Examples; Java, Python, Node.js, .NET, Maven, OpenJDK, Apache Spark
Examples; Spring Boot. Django, Ruby, Express.js, Flask, ASP.NET MVC / Core
Examples; Log4j / Logback, Apache Commons, Lodash, Jackson, OpenSSL, zlib
Kosai’s pricing is structured around three tiers of open source components: Runtimes, Frameworks, and Libraries. Each tier reflects a different level of architectural risk and operational impact. Runtimes cover core languages and systems, frameworks cover application logic, and libraries address embedded dependencies, allowing your team to prioritize what matters most.
You choose the specific components you want to secure within each tier. Coverage is applied universally across all environments, dev, staging, and production, with no additional charges for duplicative usage. Whether a covered component runs in one app or across your entire stack, you’re protected without surprise costs.
This model gives engineering and security teams the flexibility to evolve their architecture without compromising on security. As your stack changes, you can add or shift coverage across tiers, ensuring your investment always aligns with your current risk surface.
Add or reassign coverage as your stack evolves. No lock-in, no rigid bundles, just risk-driven OSS security that adapts to your priorities.
We secure the core runtimes your applications rely on, even legacy or unmaintained versions, with drop-in patches and no need for system-wide upgrades.
Build tools and package managers (e.g., Maven, Gradle, pip, npm)
Kosai maintains security coverage for frameworks and their entire dependency tres including transitive and EOL components. Examples;
Kosai maintains security coverage for critical open source libraries, including patched, signed versions and their full transitive dependencies. Examples;
Kosai’s tiered coverage model aligns with how software is structured in modern enterprise environments:
Runtime Coverage protects the foundational systems your software runs on, like Java, Python, Node.js, .NET, or Kubernetes. Vulnerabilities here can compromise your entire platform and affect multiple applications at once.
Framework Coverage secures the application-layer technologies that shape how your software behaves, like Spring Boot, Django, Rails, or Express.js. These frameworks typically handle business logic, integrations, and request routing.
Library Coverage focuses on embedded dependencies, reusable packages like Log4j, Apache Commons, or OpenSSL, that are included in your apps to provide specific functionality. These are often nested deep and silently introduce risk.
Each tier reflects a different level of exposure and operational impact, helping you prioritize where to apply security based on real architectural risk.
No, you only pay once per covered component, regardless of how many environments it runs in.
Kosai provides universal coverage across all your environments: development, staging, production, QA, and across all regions or deployments. There are no additional charges for duplicated usage of the same component.
Once a component is covered, it’s secured everywhere it runs within your organization. This keeps your costs predictable and ensures that security is applied consistently across your entire software delivery pipeline, without forcing you to track usage at the environment level.
This model is built for how modern teams actually deploy software: across multiple environments, regions, and containers, fast-moving, scalable, and secure by default.
Yes. Kosai is designed to be flexible, so you can create custom bundles of coverage across Runtimes, Frameworks, and Libraries based on your actual stack and risk priorities.
For example, you might start by securing 2 runtimes and 5 high-risk libraries, then later add application frameworks as audit requirements expand or new systems come online. This modular approach means you’re never locked into a rigid package, you can scale coverage as your architecture evolves.
Many enterprise customers begin with a coverage bundle such as:
3 Runtimes
3 Frameworks
5 Libraries
This structure makes it easy to align security investment with business risk, compliance needs, and platform maturity, while keeping total cost of ownership predictable.
If you stop using a covered component, Kosai allows you to reassign that coverage to another component within the same tier, at no additional cost.
We know that software stacks evolve. Teams may deprecate older services, consolidate platforms, or adopt new tools over time. Our model is designed to accommodate that change without penalizing you for being agile.
For example, if you retire Python 2 from your infrastructure mid-contract, you can reallocate that Runtime coverage to Go, Java, or another runtime you’re onboarding. The same applies to Framework and Library tiers, giving your team full control over where your security investment goes.
You can get a free subscription to Kosai.
