Product & License Descriptions
As of
From continuous integration and delivery to advanced security testing, API protection, cloud cost optimization, and more our AI-Native Software Delivery Platform™ is purpose-built to secure and streamline every stage of your software delivery lifecycle. This page offers comprehensive details on each product module—complete with product descriptions, SKU identifiers, delivery formats, and licensing unit definitions—to help you make informed procurement and deployment decisions.
Explore our product catalog to see how they integrate seamlessly into your workflows, scale across teams, and support your security, compliance, and operational goals. For personalized guidance, our team is ready to assist.
Many of our product modules are licensed under the “Developer” license unit, so we’re incorporating its description directly below for convenience:
“Developer” means each person who is an employee, agent, or contractor of the Customer or Customer’s Affiliate that accesses Software or the Harness Platform directly, or contributes to code development, deployment, security, maintenance, optimization or any other technical activities related to software code that is managed with Harness products, across all production and non-production en. For clarity, even if a person undertakes more than one of the activities described above, each such person shall only be counted as one Developer. If a customer wishes to use bots or robotic process automation to run the Software or Harness Platform, Customer must first obtain Harness’s prior written consent and such usage may be subject to additional restrictions. Harness may revise the definition of a Developer upon notice to the Customer, however the modifications may not be retroactive or materially decrease Harness’s overall obligations during an Order Form license term.
For those product modules with license unit descriptions that include “Developer” and other supplemental license units, you’ll see “Developer +” along with the additional license unit definitions in the License Unit Description column.
Below you will also find details regarding our subprocessors which help power and support our products.
Please note, Harness may modify these descriptions to reflect new features or changing practices, but the modifications may not be retroactive or materially decrease Harness’s overall obligations during an order form term.
| Product | Description | SKUs (SaaS) | Delivery Method | License Unit Description |
|---|---|---|---|---|
| 1. Continuous Integration (CI) | Automates the process of building, testing, and integrating code changes into a shared codebase. | Continuous Integration - Enterprise - SaaS | SaaS or self-hosted | Developer |
| 2. Continuous Delivery (CD) | Automates the process of releasing code updates to production, making it faster, safer, and more reliable. | Continuous Delivery - Enterprise - SaaS | SaaS or self-hosted | Developer + Each Developer may use up to .33 CD Services. If there are more than 20 Service Instances in any of these CD Services, such additional CD Service Instances will count towards another Harness CD Service. A "CD Service" is an independent unit of software that is managed, tracked, and deployed using Harness Continuous Delivery (CD) and Harness GitOps. A CD Service may include, but is not limited to, the following: A binary running a daemon or application. A script or executable. A containerized service (e.g., Docker container). A virtual machine (VM). A serverless function (e.g., AWS Lambda, Google Cloud Function). An application synced via GitOps to a unique infrastructure. Custom definitions as configured within Harness Continuous Delivery. A “Service Instance” refers to the pods or instances of a CD Service deployed to a host. CD constantly tracks the instances of a Service deployed at a sixty (60) minute cadence. Harness tracks all SIs for all deployed Services at a sixty (60) minute cadence, when reporting for license consumption. Additionally, Harness takes the 95th percentile of all SI data points seen over the last 30 days for the Service, and uses this value as the number of SIs for the Service. |
| 3.Feature Flags (FF) | Helps teams control which features are enabled or disabled in their applications without needing to redeploy code. | Feature Flags - Enterprise - Users - SaaS Feature Flags - Enterprise - # MAUs - SaaS Feature Flags - Enterprise - Users - Self Hosted Feature Flags - Enterprise - # MAUs - Self Hosted |
SaaS or self-hosted | Developer +
"Monthly Tracked Keys" ("traffic keys") correspond to the number of unique user, device, account or other keys upon which feature flag decisions are based. Harness FF tracks your MTKs within a calendar month. |
| 4. Feature Management & Experimentation (FME) | Combines feature flagging with A/B testing and experimentation, improving teams’ ability to release, test, and optimize features more effectively. | Feature Management & Experimentation -
Enterprise - SaaS
Feature Management & Experimentation - # MTKs - SaaS Feature Management & Experimentation - # Events |
SaaS | Developer +
"Monthly Tracked Keys" ("traffic keys") correspond to the number of unique user, device, account or other keys upon which feature flag decisions are based. Harness FF tracks your MTKs within a calendar month. An "Event" is a record of user or system behavior. Events can be as simple as a page visited by a user, or a user interacting or seeing a feature controlled or managed by FME. |
| 5. Cloud Cost Management (CCM) | Helps teams monitor, optimize, and manage their cloud costs. | Cloud Cost Management - Enterprise - SaaS | SaaS or self-hosted | Fees are charged as a percentage of Managed Cloud Costs up to a certain agreed upon amount, as stated in the Order Form.
