PRICING · OPEN CORE
Free OSS that earns your trust.
Hosted that earns its keep.
The engine, every APT chain, and every detection rule are open source and free forever. The hosted tier adds the signer, the SIEM adapters, and the workspace your team needs. No per-run fees. No seat tax for small teams.
CORE · APACHE 2.0
Self-hosted
Run MayaTrail anywhere. Same engine, same chains, same evidence bundles as the hosted tier.
Free
FOREVER · NO LIMITS
- Engine + Pulumi orchestration + CLI
- All 6 APT chains · OSS today, every future chain ships free
- 11+ Sigma rules, MITRE-mapped, technique-by-technique
- IR playbooks per chain · 700+ lines, prep / identify / contain / recover
- MITRE coverage map · byte-identical evidence bundles
- Self-host on any AWS account
- No hosted control plane
- No SIEM adapters
- No evidence signer
PLATFORM · HOSTED
Team
For detection-engineering teams that want shared runs, signed evidence, and live SIEM ingest.
$1,200/mo
UP TO 5 ENGINEERS · MONTHLY OR ANNUAL
- Everything in Core, plus:
- Hosted control plane · run history, scheduling, shared workspace
- Cryptographic evidence signer with managed keys
- SIEM adapters: Sentinel · Splunk · Chronicle · Elastic · Wazuh
- Custom chain authoring UI
- SSO · audit log · RBAC
- Priority access to new APT chains 30 days before OSS release
- Slack support · 1 business day
PLATFORM · ENTERPRISE
Enterprise
For larger teams, MSSPs, and orgs that need on-prem control plane, custom chains, or SLAs.
From $36,000/yr
ANNUAL · CUSTOM CONTRACT
- Everything in Team, plus:
- Unlimited seats
- Custom APT chain authoring by our research team
- On-prem control plane option
- Dedicated multi-tenant support (MSSPs)
- White-label option in private preview
- Premium support · 4-hour SLA
- Training for your detection team
- Contractual indemnification
What's actually different.
| Core · Free | Team · $1.2k/mo | Enterprise | |
|---|---|---|---|
| Engine + APT chainsEngine, chains, MITRE map, IR playbooks | ✓ | ✓ | ✓ |
| Sigma rule library11+ rules today · all future rules | ✓ | ✓ | ✓ |
| Number of runs / monthNo per-run charges, ever | Unlimited | Unlimited | Unlimited |
| Hosted control planeRun history · scheduled drills · workspace | × | ✓ | ✓ |
| Evidence signerCryptographic, hash-chained, audit-ready | self-host | managed | managed |
| SIEM adaptersSentinel · Splunk · Chronicle · Elastic · Wazuh | × | all 5 | all 5 + custom |
| Engineers / seats | unlimited (self-host) | 5 included | unlimited |
| SSO + audit log | × | ✓ | ✓ + SCIM |
| Custom chain authoringOur researchers build a chain to your spec | × | × | ✓ · 4 per yr |
| On-prem control plane | N/A · self-host | × | ✓ |
| Priority new-chain access30 days before OSS release | × | ✓ | ✓ |
| Support | community · GitHub | Slack · 1 BD | premium · 4hr SLA |
Pricing questions we hear.
Is the OSS really useful by itself, or is it a teaser for the paid tier?
It's genuinely useful by itself. The OSS includes the full engine, every APT chain we ship, all Sigma rules, the MITRE mapper, and the Pulumi sandbox machinery. Many of our early users will never upgrade and that's fine - the hosted tier adds the team workflow (signer, SIEM adapters, shared workspace), not the actual emulation capability. If you're a solo detection engineer or your team is happy self-hosting, Core forever is the right answer.
Do you charge per run, per technique, or per evidence bundle?
None of the above. Pricing is tier-based, not metered. Run as many drills as you want. We refuse meter-based pricing because it would discourage exactly the behavior we want: testing detections frequently. The only cost variable to you is your AWS sandbox spend, which is typically under $2 per run.
Will you paywall existing OSS features later?
No. See our OSS principles in the GTM strategy: Apache 2.0, never re-licensed, never paywalled retroactively. Hosted features (signer, adapters, control plane) are additive. We hold ourselves to the dbt Labs model, not the HashiCorp/Elastic playbook.
What about Azure or GCP?
Not in pricing yet. We're AWS-first by design. Azure-light is on the roadmap (Q2 2027) but only after we have AWS depth that no competitor can match. We'd rather be the best AWS attack-emulation tool than the third-best multi-cloud one. If you're >50% AWS, we're a fit today; if you need multi-cloud parity, we're not the right vendor yet.
How does the Enterprise tier scale beyond $36k?
By scope, not seats. Base Enterprise is $36k/year for unlimited seats. Scope additions: custom chain authoring beyond 4/year, on-prem control plane, white-label (for MSSPs), additional 4-hour SLA tiers, dedicated solutions architect. Most Enterprise contracts land in the $36-90k range; nothing six-figure-plus unless it's an MSSP with multi-tenant deployment.
Can we try Platform before committing?
Yes - 14-day POC. Free 14-day access to Platform with one custom APT chain built by our team for your specific stack. You run it in your AWS, against your SIEM, with our researchers on Slack. If you don't convert, you keep the chain and the Sigma rules.
What's your refund policy?
Monthly Team plans: cancel any time, no refund for current month. Annual Team plans: pro-rated refund within first 60 days. Enterprise contracts: per-contract clauses, but we will not lock you in past first 90 days.
Do you accept POs and procurement processes?
For Enterprise, yes - we have a vendor security questionnaire, SOC 2 Type I (Type II in progress), and a standard MSA. For Team, we prefer to avoid procurement: single-page MSA, credit card or invoice, contracts close in days not months. If procurement is unavoidable, expect 2-3 weeks.
What discounts do you offer?
Annual prepay: 15% off Team if paid annually upfront. Open-source maintainers: 50% off Team for any individual who maintains a relevant detection-engineering OSS project (Sigma, Atomic, Stratus, etc.). Education / nonprofit: 70% off, by application. No volume or "logo" discounts.
GET STARTED
Run your first drill in an hour.
The OSS installs in one command. Or jump straight to a hosted Team trial - 14 days, one custom chain for your stack, founder-led onboarding.