Cloud Services and Annual Recurring Revenue
The 8 cloud services that drive ABS Core's sustainable annual recurring revenue model.
Cloud Services and Annual Recurring Revenue
ABS Core's revenue model is built on annual licenses with cloud services that provide continuous value. The engine runs on-premise; the cloud provides the support infrastructure.
Architecture: Data Plane vs. Control Plane
Customer Infrastructure (Data Plane)
+----------------------------------+
| ABS Core Engine | <-- ALL governance here
| Hash Chain Ledger | <-- ALL data here
| Ed25519 Keys | <-- ALL keys here
| Policy Files | <-- ALL rules here
+----------------------------------+
|
| HTTPS 443 (outbound only, optional)
v
ABS Cloud (Control Plane)
+----------------------------------+
| License | Updates | TSA Relay | <-- Zero customer data
| Threat Intel | Policy Hub |
| Backup Vault | Benchmarks |
| Support Channel |
+----------------------------------+The data plane is 100% customer-controlled. The control plane is managed by ABS Core.
The 8 Services
1. License Server
Validates annual license keys. Heartbeat: 1x per day. Sends: license key + machine fingerprint. Receives: valid/invalid.
No customer data is transmitted.
If offline for 30+ days: GRACE_PERIOD enforcement continues. After 30 days: AUDIT_ONLY mode (records but does not block).
ARR contribution: Primary revenue driver. Every deployment requires a license.
2. Update Channel
Delivers signed engine binaries, security patches, and new NIST control mappings.
Updates are signed with dual keys (development + offline production). The customer's system verifies both signatures before installation.
What it sends to customer: Signed binary + changelog + checksum. What it receives from customer: Version number only.
ARR contribution: Justifies renewal by delivering continuous security improvements.
3. TSA Relay (RFC 3161)
Proxy for Time Stamping Authorities. Routes SHA-256 hashes to the best available TSA.
What it receives from customer: SHA-256 hash only (mathematically irreversible). What it sends to customer: Signed timestamp token.
Automatic failover between multiple TSA providers (FreeTSA, DigiCert).
ARR contribution: Tier differentiator (FreeTSA for Startup, DigiCert for Business/Enterprise).
4. Threat Intelligence
Publishes alerts about new AI agent attack patterns, vulnerability disclosures, and recommended policy updates.
One-way broadcast. Customer receives alerts but sends nothing back.
Example alert:
[ABS THREAT INTEL] 2026-04-11
Pattern: "Prompt injection via tool argument encoding"
Affected: MCP tool calls with base64-encoded SQL
Action: Add blocked_pattern "base64" to db.query restrictionsARR contribution: Ongoing security value. Differentiator for Enterprise tier.
5. Policy Hub
Library of sector-specific governance policy templates:
| Template | Sector |
|---|---|
fintech-pci-dss.json | Payments and card data |
healthcare-hipaa.json | Health data (US) |
ecommerce-gdpr.json | Personal data (EU) |
govtech-fedramp.json | Federal government (US) |
automotive-iso26262.json | Automotive safety |
generic-soc2.json | General SOC 2 |
Customers download templates and customize locally. Policy files never leave the customer's server.
ARR contribution: Reduces time-to-value. New templates added quarterly.
6. Backup Vault (Opt-in)
Encrypted ledger backup with zero-knowledge architecture:
- Customer encrypts backup with their own key
- Encrypted blob is uploaded to ABS Cloud
- ABS Cloud stores the blob but cannot decrypt it
- Customer downloads and decrypts with their key for restore
ABS Core never has access to the decryption key.
ARR contribution: Tier differentiator (Business: 10GB, Enterprise: unlimited).
7. Benchmark Analytics
Anonymized governance scoring:
Your Governance Score: 94/100
Sector Average (Fintech): 71/100
Percentile: Top 8%What customer sends: Numeric score + sector tag. Zero underlying data. What customer receives: Benchmarking position vs. industry peers.
ARR contribution: CISOs use benchmark data to justify budget and demonstrate improvement to the board.
8. Support Channel
| Tier | Channel | SLA |
|---|---|---|
| Startup | Community (GitHub Issues) | Best effort |
| Business | 48-hour response | |
| Enterprise | Dedicated Slack/Teams + named engineer | 4-hour response |
ARR contribution: Enterprise support justifies premium pricing.
Revenue Model
Unit Economics
| Metric | Value |
|---|---|
| Average Contract Value (ACV) | $12,000 - $48,000 |
| Gross Margin | ~90% (software, no hosting customer data) |
| Expansion Path | Agent count increase, tier upgrade |
| Churn Mitigation | Hash chain lock-in (migrating loses audit history) |
Revenue Composition
| Revenue Source | % of ARR |
|---|---|
| License (enforcement + updates) | 70% |
| Support (SLA tiers) | 15% |
| Premium services (TSA, Vault, Intel) | 15% |
Why the Model is Defensible
No hosting costs for customer data -- ABS Core never processes or stores customer data. Cloud infrastructure costs scale with license count, not data volume.
Natural expansion -- As customers deploy more AI agents, they need more governed seats. Agent count growth drives organic upsell.
Switching cost -- The hash chain ledger is the compliance audit trail. Migrating away from ABS Core means losing verifiable governance history. This creates structural retention without vendor lock-in on the engine itself.
Related
- NRaaS Category -- Market positioning
- Economics of Accountability -- ROI analysis
- Sovereign Checklist -- What the customer sees at install