Per-asset pricing is the #1 SMB complaint about Qualys, Tenable and Rapid7. Perimeter charges a flat price with generous caps, so your bill is predictable. Annual billing saves 15%.
- DIY / single small org
- Small org, light surface
- Growing, compliance-driven SMB
- + ~$8 / managed client
Every price below is the vendor's own published or widely-cited figure. The pattern is consistent: the SMB-friendly tools (Intruder, Detectify) leave out internal authenticated scanning or container/SBOM, and the enterprise tools (Nessus, Qualys, Rapid7) charge per-asset or per-scanner and sell ASM, prioritization and compliance as separate line items. Perimeter ships all of it in one flat per-company price.
| Capability | Perimeter | Intruder.io | Nessus (Tenable) | Qualys VMDR | Rapid7 InsightVM | Detectify |
|---|---|---|---|---|---|---|
| External attack-surface management | Yes | Yes | Expert tier only | Add-on | Separate product | Yes |
| Internal authenticated network scan | Free tier | $499 Pro gate | Yes | Yes (appliance) | Yes | No |
| Container / SBOM / dependency CVEs | Included | No | No | Separate module | Separate module | No |
| IaC misconfiguration scanning | Included | No | No | Add-on | Add-on | No |
| Exploit-first ranking (EPSS + KEV over CVSS) | Free | Yes | VPR (Pro+) | TruRisk (paid) | Yes | Partial |
| Transparent FP suppression + reasons | Yes | No | No | No | No | No |
| FP feedback loop (remembered across rescans) | Yes | No | No | Manual mute | Manual mute | No |
| Multi-engine corroboration | Yes | No | No | No | No | No |
| Findings = signed compliance evidence | PCI/HIPAA/SOC2/ISO/CMMC | Thin | Reports only | Separate module | Reports only | No |
| Cross-product evidence graph | Sightline + Bastion | No | No | No | No | No |
| No scanner-appliance fee | Runs on Lookout agent | SaaS | Per scanner | ~$8–9k/yr each | SaaS | SaaS |
| No per-asset bill / asset minimum | Flat + caps | Per-target | Per scanner | ~$199–250/asset | ≥512-asset min | Per-subdomain |
| Genuinely useful free tier | Full engine, signed evidence | Trial only | No | No | No | No |
| Entry price | $0 / $142 | $149/mo | $4,390/yr | ~$199–250/asset | ~$23/asset (≥512) | ~€82/mo |
| Full-triad price | $285/mo | $499/mo | $6,390/yr* | Five-figure + modules | Five-figure + ASM | ~€275/mo (ext only) |
Sources: Intruder pricing, Tenable buy, Qualys pricing (CyCognito), Rapid7 InsightVM pricing, Detectify pricing. Figures as published / widely cited at time of writing; we update as vendors change. See the full breakdowns: vs Intruder · vs Tenable / Nessus · vs Qualys.
Intruder has the cleanest SMB UX in the category — and we respect it. But it gates internal authenticated scanning to its $499/mo Pro tier, has no container or SBOM scanning, and its compliance-evidence mapping is thin. Perimeter ships the full triad and native control mapping starting at $0.
| Capability | Perimeter | Intruder.io |
|---|---|---|
| External attack-surface management | Yes | Yes |
| Internal authenticated scanning | Free tier (Lookout agent) | Gated to $499 Pro |
| Container image scanning | Yes (Trivy) | No |
| SBOM / dependency CVE scanning | Yes (Trivy) | No |
| IaC misconfiguration scanning | Yes (Trivy) | No |
| Exploit-first ranking (EPSS + KEV over CVSS) | Free | Yes |
| FP suppression + reasons + feedback loop | Yes | No |
| Subdomain-takeover detection | Yes | Yes |
| Emerging-threat / rapid-response runs | Yes (free tier) | Yes |
| Findings = signed compliance evidence | PCI/HIPAA/SOC2/ISO/CMMC | Thin |
| Cross-product evidence graph | Sightline + Bastion + Ward | No (single product) |
| No scanner-appliance fee | Runs on Lookout agent | SaaS |
| Starting price | $0 | $149/mo |
Intruder pricing and feature gating per intruder.io/pricing at time of writing. We update comparisons as vendors change.
If you only need clean external scanning and never want to deploy an agent, Intruder's onboarding is excellent. Perimeter's edge shows up the moment you need internal authenticated scans, container/SBOM coverage, or you have a compliance auditor asking for control-level evidence — that's where the $499 gate and the missing scan types bite.
Intruder reserves internal authenticated scanning for its $499/mo Pro plan. Perimeter includes it on the free tier via the Lookout agent.

vs Intruder: $499/mo → $0

Intruder, Nessus and Detectify don't scan container images or dependency/SBOM CVEs at all; Qualys and Rapid7 sell them as extra modules. Perimeter bundles Trivy in Pro.

vs Qualys/Rapid7: +modules → included

Qualys runs ~$199–250 per asset/yr plus ~$8–9k scanner appliances; Rapid7 forces a ≥512-asset minimum. Perimeter is flat per-company with generous caps.

vs Qualys: ~$199–250/asset → flat

Where the enterprise tools sell compliance reporting as another module and the SMB tools skip it, every Perimeter finding auto-maps to PCI / HIPAA / SOC 2 / ISO / CMMC and exports as an HMAC-signed evidence record.

vs all: extra module → native + signed

The common complaint about Qualys and Nessus is the false-positive flood. Perimeter ranks exploit-first and suppresses likely FPs with a reason — and remembers when you mark one, free on every tier.

vs incumbents: ~30% FP noise → suppressed

No $8–9k/yr scanner appliance fees (Qualys) — internal scans run on your existing Lookout agent box. No ≥512-asset minimum commit (Rapid7). No paywall on the exploit-prioritization layer (Tenable VPR / Qualys TruRisk). And AI remediation guidance is bring-your-own-key — we never charge you for inference.