MalCloud Pricing
Threat intelligence shouldn't cost more than the threats themselves
Community ships with all 13 extractors, Detection-as-Code, and full MISP/STIX/TAXII integration — free forever. Paid tiers unlock scale, enrichment, SIEM connectors, and dedicated infrastructure.
Community
Free forever
Individual researchers, students, small teams evaluating
- 3 users
- 30-day data retention
- 10K IOCs
- 1K API calls/month
- All 13 extractors
- Detection-as-Code
- MISP / STIX / TAXII
- Syslog / CEF connector
- Graph Context (annotations, audit, provenance)
Pro
$49/month
Freelance analysts, boutique consultancies
- Everything in Community
- 10 users
- 1-year retention
- 100K IOCs
- 10K API calls/month
- All enrichment providers
- All integrations
- SIEM connectors (Elastic, Splunk, Sentinel, Chronicle)
- Trending intelligence
- Threat Pool velocity + sector signals
Most Popular
Team
$149/month
5-25 person SOC teams, MSSPs
- Everything in Pro
- 25 users
- Unlimited retention + IOCs
- 50K API calls/month
- ZK-STIX (Zero-Knowledge Proof-of-Observation)
- SSO / SAML
- Custom RBAC
- Priority support
Enterprise
$499/month
Large orgs, government, defense
- Everything in Team
- Unlimited users + API calls
- AI Co-Pilot
- Threat Pool (collective intelligence)
- Dedicated cloud infrastructure
- 4-hour SLA
- Dedicated CSM
On-Prem
$25K+/year
Air-gapped networks, SCIF, defense contractors
- All Enterprise features
- Air-gapped deployment
- STIG-hardened images
- Deployment engineer included
- ITAR / CMMC compliance support
- Custom SLA
Cost comparison
5-person SOC on Team plan: $1,788/year — vs $100,000+ for Recorded Future or Anomali.
Feature comparison
| Feature | Community | Pro | Team | Enterprise | On-Prem |
|---|---|---|---|---|---|
| **Capacity** | | | | | |
| Max users | 3 | 10 | 25 | Unlimited | Unlimited |
| Data retention | 30 days | 1 year | Unlimited | Unlimited | Unlimited |
| IOC limit | 10K | 100K | Unlimited | Unlimited | Unlimited |
| API calls / month | 1K | 10K | 50K | Unlimited | Unlimited |
| **Core Intelligence** | | | | | |
| All 13 extractors | ✓ | ✓ | ✓ | ✓ | ✓ |
| Detection-as-Code | ✓ | ✓ | ✓ | ✓ | ✓ |
| MISP / STIX / TAXII | ✓ | ✓ | ✓ | ✓ | ✓ |
| Graph Context (annotations, audit, provenance) | ✓ | ✓ | ✓ | ✓ | ✓ |
| All enrichment providers | — | ✓ | ✓ | ✓ | ✓ |
| Trending intelligence | — | ✓ | ✓ | ✓ | ✓ |
| AI Co-Pilot | — | — | — | ✓ | ✓ |
| **Connectors & Integrations** | | | | | |
| Syslog / CEF | ✓ | ✓ | ✓ | ✓ | ✓ |
| SIEM connectors (Elastic, Splunk, Sentinel, Chronicle) | — | ✓ | ✓ | ✓ | ✓ |
| **Threat Pool & Collaboration** | | | | | |
| Threat Pool signals (counts) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Threat Pool velocity + sector signals | — | ✓ | ✓ | ✓ | ✓ |
| Threat Pool collective intelligence | — | — | — | ✓ | ✓ |
| ZK Proof-of-Observation (ZK-STIX) | — | — | ✓ | ✓ | ✓ |
| **Access & Compliance** | | | | | |
| SSO / SAML | — | — | ✓ | ✓ | ✓ |
| Custom RBAC | — | — | ✓ | ✓ | ✓ |
| ITAR / CMMC support | — | — | — | — | ✓ |
| **Infrastructure & Support** | | | | | |
| Dedicated cloud | — | — | — | ✓ | ✓ |
| Air-gapped deployment | — | — | — | — | ✓ |
| STIG-hardened images | — | — | — | — | ✓ |
| Deployment engineer | — | — | — | — | ✓ |
| Dedicated CSM | — | — | — | ✓ | ✓ |
| SLA | — | — | — | 4-hour | Custom |
Common questions
- Is Community actually free, or is there a catch?
  No catch. Community includes all 13 extractors, Detection-as-Code, full MISP/STIX/TAXII integration, Syslog/CEF connectors, and Graph Context. The limits are 3 users, 30-day retention, and 10K IOCs. No time-boxed trials. No "upgrade to unlock" prompts inside the platform.
- Why flat pricing instead of per-seat?
  Per-seat pricing penalizes you for growing your team. A 5-person SOC on our Team plan pays $149/month regardless. That's $1,788/year for the entire team — about what you'd spend on a single seat with legacy vendors. We want you to add analysts, not ration licenses.
- What is ZK-STIX?
  ZK-STIX uses zero-knowledge proofs to verify that a threat observation is authentic without revealing the source environment or internal telemetry. It lets you share indicators with ISACs, partners, or the Threat Pool while proving provenance cryptographically — no trust assumptions, no data leakage. Available on Team and above.
- What's included in On-Prem?
  On-Prem ships with STIG-hardened container images, a dedicated deployment engineer for installation, and all Enterprise features. Designed for air-gapped networks, SCIF environments, and organizations with strict data-sovereignty requirements. ITAR and CMMC compliance support included. Contact us to scope your deployment.
- Can I switch plans or add capacity later?
  Yes. Upgrades are prorated and take effect immediately. Downgrades apply at the start of the next billing cycle. No lock-in contracts on any cloud tier — cancel anytime.
Free forever
Start with Community
All 13 extractors, Detection-as-Code, MISP/STIX/TAXII. No credit card, no feature gates.
Get Started
Enterprise & On-Prem
Need dedicated infrastructure?
Dedicated cloud, air-gapped, STIG-hardened. We scope deployments for defense contractors and large SOCs.
Contact Us