Linux Identity

Pricing

Per-host. No per-seat tax.

You pay for the hosts you protect, not the engineers who access them. Open Source is free up to 5 hosts and self-hosted. Team is $25/host/mo for up to 50 hosts. Enterprise (50+ hosts, SAML, SCIM, on-prem) is contact sales.

Built for

SOC 2 Type II

Evidence export maps to CC6.x

FedRAMP path

Controls mapping on Enterprise

HIPAA-adjacent

Audit retention up to 7 years

Series A–C startups

Production Linux fleets, 10–500 hosts

Open Source

$0 forever

Self-hosted. Up to 5 hosts. Full SSH CA + audit log, no control plane dependency. Or sign up for the hosted Personal tier (also free, up to 5 hosts) at /signup.

Best for: Homelabs, side projects, fleets of 5 or fewer Linux hosts.

Includes

  • Up to 5 hosts
  • SSH CA (self-hosted)
  • Full audit log with hash chain
  • Sudo capture
  • SSO via your own OIDC IdP
  • Community Slack support

Not included

  • Hosted control plane
  • SSO enforcement policies
  • Email support
  • SAML / SCIM

Most teams start here

Team

$25/host/mo, billed annually

$30/host/mo monthly

Volume discounts apply — see below

Hosted control plane, SSO enforcement, full audit log, email support. No per-seat charge.

Best for: Series A–C startups running 6–50 production Linux hosts who need SOC 2 evidence without a per-seat surcharge.

Includes

  • Up to 50 hosts (talk to us above 50)
  • Hosted control plane with KMS-backed CA
  • SSO enforcement — Okta, Google, Entra
  • Full audit log with hash chain
  • Sudo capture + policy enforcement
  • Email support (next business day)
  • SOC 2 evidence export
  • Cert TTL default 4h, configurable 1 min – 24h via admin portal

Not included

  • SAML / SCIM
  • Custom RBAC
  • On-prem control plane
  • Named SOC 2 contact
  • 24h SLA

Enterprise

Contact sales

SAML, SCIM, custom RBAC, on-prem control plane option, named SOC 2 contact, 24-hour SLA in writing. Required above 50 hosts.

Best for: 50+ hosts, regulated industries (FedRAMP path, HIPAA-adjacent, PCI-DSS), or any team that needs an on-prem control plane.

Includes

  • Everything in Team
  • Above 50 hosts — negotiated per-host floor
  • SAML 2.0 + SCIM provisioning
  • Custom RBAC (role-per-host-group)
  • On-prem control plane option
  • Premium support — named SOC 2 contact
  • 24-hour SLA (written in contract)
  • Custom audit retention (e.g., 7 years for PCI)
  • Private Slack channel

Per-host math, worked out

Three real fleet sizes. No surprises, no “contact us for a quote” on the published tier.

25 hosts

$625/month

25 × $25 = $625/mo. List rate, no discount yet.

100 hosts (Enterprise)

$2,025/month

25×$25 + 25×$22 + 50×$18 = $2,025/mo, blended $20.25/host. (At list, 100×$25 = $2,500/mo.)

500 hosts (Enterprise)

$9,175/month

25×$25 + 25×$22 + 450×$18 = $9,175/mo, blended $18.35/host.

Feature comparison

Every row. No hidden “ask sales” gates — if a feature exists on a tier, it’s a check mark here.

Feature | Open Source | Team | Enterprise
Core SSH governance
Short-lived SSH certificates (OIDC-tied)
Host agent + sudo capture
Append-only audit log (hash chain)
Configurable cert TTL (1 min – 24h) | Config file | Admin portal | Admin portal
Host limit | 5 | 50 | Unlimited
Identity & access
OIDC SSO (Okta / Google / Entra)
SSO enforcement policies
SAML 2.0
SCIM provisioning
Custom RBAC (role-per-host-group)
Control plane & deployment
Hosted control plane (KMS-backed CA)
Self-hosted control plane
On-prem / single-tenant deployment
Terraform module
Compliance & audit
SOC 2 evidence export
Audit retention | Bring your own storage | 1 year hosted | Custom (up to 7 years)
Named SOC 2 contact
FedRAMP / HIPAA / PCI controls mapping
Support & SLA
Community Slack
Email support (next business day)
Private Slack channel
24-hour SLA (in writing)

Volume discounts

Applied per-tier, not per-host. Your blended rate falls as your fleet grows. The admin portal shows your effective rate live. Brackets past 50 hosts require Enterprise.

Fleet size | Per-host rate | Effective
First 25 hosts | $25 / host / mo | List rate
26 – 50 hosts | $22 / host / mo | 12% off list
51 – 500 hosts | $18 / host / mo (Enterprise) | 28% off list
501 – 2,000 hosts | $14 / host / mo (Enterprise) | 44% off list
2,001+ hosts | Negotiated floor | Custom, in writing

Frequently asked questions

Honest answers. No “contact sales for pricing” on questions we can answer in two sentences.

