# Wallarm Subscription Plans

[Wallarm AI Control Platform](https://docs.wallarm.com/7.x/about-wallarm/overview.md) covers AI security and API security across cloud-native and multi-cloud environments through four products — Wallarm API Security, Wallarm Infrastructure Discovery, Wallarm AI Hypervisor, and Wallarm API Security Testing. Each product has its own subscription model. This page describes the plans available across all four. Choose the set of functionality that best suits your needs.

## Core subscription plans

**Cloud Native WAAP** - WAAP (Web Application & API Protection) subscription provides web applications and APIs with protection against common threats such as SQLi, XSS, brute force, etc. It supports all API protocols but does not cover some specific API threats.

**WAAP + Advanced API Security**. This bundle enhances general WAAP capabilities with comprehensive API Security tools to cover all OWASP API Top-10 threats.

**Security Testing**. This bundle helps you proactively uncover security vulnerabilities in your applications and APIs before attackers do.

| Feature | WAAP | WAAP + API Security | Security Testing |
| ------- | ----------------- | --------------------- | --------------------- |
| **Real-time protection** | | | |
| [DDoS protection (L7)](https://docs.wallarm.com/7.x/admin-en/configuration-guides/protecting-against-ddos.md) | Yes | Yes | No |
| [Geo/source filtering](https://docs.wallarm.com/7.x/user-guides/ip-lists/overview.md) | Yes | Yes | No |
| [IP reputation feeds](https://docs.wallarm.com/7.x/user-guides/ip-lists/overview.md#malicious-ip-feeds) | Yes | Yes | No |
| [Attack stamps (SQLi, XSS, SSRF, etc.)](https://docs.wallarm.com/7.x/attacks-vulns-list.md#attack-types) | Yes | Yes | No |
| [Customer defined signatures](https://docs.wallarm.com/7.x/user-guides/rules/regex-rule.md) | Yes | Yes | No |
| [Virtual patching](https://docs.wallarm.com/7.x/user-guides/rules/vpatch-rule.md) | Yes | Yes | No |
| [Brute force protection](https://docs.wallarm.com/7.x/admin-en/configuration-guides/protecting-against-bruteforce.md) | Yes | Yes | No |
| [Forced browsing protection](https://docs.wallarm.com/7.x/admin-en/configuration-guides/protecting-against-forcedbrowsing.md) | Yes | Yes | No |
| [Distributed rate limiting](https://docs.wallarm.com/7.x/user-guides/rules/rate-limiting.md) | Yes | Yes | No |
| [BOLA protection](https://docs.wallarm.com/7.x/admin-en/configuration-guides/protecting-against-bola-trigger.md) | Manual triggers | Mitigation control | No |
| [API Abuse Prevention (bot management)](https://docs.wallarm.com/7.x/api-abuse-prevention/overview.md) | No | Yes | No |
| [Credential Stuffing Detection](https://docs.wallarm.com/7.x/about-wallarm/credential-stuffing.md) | No | Yes | No |
| [API Specification Enforcement](https://docs.wallarm.com/7.x/api-specification-enforcement/overview.md) | No | Yes | No |
| [GraphQL security policies](https://docs.wallarm.com/7.x/api-protection/graphql-rule.md) | No | Yes | No |
| [Enumeration attack protection](https://docs.wallarm.com/7.x/api-protection/enumeration-attack-protection.md) | No | Yes | No |
| [Mitigation controls](https://docs.wallarm.com/7.x/about-wallarm/mitigation-controls-overview.md) | No | Yes | No |
| [MCP mitigation controls](https://docs.wallarm.com/7.x/agentic-ai/mcp-mitigation-controls.md) | No | Yes | No |
| **API protocol support** | | | |
| Legacy (SOAP, XML-RPC, WebDAV, WebForm) | Yes | Yes | No |
| Mainstream (REST, GraphQL) | Yes | Yes | No |
| Modern and streaming (gRPC, WebSocket) | Yes | Yes | No |
| **Security posture** | | | |
| [API Attack Surface Management (AASM)](https://docs.wallarm.com/7.x/api-attack-surface/overview.md) | No | Yes | No |
| [Vulnerability assessment](https://docs.wallarm.com/7.x/user-guides/vulnerabilities.md) | Yes | Yes | No |
| [API Sessions](https://docs.wallarm.com/7.x/api-sessions/overview.md) | No | Yes | No |
| [MCP Sessions](https://docs.wallarm.com/7.x/api-sessions/mcp-sessions.md) | No | Yes | No |
| [API Discovery](https://docs.wallarm.com/7.x/api-discovery/overview.md) | No | Yes | No |
| [MCP server discovery](https://docs.wallarm.com/7.x/api-discovery/exploring.md#mcp-servers) | No | Yes | No |
| [Sensitive data detection](https://docs.wallarm.com/7.x/api-discovery/overview.md#sensitive-data-detection) | No | Yes | No |
| [Rogue API Detection (shadow, zombie)](https://docs.wallarm.com/7.x/api-discovery/rogue-api.md) | No | Yes | No |
| [BI Dashboards](https://docs.wallarm.com/7.x/user-guides/dashboards/bi-dashboards.md) | No | Yes | No |
| **Security testing** | | | |
| [Threat Replay Testing](https://docs.wallarm.com/7.x/vulnerability-detection/threat-replay-testing/overview.md) | No | Yes | Yes, with API Security |
| [Schema-Based Security Testing](https://docs.wallarm.com/7.x/vulnerability-detection/schema-based-testing/overview.md) | No | No | Yes |
| **Additional options** | | | |
| [Self-hosted Node deployment](https://docs.wallarm.com/7.x/installation/supported-deployment-options.md) | All | All | No |
| [Security Edge](https://docs.wallarm.com/7.x/installation/security-edge/overview.md) | No | No | No |
| [Integrations](https://docs.wallarm.com/7.x/user-guides/settings/integrations/integrations-intro.md) | All | All | All |
| [Number of users](https://docs.wallarm.com/7.x/user-guides/settings/users.md) | Unlimited | Unlimited | Unlimited |
| [SSO authentication](https://docs.wallarm.com/7.x/admin-en/configuration-guides/sso/intro.md) | Yes | Yes | Yes |
| [Role-based access control (RBAC)](https://docs.wallarm.com/7.x/user-guides/settings/users.md#user-roles) | Yes | Yes | Yes |
| [Multi-tenant](https://docs.wallarm.com/7.x/installation/multi-tenant/overview.md) | Yes (by request) | Yes (by request) | Yes (by request) |
| Period of event storage | 6 month | 6 month | 6 month |
| Support | Standard/<br>Advanced/<br>Platinum | Standard/<br>Advanced/<br>Platinum | Standard/<br>Advanced/<br>Platinum |

