# Wallarm Subscription Plans

Wallarm is the only solution that unifies API discovery, risk management, real-time protection, and testing capabilities to protect your entire API portfolio in multi-cloud and cloud-native environments. You can easily choose the set of functionality that best suits your needs.

## Core subscription plans

**Cloud Native WAAP** - WAAP (Web Application & API Protection) subscription provides web applications and APIs with protection against common threats such as SQLi, XSS, brute force, etc. It supports all API protocols but does not cover some specific API threats.

**WAAP + Advanced API Security**. This bundle enhances general WAAP capabilities with comprehensive API Security tools to cover all OWASP API Top-10 threats.

**Security Testing**. This bundle helps you proactively uncover security vulnerabilities in your applications and APIs before attackers do.

| Feature | WAAP | WAAP + API Security | Security Testing |
| ------- | ----------------- | --------------------- | --------------------- |
| **Real-time protection** | | | |
| [DDoS protection (L7)](https://docs.wallarm.com/admin-en/configuration-guides/protecting-against-ddos.md) | Yes | Yes | No |
| [Geo/source filtering](https://docs.wallarm.com/user-guides/ip-lists/overview.md) | Yes | Yes | No |
| [IP reputation feeds](https://docs.wallarm.com/user-guides/ip-lists/overview.md#malicious-ip-feeds) | Yes | Yes | No |
| [Attack stamps (SQLi, XSS, SSRF, etc.)](https://docs.wallarm.com/attacks-vulns-list.md#attack-types) | Yes | Yes | No |
| [Customer defined signatures](https://docs.wallarm.com/user-guides/rules/regex-rule.md) | Yes | Yes | No |
| [Virtual patching](https://docs.wallarm.com/user-guides/rules/vpatch-rule.md) | Yes | Yes | No |
| [Brute force protection](https://docs.wallarm.com/admin-en/configuration-guides/protecting-against-bruteforce.md) | Yes | Yes | No |
| [Forced browsing protection](https://docs.wallarm.com/admin-en/configuration-guides/protecting-against-forcedbrowsing.md) | Yes | Yes | No |
| [Distributed rate limiting](https://docs.wallarm.com/user-guides/rules/rate-limiting.md) | Yes | Yes | No |
| [BOLA protection](https://docs.wallarm.com/admin-en/configuration-guides/protecting-against-bola-trigger.md) | Manual triggers | Mitigation control | No |
| [API Abuse Prevention (bot management)](https://docs.wallarm.com/api-abuse-prevention/overview.md) | No | Yes | No |
| [Credential Stuffing Detection](https://docs.wallarm.com/about-wallarm/credential-stuffing.md) | No | Yes | No |
| [API Specification Enforcement](https://docs.wallarm.com/api-specification-enforcement/overview.md) | No | Yes | No |
| [GraphQL security policies](https://docs.wallarm.com/api-protection/graphql-rule.md) | No | Yes | No |
| [Enumeration attack protection](https://docs.wallarm.com/api-protection/enumeration-attack-protection.md) | No | Yes | No |
| [Mitigation controls](https://docs.wallarm.com/about-wallarm/mitigation-controls-overview.md) | No | Yes | No |
| **API protocol support** | | | |
| Legacy (SOAP, XML-RPC, WebDAV, WebForm) | Yes | Yes | No |
| Mainstream (REST, GraphQL) | Yes | Yes | No |
| Modern and streaming (gRPC, WebSocket) | Yes | Yes | No |
| **Security posture** | | | |
| [API Attack Surface Management (AASM)](https://docs.wallarm.com/api-attack-surface/overview.md) | No | Yes | No |
| [Vulnerability assessment](https://docs.wallarm.com/user-guides/vulnerabilities.md) | Yes | Yes | No |
| [API Sessions](https://docs.wallarm.com/api-sessions/overview.md) | No | Yes | No |
| [API Discovery](https://docs.wallarm.com/api-discovery/overview.md) | No | Yes | No |
| [Sensitive data detection](https://docs.wallarm.com/api-discovery/overview.md#sensitive-data-detection) | No | Yes | No |
| [Rogue API Detection (shadow, zombie)](https://docs.wallarm.com/api-discovery/rogue-api.md) | No | Yes | No |
| [BI Dashboards](https://docs.wallarm.com/user-guides/dashboards/bi-dashboards.md) | No | Yes | No |
| **Security testing** | | | |
| [Threat Replay Testing](https://docs.wallarm.com/vulnerability-detection/threat-replay-testing/overview.md) | No | Yes | Yes, with API Security |
| [Schema-Based Security Testing](https://docs.wallarm.com/vulnerability-detection/schema-based-testing/overview.md) | No | No | Yes |
| **Additional options** | | | |
| [Self-hosted Node deployment](https://docs.wallarm.com/installation/supported-deployment-options.md) | All | All | No |
| [Security Edge](https://docs.wallarm.com/installation/security-edge/overview.md) | No | No | No |
| [Integrations](https://docs.wallarm.com/user-guides/settings/integrations/integrations-intro.md) | All | All | All |
| [Number of users](https://docs.wallarm.com/user-guides/settings/users.md) | Unlimited | Unlimited | Unlimited |
| [SSO authentication](https://docs.wallarm.com/admin-en/configuration-guides/sso/intro.md) | Yes | Yes | Yes |
| [Role-based access control (RBAC)](https://docs.wallarm.com/user-guides/settings/users.md#user-roles) | Yes | Yes | Yes |
| [Multi-tenant](https://docs.wallarm.com/installation/multi-tenant/overview.md) | Yes (by request) | Yes (by request) | Yes (by request) |
| Period of event storage | 6 month | 6 month | 6 month |
| Support | Standard/<br>Advanced/<br>Platinum | Standard/<br>Advanced/<br>Platinum | Standard/<br>Advanced/<br>Platinum |

To activate the subscription plan, contact [sales@wallarm.com](mailto:sales@wallarm.com).

