# Pricing — Whisper for Health

**Flat, per-device, predictable.** Priced per device or FHIR endpoint, per year — not per API transaction, not per query, not per analyst seat. Keyless verify is free forever. Additive to the IoMT visibility platform, SIEM and UDAP/TEFCA trust you already run, so the bill never spikes the week you're breached.

`whisper verify --trustless` costs nothing and needs no account — our own API is not in the trust path.

---

## Security you pay *more* for the moment you're breached is priced backwards.

Usage-metered tooling bills per API transaction, per query, per analyst seat — so the invoice climbs as your device fleet and FHIR footprint grow, and spikes exactly during the incident, when a hospital can least afford to ration a hunt and a HIE can least afford to slow one down. Against tens of thousands of networked machines and a ~279-day average to detect and contain, a meter is a number no HTM lead or CISO can forecast.

**We price the other way.** Flat, per device or FHIR endpoint, per year — **not** per transaction, per query, or per seat. Keyless verify is free forever, attribution is never metered. **One line item you can forecast — and defend to your board.**

### The numbers that frame it

- **$0** — Keyless verify, resolve and back-trace — free forever, no account
- **1×** — One flat per-device / per-endpoint / year figure — not per-transaction, per-query or per-seat
- **$7.42M** — the average US healthcare breach a flat line hedges against (IBM, 2025)
- **0** — usage meters on attribution — never ration a hunt mid-incident
- **1** — revoke replaces a fleet re-image or a recall truck-roll
- **~279 days** — average to detect and contain — a meter would bill every day of it

---

## The pricing principle

### A meter that climbs with your fleet — and spikes when you're attacked — isn't a price. It's a risk.

Two curves. One rises with every device you connect, every endpoint you publish, every API call, every query your analysts run chasing an operator across rotating egress — and peaks precisely during the incident. The other is a flat line you set once and forecast for years.

> **Flat vs. metered, over time.** A usage-metered curve (per transaction · per query · per seat) climbs steadily against device and endpoint growth, API volume and incident load — and spikes sharply under attack, billed most exactly when it hurts most. Whisper's flat per-device / endpoint / year line stays constant across the whole range: set once, forecast for years, attribution never metered. The gap between the two curves is the overage a flat price never charges.

Flat means the number you sign this year is the number you defend in every budget after. The meter you don't pay — the one that would have peaked mid-incident — is the whole point.

- **Per-device, not per-transaction.** Priced to the thing you actually govern — the device or the FHIR endpoint — so a busy fleet, a chatty HIE, or a noisy incident never moves the invoice. Add a service line, extend a product line, weather an attack: the figure holds.
- **Attribution is never metered.** Run `identify`, `walk`, `history` and Cypher as hard as an incident demands. No per-query tax means your SOC never rations a hunt while an operator keeps rotating across HIE partners, cloud and residential proxies.
- **Additive, not another bill.** It sits on top of the IoMT visibility platform, SIEM and UDAP/TEFCA trust you already own — as a feed. No per-analyst-seat licence, no data-egress fee, no new appliance to rack, no new console to staff.

---

## Three tiers · one primitive

### Start keyless and free. Prove it on a service line. Roll it across the HDO — flat the whole way.

POC → pilot → enterprise, exactly the path a device-security or interoperability program buys on. Every tier speaks the same *address-is-identity* primitive; you're only widening how much of the estate it covers, never re-platforming and never adding an appliance.

