Pricing

Free, or pay per term. No auto-renewal.

Free forever for the core scan. Pro adds compliance, portfolio, extended languages, and the deep detector packs at $19 a month or $149 a year. Custom Salesforce packages (AppExchange Security Review prep and consultancy multi-org audits) are available via [email protected]; see the strip below the cards. Every paid option is a one-time payment; we never auto-bill you. The 14-day trial unlocks Pro and then drops to Free on day 15, no card.

Free

Always free. No card. No expiry.

$0 forever

no card · no expiry

  • Scans Python, JavaScript, TypeScript, and Go
  • Finds the OWASP API top 10: broken auth, injection, SSRF, leaky data, broken access control
  • Catches vulnerable dependencies and leaked secrets, including in your git history
  • Fast incident response when a known compromise hits the news
  • Audits your MCP server configs and your editor / browser extensions
  • SARIF output for GitHub Code Scanning, plus JSON for CI scripts
  • Vulnerability database updates on the same schedule as Pro, no delay
  • Unlimited projects in the CLI, one project at a time in the desktop console

Pro Monthly

One payment. 30 days. No renewal.

$19 one-time

manual renewal · no auto-billing

  • Everything in Free, plus:
  • Audit-ready compliance reports for SOC 2, HIPAA, PCI, and ISO 27001
  • Scan many projects at once with a portfolio view
  • Adds Ruby, Java, Kotlin, C#, PHP, and full Salesforce coverage
  • Deeper detection: AI safety checks and live API probing
  • Complete Salesforce coverage: B2C Commerce, Marketing Cloud, Health Cloud, Financial Services Cloud, CRM Analytics, Functions, Heroku Connect
  • Drop-in replacements for PMD, ESLint, and RetireJS, with a curated security-only ruleset
  • AppExchange Security Review readiness report, ready to hand to your reviewer
  • Audit-grade report formats: SBOM, cryptographic BOM, executive PDF and HTML, GDPR Article 30 records
  • Email support, direct from the Vulkro team

Pro Annual (Best value)

One payment. 365 days. No renewal.

$149 one-time

manual renewal · no auto-billing

Save $79 vs monthly

  • Everything in Free, plus:
  • Audit-ready compliance reports for SOC 2, HIPAA, PCI, and ISO 27001
  • Scan many projects at once with a portfolio view
  • Adds Ruby, Java, Kotlin, C#, PHP, and full Salesforce coverage
  • Deeper detection: AI safety checks and live API probing
  • Complete Salesforce coverage: B2C Commerce, Marketing Cloud, Health Cloud, Financial Services Cloud, CRM Analytics, Functions, Heroku Connect
  • Drop-in replacements for PMD, ESLint, and RetireJS, with a curated security-only ruleset
  • AppExchange Security Review readiness report, ready to hand to your reviewer
  • Audit-grade report formats: SBOM, cryptographic BOM, executive PDF and HTML, GDPR Article 30 records
  • Email support, direct from the Vulkro team

Custom Salesforce packages

Salesforce ISVs preparing AppExchange Security Review submissions, and consultancies auditing 5 to 50 client orgs. Custom terms, manually issued.

  • AppExchange Submission Ready Pack (90 days)
  • Consultancy Pack (10 floating activations, 1 year)
  • Engagement-bundle multi-org report
  • Per-inquiry pricing, no auto-renewal

Enterprise

Teams of 5 or more, off-menu requirements, air-gapped deployments. Custom terms; a license you control.

  • Multiple machines, your whole team
  • Air-gapped license server
  • Private rule packs (on roadmap)
  • On-prem CVE bundle mirror (on roadmap)
  • Direct line to the Vulkro team

Pricing questions, answered

What's actually in the 14-day trial?
Full Pro. Every detector, every output format, every language. No trial-only watermark, no truncated reports, no "preview" warnings on findings. The CLI tells you on day 12 that the trial is ending. On day 15 it drops to the Free tier and keeps scanning; Pro features prompt for purchase but nothing hard-blocks.
What happens when my Pro license expires?
Vulkro keeps working at the Free tier. Pro-only features prompt you to renew, but everything in Free (the core security scan, vulnerable-dependency check, secrets, broken-auth, injection, fast incident response, the MCP server and editor extension audits, CI integration) continues without interruption. The vulnerability database updates on the same schedule as Pro: we never punish you for not paying with a stale advisory feed. No auto-renewal, no surprise charges. Buy a fresh one-time Pro license whenever you are ready.
What does “one machine, single developer” mean?
Every Vulkro license is bound to one machine ID generated from your hardware. Run vulkro machine-id to see yours. Need it on more than one machine, including CI? Email [email protected].
Does Vulkro ever upload my source code?
Never. Vulkro runs entirely on your own machine. No cloud upload, no telemetry, no AI service in the loop. See the privacy policy for the full statement, or read the manifesto for the reasoning.
Is Vulkro open source?
No. The detection code is closed source; that is the product. What we do publish is the benchmark itself: the test code, the labelled examples, and the scoring rules. You can run the benchmark on your laptop in five minutes and compare our catch rate and false-positive rate against the alternatives on the same examples. We compete on reproducible results, not on source openness.
What's the line between Free and Pro?
Free covers what a single developer on one project needs to ship safely: the OWASP API top 10, vulnerable-dependency check, secret detection, auth bugs, injection, fast incident response, the MCP server and editor extension audits, and CI-friendly output for GitHub Code Scanning. Free supports Python, JavaScript, TypeScript, and Go. Pro adds what teams and regulated industries pay for: audit-ready compliance reports (SOC 2, HIPAA, PCI, ISO 27001), a portfolio view across many projects, more languages (Ruby, Java, Kotlin, C#, PHP, and the full Salesforce stack), the deeper detection packs, audit-grade report formats (SBOM, executive PDF and HTML), and live API probing. Both tiers get the same vulnerability database updates on the same schedule.
Do you offer refunds?
No. Once a license file is issued it cannot be revoked, so refunds are not offered as a matter of policy. If you're unhappy, reach out and we'll do what we can. See the refund policy for the full text.

Install free. Decide later.

14 days of full Pro on your laptop, then it drops to Free and keeps running. No card, no account. If you upgrade later your trial reports are still yours.