health.whisper.online · pricing

Security you pay more for the moment you're breached is priced backwards.

Usage-metered tooling bills per API transaction, per query, per analyst seat — so the invoice climbs as your device fleet and FHIR footprint grow, and spikes exactly during the incident, when a hospital can least afford to ration a hunt and a HIE can least afford to slow one down. Against tens of thousands of networked machines and a ~279-day average to detect and contain, a meter is a number no HTM lead or CISO can forecast.

We price the other way. Flat, per device or FHIR endpoint, per year — not per transaction, per query, or per seat. Keyless verify is free forever, attribution is never metered. One line item you can forecast — and defend to your board.

whisper verify --trustless costs nothing and needs no account — our own API is not in the trust path.

$0 Keyless verify, resolve and back-trace — free forever, no account
One flat per-device / per-endpoint / year figure — not per-transaction, per-query or per-seat
$7.42M the average US healthcare breach a flat line hedges against (IBM, 2025)
0 usage meters on attribution — never ration a hunt mid-incident
1 revoke replaces a fleet re-image or a recall truck-roll
~279 days average to detect and contain — a meter would bill every day of it

A meter that climbs with your fleet — and spikes when you're attacked — isn't a price. It's a risk.

Two curves. One rises with every device you connect, every endpoint you publish, every API call, every query your analysts run chasing an operator across rotating egress — and peaks precisely during the incident. The other is a flat line you set once and forecast for years.

annual cost → device & endpoint growth · API volume · incident load → usage-metered per transaction · per query · per seat under attack ↓ billed most exactly when it hurts most the overage a flat price never charges Whisper · flat per device / endpoint / year set once · forecast for years · attribution never metered
Flat means the number you sign this year is the number you defend in every budget after. The meter you don't pay — the one that would have peaked mid-incident — is the whole point.

Per-device, not per-transaction

Priced to the thing you actually govern — the device or the FHIR endpoint — so a busy fleet, a chatty HIE, or a noisy incident never moves the invoice. Add a service line, extend a product line, weather an attack: the figure holds.

Attribution is never metered

Run identify, walk, history and Cypher as hard as an incident demands. No per-query tax means your SOC never rations a hunt while an operator keeps rotating across HIE partners, cloud and residential proxies.

Additive, not another bill

It sits on top of the IoMT visibility platform, SIEM and UDAP/TEFCA trust you already own — as a feed. No per-analyst-seat licence, no data-egress fee, no new appliance to rack, no new console to staff.

Start keyless and free. Prove it on a service line. Roll it across the HDO — flat the whole way.

POC → pilot → enterprise, exactly the path a device-security or interoperability program buys on. Every tier speaks the same address-is-identity primitive; you're only widening how much of the estate it covers, never re-platforming and never adding an appliance.

POC

Free to start

$0

Keyless checks need no account, no card. A free sign-up adds a handful of identities to prove the bind — still $0.

The keyless half of the platform — trustless, anchored at the IANA root, our API never in the path — needs no account:

  • whisper verify --trustless any device or FHIR endpoint identity
  • Resolve and reverse-resolve a /128, read its RDAP, read the public transparency log
  • Back-trace a suspicious /128 to the device behind it — reverse-DNS + RDAP, no key

Then a free key (still $0) adds

  • Bind a handful of devices / FHIR endpoints to the identifier they already carry (Endpoint.identifier or serial) and dig -x them
Pilot

Flat engagement

Fixed scope

A device fleet or a service line, time-boxed, one flat price.

Everything in POC, keyed to a defined device / endpoint count so a program owner can prove value before the board:

  • Provision device & FHIR-endpoint identities from the key they already carry (Endpoint.identifier, device serial or UDI as device_id)
  • Full control plane — attribution graph + egress governance (policy·firewall·budget·lookups·revoke), unmetered
  • Machine-readable feed into your SIEM: Splunk & Microsoft Sentinel today (STIX 2.1 / TAXII on the roadmap)
  • FDA §524B / HIPAA §164.312 / EU MDR evidence, each mint & revoke in the transparency log
Enterprise

Flat per-device / year

Fleet quote

One rate, quoted to your HDO or product line. It doesn't move.

