# Pricing — Whisper for Telecom · flat, predictable, per-NF

> Security you pay *more* for the moment you're attacked is priced backwards.
> Whisper is flat, per-NF, per year — not per transaction, per message, or per seat.
> Keyless verify is free forever, attribution is never metered. A line item you can forecast.

Usage-metered tooling bills per API transaction, per signaling message, per analyst seat — so
the invoice climbs as your core grows and spikes exactly during the incident, when you can
least afford to ration a hunt across roaming and IPX. Against the economics of a fraud problem
that ran to **$38.95B in 2023** (CFCA), a meter is a number you cannot forecast. **We price the
other way.**

`whisper verify --trustless` costs nothing and needs no account — our own API is not in the trust path.

- **$0** — Keyless verify, resolve and back-trace any NF, free forever, no account
- **1×** — One flat per-NF/year figure — not per-transaction, per-message or per-seat
- **$38.95B** — telecom fraud in 2023 (CFCA) — the economics a meter refuses to make predictable
- **0** — usage meters on attribution; never ration a hunt mid-incident across roaming / IPX
- **1** — cross-operator revoke replaces a slow, bilateral de-peering
- **≤€10M / 2%** — the NIS2 fine exposure for an essential entity — a flat line hedges the variable-cost catastrophe

---

## The pricing principle

**A meter that climbs with your core — and spikes when you're attacked — isn't a price.
It's a risk.** Two curves. One rises with every NF you add, every SBI transaction, every query
your analysts run chasing an operator across rotating IPX egress — and peaks precisely during
the incident. The other is a flat line you set once and forecast for years.

```
annual cost
  ▲
  │                                             ╱ usage-metered
  │                                        ╱╱      (per transaction · message · seat)
  │                                  ╱╱          ◀── under attack: billed most when it hurts most
  │                          ╱╱╱
  │                ╱╱╱╱
  │        ╱╱╱╱
  ├──────────────────────────────────────────── Whisper · flat per-NF / year
  │        (set once · forecast for years · attribution never metered)
  └──────────────────────────────────────────────▶ NF count · signaling volume · incident load
       the gap between the lines is the overage a flat price never charges
```

- **Per-NF, not per-transaction** — priced to the thing you govern, the network function, so a busy SBI or a noisy signaling incident never moves the invoice.
- **Attribution & lookups, never metered** — run `identify`, `walk`, `history` and Cypher — and `op:lookups` to see who's enumerating your NRF — as hard as an incident demands; no per-query tax means your SOC never rations a hunt.
- **Additive, not another bill** — it sits on top of the signaling firewall, SEPP, SIEM and operator PKI you already own as a feed; no per-seat licence, no data-egress fee, no new console to staff, no second CA to run.

---

## Three tiers · one primitive

Start keyless. Prove it on a slice or a peering. Roll it across the core — flat the whole way.
POC → pilot → enterprise, exactly the path a core-security program buys on. Every tier speaks
the same *address-is-identity* primitive; you only widen how many NFs it covers, never
re-platform and never stand up a second PKI.

### POC — free to start · **$0**

Keyless verify, open to all. A handful of NF identities to provision. The keyless lower half —
trustless, anchored at the IANA root, our API never in the path — plus enough provisioned NF
/128s to prove the control plane on your own bench:

- `whisper verify --trustless` any NF, NRF or SEPP identity
- Resolve and reverse-resolve a /128, read its RDAP; back-trace a suspicious peer, no key
- A handful of NF /128 identities — derive one from the NF's existing key + its `nfInstanceId`

### Pilot — flat engagement · fixed scope

One network slice, or one N32 roaming peering. Time-boxed, one flat price. Everything in POC,
keyed to a defined NF count so a core-security owner can prove value before the board:

- Provision NF /128 identities across the slice or the peering — DANE-pin the SBA cert they already present
- Full attribution graph — unmetered during the pilot
- Egress governance per NF: policy · `op:firewall` · `op:budget` · one-call `op:revoke`
- Splunk connector (signed JSON → CEF/ECS) · NIS2 Art.23 incident evidence · public transparency log

### Enterprise — flat per-NF / year · core quote

One rate, quoted to your NF count. It doesn't move. The whole core, all three planes, across
every NF — the way a CISO buys defence-in-depth:

- Identity, attribution graph and egress governance, core-wide
- Unlimited attribution — no per-query meter, ever, across roaming and IPX
- On-prem or your own tenant — NIS2 / data-residency by construction
- Enterprise support and SLA; verifiable peer identity at every N32 border

