Reference

Features by plan

Single source of truth for what ships, what plan gates it, and which backend handler implements it. Derived directly from backend/migrations/041_plan_features.sql and every requireFeature() call in the codebase.

Honest limits: Machine limits (100 on every plan) are enforced post-hoc by a background cron job, not at registration time. Hard registration-time gates are on the Q3 2026 roadmap. User limits are policy ceilings on Free (3 users) and unlimited on paid plans.

At a glance

Free

$0 forever · 100 machines · 3 users · community support. All networking, AI assistant, DNS filtering, JIT workflow, posture, SSO included.

Business

$10/mo · 100 machines · unlimited users · 60-day trial · priority support. Adds session recording, compliance reports, secrets vault, SCIM, honeypot, AI actions.

Workforce

Contact sales · 100 machines · unlimited users · dedicated support + SLA. Adds workforce analytics, DLP, CASB, anomaly detection, user risk, remote desktop, DEM, cloud-VPC integrations.

Full feature matrix

Every row shows the exact backend handler and (where applicable) the requireFeature() key.

Networking & Connectivity

Core ZTNA primitives. Shipped on every plan, no gate, no trial.

Feature Handler / key Free Business Workforce
Post-Quantum WireGuard (ML-KEM-768) key-exchange.ts
MagicDNS dns-management.ts
DERP relays (4 regions) derp-relay.ts
STUN NAT discovery ztna/server/
ACL policies (ABAC) acl-evaluate.ts
Subnet routing machine-admin.ts
Exit nodes machine-admin.ts
Device posture posture-report.ts
Auto-quarantine posture-report.ts
Tailnet IP allocation (atomic) utils.ts

AI & Assistant

Claude-powered. Chat, ACL generation, event digests, incident response, auto-remediation.

Feature Handler / key Free Business Workforce
AI chat ai-assist.ts / ai_chat
Natural-language ACL builder ai-assist.ts / nl_acl_builder
Event summarizer ai-assist.ts / event_summarizer
Security digest (24h) admin-insights.ts / security_digest
Policy drift detection admin-insights.ts / policy_drift
Access heatmap admin-insights.ts / access_heatmap
AI actions (auto-remediation) ai-assist.ts / ai_actions
Incident response playbooks ai-assist.ts / incident_response
JIT access recommendations admin-insights.ts / jit_recommendations

Security & Threat Detection

Defense in depth — shipped in a single agent, not five separate tools.

Feature Handler / key Free Business Workforce
DNS filtering dns-filter.ts / dns_filtering
Cloud firewall (FaaS) firewall-service.ts / faas_firewall
Honeypot / deception honeypot.ts / deception
Anomaly detection (UEBA) anomaly-detection.ts / anomaly_detection
Data Loss Prevention (DLP) dlp.ts / dlp
CASB (shadow-IT) casb.ts / casb
User risk scoring user-risk.ts / user_risk_scoring

Governance & Compliance

Audit-ready by default. SOC 2 / ISO 27001 / HIPAA artifacts generated, not assembled.

Feature Handler / key Free Business Workforce
Compliance reports admin-insights.ts / compliance_reports
Continuous compliance governance.ts / continuous_compliance
Session recording session-recording.ts / session_recording
JIT access workflow governance.ts
Access review campaigns governance.ts
Policy version rollback governance.ts

Identity & Provisioning

Bring your identity provider. SSO, SCIM, OAuth — all free. MFA-ready, device-bound.

Feature Handler / key Free Business Workforce
Email + password auth.ts
GitHub / Google OAuth github-auth.ts, google-auth.ts
SAML / OIDC SSO sso-auth.ts
TOTP MFA + backup codes auth.ts
SCIM 2.0 provisioning scim.ts / scim
Org groups (departments) org-groups.ts / org_groups

Endpoint Management

One agent — remote commands, secure shell, WebRTC desktop, OTA updates.

Feature Handler / key Free Business Workforce
Remote management (shell, commands) agent-command.ts / remote_management
Remote desktop (WebRTC) remote-desktop.ts / remote_desktop
Software inventory + patch inventory-report.ts / software_inventory
Device wipe / lock machine-admin.ts
OTA agent updates client-version.ts

Data & Access Layer

Protect internal apps, databases, Kubernetes, cloud VPCs — through the same tailnet.

Feature Handler / key Free Business Workforce
Secrets vault (AES-256-GCM) secrets-vault.ts / secrets_vault
Database access broker db-access.ts / cloud_vpc
Kubernetes access k8s-access.ts / cloud_vpc
Cloud firewall sync (AWS/Azure/GCP) cloud-firewall.ts / cloud_vpc
App connector (reverse proxy) app-connector.ts / app_gateway
Webhook forwarder forward-webhook.ts / app_gateway
Terraform provider terraform-api.ts / app_gateway

Workforce & Productivity

Built for distributed teams. Consent-first, GDPR-aware, compliance-ready.

Feature Handler / key Free Business Workforce
Session tracking workforce-analytics.ts / workforce_analytics
App / domain usage workforce-analytics.ts / workforce_analytics
Productivity scoring workforce-analytics.ts / workforce_analytics
Schedule compliance workforce-analytics.ts / workforce_analytics
Digital Experience Monitoring (DEM) dem.ts / dem
GDPR monitoring consent workforce-analytics.ts / workforce_analytics

Listed but not actually gated

Brutally honest: these are free on all plans today. Three feature keys appear in the plan_features migration but have zero requireFeature() calls in any handler. They're effectively free for everyone. Investors and docs readers should know.

risk_engine

Listed in plan_features, never gated at runtime.

window_tracking

Marketed as Workforce-only, but no backend gate.

dns_analytics

Advanced DNS reports free for everyone today.
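
A drift check for the gap described in this section, as an added example that is not code from this project: it compares the keys listed in a plan_features migration with the requireFeature() calls found in handler sources and reports keys that nothing enforces. The SQL layout, the plan values, the requireFeature(ctx, key) call shape, hypothetical-handler.ts and featureKey are constructed assumptions.

```typescript
// Constructed stand-in for backend/migrations/041_plan_features.sql. The
// table layout and plan values are assumptions; the keys are from the page.
const MIGRATION_SQL = `
INSERT INTO plan_features (plan, feature_key) VALUES
  ('free', 'ai_chat'), ('free', 'dns_filtering'), ('business', 'secrets_vault'),
  ('workforce', 'risk_engine'), ('workforce', 'window_tracking'),
  ('workforce', 'dns_analytics');`;

// Constructed handler sources; the requireFeature(ctx, key) call shape is assumed.
const HANDLERS: Record<string, string> = {
  "ai-assist.ts": `await requireFeature(ctx, "ai_chat");`,
  "dns-filter.ts": `await requireFeature(ctx, 'dns_filtering');`,
  "secrets-vault.ts": `await requireFeature(ctx, "secrets_vault");`,
  "hypothetical-handler.ts": `
    // await requireFeature(ctx, "window_tracking");
    await requireFeature(ctx, featureKey);`,
};

// Feature keys listed in ('plan', 'feature_key') tuples of the migration.
function migrationKeys(sql: string): string[] {
  const keys: string[] = [];
  const tuple = /\(\s*'[^']*'\s*,\s*'([a-z0-9_]+)'\s*\)/g;
  let m: RegExpExecArray | null;
  while ((m = tuple.exec(sql)) !== null) if (keys.indexOf(m[1]) < 0) keys.push(m[1]);
  return keys;
}

function auditGates(sql: string, handlers: Record<string, string>) {
  const gated: string[] = [];
  const dynamic: string[] = [];
  const call = /requireFeature\s*\(([^)]*)\)/g;
  for (const file of Object.keys(handlers)) {
    // Strip comments so a commented-out gate does not count as enforcement.
    const code = handlers[file].replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/.*$/gm, "");
    let m: RegExpExecArray | null;
    while ((m = call.exec(code)) !== null) {
      const lit = /["'`]([a-z0-9_]+)["'`]/.exec(m[1]);
      if (lit) gated.push(lit[1]);
      else dynamic.push(file); // non-literal key: cannot be resolved statically
    }
  }
  const ungated = migrationKeys(sql).filter((k) => gated.indexOf(k) < 0);
  return { ungated, dynamic };
}

const report = auditGates(MIGRATION_SQL, HANDLERS);
console.log(JSON.stringify(report));
```

Run in CI, a non-empty `ungated` list fails the build until the key is either gated in a handler or removed from the migration; files in `dynamic` need a manual look because the key is passed as a variable.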

Superadmin

  • Hardcoded email in backend/src/middleware/superadmin.ts
  • Has cross-org read/write via /api/platform-admin
  • Returned as is_superadmin: true in /api/feature-check response
  • Does not bypass plan gates at the backend — a superadmin on a Free org is still blocked from paid features at the handler level. The frontend uses the flag only to show the admin UI.

See also

  • Pricing — plan pricing, trial mechanics, billing caveats
  • API Reference — every handler, every action
  • Security — threat model + cryptographic commitments