The whole program, all three planes, across every device and endpoint — the way a CISO buys defence-in-depth:

  • Identity, attribution graph and egress governance, organisation-wide
  • Unlimited attribution — no per-query meter, ever
  • Non-repudiable device attestation — sign a device's readings & telemetry to its /128 so a downstream system trusts they came from the real device
  • On-prem or your own tenant — HIPAA / data-residency by construction
  • Enterprise support & SLA, availability-safe fail-open — a Whisper outage never bricks a device

Why a quote, not a sticker. A fleet price is one number, but the right number depends on device and endpoint count, on-prem vs your own tenant, and the standards evidence you need — so we quote it flat and in writing, and it holds for the term. No usage true-ups, no surprise line at renewal. Get a fleet quote →

The same platform, at three widths. Nothing behind the paywall is the security itself.

The keyless verification a patient's app, a QHIN, a regulator or a researcher needs to check a device or endpoint identity is free at every tier — on principle. The keyed tiers widen coverage and feed your stack; they never gate the ability to verify. Roadmap items are labelled honestly, never sold as shipped.

CapabilityPOCPilotEnterprise
Trustless verify / resolve / RDAP (whisper verify --trustless)
Trace a /128 to the device or endpoint behind it (reverse-DNS + RDAP)
Public Merkle transparency log — every mint & revoke (/checkpoint, /ledger)
Device & FHIR-endpoint identity (register /128, DANE-EE, revoke)a handfulfleet sliceorg-wide
Full attribution graph (identify, origins, walk, history, Cypher)fleet sliceunlimited
Egress governance (policy, firewall, budget, op:logs)fleet sliceorg-wide
Non-repudiable device attestation — sign a device's readings/telemetry to its /128fleet sliceorg-wide
Lookups — who resolved / RDAP-queried your identity (recon tripwire)
§524B / HIPAA §164.312 / EU MDR evidence — each mint & revoke in the transparency log
SIEM feed — Splunk connector today · CEF / ECS
STIX 2.1 / TAXII · H-ISAC JSON exportroadmaproadmaproadmap
First-class typed --udi arg (pass the UDI / Endpoint.identifier as device_id today)roadmaproadmaproadmap
On-prem / own tenant (HIPAA, data residency)
Enterprise support & SLA · availability-safe fail-openpilot support
Metered by usage (per transaction / query / seat)nevernevernever

On the roadmap, stated plainly. The Splunk and Microsoft Sentinel connectors ship now (signed JSON → CEF/ECS). STIX 2.1 over TAXII, a machine-readable H-ISAC export, and a first-class typed --udi argument are proposed and on the roadmap — until they land you pass your UDI or Endpoint.identifier as device_id, which is shipped and live. The transparency log is tamper-evident, Ed25519-signed and Bitcoin-anchored via OpenTimestamps today — it speaks the tlog-witness protocol, but is not yet independently witnessed; that's the next step, and we say so.

The ROI isn't a promise — it's the costs the flat line takes off your books.

A predictable figure is only half the case. The other half is what it removes: analyst hours, incident blast radius, audit effort, re-platform risk, and the renewal surprise.

Analyst hours you stop burning

Correlating a rotating, meaningless last IP across HIE partners, cloud and residential proxies is manual, and it never converges — and 41% of 2024 healthcare breaches started with a third party you don't monitor. The graph collapses the rotation to one operator with a replayable evidence chain, and op:lookups shows you who is enumerating your endpoints before the exfil — the hours go back to your SOC, and the meter never punishes them for looking harder.

Breach, ransomware and patient-safety exposure

Catching fleet-scale enumeration before it becomes mass compromise is the difference between a revoke and a headline. An attack is now a measurable safety event — peer-reviewed research finds in-hospital mortality rises 35–41% for patients already admitted when ransomware hits; the average US healthcare breach runs $7.42M and ~133M records were exposed in a single recent year. A flat line item hedges a variable-cost catastrophe.

One revoke, not a fleet re-image or recall

A compromised device or endpoint is revoked worldwide at DNS-TTL speed — no truck-roll, no re-imaging a 15-year-old machine you can't put an agent on, no CRL you hope every device fetched. The blast radius is one leaf key, never a shared root — the single-CA failure mode is structurally removed.

§524B & HIPAA evidence you don't reassemble

Findings arrive already mapped to a built-in authentication + unauthorised-access control (FDA §524B(b)(2); EU MDR 17.4; IEC 62443 FR1) and to HIPAA §164.312(a)/(b)/(d) — with the transparency log as the postmarket-containment trail (§524B(b)(1)/CVD). When OCR asks "what talked to ePHI, prove it," the answer is a signed replayable chain, not a forensics project. Honest: it is not your SBOM (§524B(b)(3)) — that stays yours.

A vendor that will still be here

Security point-tools get acquired and sunset. Whisper is real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers — identities are DNSSEC/DANE objects you can verify without us. Longevity is the cheapest line in any TCO.

