Three tiers — Watchtower, Keep, and Citadel — sized for SMBs that take security seriously. No per-event surcharges, no log-volume gotchas, no professional services line items. We charge what a real SOC + a real AI defender costs to run, and we don't pretend otherwise.
The outer wall. Passive AI monitoring with weekly digests and the 30-minute analyst response that opens every door.
The inner stronghold. Everything in the AI-defender stack — Sparring, Edge Triage, auto-cascade, a named analyst, and the GCC compliance overlay.
The summit. A dedicated analyst pod, custom Sparring scenarios, AI-vs-AI campaigns, quarterly internal pen-test reports, and a 5-minute SLA.
A complete reference. If you're comparing us to an incumbent MSSP, this is the page to send to procurement.
| | Watchtower ($40 / device / mo) | Keep ($90 / device / mo) | Citadel ($200 / device / mo) |
|---|---|---|---|
| **Coverage** | | | |
| Endpoints monitored: Per device, included | Up to 50 | 51–250 | Unlimited |
| Cloud accounts: AWS · GCP · Azure | 1 | 5 | Unlimited |
| SaaS connectors: OAuth-based | 10 | 40+ | All + custom |
| Network & email: Firewalls, gateways, M365/Workspace email security | — | ● | ● |
| Behavioural baselines: Per-user / per-host fingerprints | Universal only | Per-user & per-host | + per-tenant |
| Custom Sigma detections: Authored for your environment | — | 5 included | Unlimited |
| Log retention | 30 days hot | 90 days hot | 90 hot · 365 cold |
| **AI defender stack** | | | |
| AI Guardian: Autonomous incident triage (latest frontier models) | ● | ● | ● |
| Edge Triage: On-device AI filter — data-residency + offline | — | ● | ● |
| Sparring: Weekly adversary simulation against your fleet | — | ● | ● |
| AI-vs-AI Sparring: AI-generated attacks tailored to your stack | — | — | ● |
| Custom Sparring scenarios: Authored by our red team | — | — | ● |
| **Security operations** | | | |
| 24×7 monitoring | ● | ● | ● |
| 24×7 response | Business hours | ● | ● |
| Response SLA | 30 min | 15 min | 5 min |
| Auto-cascade: Kill · quarantine · blocklist · isolate | — | ● | ● |
| Direct phone line: Manned by SOC, not call centre | Email + portal | ● | ● |
| Named analyst | Pooled | ● | ● |
| Dedicated analyst pod: 3 named analysts on your tenant | — | — | ● |
| Executive briefing: Monthly call with founder + CSO | — | — | ● |
| **Compliance & reporting** | | | |
| Owner's weekly digest | ● | ● | ● |
| Monthly posture review | Async report | 30-min call | + on-site annually |
| SOC 2 evidence pack | Read-only | Full | Full + auditor liaison |
| ISO 27001 evidence | — | ● | ● |
| GCC overlay: NESA · ITDA · NCA mappings | — | ● | ● |
| HIPAA · ADGM · PCI | — | — | ● |
| Cyber-insurance attestation | — | Annual | Quarterly |
| **Exercises & testing** | | | |
| Onboarding tabletop | ● | ● | ● |
| Quarterly tabletop | — | ● | ● |
| Quarterly internal pen-test: Authored by our red team | — | — | ● |
| Annual external red-team | — | Add-on | ● |
| Phishing simulation | Add-on | Add-on | ● |
| **Commercial** | | | |
| Minimum term | 12 months | 12 months | 24 months |
| Price-lock | 24 months | 24 months | 36 months |
| Implementation fee | $0 | $0 | Quoted |
| Out-clause | 30 days | 30 days | 60 days |
Plug in your seat count and tier. Real quotes are tighter than this — there are usually multi-year and bundle discounts available — but this is the right rough number to take to your CFO.
Adjust to match your business.
No bundling, no upsell traps. Add what you need; drop what you don't.
From $1,200 / month · 20 hours pooled
When something serious happens, you don't want to be sourcing a DFIR firm at 2am. We pre-stage hours so we move from response to investigation without procurement friction.
From $18,000 / engagement · 2 weeks
A real adversary simulation against your environment, delivered by our specialist channel partner's OSCP, CEH and CISSP-certified operators, working to OWASP, PTES and MITRE ATT&CK. Findings fed back into your detection stack. Optional purple-team replay with your IT team.
$3 / seat / month
Twelve campaigns a year, calibrated to your industry. Click rates trended in the owner portal. Just-in-time micro-training for users who fall for it — no shaming, no enterprise-LMS slog.
From $4,500 / audit cycle
A named IronCastle GRC engineer joins your auditor calls. They speak SOC 2 / ISO 27001 / HIPAA / IRAP fluently. We've shortened a lot of audits this way.
$1,800 / detection · or unlimited on Citadel
Have a workflow that's specific to your business — finance approval flows, R&D source-code egress, vendor portal abuse? We engineer detections for it.
$349 USD one-time — Coming Q3 2026
A purpose-built network sensor that passively fingerprints every device on your LAN, feeds telemetry directly into the SOC, and works without an agent. No drivers, no SPAN port required.
$0.04 / event-day · or 365d on Citadel
Beyond the included 30 / 90 days. Cold storage, retrieved into hot when an investigation needs it. Useful for IRAP / regulated tenants.
A short list — the rest live on the FAQ page.
No. Per-seat pricing covers the telemetry your business generates. We've never billed a customer a "log overage" and we don't intend to.
You're billed in 25-seat increments quarterly in arrears. No mid-term renegotiation. Your locked rate applies to all new seats.
Yes — 25% off list for registered non-profits and accredited educational institutions, no minimum term.
Yes — and we lock the FX at signing. We invoice in your local currency from the relevant Permus entity (Dubai, Sydney, or London).
Onboarding is included on Watchtower and Keep. For Citadel we quote implementation only when there's genuine custom work (air-gapped collector, custom detections, IRAP scoping, etc.) — never as a way to backfill a discount.
Yes. 30-day out-clause on Watchtower & Keep (60 days on Citadel). We'll export your telemetry to S3-compatible storage on the way out — no retention as a hostage.