Tufin offers three subscription options. The following details the functionality delivered in each solution tier and how subscriptions are priced.

  SecureTrack+ SecureChange+ Enterprise
Network health and communications
Policy visibility and change tracking
Compliance attestation and status
Compliance trends
Risk reduction cleanup
Continuous audit readiness evaluation
Vulnerability exploitability dashboard
Unified security policy
Individualized security policy builder
Continuous security policy management
Pre-built compliance technology integrations
Migration support; server policy cloning
Server decommissioning
Rule decommissioning
Network access decommissioning
Rule and group modification
Network access request
Automated change provisioning
Rule Lifecycle and Ownership
Rule recertification
Rule recertification management
Topology Mapping
Network visibility
Target selection
“What if” path analysis
Network connectivity troubleshooting
App-based Connectivity Management
Application centric security policy generation
Application dependency mapping
Application mapping to firewall rules with owners


Technical Specifications
IPAM-based zone definition with continuous syncing
Distributed architecture; including remote collectors and worker nodes
Up to 5,000 routers and switches included
Support* Standard Standard Premium 24/7
High availability with highly redundant multi-node clusters
Up to 500 applications included
Network Environment Expansion
Cloud virtual machines can be added in blocks of 100
Routers/switches can be added in packages of 20 over the included 5,000
20 routers/switches over the included 5,000 = 1 Firewall Unit
Applications can be added in packages of 20 over the included 500
20 applications over the included 500 = 1 Firewall Unit


Firewall Unit

Pricing is based on Firewall Units. A Firewall Unit is any one of the following:

  • Single physical or virtual firewall
  • Physical or virtual firewall cluster
  • Cisco ACI leaf
  • 4-pack of VMware-licensed NSX CPUs (counted according to VMware’s licensing policy)
  • 1000-pack of Zscaler users
  • Blue Coat ProxySG
  • 5-pack Cisco Meraki MX Networks
  • 10-pack of F5 BIG-IP LTM
  • Azure Firewall
  • 20 routers/switchers (5000 router/switch licenses included)
  • 300-pack of Prisma Access users