Optimal Premium Upgrade Setup
๐ก Why Organize Before Upgrading?โ
Premium upgrades apply to an entire Organization. You may not want Premium features for all environments. Typically only Production needs extended retention, higher quotas, and advanced protection.
By organizing your Security Engines before upgrading, you save costs and keep your infrastructure organized.
Common Multi-Environment Setupโ
Most teams have a mix of environments with different security requirements:
๐ฅ Production Environmentsโ
Needs Premium:
- Extended alert retention (12 months)
- Higher alert quotas (millions/month)
- Organization-wide blocklists
- CTI API access for SIEM integration
- Threat Forecast Blocklist
- Multi-seat team access
๐งช Dev / Test / Stagingโ
Community is sufficient:
- Basic alert monitoring (500/month)
- Short retention (2 months)
- Community blocklist (3k IPs)
- Individual engine management
- Single-user access
Recommended Setup Strategyโ
1๏ธโฃ Create Production Organizationโ
Create a new organization specifically for your Production environment.
Community accounts get 1 extra organization for free (beyond your Personal Account).
2๏ธโฃ Organize Your Enginesโ
- Personal Account: Keep Dev/Test/Staging engines here (Community tier)
- Production Org: Transfer Production engines to the new organization
You can transfer engines in two ways:
- Console: Transfer feature
- CLI: Re-enroll with
cscli
using--overwriteflag
3๏ธโฃ Upgrade Production Onlyโ
Upgrade only the Production organization to Premium.
Your Dev/Test/Staging environments remain on Community tier with no additional cost.
โ Alerts reappear in the new organization within minutes
Step-by-Step: Splitting Your Enginesโ
Option 1: Transfer via Console UIโ
Best for: Quick transfers of individual or small batches of engines
- Navigate to Security Engines page in Console
- Select the engine(s) you want to transfer
- Use the Transfer feature to move them to your Production organization
- Confirm the transfer
Option 2: Re-enroll via cscliโ
Best for: Bulk transfers, automation, or infrastructure-as-code deployments
# Get enrollment key from your Production organization
# Console โ Organizations โ Production โ Enrollment Keys
# Re-enroll the Security Engine with --overwrite flag
cscli console enroll <ENROLLMENT_KEY> --overwrite
The --overwrite flag forces the engine to move to the new organization, even if already enrolled elsewhere.
Example Organizational Structureโ
Before Organizing (All in Personal Account):
- 10 Production servers (web, API, database)
- 5 Staging servers
- 3 Dev laptops
After Organizing:
Personal Account (Community - Free):
- 5 Staging servers
- 3 Dev laptops
Production Organization (Premium - Paid):
- 10 Production servers
- Full Premium features
- Team collaboration with 3 seats
- Extended retention and quotas
Benefits of This Approachโ
Cost Optimization
Only pay for Premium where you need it. Dev/Test environments remain free on Community tier.
Clear Separation
Production and non-production environments are cleanly separated, reducing noise and improving security posture visibility.
Flexible Scaling
Add more organizations later (MSPs can create unlimited orgs). Start simple, expand when required.
No Downtime
Alerts reappear in new organization within minutes. No disruption to security monitoring.
When NOT to Separateโ
You may want all engines in a single Premium organization if:
- You need extended retention across all environments for compliance
- Your team investigates attacks in staging/dev environments regularly
- You want centralized allowlists and blocklists everywhere
- You're an MSP managing multiple client environments (use Multi-Organization instead)
Next Stepsโ
Ready to upgrade?โ
- Organize your Security Engines across Personal Account and Production Organization
- Upgrade the Production organization to Premium
- Test Premium features during your trial period (Testing Guide โ)
