Pricing
All plans include the full scan suite — Trivy, ClamAV, rkhunter, MalDet, SSH hardening, file integrity, and WordPress scanning. Upgrade for more sites and faster scan schedules.
Pick your entry route
Every plan includes both website monitoring and the Linux server agent — but the limits are independent and you don't have to use both. Start with whichever fits, add the other when you're ready.
Sites only
Monitor any URL externally — SSL, headers, blacklists, email security, and full WordPress CVE coverage. No agent install required.
Start with the free Starter plan, then jump to Basic for 5 sites.
How site monitoring works →Servers only
Install the lightweight agent on each server — Trivy, ClamAV, rkhunter, MalDet, SSH hardening, file integrity, and one-click patching from the dashboard.
Free Starter covers 1 server; Basic adds 2 more.
How the agent works →Both / agencies
Linked sites and servers unlock authenticated WP plugin scans, agent-assisted .htaccess fixes, scoped per-site forensic diagnostics, and one dashboard for the lot. Best fit for agencies and MSPs.
Professional or Agency tier (the Stripe SKUs below).
Read the docs →All prices include UK VAT at 20%. Receipts via Stripe show the tax breakdown.
Need a couple more sites without jumping a tier? Add extra site slots to any paid plan for £5/site/mo — manage from Settings → Billing once subscribed.
Free
1
WP site
1
server
24 hours
WP scan interval
£25/mo
or £240/yr — save £60
5
WP sites
2
servers
24 hours
WP scan interval
Everything in Starter, plus:
£65/mo
or £624/yr — save £156
25
WP sites
5
servers
12 hours
WP scan interval
Everything in Basic, plus:
£149/mo
or £1430/yr — save £358
125
WP sites
25
servers
6 hours
WP scan interval
Everything in Professional, plus:
14-day free trial on every paid plan · no credit card needed to start · cancel anytime
Want to see what reports look like? Download a sample monthly PDF report.
Add-on · any plan
Bolt a retainer onto any Astrari plan and our UK engineers handle the remediation side: patching, hardening, incident response, and routine portfolio care. Three tiers — Essential from £150/mo, Standard from £400/mo, Active from £950/mo. No annual lock-in.
Add-on · any plan · usage-based
Off-host, append-only backups for any server you already monitor. Snapshots land in EU-hosted Backblaze B2, encrypted client-side via restic, with a recovery score per asset. Sandbox restore from the dashboard with optional path filter — pulls files into a non-destructive folder on the host so you copy what you need, where you need it.
£0.05 per GB stored per month. No per-server fee, no minimum. Restore egress: £0.02/GB above 10 GB included free per month. Pay-as-you-store; the dashboard shows your live monthly bill estimate.
All plans share the same scan engines. The differences are in limits, alert channels and multi-tenancy.
| Feature | Starter | Basic | Professional | Agency |
|---|---|---|---|---|
| Limits | ||||
| Websites monitored | 1 | 5 | 25 | 125 |
| Linux servers monitored | 1 | 2 | 5 | 25 |
| WP scan schedule | 24 h | 24 h | 12 h | 6 h |
| Server scan schedule | Every 6 h | Every 6 h | Every 6 h | Every 6 h |
| Agent check-in interval | 30 sec | 30 sec | 30 sec | 30 sec |
| Data retention | 7 days | 30 days | 90 days | 1 year |
| Scanners (all plans) | ||||
| Trivy CVE scanning (OS packages) | ✓ | ✓ | ✓ | ✓ |
| ClamAV malware scanning | ✓ | ✓ | ✓ | ✓ |
| rkhunter rootkit detection | ✓ | ✓ | ✓ | ✓ |
| MalDet web malware (PHP shells) | ✓ | ✓ | ✓ | ✓ |
| SSH hardening checks + auto-fix | ✓ | ✓ | ✓ | ✓ |
| File integrity monitoring | ✓ | ✓ | ✓ | ✓ |
| Firewall + listening-port exposure | ✓ | ✓ | ✓ | ✓ |
| Exposure probes — bound interfaces, exposed files, weak TLS, admin panels | ✓ | ✓ | ✓ | ✓ |
| Auth-less Redis/Memcached/Elasticsearch detection | ✓ | ✓ | ✓ | ✓ |
| Custom probe rules — HTTP, port and file kinds (org-scoped or global) | ✓ | ✓ | ✓ | ✓ |
| WordPress plugin / theme / core CVEs | ✓ | ✓ | ✓ | ✓ |
| Security headers + cookie flags | ✓ | ✓ | ✓ | ✓ |
| SSL cert + domain expiry monitoring | ✓ | ✓ | ✓ | ✓ |
| SPF / DMARC / DNSSEC strength checks | ✓ | ✓ | ✓ | ✓ |
| TLS deep audit (protocols, keys, HSTS) | ✓ | ✓ | ✓ | ✓ |
| Exposed file detection | ✓ | ✓ | ✓ | ✓ |
| SEO spam, cloaking, hidden-link detection | ✓ | ✓ | ✓ | ✓ |
| WP database injection scan (agent) | ✓ | ✓ | ✓ | ✓ |
| Cloudflare edge integration (read-only) | ✓ | ✓ | ✓ | ✓ |
