PRICING
Free for the community, serious for F500
Four revenue tracks, mapped to four distinct customer types and reasons to pay.
- Community (free forever) — global sensor network and standard adoption pipeline, not a revenue stream.
- Enterprise SaaS — closes the compliance-evidence gap for regulated industries and migrates their existing rule assets into the AI agent era.
- Sovereign AI national reference — addresses the detection-IP sovereignty gap at the nation-state level.
- Vendor OEM license — for platform vendors already shipping ATR rules inside their own products.
No middle tier — by design. Rationale at the bottom of the page.
Community
Available today
Who it’s for
Individual developers, small teams, and any organisation that wants to self-host the full 7-layer PanGuard stack. Feature parity with Enterprise — only difference is self-hosted deployment and community support.
- 344 ATR detection rules (MIT licensed)
- Unlimited agents / endpoints / tenants
- 5 layers shipped today: L2 Audit · L3 Protect · L4 Detect · L5 Deceive · L6 Respond
- 2 layers coming Q2/Q3 2026: L1 Discover · L7 Govern
- Auto-registers as Threat Cloud sensor · anonymous telemetry (opt-out anytime)
- Threat Cloud rule updates (< 24h)
- Community support via GitHub Issues + Discord
- pga CLI: scan · audit · up · guard · status · sensor
Pilot
F500 bridge
Who it’s for
A pre-procurement pilot contract for F500. The IT Director can approve it without reaching the CFO. The full $25K credits toward the Year 1 Enterprise contract on upgrade.
- On-prem / VPC / airgap deployment help
- 6 hours/week of senior engineering support
- Sample quarterly compliance evidence report (EU AI Act / NIST AI RMF / ISO 42001 / OWASP Agentic mapping)
- Custom ATR rule pack trial
- SIEM webhook integration template
- Clean exit or upgrade to Enterprise at day 90
- Full $25K credit to Y1 Enterprise contract on upgrade
Need a custom contract instead? Email sales
Enterprise
Early customers
Target $250-350K · up to $500K+
Who it’s for
Regulated industries — finance, healthcare, semiconductors, and quasi-government organisations that need an audit-ready AI agent security layer under EU AI Act, Colorado AI Act, and similar frameworks.
Three core modules
Migrator Pro
Automatically converts legacy Sigma, YARA, and Splunk rules from your SOC into AI agent rules.
AI Compliance Audit Evidence Module
Produces compliance evidence packs ready for auditors (NIST AI RMF, EU AI Act, plus three more frameworks).
Direct line to the ATR standard
Early access to draft rules; customer-contributed rules can flow upstream and be adopted by Cisco, Microsoft, and others.
Also included: unlimited agents/tenants, on-prem deployment, SAML SSO, SCIM, SIEM webhook, AIAM (target Q3 2026), SOC 2 Type 1 in flight (target Q3 2026), and a dedicated Customer Success Manager.
Sovereign
Nation-state
Active dialogue · 1 Saudi PIF lead
Who it’s for
Sovereign AI infrastructure, central banks, defense, cross-ministry compliance platforms. ATR already inherited via announced Cisco / AMD / NVIDIA JVs — no new-vendor risk.
Sovereign spec
- Full airgap deployment · multi-tenant isolation
- Sovereign data residency · no egress
- Custom compliance evidence (national regs + EU AI Act + NIST AI RMF + ISO 42001 + OWASP Agentic)
- Sovereign-level ATR contribution channel · national red-team feedback
- Dedicated SLA · 24/7 nation-state support
- Pre-integrated with AMD / Cisco / NVIDIA JVs
- Optional: ATR national namespace (rule namespacing)
Founding 5 F500 pricing
The first 5 F500 Enterprise customers can lock the founding rate of $100K × 2 years (versus the standard $250K–$350K range), in exchange for public logo and case study rights. Standard pricing resumes from customer six onwards.
ENTERPRISE — FULL SPECIFICATION
Three core modules plus included platform infrastructure
The full content covered by the Enterprise plan. Each core module stands on its own; platform infrastructure is bundled with the contract.
Module 1 · Migrator Pro
Bridge two decades of accumulated SOC detection IP into AI agent defense rules — automatically.
Banks, hospitals, and semiconductor SOCs have built up large libraries of Sigma, YARA, Snort, Splunk queries, and CVE mappings. These rules don't directly catch prompt injection or tool poisoning, but the attack knowledge underneath still applies — SQL injection didn't vanish, it moved into tool calls; command injection didn't vanish, it changed substrate.
