Tiers and limits
What each tier sees, how often, and for how long. The same values drive the API rate limiter and the field redactor — so marketing and enforcement can't drift.
Overview
Five tiers. Two free, three paid. The free side is the give-to-get loop: Observer lets a researcher validate data without signing up, and Contributor rewards anyone running a sensor with full research-grade access. The paid side funds the fleet and opens up bulk + raw-event access for ML and threat-intel work.
Capability matrix
| Capability | Observer | Contributor | Sponsor | Researcher | Institutional |
|---|---|---|---|---|---|
| Rate limit | 100 / day | 1,000 / hour | 2,000 / hour | 100,000 / hour | Unlimited |
| History window | 7 days | 90 days | 180 days | 2 years | Full |
| Data freshness | 1h delay | Real-time | Real-time | Real-time | Real-time |
| Verdict + tags | ✓ | ✓ | ✓ | ✓ | ✓ |
| Sighting totals | ✓ | ✓ | ✓ | ✓ | ✓ |
| JA3 / JA4 / SSH | — | ✓ | ✓ | ✓ | ✓ |
| Per-sensor list | — | ✓ | ✓ | ✓ | ✓ |
| Commands & payloads | — | ✓ | ✓ | ✓ | ✓ |
| Bulk CSV / dataset export | — | Capped | Capped | ✓ | ✓ |
| ML-friendly paginated API | — | — | — | ✓ | ✓ |
| Raw event-level snapshots | — | — | — | Sampled | Full |
| Citation rights / DOI | — | ✓ | ✓ | ✓ | ✓ + DOI |
| Requires running a sensor | No | Yes | No | No | No |
For the full commercial comparison with CTAs, see /pricing.
Observer
Designed to be genuinely useful for research and shareable on Twitter. You can paste an IP and get a real verdict with confidence and sighting counts — enough to validate a finding without signing up.
Contributor
Free, earned. Run a sensor for 48 hours of valid telemetry and your key is promoted automatically. Full fingerprint access, 90-day history, real-time freshness, capped bulk lookup. The fastest path to research-grade data.
Sponsor
Paid individual tier for researchers who can't host a sensor — corporate networks, no spare hardware, or just preferring to pay. Same data surface as Contributor: full fingerprints, per-sensor sightings, 180-day history, 2,000 req/hour. $19/mo funds a Core honeypot whose data you use.
Researcher
For labs, ML teams, and journalists who need bulk access and reproducibility. Bulk CSV exports, ML-friendly paginated API with deterministic ordering, 2-year history, 100,000 req/hour. Citation rights included for non-commercial publication.
Institutional
Annual license for organizations that need to train, license, or republish: ML-security companies, threat-intel vendors, national CERTs, university labs. Raw event-level snapshots, full history, streaming feed, dataset DOI for formal citation, co-authored disclosure on aggregate findings.
How promotion works
- Deploy a sensor with an enrollment token
- Sensor reports telemetry to the mesh ingestion API
- After 48 hours of uniquesignatures (not just volume), the promotion check flips the key's tier
- Your next request sees the new rate limit and unredacted fields; no action needed on your end