Honest pricing for a curated CTI
Three tiers. No seat tax. The Community plan stays free forever — yes, including the Suricata, Sigma, YARA, STIX, and per-vendor exports.
Community
free forever
- ~50 OSINT feeds (Abuse.ch, Spamhaus, Hagezi, ET-Open, USOM)
- All export formats: Suricata · Sigma · YARA · STIX 2.1 / TAXII 2.1 · MISP · RPZ
- 8 vendor-native feeds: Fortinet · PAN · CheckPoint · Sophos · Cisco · Meraki · SRX · MikroTik
- Updates every 24h
- IOC scoring (confidence / threat / popularity / composite 0-100)
- MITRE ATT&CK coverage matrix & per-rule tactic/technique tagging
- No EASM scanner
- No brand-protection / typosquat watch
- Community Discord support only
Plus
recommended
- Everything in Community
- Premium curated feeds (ThreatFox paid, abuse.ch DOH-confirmed)
- Updates every 4 hours
- External Attack Surface Management — up to 50 assets
- Brand-protection: 3 watches · typosquat & homograph detection
- Sightings API (which of your firewalls hit which IOC)
- Email + chat support · 1 business day SLA
Premium
enterprise
- Everything in Plus
- Updates every 20 minutes
- Dedicated TAXII 2.1 server (private collections)
- EASM — unlimited assets, hourly scan cadence
- Brand-protection: unlimited watches, dark-web monitoring, takedown drafting + lifecycle tracking
- Detection signatures: Sigma + YARA + Suricata for your incidents (custom rule curation)
- Priority support · 4h SLA · named CTI analyst
- Ed25519-signed feed snapshots (compliance trail)
How Zedmos compares
A non-marketing comparison against the closest commercial peer (Q-Feeds) — feature-by-feature, no hand-waving. We don't list features they don't expose, and we don't claim features we don't ship.
| Capability | Zedmos | Q-Feeds (Premium) |
|---|---|---|
| Suricata rule export | ✓ priority + threat metadata | — |
| Sigma rule export (MITRE tagged) | ✓ tactics + techniques per category | — |
| YARA rule export | ✓ SHA-256 IOCs | — |
| STIX 2.1 / TAXII 2.1 | ✓ included | TAXII = extra licence |
| Vendor-native feeds | ✓ 16 (Fortinet, PAN, CheckPoint, Sophos, …) | 5 (Fortinet, Sophos, PAN, Check Point, OPNsense) |
| SHA-256 hash IOCs | ✓ | not advertised |
| IOC scoring (composite) | ✓ confidence / threat / popularity / composite | confidence / threat / popularity |
| MITRE ATT&CK mapping | ✓ tactic + technique + coverage matrix UI | mapping, no in-product matrix |
| EASM scanner | ✓ DNS · CNAME takeover · headers · exposed paths | vuln scanner only |
| Brand protection (typosquat) | ✓ 8 algorithms, DNS-validated | no |
| Takedown drafting + workflow | ✓ RDAP abuse lookup · lifecycle states | brand-protection takedown |
| Signed (Ed25519) feed snapshots | ✓ | not advertised |
| Sovereign deployment option | ✓ self-host or EU-hosted SaaS | EU SaaS only |
| Turkish CERT (USOM) curated | ✓ live API ingest, 220k+ IOCs | — |
| Starting price (annual) | €0 / €99 / €249 | €0 / €99 / €249 |
Frequently asked
Is the Community tier really free forever?
Yes. The aggregation pipeline runs whether you pay or not; we don't gate the export formats. Paid tiers add private feed sources, faster refresh, EASM, and brand-protection.
Can I self-host?
Premium customers get a self-host bundle (Docker Compose + Mongo + Redis) so your IOC traffic never leaves your network. Useful for air-gapped fleets and Turkish public-sector requirements.
Per-firewall licence or seat-based?
Per-tenant. The tier price is total — you can pull feeds from however many firewalls you have. We profile per-tenant pull volume only to flag scraping abuse, not to bill.
How do you handle false positives?
Three layers: Bayesian confidence scoring, a popular-domain tripwire, and an operator review queue. Every feed has a sliding FP-rate window. See the verification log for any IOC.
Questions? sales@zedmos.com · cti.zedmos.net