### POC — Free to start · $0

Keyless checks need no account, no card. A free sign-up adds a handful of identities to prove the bind — still $0. The keyless half of the platform — trustless, anchored at the IANA root, our API never in the path — needs no account:

- ✓ `whisper verify --trustless` any device or FHIR endpoint identity
- ✓ Resolve and reverse-resolve a /128, read its RDAP, read the public transparency log
- ✓ Back-trace a suspicious `/128` to the device behind it — reverse-DNS + RDAP, no key

Then a free key (still $0) adds:

- ✓ Bind a handful of devices / FHIR endpoints to the identifier they already carry (`Endpoint.identifier` or serial) and `dig -x` them

### Pilot — Flat engagement · Fixed scope

A device fleet or a service line, time-boxed, one flat price. Everything in POC, keyed to a defined device / endpoint count so a program owner can prove value before the board:

- ✓ Provision device & FHIR-endpoint identities from the key they already carry (`Endpoint.identifier`, device serial or UDI as `device_id`)
- ✓ Full control plane — attribution graph + egress governance (`policy · firewall · budget · lookups · revoke`), unmetered
- ✓ Machine-readable feed into your SIEM: Splunk & Microsoft Sentinel today (STIX 2.1 / TAXII on the roadmap)
- ✓ FDA §524B / HIPAA §164.312 / EU MDR evidence, each mint & revoke in the transparency log

### Enterprise — Flat per-device / year · Fleet quote

One rate, quoted to your HDO or product line. It doesn't move. The whole program, all three planes, across every device and endpoint — the way a CISO buys defence-in-depth:

- ✓ Identity, attribution graph and egress governance, organisation-wide
- ✓ Unlimited attribution — no per-query meter, ever
- ✓ Non-repudiable device attestation — sign a device's readings & telemetry to its /128 so a downstream system trusts they came from the real device
- ✓ On-prem or your own tenant — HIPAA / data-residency by construction
- ✓ Enterprise support & SLA, availability-safe fail-open — a Whisper outage never bricks a device

**Why a quote, not a sticker.** A fleet price is one number, but the right number depends on device and endpoint count, on-prem vs your own tenant, and the standards evidence you need — so we quote it flat and in writing, and it holds for the term. No usage true-ups, no surprise line at renewal.

---

## What each tier includes

### The same platform, at three widths. Nothing behind the paywall is the security itself.

The keyless verification a patient's app, a QHIN, a regulator or a researcher needs to check a device or endpoint identity is free at every tier — on principle. The keyed tiers widen coverage and feed your stack; they never gate the ability to *verify*. Roadmap items are labelled honestly, never sold as shipped.

| Capability | POC | Pilot | Enterprise |
|---|---|---|---|
| Trustless verify / resolve / RDAP (`whisper verify --trustless`) | ✓ | ✓ | ✓ |
| Trace a /128 to the device or endpoint behind it (reverse-DNS + RDAP) | ✓ | ✓ | ✓ |
| Public Merkle transparency log — every mint & revoke (`/checkpoint`, `/ledger`) | ✓ | ✓ | ✓ |
| Device & FHIR-endpoint identity (register /128, DANE-EE, `revoke`) | a handful | fleet slice | org-wide |
| Full attribution graph (`identify`, `origins`, `walk`, `history`, Cypher) | — | fleet slice | unlimited |
| Egress governance (`policy`, `firewall`, `budget`, `op:logs`) | — | fleet slice | org-wide |
| Non-repudiable device attestation — sign a device's readings/telemetry to its /128 | — | fleet slice | org-wide |
| Lookups — who resolved / RDAP-queried your identity (recon tripwire) | — | ✓ | ✓ |
| §524B / HIPAA §164.312 / EU MDR evidence — each mint & revoke in the transparency log | — | ✓ | ✓ |
| SIEM feed — **Splunk connector today** · CEF / ECS | — | ✓ | ✓ |
| STIX 2.1 / TAXII · H-ISAC JSON export | roadmap | roadmap | roadmap |
| First-class typed `--udi` arg (pass the UDI / `Endpoint.identifier` as `device_id` today) | roadmap | roadmap | roadmap |
| On-prem / own tenant (HIPAA, data residency) | — | — | ✓ |
| Enterprise support & SLA · availability-safe fail-open | — | pilot support | ✓ |
| Metered by usage (per transaction / query / seat) | never | never | never |

**On the roadmap, stated plainly.** The **Splunk** and Microsoft Sentinel connectors ship now (signed JSON → CEF/ECS). STIX 2.1 over TAXII, a machine-readable H-ISAC export, and a first-class typed `--udi` argument are *proposed and on the roadmap* — until they land you pass your UDI or `Endpoint.identifier` as `device_id`, which is shipped and live. The transparency log is **tamper-evident, Ed25519-signed and Bitcoin-anchored via OpenTimestamps today** — it speaks the `tlog-witness` protocol, but is *not yet independently witnessed*; that's the next step, and we say so.