“Managed Cloud Costs” means the annual cloud costs data transmitted to and measured by CCM via an API integration. |
| 6. Security Testing & Orchestration (STO) | Helps teams integrate security testing into their software development pipeline, ensuring that security vulnerabilities are identified and addressed early in the development process. | Security Testing Orchestration - Enterprise - SaaS | SaaS or self-hosted | Developer +
Each Developer is entitled to one hundred (100) Security Scans per month. A “Security Scan” is a single execution of a security test initiated through STO against a unique application target, service, or codebase. Security Scans can be triggered via automation, scheduled jobs, or manual execution. Additionally, the Security Scan may cover multiple files or endpoints, depending on the configuration, but is counted as one Security Scan per test execution. |
| 7. Service Reliability Management (SRM) | Helps teams ensure the reliability and performance of their applications by automating monitoring, incident detection, and resolution. | Service Reliability Management - Enterprise - SaaS | SaaS or self-hosted | Developer +
Each Developer may use up to .33 SRM Services. An "SRM Service" is an independent unit of software that is managed and tracked using SRM. A SRM Service may include an application, metric, datapoint or other measurement that is managed by monitoring systems or tools like Prometheus or other application performance monitoring (APM) vendors. |
| 8. Chaos Engineering (CE) | Improves resilience by introducing failure scenarios intentionally. | Chaos Engineering - Enterprise - SaaS | SaaS or self-hosted | Developer +
Each Developer may use up to 0.33 CE Services. A “CE Service” is any Target Resource that undergoes chaos experiments during a 30-day period using CE. A Target Resource may include but is not limited to
Running a chaos experiment using CE on each of these Target Resources above counts as one CE Service. For any other Target Resources not listed above, 100 chaos experiments on the non-listed Target Resource is equal to one CE Service. Repeated experiments on the same Target Resource within the 30-day period do not count as additional CE Services. |
| 9. Software Engineering Insights (SEI) | Provides visibility into software development processes, helping teams optimize performance and identify areas for improvement. | Software Engineering Insights - Enterprise - SaaS | SaaS | Developer |
| 10. Infrastructure as Code Management (IaCM) | Manages and automates infrastructure provisioning and configuration using code. | Infrastructure as Code Management - Enterprise - SaaS | SaaS | Developer+
Each Developer is entitled to ten (10) Executions per month. An Execution is defined as a successful run of a Terraform apply or Terraform destroy command that results in resource changes (i.e., provisioning, updating, or decommissioning infrastructure). An Execution includes, but is not limited to: 11. A manual trigger using one of the commands above 12. An automated trigger (e.g., via webhook or API call) executing one of the commands above 13. In pipeline executions that include multiple apply or destroy commands, each successful command run is counted as a separate Execution |
| 11. Supply Chain Security (SCS) | Secures the entire software supply chain—from code development to deployment. | Supply Chain Security - Enterprise - SaaS | SaaS | Developer+
Each Developer is entitled to one hundred (100) supply chain Executions per month. An Execution is defined as a single end-to-end run of a security validation workflow initiated by SCS. This includes the scanning, analysis, or attestation of a software artifact, dependency set, build process, or pipeline stage for integrity, provenance, and risk signals. One Execution includes a complete scan or verification of an artifact (e.g., container image, software package, binary, or manifest) initiated by a user, pipeline, or automated policy. Executions may involve multiple steps such as SBOM (Software Bill of Materials) generation, signature validation, dependency scanning, and compliance checks—but are counted as one execution per artifact per scan event. Applies to both pre- and post-deployment validation workflows. |
| 12. Internal Developer Portal (IDP) | Provides a unified platform to simplify and accelerate the development process by providing developers with a self-service interface to access all the tools and services they need. | Internal Developer Portal - Enterprise - SaaS | SaaS | Developer |
| 13. Database DevOps (DB) | Streamlines the management of databases within the CI/CD pipeline, enabling teams to automate database changes alongside application code. | Database DevOps - Enterprise - Database Instances - SaaS | SaaS | "DB Instance" means each copy of a Schema deployed within a database environment.
