KafkaGuard
Get started
FeaturesDocsEnterprisePricingBlogToolsGet started

Pricing

KafkaGuard is priced per Kafka cluster — the natural unit of compliance. Start free with the Community CLI and upgrade when your team needs more controls or centralized visibility.

Tiers at a Glance

CommunityStarterTeamEnterprise
PriceFree$99 / cluster / month$199 / cluster / month$299 / cluster / month
Billed annually$950 / cluster / yr$1,910 / cluster / yrContact sales
Clusters1Up to 2Up to 10Unlimited
UsersUp to 10Up to 10Unlimited
CLI scanner
Policyfinance-isoenterprise-defaultfinance-isofinance-iso
Controls55455555
Report formatsJSON, HTML, PDF, CSVJSON, HTML, PDF, CSVJSON, HTML, PDF, CSVJSON, HTML, PDF, CSV
Compliance mappingsPCI-DSS · SOC 2 · ISO 27001PCI-DSS · SOC 2 · ISO 27001PCI-DSS · SOC 2 · ISO 27001 + custom
On-prem dashboard
REST API
Slack / Teams alerting
Trend dashboard
Fleet compare
Audit trail
Air-gapped deploy
SSO / SAML / SCIMRoadmap
Custom policy authoring
White-label PDF reports
SupportCommunityEmail · 2 business daysEmail · 1 business dayDedicated SE · 24/7 SLA

Controls by Tier

Community provides the full finance-iso policy (55 controls) — the same depth as Team and Enterprise. Starter uses enterprise-default (45 controls) and adds compliance framework mappings (PCI-DSS, SOC 2, ISO 27001). Paid tiers differentiate on compliance report mappings, cluster count, and support level — not control count.

Community — finance-iso (55 controls)

Full security, compliance, and operational checks — the same finance-iso policy used by Team and Enterprise. No controls are gated behind a paid license.

CategoryControlsFocus
Security25SASL auth, SSL/TLS, ACLs, inter-broker encryption, KRaft controller security, advanced TLS
Reliability16Replication factors, ISR thresholds, log retention, partition health, KRaft quorum
Operational14Auto-create topics, delete topics, log dirs, GC logging, network threads, monitoring type

Included controls (sample):

  • KG-001: SASL authentication enabled
  • KG-002: SSL/TLS encryption enabled
  • KG-016: Replication factor ≥ 3
  • KG-017: Min in-sync replicas ≥ 2
  • KG-041: Audit logging enabled
  • KG-044: Broker-to-broker mutual TLS
  • KG-045: No deprecated TLS protocols (≥1.2)

Starter — enterprise-default (45 controls)

Full security controls covering authentication, encryption, authorization, and monitoring. Designed for production Kafka clusters with standard compliance requirements.

CategoryControlsFocus
Security16SASL auth, SSL/TLS, ACLs, inter-broker encryption, security protocol
Reliability16Replication factors, ISR thresholds, log retention, partition health, leader election, quota enforcement
Operational13Auto-create topics, delete topics, log dirs, GC logging, network threads

Included controls (sample):

  • KG-001: SASL authentication enabled
  • KG-002: SSL/TLS encryption enabled
  • KG-003: ACL authorization enabled
  • KG-007: Inter-broker encryption enabled
  • KG-008: ZooKeeper authentication enabled
  • KG-012: Client authentication required
  • KG-014: Security protocol valid
  • KG-015: Monitoring endpoint security

Also unlocks: PCI-DSS, SOC 2, ISO 27001 compliance mapping in all report formats.

Team / Enterprise — finance-iso (55 controls)

Everything in enterprise-default, plus 10 additional controls for KRaft-mode clusters, Confluent Platform, and finance/healthcare regulatory requirements. Also available to Community users via the free CLI.

