SentriKat is currently in Early Access — all plans and features are available for free while we finalize our commercial offering. Here's what that means:

• Free access — No credit card required, no time limit. Both Cloud (SaaS) and on-premises deployments are free.
• Limited capacity — We're accepting up to 30 Cloud organizations and 15 on-premises licenses during this phase.
• Early Access limits — Each organization gets up to 10 agents and 3 users. Full feature access on all plans.
• What happens next — When pricing goes live, you'll be notified in advance. Early Access users will get priority and a loyalty discount.

Yes — SentriKat is available in two modes, both free during Early Access:

• Cloud (SaaS) — Managed platform at app.sentrikat.com. No infrastructure to manage. 10 agents, 3 users during Early Access.
• On-Premises — Deploy on your own infrastructure via Docker Compose. Your data never leaves your network. Air-gapped deployments fully supported.

Both modes offer the same vulnerability intelligence, compliance reports, and agent support.

Three key differences:

• Focus — SentriKat tracks the ~1,484 CISA Known Exploited Vulnerabilities, not all 250,000+ CVEs. This eliminates 99.4% of the noise.
• Vendor patch detection — Queries 4 vendor feeds daily and automatically marks vulnerabilities as resolved when a patch is available. Most scanners can't do this.
• Price — Free during Early Access. After launch: Pro at €199/mo (Cloud) or €4,999/yr (on-premises) vs. $10,000+ per module with enterprise scanners.

SentriKat monitors your full software stack with lightweight agents on Windows, Linux, and macOS:

• OS packages & applications — Installed software inventory (dpkg, RPM, WMI, Homebrew, system frameworks)
• Containers — Docker and Podman container images scanned automatically using Trivy
• Browser extensions — Chrome, Edge, and Firefox extensions matched against CVE databases
• IDE plugins — VS Code and JetBrains plugins inventoried and checked for known vulnerabilities
• Code dependencies — 11 lockfile formats across 7 ecosystems: Node.js (package-lock.json, yarn.lock, pnpm-lock.yaml), Python (Pipfile.lock, poetry.lock), Rust (Cargo.lock), Go (go.sum, go.mod), Ruby (Gemfile.lock), PHP (composer.lock), and .NET (packages.lock.json). Powered by Google's OSV.dev database with exact version matching — zero false positives.

Extension and dependency scanning are opt-in per API key — no client-side configuration needed. If a tool (e.g. pip) isn't installed, that ecosystem is silently skipped.

All inventory is matched against the CISA KEV catalog and enriched with vendor advisory data from OSV.dev, Red Hat, Microsoft MSRC, and Debian — synced automatically via background tasks.

SentriKat does not perform network-based vulnerability scanning — it focuses exclusively on known exploited vulnerabilities in your installed software.

SentriKat includes a built-in Software Composition Analysis (SCA) scanner that finds known vulnerabilities in your open-source dependencies:

• 11 lockfile formats, 7 ecosystems — Node.js (npm/yarn/pnpm), Python (pip/poetry), Rust, Go, Ruby, PHP, and .NET — all in a single tool
• OSV.dev powered — uses Google's open-source vulnerability database (the same source behind npm audit and pip-audit)
• Zero false positives — exact version matching from lockfiles, not CPE guessing
• CI/CD native — works with GitHub Actions, GitLab CI, and Jenkins. Use --fail-on critical to gate deployments
• EPSS + KEV prioritization — rank vulnerabilities by real-world exploitation probability, not just CVSS scores
• Self-hosted — results stay in your infrastructure. Only package names are sent to OSV.dev for lookups (no source code)

Unlike Snyk or Dependabot, SentriKat runs entirely server-side and covers all ecosystems in one tool. Unlike npm audit, it's not limited to a single ecosystem. Unlike Trivy, it's purpose-built for SCA — not bolted onto container scanning.

