Every serious TPRM tool starts at $5,000–$16,500/yr and bills you more for each vendor you add. Covenant publishes its prices and never charges a per-vendor surcharge.
Every serious TPRM platform starts in the five figures, hides its pricing behind a sales call, and bills you again for each vendor you add. Here is the honest, line-by-line comparison — entry price, per-vendor surcharge, and the capabilities that actually matter to an SMB or MSP.
| Capability | Covenant ($0–$1490/mo flat) | UpGuard (~$19.2k/yr Starter) | SecurityScorecard (~$16.5k/yr) | Whistic (quote-only, enterprise) | Vanta VRM ($5k–$15k/yr add-on) | OneTrust TPRM ($10k/yr floor) |
|---|---|---|---|---|---|---|
| **Pricing & access** | | | | | | |
| Public, flat pricing | Yes — on this page | Partial | No (opaque) | No (quote) | No (quote) | No (quote) |
| Per-vendor surcharge | None | $79/mo each | $1,500–$2,000/yr each | Tiered by volume | By tier | By tier |
| Unlimited vendors at top tier | Yes — $1490/mo | No | No | No | No | No |
| Free tier | 10 vendors + BAA, forever | 5 vendors, capped | No | No | No | No |
| Self-serve, no sales call | Yes — no card | Self-serve to a point | Sales-led | Sales-led | Bundled w/ Vanta | Sales-led |
| **HIPAA / BAA — the wedge** | | | | | | |
| Native HIPAA BAA lifecycle | Yes — free | No | No | No | No | Privacy module add-on |
| §164.504(e) clause gap-check | 11 clauses checked | No | No | No | No | No |
| Subcontractor flow-down chain | Yes | No | No | No | No | Manual |
| BAA renewal / overdue reminders | 90/60/30-day | No | No | No | No | Generic tasks |
| **Assessment & scoring** | | | | | | |
| SIG & CAIQ questionnaire libraries | Included | Yes | Yes | Yes | Yes | Yes |
| No-account vendor portal (magic link) | Signed, expiring link + reminders | Account often required | Account often required | Trust Exchange | Account required | Account required |
| Evidence attachments + executed-BAA tracking | SOC 2 / ISO / pen-test + BAA, with expiry | Doc store | Doc store | Yes | Within platform | Within platform |
| Explainable, itemized scores | Every delta shown | Methodology opaque | Unexplained changes | Limited | Limited | Limited |
| **External scanning & AI** | | | | | | |
| Explainable external scanning | Email-auth live; TLS/headers/breach via runner — each finding shows its evidence | Internet-wide ratings | Letter-grade ratings | Breach detection | Limited | Add-on |
| AI questionnaire / evidence assist | BYO-key, no markup | Gated | Gated | Included (higher tier) | Paid AI tier | Add-on |
| Suite evidence graph (NIST SR / SOC 2 / ISO) | Native sync | No | No | No | Within Vanta only | Within OneTrust only |
| Typical first-year cost — 30-vendor clinic | $8149.80/yr | ~$5,000+/yr | ~$16,500/yr | 5-figure quote | $5k–$15k add-on | $10,000/yr floor |
Competitor figures from public pricing pages and third-party quotes (UpGuard, SecurityScorecard, Whistic, Vanta, OneTrust), 2025–2026; "Partial" denotes available but gated, tier-limited, or quote-dependent. Trademarks belong to their respective owners; Covenant is not affiliated with or endorsed by them.
Save thousands as you grow

UpGuard adds $79/mo for every vendor past five; SecurityScorecard bills $1,500–$2,000 per vendor per year. On Covenant Team, vendor 8 and vendor 800 cost the same flat $1490/mo.

A whole product, $0

BAA library, §164.504(e) gap-check, renewal reminders, and subcontractor flow-down are native and free for 10 vendors. UpGuard and SecurityScorecard simply don't track BAAs; OneTrust gates it behind a privacy module.

Undercuts the entry band

OneTrust enforces a $10,000/yr minimum; SecurityScorecard quotes ~$16,500 just to start; Vanta's VRM is a $5k–$15k add-on you can only buy if you already own Vanta. Covenant Team is $15,198/yr, unlimited vendors, no add-on stack.

Pay the model, not us

Vanta and Secureframe gate AI questionnaire review behind higher tiers. Covenant's summarization, evidence extraction, and risk narratives run on your own LLM key: same capability, no inference cost passed through.