CategoryControlsFocus
Security25All enterprise-default security + KRaft controller security, advanced TLS
Reliability16Same as enterprise-default + KRaft quorum health
Operational14Same as enterprise-default + monitoring type

Additional controls over Starter (KRaft + Confluent):

  • KG-052: KRaft controller quorum healthy
  • KG-053: KRaft voter count ≥ 3
  • KG-054: KRaft metadata log lag ≤ 1000
  • KG-055: Confluent version matches Kafka version
  • KG-056: KRaft authorizer compatible with controller listener

Also unlocks (paid tiers): Compliance report mappings (PCI-DSS / SOC 2 / ISO 27001), and (Enterprise only) custom policy authoring and white-label PDF reports.

Community — Free

The KafkaGuard CLI is free forever. No license required.

# Download and run your first scan — free, forever
kafkaguard scan --bootstrap kafka-prod:9092 \
  --policy policies/finance-iso.yaml \
  -f json,html,pdf,csv

Includes:

  • 55 controls (finance-iso) — full security, reliability, and operational checks
  • All report formats: JSON, HTML, PDF, CSV
  • Slack, Microsoft Teams, and webhook alerting
  • On-prem dashboard — all features unlocked
  • SASL/SCRAM, SSL/TLS, mTLS, Kerberos authentication
  • CI/CD integration via exit codes and JSON output
  • No compliance framework mappings (PCI-DSS/SOC 2/ISO require Starter+)

Download CLI →

Starter — $99 / cluster / month

For teams preparing for their first SOC 2 or PCI-DSS audit. Self-serve checkout, 14-day free trial, no sales call needed.

Billed annually at $950 per cluster per year (20% off).
A 2-cluster deployment costs $1,900/year.

Includes everything in Community, plus:

  • 45 controls (enterprise-default policy)
  • Full PCI-DSS, SOC 2, ISO 27001 compliance mappings in reports
  • Multi-cluster support (up to 2 clusters in dashboard)
  • Offline RSA-signed license — no internet required

Start 14-day trial →

Team — $199 / cluster / month

For platform and security teams managing multiple Kafka clusters across multiple environments.

Billed annually at $1,910 per cluster per year (20% off).
A 5-cluster deployment costs $9,550/year.

Includes everything in Starter, plus:

  • 55 controls (finance-iso policy)
  • Up to 10 clusters

Start 14-day trial →

Enterprise — $299 / cluster / month

For regulated industries (finance, healthcare, government) running production Kafka at scale. Annual contract.

Includes everything in Team, plus:

  • Unlimited clusters with volume pricing
  • SSO / SAML 2.0 / SCIM provisioning (roadmap)
  • Fine-grained RBAC and audit logs
  • Custom compliance policy authoring (mapped to your framework)
  • White-label PDF reports with your organization's branding
  • Dedicated solutions engineer during onboarding
  • 24/7 support with contractual SLA
  • Quarterly business reviews
  • Priority access to new controls and policy tiers

Talk to sales →

Why Per-Cluster Pricing?

KafkaGuard's value scales directly with the number of Kafka clusters under compliance coverage — not the number of seats or brokers. Per-cluster pricing means:

  • Predictable costs — a cluster is a clear, auditable unit
  • No broker-counting — add brokers to a cluster without changing your bill
  • Land and expand — start with your production cluster, add staging and DR over time
  • Maps to compliance scope — auditors think in clusters, not hosts

Frequently Asked Questions

Can I run the CLI on more than one cluster for free? Yes — the Community CLI has no cluster limit. Tier limits apply to the on-prem dashboard and API only.

What counts as a cluster? One Kafka cluster = one bootstrap endpoint (set of brokers sharing a controller). A dev cluster and prod cluster are two clusters.

Is the on-prem deployment truly air-gapped? Yes. The installer bundles all Docker images in a tar archive. No internet access is required after installation. License validation is offline via RSA signature.

How do I activate my license? After purchase you'll receive a kg_... license key by email. Run kafkaguard license activate --key kg_... to activate. See License Activation for full details.

Can I upgrade from Starter to Team mid-year? Yes — contact sales@kafkaguard.com and we'll prorate the difference and issue a new license key.

What happens when my license expires? The dashboard enters read-only mode — you can still view historical data and download reports, but new scan ingestion is paused until renewal.

Do you offer non-profit or academic pricing? Yes. Contact sales@kafkaguard.com for details.

Questions?