Cloud · Free
no card€0
forever, for small teams getting started
- Up to 3 GitLab projects
- Up to 5 active runners
- 7-day violation history
- Anomaly detection on default baselines
- Email alerts
Pricing
Free to start. Pay when you scale.
Most teams start on Cloud. Regulated operators move to self-hosted when their compliance profile demands it. The agent is open source either way.
most teams pick this
Cloud · Team
SaaS€49 / month
+ €19 / active runner / month
billed monthly · cancel any time
- Unlimited projects
- 90-day violation history
- Custom profiles + baselines
- Slack + webhook alerting
- OIDC SSO
- MCP integration for AI triage
Cloud · Business
scale€199 / month
+ €15 / active runner / month
volume discount · from 20 runners
- Everything in Team
- 1-year violation history
- RBAC + immutable audit log
- SAML SSO
- Priority support
Self-hosted
EETalk to us
priced by cluster footprint · not by seat
- Everything in Business — same code path
- Runs entirely in your Kubernetes cluster
- No telemetry, no phone-home, air-gap supported
- Aligns with GDPR / NIS2 / DORA / CRA by deployment model
- Dedicated upgrade channel + custom SLAs
An active runner is one that processed at least one CI job in the billing month. Idle runners cost nothing.
Just the agent? Use CE.
The open-source Community Edition runs the same enforcement primitives. YAML allowlists, stdout / Prometheus / webhook output, MPL-2.0. Free forever.
- · All enforcement primitives (DNS proxy, eBPF egress, default-deny)
- · Process attribution on every blocked egress
- · YAML-driven allowlists, on disk per profile
- · Prometheus metrics + webhook reporting
- · Self-hosted agent, MPL-2.0, no telemetry
- · GitLab Runner: Kubernetes, Docker, podman
Cloud and Self-hosted run the same code path. Migrate either direction without re-writing policy.