Pricing
Runtime security at your cluster's scale.
Node-based pricing. No per-agent fees. Start with your cluster's current size and grow as you scale.
Pricing plans
Starter
$199/mo
For early-stage teams evaluating K8s runtime security. Up to 10 nodes, 3 team members, core detection.
- 10 nodes / DaemonSet pods
- 3 team members
- eBPF-based syscall monitoring
- Container escape + cryptomining detection
- Slack alert integration
- 7-day event retention
- Community support (Slack)
Growth
$499/mo
For production K8s security teams. Full threat library, SIEM integration, 30-day retention.
- 50 nodes
- 10 team members
- Full threat detection library (6 categories)
- Custom YAML policies
- Splunk / Elastic / Datadog SIEM integration
- PagerDuty + OpsGenie alerts
- 30-day event retention
- Audit log export (CSV / JSON)
- Email support (next business day)
Enterprise
Custom
For security-led organizations. Unlimited nodes, multi-cluster, SSO, dedicated onboarding.
- Unlimited nodes and clusters
- Unlimited team members
- Multi-cluster namespace isolation
- SSO (Okta / Azure AD / Google Workspace)
- Custom retention (90+ days)
- Dedicated onboarding engineer
- SLA-backed alert latency (<30s P99)
- SOC 2 Type II report available on NDA
| Feature | Starter | Growth | Enterprise |
|---|---|---|---|
| Node limit | 10 | 50 | Unlimited |
| Container escape detection | |||
| Cryptomining detection | |||
| Privilege escalation detection | |||
| Lateral movement detection | |||
| Custom YAML policies | |||
| Falco rule import | |||
| SIEM integration | |||
| Event retention | 7 days | 30 days | 90+ days |
| SSO | |||
| Multi-cluster support | |||
| Dedicated onboarding | |||
| SOC 2 report (on NDA) |
Frequently asked questions
A node is a Kubernetes worker node where the Kubesentry DaemonSet pod runs. Control plane nodes are excluded. You pay only for worker nodes where the agent is active.
No. Kubesentry runs as a DaemonSet — one agent pod per node — with no sidecars and no changes to your application images or deployments.
Yes. Kubesentry's policy engine accepts Falco YAML rule files without modification. You can import your entire Falco ruleset and then extend it with Kubesentry's action and routing extensions.
The Kubesentry agent requires CAP_SYS_ADMIN for eBPF program loading and CAP_BPF (Linux 5.8+). A detailed capability rationale is available on our Security page. We publish the minimum capability set required and explain why each is necessary.
Kubesentry processes syscall metadata (process names, PIDs, syscall types, container IDs) — not payload data. The control plane for policy delivery and alert routing uses TLS 1.3. If you configure SIEM forwarding, events route to your SIEM. See the Security page for full data handling details.
Start detecting runtime threats today.
Starter plan available immediately. Enterprise contracts typically close in 2 weeks.