Trust and Security

About the Axonius Security Program

The Axonius security program is designed to safeguard the confidentiality, integrity, availability, and privacy of our information systems and data that Axonius stores or processes.

Axonius has a formal cybersecurity program, with key aspects summarized below. The program is managed by a full-time security team and encompasses stakeholders across all Axonius departments. Consistent with customers’ expectations, the program is designed to safeguard the confidentiality, integrity, availability, and privacy of our information systems and data that Axonius stores or processes.

The Axonius Security Program applies to the entire Axonius Asset Cloud, including the Axonius Platform and a set of discrete products built on top of that platform that span Cyber Assets, Software Assets, SaaS Applications, Exposures, and Identities. The Axonius Asset Cloud gathers data and integrates with other applications through a comprehensive library of bi-directional API integrations across hundreds of services and data sources. This data layer is aggregated and cleansed into a single model that represents every asset and every relationship, providing a foundation for visibility and actionability.

Frameworks and certifications

Axonius uses the SOC 2 Trust Services Criteria for Security and ISO 27001 to structure our security program. These respected frameworks help ensure that we implement comprehensive security measures such as access control, infrastructure and application defenses, risk management, and so on. They also map to other control catalogs, such as those published by NIST and CIS.

These frameworks also provide a way for independent auditors to review our security and communicate it to our customers. To provide such assurance, we obtained an ISO 27001 certificate and a SOC 2 Type 2 attestation from Schellman, an experienced and accredited audit firm. To provide additional assurance to customers that process protected health information, we also obtained a Type 1 attestation for the HIPAA Security Rule and HITECH Breach Notification requirements from Schellman.

Current and prospective Axonius customers can access our SOC 2 and HIPAA reports at the Axonius Trust Center after an NDA is executed with us.

Product security

Axonius incorporates security reviews into our Secure Development Lifecycle (SDL) process for the Axonius Asset Cloud, giving the Axonius security team the ability to offer feedback and guidance. The SDL also includes automated scanning to identify security weaknesses. In addition to internal oversight, Axonius regularly commissions third-party experts to perform penetration testing to identify additional application vulnerabilities and help maintain our product’s security posture.

The Axonius Asset Cloud stores sensitive configuration data, such as adapter credentials, encrypted at rest. For product instances that we host on behalf of customers, we automatically enable a storage-layer encryption feature in AWS called EBS Volume Encryption. Customers can choose to enable storage-layer encryption in the on-premises instances that they host to ensure that device and user metadata is also encrypted.

Axonius customers directly control much of the security configuration of their Axonius self-managed instances, as described in the product documentation. The documentation describes the product architecture and includes instructions such as configuring third-party identity providers, using Role-Based Access Control (RBAC), and reviewing activity logs.

Axonius customers can integrate their own SAML Single Sign-On (SSO) solution with the Axonius Asset Cloud.

Infrastructure security

Most customers use the Axonius Asset Cloud as a SaaS-hosted offering that is managed by Axonius. Customers can also choose to host their own instance of the Axonius Asset Cloud. Axonius hosts our solution in Amazon Web Services (AWS) in a single-tenant manner so that each Axonius customer has a dedicated, isolated environment. Customers can direct Axonius to host their product instance in any available AWS region.

We control which Axonius personnel can access our infrastructure so that we can provide the necessary services to our customers without exposing them to undue risk. Connecting to these systems requires first authenticating through our Single Sign-On (SSO) provider, which requires multi-factor authentication (MFA), enforces access restrictions, and identifies authentication anomalies. All network interactions are encrypted using modern cryptographic mechanisms.

Axonius regularly patches our infrastructure to address relevant vulnerabilities in a timely and responsible manner. We use vulnerability scanning and other security tools to validate that patching works as expected and to identify configuration weaknesses we may need to remediate. Not surprisingly, we use our own platform to maintain an up-to-date asset inventory. Axonius also regularly commissions third-party experts to perform penetration testing of our infrastructure to help maintain our security posture.

We capture and aggregate infrastructure security events to detect suspicious activity related to our infrastructure. Our security team investigates the relevant events to identify security anomalies, whenever practical, before they escalate into major incidents. We also have a formal incident response plan to handle security incidents in a methodical and responsible manner.

Data protection and privacy

Axonius has a formal data classification policy that guides our personnel regarding the security precautions necessary for handling different types of data, ranging from confidential to external. Depending on the classification, Axonius enforces access restrictions and other security controls to safeguard the data in an appropriate manner. Axonius uses modern encryption techniques to protect data in transit and, where appropriate, encrypts data at rest.

In the context of data privacy, our customers control the type of information their product instance processes and whether that information includes personal data. Therefore, our customers are considered data controllers. For our standard policies and processes regarding personal data, including our role and obligations as a data processor, please see our Data Processing Agreement (DPA). Legal and related details about our services and commitments are captured in the Axonius Terms and Conditions.

Recognizing the importance of managing security risks in our supply chain, Axonius has a formal vendor management program in place. It includes conducting security reviews of third-party vendors that act as subprocessors and ensuring that appropriate terms are included in our contracts to safeguard our own and our customers’ data. The list of our subprocessors is published on our website.

Reporting a vulnerability

Axonius welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you.

To report a potential security issue to Axonius, contact [email protected]. For details, see our Vulnerability Disclosure Policy, which explains how to report vulnerabilities to us, what we expect, and what you can expect from us. It applies to any digital assets owned, operated, or maintained by Axonius for which Axonius can legally authorize testing.

Trust Center

We have a dedicated Axonius Trust Center site that outlines key aspects of our security program. Please take a look to explore additional aspects of our security controls.