**Why a quote, not a sticker.** A core price is one number, but the right number depends on NF
count, on-prem vs your own tenant, and the standards evidence you need — so we quote it flat and
in writing, and it holds for the term. No usage true-ups, no surprise line at renewal.
Get a core quote → <https://console.whisper.security/sign-up>

---

## What each tier includes

The keyless verification a roaming partner, a regulator or a researcher needs to check an NF's
identity is free at every tier — on principle, because our API isn't in the trust path. The
keyed tiers widen coverage and feed your stack; they never gate the ability to *verify*.

| Capability | POC | Pilot | Enterprise |
|---|---|---|---|
| Trustless verify / resolve / RDAP (`whisper verify --trustless`) | ✓ | ✓ | ✓ |
| Trace a /128 to the NF behind it (reverse-DNS + RDAP) | ✓ | ✓ | ✓ |
| NF /128 identities (register /128, DANE-EE pin, `op:revoke`) | a handful | slice / peering | core-wide |
| Full attribution graph (`identify`, `origins`, `walk`, `history`, Cypher) | — | unmetered | unlimited |
| Egress governance (policy · `op:firewall` · `op:budget` · `op:lookups` · `op:revoke`) | — | slice / peering | core-wide |
| Transparency log — public mint + revoke ledger, Bitcoin-anchored † | read / verify | ✓ | ✓ |
| Splunk connector — signed JSON → CEF/ECS | — | ✓ | ✓ |
| NIS2 Art.23 incident evidence · GSMA FS.36 / EU 5G Toolbox mapping | — | ✓ | ✓ |
| On-prem / own tenant (NIS2 data-residency) | — | — | ✓ |
| Enterprise support & SLA · verifiable peer identity at N32 | — | pilot support | ✓ |
| Roadmap — STIX 2.1 / TAXII · first-class `--nf-id` arg | roadmap | roadmap | roadmap |
| Metered by usage (per transaction / message / seat) | never | never | never |

† The transparency log is append-only, Ed25519-signed and anchored to Bitcoin via
OpenTimestamps — *tamper-evident today; independent third-party witnessing is the next step* (it
already speaks the C2SP witness protocol, so any external witness can co-sign). Microsoft
Sentinel, STIX 2.1 over TAXII, and the first-class typed `--nf-id` argument are on the roadmap —
everything else in this table is shipped & live.

---

## Where the flat number pays for itself

The ROI isn't a promise — it's the costs the flat line takes off your books. A predictable
figure is only half the case; the other half is what it removes: analyst hours, de-peering
delay, incident-reporting effort, audit repetition, and re-platform risk.

- **Analyst hours you stop burning.** Correlating a rotating, meaningless *last IP* across IPX hubs, roaming partners and three clouds is manual and never converges. The graph collapses the rotation to one operator — infrastructure genealogy for the cloud hops, a `JA4` client fingerprint for a proxy swarm — with a replayable evidence chain, and the meter never punishes analysts for looking harder.
- **One revoke, not a bilateral de-peering.** A compromised NF or interconnect identity is `op:revoke`d worldwide at DNS-TTL speed — one signed record pulled, propagating at cache-TTL. No per-operator CRL you hope every partner fetched, no slow, commercial, bilateral de-peering. The blast radius is one `/128`, never a shared private root.
- **Faster NIS2 Art.23 reporting.** When the clock runs a **24-hour early warning**, a **72-hour notification** and a **one-month final report**, an attribution you can replay — the operator behind a rotating IPX egress, named with a reproducible evidence chain — is the difference between a warning you can file and a blank one. The final report writes itself from the transparency log.
- **Audit effort you don't repeat.** Findings arrive mapped to NIS2 Art.21/23, the EU 5G Toolbox and GSMA FS.36, and every mint and revoke is already in a public, Bitcoin-anchored ledger your regulator can replay. The compliance artefact is a byproduct of the tool. *Honest status: the log is tamper-evident today; independent witnessing is next.*
- **Re-platform risk you avoid.** Real routable address space (AS219419), run by people who ran the internet's regional address registry and operated one of its root DNS servers — anchored in the public DNSSEC root, not a private CA you'd one day have to migrate off. Longevity is the cheapest line in any TCO.
- **No shadow costs at renewal.** No per-message true-up, no per-seat creep as your SOC grows, no data-egress fee, no second PKI to operate. What you forecast in year one is what you sign in year three.

