Start with a 14-day trial, then pay per active host. Vulnerabilities, compliance, ports, CVEs, and inventory stay in one platform.
Want to see it before you install? Explore the live demo →
Starter $12 / host | Growth $22 / host | Enterprise Custom | |
|---|---|---|---|
| Infrastructure | |||
| Active hosts | 30 | 300 | Unlimited |
| Team members | 3 | 10 | Unlimited |
| Workspaces | 1 | 5 | Unlimited |
| Scanning | |||
| Scan cadence | Weekly | Daily | No limit |
| Compliance (OS) scans | |||
| Ad-hoc scans | 1 / day | 5 / day | Unlimited |
| Package & CVE scanning | — | ||
| Network port scanning | — | ||
| Live (applied ≠ live) tracking | — | ||
| Compliance | |||
| Benchmarks | 1 swappable | All | All + custom |
| Guided Remediation | |||
| Evidence export | — | ||
| Policy overrides | — | — | |
| Data & access | |||
| Scan history | 30 days | 1 year | 2 years+ |
| API access (PAT) | — | ||
| SSO / SAML | — | — | |
| Air-gapped / self-hosted | — | — | |
| Support | Priority | Priority + SLA | |
Not ready to install? Click around the live demo with real fleet data first. Then start a 14-day free trial on up to 30 of your own hosts.
curl -fsSL https://packages.executepath.dev/install.sh \ | sudo EXPECTED_GPG_FINGERPRINT=13094D5AB037E6CD79CDFA3A51687EAC6B931A09 bash
A host is any enrolled system that is active, or was retired or decommissioned within the last 7 days. Your plan's host capacity limits how many host slots can be in use at once.
The host stops reporting and leaves active fleet views, but its slot remains reserved for 7 days to preserve history and prevent rapid slot reuse. After that window, the slot becomes available for another host.
No. Host capacity is based on active hosts plus recently retired or decommissioned hosts. Rotating hosts through the same plan still consumes capacity during the 7-day reuse window.
An ad-hoc scan is any scan you start manually with Scan now, such as a compliance scan, package/CVE scan, or port scan. Each manual scan action counts as one ad-hoc scan.
For compliance, one manual action may dispatch the right benchmark for each OS in scope. That still counts as one ad-hoc scan action, even if it creates multiple underlying scan runs.
Scheduled scans do not count against your ad-hoc scan limit.
Yes. Upgrades take effect immediately. Downgrades apply at the next billing cycle and require your active host count to fit within the lower plan. Your scan history, policies, and settings stay intact.
Not as a standard self-serve deployment today. oxharden was built with the foundations needed for self-hosted and air-gapped Enterprise environments, including agent-based collection, offline content workflows, and controlled update paths. If those are hard requirements, we can scope them with your team.
oxharden supports regulated Linux hardening workflows today, including CIS and DISA STIG evaluation and FIPS-related host checks. Formal FedRAMP, FIPS 140, and agency-specific deployment requirements are handled through Enterprise scoping so we can define the controls, architecture, and evidence needed before committing.
Yes. Retiring a host preserves its historical scans, findings, and evidence. Decommissioning removes it from active capacity, while retained history follows your plan's data retention policy.