A "Schema" is the structure or system that defines the organization of data, including tables, relationships, views, and other database objects. It provides a blueprint for how data is stored, accessed, and secured within the database. |
| 14. Incident Response (IR) | Provides proactive issue prevention and accelerated resolution capabilities. | Incident Response - Enterprise - Developers - SaaS | SaaS | Developer |
| 15. Artifact Registry (AR) | Simplifies software delivery processes with unified artifact management that provides secure storage, management, and sharing of all software artifacts. | Artifact Registry - Enterprise - GB Storage - SaaS | SaaS | "GB Storage" refers to the amount of digital storage, measured in gigabytes (GB), that is allocated for storing and managing artifacts within the Artifact Registry. Artifacts may include software packages, binaries, libraries, and other build-related components that are created, versioned, and stored for use in development and deployment processes. |
| 16. DevOps Essentials | The DevOps Essentials bundle gives organizations complete control over DevOps practices while enhancing developer efficiency.
|
DevOps Essentials - Developers - SaaS | SaaS | Developer+
The license unit descriptions of each of the included product modules will also apply, along with the following descriptions: CD A "Deployment Event" occurs when a CD Service is distributed, deployed, upgraded, or otherwise delivered to an Environment using any deployment strategy, including but not limited to manual, automated, blue-green, canary, or rolling deployments. Deployment Events are considered billable i) when a new CD Service is successfully deployed to an Environment, or ii) when an existing CD Service in an Environment is updated, upgraded, or modified. An "Environment" means a designated infrastructure or set of infrastructures where a Service is deployed, such as development, staging, or production environments. Exclusions: Deployment Events do not include processes or activities outside Harness CD and Harness GitOps unless specified in the applicable agreement. CI, STO, IaCM A "Cloud Credit" represents one minute of compute time consumed on Harness cloud infrastructure to execute pipeline stages or processes initiated by the customer. Cloud Credits are applicable when utilizing Harness modules that rely on Harness cloud resources for execution, including but not limited to Continuous Integration (CI), Security Testing Orchestration (STO), and Infrastructure as Code Management (IaCM). Cloud Credits are influenced by the following factors: - Operating System: The type of operating system used for the execution, which may affect resource consumption. - Allocated Resources: The virtual computing resources provided for execution, such as CPU, memory, and disk usage. Each pipeline stage or process executed on Harness cloud infrastructure, regardless of its complexity or duration, contributes to the consumption of Cloud Credits. Exclusions Cloud compute minutes do not include execution time or resources consumed on customer-owned infrastructure or external systems integrated with Harness unless explicitly specified in the customer agreement. IACM A "Deployment Event" occurs when executing an Infrastructure as Code Management (IaCM) stage within a pipeline that involves a Workspace through Terraform or OpenTofu commands. Each i) execution of an IaCM stage in a pipeline, or ii) action performed to create, update, destroy infrastructure resources defined in the state file associated with the Workspace, constitutes a billable Deployment Event. A "Workspace" is an independent unit that manages the lifecycle of resources defined by Terraform or OpenTofu within a shared state file. A Workspace serves as the context in which infrastructure resources are provisioned, modified, and tracked during IaCM stage execution. Exclusions. Actions or commands performed outside the IaCM stage in the Harness platform, and operations that do not involve referencing a Workspace or managing resources defined within a state file, are not considered Deployment Events. |
| 17. API Discovery & Posture Management | Helps teams discover and understand the APIs that pass through their API gateways. Also discovers edge APIs as well as internal APIs or services in their infrastructure. | API Discovery & Posture Management - Enterprise - API Endpoints - SaaS | SaaS | “API Endpoint” refers to a specific URL or location on a server where an API can access the resources or services it needs to perform its functions. |
| 18. External Attack Surface Assessment | Provides visibility into publicly exposed APIs before they become entry points for attackers, plus a point-in-time assessment to help teams understand and reduce their external attack surface. | External Attack Surface Assessment - Enterprise - API Endpoints - SaaS | SaaS | “API Endpoint” refers to a specific URL or location on a server where an API can access the resources or services it needs to perform its functions. |
| 19. API Security Testing (AST) | Eliminates the risk of vulnerable APIs in pre-prod, performs rapid scans that maintain speed of innovation, and automatically obtains remediation insights for developers to further secure their APIs. | Application Security Testing - Enterprise - API Endpoints - SaaS | SaaS | “API Endpoint” refers to a specific URL or location on a server where an API can access the resources or services it needs to perform its functions. |
| 20.API Protection | Analyzes user behavior, data flows, and transaction patterns in real time, enabling precise threat identification and automated blocking before damage can occur. | API Protection - Enterprise - API Calls - SaaS | SaaS | “API Call” means any discrete unit of communication initiated by a software component (including but not limited to a web browser, mobile application, API consumer, backend service, or automated script—to a service, endpoint, or resource that is processed and/or protected by the Platform measured on a rolling 3 month average. API Calls may occur over various supported protocols, including but not limited to HTTP, gRPC, or WebSocket, and originate from interactive user actions, background processes, system integrations, or automated workflows.