To activate the subscription plan, contact [sales@wallarm.com](mailto:sales@wallarm.com).

## Wallarm Infrastructure Discovery

Wallarm Infrastructure Discovery is available on **AWS only**. It provides cross-account AWS asset discovery, surfaces shadow AI within minutes of deployment, and makes findings from native AWS security services (Security Hub, GuardDuty, Inspector, Macie, IAM Access Analyzer) actionable on a single relationship graph.

Infrastructure Discovery is procured through the [AWS Marketplace listing](https://aws.amazon.com/marketplace/pp/prodview-kvqg6s3jjelv6). The listing describes all available plans — including the free tier and paid tiers — and is the entry point for self-service signup.

## Wallarm AI Hypervisor

Wallarm AI Hypervisor is available on **AWS only** and deploys on Amazon EKS. It instruments AI workloads at runtime with no application code changes, enforces policy inline at the connection level, and produces continuous compliance evidence — coverage heatmap, AI software bill of materials (AI-SBOM), session audit logs, and sensitive data flow records.

AI Hypervisor follows a **separate onboarding flow** with the Wallarm team. There is no self-service signup, free tier, or in-Console activation — AI Hypervisor is managed on a separate domain and is not configured through Wallarm Console.

To get access, contact [sales@wallarm.com](mailto:sales@wallarm.com). Sales will scope your deployment (EKS clusters, model providers, compliance framework targets such as EU AI Act or SOC 2) and provision access.

See the [AI Hypervisor overview](https://docs.wallarm.com/7.x/ai-hypervisor/overview.md) for product details.

## API Attack Surface

Variants: **Core (Free)**, **Enterprise (Paid)** - see comparison [here](https://www.wallarm.com/product/aasm-pricing).

!!! info "Relations to other plans"

    This subscription plan:

    * Is included into [Advanced API Security](#core-subscription-plans) plan
    * Can be added to [Cloud Native WAAP](#core-subscription-plans) plan
    * Can be used alone (no other plans or filtering node required)

The **API Attack Surface** subscription plan provides a comprehensive view of publicly exposed APIs and related information with **zero deployment** and minimal configuration.

