Independent Audits
OTseek is audited multiple times each year by independent third-party auditors. These audit reports are available via our Trust Center.
Pentests
OTseek conducts annual pentesting led by independent third-party pentesters who simulate attacks on OTseek. Any weaknesses identified are resolved within 24 hours. Additionally, OTseek conducts SAST, IAST, and DAST scanning after every change to the codebase, which provides continuous security.
Encryption and TLS 1.3+
OTseek, in both multi-tenant and dedicated single-tenant deployments, encrypts all data in transit (TLS 1.3+) and at rest (AES-256). Backend services communicate via an encrypted service mesh, and all API endpoints are continuously monitored for security compliance.
Self-service Onboarding
OTseek provides a self-service onboarding Admin Portal which allows your organization’s security and IAM teams to seamlessly set up SAML or OIDC SSO, Directory Sync, and Domain Verification, and to retrieve Audit Log events. OTseek engineers are available to provide support throughout this fast setup process.
Auth
OTseek supports SAML and OIDC single sign-on (SSO) for all managed and custom IdPs, and supports SCIM for automated user lifecycle management. OTseek also supports traditional auth (email and password) including multi-factor (MFA/2FA) authentication. OTseek maintains default token and session expiration windows that can be customized to meet your organization’s needs.
Role-Based Access Control (RBAC)
The role-based access control (RBAC) in OTseek is based on users, organizations, teams, and roles:
Users are authenticated individuals who access OTseek.
Organizations are the top-level entities that contain teams.
Teams group all OTseek data to allow for fine-grained role-based access control (RBAC).
Roles define the permissions of users within an organization and team.
SCIM
To create, update, or delete a user within OTseek, you can use the following SCIM v2.0 endpoints:
GET /ServiceProviderConfig
GET /ResourceTypes
GET /Schemas
GET /Users
POST /Users
GET /Users/{id}
DELETE /Users/{id}
OTseek supports all common SCIM providers, including Azure (Entra ID), Okta, OneLogin, JumpCloud, and HRIS systems like Workday.
Network Security
OTseek deploys cloud-native WAF, IDR, and load balancing to mitigate DDoS and network intrusion attempts. OTseek allows ingress/egress only via its load balancer, and all backend services and datastores are privately networked.
If your organization uses OTseek in a dedicated single-tenant deployment, you can also request to limit access to a fixed list of static IPs.
Workload Security
OTseek continuously monitors all workloads via Cloud SIEM for automated threat detection and response. OTseek cloud workloads are processed via workload identity federation to eliminate risks related to secret leaking.
Supply Chain Security
OTseek services are deployed in continuously scanned hardened containers with signed SBOMs and SLSA Level 3 provenance, with complete CVE data. OTseek maintains minimum cool-off periods before adopting newly released packages and conducts malware and provenance scanning on all third-party dependencies.
Data Regions
OTseek and its subprocessors are currently restricted to US-only data regions.
Supported Identity Providers (IdPs)
OTseek currently supports the following SAML or OIDC Identity Providers (IdPs):
Okta SAML, Entra ID (Azure AD) SAML, Google SAML, ADP OpenID Connect, Auth0 SAML, CAS SAML, ClassLink SAML, Cloudflare SAML, Clever OpenID Connect, CyberArk SAML, Duo SAML, Entra ID OpenID Connect, JumpCloud SAML, Keycloak SAML, LastPass SAML, Login.gov OpenID Connect, Microsoft AD FS, miniOrange SAML, NetIQ SAML, Okta OpenID Connect, OneLogin, Oracle, PingFederate, PingOne, Rippling, Salesforce, Shibboleth Generic SAML, Shibboleth, SimpleSAMLphp SAML, VMware Workspace One, Custom SAML, and Custom OIDC.