FAQ

Straight answers, no marketing hedge.

If a question you care about is not here, send it to hello@identrail.com — we will answer and add it.

Product basics

What does Identrail actually do?

Identrail builds a single trust graph of every machine identity in your environment — across AWS IAM, Kubernetes, GitHub Actions OIDC, and the data stores those identities can reach. It then surfaces the paths that resolve to sensitive data, ranks them by reachable impact, and shows the smallest safe fix for each one.

Is it open source?

Yes. The full platform — connectors, graph engine, detection rules, policy simulator — is Apache 2.0 on GitHub. There is no closed core. The hosted Team and Enterprise plans run the same image you can self-host.

How long does the first scan take?

Under ten minutes for a single AWS account or Kubernetes cluster. The first scan returns real findings; we do not require a multi-week onboarding before you see value.

Data and security

Is the scan really read-only?

Yes. Connector setup uses scoped read credentials only — you can audit the exact IAM policies in the repo. Policy enforcement is a separate, opt-in surface that you have to deliberately turn on.

What data do you store?

Trust-graph metadata (identities, role chains, RBAC bindings, resource ARNs), findings, and remediation history. Secret values are hashed at the edge — Identrail never stores raw credential material.

Where is hosted data stored?

Hosted Team customers pick US (us-east-1) or EU (eu-west-1). Enterprise customers pick a region or run a private single-tenant deployment in any region. Self-host puts the data in your own environment.

How do we delete our data?

In-app for Team customers, or a single email to security@identrail.com. Deletion completes within 30 days; the audit log is retained for compliance reasons.

Compliance

Are you SOC 2 compliant?

Type I is in progress with Drata, expected to close in H2 2026. Type II follows on the standard observation window. Until then, we are happy to walk through current controls under MNDA.

GDPR?

EU data residency available; standard contractual clauses and a DPA are available on request.

Have you done a third-party penetration test?

The first test is scheduled before SOC 2 Type I closes. Past code review history is maintained internally and visible to enterprise prospects under MNDA.

Pricing and adoption

How much does it cost?

Open-source self-host is free forever. Hosted Team is $19/user/mo (or $15 annual) with a three-user minimum. Enterprise is custom-scoped — see /pricing.

Why is it cheaper than other security tools?

Because we do not amortise a private platform investment over every seat. The engine is open source. Hosted pricing reflects the genuine ongoing cost of running it for you, not a sales-led ceiling.

Can we start on open-source self-host and migrate to Team later?

Yes. The data shape is identical — your graph, findings, and history move forward without re-platforming.

Still have questions?