The subscription plan provides the [API Attack Surface Management (AASM)](https://docs.wallarm.com/7.x/api-attack-surface/overview.md) product which includes:

* [API Attack Surface Discovery](https://docs.wallarm.com/7.x/api-attack-surface/api-surface.md)
* [Security Issues Detection](https://docs.wallarm.com/7.x/api-attack-surface/security-issues.md)

To activate the subscription plan, do one of the following:

* If you do not have Wallarm account yet, get pricing information and activate AASM on the Wallarm's official site [here](https://www.wallarm.com/product/aasm).

    When activating, scanning of the used email's domain starts immediately while you negotiate sales team. After activation, you can add additional domains to the scope.

* If you already have Wallarm account, contact [sales@wallarm.com](mailto:sales@wallarm.com).

## Rogue MCP

!!! info "Relations to other plans"

    This subscription plan:

    * Can be added to any [core subscription plan](#core-subscription-plans)
    * Can be used alone (no other plans or filtering node required)

The **Rogue MCP** subscription plan provides access to the extended functions of Wallarm's MCP server, including [API Security Testing via Postman](https://docs.wallarm.com/7.x/vulnerability-detection/api-security-testing-via-postman/overview.md).

!!! info "Free features"
    [Rogue MCP Inspection](https://docs.wallarm.com/7.x/vulnerability-detection/api-security-testing-via-postman/overview.md#bonus-rogue-mcp-inspection-free) — auditing local MCP servers for supply-chain risks and excessive privileges — is always free and does not require a subscription or API key.

To activate this subscription:

* **New users**: register and subscribe at [roguemcp.wallarm.com](https://roguemcp.wallarm.com/).
* **Existing users**: contact [Wallarm Support](https://support.wallarm.com) to get the subscription added to your account.

## Security Edge (Paid Plan)

!!! info "Relations to other plans"

    This subscription plan:

    * Can be added to [Cloud Native WAAP](#core-subscription-plans) or [Advanced API Security](#core-subscription-plans) plan
    * Cannot be used alone

The Security Edge subscription plan allows you to deploy the Wallarm node on the managed environment, eliminating the need for onsite installation and management.

With Wallarm handling node hosting and maintenance, you can focus on your core infrastructure while benefiting from robust traffic filtering, attack detection, and secure communication - all backed by Wallarm.

Available Security Edge deployments include:

* [Security Edge Inline](https://docs.wallarm.com/7.x/installation/security-edge/inline/overview.md)
* [Security Edge Connectors](https://docs.wallarm.com/7.x/installation/security-edge/se-connector.md)

To inquire about this subscription, please contact [sales@wallarm.com](mailto:sales@wallarm.com).

## Security Edge Free Tier

For smaller companies and educational purposes, Wallarm offers the option to create a [Security Edge](#security-edge-paid-plan) Free Tier account yourself. You can choose the Wallarm cloud that best suits your storage preferences:

* [Create Free Tier account on the US Wallarm Cloud](https://us1.my.wallarm.com/signup)
* [Create Free Tier account on the ME Wallarm Cloud](https://me1.my.wallarm.com/signup)
* [Create Free Tier account on the EU Wallarm Cloud](https://my.wallarm.com/signup)

The Security Edge Free Tier account allows:

* Security Edge functionality, with some feature limitations.
* Process up to **500 thousand requests per month** with no limitation in time.
* Access to the Wallarm platform as [Advanced API Security](#core-subscription-plans), except for the following:

    * [Vulnerability assessment](https://docs.wallarm.com/7.x/user-guides/vulnerabilities.md)
    * [API Abuse Prevention](https://docs.wallarm.com/7.x/api-abuse-prevention/overview.md)
    * Limited to 3 users per company account
    * Telemetry portal of Security Edge
    * Multi-cloud Security Edge deployment
* Utilize the abilities of [Schema-Based Security Testing](https://docs.wallarm.com/7.x/vulnerability-detection/schema-based-testing/overview.md)

If a Free Tier account exceeds 100% of the monthly quota, your access to the Wallarm Console is disabled, along with all integrations. When reaching 200%, protection on your Wallarm nodes is disabled. These restrictions will be in effect until the first day of the next month.

To remove all restrictions, contact [sales@wallarm.com](mailto:sales@wallarm.com).