Solution Tiers

Since September 2022, Tufin Orchestration Suite has three solution tiers, which can be purchased on a subscription basis:

  • SecureTrack+: Offers security policy management, vulnerability prioritization and mitigation, compliance monitoring and reporting, policy optimization and cleanup automation, policy control for cloud-native applications, and distributed architecture.

  • SecureChange+: Offers everything included in SecureTrack+, as well as network access change request automation, rule lifecycle management, vulnerability-based change automation, and topology mapping.

  • Enterprise: Offers everything included in SecureTrack+ and SecureChange+, as well as change implementation (provisioning), application-based connectivity management, best in class high availability, and premium 24x7 follow-the-sun support.

These tiers are aimed at simplifying Tufin's pricing model while simultaneously adding greater value to each tier (for example, Tufin extensions (formerly Tufin Marketplace apps) have been added to the different tiers). Capabilities have been bundled together to cover more use-cases, and pricing is determined according to the size of your environment. Each tier has a fixed price for each firewall unit or cloud virtual machine.

You are required to choose a single tier for your entire TOS deployment (both production and lab environments), and it is always possible to change to a higher tier later on.

If you are an existing Tufin customer, sales support will help you choose the tier that best suits your needs. Contact [email protected]

The full capabilities of each tier are listed in the table below.

Capability                                                                SecureTrack+   SecureChange+   Enterprise
Compliance, Monitoring and Reporting                                      X              X               X
Security policy management:
  Zone-based Unified Security Policy (USP)
  Security Policy Builder (SPB)
  IPAM-based zone definition with continuous synching (ISPA)
Policy Optimization and Cleanup Automation:
  Rule and Object Cleanup Reporting
  Server Policy Cloning Workflow
  Decommission Network Object Workflow
  Rule Decommissioning Workflow
Vulnerability Prioritization and Mitigation (VMA)                         X              X               X
Up to 5,000 routers and switches included
Distributed Architecture, including remote collectors and worker nodes    X              X               X
Rule Lifecycle and Ownership:                                                            X               X
  Rule and Group Modification Workflows
  Rule Recertification Workflow
  Rule Lifecycle Management (RLM)
Vulnerability-based Change Automation (VCA)                                              X               X
Access Request Workflow                                                                  X               X
Topology Mapping: Visibility, Target Selection, “What If” Path Analysis                  X               X
Change Implementation (Provisioning)                                                                     X
SecureApp: Application-based Connectivity Management, up to 500 apps.                                    X
High Availability with highly redundant, multi-node clusters                                             X
Support                                                                   Standard       Standard        Premium 24/7