---

## Where the flat number pays for itself

### The ROI isn't a promise — it's the costs the flat line takes off your books.

A predictable figure is only half the case. The other half is what it removes: analyst hours, incident blast radius, audit effort, re-platform risk, and the renewal surprise.

- **Analyst hours you stop burning.** Correlating a rotating, meaningless *last IP* across HIE partners, cloud and residential proxies is manual, and it never converges — and 41% of 2024 healthcare breaches started with a third party you don't monitor. The graph collapses the rotation to one operator with a replayable evidence chain, and `op:lookups` shows you who is enumerating your endpoints *before* the exfil — the hours go back to your SOC, and the meter never punishes them for looking harder.
- **Breach, ransomware and patient-safety exposure.** Catching fleet-scale enumeration before it becomes mass compromise is the difference between a revoke and a headline. An attack is now a measurable safety event — peer-reviewed research finds in-hospital mortality rises **35–41%** for patients already admitted when ransomware hits; the average US healthcare breach runs **$7.42M** and ~133M records were exposed in a single recent year. A flat line item hedges a variable-cost catastrophe.
- **One revoke, not a fleet re-image or recall.** A compromised device or endpoint is `revoke`d worldwide at DNS-TTL speed — no truck-roll, no re-imaging a 15-year-old machine you can't put an agent on, no CRL you hope every device fetched. The blast radius is one leaf key, never a shared root — the single-CA failure mode is structurally removed.
- **§524B & HIPAA evidence you don't reassemble.** Findings arrive already mapped to a built-in authentication + unauthorised-access control (FDA §524B(b)(2); EU MDR 17.4; IEC 62443 FR1) and to HIPAA §164.312(a)/(b)/(d) — with the transparency log as the postmarket-containment trail (§524B(b)(1)/CVD). When OCR asks *"what talked to ePHI, prove it,"* the answer is a signed replayable chain, not a forensics project. *Honest:* it is not your SBOM (§524B(b)(3)) — that stays yours.
- **A vendor that will still be here.** Security point-tools get acquired and sunset. Whisper is real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers — identities are DNSSEC/DANE objects you can verify without us. Longevity is the cheapest line in any TCO.
- **No shadow costs at renewal.** No per-transaction true-up, no per-seat creep as your SOC or HTM team grows, no data-egress fee, no appliance refresh. What you forecast in year one is what you sign in year three — the number a CFO can actually plan around.

---

## For the person who breaks things

### A pricing model can be an attack surface. Ours isn't.

If security is metered, an adversary can run up your bill, and a defender rations their own hunt. We priced those failure modes out.

**"If attribution is metered, do my analysts have to ration lookups in the middle of an incident?"**
Never. The graph is unmetered on the keyed tiers — `identify`, `walk`, `history` and Cypher run as hard as the hunt demands, across HIE partners and rotating egress. There is no per-query line for an attacker to inflate and none for a defender to fear.

**"Does my bill spike when I'm under attack, or just when my device fleet grows?"**
Neither. The price is per device or endpoint, set once, for the term. A traffic flood, an enumeration campaign against your FHIR endpoints, or connecting a new service line moves your risk — it doesn't move the invoice. The meter that would have peaked during the incident simply doesn't exist.

