Pricing

Permafrost prices on identity-object count, not log volume. Every new customer starts with a 30-day free trial of full-coverage CIEM, then continues on the metered Professional Edition.

How pricing works

Permafrost prices on identity-object count, not log volume. Every new customer starts with a 30-day free trial of full-coverage CIEM, no card required.

After the trial, coverage continues on the metered Professional Edition: every identity object across all of a customer’s connected tenants, plus every workload surface, API access, and priority support. An administrator can also grant comped access without billing.

Professional Edition

Full coverage

Full coverage for serious least-privilege.

$3.50 per human identity / month
$0.50 per non-human identity / month

Billed monthly in arrears, exclusive of tax. The 10-Day Rule and group exclusion apply.

All identities
  • All surfaces, all data
  • Hourly sync
  • API access
  • Custom role export (ARM / Bicep / Terraform)
  • Full reports (PDF, CSV)
  • Priority email support
  • 30-day free trial included

No card required. After 30 days, subscribe to keep full coverage.

How the trial works

One edition, one path to full CIEM coverage for your Microsoft Cloud identities.

  1. Start a 30-day free trial

    Connect a tenant with read-only consent. Full coverage of every human and non-human identity, no card.

  2. Subscribe to keep coverage

    After 30 days, subscribe to keep full coverage. Metered monthly in arrears at the rates above — you only pay for identities you actually run.

  3. Or get it comped

    Need it without billing? An admin can grant your account comped access with no subscription required.

How are identities counted?

Billing counts human identities (members, guests, named admins) at $3.50 per month and non-human identities (service principals, managed identities, app registrations, agents) at $0.50 per month. Groups are never counted. Microsoft first-party service principals are excluded.

What is the 10-Day Rule?

An identity is billed for a month only if it was enabled on at least 10 calendar days that month. An identity disabled for 10 days or more in a month is not counted, so short-lived and decommissioned identities do not inflate the bill.

What does the trial include?

The 30-day trial unlocks full Professional coverage with no card, up to 500 human and 2,500 non-human identities. After 30 days, subscribe to keep full coverage.

How principals are counted

A principal is any identity object in a customer’s connected Azure tenants that holds a role assignment. The billing count rolls up to one number per customer, across the set of tenants the customer has connected.

What gets counted:

  • Users. Members and guests in the directory who hold any role assignment.
  • Service principals. Application service principals provisioned to the directory, counted only when they hold a role assignment.
  • Managed identities. System-assigned and user-assigned managed identities with role assignments.
  • Agent identities. AI agent and copilot identities with role assignments.

What does not get counted:

  • Groups. Groups are containers, not principals. A group never counts toward billing, regardless of how many role assignments or members it holds. Billing counts the human and non-human principals themselves.
  • Microsoft first-party service principals (the built-in directory tenants that ship with Azure).
  • Identity objects that exist in the directory but hold no role assignments anywhere in the connected tenants.
  • Per-tenant doubles are not merged. If the same external identity has assignments in two of a customer’s connected tenants, that is two principals, because the assignments are independent.

What Professional includes

Professional Edition models every identity object inside the customer’s connected tenants, plus the full surface set: Findings, Roles, PIM, custom-role export, API access, and all workload surfaces. The 30-day trial unlocks the same full coverage with no card; after it ends, subscribe to keep full coverage, or have an administrator grant comped access.

The full feature breakdown lives in the grid above. The live marketing page is at /pricing.

Why pricing on identity objects, not on logs

CIEM measures the gap between permissions granted and permissions used. The unit of work is the identity object, not the log row. Pricing on log volume rewards inflated ingestion and punishes customers who run quiet, well-instrumented tenants. Those are the customers most likely to get value out of a permission-posture tool in the first place. Permafrost prices on the unit it measures.