NHI Security Platform Pricing
Secure your non-human identities. Detection is free forever — pay only for AI-generated fix PRs.
Free
$0 forever
Detect OIDC misconfigurations across 1 AWS account. Free CLI & GitHub Action.
- Initial scan on connect
- Unlimited CLI scanning
- Free GitHub Action
- All finding types
- Community support
Most popular
Pro
$499/month
AI-powered fixes validated by Policy Intelligence Engine™. Up to 5 AWS accounts.
- Everything in Free
- 5 AWS accounts
- 10 GitHub repo connects
- Unlimited on-demand scanning
- 50 AI fix credits/month
- Policy Intelligence Engine™ (5 of 6 layers)
- TrustFix Confidence Score™ (up to 80/100 · 5 validation layers)
- Priority email support
Best for Compliance
Team
$799/month
Full validation with cross-model review, SOC2 exports, built for security teams.
- Everything in Pro
- 15 AWS accounts
- 25 GitHub repo connects
- 200 AI fix credits/month
- Policy Intelligence Engine™ (all 6 layers)
- TrustFix Confidence Score™ (up to 100/100 · all 6 validation layers)
- Cross-model adversarial review
- SOC2 CC6 evidence export
- Team member management
- Priority Slack support
For Scale
Enterprise
Custom
Custom limits, SSO, SLA, and dedicated support for organizations at scale.
- Everything in Team
- Custom AWS accounts
- Custom GitHub repo connects
- Custom AI fix credits
- Policy Intelligence Engine™ (all 6 layers)
- TrustFix Confidence Score™ (up to 100/100 · all 6 validation layers)
- SSO / SAML integration
- SLA with uptime commitment
- Custom integrations available
- Dedicated support
- Annual contract with volume pricing
Starting with GitHub Actions + AWS. Multi-cloud support (GitLab CI, Azure AD, GCP Workload Identity) coming Q3-Q4 2026.

| Feature | Free | Pro | Team | Enterprise |
|---|---|---|---|---|
| Limits | | | | |
| AWS accounts | 1 | 5 | 15 | Custom |
| GitHub repo connects | — | 10 | 25 | Custom |
| AI fix credits/month | — | 50 | 200 | Custom |
| Detection | | | | |
| Platform scanning | Initial scan | On-demand | On-demand | On-demand |
| CLI & GitHub Action | ✓ | ✓ | ✓ | ✓ |
| Finding types | All | All | All | All |
| Remediation | | | | |
| TrustFix Confidence Score™ | ✗ | Up to 80/100 | Up to 100/100 | Up to 100/100 |
| Validation layers | ✗ | 5 of 6 | All 6 | All 6 |
| Adversarial review | ✗ | ✗ | ✓ | ✓ |
| Compliance | | | | |
| SOC2 CC6 export | ✗ | ✗ | ✓ | ✓ |
| Team management | ✗ | ✗ | ✓ | ✓ |
| SSO / SAML | ✗ | ✗ | ✗ | ✓ |
| SLA | ✗ | ✗ | ✗ | ✓ |
| Support | | | | |
| Support | Community | Email | Slack | Dedicated |

Frequently asked questions
- What counts as an "AI fix credit"?
- Each time TrustFix calls Claude to generate a Terraform fix for a finding, that uses one credit. Credits are shared between Preview Fix and Generate Fix PR. If you preview a fix and then create a PR from the same result, only 1 credit is consumed (the cached result is reused). Detection scans and dashboard views are always free.
- Do credits roll over?
- No — credits reset on the 1st of each month. Unused credits do not carry over.
- Can I use TrustFix with multiple AWS accounts?
- Yes. Free includes 1 account, Pro includes 5, Team includes 15, and Enterprise offers custom limits. All paid plans include multi-account aggregation.
- What scanning is included on the Free tier?
- Free tier includes an initial scan when you connect your AWS account, plus unlimited CLI scanning via `npx oidc-audit scan` and the free GitHub Action. On-demand rescanning from the dashboard requires Pro or Team.
- Is there a contract or can I cancel anytime?
- Month-to-month, cancel anytime. Annual contracts with data portability clauses are available on request.
- Does TrustFix ever write to my AWS account?
- No. TrustFix only reads from AWS (read-only cross-account role). All fixes are proposed as GitHub PRs. You merge them — TrustFix never touches production.
Start scanning in 2 minutes
Free GitHub Action. No credit card. No AWS write access ever.
Learn more about NHI security on our blog.
