Pricing

Flat fees. Self-serve. Start free.

Run the full scan free. Buy the signed report when the deal needs it: $750 one-time, or continuous from $299 a month so the evidence never goes stale. The fee listed is the whole fee.

  • Scan free · no card
  • Signed report $750 · one-time
  • No quote · no per-seat meter · no contingency
01 / Self-serve

Start free. Sign when your buyer's questionnaire asks.

Four plans you can buy without talking to anyone. The free scan needs no card. A one-time report is a snapshot; re-attestation (re-signing on a schedule) is what keeps Continuous current. A re-attestation is a fresh signed report produced on a schedule, weekly on Starter and on every deploy on Growth. The same Trust link always serves the newest one, so a buyer never opens stale evidence.

Scan

Free

See real findings from your own logs before you pay.

  • Watermarked findings from your logs, in minutes.
  • Permission and audit-trail checks included.
  • One email address gets a key in seconds.

Signed Readiness Report

$750 one-time

The full audit, sealed. Your buyer verifies it offline.

  • Ed25519-signed report tied to a stable report ID.
  • Findings mapped to SOC 2, ISO 42001, NIST AI RMF, the EU AI Act, OWASP LLM Top 10 and MITRE ATLAS, so every finding maps into the framework work you already do. kolm does not replace your trust center; it is the agent-specific evidence that clears this deal now.
  • Verified in the buyer's browser, no kolm server in the path.

Continuous Starter

$299 /mo

Re-attested weekly. Evidence never goes stale.

  • Everything in the Signed Readiness Report.
  • A fresh signed report every week, behind a stable Trust link.
  • One agent, one public Trust link.

Continuous Growth

$999 /mo

Re-attested on every deploy, fleet-wide.

  • Everything in Continuous Starter.
  • Prompt-injection regression on every release.
  • Your full agent fleet under one buyer portal.

All prices flat and final. The figure on this page is the figure at checkout, while most security-review tools quote only "contact sales". Estimate what a stalled review costs.

Who it is for · Scan

The team that wants to see a real finding before paying. Upload redacted logs, get watermarked findings in minutes.

Who it is for · Report

A reviewer is asking for proof on one live deal. A single signed report, tied to a stable ID, that your buyer verifies offline.

Who it is for · Continuous

Anyone who ships often. Evidence is re-signed on a cadence so the Trust link your buyer pins never goes stale.

Worked example · why monthly, not once

  • Signed Readiness Report (one-time): $750
  • Each deploy after it: not covered
  • Continuous Starter, re-signed weekly: $299/mo
  • Always-current evidence, per month: $299/mo

Worked from the prices listed above. The $750 report is correct the day it is signed and goes stale on your next deploy. If you ship weekly, a snapshot is out of date within days; Continuous Starter at $299/mo re-signs on schedule so the buyer always opens current evidence behind one stable link. Evidence that goes stale stops being evidence.

02 / Enterprise

A guided deep audit across the fleet.

For a fleet of agents or a regulated buyer. Both tiers can be bought on this page; a scoping call is available, not required.

Full Readiness

$15,000 fixed fee

A guided deep audit across your fleet. We help close the gaps.

  • A guided engagement across your full control set and agent fleet.
  • Remediation guidance for every finding before you sign.
  • Signed Readiness Report plus a buyer portal at the end.
  • Continuous re-attestation for the duration of the engagement.

Continuous-Plus

$3,500 /mo

Continuous Growth for the whole fleet, with a team behind it.

  • Everything in Continuous Growth, across your full agent fleet.
  • A dedicated transparency log and an always-current Trust link your buyers pin.
  • SSO and SCIM provisioning for your team.
  • Priority support and a named contact.

Need white-label reports or a custom scope? Enterprise terms cover an MSA, BAA and a named SLA, or talk to us.

03 / The deal-closer

When a reviewer needs more than a signature.

Cryptography proves the bytes were not altered. A name proves a person reviewed them. The Reviewed Attestation puts both in front of the CISO.

Reviewed Attestation

$25,000 flat

A named, accredited human co-signs the audit.

  • Everything in Full Readiness.
  • A named reviewer co-signs beside the Ed25519 signature.
  • Days, bounded by an SLA, against the four to eight weeks a from-scratch review takes.
  • The strongest artifact kolm produces for a high-stakes review.

Add-on · adversarial

Deep Red-Team · +$10,000

A deeper adversarial pass on top of the standard prompt-injection battery, for the buyer who asks how hard you pushed.

Why a name

The signature is necessary, not always sufficient

The automated tiers need no human. For the deal where a reviewer wants a person to stand behind the finding, the co-signer is the difference between a passed review and another round of questions.

Scope is contractual. Permission posture, redaction and audit-trail integrity are assessed. Injection is tested and reported, not warranted.

04 / Compare

What is in each plan.

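Capability                            Scan          Report        Starter       Growth        Reviewed
Least-privilege permission audit      Included      Included      Included      Included      Included
Audit-trail & retention review        Included      Included      Included      Included      Included
Data-egress & redaction audit         Not included  Included      Included      Included      Included
Prompt-injection battery              Not included  Included      Included      Included      Included
Framework control-mapping             Not included  Included      Included      Included      Included
Ed25519-signed, offline-verifiable    watermarked   Included      Included      Included      Included
Re-attestation cadence                Not included  Not included  weekly        per deploy    per deploy
Live Trust link                       Not included  Not included  Included      Included      Included
Named co-signer                       Not included  Not included  Not included  Not included  Included
Price                                 Free          $750          $299/mo       $999/mo       $25,000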

The free scan is watermarked and scoped to what you upload. Every paid plan ships the full Ed25519-signed report your buyer verifies offline.

05 / Questions

Common questions.

Do prices change with team size or usage?

No. Every fee is flat and final: $750 for the signed report, $299 or $999 per month for Continuous. There is no per-seat meter and no usage tier.

Is the free scan really free?

Yes. Upload redacted logs, get watermarked findings in minutes, no card. Most teams use it to see a real finding before they commit.

Why pay monthly when a report is one-time?

A point-in-time report goes stale on your next deploy. Continuous re-attests on a schedule, weekly on Starter and on every deploy on Growth, so the evidence your buyer checks is never older than your cadence.

What does the named co-signer add over the crypto?

The signature proves the bytes are intact. The name proves a person reviewed them. Enterprise reviewers ask for both, so the Reviewed Attestation puts a named, accredited reviewer beside the signature.

Do you warrant our application is secure?

No, and distrust anyone who does. We test and report with reproductions, scoped to exactly what we examined. The scope statement is part of the signed report. Try the sample verifier.

We already have an annual audit and a trust center. Why this?

kolm turns the specific agent or AI/API loop under review into signed, verifiable evidence that can be checked without trusting a dashboard. Findings can still map into SOC 2, ISO 42001 and NIST AI RMF programs.


Start at zero. Sign at $750.

Run the free scan tonight. Buy the signed report the day your buyer asks for proof.