---

## A pricing model can be an attack surface. Ours isn't.

If security is metered, an adversary can run up your bill, and a defender rations their own
hunt. We priced those failure modes out.

> **"If attribution is metered, do my analysts have to ration lookups in the middle of an incident — across roaming and IPX?"**
> Never. The graph is unmetered on the keyed tiers — `identify`, `walk`, `history` and Cypher run
> as hard as the hunt demands, and so does `op:lookups` on who's enumerating your NRF. There is no
> per-query line for an attacker to inflate and none for a defender to fear.

> **"Does my bill spike when I'm under attack, or just when I add NFs, a slice, or a new roaming peering?"**
> Neither. The price is per-NF, set once, for the term. A signaling flood, an NRF-enumeration
> campaign, or lighting up a new N32 peering moves your risk — it doesn't move the invoice.

> **"Is the free tier a real capability or a trap that expires into a sales call?"**
> Real, and permanent. Keyless `verify` is anchored at the IANA root — *our own API is not in the
> trust path*, so we couldn't gate it if we wanted to. Verifying an NF's identity is a public check
> a roaming partner or regulator can run against the DNSSEC root; charging for the truth would
> defeat the point.

---

## The questions procurement always asks

- **What exactly is metered?** Nothing by usage. A flat rate per NF, per year — no per-transaction charge, no per-signaling-message fee, no per-query graph fee, no per-seat licence, no data-egress bill. The only variable is how many NFs the program covers.
- **Can I try it without procurement?** Yes — keyless verify is free and needs no account. A POC then hands you a handful of NF /128 identities to provision and prove the control plane on your bench.
- **What happens as I add NFs, slices or peerings?** The per-NF rate holds; the total scales linearly and predictably with NF count, quoted in writing for the term. No usage true-up, no renewal surprise.
- **Is this on top of my SIEM and firewall cost?** It's a feed *into* the signaling firewall, SEPP and SIEM you already run — the Splunk and Microsoft Sentinel connectors ship today — not a replacement and not a second console to staff. It never replaces mTLS or OAuth2.
- **On-prem or hosted?** Either. The Enterprise tier runs on-prem or in your own tenant, so the graph and per-NF logs stay where your regulator needs them — NIS2 and data residency by construction, at no metered premium.
- **What if I stop?** Identities are DNSSEC/DANE objects you can verify independently, every mint and revoke is in a public transparency log, and evidence exports are open formats (CEF, ECS; STIX and per-sector JSON on the roadmap). No proprietary lock on your own attestations or compliance record.

---

## How it sits next to what you already buy

**Flat depth on top of the stack you already run — it doesn't replace a line, it de-risks the
whole one.** You already pay for a signaling firewall, a SEPP at the N32 border, an operator PKI,
and a SIEM — and you should keep every one; Whisper is additive to all of them and **never
replaces the mandatory mTLS + OAuth2** that binds an NF at the handshake. Where a per-message
signaling cloud makes the bill unforecastable and a rigid carrier suite makes you buy modules you
don't need, a flat per-NF line adds the layers no one else owns — a publicly verifiable NF
identity (DNSSEC + DANE, no cross-certification), cross-operator attribution across rotating IPX
and cloud egress, and revocation at DNS-TTL — without a meter and without a new silo.

| Pricing model | Forecastable? | Meter spikes under attack? |
|---|---|---|
| Per-message / usage-metered signaling cloud | hard | yes |
| Rigid multi-module carrier suite (six-figure floor) | partly | n/a — over-scoped |
| Whisper — flat per-NF / year | yes | no |

It makes the signaling firewall, SEPP and SIEM investments you already carry sharper, as a
machine-readable feed — not a thing they compete with. It anchors at the IP / DNS / transport
boundary, complements your private PKI and never sits inside the signaling plane.
[See the full comparison →](/compare)

---

## One flat number. Every NF, accounted for.

Keyless verify is free forever — start there, no account. When you're ready, a core quote is one
flat per-NF/year figure you can forecast and defend against core-network economics. No meter, no
surprise at renewal.

Get a core quote → <https://console.whisper.security/sign-up> · [For operators →](/for-operators)

Or run `whisper verify --trustless` right now — it costs nothing.

---

*Whisper for Telecom · Identity on the wire for 5G network functions · AS219419 · 2a04:2a01::/32*
*© viaGraph B.V. (dba Whisper Security)*
