pricing

We charge when you would have lost data.
Not before.

The full price table is being built alongside our first ten production customers. Until then: design partners run free, enterprise scopes are bespoke, and the production tier is on email.

design partner
For one team, willing to break things together.
$0 · until we get in
  • one staging environment, ~50 routes
  • shared agent fleet — 1 recon, 1 authn, 1 authz
  • findings to email + a single slack channel
  • reproducible PoCs, no PR automation
  • attribution welcome, not required
We charge nothing until the first confirmed exploit hits your inbox.
production · most relevant
Continuous coverage for real customer apps.
soon · per confirmed exploit
  • staging + production targets, unlimited routes
  • dedicated agent fleet — full recon/authn/authz/race/SSRF coverage
  • github app, fix PRs auto-opened against the offending repo
  • slack/linear/jira integrations, on-call digest
  • token + wall-clock budgets you set, killed on breach
Pricing is a function of confirmed exploits per quarter, not seats or tokens. We post the table publicly when the first ten customers are live.
enterprise
Custom scopes, isolation, paper.
soon · let's talk
  • isolated tenant, dedicated infra in your region
  • SSO/SAML, audit log streaming, retention controls
  • red-team-as-a-service: bespoke agents for your stack
  • SOC2 Type II report, custom DPA, signed MSA
  • named offensive engineer + quarterly readouts
Annual minimums, multi-quarter commitments, the usual.
the gap
// brink vs. the alternative
quarterly pentest
A snapshot. Brittle, expensive, scheduled around vendor availability — not your release cadence.
~$30k · 2 weeks · stale day 8
bug bounty
Variable cost, variable signal. Triage burden falls on you; researchers are paid for theatrics.
pay per find · adversarial · noisy
brink
Continuous. Reproducible. The agents wake up, probe, write findings, sleep, repeat — every day.
$0 → confirmed-exploit pricing · 24/7
questions you actually have

FAQ.

Why is most of the table empty?

Because we have ten design partners and we are not pricing the production tier publicly until we have at least ten customers actually paying. Pricing pages that read like fiction are worse than pricing pages that read like a stub.

How do you bill?

Per confirmed exploit, with a monthly cap. A "confirmed exploit" is one that reproduced against a real-but-synthetic account, passed the validator, and was severity ≥ medium. Info-level findings are free.

What about false positives?

You do not pay for them. The validator runs before the finding hits your inbox, and our published false-positive rate is 0.4% across 813 confirmed exploits in the last 90 days. If a finding does not reproduce, you can dispute it in one click — we eat the cost.

Can I cap spend?

Yes. Every run has both a token budget and a wall-clock budget. You set both; we kill the run if either breaches. Default monthly cap is 100 confirmed exploits per project.

Do you offer a free tier forever?

No. Design-partner status converts to a paid tier once the production product ships. We will give you 60 days' notice and matching credits.

still curious
If you need a number before you can move, send us your stack. We'll send a real one back.