What counts as a host?
Any Linux machine your agent enrolls. A bare-metal server is 1 host. An EC2 instance is 1 host. A long-running VM in your own data center is 1 host. A container is 0 — we bill at the host level only and do not charge per container. Short-lived CI runners that come and go inside a 24-hour window count as 1 host for the day they ran. The admin portal shows your live host count and how it’s computed.
Why per-host instead of per-user?
Because your blast radius is per-host. If one host is compromised, the audit log for that host is what your auditor wants. Per-user pricing penalises you for having small teams with many hosts, which is exactly the Series-A/B pattern. A 6-engineer team running 80 staging hosts shouldn’t pay 80x the price of a 6-engineer team running 10 hosts.
Do you offer a free trial?
Yes, two ways. (1) Open Source is free forever up to 5 hosts and gives you the full SSH CA + audit flow — that’s a permanent trial of the core product. (2) For Team, we run a 30-day pilot at no charge on up to 25 hosts so you can validate SSO enforcement and SOC 2 evidence export against your actual fleet. Email mail@linuxidentity.com to start a pilot.
What’s the difference between Team and Enterprise?
Team is for fleets up to 50 hosts that need a hosted control plane, SSO enforcement, and SOC 2 evidence export. Enterprise is required above 50 hosts and adds SAML 2.0, SCIM provisioning, custom RBAC, an on-prem control plane option, a named SOC 2 contact, and a 24-hour SLA written into the contract. If you only need OIDC SSO and your fleet is under 50, Team is the right choice and saves you the procurement cycle.
Do you do annual contracts? What about monthly?
Both. Annual is $25/host/mo (the headline price). Month-to-month is $30/host/mo — a 20% premium that covers the higher churn risk. Enterprise contracts are annual minimum, multi-year preferred, with the per-host floor locked in for the term.
How do volume discounts apply?
Automatically and per-tier, not per-host. If you run 200 hosts (Enterprise territory), your first 25 are billed at $25, the next 25 at $22, the next 150 at $18 — a blended rate of about $19.31/host/mo. The admin portal shows your effective rate and projected next-tier savings.
Can I self-host the control plane?
Yes, two ways. (1) On Open Source you self-host the entire stack — that’s the deal: you bring Postgres and an object store, we ship the binary. (2) On Enterprise you can run the hosted control plane in your own cloud account via a Terraform module that deploys managed Postgres, the control plane binary, a KMS-equivalent key for the SSH CA, and edge delivery. Team does not include self-hosting — if that’s a hard requirement, talk to us about Enterprise.
How do you handle compliance audits (SOC 2, FedRAMP, HIPAA)?
Team includes a SOC 2 evidence export that maps audit-log rows to the CC6.x access-control criteria your auditor asks for. Enterprise adds a named SOC 2 contact who joins your auditor calls, custom controls mapping for FedRAMP Moderate, HIPAA-adjacent, and PCI-DSS, plus custom audit retention up to 7 years. We’re happy to walk through specific controls before you sign — that’s the point of having a named contact.
How does Linux Identity compare to Teleport on price?
Different pricing models. Teleport does not publish a price sheet below enterprise deals — you have to talk to sales to get a number. Our Team tier is $25/host/mo published on this page; volume discounts kick in past 25 hosts. For a 6-engineer team running 50 hosts, Team is $1,250/mo all-in. If you want a written side-by-side for your exact fleet shape, see /vs/teleport.
What’s in the open-source tier exactly?
Everything the hosted tier has for the core SSH CA flow: short-lived cert issuance tied to your OIDC IdP, the host agent (sudo capture, audit upload), the append-only audit log with hash chain. What’s not included: the hosted control plane (you run it), hosted audit storage (you bring your own Postgres + object store), and email support. The open-source code is at github.com/aws-proj/Linux-Identity.
Can I migrate from Teleport, StrongDM, or HashiCorp Vault SSH?
Yes. If you have an existing OpenSSH CA, we can read your CA private key into our managed KMS and rotate without re-trusting every host. The CLI ships a “linuxid migrate” subcommand later this year. Until then, migration is a manual process we walk you through on a call — we’ve done it from each of the three. Email mail@linuxidentity.com with your current setup.
How does pricing scale to 10,000 hosts?
Through Enterprise. Above 2,000 hosts we no longer publish volume brackets and instead negotiate a per-host floor in writing. Email us and we’ll send a sheet with break-even math before you have to talk to anyone.

Still unsure which tier fits?

Email mail@linuxidentity.com with your host count and current SSH setup. We reply within 24 hours with a specific recommendation — not a sales deck. Above 50 hosts or asking about SAML/SCIM? Use the contact sales button.