Pricing

Free forever, or pay per term. No auto-renewal.

One scanner, two editions. Pick Core for general code (Python, JavaScript, TypeScript, Go) or Salesforce for Apex, LWC, Aura, Flow, and live-org posture. The core scan is free forever on either edition. Pro adds compliance evidence, the portfolio view, and the deep detector packs. Every paid option is a one-time payment for a fixed term; we never auto-bill you. The 14-day trial unlocks full Pro and then drops to Free on day 15, no card.

$ vulkro license-status shows your term; when it lapses the CLI drops to Free and keeps scanning

LICENSE CLASS: FREE

Free

Permanent. No card. No expiry.

$0 forever

no card, no account, no expiry

  • Scans Python, JavaScript, TypeScript, and Go
  • Finds the OWASP API top 10: broken auth, injection, SSRF, leaky data, broken access control
  • Catches vulnerable dependencies and leaked secrets, including in your git history
  • Fast incident response when a known compromise hits the news
  • Audits your MCP server configs and your editor / browser extensions
  • SARIF output for GitHub Code Scanning, plus JSON for CI scripts
  • Vulnerability database updates on the same schedule as Pro, no delay
  • Unlimited projects in the CLI, one project at a time in the desktop console

LICENSE CLASS: PRO-30

Pro Monthly

One payment. 30 days. No auto-renewal.

$39 one-time

manual renewal, no auto-billing

  • Everything in Free, plus:
  • Compliance evidence packs: SOC 2, ISO 27001, HIPAA, PCI-DSS 4.0, NIST 800-53/171, HITRUST (9+ packs)
  • Portfolio view: scan and track many projects at once
  • Pro detector packs: AI and agent safety checks, plus live API probing (13 attack classes, against your own endpoints)
  • Pro output formats: CycloneDX and SPDX SBOMs, OpenVEX, executive PDF and HTML, GDPR Article 30 records (23 formats in total)
  • Email support, direct from the Vulkro team

LICENSE CLASS: PRO-365

Pro Annual (Best value)

One payment. 365 days. No auto-renewal.

$349 one-time

manual renewal, no auto-billing

Save $119 vs monthly (about 3 months free)

  • Everything in Free, plus:
  • Compliance evidence packs: SOC 2, ISO 27001, HIPAA, PCI-DSS 4.0, NIST 800-53/171, HITRUST (9+ packs)
  • Portfolio view: scan and track many projects at once
  • Pro detector packs: AI and agent safety checks, plus live API probing (13 attack classes, against your own endpoints)
  • Pro output formats: CycloneDX and SPDX SBOMs, OpenVEX, executive PDF and HTML, GDPR Article 30 records (23 formats in total)
  • Email support, direct from the Vulkro team

Not sure? The 14-day trial is full Pro, no card.

The Free tier, in writing

What Free really includes.

Free is a permanent tier, not a demo. It is also the tier a lapsed Pro license lands on: the scanner keeps running and the vulnerability database keeps updating. What Pro sells is detection depth, not data freshness.

| Capability (Core edition)                                                                                               | Free                      | Pro                    |
|-------------------------------------------------------------------------------------------------------------------------|---------------------------|------------------------|
| Deep code analysis (endpoints + cross-file taint) for JavaScript/TypeScript, Python, Go                                 | Included                  | Included               |
| Dependency CVEs across npm, PyPI, Go, Cargo, Maven (signed offline bundle: OSV + NVD + CISA KEV + EPSS)                 | Included                  | Included               |
| Vulnerability database freshness                                                                                        | Same bundle, same schedule | Same bundle, same schedule |
| Secrets, broken auth, injection, OWASP API Top 10, supply-chain catalog, incident response                              | Included                  | Included               |
| CI output: SARIF for GitHub Code Scanning, JSON, NDJSON, table                                                          | Included                  | Included               |
| Pro detector packs (AI and agent safety, live API probing)                                                              | Not included              | Included               |
| Compliance evidence (SOC 2, ISO 27001, HIPAA, PCI-DSS 4.0, NIST, HITRUST; 9+ packs)                                     | Not included              | Included               |
| Heavy output formats (CycloneDX, SPDX, OpenVEX, executive PDF and HTML, GDPR RoPA; 23 formats in total)                 | Not included              | Included               |
| Portfolio view in the desktop console                                                                                   | One project at a time     | Many projects at once  |

The Salesforce edition follows the same shape: the core Salesforce scan is free forever; Pro adds the five-category review, the AppExchange readiness report, and the live-org audit.

$ vulkro scan --format sarif is free on every tier, so CI gating never needs a license

The term model

A term you buy, not a subscription that bills you.

Competitors auto-bill until you find the cancel button. Vulkro Pro is a per-term license with no auto-renewal: you pay once, the term runs out, and renewal is a decision you make with full information.

01. Buy a term

30 or 365 days, one payment, bound to one machine. No stored card, no billing relationship that outlives the term.

02. The term ends. Nothing bills.

There is no charge to catch, no retention flow, nothing to cancel. The CLI tells you the license lapsed and drops to Free.

03. Free keeps you safe meanwhile

The CVE bundle keeps updating on the same schedule as Pro, so a lapsed scanner never goes stale on known vulnerabilities. Buy another term when the Pro depth is worth it again.

More than one seat

Team and Enterprise.

Team licensing is signed seat extensions plus a team policy file committed to your repo. Enterprise covers air-gapped and off-menu requirements. Both are sized by conversation: no self-serve checkout, no invented per-seat price on this page.