**"Is the free tier a real capability or a trap that expires into a sales call?"**
Real, and permanent. Keyless `verify` is anchored at the IANA root — **our own API is not in the trust path**, so we couldn't gate it if we wanted to. Verifying a device or endpoint identity is a public check; charging for the truth would defeat the point.

---

## The questions procurement always asks

**BILLING — What exactly is metered?**
Nothing by usage. You pay a flat rate per device or FHIR endpoint, per year. No per-API-transaction charge, no per-query graph fee, no per-analyst seat, no data-egress bill, no appliance. The only variable is how many devices and endpoints the program covers.

**ENTRY — Can I try it without procurement?**
Yes. The keyless checks need no account at all — run `whisper verify --trustless` today, and resolve, reverse-resolve and read RDAP and the public transparency log for any /128. A free sign-up (still $0) then adds a handful of identities, so you can bind a few devices or FHIR endpoints to the identifier they already carry and `dig -x` them on your bench. When you're ready for a service line, a Pilot is a fixed, time-boxed engagement.

**GROWTH — What happens when my fleet grows?**
The per-device rate holds; the total scales linearly and predictably with device and endpoint count, quoted in writing for the term. No usage true-up, no renewal surprise, no penalty for a busy or attacked fleet.

**STACK — Is this on top of my IoMT and SIEM cost?**
It's a feed *into* the IoMT visibility platform, SIEM and UDAP/TEFCA trust you already run — the Splunk and Microsoft Sentinel connectors ship today — not a replacement, not a second appliance, not a console to staff. It makes the tools you already pay for sharper.

**RESIDENCY — On-prem or hosted?**
Either. The Enterprise tier runs on-prem or in your own tenant, so the graph and per-device logs stay where your regulator needs them — HIPAA and data residency by construction, at no metered premium. And it's availability-safe: a Whisper outage degrades to your existing anchors, never bricking a device.

**EXIT — What if I stop?**
Identities are DNSSEC/DANE objects you can verify independently, every mint and revoke is in a public transparency log, and evidence exports are open formats (CEF, ECS; STIX and a per-sector JSON export on the roadmap). There's no proprietary lock on your own attestations or your compliance record.

---

## How it sits next to what you already buy

### Flat depth on top of the stack you already run — it doesn't replace a line, it de-risks the whole one.

You already pay for an IoMT visibility platform, a SIEM, and UDAP/TEFCA endpoint trust — and, on the OEM side, maybe a device-PKI product — and you should keep them all; Whisper is additive to every one. Where a per-transaction cloud makes the bill unforecastable and a rigid multi-module bundle makes you buy packages you don't need, a flat per-device line adds the two layers no one else owns — **publicly verifiable DNS/DANE device & endpoint identity** and **attribution across rotating, cross-organization egress** — anchored strictly at the IP/DNS/transport boundary, without a meter and without a new silo. It complements the device's own certificate and your community trust anchor; it never sits inside your clinical protocols or replaces them.

| Pricing model | Forecastable? | Meter spikes under attack? |
|---|---|---|
| Per-API-transaction / usage-metered cloud | hard | yes |
| Rigid multi-module bundle (six-figure floor) | partly | n/a — over-scoped |
| Whisper — flat per device / endpoint / year | yes | no |

It makes the Claroty, Armis or Forescout deployment and the Splunk SIEM you already carry sharper, as a machine-readable feed — not a thing they compete with. [See the full comparison →](/compare)

---

## One flat number. Every device and endpoint, covered.

Keyless verify is free forever — start there, no account. When you're ready, a fleet quote is one flat per-device / per-endpoint / year figure you can forecast and defend. No meter, no surprise at renewal.

[Secure your devices →](https://console.whisper.security/sign-up) · [For HDOs →](/for-hdos)

Or run `whisper verify --trustless` right now — it costs nothing.

---

*Identity on the wire for connected medical devices & FHIR endpoints. AS219419 · 2a04:2a01::/32. © 2026 viaGraph B.V. (dba Whisper Security)*