Migrator Pro converts 15 source formats into ATR behavioral rules automatically, with a compliance evidence pack ready for auditors.
Supported source formats (15 total)
Capabilities included
- Joint LLM and human refinement at the quality level of Cisco-merged PRs
- Auto-mapping to five compliance frameworks: EU AI Act, NIST AI RMF, ISO/IEC 42001, OWASP Agentic, OWASP LLM Top 10
- Audit evidence packs signed with SHA-256 and Merkle tree
- 6-tab Web Dashboard with on-prem deployment
- Customer-contributed rules can flow back upstream into ATR and be adopted by Cisco, Microsoft, and other downstream vendors
Module 2 · AI Compliance Audit Evidence Module
Produce compliance evidence auditors can use directly — a capability Vanta and Drata cannot architecturally deliver.
Each detection event is mapped to a specific ATR rule ID and threaded across articles in six frameworks: EU AI Act, Colorado AI Act, NIST AI RMF, ISO/IEC 42001, OWASP Agentic Top 10, and OWASP LLM Top 10. Reports are delivered in PDF and JSON, signed with SHA-256 and Merkle tree.
Why Vanta and Drata cannot do this: they have no in-house detection engine, and they do not own ATR as the detection layer underneath. Lakera and Apono lack the full stack. PanGuard is the only product today that threads detection event → ATR rule → compliance article as a single audit-ready artefact.
Shipped capabilities
- NIST AI RMF 100% rule coverage (1,566 mappings, shipped in ATR v2.1.0)
- EU AI Act Articles 9, 12, 14, 15, and 50 auto-mapped
- Quarterly compliance reports threading detection event → ATR rule ID → 6-framework articles
- Tamper-evident PDF + JSON outputs signed with SHA-256 and Merkle tree
Module 3 · Direct line to the ATR standards maintainer
Customers don't passively adopt the standard — they participate in shaping ATR's roadmap.
Customers receive draft rules 30 days before public release, allowing internal deployment testing before attacks become public. Rules refined inside Migrator can also be sent back upstream — once merged into ATR, those rules ship across the ecosystem to Cisco AI Defense, Microsoft AGT, and others, effectively distributing your detection IP across the industry.
What the relationship includes
- Early access to draft rules 30 days before public release
- Upstream contribution path: customer rules can be adopted by Cisco, Microsoft, and other downstream vendors
- Priority rule update SLA within 4 hours (Community SLA is within 24 hours)
- Roadmap vote and quarterly executive review
Platform infrastructure (included)
SOVEREIGN AI NATIONAL REFERENCE
Reference deployment for sovereign AI nations
Every democracy is building sovereign AI models and compute, yet the security layer is still rented from US-private vendors. ATR, Migrator, and the Compliance module together form the open-standard answer to that gap.
Path 1 · Standards Reference
A national-level body (digital ministry, NCSC, AI safety agency) publicly cites ATR as the country's reference framework for AI agent security.
We list the country as an ecosystem reference on the sovereign-ai-defense page. Estimated time to commit: 1–2 weeks.
Path 2 · Technical Co-eval
The national red team runs its own adversarial corpus against ATR's full 330-rule library. We provide the detection engine, Migrator tooling, and full failure-case disclosure.
Output is an independent third-party validation report. All testing artifacts remain with the nation. Zero cost on both sides over a 90-day cycle.
Path 3 · Commercial Reference Deployment
Nation-scale reference deployment: full ATR, Migrator Pro, Compliance Module, Threat Cloud, in-region deployment, and custom rule packs.
Delivery is handled by a certified regional enterprise vendor partner, with PanGuard as the upstream ATR standards maintainer. The structure follows the Linux Foundation national-contract and Red Hat federal-contract precedent.
Why nations adopt this
Sovereign AI rests on three pillars: sovereign model, sovereign compute, and sovereign detection knowledge.
Nations have already invested billions building the first two in-house. The third is still rented from US-private vendors — exactly the dependency that sovereign AI programs were designed to eliminate.
Migrator bridges decades of a nation's accumulated SOC detection IP (Sigma, YARA, Snort, SCADA, and others) into the AI agent era — letting the nation keep sovereignty over its detection knowledge, with no rewriting and no rental from foreign vendors.
VENDOR OEM LICENSE
Ship ATR Pro Rule Pack inside your AI security product
Cisco AI Defense ships all 330 ATR rules. Microsoft AGT ships 287 rules with weekly auto-sync. NVIDIA garak, Gen Digital Sage, and IBM mcp-context-forge integrations are in flight. For vendors who need the Cisco-merge-PR-quality enriched version — early access to draft rules, five-framework compliance metadata, white-label deployment — the OEM tier is purpose-built for that scenario.
