Security · XDR/SIEM

Threat detection on the fleet you already run

Alerts, vulnerabilities, file integrity, CIS compliance, and ATT&CK mapping run on the agent and console you already use to monitor your servers. Wazuh does the heavy lifting; we keep it tenant-isolated and write it all to the audit trail.

What you get

Eight security capabilities, one agent

Each card below maps to a working panel in the console, not a roadmap promise. The numbers and views come straight from your own hosts.

Threat detection and alerts

Security alerts stream from the Wazuh Indexer in near real time. Filter by severity, watch how volume moves across 24-hour, 7-day, and 30-day windows, see which rules fire most, and export the full result set to CSV for a report or a ticket.

Vulnerability detection

Each agent reports its installed packages, and the vulnerability detector matches them against known CVEs. You get a severity breakdown, a CVSS-score distribution, and a list of the packages dragging your exposure up so you know what to patch first.

File integrity monitoring

Syscheck watches the paths that matter and records every file change as added, modified, or deleted. On Windows it tracks registry keys and values too. Kick off an on-demand scan when you need a fresh baseline rather than waiting for the next cycle.

Configuration assessment

Run CIS benchmark checks against each host and read the result as a per-policy score with pass, fail, and not-applicable counts. The failing checks come with the detail you need to fix the setting, not just a red number.

MITRE ATT&CK mapping

Alerts map to ATT&CK techniques and tactics, so instead of a flat list you see which tactics are showing up across the fleet. A tactic heatmap and a top-technique ranking turn raw events into something you can reason about.

System inventory

A live picture of every managed host: hardware, OS build, installed packages, listening ports, running processes, services, and Windows hotfixes. Useful for an audit, an incident, or just answering "what is actually on this box".

Agent management

Enroll, list, restart, and remove security agents per customer, with connection status at a glance. Agents are grouped by tenant, so each customer sees only their own machines.

Active response

When something needs handling now, an operator can run a remediation action straight from the console against the affected agent. Every execution is recorded in the audit trail with who ran it, on which host, and when. Reserved for admin roles.

Multi-tenant by design

One customer never sees another

  • Every agent belongs to a customer group, and queries are scoped to that group. A customer account can only ever see its own agents and its own alerts.
  • CIDR-based IP allowlisting controls where the console and APIs can be reached from, set per vendor or per customer.
  • High-severity alerts are forwarded automatically into the immutable audit trail, so a critical event is logged even if nobody is watching the dashboard at 3am.
  • Vendor operators get a fleet-wide view with each result tagged by customer; the same isolation rules still apply to actions.

Where security meets the audit trail

  • Critical and warning alerts forwarded to the audit trail every minute
  • Remediation actions logged with operator, host, and timestamp
  • Per-customer agent groups with row-level query scoping
  • CIDR IP allowlists per vendor and per customer
  • On-demand FIM scans when you need a fresh baseline
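
The scoping and allowlisting rules above, as an added example that is not the console's own code: a Python sketch of a server-side query builder for the Wazuh Indexer that injects the tenant's agent scope itself, rejects request filters that try to set it, and checks a caller's source address against the tenant's CIDR allowlist. The tenant registry, agent IDs and CIDRs are constructed values; rule.level, timestamp and agent.id are standard Wazuh alert fields.

```python
import ipaddress
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed registry (hypothetical values): each tenant's Wazuh agent IDs and allowed source CIDRs.
# In a real deployment the agent list would be resolved from the tenant's agent group.
TENANTS = {
    "acme": {"agent_ids": ["001", "002"], "allow_cidrs": ["203.0.113.0/24"]},
    "globex": {"agent_ids": ["003"], "allow_cidrs": ["198.51.100.0/24", "2001:db8::/32"]},
}
WINDOWS = {"24h": timedelta(hours=24), "7d": timedelta(days=7), "30d": timedelta(days=30)}


def source_allowed(tenant: str, source_ip: str) -> bool:
    """True only if source_ip falls inside one of the tenant's allowlisted CIDRs."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in TENANTS[tenant]["allow_cidrs"])


def _mentions(obj, field: str) -> bool:
    """Recursively check whether a query fragment references the given field name."""
    if isinstance(obj, dict):
        return any(k == field or _mentions(v, field) for k, v in obj.items())
    if isinstance(obj, list):
        return any(_mentions(v, field) for v in obj)
    return False


def scoped_alert_query(tenant: str, window: str = "24h", min_level: Optional[int] = None,
                       extra_filters: Optional[list] = None, now: Optional[datetime] = None) -> dict:
    """Build the Indexer bool query for one tenant; the tenant clause is added here, never by the caller."""
    if tenant not in TENANTS:
        raise KeyError(f"unknown tenant {tenant!r}")
    if window not in WINDOWS:
        raise ValueError(f"window must be one of {sorted(WINDOWS)}")
    now = now or datetime.now(timezone.utc)
    clauses = [
        {"terms": {"agent.id": TENANTS[tenant]["agent_ids"]}},  # row-level tenant scope
        {"range": {"timestamp": {"gte": (now - WINDOWS[window]).isoformat(), "lte": now.isoformat()}}},
    ]
    if min_level is not None:  # severity filter on the Wazuh rule level
        clauses.append({"range": {"rule.level": {"gte": int(min_level)}}})
    for f in extra_filters or []:
        if _mentions(f, "agent.id"):  # callers may narrow the result, never re-scope it
            raise ValueError("agent.id is set by the server, not by the request")
        clauses.append(f)
    return {"query": {"bool": {"filter": clauses}}}
```

Every request path that reaches the Indexer should go through a builder like this, so a tenant clause cannot be forgotten or overridden by a crafted filter.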

Questions

Before you turn it on

What is the engine behind this?
The security modules are powered by Wazuh, an open-source XDR and SIEM platform. We run the Manager and Indexer for you and put a multi-tenant, audit-logged console on top so you do not have to operate the stack yourself.

Do I need to install a separate security agent?
No second agent to babysit. Security telemetry rides alongside the monitoring you already run, so enrolling a host into threat detection, FIM, and inventory is part of the same workflow rather than a new deployment.

Which operating systems are covered?
Windows, Linux, and macOS hosts are supported. File integrity monitoring also covers the Windows registry, and inventory includes Windows hotfixes alongside packages and services on every platform.

How is one customer kept separate from another?
Agents are grouped by tenant and every security query is scoped to the requesting account. Customer users see only their own agents, alerts, and inventory. Remediation actions are limited to admin roles and written to an immutable audit log.

Which plan includes the security modules?
XDR and SIEM monitoring is available on the Business plan and up. Talk to us if you want it scoped to a specific set of customers or hosts.

See what your servers are telling you

Security monitoring is on the Business plan and up. Start a trial, or talk to us about scoping it to your customers.