Every pricing question, answered.

Every new workspace gets a 14-day full Sentinel trial. After day 14, if you haven't subscribed, the workspace drops to Discovery mode: aggregate counts only (last 7 days, no per-user attribution, no exports), capped at 5 active users. Discovery runs indefinitely - there's no 60-day cliff - so you can keep visibility into your team's AI tool inventory while you decide. Your detection history, policies, and team setup are preserved. Upgrade at any time and everything restores.

AI governance is an organisation-level outcome (compliance, audit-readiness, MCP gateway, integrations), not a per-employee one. The platform fee covers the org-wide layer - including the Compliance Evidence Pack that was previously sold separately for $12K-$72K as Northbeams Evidence. The per-seat covers the people actually using AI tools. Same shape Vanta and Drata use for SOC 2 platforms.

We charge for each active user (the people who've installed the extension and signed in), not for every seat in your directory. Seat count trues up at each anniversary on annual contracts.

Lighthouse (the $15/user "visibility but no enforcement" tier) is retired as of 2026-05-22. Existing Lighthouse customers stay at current pricing through the end of their current term, plus one additional renewal at the old Lighthouse price as a courtesy. New customers go directly from Discovery (free) to Sentinel.

Standalone Northbeams Evidence (the $12K Starter / $36K Pro / $72K+ Enterprise compliance product) is now bundled into every paid Sentinel and Fleet plan. Existing Evidence customers honour their current annual term and migrate to Sentinel or Fleet at renewal with the compliance pack already included (typically at comparable or lower price than Evidence-only-plus-Sentinel separately). The Evidence Stripe Payment Link is closed to new signups as of 2026-05-22.

Each tier is named after what it does, in lighthouse vocabulary. Discovery finds the ship in the dark (visibility). A Sentinel stands watch and keeps records (governance + compliance). A Fleet operates many beams together (enterprise).

Annual billing saves 20%. Sentinel monthly: $1,000/mo platform + $19/user/mo. Sentinel annual prepay: $9,600/yr platform + $15/user/mo (annualised), billed up front. Pay for the year up front, prorated when your team grows past the seat count of record at the next anniversary. Cancel any time; the year you've paid for runs to its end.

Three rungs: 1 year prepay saves 20% (default annual), 2 years saves 25%, 3 years saves 30%. Discount applies to both platform fee and per-seat. Seat count trues up at each anniversary; usage overages billed in arrears. Refunds are pro-rata for unused full months minus a 5% admin fee. Multi-year deals are sales-led - get a quote.

Sentinel includes 50,000 MCP gateway calls per month; Fleet includes 500,000. For context, a 60-person engineering team with heavy Claude Code / Cursor usage typically lands around 10-30K calls/month, well under the limit. Overage is advertised at $0.005 per call but overage billing is introduced in a future release - no charge before then. The dashboard surfaces usage so you'll see it coming.

Sentinel self-serve checkout via Stripe is coming as part of the 2026 rollout, capped at 100 seats (around $27.6K projected ACV at the 100-seat ceiling). Above 100 seats, or for any add-ons, we book a quick call so we can configure things properly. Fleet is always sales-led.

Email hello@northbeams.com for Fleet pricing or any custom requirements. Multi-currency (GBP / EUR), wire transfer, purchase order, SSO/SAML, BAA, on-prem classifier, and custom volume pricing all available on request.

Fleet is the enterprise tier for companies under audit. It adds SAML SSO and SCIM provisioning (Okta, Entra), MDM force-install kits (Jamf, Intune, Kandji), SIEM streaming (Splunk HEC, Microsoft Sentinel), and GRC evidence automation (Vanta, Drata, OneTrust, Scytale). Identity, SIEM, and GRC are delivered as part of your engagement, configured to your existing stack. Custom DPA + DPIA support, BAA for HIPAA, US or EU data residency, 7-year audit log retention, a dedicated Customer Success Manager, named technical contact, and a 99.9% uptime SLA with a quarterly business review. From $80K annually ($42,000/yr platform + $16/user/mo, 200-seat minimum). Contact sales →

A local stdio proxy that sits in the path between your team's coding agents (Claude Desktop, Cursor, Claude Code) and the MCP servers they call. It uses the existing MCP spec, so it works with anything those clients already know how to talk to. The Gateway classifies every tool argument on-device and ships only categorical labels (credentials, PII, source code, legal terms, customer data) plus a sha256 hash to your dashboard. From there you set per-tool rules: allow read tools, warn on mutating ones, block destructive ones. Argument values stay on the laptop. Sentinel and Fleet only.

Ten well-known servers ship with recommended per-tool policies on day one: filesystem, GitHub, Slack, Postgres, Puppeteer, Google Drive, Stripe, Brave Search, Memory, and Sequential Thinking. Anything else your team has configured shows up in the dashboard by binary name and your admins set the policy. The catalogue refreshes quarterly along with the rest of the tool catalogue.

The Gateway is bundled in the Mac and Windows desktop app. On Sentinel and Fleet workspaces it's on by default after install, with a wizard step asking the user to confirm. For unattended fleet rollouts, set the environment variable NBM_MCP_GATEWAY=1 through your MDM (Jamf, Intune, Kandji) and the Gateway scans and wraps the user's existing Claude Desktop, Cursor, and Claude Code configs the first time the daemon boots. Atomic, idempotent, with a timestamped backup of every original config. To unwind, run nbm sentinel mcp-gateway disable and the wraps come back out cleanly.

The desktop app still installs and the browser, desktop, and CLI surfaces still report aggregate counts. The MCP Gateway step in the installer wizard shows an upgrade CTA and the proxy stays inert until the workspace upgrades to Sentinel. If a workspace downgrades from Sentinel back to Discovery later, the daemon auto-unwraps every wrapped MCP config and removes the Gateway from the chain. No orphaned proxies.

Identity: Okta and Microsoft Entra (SAML SSO, SCIM provisioning). Device management: Jamf, Microsoft Intune, Kandji (force-install via MDM, no user action). SIEM and observability: Splunk (via HTTP Event Collector) and Microsoft Sentinel (via the Log Analytics API), both self-serve from Settings with a built-in connection test. Datadog and other SIEMs on request. GRC and compliance: Vanta and Drata (evidence pipeline for SOC 2 CC6.1, CC7.2, CC8.1), OneTrust (data mapping and TPRM, with PIA and DPIA pre-population), and Scytale. Don't see your stack? Talk to us.

Three add-on SKUs attach to Sentinel for org-specific needs: Cloud OCR (+$2,000/yr) for image / PDF upload OCR. SIEM streaming (+$5,000/yr) for Splunk HEC or Microsoft Sentinel (Fleet has this built in). Custom DPA + InfoSec review (+$3,000/yr) for vendor security review packets and custom Data Processing Agreements. Add-ons require sales-assist; self-serve checkout is no-add-ons by default.

Yes. Upgrade any time and the new tier kicks in immediately, prorated to the day. Downgrade takes effect at the end of the current billing period so you keep the features you paid for.

Yes. 50% off Sentinel for verified 501(c)(3) nonprofits and accredited educational institutions. Discount applies to both the platform fee and the per-seat. Email hello@northbeams.com with proof of status.