KeenSafe
Platform · Deployment

Deploy KeenSafe the way your environment requires. Same control plane in every mode.

Four deployment modes share one engine, one evidence chain and one set of integrations. Move workloads between modes as governance evolves — without re-platforming and without losing your audit history.

Deployment modes

Four deployment modes. One product.

Same orchestrator. Same evidence model. Same integrations. Pick the mode that fits your governance — then change your mind without re-platforming.

SaaS — multi-tenant
Fastest path to production

Hosted by KeenSafe with cryptographic tenant isolation. Onboarding in days, not quarters. Used by the majority of our enterprise customers.

Best for
  • Enterprises with vendor-onboarding approval for cloud security tooling
  • MSSPs running multi-tenant programs
  • Mid-market and growth-stage security teams
Platform controls
  • Cryptographic tenant isolation · per-tenant KMS
  • BYOK supported via AWS / Azure / GCP KMS
  • Region pinning across 14 supported regions
  • Egress filtering · operator zero-trust gateway
Production in 5–10 business days
Single-tenant — dedicated cloud
Vendor isolation without infra ownership

A dedicated KeenSafe control plane in the cloud region of your choice. Same product, same evidence chain — no shared compute with other customers.

Best for
  • Financial services with regional regulator requirements
  • Healthcare groups requiring PHI residency
  • Government suppliers and defense primes
Platform controls
  • Single-tenant compute + storage in your region
  • HSM-backed keys · HYOK supported
  • IP allow-listing · private connectivity (PrivateLink / Private Endpoint)
  • Customer-managed encryption key rotation
Production in 2–4 weeks
On-premise
Inside your datacenter, your operating model

Customer-operated KeenSafe control plane inside your own datacenter or private cloud. Used by organizations where data-residency mandates prohibit any vendor-hosted control plane.

Best for
  • Operators with strict data-residency mandates
  • Sovereign-cloud customers (Bleu · Delos · GCC-High)
  • Organizations with existing on-prem K8s footprint
Platform controls
  • Customer-operated · KeenSafe ships signed releases
  • Runs on RHEL 9 / Ubuntu 22.04 / OpenShift 4.x / RKE2
  • Internal CA support · enterprise PKI integration
  • No telemetry to vendor — local-only observability
Production in 4–8 weeks
Air-gapped
No egress, no compromise

Fully disconnected installation: content packs and updates arrive as signed offline bundles. Used by classified defense programs and critical-infrastructure operators that cannot egress to a vendor cloud.

Best for
  • Classified defense programs
  • Critical-infrastructure operators (energy · water · transport)
  • Air-gapped financial-trading networks
Platform controls
  • Offline content packs · signed update bundles via WORM media
  • No outbound network calls — verified by network ACLs
  • Operator access via local zero-trust gateway
  • Local FIPS 140-3 validated cryptography
Production in 6–12 weeks
Topology

How KeenSafe actually sits in your environment.

Whether KeenSafe runs in our cloud or yours, the topology is the same: an orchestration layer reaches your scope through authorized boundaries, evidence flows back via a signed chain, and telemetry streams to your SIEM / SOAR / ITSM.

[Topology diagram]

KEENSAFE CONTROL PLANE (hosted by KeenSafe, or by you: on-prem · air-gapped)
  Orchestration · Authorization manifest · Run scheduler · Crown-jewel guard
  Evidence chain (WORM) · Identity & RBAC · Audit log · streaming

AUTHORIZED SCOPE (your environment)
  External surface · Identity (AD / IdP) · Cloud (AWS / Azure / GCP)
  Endpoints + EDR · OT / ICS (passive) · Crown jewels (guarded)
  Read-only by default · agentless-first · signed evidence per step

YOUR SOC + ITSM (telemetry sinks)
  Splunk · Sentinel · Chronicle · QRadar
  XSOAR · Splunk SOAR · ServiceNow · Jira · PagerDuty · Slack · GRC · audit archive
  Native sinks · streaming evidence · no rewrite of your stack
Layers

Six layers, each with a single responsibility.

Edge ingress
Authenticated, rate-limited, signed entry to the control plane.
  • mTLS to operator gateway
  • Per-tenant API gateway
  • WAF + DDoS protection
Orchestration
Where scope authorization is enforced and runs are scheduled.
  • Authorization manifest engine
  • Scope-bound run scheduler
  • Crown-jewel boundary checks
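The decision the manifest engine and the scope-bound scheduler have to make before any run touches a target, as an added example in Python. This is not KeenSafe code: the manifest fields (allow, crown_jewels, window), the hostname-glob convention, the sample targets and the crown-jewel addresses are assumptions made for illustration. The rule that matters is the ordering: a crown-jewel match denies even when an allow entry also matches, so widening the allow list can never reach a guarded asset.

```python
"""Scope-bound authorization check: the decision a run scheduler makes
before touching any target.

Added example, not KeenSafe's manifest format or code. The manifest fields,
the hostname-glob convention and the sample targets are assumptions.
Rules: a crown-jewel match denies regardless of any allow entry, a target
must match an allow entry, and the run must start inside the window.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed sample manifest (assumed format).
MANIFEST = {
    "run_id": "run-0001",
    "allow": ["10.20.0.0/16", "203.0.113.0/24", "*.corp.example"],
    "crown_jewels": ["10.20.5.0/24", "swift-gw.corp.example"],
    "window": ["2024-06-01T00:00:00Z", "2024-06-08T00:00:00Z"],
}


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def _matches(target: str, pattern: str) -> bool:
    """True if target (IP literal or hostname) matches pattern (CIDR or hostname glob)."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        # Not a CIDR, so treat the pattern as a case-insensitive hostname glob.
        return fnmatch(target.lower(), pattern.lower())
    try:
        return ipaddress.ip_address(target) in net
    except ValueError:
        return False  # a hostname never matches a CIDR; resolve first if you need that


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(manifest: dict, target: str, now: datetime) -> Decision:
    """Decide whether one target may be touched under this manifest at time now."""
    start, end = (parse_utc(s) for s in manifest["window"])
    if not start <= now < end:
        return Decision(False, "outside authorized window")
    # Crown-jewel boundaries are checked first: a deny wins over any allow.
    for boundary in manifest["crown_jewels"]:
        if _matches(target, boundary):
            return Decision(False, f"crown-jewel boundary {boundary}")
    for pattern in manifest["allow"]:
        if _matches(target, pattern):
            return Decision(True, f"allowed by {pattern}")
    return Decision(False, "not in authorized scope")


def schedule(manifest: dict, targets: list[str], now: datetime) -> tuple[list[str], dict[str, str]]:
    """Split a candidate target list into the runnable set and the rejections with reasons."""
    runnable, rejected = [], {}
    for t in targets:
        d = authorize(manifest, t, now)
        if d.allowed:
            runnable.append(t)
        else:
            rejected[t] = d.reason
    return runnable, rejected


if __name__ == "__main__":
    now = parse_utc("2024-06-03T12:00:00Z")
    ok, rej = schedule(MANIFEST, ["10.20.1.4", "10.20.5.7", "swift-gw.corp.example",
                                  "web.corp.example", "192.168.1.1"], now)
    print("runnable:", ok)
    for t, why in rej.items():
        print(f"rejected {t}: {why}")
```

Note that 10.20.5.7 sits inside the allowed 10.20.0.0/16 and is still rejected, and that a hostname target is never matched against a CIDR: if scope is expressed in addresses, resolve names before calling authorize, otherwise a guarded host reachable by name slips through the address-based boundary.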
Discovery & path engine
Surface and attack-graph generation against authorized scope.
  • External / internal recon primitives
  • Identity + cloud graph builder
  • Attack-path synthesizer
Validation runtime
Safe proof-of-exploit with per-step evidence capture.
  • Read-only primitives
  • Sandboxed payload replay
  • Per-step signed evidence
Evidence chain
Append-only, signed, WORM-backed evidence trail.
  • Signed per-event evidence
  • WORM storage · 7y default retention
  • Cryptographic deletion on request
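The signed chain that the Topology section, the Validation runtime layer and this Evidence chain layer all refer to, reduced to its mechanics as an added example in Python. It is not KeenSafe's evidence format or code: the record layout, the sample events and the key are constructed, and HMAC-SHA256 stands in for the per-record signature so the block runs on the standard library alone (a real chain would use an asymmetric signature such as Ed25519, so verifiers never hold the signing key). It also shows one way to reconcile WORM retention with deletion on request: the immutable chain commits only to a payload digest, the payload itself lives in a purgeable side store.

```python
"""Append-only evidence chain: per-record hash link, per-record authentication
tag, and a verifier that detects edits, gaps, forgeries and, given an anchor,
truncation. Added example, not KeenSafe's format. Records, events and key are
constructed; HMAC-SHA256 stands in for an asymmetric signature.
"""
from __future__ import annotations

import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value carried by the first record
_FIELDS = ("seq", "run_id", "step", "prev", "payload_digest")


def _canon(obj) -> bytes:
    """Canonical JSON, so the hash does not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _tag(key: bytes, record_hash: str) -> str:
    return hmac.new(key, record_hash.encode(), hashlib.sha256).hexdigest()


class EvidenceChain:
    """records is the immutable (WORM) part: each record commits to its predecessor
    and to the digest of its payload. payloads is a mutable side store, so a payload
    can be purged on request while the chain it was committed to still verifies."""

    def __init__(self, key: bytes):
        self._key = key
        self.records: list[dict] = []
        self.payloads: dict[str, bytes] = {}

    def append(self, run_id: str, step: str, payload: bytes) -> dict:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        body = {"seq": len(self.records), "run_id": run_id, "step": step,
                "prev": prev, "payload_digest": _sha256(payload)}
        record_hash = _sha256(_canon(body))
        record = dict(body, hash=record_hash, sig=_tag(self._key, record_hash))
        self.records.append(record)
        self.payloads[body["payload_digest"]] = payload
        return record

    def head(self) -> str:
        """Hash of the latest record; publish it out of band to detect truncation."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def purge_payload(self, payload_digest: str) -> None:
        """Deletion on request: drop the bytes, keep the commitment."""
        self.payloads.pop(payload_digest, None)


def verify(records: list[dict], key: bytes, expected_head: str | None = None) -> tuple[bool, str]:
    """Walk the chain from genesis, failing on the first inconsistency."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i:
            return False, f"sequence gap at record {i}"
        if rec.get("prev") != prev:
            return False, f"broken link at record {i}"
        body = {k: rec[k] for k in _FIELDS}
        if _sha256(_canon(body)) != rec["hash"]:
            return False, f"hash mismatch at record {i}"
        if not hmac.compare_digest(_tag(key, rec["hash"]), rec["sig"]):
            return False, f"bad tag at record {i}"
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: chain truncated or replaced"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Build a three-step chain and show which manipulations the verifier catches."""
    key = b"constructed-demo-key"  # assumption: the verifier shares the key in this toy
    chain = EvidenceChain(key)
    chain.append("run-0001", "recon.dns", b"constructed: zone listing")
    chain.append("run-0001", "identity.enum", b"constructed: 3 stale admin accounts")
    chain.append("run-0001", "validate.read-only", b"constructed: share readable")
    head = chain.head()
    out = {"intact": verify(chain.records, key, head)}
    chain.purge_payload(chain.records[1]["payload_digest"])  # deletion on request
    out["after_purge"] = verify(chain.records, key, head)
    edited = copy.deepcopy(chain.records)
    edited[1]["step"] = "validate.write"  # silent edit of a stored record
    out["edited"] = verify(edited, key, head)
    forged = copy.deepcopy(edited)  # same edit, but the hash is recomputed without the key
    forged[1]["hash"] = _sha256(_canon({k: forged[1][k] for k in _FIELDS}))
    out["rehashed"] = verify(forged, key, head)
    truncated = chain.records[:-1]  # drop the last step entirely
    out["truncated_unanchored"] = verify(truncated, key)
    out["truncated_anchored"] = verify(truncated, key, head)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

The case worth noticing is the last pair: a hash chain with no external anchor verifies cleanly after its tail has been cut off, which is why the head hash has to leave the system (to the WORM store, the audit archive or the SIEM stream) at the moment each record is written, not only when someone asks for it.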
Telemetry & sinks
Streaming to your SIEM / SOAR / ITSM in real time.
  • Splunk · Sentinel · Chronicle · QRadar
  • XSOAR · Splunk SOAR · Tines
  • ServiceNow · Jira · PagerDuty
Integrations

Native integrations across SIEM, SOAR, ITSM, identity, cloud and OT.

KeenSafe is not the system of record for your security operations — your SIEM and ticketing stack are. The platform meets you where you live, with native sinks and pre-built content for the platforms below.

SIEM
  • Splunk Enterprise / Cloud
    Native HEC sink + detection-content pack
  • Microsoft Sentinel
    CEF + Logic Apps · Analytics rules pack
  • Google Chronicle / SecOps
    UDM-formatted feed
  • Elastic Security
    ECS-formatted feed · pre-built dashboards
  • IBM QRadar
    Custom DSM · LEEF events
  • Exabeam · Securonix · Sumo Logic
    Generic syslog + JSON sinks
SOAR
  • Palo Alto XSOAR
    Native playbook pack · 14 actions
  • Splunk SOAR (Phantom)
    App pack · attack-path → ticket auto-flow
  • Tines
    API-first integration · evidence-bundle delivery
  • Microsoft Logic Apps
    Sentinel-native automation
  • Swimlane · Torq · ThreatConnect
    REST + webhook integration
ITSM & Ticketing
  • ServiceNow ITSM / SecOps
    Bidirectional ticket sync · evidence attached
  • Jira / Jira Service Management
    Project + queue mapping
  • Zendesk · Freshservice
    Ticket creation + status sync
  • PagerDuty · Opsgenie
    Critical-path paging
Identity
  • Okta · Entra ID · Ping
    SAML + SCIM · group-to-role mapping
  • CyberArk · BeyondTrust · Delinea
    Privileged-access enumeration
  • Active Directory · LDAP
    Read-only enumeration via service account
  • AWS IAM · Microsoft Entra ID · GCP IAM
    Cloud identity graph ingestion
Cloud
  • AWS Organizations
    Cross-account role · read-only · org-wide enumeration
  • Azure Subscriptions
    Reader role · Graph API · multi-tenant supported
  • Google Cloud
    Org-level service account · Cloud Asset Inventory
  • Kubernetes (EKS / AKS / GKE / on-prem)
    Read-only kubeconfig · audit-log ingestion
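Before granting the cross-account role described above, the customer side wants two checks on whatever the vendor asks for: that the trust policy can only be assumed from the vendor's account and carries an sts:ExternalId condition (without it any tenant of the vendor could point the vendor at your account, the classic confused deputy), and that the permission policy is read-only in substance, not just in verb, since s3:GetObject, secretsmanager:GetSecretValue or ec2:GetPasswordData all begin with Get. The linter below is an added example in Python, not KeenSafe's onboarding tooling; the vendor account ID, external ID and sample policies are constructed, and the read-only verb list and the sensitive-read list are the author's assumptions, not an exhaustive catalogue.

```python
"""Lint a cross-account IAM role before handing it to a vendor.

Added example, not KeenSafe tooling. VENDOR_ACCOUNT, EXTERNAL_ID and the sample
policies are constructed; READ_VERBS and SENSITIVE_READS are assumptions about
what 'read-only, metadata-only' should mean and are not exhaustive.
"""
from __future__ import annotations

from fnmatch import fnmatch

VENDOR_ACCOUNT = "111122223333"  # constructed
EXTERNAL_ID = "ks-7f3a9c"        # constructed, agreed out of band with the vendor

READ_VERBS = ("Get", "List", "Describe")
# 'Read' by verb, but returns data or secrets rather than configuration metadata.
SENSITIVE_READS = {
    "s3:GetObject", "secretsmanager:GetSecretValue", "ssm:GetParameter",
    "ssm:GetParameters", "ssm:GetParametersByPath", "ec2:GetPasswordData",
    "lambda:GetFunction", "dynamodb:GetItem", "kinesis:GetRecords",
}


def _as_list(value) -> list:
    """IAM JSON allows a bare string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_trust(trust: dict, vendor_account: str, external_id: str) -> list[str]:
    """Check every AssumeRole grant: vendor-only principal plus matching ExternalId."""
    findings = []
    for st in _as_list(trust.get("Statement")):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in principals:
            if p == "*":
                findings.append("trust: wildcard principal lets any AWS account assume the role")
            elif vendor_account not in p:
                findings.append(f"trust: principal {p} is not the vendor account")
        got = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if got is None:
            findings.append("trust: no sts:ExternalId condition (confused-deputy risk)")
        elif got != external_id:
            findings.append("trust: sts:ExternalId does not match the agreed value")
    return findings


def lint_permissions(policy: dict) -> list[str]:
    """Reject wildcards, non-read verbs, and read verbs that expose data or secrets."""
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action")):
            _svc, _, verb = action.partition(":")
            if action == "*" or verb == "*":
                findings.append(f"perm: {action} is a wildcard, not read-only")
            elif not verb.startswith(READ_VERBS):
                findings.append(f"perm: {action} is not a read-only verb")
            else:
                # A verb glob such as s3:Get* quietly covers s3:GetObject.
                for hit in sorted(s for s in SENSITIVE_READS if fnmatch(s, action)):
                    findings.append(f"perm: {action} covers {hit}, which returns data or secrets")
    return findings


def lint_role(trust: dict, policy: dict) -> list[str]:
    return lint_trust(trust, VENDOR_ACCOUNT, EXTERNAL_ID) + lint_permissions(policy)


# Constructed samples: what a rushed onboarding often looks like, and the fixed form.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
WEAK_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["*"], "Resource": "*"}]}
SLOPPY_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:Describe*", "s3:Get*", "secretsmanager:GetSecretValue"]}]}
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
HARDENED_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["organizations:ListAccounts", "organizations:DescribeOrganization",
               "iam:List*", "iam:Get*", "ec2:Describe*", "s3:ListAllMyBuckets",
               "s3:GetBucketPolicy", "s3:GetBucketPublicAccessBlock"]}]}


if __name__ == "__main__":
    for label, trust, perms in [("weak", WEAK_TRUST, WEAK_PERMS),
                                ("sloppy", HARDENED_TRUST, SLOPPY_PERMS),
                                ("hardened", HARDENED_TRUST, HARDENED_PERMS)]:
        print(label, lint_role(trust, perms) or "clean")
```

The sloppy case is the one that passes a casual review: every action starts with Describe or Get, yet s3:Get* includes object reads and the Secrets Manager call returns secret values. Pair the linter with the account-level guard that actually enforces the boundary (a service control policy or a permission boundary on the role) rather than relying on the vendor-supplied document alone.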
Vulnerability Management
  • Tenable.io · Tenable.sc
    Asset and finding ingestion · re-validation feedback
  • Qualys VMDR
    Asset + finding sync · attack-path enrichment
  • Rapid7 InsightVM
    Asset + finding sync
  • Snyk · Wiz · Orca Security
    Cloud-finding ingestion
EDR / XDR
  • CrowdStrike Falcon
    Detection-coverage validation · OAuth API
  • SentinelOne
    Detection-coverage validation · API token
  • Microsoft Defender for Endpoint
    Graph API · ATP integration
  • Cortex XDR · Sophos · Cybereason
    REST API integration
OT / ICS
  • Claroty xDome / CTD
    OT-asset graph ingestion · passive observation
  • Dragos Platform
    OT-asset + threat-intel sync
  • Nozomi Networks
    OT-asset graph ingestion
  • Tenable.ot
    OT-asset + IT-OT bridge mapping
Agentless-first

No agents required — but a lightweight collector is available where it helps.

KeenSafe runs agentless against authorized scope by default. For deep segmentation and OT environments, an optional lightweight collector (~38 MB, no kernel hooks) can be deployed to extend reach without changing the security posture.

Agentless
External, identity, cloud and many internal flows run agentless. No installation, no rollout, no patch cycle. The default mode for most enterprise estates.
Lightweight collector
38 MB binary · userspace only · runs as a non-privileged service. Used for deep segmentation, OT bridge environments, and air-gapped scopes.
Hosted operator
A scoped operator runs inside KeenSafe-managed compute and is dispatched per authorized run. Default for SaaS deployments.
Customer-hosted operator
The operator runs inside your environment, with no outbound dependency on the vendor cloud. Default for on-prem and air-gapped modes.
Get Started

Get a deployment design tailored to your environment

Bring your network topology, your SIEM, your identity stack and your regulatory constraints — we'll respond with a deployment design, scope authorization plan and timeline within one business day.