Pricing
Priced to your operating record.
Sifr is priced to the identity environment we govern with you — not by seat, not by connector. Every quote is sized to your actual deployment, with all evidence sealing included from day one.
Starter
First deployment
Quoted · single workspace
For teams discovering AI agents and non-human identities for the first time. Single workspace, the full connector library, and ownership workflows out of the box.
- Discovery across the connector library
- NHI & AI-agent registry
- Ownership & orphan workflows
- Signed evidence pack export
- Email support
- SoD / JIT controls (not included in Starter)
- SAML SSO (not included in Starter)
Growth
Operating at scale
Quoted · multi-workspace
For security teams running governance as a continuous workflow. Adds SoD/JIT request enforcement, SAML SSO, audit-grade reporting, and the full API + MCP surface.
- Everything in Starter
- SoD enforcement & JIT access
- Custom approval routing
- SAML SSO + SCIM provisioning
- Public REST API + MCP server
- Activity log retained & signed
- Single-tenant infrastructure (not included in Growth)
Enterprise
Regulated & dedicated
Contract · single-tenant
For regulated industries and the largest identity environments. Dedicated infrastructure, deployment-region choice, security review on request, contract pricing.
- Everything in Growth
- Single-tenant deployment
- Deployment-region selection
- Custom connector engagements
- Security architecture review
- Direct security team contact
What's in each tier
| Capability | Starter | Growth | Enterprise |
|---|---|---|---|
| Discovery & inventory | | | |
| Connector library | All | All + custom | Custom + private |
| Identity types (human · NHI · agent · OAuth · workload) | ✓ | ✓ | ✓ |
| AI-agent discovery & staging | ✓ | ✓ | ✓ |
| Governance | | | |
| Owner assignment & orphan workflows | ✓ | ✓ | ✓ |
| SoD enforcement | — | ✓ | ✓ |
| JIT access & request routing | — | ✓ | ✓ |
| Lifecycle & certification campaigns | — | ✓ | ✓ |
| Evidence & audit | | | |
| Signed evidence packs | ✓ | ✓ | ✓ |
| Audit log & activity stream | ✓ | ✓ | ✓ |
| Configurable retention | — | ✓ | ✓ |
| Platform | | | |
| REST API | — | ✓ | ✓ |
| MCP server access | — | ✓ | ✓ |
| SAML SSO + SCIM | — | ✓ | ✓ |
| Single-tenant infrastructure | — | — | ✓ |
| Security architecture review | — | — | ✓ |
Pricing questions.
Why no published prices?
Sifr's deployments range from a single security team auditing a few hundred identities to regulated environments governing tens of thousands. A single sticker price would be wrong for most of them. We quote based on your environment after a short scoping call.
How do you count an "identity"?
Any record produced by a connector that maps to a human, service account, OAuth app, non-human identity, or workload. Identities that exist in more than one source (e.g. a human in Okta and GitHub) count as one identity.
Are evidence packs really included at every tier?
Yes. Every tier produces signed evidence packs out of the box. Tier differences live in retention, the addition of SoD/JIT controls, and the platform surface (API + MCP), not in evidence access itself.
Do you charge for connectors?
No. The connector library is included at every tier. Custom connectors are available on Growth (in partnership with the Sifr team) and Enterprise (with a dedicated engagement).
Can I self-host?
Single-tenant deployments are available on Enterprise. Fully on-premise installation is not currently offered; deployment region selection is included on Enterprise for customers with data-residency requirements.