Cipherwake compares your preview deploy against production and shows what changed on the public internet — scripts, headers, TLS, certs, SPKI, trust posture — before you ship. Free covers the recommended deploy-guard pattern (per-PR + per-release on 1 monitored domain, 100 CI calls/repo/mo, three named gate modes: Balanced / Advisory / Strict). Paid tiers unlock custom per-component thresholds, approved-vendor allowlist, higher CI quota, webhook delivery, team seats, and the dashboard with score history + audit log.
Strongest paid upgrade hooks for AI-coder workflows: custom block rules (e.g. "block if any new third-party script appears" or "block if DBR drops ≥ 0.5"), vendor allowlist (fail the PR on unapproved new vendors), and higher CI quota (busy AI-coder deploys can hit 100/mo).
Every tier — including Free — gets daily monitoring + email alerts + the embedded trust-page badge + the open methodology. Paid tiers add more domains, faster cadence, webhook delivery, team seats, longer history, and API access.
The paid wall is scale + automation, not artificial feature crippling. Free gets fail-on-regression CI gating, vendor change alerts, HNDL / decryption blast-radius scoring, and the same scan quality. Founder Pro expands domains, raises quotas, and unlocks the CI threshold-customization layer.
| Feature | Free | Founder Pro $19.99 |
|---|---|---|
| Monitored domains | 1 | 5 |
| Monitoring cadence | Daily | 6-hour |
| Trust Diff / Preview Diff API quota / mo | 100 | 5,000 |
| Score history retention | 30 days | 365 days |
| GitHub Action — fail CI on regression | ✓ | ✓ |
| Manual `pqcheck deploy-check --ai` CLI | ✓ | ✓ |
| Vendor change email + dashboard alerts | ✓ | ✓ |
| HNDL / Decryption Blast Radius scoring | ✓ | ✓ |
| Custom per-component thresholds | — | ✓ |
| Approved-vendor allowlist | — | ✓ |
| Vendor lockfile | read-only | ✓ |
| CI fail rules — per-rule severity gates | — | ✓ |
Founder pricing is locked while your subscription remains active. Early users get the launch price ($19.99/mo) — the standard price after launch is $29/mo, and your rate doesn't change while you stay subscribed. Fair-use limits apply.
Included with every Monitor subscription. Drop it on your trust page or security.txt as evidence of independent monitoring. Example shown is the public free badge; subscribers get the "MONITORED BY CIPHERWAKE" stamp + last-scan timestamp added.
The historical-data moat is the public product. We don’t hide it behind email walls or downgrade old observations. Paid Monitoring is for continuous alerts and portfolio scale — never for the depth of the free view.
- `npx pqcheck`, browser extension
- `/key/<spki>` shows every domain reusing that private key
- `/vendor/<host>` shows every site that loads a given third-party script

Our rule: free for public curiosity, paid for private memory, scale, alerts, and automation. The depth of the historical view is never the wall — the wall is the moment of intent: “alert me,” “across my portfolio,” “always-on.”
You configure thresholds for each alert type when you set up monitoring. Defaults: 30 / 14 / 7 days before cert expiry; score drop ≥0.5 points; any newly-detected key persistence event (cert rotated but private key didn't); any newly-detected subdomain takeover risk. Alerts fire to the email on your account and can be forwarded to any incoming-webhook URL (e.g. Slack, Discord, generic HTTP).
Free covers solo developers shipping a single project with deploy-gating via the GitHub Action. Founder Pro ($19.99/mo) is for AI-heavy builders who want to gate deploys with custom thresholds, an approved-vendor allowlist, a vendor lockfile, CI fail rules, and up to 5 watched domains. Both tiers include daily monitoring, what-changed diff alerts, the embedded trust-page badge, and 30+ days of score history.
Early users subscribing now get the launch price ($19.99/mo) and your monthly rate stays locked while your subscription remains active. The standard price after the launch promotion ends is $29/mo. The price-lock applies to the monthly rate — quotas and product scope continue to evolve in line with our roadmap (fair-use limits apply). Cancellation ends the founder rate; re-subscribing later pays the then-current price.
The Founder Pro card shows a "Notify me" form when its sales flag is closed. Drop your email and we'll send a personal checkout link the moment it opens. We don't charge anything until you accept and complete checkout.
The uptime monitors check whether your endpoint is reachable + whether the cert is valid today. They don't analyze the cryptographic posture underneath. Cipherwake Monitor tracks key rotation across cert rotations (the Heartbleed / SolarWinds lesson — your cert rotated, your team thought you remediated, but the same private key kept signing), subdomain takeover risk via CT log analysis, cipher class + TLS posture trends, and the Decryption Blast Radius score (harvest-now-decrypt-later exposure). Different signal, complementary tool.
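The key-persistence signal described above can be checked by hand by comparing SPKI fingerprints across a rotation. The script below is an added example, not Cipherwake's code; the function names, file names, and the `example.test` certificates it generates are constructed for illustration, and it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Added example: detect a certificate rotation that kept the old private key.
# Function names, file names and the example.test subject are constructed.

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
spki_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Serial number, used to confirm the certificate itself actually changed.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Classify the transition from the previous certificate ($1) to the current ($2).
check_rotation() {
  old_fp=$(spki_fp "$1"); new_fp=$(spki_fp "$2")
  if [ "$(cert_serial "$1")" = "$(cert_serial "$2")" ]; then
    echo "NO_ROTATION"      # same certificate seen twice
  elif [ "$old_fp" = "$new_fp" ]; then
    echo "KEY_PERSISTED"    # new certificate, same public key, so same private key
  else
    echo "KEY_ROTATED"      # new certificate and new key pair
  fi
}

# Constructed sample data: c1 and c2 share key k1, c3 uses a fresh key k3.
make_samples() {
  d=$1
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/k1.pem" \
    -out "$d/c1.pem" -subj "/CN=example.test" -days 30 2>/dev/null
  openssl req -new -x509 -key "$d/k1.pem" \
    -out "$d/c2.pem" -subj "/CN=example.test" -days 30 2>/dev/null
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$d/k3.pem" \
    -out "$d/c3.pem" -subj "/CN=example.test" -days 30 2>/dev/null
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "c1 -> c2: $(check_rotation "$tmp/c1.pem" "$tmp/c2.pem")"
echo "c1 -> c3: $(check_rotation "$tmp/c1.pem" "$tmp/c3.pem")"
```

After a compromise, only a `KEY_ROTATED` result shows that the exposed key is out of service; a `KEY_PERSISTED` result means the reissued certificate still vouches for the same key.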
The free public score is point-in-time — scan a domain, get the current grade. Anyone can do it free at cipherwake.io. Monitor adds continuous scanning, alerts when things change, 12-month history (evidence for customer reviews and vendor questionnaires), and the signed embeddable trust-page badge. If you only need to check a domain occasionally, the free scan is enough. If you need to know within hours when something changes, Monitor is the tool.
You get an alert email (configurable threshold). The cleanest path forward is to fix the underlying crypto posture (cert rotation, key rotation, header gaps) — that's what the monitoring is for. The badge auto-updates after the next verified scan.
Yes — Founder Pro covers 5 monitored domains. Need more on a single account, or want a custom integration? Email us for a custom quote.
The free public score is free forever — that's the product, not a teaser. What you pay for is continuous verified monitoring, the artifact you can show on your trust page, the history, and the alerts. Per our pricing discipline, free preview + paid for depth + monitoring is the dominant tier.
Daily verified scans on the standard plan. The badge image is edge-cached for 15 minutes (no perceptible lag for a viewer; saves 15× the infra cost vs. minute-by-minute polling). If your score genuinely changes, the badge reflects it within 15 minutes.
Anytime, after you start. Stripe customer portal. We don't make it hard. The embedded badge stops rendering "Verified" within 24 hours of cancellation and falls back to the free public-grade variant.