OEM Use License
For vendors at the scale of Cisco, Microsoft, NVIDIA, or Gen Digital, embedding the enriched Pro Rule Pack inside their own product.
Includes early access to draft rules, five-framework compliance metadata, white-label deployment, custom attack classes, and ATR roadmap voting rights.
Strategic Partnership Terms
Reserved for vendors pursuing long-term ecosystem integration with ATR.
Negotiable terms include M&A right of first refusal, joint GTM, engineering collaboration, and an ATR Foundation governance seat.
SAMPLE AUDIT REPORT
What a Compliance Evidence report looks like
Below is an excerpt from the quarterly compliance evidence report Enterprise customers receive. Each detection is mapped to an ATR rule ID and threaded through specific articles in EU AI Act, NIST AI RMF, ISO/IEC 42001, and other frameworks — ready to submit directly to auditors.
Quarterly report excerpt
Q2 2026 Detection Evidence Report · Acme Corp
──────────────────────────────────────────────
Total events intercepted by PanGuard Guard: 1,847

Mapping by compliance framework
──────────────────────────────────────────────
EU AI Act Article 12 (logging requirement): 612 events
└─ Primary rules: ATR-2026-00001, ATR-2026-00121, ATR-2026-00149
└─ Retention: 7-year audit log archive (Enterprise)
NIST AI RMF Govern.1.1 (risk management): 488 events
└─ Primary rules: ATR-2026-00080..00096
└─ Confidence: ≥0.90 across all flagged events
ISO/IEC 42001 clause 6.2 (risk treatment): 347 events
└─ Primary rules: ATR-2026-00040, ATR-2026-00099
Colorado AI Act SB24-205 (disclosure): 44 events
OWASP Agentic Top 10 (ASI-01..10): 356 events (consolidated)
OWASP LLM Top 10:2025 (LLM01..10): 289 events (consolidated)

Auditor-ready artefacts
──────────────────────────────────────────────
✓ PDF report (signed, hash-verified)
✓ JSON export for SIEM ingestion
✓ Per-article evidence bundle
✓ ATR rule provenance chain
ATR STANDARDS ORGANIZATION
Open standard, independent governance, certification program
ATR is an MIT-licensed open detection protocol with governance independent of PanGuard. Anyone, any product, can use it freely. Skill certification is run by community reviewers at no cost (MITRE ATT&CK model). The only paid surface is Enterprise Membership — modeled on the Apache Software Foundation Platinum Sponsor pattern.
ATR Certified Skill
community-run review
Skill authors submit a PR free of charge to the ATR repo. Community volunteer reviewers audit transparently (MITRE ATT&CK / Let's Encrypt model). Certified skills get the badge, ATR registry listing, and PanGuard Community whitelist. PanGuard does not charge and does not decide outcomes — authority lives in transparency, not paywalls.
ATR Enterprise Member
annual membership
Logo on ATR registry · governance vote · priority PR review · early draft rule access · seat in annual roadmap meeting. Modeled on MITRE Engenuity and ISO working-group pattern.
WHY NO TEAM / BUSINESS TIER
Middle tier is a trap for this product
For individual devs and SMB, the value is being a sensor, not a subscription. Agent security is runtime-centric — a developer running 2 Claude Code sessions does not need a monthly bill to watch them. Each Community install is a sensor that feeds telemetry back to Threat Cloud, which crystallizes new ATR rules, which strengthens detection for everyone. A paywall breaks this flywheel.
A self-serve middle tier needs a scaled customer-success and support organisation. 100 SMB customers at $500/month is equivalent to a full-time engineering team supporting low-LTV accounts — and that directly squeezes the engineering time F500 and sovereign customers actually pay for. Snyk and Datadog ran this model with 50+ engineers behind a dedicated support pipeline. PanGuard is not that shape today.
F500 does not need a middle tier as a bridge. F500 security teams naturally pilot on free Community for 90 days, then jump to Pilot → Enterprise when they need compliance, SOC2, and airgap. That matches real F500 procurement behaviour — a paid Team tier sits in nobody's way.
If Y2 data shows real middle-tier demand, we will reevaluate. Today's data says: do not build it.
Still evaluating?
GRC procurement questions · on-prem architecture · compliance mapping specifics · F500 logo program — email us, 48h response.