Free
For solo learners.
$0
Free forever
- 5 CVE / week (web console only)
- 10-CVE bulk CSV (sync)
- Telegram channel gate required
- 1 seat
- No API access
- No webhooks
Honest pricing. No usage cliff.
Pricing
Same data on every tier. The only thing that scales is throughput.
Billed monthly in USD via Paddle (Merchant of Record). Cancel anytime.
Most popular
Pro
For individual operators.
$99/mo
Approx. ~17 calls/min sustained
- API access
- 1,000 calls / day
- 3 webhooks
- 100-CVE bulk CSV (sync)
- Verdict history (Pro+)
- 1 seat
- Email support
Team
For security teams.
$499/mo
- 3 seats, org-shared quota
- 150,000 calls / day (shared)
- Unlimited webhooks
- 10,000-CVE bulk CSV (async)
- API bulk endpoint up to 500 CVEs/call
- Priority email support
Enterprise
For MSSPs and large SOCs.
$1,499/mo
- 10 seats, per-seat quota
- 200,000 calls / day per seat
- Unlimited webhooks
- 100,000-CVE bulk CSV (async)
- API bulk endpoint up to 1,000 CVEs/call
- SLA available on request
Compare every feature
Everything that changes by tier — quotas, rate limits, sources, security, and support.
| Feature | Free | Pro | Team | Enterprise |
|---|---|---|---|---|
| Pricing & access | ||||
| Monthly price | $0 | $99 | $499 | $1,499 |
| REST API access | — | ✓ | ✓ | ✓ |
| Web console | 5 CVE / week | Unlimited | Unlimited | Unlimited |
| Verdict history | — | ✓ | ✓ | ✓ |
| Quotas & rate limits | ||||
| Daily quota | 20 | 1,000 | 150,000 | 200,000 per seat |
| Quota model | Per user | Per user | Org-shared | Per seat |
| Rate limit | 60 / min | 1,000 / min | 3,000 / min | 5,000 / min per seat |
| Bulk endpoint (per call) | — | — | Up to 500 CVEs | Up to 1,000 CVEs |
| CSV upload (per file) | 10 (sync) | 100 (sync) | 10,000 (async) | 100,000 (async) |
| Team features | ||||
| Seats included | 1 | 1 | 3 | 10 |
| Webhooks | — | 3 | Unlimited | Unlimited |
| Role-based seats | — | — | Owner / member | Owner / member |
| Email invitations | — | — | ✓ | ✓ |
| Signal sources | ||||
| CISA KEV | ✓ | ✓ | ✓ | ✓ |
| FIRST.org EPSS | ✓ | ✓ | ✓ | ✓ |
| Metasploit modules | ✓ | ✓ | ✓ | ✓ |
| Nuclei templates | ✓ | ✓ | ✓ | ✓ |
| ExploitDB | ✓ | ✓ | ✓ | ✓ |
| Curated GitHub PoCs | ✓ | ✓ | ✓ | ✓ |
| Security & compliance | ||||
| Single active session | ✓ | ✓ | ✓ (per seat) | ✓ (per seat) |
| EU data residency | ✓ | ✓ | ✓ | ✓ |
| Admin audit log | — | — | ✓ | ✓ |
| DPA available | — | — | On request | ✓ |
| Support | ||||
| Channel | Best-effort | Priority email | Priority email | |
| First-response target | Best effort | Within 2 business days | Within 1 business day | Within 4 business hours, business days |
Need more than 10 seats? Contact sales: [email protected]
FAQ
- What is a "verdict"?
-
A single, actionable label per CVE — one of
ACTIVELY_EXPLOITED,WEAPONIZED,POC_AVAILABLE,THEORETICAL, orNOT_APPLICABLE— derived deterministically from public threat-intel signals (CISA KEV, EPSS, Metasploit, Nuclei, ExploitDB, GitHub PoCs). Every verdict ships with a 0–100 confidence score and the list of sources used. - Is there a free tier?
- Yes — 5 CVE lookups per week through the web console, no credit card. The Telegram gate (join the channel and send a 6-character code to the bot) keeps abuse low and is free.
- How does shared quota work on the Team plan?
- All API calls from any of the 3 seats count against one org-wide pool of 150,000 / day. The counter resets at UTC midnight. Enterprise is different — each seat has its own 200,000 / day pool, so a 10-seat Enterprise org has 2,000,000 / day in aggregate without any one seat being able to starve another.
- Can I change my plan anytime?
- Yes. Upgrades take effect immediately and are prorated. Downgrades take effect at the end of the current billing period — you keep the higher quota until then. Cancellations follow the same rule.
- Do unused requests roll over to next month?
- No. Quotas reset daily at UTC midnight; nothing accumulates. We size each tier so a typical workload stays well under the ceiling, not so a heavy one barely fits.
- What happens when I hit my quota?
-
The API returns
429 Too Many Requestswith rate-limit headers (X-RateLimit-Limit,X-RateLimit-Remaining,X-RateLimit-Reset). No surprise overage fees, no auto-upgrade. Quota resumes at UTC midnight; if you need more capacity, upgrade from the dashboard. - Are there setup fees?
- None. The price you see is the only price — Paddle handles global tax and VAT inclusive of the listed amount.
- Do you offer educational or non-profit discounts?
- Contact us for educational and non-profit pricing — case-by-case basis. Email [email protected] with proof of affiliation.
- How is CVE data sourced and licensed?
-
All signals come from public, commercially-usable feeds:
CISA KEV (public domain), NVD (US government work),
FIRST.org EPSS (CC BY 4.0), ExploitDB, Rapid7's Metasploit
Framework (BSD-3), ProjectDiscovery's Nuclei templates (MIT),
and curated GitHub PoC indexes (we link out, never
redistribute exploit code). Attribution and license details
ship in every response's
meta.sourcesfield. - Do paid tiers auto-renew?
- Monthly. Cancel any time from your dashboard — we don't dark-pattern the cancel button. See the Refund Policy for the 14-day money-back guarantee.
- Where is data hosted?
- Hetzner Frankfurt, Germany (European Union). Cloudflare's global edge serves the marketing site and protects the API. Your account data does not leave the EU.
- Who handles billing and tax?
- Paddle.com Market Limited acts as Merchant of Record. They handle global tax collection (VAT, GST, sales tax), receipts, dunning, and chargebacks. We never see your card number.
- Can I share my Pro plan with my team?
- No. Pro is single-seat by design and the web console enforces single active session per user — a new login revokes the prior session. For multi-person use, choose Team (3 seats) or Enterprise (10 seats).
- Do you offer refunds?
- Yes — 14-day money-back guarantee for first-time subscribers. Full details on the Refund Policy.