Each API Call is counted individually, regardless of its source or intended function, whether the request is allowed blocked or flagged by API Runtime Protection, and contributes to the Customer’s usage volume for billing and quota purposes. |
| 21. Web Application Protection | Protects applications from API threats, bot attacks, malicious requests, and DDoS attacks while ensuring seamless traffic routing and policy enforcement. | Web Application Protection - Enterprise - API Calls - SaaS | SaaS | “API Call” means any discrete unit of communication initiated by a software component (including but not limited to a web browser, mobile application, API consumer, backend service, or automated script—to a service, endpoint, or resource that is processed and/or protected by the Platform measured on a rolling 3 month average. API Calls may occur over various supported protocols, including but not limited to HTTP, gRPC, or WebSocket, and originate from interactive user actions, background processes, system integrations, or automated workflows.
Each API Call is counted individually, regardless of its source or intended function, whether the request is allowed blocked or flagged by API Runtime Protection, and contributes to the Customer’s usage volume for billing and quota purposes. |
| 22. Bot Protection | Detects and blocks malicious bots and identifies suspicious account and user behavior, in real time. | Bot Defense - Enterprise - API Calls - SaaS | SaaS | “API Call” means any discrete unit of communication initiated by a software component (including but not limited to a web browser, mobile application, API consumer, backend service, or automated script—to a service, endpoint, or resource that is processed and/or protected by the Platform measured on a rolling 3 month average. API Calls may occur over various supported protocols, including but not limited to HTTP, gRPC, or WebSocket, and originate from interactive user actions, background processes, system integrations, or automated workflows.
Each API Call is counted individually, regardless of its source or intended function, whether the request is allowed blocked or flagged by API Runtime Protection, and contributes to the Customer’s usage volume for billing and quota purposes. |
| 23. Application Discovery & Risk Assessment | The Application Discovery and Risk Assessment bundle includes API Discovery & Posture Management, and External Attack Surface Assessment | App Discovery & Risk Assessment - Enterprise - API Endpoints - SaaS | SaaS | “API Endpoint” refers to a specific URL or location on a server where an API can access the resources or services it needs to perform its functions. |
| 24. Application Runtime Protection (ARP) | The Application Runtime Protection bundle includes API Protection, Web Application Protection, and Bot Protection. | Application Runtime Protection - Enterprise - API Calls - SaaS | SaaS | “API Call” means any discrete unit of communication initiated by a software component (including but not limited to a web browser, mobile application, API consumer, backend service, or automated script—to a service, endpoint, or resource that is processed and/or protected by the Platform measured on a rolling 3 month average. API Calls may occur over various supported protocols, including but not limited to HTTP, gRPC, or WebSocket, and originate from interactive user actions, background processes, system integrations, or automated workflows.
Each API Call is counted individually, regardless of its source or intended function, whether the request is allowed blocked or flagged by API Runtime Protection, and contributes to the Customer’s usage volume for billing and quota purposes. |
SUBPROCESSORS
Our Subprocessors list can be found here. We recommend subscribing to this page so you can receive email notifications when changes to the Subprocessors list are made. To subscribe, visit https://trust.harness.io, scroll down to the “Trust Center Updates” section, and click “Subscribe to updates.”