus single sign-on for operator access.

Enterprise is a sales motion, not a self-serve checkout, so there is no Stripe path to it. Start the conversation at Talk to sales.

Why pricing on identity objects, not on logs

CIEM measures the gap between permissions granted and permissions used. The unit of work is the identity object, not the log row. Pricing on log volume rewards inflated ingestion and punishes customers who run quiet, well-instrumented tenants. Those are the customers most likely to get value out of a permission-posture tool in the first place. Permafrost prices on the unit it measures.