SentriKat includes dedicated zero-day intelligence that goes beyond standard KEV tracking:

• Zero-day alerting — Instant notifications when a newly disclosed zero-day (a CVE with no available patch) matches software in your inventory. Alerts via email, Slack, Teams, or any configured webhook.
• Zero-day intelligence feed — Aggregates zero-day disclosures from CISA emergency directives, vendor security advisories (Microsoft MSRC, Red Hat, Debian, OSV.dev), and the ENISA EUVD exploited list.
• Zero-day tracking dashboard — Dedicated view to track unpatched zero-day vulnerabilities separately from regular KEV entries. See which endpoints are affected, monitor patch availability, and track remediation timelines.

Zero-day entries are automatically reclassified once a vendor patch is detected by the advisory sync engine.

Yes — fully air-gapped deployments are supported:

• License activation can be done offline
• KEV knowledge base can be imported manually via file transfer
• Agents communicate only with your local SentriKat server — no internet access required from endpoints

SentriKat supports the following frameworks out of the box:

• NIS2 Article 21 — compliance reports with Article 21(2)(e) vulnerability handling evidence
• CISA BOD 22-01 — remediation deadline tracking
• DORA — ICT vulnerability management requirements for financial sector
• ISO 27001 — Annex A control A.12.6 (Technical Vulnerability Management)

Executive summary PDFs include risk scores and KPIs ready for audit or board presentations. Learn more about NIS2 compliance.

Yes — SentriKat natively integrates ENISA EUVD, the European vulnerability database mandated by NIS2 Article 12. This provides:

• EU exploited vulnerability tracking — alongside CISA KEV for dual-continent coverage
• CVSS score enrichment — EUVD serves as a tertiary CVSS source when NVD and CVE.org don't have scores yet
• Per-CVE source attribution — every score includes a cvss_source tag so you know exactly where severity data comes from

Combined with NVD and CVE.org, this multi-source approach means your vulnerability intelligence never depends on a single database.

SentriKat is designed for European data sovereignty:

• On-premises option — deploy on your own EU-based infrastructure with zero cloud dependency
• Cloud hosted in Europe — managed platform with EU data residency
• Swiss-engineered — built in Ticino, Switzerland under Swiss privacy standards
• Multi-source intelligence — combines US (CISA, NVD) and EU (ENISA EUVD) databases locally, so you're not solely dependent on any single country's infrastructure

The only external connection is a lightweight license heartbeat — no customer data is transmitted.

Yes — SentriKat includes multi-tenant support with:

• Isolated organizations with role-based access control
• Separate inventories, dashboards, and reports per client
• White-label branding — customize with your own logo and colors

All integrations are included in the Pro license at no extra cost:

• Notifications — Email alerts with daily/weekly digests, Slack, Microsoft Teams, Discord webhooks (HMAC-SHA256 signed), custom alert rules, and 3-tier escalation policies
• Issue tracking — Jira, GitHub Issues, GitLab Issues, YouTrack
• SIEM — Syslog in CEF, JSON, or RFC 5424 format (Splunk, ELK, ArcSight, QRadar)
• Inventory import — Lansweeper, PDQ Deploy, SCCM, Intune, REST API, CSV
• Authentication — Active Directory, LDAP, SAML 2.0, TOTP 2FA
• Agent management — Heartbeat monitoring, server-side config push, minimum version enforcement, MDM-compatible macOS deployment (Jamf, Kandji, Mosyle)

Your SentriKat license is perpetual — the software continues to work indefinitely.

If your annual subscription (which covers updates and support) expires:

• You keep using the last installed version
• You won't receive new features, security patches, or technical support
• Your data and configuration are never affected

SentriKat scales from small teams to enterprise deployments with 10,000+ agents. Performance is tuned via environment variables — no code changes needed, just adjust and restart.

Deployment sizing guide:

• Small (<100 agents) — 4 Gunicorn workers, 2 background threads, 5 DB pool connections
• Medium (100–1K) — 8 workers, 4 threads, 10 DB connections
• Large (1K–5K) — 12 workers, 8 threads, 15 DB connections
• Enterprise (5K–10K+) — 16 workers, 16 threads, 20 DB connections

Background jobs use a concurrent worker pool with exponential backoff retry (up to 5 attempts). Health checks automatically alert when the pool is at capacity or failure rates spike.

For 10K+ agent deployments, run multiple SentriKat containers behind a load balancer and let your orchestrator (Docker Swarm, Kubernetes) scale replicas.