Pricing
Start on Free forever.
Upgrade when you need it.
Post-quantum crypto on every plan. 100 devices on Free. 60-day Business trial. No credit card to start. Honest limits, fully documented.
Free
For homelabs, founders, small teams.
$0 /mo forever
- 100 machines
- 3 users
- Community support
- PQC-encrypted ZTNA (ML-KEM-768)
- MagicDNS + WireGuard mesh
- ACL policies + device posture
- DNS filtering + cloud firewall
- AI Assistant (chat, ACL builder, digest)
- JIT access + access reviews
- SSO · GitHub · Google · TOTP MFA
- 4 global DERP relays
No credit card required
Most popular
Business
For growing teams · 60-day free trial.
$10 /mo
- 100 machines
- Unlimited users
- Priority email support
- Everything in Free
- Remote management + remote shell
- Session recording
- Compliance reports (SOC 2, ISO, HIPAA)
- Continuous compliance scanning
- Secrets vault (AES-256-GCM)
- Honeypot / deception
- SCIM 2.0 provisioning
- AI actions + incident response
- JIT recommendations
No credit card required
Workforce
For regulated orgs & distributed workforces.
Contact sales
- 100 machines
- Unlimited users
- Dedicated support + SLA
- Everything in Business
- Workforce analytics + DEM
- DLP + CASB + anomaly detection
- User risk scoring
- Remote desktop (WebRTC)
- Software inventory + patch overview
- App connector (reverse proxy)
- Database access broker
- Kubernetes access
- Cloud firewall sync (AWS/Azure/GCP)
- Terraform provider
- Org groups (departments)
No credit card required
Compare every feature
What's on each plan, row by row.
Derived directly from the feature-gate code. If it's here, it ships.
| Feature | Free | Business | Workforce |
|---|---|---|---|
| **Core networking** | | | |
| Machines per org | 100 | 100 | 100 |
| Users per org | 3 | Unlimited | Unlimited |
| Post-quantum WireGuard (ML-KEM-768) | | | |
| MagicDNS | | | |
| DERP relays (4 global regions) | | | |
| ABAC policies + device posture | | | |
| Subnet routes + exit nodes | | | |
| Auto-quarantine on posture fail | | | |
| **Identity** | | | |
| Email + password | | | |
| GitHub / Google OAuth | | | |
| SAML / OIDC SSO | | | |
| TOTP MFA + backup codes | | | |
| SCIM 2.0 provisioning | | | |
| Org groups (departments) | | | |
| **AI assistant** | | | |
| AI chat | | | |
| Natural-language ACL builder | | | |
| Security digest (24h) | | | |
| Event summarizer | | | |
| Policy drift detection | | | |
| Access heatmap | | | |
| AI auto-remediation actions | | | |
| Incident response playbooks | | | |
| JIT access recommendations | | | |
| **Security & threat** | | | |
| DNS filtering | | | |
| Cloud firewall (FaaS) | | | |
| Deception / honeypot | | | |
| Anomaly detection (UEBA) | | | |
| Data Loss Prevention (DLP) | | | |
| CASB + shadow-IT | | | |
| User risk scoring | | | |
| **Governance & compliance** | | | |
| JIT access workflow | | | |
| Access review campaigns | | | |
| Policy versioning + rollback | | | |
| Compliance reports (SOC 2, ISO, HIPAA) | | | |
| Continuous compliance scanning | | | |
| Session recording | | | |
| Audit log retention | 90 days | 90 days | 90 days |
| **Endpoint management** | | | |
| Device wipe / lock | | | |
| OTA agent updates | | | |
| Remote management + shell | | | |
| Remote desktop (WebRTC) | | | |
| Software inventory + patch overview | | | |
| **Data & access** | | | |
| Secrets vault (AES-256-GCM) | | | |
| Database access broker | | | |
| Kubernetes access proxy | | | |
| Cloud firewall sync (AWS/Azure/GCP) | | | |
| App connector (reverse proxy) | | | |
| Webhook forwarder | | | |
| Terraform provider | | | |
| **Workforce analytics** | | | |
| Session tracking | | | |
| App / domain usage | | | |
| Productivity scoring | | | |
| Schedule compliance | | | |
| Digital Experience Monitoring (DEM) | | | |
| GDPR monitoring consent | | | |
| **Support & ops** | | | |
| Support channel | Community | Priority email | Dedicated + SLA |
| Trial | — | 60 days | Pilot on request |
| Custom invoicing | | | |
| DPA + SOC 2 report on request | | | |
FAQ
Questions, answered honestly.
Is post-quantum crypto really on the Free plan?
Yes. Every WireGuard tunnel, on every plan, uses X25519 + ML-KEM-768 hybrid key exchange. It's not a paid feature — it's the default. The PSK is derived via HKDF-SHA256 from both classical and post-quantum shared secrets.
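An added example, not the vendor's code: one way to derive a 32-byte WireGuard preshared key from the classical and post-quantum shared secrets with HKDF-SHA256 (RFC 5869). The concatenation order, the empty salt and the `info` label are assumptions, since the page does not specify them.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM); empty salt means 32 zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 can output at most 8160 bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_hybrid_psk(ss_x25519: bytes, ss_mlkem: bytes,
                      info: bytes = b"example hybrid wireguard psk") -> bytes:
    """Combine both shared secrets into one 32-byte PSK.

    X25519 and ML-KEM-768 each yield a 32-byte shared secret, so plain
    concatenation is unambiguous. Order and `info` are assumed, not the vendor's.
    """
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("both shared secrets must be exactly 32 bytes")
    prk = hkdf_extract(b"", ss_x25519 + ss_mlkem)
    return hkdf_expand(prk, info, 32)


if __name__ == "__main__":
    # Constructed sample secrets; real ones come from the two key exchanges.
    classical = bytes(range(32))
    post_quantum = bytes(range(32, 64))
    print(derive_hybrid_psk(classical, post_quantum).hex())
```

Because the PSK depends on both inputs, recovering only the X25519 secret or only the ML-KEM-768 secret does not determine it.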
Why only Razorpay? What about Stripe / wire / invoice?
We launched in India first, so Razorpay is the self-serve default (supports 100+ countries via Razorpay International). For non-Razorpay regions or invoice/wire/cheque payment, contact sales@quickztna.com. Stripe is on the 2026-Q2 roadmap.
What happens when I hit the 100-machine limit on Free?
A background job (runs every 5 min) flags excess machines as over-quota; they stop heartbeating until you either delete old machines or upgrade. Nothing is deleted. When you upgrade, features unlock immediately and the quota is cleared.
Can I downgrade? What happens to my data?
Yes, any time from the Billing page. Paid features gate down immediately. No data is deleted — if you downgrade then re-upgrade, everything resumes where it left off.
What does the 60-day Business trial include?
All Business-tier features. No credit card required. On day 61 the org auto-downgrades to Free via the expire-trials cron. You can extend via sales if you need more runway for a pilot.
Is there a self-hosted / on-prem option?
The architecture supports it (Docker Compose + PostgreSQL + Valkey + S3-compatible object storage), but we haven't productized it yet. Contact sales if you need an air-gapped deployment; we do custom deployments for regulated industries.
Are superadmins bypassing plan gates?
No. Platform superadmins have cross-org read/write for support, but plan gates are enforced at handler level. A superadmin helping a Free-tier org still hits FEATURE_GATED on paid endpoints. This is intentional.
What are the real enforced limits?
Feature gates are strict (every paid handler calls requireFeature). Machine limits are enforced post-hoc by a background cron job (every 5 min), not at registration time; we're migrating to hard gates in Q3 2026. User limits are policy and are not hard-gated in the invite flow.
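The handler-level gate from the two answers above, sketched as an added example (not the vendor's code): the entitlement check reads only the target org's plan, so a superadmin's cross-org access passes authorization but still gets FEATURE_GATED. `require_feature` is a Python stand-in for the page's requireFeature; the status codes, feature keys, org records and the other error strings are assumptions.

```python
from dataclasses import dataclass
from functools import wraps

# Constructed plan-to-feature map; the keys are hypothetical names.
PLAN_FEATURES = {
    "free": {"dns_filtering", "jit_access"},
    "business": {"dns_filtering", "jit_access", "session_recording", "secrets_vault"},
}


@dataclass(frozen=True)
class Caller:
    user_id: str
    org_id: str
    is_superadmin: bool = False


# Constructed org records: org id -> plan.
ORG_PLANS = {"org-free": "free", "org-biz": "business"}


def require_feature(feature):
    """Wrap a handler so it runs only if the *target org's* plan includes `feature`."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(caller, org_id):
            plan = ORG_PLANS.get(org_id)
            if plan is None:
                return 404, {"error": "NOT_FOUND"}
            # Authorization: org members, or platform superadmins acting cross-org.
            if caller.org_id != org_id and not caller.is_superadmin:
                return 403, {"error": "FORBIDDEN"}
            # Entitlement: deliberately ignores caller.is_superadmin.
            if feature not in PLAN_FEATURES.get(plan, set()):
                return 403, {"error": "FEATURE_GATED"}
            return handler(caller, org_id)
        return wrapped
    return decorator


@require_feature("session_recording")
def list_recordings(caller, org_id):
    return 200, {"org": org_id, "recordings": []}


if __name__ == "__main__":
    support = Caller("u-support", "platform", is_superadmin=True)
    print(list_recordings(support, "org-free"))  # gated despite superadmin
    print(list_recordings(support, "org-biz"))   # allowed: plan includes the feature
```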
Ship 100 devices today. Quantum-safe forever.
Issue one auth key. Pipe one install command. Your whole workforce is on the tailnet.