LICENSE CLASS: TEAM

Team

One license, seat extensions for every developer, one policy file the whole team reviews like code.

  • Signed seat extensions on one license: each developer gets a seat, one purchase covers the team
  • Repo-committed team policy: the same gates and suppressions for everyone, reviewed like code
  • Works offline like everything else: no license server to host, no per-seat SaaS dashboard
  • Available from v0.16.0
Contact for team licenses

LICENSE CLASS: CUSTOM

Enterprise

Off-menu requirements and air-gapped deployments. Custom terms; a license you control.

  • Multiple machines, your whole team
  • Air-gapped license server
  • Private rule packs (on roadmap)
  • On-prem CVE bundle mirror (on roadmap)
  • Direct line to the Vulkro team
Contact sales

Need it free

If the price is the only thing stopping you, write to us.

A student learning to ship safely. An unfunded open-source maintainer. A nonprofit, a school, a security teacher, a team in a place where $349 is a month's rent. If Vulkro would make your project safer and the license is the blocker, tell us what you are building. We started this to help make the internet a secure place again, and that matters more to us than losing you on price.

Questions

Pricing questions, answered.

What's actually in the 14-day trial?
Full Pro. Every detector, every output format, every language. No trial-only watermark, no truncated reports, no "preview" warnings on findings. The CLI tells you on day 12 that the trial is ending. On day 15 it drops to the Free tier and keeps scanning; Pro features prompt for purchase but nothing hard-blocks. Each edition (Core and Salesforce) has its own trial.
What happens when my Pro license expires?
Vulkro keeps working at the Free tier. Pro-only features prompt you to renew, but everything in Free (the core security scan, vulnerable-dependency check, secrets, broken-auth, injection, fast incident response, the MCP server and editor extension audits, CI integration) continues without interruption. The vulnerability database updates on the same schedule as Pro: we never punish you for not paying with a stale advisory feed. What pauses until you renew is the Pro depth: the advanced detector packs (and new packs as they ship), compliance evidence, the portfolio view, and the heavy output formats. No auto-renewal, no surprise charges. Buy a fresh one-time Pro license whenever you are ready.
Is Vulkro for Salesforce the same license as Core Vulkro?
No. Core Vulkro and Vulkro for Salesforce are two separate editions of one scanner. A Core Pro license does not unlock the Salesforce edition, and a Salesforce Pro license does not unlock the core engine. Each has its own 14-day trial and its own machine-bound key. The machine ID is the same on both (it comes from your hardware), so if you have already cached it on one edition, the other picks it up automatically.
How do team licenses work?
From v0.16.0, a team license is one purchase with signed seat extensions: each developer's machine gets a seat on the same license, and a team policy file committed to your repo keeps every seat running the same gates and suppressions. There is no license server to host and no per-seat SaaS dashboard. Team licenses are sized by conversation: email us with your team size and we will quote it.
What does “one machine, single developer” mean?
Every Vulkro license is bound to one machine ID generated from your hardware. Run vulkro machine-id (or vulkro-sf machine-id for the Salesforce edition) to see yours. Need it on more than one machine, including CI? That is what the Team license is for; email [email protected].
Does Vulkro ever upload my source code?
Never. Vulkro runs entirely on your own machine. No cloud upload, no telemetry, no AI service in the loop. For Salesforce, source and org metadata stay on your laptop too; the connection to your live org uses your own Salesforce login, so the access token stays with Salesforce, not with us. See the privacy policy for the full statement, or read the manifesto for the reasoning.
Is Vulkro open source?
No. The detection code is closed source: that is the product. What we do publish is the benchmark itself: the test code, the labelled examples, and the scoring rules. You can run the benchmark on your laptop and compare our catch rate and false-positive rate against the alternatives on the same examples. We compete on reproducible results, not on source openness. (The free Vulkro Labs tools are a separate, open-source project.)
What's the line between Free and Pro?
Free covers what a single developer on one project needs to ship safely: the OWASP API top 10, vulnerable-dependency check, secret detection, auth bugs, injection, fast incident response, the MCP server and editor extension audits, and CI-friendly output for GitHub Code Scanning. Free supports Python, JavaScript, TypeScript, and Go. Pro adds what teams and regulated industries pay for: audit-ready compliance evidence (SOC 2, HIPAA, PCI, ISO 27001, and more), a portfolio view across many projects, the deeper detection packs, the heavy report formats (SBOM, executive PDF and HTML), and live API probing. Both tiers get the same vulnerability database updates on the same schedule. The full split is in the table above.
What is the AppExchange readiness report?
A Salesforce Pro feature: a single HTML report grouped by the same checklist your AppExchange reviewer uses. Section by section, what cleared and what still needs work. Email it to the reviewer or hand it to a client. No login required to read it.
Do you offer refunds?
No. Once a license file is issued it cannot be revoked, so refunds are not offered as a matter of policy. That is exactly why the 14-day full-Pro trial comes before any purchase. If you're unhappy, reach out and we'll do what we can. See the refund policy for the full text.
Buying for a consultancy with many client orgs?
For Salesforce, multi-org and per-engagement options (AppExchange Security Review prep and consultancy audits across many client orgs) are available under Enterprise: email us and we will size it to your practice.

Install free. Decide later.

14 days of full Pro on your laptop, then it drops to Free and keeps running. No card, no account.