> ## Documentation Index
> Fetch the complete documentation index at: https://docs.osto.one/llms.txt
> Use this file to discover all available pages before exploring further.

# Core Concepts

> A short tour of the model Osto uses across every module.

Once these four ideas are familiar, every other doc reads more easily.

## Assets — *what you're protecting*

Assets are the things in your environment Osto secures. You'll find them under **Assets** in the left sidebar:

* **Domains** — the websites, web apps, and subdomains you want Osto to protect. Manage the domains themselves and their TLS certificates.
* **Endpoint Users** — the people in your organization, with the devices they use. Osto applies endpoint protection and access policies through this list.
* **Server Access** — the servers Osto brokers access to:
  * **Secure Server** — a host where you install Osto's agent directly so access is granted through Osto.
  * **Secure Gateway** — a Linux host that brokers access to multiple child servers behind it (no agent install needed per child).
* **APIs** — discovered automatically from your protected domains and surfaced in dashboards under Insights. You don't register APIs manually.

<Note>
  Every policy, scan, and compliance control eventually points back to one of these assets. Onboard them early — the rest of the platform unlocks once they're in.
</Note>

## Objects — *reusable building blocks*

Objects are configurations you define once and reuse across many policies. They sit under **Objects** in the sidebar:

* **Domain Category** — group domains for policy targeting (e.g. *production sites*, *marketing sites*).
* **Application** — named applications used in App Control and DLP rules.
* **Port** — named network ports referenced in access and firewall rules.
* **Schedule** — time windows (e.g. *business hours*, *maintenance windows*) referenced in access policies.

<Tip>
  Objects keep policies short and consistent. Change a domain category in one place and every policy targeting that category updates with it.
</Tip>

## Policies — *how Osto behaves*

Policies attach security behavior to assets. The **Policies** section has three top-level sub-sections, organized by the asset type a policy applies to:

* **Endpoint Users** → Device Control, App Control, Domain Filtering, Data Leakage Prevention (with App File Access), Global Policy — controls what users can run, plug in, browse to, and copy out.
* **Domains** → Global Policies (DDoS, Bot) and Local Policies (Advanced, Custom Routing Rules, Policy Exceptions, API Discovery) — controls what reaches your websites and APIs, and how they're inspected.
* **Server Access** — the rules-list of who can reach which Secure Server (or child server behind a Secure Gateway), on which ports.

Customer-facing docs in this Knowledge Base cover these as three task-focused guides: the [User Protection Policy](/how-to-guides/policy-configuration/user-protection-policy), the [Website Protection Policy](/how-to-guides/policy-configuration/website-protection-policy), and the [Secure Server Access Policy](/how-to-guides/policy-configuration/secure-server-access-policy).

<Note>
  **Defaults that ship out of the box.** Osto comes with recommended defaults for every policy. You don't have to configure anything for protection to start — you only tune what's specific to your environment.
</Note>

## Modules you'll work alongside

Beyond Assets, Objects, and Policies, several sidebar sections layer additional capabilities on top of the model:

* **Scanner** — continuous vulnerability scanning for your domains (**Web Scanner**) and mobile apps (**App Scanner**).
* **Code Security** — source-code static analysis (**SAST**), integrated into your CI/CD.
* **Posture Management → Cloud Security** — connects AWS, Azure, and GCP for misconfiguration and drift detection.
* **Compliance** — controls, tasks, frameworks, and **Awareness Training** for SOC 2, ISO 27001, HIPAA, GDPR, and PCI DSS, drawing evidence from every other module.
* **Logs** — centralized records (Web App, Secure Server, Domain Filtering, Incident, Audit, Auth) usable for both daily monitoring and audit evidence.
* **Management** — admin access and usage / billing.

## Where to next

* New to the dashboard? Jump to the [Quick Start Guide](/getting-started/quick-start).
* Ready to bring assets onboard? See [Asset Management](/how-to-guides/asset-management/index).
* Want to tune protection? See [Policy Configuration](/how-to-guides/policy-configuration/index).
