Pricing

Hitt Hosting Security is free.

No tiers, no subscription, no card. Every feature unlocks the moment you sign in with your Hitt Hosting account.

Free for everyone
$0forever

Security just works on login. Nothing is metered, nothing is locked behind a plan, and there's no upsell waiting on the other side.

Everything you get — at no cost

  • Cross-product monitoring across every product on your account
  • Dark-web & breach monitoring for your domain and team (rolling out — reports as a not-connected source until the intel feed is wired, never a false all-clear)
  • Identity & credential hygiene — live today: MFA-gap detection on every scan plus breached-password checks against the HIBP corpus (k-anonymity, never stored); impossible-travel detection rolling out
  • Severity-ranked findings, per-product worst-of
  • True finding age from a first-seen ledger — every weakness is dated from the moment we first saw it, so age buckets, SLA clocks, escalation, and POA&M "Identified" dates reflect real elapsed time, not the last scan
  • Remediation tracking (resolve / reopen / evidence) with due dates and owners
  • Compliance framework coverage — your latest scan mapped to cross-framework control areas (CIS Controls v8 · OWASP · NIST CSF): Access Control, Change Management & Audit Logging, Data Protection, Vendor & Supply-Chain, Account & Billing Integrity, Identity & Credential Hygiene, each with covered/open/source-not-connected status, rolled up into the JSON evidence pack. Self-assessment, not certification
  • Compliance control-area sign-off — mark each control area Reviewed or Accept-risk with a dated note; the attestation persists and travels into your JSON evidence pack, POA&M, and branded posture report, so you hand an assessor a dated record of what you reviewed, not just a live scan. Self-assessment, not a certification
  • Configurable severity SLA thresholds — set your own critical and warning escalation windows (1–90 days) to match your compliance commitments
  • Time-to-breach countdown — a forward-looking "Approaching SLA breach" panel projecting each open finding's age against your configured window, so you see what's about to breach (and how many days are left to fix it) before it does, findings closest to the line first — your targets, not a guarantee
  • Remediation velocity — mean time-to-remediate by severity and your SLA-breach rate, computed from your own finding history, so you can prove your remediation process is getting faster (observed metrics, not an SLA guarantee)
  • Free-text working notes on any finding — keep the remediation conversation on the record, in one timeline with the finding's lifecycle history
  • Saved finding views — filter by severity, product, owner, due date, or free-text search, then save the slices you work from (My overdue criticals, Unowned, etc.) as one-click views
  • Bulk finding actions — select across the filtered slice and acknowledge, resolve, mute, assign, or set a due date on the whole set in one click, with a per-finding audit-trail entry preserved for each
  • Accept-risk mute with a reason on the record
  • Idempotent critical email digests
  • Reliable webhook delivery — HMAC-signed HTTP fan-out to Slack, PagerDuty, ticketing, or any HTTP endpoint; severity floor per endpoint; failed deliveries auto-retried with a per-endpoint delivery log so a broken endpoint never silently swallows a critical
  • Security posture score — one risk-weighted 0–100 number, tracked daily
  • Weekly posture report — a plain-English email recap of your security score trend, what opened and closed this week, and your oldest unresolved critical (on by default, one-click opt-out)
  • What changed since your last scan — an itemized appeared/cleared diff between your two most recent scans (cleared findings carry their last-seen severity), updated by scheduled scans too and exported with the evidence pack
  • Scan history — see every scan that ran, when it ran, and how your finding counts moved scan-over-scan, so a stalled scheduled scan can never hide; a read-only activity log with a prominent last-scan timestamp and per-scan critical/warning/info deltas
  • Recurring-finding watch — findings that clear and reappear on their own across scans are flagged with an appearance count, surfaced on the finding and in the JSON evidence pack (observed behavior, not a certification)
  • Append-only audit log and posture history
  • One-click findings export (CSV + JSON evidence pack)
  • Built-in remediation guidance — every finding ships with a recommended fix (clear corrective-action steps on the card) that also auto-fills the corrective-action column of your assessor-ready POA&M export, so you never hand over a weakness list with a blank remediation column; deterministic and offline (no AI call, no rate limit), and your own note always wins when you've written one. Self-assessment, not a certification
  • POA&M (Plan of Action & Milestones) export — one row per open finding in the canonical NIST/CMMC layout, with control reference, owner, scheduled completion date, and status; the artifact your CMMC/NIST 800-171 assessor actually asks for. Self-assessment aid, not a certification
  • Remediation milestones — attach dated, staged remediation steps to any finding ("Rotate exposed key — 2026-07-20; Enforce MFA — 2026-08-05 [done]"); they populate the POA&M "Milestones with Completion Dates" column your assessor expects — not just one lump due date — and thread into the JSON evidence pack. Self-assessment planning, not a certification
  • On-demand branded posture report — a single one-click, print-to-PDF document composing your posture score and trend, severity distribution, remediation velocity, compliance control-area coverage, and finding age; hand it to a prime, insurer, or assessor instead of a spreadsheet. Self-assessment, not a certification
  • AI policy assistant (Anthropic Claude)
  • Persisted AI security briefing — the Claude-powered cross-product analysis (correlations, predicted emerging risks, plain-language recommendations) is dated and saved on every generation instead of evaporating on refresh; the panel shows when it was generated with a one-click Previous analysis view (no new AI call), and the latest briefing threads into your JSON evidence pack and branded posture report so the analysis you read is the one you hand an auditor. Self-assessment aid, not a certification
  • Shareable trust page + security badge — publish a live, always-current summary of your posture (overall score, severity counts, compliance-coverage %, last-scanned date) at a shareable public link, plus an embeddable badge for your own site; prove you're secure to prospects and partners without emailing spreadsheets. You choose which summary cards are visible and can rotate or revoke the link anytime — only aggregate summary data is ever exposed, never finding details. Self-attested posture from your own scan, clearly labeled — not a certification or audit

Even better with the rest of the suite.

Security is free on its own. The more Hitt Hosting products you use, the more data Security watches — CRM, Books, HR, Desk, Sign, Field, SE, and Hosting all feed into one Security Center.

Questions, answered.

Is Hitt Hosting Security really free?

Yes. Security is completely free for everyone — there's no tier to pick, no card to enter, and nothing that gets locked behind a plan. You just need a Hitt Hosting account (the same login as the rest of the suite). Sign in and every feature is unlocked.

Do I need another Hosting product to use Security?

No. Security stands on its own and is free regardless of what else you use. If you do use other Hosting products (CRM, Books, HR, Desk, Sign, Field, SE, Hosting), Security watches the data they already store — but nothing about Security itself is gated on having them.

Will there be paid tiers later?

Not today. Security is free and ungated. If anything ever changes we'll say so plainly — but right now there is no upsell, no per-seat tax, and no metered limit.

Does the dark-web monitoring really scan the dark web?

Dark-web and breach-corpus monitoring is rolling out. Once a feed is connected we'll check leak databases and breach corpora for any email/domain tied to your account — we don't crawl the dark web directly; we partner with feeds that do that responsibly. Until then the dashboard reports this source as not-connected, never a false all-clear. What's live today: an interactive breached-password check against the Have I Been Pwned corpus (k-anonymity, nothing stored).

Can I limit who in my team sees findings?

Today Security is single-tenant per account — one Hitt Hosting login owns the findings, and per-account isolation is enforced server-side. Multi-user team access with role-based roles (owner, admin, accountant, viewer) is on the 2026 roadmap and will match the rest of the suite when it ships.

Start watching your account today.

Sign in with your Hitt Hosting account and Security turns on — free, fully unlocked, nothing to buy.