Every pricing question, answered.

The workspace pauses. Your detection history, configured policies, and team setup are preserved. Re-subscribing to Lighthouse or Sentinel restores everything immediately. We don't delete data unless you cancel and don't return for 30 days.

The dashboard swaps to a "subscribe to keep monitoring" prompt. At more than 10 active users the manual workarounds (emailing people one-by-one) stop scaling anyway. That's the point at which you need Lighthouse's per-user view and one-click enforcement to keep up.

We charge for each active user (the people who've installed the extension and signed in) not for every seat in your directory. Per-user pricing matches how you buy every other security tool (CrowdStrike, 1Password, Okta).

Each tier is named after what it does, in lighthouse vocabulary. A Beam finds the ship in the dark (visibility). A Lighthouse warns and guides (governance). A Sentinel stands watch and keeps records (compliance). A Fleet operates many beams together (enterprise).

Annual billing saves 20%. Lighthouse: $15 per user per month, or $12 on annual. Sentinel: $25 per user per month, or $20 on annual. You pay for the year up front, prorated when your team grows. Cancel any time, but the year you've paid for runs to its end.

Email hello@northbeams.com for Fleet-tier pricing. SSO/SAML, BAA, on-prem classifier, and custom volume pricing on request.

Fleet is the enterprise tier for companies under audit. It adds SAML SSO and SCIM provisioning (Okta, Entra), MDM force-install kits (Jamf, Intune, Kandji), SIEM streaming (Splunk HEC, Datadog Logs), and GRC evidence automation (Vanta, Drata, OneTrust). Identity, SIEM, and GRC are delivered as part of your engagement, configured to your existing stack. Custom DPA + DPIA support, BAA for HIPAA, US or EU data residency, 7-year audit log retention, dedicated CSM with private Slack channel, and a 99.9% uptime SLA with a quarterly business review. Starts at $50K annually. Per-seat pricing on request. Contact sales →

A local stdio proxy that sits in the path between your team's coding agents (Claude Desktop, Cursor, Claude Code) and the MCP servers they call. It uses the existing MCP spec, so it works with anything those clients already know how to talk to. The Gateway classifies every tool argument on-device and ships only categorical labels (credentials, PII, source code, legal terms, customer data) plus a sha256 hash to your dashboard. From there you set per-tool rules: allow read tools, warn on mutating ones, block destructive ones. Argument values stay on the laptop. Sentinel and Fleet only.

Ten well-known servers ship with recommended per-tool policies on day one: filesystem, GitHub, Slack, Postgres, Puppeteer, Google Drive, Stripe, Brave Search, Memory, and Sequential Thinking. Anything else your team has configured shows up in the dashboard by binary name and your admins set the policy. The catalogue refreshes quarterly along with the rest of the tool catalogue.

The Gateway is bundled in the Mac and Windows desktop app. On Sentinel and Fleet workspaces it's on by default after install, with a wizard step asking the user to confirm. For unattended fleet rollouts, set the environment variable NBM_MCP_GATEWAY=1 through your MDM (Jamf, Intune, Kandji) and the Gateway scans and wraps the user's existing Claude Desktop, Cursor, and Claude Code configs the first time the daemon boots. Atomic, idempotent, with a timestamped backup of every original config. To unwind, run nbm sentinel mcp-gateway disable and the wraps come back out cleanly.

The desktop app still installs and the browser, desktop, and CLI surfaces still report. The MCP Gateway step in the installer wizard shows an upgrade CTA and the proxy stays inert until the workspace upgrades. If a workspace downgrades from Sentinel later, the daemon auto-unwraps every wrapped MCP config and removes the Gateway from the chain. No orphaned proxies.

Identity: Okta and Microsoft Entra (SAML SSO, SCIM provisioning). Device management: Jamf, Microsoft Intune, Kandji (force-install via MDM, no user action). SIEM and observability: Splunk (HEC + Splunkbase app, CIM-compliant) and Datadog (Logs ingestion + dashboard templates). GRC and compliance: Vanta and Drata (evidence pipeline for SOC 2 CC6.1, CC7.2, CC8.1) and OneTrust (data mapping and TPRM, with PIA and DPIA pre-population). Don't see your stack? Talk to us.

Yes. Upgrade any time and the new tier kicks in immediately, prorated to the day. Downgrade takes effect at the end of the current billing period so you keep the features you paid for.

Yes. 50% off Lighthouse and Sentinel for verified 501(c)(3) nonprofits and accredited educational institutions. Email hello@northbeams.com with proof of status.