Pricing
Pay for what drifts.
Vibgrate prices per project under governance — not per developer, not per repo. Scan everything for free, get your DriftScore, then pay only for the projects you choose to keep in check.
Estimate your bill
Size your estate — we bill the billable, not the detected
Small services & libraries.
Each band's rate per project drops as your estate grows. The filled bar shows where your billable projects land — after micro-project sizing.
free forever — up to 10 billable projects
The unit
What counts as a project
A project is any independently-versioned unit of software with its own manifest — a service, app or library. Think package.json, a Maven module, go.mod, a Cargo crate, or an Nx / Bazel target. A single repository often contains many.
We detect them automatically and exclude vendored code, node_modules and test fixtures by default. You always see "detected vs governed" and choose what to switch on.
Micro-project pricing
Not every project is billed the same
A Lambda handler is not the same unit of work as a 200-file service, so we don't charge for it as if it were. Every detected project is automatically sized into one of four tiers and billed as a fraction of a project. We total the fractions across your estate and round down to the nearest whole number — that total is your billable projects.
Nano
×1/25Billed as a twenty-fifth of a project.
A tiny single-purpose serverless function
Qualifies on any 2 of 3
< 10 source files · < 1 MB source · < 5 dependencies
Micro
×⅒Billed as a tenth of a project.
A serverless function or tiny micro-service
Qualifies on any 2 of 3
< 20 source files · < 2.5 MB source · < 10 dependencies
Small
×⅓Billed as a third of a project.
A modest component or library
Qualifies on any 2 of 3
< 30 source files · < 5 MB source · < 25 dependencies
Standard
×1Billed as a full project.
A normal product service or app
Qualifies on any 2 of 3
Anything larger
How sizing works
- Three measured signals. Source-file count, source byte size, and declared dependency count — measured automatically on every scan.
- Any 2 of 3. A project lands in the lowest tier whose limits it meets on at least two of the three signals, so one chatty test folder or one extra dependency never bumps a genuine micro-project.
- Source code only. Lockfiles, generated files, and vendored / build directories (
node_modules,dist, …) are excluded — a bigpnpm-lock.yamlcan't inflate a tiny project. - Always rounded down. 1.9 billable raw is billed as 1. Nine micro-projects (0.9) cost nothing.
Worked example
247 detected → 49 billable
The legend stays the same everywhere — CLI, dashboard and this estimator: Standard ×1 · Small ×⅓ · Micro ×⅒ · Nano ×1/25.
Billing weight ≠ risk weight
Nano, micro and small projects roll up fully into DriftScores, the portfolio view, and every risk and compliance report. Only the billing fraction is reduced — the CTO dashboard never under-counts risk.
No surprise mid-cycle rises
If a project grows into a higher tier, it keeps its cheaper rate for the rest of the cycle and the new rate starts next cycle, flagged in advance. A project that shrinks gets the cheaper rate right away.
Automatic & measurable
The same three signals are applied to every project on every scan. No manual exceptions, no hidden multipliers, no per-customer overrides, and no tickets to reclassify a project.
Four plans. One free forever.
Scanning and your DriftScore never cost anything. You pay when you want projects watched continuously, gated, and governed.
Free
Scan everything and see where you stand.
Overage —
Start free- Includes
- Scan unlimited repos & projects
- DriftScore + top-10 findings
- Shareable board-ready report
- Up to 10 projects monitored
Team
Keep your team's projects in check over time.
Overage $0.02/min
Start free- Everything in Free, plus
- Continuous monitoring & trends
- Full risk register + EOL report
- Upgrade roadmap & backlog
- CycloneDX / SPDX export
- Workflow automations (alert & route)
- Slack & email alerts
Business
Govern drift across the whole portfolio.
Overage $0.02/min
Start free- Everything in Team, plus
- Merge gates & drift policies
- Drift budgets & accountability
- Portfolio & exec dashboards
- Remediation hand-off + verify
- Audit trail & compliance export
- Push to Cortex / Backstage
- Multi-VCS
Enterprise
Controls and scale for regulated estates.
Overage Custom
Talk to usor book a 20-min demo →- Everything in Business, plus
- Custom build-from-scratch workflows
- SSO / SAML & SCIM
- On-prem / VPC deployment
- Custom policy & support SLA
Compare every capability
Mapped to the full Vibgrate platform — from first scan to continuous governance.
Hover or tap the beside any capability to see what it does and read more in the help centre.
| Capability | Free | Team | Business | Enterprise |
|---|---|---|---|---|
| Limits & cloud compute | ||||
| Repositories under continuous monitoring | 1 | 10 | 50 | Unlimited |
| Scan credits / mo | 5 | 100 | 500 | Unlimited |
| MCP tokens / mo | 10,000 | 2.5M | 10M | Unlimited |
| Included VM minutes / mo (scans + migrations) | 30 | 1,000 | 5,000 | Unlimited |
| VM-minute overage rate (when enabled) | — | $0.02 / min | $0.02 / min | Custom |
| Remediation-agent tokens (platform key) | — | — | $15 / 1M | Custom |
| Analyse & measure | ||||
| Repository, stack & dependency inventory | Included | Included | Included | Included |
| DriftScore + top-10 prioritised findings | Included | Included | Included | Included |
| Continuous monitoring & historical trends | Not included | Included | Included | Included |
| Living SBOM (CycloneDX / SPDX) | Not included | Included | Included | Included |
| Signed SBOM attestations | Not included | Not included | Included | Included |
| Risk & roadmap | ||||
| Full risk register & EOL report | Not included | Included | Included | Included |
| Vulnerability prioritisation (SCA / VEX ingest) | Not included | Included | Included | Included |
| Upgrade roadmap & investment plan | Not included | Included | Included | Included |
| Govern & automate | ||||
| Workflow automations (alert & route) | Not included | Included | Included | Included |
| Automated remediation workflows | Not included | Not included | Included | Included |
| Custom (build-from-scratch) workflows | Not included | Not included | Not included | Included |
| Merge gates & drift policies | Not included | Not included | Included | Included |
| Drift budgets & team accountability | Not included | Not included | Included | Included |
| Remediation hand-off + verification | Not included | Not included | Included | Included |
| Portfolio & board-level dashboards | Not included | Not included | Included | Included |
| Push to IDP (Cortex / Backstage) · multi-VCS | Not included | Not included | Included | Included |
| Audit trail & compliance export | Not included | Not included | Included | Included |
| Controls | ||||
| SSO / SAML, on-prem, SLA | Not included | Not included | Not included | Included |
Questions, answered plainly
No. Most of Vibgrate's work runs automatically in CI, where seats are irrelevant — charging per developer would mean paying for people who never log in. We charge per project under governance, with unlimited seats included.
Every plan reports compliance posture
DORA, CRA, ISO 27001, SOC 2, NIST, PCI DSS, FedRAMP and CMMC — see exactly which control areas Vibgrate assesses, framed honestly as readiness signals (not an attestation).
Get your DriftScore in minutes.
Install the CLI, run a scan, see exactly how far behind your estate has drifted.