| Uptime monitoring (5-min probes) | ✓ | ✓ | ✓ | ✓ |
| Content / defacement monitoring (6h) | ✓ | ✓ | ✓ | ✓ |
| JS supply-chain change detection | ✓ | ✓ | ✓ | ✓ |
| Subdomain takeover detection (weekly) | ✓ | ✓ | ✓ | ✓ |
| Performance regression alerts (weekly) | ✓ | ✓ | ✓ | ✓ |
| On-demand scans (any time, any tool) | ✓ | ✓ | ✓ | ✓ |
| Forensic diagnostics (boot, OOM, logs) | ✓ | ✓ | ✓ | ✓ |
| Alerts | ||||
| Dashboard alerts and findings inbox | ✓ | ✓ | ✓ | ✓ |
| Email alerts for new findings | — | ✓ | ✓ | ✓ |
| Slack integration | — | — | ✓ | ✓ |
| Microsoft Teams integration | — | — | ✓ | ✓ |
| PagerDuty integration | — | — | ✓ | ✓ |
| Generic webhook (HMAC-signed) | — | — | ✓ | ✓ |
| Per-asset routing + severity threshold | — | ✓ | ✓ | ✓ |
| Multi-tenant / agency | ||||
| Reports (PDF) — server, site, summary | ✓ | ✓ | ✓ | ✓ |
| Group servers + sites under named clients | — | — | ✓ | ✓ |
| Client sub-accounts (separate logins) | — | — | — | ✓ |
| Per-client API keys | — | — | — | ✓ |
| Org-wide API keys | — | — | ✓ | ✓ |
| Support | ||||
| Self-serve docs and FAQ | ✓ | ✓ | ✓ | ✓ |
| Email support | — | ✓ | ✓ | ✓ |
| Priority response (≤1 business day) | — | — | ✓ | ✓ |
| Direct incident line | — | — | — | ✓ |
Agency economics
On the Agency plan at £149/mo you can monitor up to 125 sites and 25 servers. Bill each client £25/mo for security monitoring — cover your plan cost with just 6 clients, and every additional client is pure margin.
£149/mo
your cost (Agency)
6 clients
to break even at £25/client
£351/mo
net margin at 20 clients
WordPress threat intelligence
All plans include access to a continuously updated vulnerability database powered by Wordfence Intelligence. New CVEs go live within minutes — your sites are evaluated automatically on each scan.
12,250+
vulnerabilities tracked
7,600+
plugins & themes covered
20–150
new CVEs added per week
< 5 min
from publication to alert
What counts as a 'WordPress site'?
Any WordPress URL you add to your dashboard for external scanning. No plugin install required — Astrari scans from outside your site over HTTP/HTTPS.
Do server slots count separately from WordPress sites?
Yes. Each plan has its own caps for both: Starter = 1 server / 1 site, Basic = 2 servers / 5 sites, Professional = 5 servers / 25 sites, Agency = 25 servers / 125 sites. Server monitoring (the Linux agent) and WordPress site scanning are tracked independently.
Is there a free trial? Do I need a card?
Every paid plan includes a 14-day free trial. No credit card required — just sign up and you're in. After 14 days, mutating actions (new scans, new sites/servers, alert changes) are paused until you choose a plan; viewing your existing dashboard stays available so you can subscribe at any time.
Do you offer annual billing?
Yes — annual billing saves 20% compared to monthly. You can switch interval at any time from the billing page or the Stripe customer portal.
Can I add extra sites without changing plan?
Yes. Any paid plan lets you stack extra site slots at £5 / €6 / $7 per site / month (annual variants save 20%). Go to Settings → Billing once subscribed and use the stepper to add as many as you need. Each extra adds a pro-rated line to your next invoice; reduce the count any time and Stripe credits the unused portion. Only WP sites are sold as add-ons today — server slots scale by plan tier.
How does currency selection work?
We bill in GBP, EUR, or USD — you pick at checkout and it's locked for that subscription. To change currency, cancel and re-subscribe in the new currency. Prices on the cards update live as you switch the picker.
How often are WordPress sites scanned?
Starter and Basic: every 24 hours. Professional: every 12 hours. Agency: every 6 hours. On-demand scans are available on all plans at any time.
What is the Agency client sub-accounts feature?
Agency plan customers can create separate client sub-accounts. Each client sees only their own sites and servers. Useful for agencies that manage infrastructure for multiple clients under one Astrari login.
Can I cancel at any time?
Yes — cancellation is handled from the Stripe customer portal we link to from your dashboard. Monthly plans run until the end of the current period. Annual plans are non-refundable after 14 days but can be cancelled to prevent renewal.
More questions? See the full FAQ or get in touch.