Commercial Licensing

CyberSecAI publishes the MCPS protocol stack, AgentPass identity framework, and supporting libraries under the Business Source License 1.1. Non-production use is free. Production use requires a commercial licence.

Products covered by commercial licensing

mcps-go

Go reference implementation of the MCPS Secure MCP protocol. ECDSA P-256 signing, replay protection, tool integrity, agent passports.

BSL 1.1 v1.0.0

mcps-stdio

Drop-in MCPS-signing wrapper for any stdio MCP server. Zero-config message signing for existing Node and Python MCP implementations.

BSL 1.1 npm

mcps-openclaw

Active and passive scan rules library for detecting MCP and MCPS misconfigurations in AI infrastructure.

BSL 1.1 npm

AgentPass (future versions)

X.509 agent-identity certificate framework with L0-L4 trust levels and scope-based authorisation. v1.2.1 remains Apache 2.0; new feature versions ship under BSL 1.1.

BSL 1.1 (v1.3+)

MCPSaaS

Hosted MCPS proxy and observability for MCP fleets. Commercial SaaS -- not BSL distributed, sold as a service.

SaaS

Cybersecify Pro

Commercial scanner and AutoFix engine for MCP, AI agents, and the OWASP top-10 for LLM applications.

Commercial

What "production use" means

| Use case | Licence required | Cost |
| --- | --- | --- |
| Read the source, learn from it, contribute back | None | Free |
| Run on your laptop for evaluation (up to 90 days) | None | Free |
| Academic, research, or teaching use | None | Free |
| Personal hobby projects, non-commercial OSS | None | Free |
| Internal corporate evaluation (up to 90 days) | None | Free |
| Production at a company, paid product, SaaS | | |
| Embedded in a redistributable product | | |
| Used in any system that supports revenue | | |
| Downstream OSS (e.g., Watchman) run in production | | |

Change Date: 6 May 2030. After this date, this version of the licensed libraries converts automatically to Apache License 2.0 and the commercial-licence requirement falls away for that version. New versions published after the Change Date will start their own 4-year BSL clock.

Commercial licence pricing

Starter

Production licence

£25,000 / year

One production deployment, one legal entity.

  • One production deployment of one licensed library
  • Email support, 1 working day response
  • Security patches before public disclosure
  • Non-exclusive patent grant for the licensed deployment
  • Standard indemnity (subject to cap)

OEM

Embed-and-resell

By quotation

Ship our libraries inside your commercial product to your customers.

  • Redistribution rights to embed MCPS or AgentPass inside your product
  • White-label or co-branded options
  • Reseller arrangements available
  • Custom indemnity and warranty terms
  • Co-marketing optional

Discounts: Volume, multi-year, and design-partner discounts available. Design partners who agree to a published case study or share deployment telemetry under NDA qualify for 30-60% off year 1 and 15-30% off years 2-3.

How to obtain a commercial licence

1. Send an enquiry

Email [email protected] with: your company, the product or service that will embed the library, an estimate of production deployments, and any custom-terms requirements (FIPS, on-prem, export control).

2. Receive a written quotation

We respond within 2 working days with a written quotation, draft licence agreement, and an optional 30-minute scoping call.

3. Sign and pay

Signature, payment, and licence key issued typically within 5 working days. Annual or multi-year invoicing supported. Bank transfer (BACS or wire); card payment for amounts under £10,000.

4. Get production support

You receive a signed commercial licence agreement, support contact, security-advisory feed, and roadmap-influence rights for the term of the agreement.

Downstream operators

Running an OSS product that embeds our libraries?

If you operate an open-source product that embeds our libraries -- for example, moov-io/watchman with MCPS signing enabled, or any other MCP server that imports github.com/razashariff/mcps-go -- and you run that product to support commercial operations, you require a commercial licence from CyberSecAI Ltd.

This is the standard BSL 1.1 downstream model. The upstream OSS project is free to redistribute the library inside their codebase; the downstream operator who runs that codebase in production is the entity that requires the licence.

We do not pursue good-faith operators who reach out proactively. We much prefer a conversation to a dispute. Get in touch.

Patents

MCPS, AgentPass, and related protocols are covered by United Kingdom patent applications including GB2610372.1, GB2610349.9, and others, with PCT applications pending. A commercial licence to our libraries includes a non-exclusive, royalty-free patent licence for the licensed deployments for the term of the agreement.

The BSL 1.1 grant itself does not include a patent licence for production use. The Change Date conversion to Apache 2.0 in 2030 will include the Apache 2.0 patent grant for the converted version.

Frequently asked questions

I'm a researcher writing a paper. Do I need a licence?
No. Academic and research use is free under BSL 1.1.

I'm a solo developer building a hobby project. Do I need a licence?
No. Personal, non-commercial hobby use is free.

I work at a startup and want to evaluate before committing. Can I do that for free?
Yes, for up to 90 days. After 90 days, either stop production use or obtain a commercial licence.

Can I fork your library and re-license under MIT?
No. BSL 1.1 prohibits relicensing. Forks must inherit BSL 1.1 or its Change License (Apache 2.0 after 6 May 2030).

I'm a Watchman operator running self-hosted Watchman with MCPS signing enabled. Do I need a licence?
Yes, if Watchman is supporting commercial operations at your organisation. The standard Watchman-operator licence is the starter production tier (£25,000/year) and includes integration support.

I'm an OSS maintainer of an MCP server. Can I add MCPS signing without a licence?
Yes -- distributing our libraries inside another OSS project is permitted under BSL 1.1. Your OSS users who run it in production are the parties that may require a commercial licence.

How is the £25,000 starting price set?
It reflects the security-risk reduction at a regulated entity, the ongoing maintenance cost of cryptographic middleware, the FIPS-compatible algorithm choices that make it deployable in regulated environments, and the standard BSL-licensed middleware market rate. We do not negotiate the starter tier; we negotiate multi-deployment and enterprise tiers.

Can I get a discount as a design partner?
Yes. Design partners who allow case-study publication, share deployment telemetry under NDA, or contribute upstream patches qualify for 30-60% off year 1 and 15-30% off years 2-3.

How long is a typical commercial licence agreement?
Annual subscriptions by default. Multi-year agreements (2-3 years) available with discount. Term auto-renews unless cancelled in writing 60 days before renewal.

Do you offer source-available terms different from BSL?
BSL 1.1 is itself source-available. We do not offer proprietary closed-source terms. Enterprise customers requiring escrow or audited build artefacts can negotiate separately.

Ready to license?

We respond to commercial licensing enquiries within two working days. We will give you a straight answer on whether your use needs a licence -- whether the answer is yes or no.