No shadow costs at renewal

No per-transaction true-up, no per-seat creep as your SOC or HTM team grows, no data-egress fee, no appliance refresh. What you forecast in year one is what you sign in year three — the number a CFO can actually plan around.

A pricing model can be an attack surface. Ours isn't.

If security is metered, an adversary can run up your bill, and a defender rations their own hunt. We priced those failure modes out.

"If attribution is metered, do my analysts have to ration lookups in the middle of an incident?"

Never. The graph is unmetered on the keyed tiers — identify, walk, history and Cypher run as hard as the hunt demands, across HIE partners and rotating egress. There is no per-query line for an attacker to inflate and none for a defender to fear.

"Does my bill spike when I'm under attack, or just when my device fleet grows?"

Neither. The price is per device or endpoint, set once, for the term. A traffic flood, an enumeration campaign against your FHIR endpoints, or connecting a new service line moves your risk — it doesn't move the invoice. The meter that would have peaked during the incident simply doesn't exist.

"Is the free tier a real capability or a trap that expires into a sales call?"

Real, and permanent. Keyless verify is anchored at the IANA root — our own API is not in the trust path, so we couldn't gate it if we wanted to. Verifying a device or endpoint identity is a public check; charging for the truth would defeat the point.

Straight answers, before the call.

BILLING

What exactly is metered?

Nothing by usage. You pay a flat rate per device or FHIR endpoint, per year. No per-API-transaction charge, no per-query graph fee, no per-analyst seat, no data-egress bill, no appliance. The only variable is how many devices and endpoints the program covers.

ENTRY

Can I try it without procurement?

Yes. The keyless checks need no account at all — run whisper verify --trustless today, and resolve, reverse-resolve and read RDAP and the public transparency log for any /128. A free sign-up (still $0) then adds a handful of identities, so you can bind a few devices or FHIR endpoints to the identifier they already carry and dig -x them on your bench. When you're ready for a service line, a Pilot is a fixed, time-boxed engagement.

GROWTH

What happens when my fleet grows?

The per-device rate holds; the total scales linearly and predictably with device and endpoint count, quoted in writing for the term. No usage true-up, no renewal surprise, no penalty for a busy or attacked fleet.

STACK

Is this on top of my IoMT and SIEM cost?

It's a feed into the IoMT visibility platform, SIEM and UDAP/TEFCA trust you already run — the Splunk and Microsoft Sentinel connectors ship today — not a replacement, not a second appliance, not a console to staff. It makes the tools you already pay for sharper.

RESIDENCY

On-prem or hosted?

Either. The Enterprise tier runs on-prem or in your own tenant, so the graph and per-device logs stay where your regulator needs them — HIPAA and data residency by construction, at no metered premium. And it's availability-safe: a Whisper outage degrades to your existing anchors, never bricking a device.

EXIT

What if I stop?

Identities are DNSSEC/DANE objects you can verify independently, every mint and revoke is in a public transparency log, and evidence exports are open formats (CEF, ECS; STIX and a per-sector JSON export on the roadmap). There's no proprietary lock on your own attestations or your compliance record.

Flat depth on top of the stack you already run — it doesn't replace a line, it de-risks the whole one.

You already pay for an IoMT visibility platform, a SIEM, and UDAP/TEFCA endpoint trust — and, on the OEM side, maybe a device-PKI product — and you should keep them all; Whisper is additive to every one. Where a per-transaction cloud makes the bill unforecastable and a rigid multi-module bundle makes you buy packages you don't need, a flat per-device line adds the two layers no one else owns — publicly verifiable DNS/DANE device & endpoint identity and attribution across rotating, cross-organization egress — anchored strictly at the IP/DNS/transport boundary, without a meter and without a new silo. It complements the device's own certificate and your community trust anchor; it never sits inside your clinical protocols or replaces them.

Pricing modelForecastable?Meter spikes under attack?
Per-API-transaction / usage-metered cloudhardyes
Rigid multi-module bundle (six-figure floor)partlyn/a — over-scoped
Whisper — flat per device / endpoint / yearyesno

It makes the Claroty, Armis or Forescout deployment and the Splunk SIEM you already carry sharper, as a machine-readable feed — not a thing they compete with. See the full comparison →

One flat number. Every device and endpoint, covered.

Keyless verify is free forever — start there, no account. When you're ready, a fleet quote is one flat per-device / per-endpoint / year figure you can forecast and defend. No meter, no surprise at renewal.

Or run whisper verify --trustless right now — it costs nothing.