Pricing

Per-host. No per-seat tax.

You pay for the hosts you protect, not the engineers who access them. Open Source is free up to 5 hosts and self-hosted. Team starts at $25/host/mo with volume discounts that kick in past 25 hosts.

Volume discounts on Team

Applied per-tier, not per-host. Your blended rate falls as your fleet grows. The admin portal shows your effective rate live.

Worked example: 200 hosts = 25 × $25 + 75 × $22 + 100 × $18 = $4,075 / mo blended ($20.38 / host).

Honest answers to pricing questions

No “contact sales for pricing” answers. If we don’t know yet, we say so.

Why per-host instead of per-user?

Because your blast radius is per-host. If one host is compromised, the audit log for that host is what your auditor wants. Per-user pricing penalises you for having small teams with many hosts, which is exactly the Series-A/B pattern. A 6-engineer team running 80 staging hosts shouldn’t pay 80x the price of a 6-engineer team running 10 hosts.

How do the volume discounts apply?

Automatically and per-tier, not per-host. If you run 200 hosts, your first 25 are billed at $25, the next 75 at $22, and the next 100 at $18 — a blended rate of about $20/host/mo. The admin portal shows your effective rate and projected next-tier savings.

Can I migrate from Teleport?

Yes. If you have an existing OpenSSH CA, we can read your CA private key into our managed KMS and rotate without re-trusting every host. The CLI ships a “linuxid migrate teleport” subcommand later this year. Until then, migration is a manual process we walk you through on a call — email saheed@linuxidentity.com.

What’s in the open-source tier exactly?

Everything the hosted tier has for the core SSH CA flow: short-lived cert issuance tied to your OIDC IdP, the host agent (sudo capture, audit upload), the append-only audit log with hash chain. What’s not included: the hosted control plane (you run it), hosted audit storage (you bring your own Postgres + object store), and email support. The open-source code is at github.com/aws-proj/Linux-Identity.

How does pricing scale to 10,000 hosts?

Through Enterprise. Above 2,000 hosts the volume brackets stop publishing and we negotiate a per-host floor in writing. Email us and we’ll send a sheet with break-even math before you have to talk to anyone.

Do you have an audit log retention add-on?

Not as a separate line item yet. Team includes 1 year of audit log retention in the hosted control plane. Enterprise customers can negotiate custom retention (e.g., 7 years for PCI). If you need longer than 1 year on Team, export the audit log to your own object store — the API supports that today.

Can I host the control plane in my own cloud account?

Yes, on Enterprise. We ship a Terraform module that deploys the full control plane into your cloud account: managed Postgres, the control plane binary on a container runtime, a KMS-equivalent key for the SSH CA, and edge delivery for the API. You own the infra; we provide the software and support. We support major clouds; talk to us about your target.