Free is a permanent tier, not a demo. It is also the tier a lapsed Pro license lands on: the scanner keeps running and the vulnerability database keeps updating. What Pro sells is detection depth, not data freshness.
| Capability (Core edition) | Free | Pro |
|---|---|---|
| Deep code analysis (endpoints + cross-file taint) for JavaScript/TypeScript, Python, Go | Included | Included |
| Dependency CVEs across npm, PyPI, Go, Cargo, Maven (signed offline bundle: OSV + NVD + CISA KEV + EPSS) | Included | Included |
| Vulnerability database freshness | Same bundle, same schedule | Same bundle, same schedule |
| Secrets, broken auth, injection, OWASP API Top 10, supply-chain catalog, incident response | Included | Included |
| CI output: SARIF for GitHub Code Scanning, JSON, NDJSON, table | Included | Included |
| Pro detector packs (AI and agent safety, live API probing) | Not included | Included |
| Compliance evidence (SOC 2, ISO 27001, HIPAA, PCI-DSS 4.0, NIST, HITRUST; 9+ packs) | Not included | Included |
| Heavy output formats (CycloneDX, SPDX, OpenVEX, executive PDF and HTML, GDPR RoPA; 23 formats in total) | Not included | Included |
| Portfolio view in the desktop console | One project at a time | Many projects at once |
The Salesforce edition follows the same shape: the core Salesforce scan is free forever; Pro adds the five-category review, the AppExchange readiness report, and the live-org audit.