Free
$0
No signup. No account.
- 3 scans / 24h per network
- Full mutability + chain trace
- Reputation: Safe Browsing + URLhaus
- All 25 payload-type analyzers
Pricing
Camera decoding is free. Verdicts are metered.
Browser-side QR decoding runs on your device and never hits a server — that part stays free. Server-side classification (reputation, chain trace, mutability, sub-payload analysis) is metered. 3 anonymous scans per IP every 24 hours, then a paid tier when you need more.
Personal
$9/mo
For the security-aware individual.
- 300 scans / month
- Single user
- Saved scan history (30 days)
- 1 mutation alert
Starter
$29/mo
Small team, shared account.
- 3,000 scans / month
- Up to 5 team members
- REST API access
- 5 mutation alerts
- Chainabuse reputation
- Scan history (90 days)
Pro Most popular
$99/mo
For growing teams + brands.
- 20,000 scans / month
- Up to 25 team members
- Per-user API keys
- 25 mutation alerts
- Chainabuse + urlscan.io
- Bulk CSV scanning + webhooks
- Scan history (1 year)
Business
$299/mo
Mid-market security teams + MSSPs.
- 100,000 scans / month
- Up to 100 team members
- Everything in Pro
- SSO (OAuth) + audit logs
- Slack / Teams delivery
- 99.9% endpoint SLA
- Scan history (3 years)
Enterprise
$1,500/mo
Enterprise IT / security rollout.
- 750,000 scans / month
- Up to 1,000 team members
- SAML / OIDC SSO + SCIM
- MDM-distributed iOS / Android / desktop apps
- SIEM webhooks (Splunk, Sentinel, Sumo)
- VirusTotal Premium add-on
- BAA available · 99.95% SLA
Need more than Enterprise?
Enterprise Scale — custom scan + seat limits, negotiated MSA, BAA, custom SLA, US / EU / FedRAMP residency, private VPC or on-prem deployment, per-tenant indicator feeds, 24×7 incident response.
Pricing FAQ
What counts as a scan?
One scan = one decoded payload submitted to the server-side /api/scan endpoint. Browser-side decoding (the camera read or image upload that turns a QR into text) is not metered — that runs on your device. We only meter the verdict pipeline (chain walk, reputation queries, mutability classification, sub-payload analysis). Identical payloads scanned within the cache TTL count once.
How does the 3-scans-per-24h free cap work?
Free anonymous use is rate-limited by a hash of your IP (plus a server-held salt — we don't store IPs in cleartext). 3 successful classifications per 24-hour rolling window. The cap resets independently per IP. Signed-up free accounts get 25 scans/month on top.
What's a mutation alert?
You hand us a QR's decoded payload; we re-walk the redirect chain on a periodic cadence and email you if the terminal destination, redirect targets, or set of indirection-service operators changes. Catches the most common quishing pattern: print a clean QR, swap the destination to phishing months later, harvest scans from the printed asset. Personal includes 1 alert; Starter 5; Pro 25; Business and Enterprise unmetered.
What happens if I hit my cap?
The API returns a 429 with a retry_after header. We never silently downgrade verdict quality or stop classifying — you simply can't submit more scans until the window resets or you upgrade.
Do you offer annual billing?
Yes, at all paid tiers (Personal through Enterprise). Annual is two months free relative to monthly — same monthly cap, prepaid yearly. Enterprise Scale contracts are annual by default with custom terms.
Can I switch tiers mid-cycle?
Yes. Upgrades take effect immediately and we pro-rate the new tier. Downgrades take effect at the end of the current billing cycle.
Do you offer BAA, DPA, or HIPAA-aligned coverage?
BAA is available on Enterprise. DPA is included on every paid tier. For HIPAA-aligned workloads (Smart Health Card scanning, healthcare deployment), Enterprise + BAA is the supported configuration. Enterprise Scale can negotiate residency (US, EU, or FedRAMP-class) and on-prem deployment.
Why is server-side classification metered and camera decoding isn't?
Camera decoding is pure local compute on your device — there's nothing for us to meter and no marginal cost to us. Server-side classification consumes our infrastructure (reputation-service API quotas, redirect-chain walking bandwidth, CPU). The meter aligns price with the cost driver.
What if I'm a security researcher / non-profit / educator?
Email hello@abundera.ai with your use case. We grant Pro-tier free for academic security research, journalist investigations, and consumer-protection non-profits.