## API Attack Surface

Variants: **Core (Free)**, **Enterprise (Paid)** - see comparison [here](https://www.wallarm.com/product/aasm-pricing).

!!! info "Relations to other plans"

    This subscription plan:

    * Is included into [Advanced API Security](#core-subscription-plans) plan
    * Can be added to [Cloud Native WAAP](#core-subscription-plans) plan
    * Can be used alone (no other plans or filtering node required)

The **API Attack Surface** subscription plan provides a comprehensive view of publicly exposed APIs and related information with **zero deployment** and minimal configuration.

The subscription plan provides the [API Attack Surface Management (AASM)](https://docs.wallarm.com/api-attack-surface/overview.md) product which includes:

* [API Attack Surface Discovery](https://docs.wallarm.com/api-attack-surface/api-surface.md)
* [Security Issues Detection](https://docs.wallarm.com/api-attack-surface/security-issues.md)

To activate the subscription plan, do one of the following:

* If you do not have Wallarm account yet, get pricing information and activate AASM on the Wallarm's official site [here](https://www.wallarm.com/product/aasm).

    When activating, scanning of the used email's domain starts immediately while you negotiate sales team. After activation, you can add additional domains to the scope.

* If you already have Wallarm account, contact [sales@wallarm.com](mailto:sales@wallarm.com).

## Rogue MCP

!!! info "Relations to other plans"

    This subscription plan:

    * Can be added to any [core subscription plan](#core-subscription-plans)
    * Can be used alone (no other plans or filtering node required)

The **Rogue MCP** subscription plan provides access to the extended functions of Wallarm's MCP server, including [API Security Testing via Postman](https://docs.wallarm.com/vulnerability-detection/api-security-testing-via-postman/overview.md).

!!! info "Free features"
    [Rogue MCP Inspection](https://docs.wallarm.com/agentic-ai/rogue-mcp-inspection.md) — auditing local MCP servers for supply-chain risks and excessive privileges — is always free and does not require a subscription or API key.

To activate this subscription:

* **New users**: register and subscribe at [roguemcp.wallarm.com](https://roguemcp.wallarm.com/).
* **Existing users**: contact [Wallarm Support](https://support.wallarm.com) to get the subscription added to your account.

## Security Edge (Paid Plan)

!!! info "Relations to other plans"

    This subscription plan:

    * Can be added to [Cloud Native WAAP](#core-subscription-plans) or [Advanced API Security](#core-subscription-plans) plan
    * Cannot be used alone

The Security Edge subscription plan allows you to deploy the Wallarm node on the managed environment, eliminating the need for onsite installation and management.

With Wallarm handling node hosting and maintenance, you can focus on your core infrastructure while benefiting from robust traffic filtering, attack detection, and secure communication - all backed by Wallarm.

Available Security Edge deployments include:

* [Security Edge Inline](https://docs.wallarm.com/installation/security-edge/inline/overview.md)
* [Security Edge Connectors](https://docs.wallarm.com/installation/security-edge/se-connector.md)

To inquire about this subscription, please contact [sales@wallarm.com](mailto:sales@wallarm.com).

## Security Edge Free Tier

For smaller companies and educational purposes, Wallarm offers the option to create a [Security Edge](#security-edge-paid-plan) Free Tier account yourself. You can choose the Wallarm cloud that best suits your storage preferences:

* [Create Free Tier account on the US Wallarm Cloud](https://us1.my.wallarm.com/signup)
* [Create Free Tier account on the ME Wallarm Cloud](https://me1.my.wallarm.com/signup)
* [Create Free Tier account on the EU Wallarm Cloud](https://my.wallarm.com/signup)

The Security Edge Free Tier account allows:

* Security Edge functionality, with some feature limitations.
* Process up to **500 thousand requests per month** with no limitation in time.
* Access to the Wallarm platform as [Advanced API Security](#core-subscription-plans), except for the following:

    * [Vulnerability assessment](https://docs.wallarm.com/user-guides/vulnerabilities.md)
    * [API Abuse Prevention](https://docs.wallarm.com/api-abuse-prevention/overview.md)
    * Limited to 3 users per company account
    * Telemetry portal of Security Edge
    * Multi-cloud Security Edge deployment
* Utilize the abilities of [Schema-Based Security Testing](https://docs.wallarm.com/vulnerability-detection/schema-based-testing/overview.md)

If a Free Tier account exceeds 100% of the monthly quota, your access to the Wallarm Console is disabled, along with all integrations. When reaching 200%, protection on your Wallarm nodes is disabled. These restrictions will be in effect until the first day of the next month.

To remove all restrictions, contact [sales@wallarm.com](mailto:sales@wallarm.com).