This page is a companion to the Overview — read that first for what each module does; this page explains how they fit together and how data flows.

Documentation Index
Fetch the complete documentation index at: https://docs.osto.one/llms.txt
Use this file to discover all available pages before exploring further.

The three zones
🌐 Internet
Everything reaching your assets from the public web — legitimate users, partners, and integrations on one side; bots, scanners, and attackers on the other. Traffic enters Osto Cloud before it ever touches your origin.

☁️ Osto Cloud
The platform itself. All 13 modules run here and share a single dashboard, a single identity model, and a single log stream — so a finding in one place becomes evidence for compliance in another without you wiring anything up.

🏢 Your environment
The things Osto protects: your websites and APIs, your servers and databases, your cloud accounts on AWS / Azure / GCP, your source code repositories and CI, your end-user devices, and your mobile app binaries. Osto reaches in only where you grant access — read-only API for cloud posture, CI integration for code, agent-based for endpoints, and brokered access for servers.

What each Osto Cloud module does
Protecting traffic
- Web App Protection — inspects every request reaching your websites; blocks OWASP-class attacks, DDoS, and bot traffic before it lands on your origin.
- API Protection & Discovery — discovers shadow APIs, enforces schema, and blocks malicious calls.
- Domain Filtering / DNS — controls which destinations users on your network can resolve.
Continuous assessment
- Web Scanner — crawls your public-facing properties for vulnerabilities on a schedule.
- App Scanner — tests iOS and Android binaries for mobile security issues.
- SAST — runs static analysis on source code in CI.
- SBOM / SCA — inventories dependencies and flags known CVEs.
- Cloud Posture (CSPM) — reads cloud provider APIs to detect misconfigurations across AWS, Azure, and GCP.
Endpoint & access
- Endpoint Agent — installs on laptops and desktops. Enforces Device Control (USB, Bluetooth, Wi-Fi), App Control, Domain Filtering, DLP (App File Access), Screen Lock, and Disk Encryption.
- Secure Server / Gateway — brokers Zero Trust access to servers. Users connect through Osto; direct SSH/RDP to the origin is blocked. MFA is enforced per session.
Compliance & evidence
- Compliance Engine — maps findings and telemetry from every module to SOC 2 Type II, ISO 27001, HIPAA, GDPR, and PCI DSS controls; collects evidence automatically.
- Awareness Training — delivers security training to your team and records completion as compliance evidence.
- Logs — centralizes Web App, Secure Server, Domain Filtering, Incident, Audit, and Auth logs across all modules into a single audit-ready stream.
How traffic flows — Web App Protection
- A request hits the Osto edge (your DNS A record points here).
- TLS is terminated. Osto presents your certificate (auto-generated or uploaded).
- The request passes through Attack Detection — TLS validation, protocol checks, header inspection.
- Advanced checks run: DDoS mitigation, Bot detection, OWASP rule set (SQL injection, XSS, path traversal, etc.).
- Clean traffic is forwarded to your origin over an encrypted connection. Malicious traffic is blocked (in Prevent Mode) or logged and passed through (in Detect Mode).
- The response comes back through Osto. Data Theft Protection optionally inspects it for outbound sensitive-data leakage.
- The full transaction is written to Logs → Web App and counted toward Compliance evidence.
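The request path above, modeled as a small Python pipeline. This is an added example, not Osto's code or rule set: the check order, the regexes standing in for the OWASP rules, the Luhn-based card-number check standing in for Data Theft Protection, and the log-record fields are all assumptions. What it shows that the list alone does not is the single behavioral difference between the modes: a hit is written to the log in both, and only Prevent Mode turns it into a block.

```python
"""Illustrative model of the Web App Protection request path. Added example,
not Osto's code: the check order, the pattern rules, the card-number check and
the log-record fields are assumptions, not the platform's real rule set."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed signatures standing in for the OWASP rule set (assumption).
OWASP_RULES = {
    "sqli": re.compile(r"('|%27)\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<\s*script|javascript:|on(click|load|error|mouse\w*)\s*=", re.I),
    "traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
}
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}
MAX_HEADER_LEN = 8192
# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


@dataclass
class Request:
    method: str
    path: str            # path plus query string, as received at the edge
    headers: dict
    body: str = ""


@dataclass
class Verdict:
    action: str          # "forward" or "block"
    rule: Optional[str]  # which check fired, if any
    mode: str


def attack_detection(req: Request) -> Optional[str]:
    """Stage 1: protocol and header checks that run before the advanced rules."""
    if req.method not in ALLOWED_METHODS:
        return "protocol:method"
    headers = {k.lower(): v for k, v in req.headers.items()}
    if "host" not in headers:
        return "protocol:missing-host"
    if any(len(v) > MAX_HEADER_LEN for v in headers.values()):
        return "protocol:header-too-long"
    return None


def owasp_rules(req: Request) -> Optional[str]:
    """Stage 2: pattern checks over path, query string and body."""
    target = f"{req.path}\n{req.body}"
    for name, pattern in OWASP_RULES.items():
        if pattern.search(target):
            return f"owasp:{name}"
    return None


def inspect(req: Request, mode: str, log: list) -> Verdict:
    """Run the stages in order; the mode decides what a hit does. Every
    transaction is appended to `log` whether or not it is blocked, which is
    what lets the same record double as compliance evidence."""
    if mode not in ("detect", "prevent"):
        raise ValueError(f"unknown mode {mode!r}")
    rule = attack_detection(req) or owasp_rules(req)
    if rule is None or mode == "detect":
        action = "forward"       # detect mode records the hit but lets it through
    else:
        action = "block"
    log.append({"path": req.path, "rule": rule, "action": action, "mode": mode})
    return Verdict(action, rule, mode)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def data_theft_check(response_body: str) -> Optional[str]:
    """Outbound inspection of the origin's response: flag a Luhn-valid card
    number before the response leaves the edge."""
    for m in CARD_RE.finditer(response_body):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return "dlp:card-number"
    return None


if __name__ == "__main__":
    log = []
    # Constructed sample requests: one clean, one carrying a SQL injection probe.
    for req in (Request("GET", "/products?id=42", {"Host": "shop.example"}),
                Request("GET", "/products?id=1' OR 1=1", {"Host": "shop.example"})):
        for mode in ("detect", "prevent"):
            print(inspect(req, mode, log))
    print(data_theft_check("card on file: 4111 1111 1111 1111"))
```

The ordering matters for the same reason it does at a real edge: cheap protocol checks reject malformed requests before any pattern matching runs, and the log record is written on every path, so a Detect Mode rollout produces the same evidence a Prevent Mode one does, minus the blocks.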
How access flows — Secure Server
- A user authenticates to the Osto portal (SSO + MFA).
- The user selects the server they want to reach. The Server Access Policy is evaluated.
- If the policy permits the connection, Osto opens a brokered session (SSH, RDP, or custom port) for the duration of the configured Session Window.
- The origin server is never directly reachable — its inbound firewall allows only the Osto gateway IP.
- Session events stream to Logs → Secure Server as audit evidence.
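The access path above, modeled in Python. This is an added example, not Osto's code: the policy fields, the session object, the audit event names, the firewall-rule shape and the gateway address 203.0.113.10 are all assumptions. It shows the two things the list leaves implicit: a denial is logged with its reason just as a grant is, and a granted session carries its own expiry, so the broker, not the origin, decides when the connection ends. The last function is the practitioner's check for the fourth step: given the origin's inbound allow rules, anything on the SSH/RDP port other than the gateway's own /32 means the origin is still directly reachable.

```python
"""Illustrative model of the Secure Server access path. Added example, not
Osto's code: the policy fields, the session object, the event names and the
firewall check are assumptions chosen to show how the Server Access Policy
and the Session Window bound a brokered connection."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class User:
    name: str
    groups: set
    mfa_verified: bool          # set by the portal after SSO + MFA succeed


@dataclass
class AccessPolicy:
    server: str
    allowed_groups: set
    allowed_protocols: dict     # protocol -> origin port, e.g. {"ssh": 22}
    session_window: timedelta   # how long a brokered session may stay open


@dataclass
class Session:
    user: str
    server: str
    protocol: str
    port: int
    opened_at: datetime
    expires_at: datetime

    def is_open(self, now: datetime) -> bool:
        """The broker tears the session down once the window has elapsed."""
        return self.opened_at <= now < self.expires_at


def evaluate(policy: AccessPolicy, user: User, protocol: str,
             now: datetime, log: list) -> Optional[Session]:
    """Steps 1-3 of the flow: the user must have completed MFA, belong to an
    allowed group, and request a protocol the policy brokers. Every outcome
    is appended to `log` so the audit trail records denials as well as grants."""
    def deny(reason: str) -> None:
        log.append({"event": "access_denied", "user": user.name,
                    "server": policy.server, "reason": reason, "at": now.isoformat()})
        return None

    if not user.mfa_verified:
        return deny("mfa_required")
    if not (user.groups & policy.allowed_groups):
        return deny("group_not_allowed")
    if protocol not in policy.allowed_protocols:
        return deny("protocol_not_allowed")
    session = Session(user.name, policy.server, protocol,
                      policy.allowed_protocols[protocol], now, now + policy.session_window)
    log.append({"event": "session_opened", "user": user.name, "server": policy.server,
                "protocol": protocol, "expires_at": session.expires_at.isoformat()})
    return session


def origin_exposure(inbound_allow: list, gateway_ip: str, port: int) -> list:
    """Step 4 check: given the origin's inbound allow rules as (source CIDR, port)
    pairs, return the sources on `port` that admit anything other than the
    gateway's own /32. An empty list means direct SSH/RDP really is blocked."""
    gateway = ipaddress.ip_address(gateway_ip)
    leaks = []
    for source, rule_port in inbound_allow:
        network = ipaddress.ip_network(source, strict=False)
        if rule_port == port and not (network.num_addresses == 1 and gateway in network):
            leaks.append(source)
    return leaks


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    audit = []
    policy = AccessPolicy("db-01", {"dba"}, {"ssh": 22}, timedelta(hours=2))
    print(evaluate(policy, User("alice", {"dba"}, True), "ssh", now, audit))
    print(evaluate(policy, User("bob", {"dba"}, False), "ssh", now, audit))
    print(audit)
    # Constructed origin rules; 203.0.113.10 stands in for the Osto gateway IP.
    print(origin_exposure([("203.0.113.10/32", 22), ("10.0.0.0/8", 22)], "203.0.113.10", 22))
```

`origin_exposure` is deliberately strict: a rule like `10.0.0.0/8` on port 22 is reported even when the gateway sits inside that range, because the point of the fourth step is that only the gateway, not everything adjacent to it, can reach the origin.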

