Your entire IT stack, one platform, zero duct tape.
B-Brave Gatekeeper unites IT operations and security in a single environment — on-premise, cloud, hybrid, air-gapped, or distributed across remote locations.
Network discovery, CMDB, IPAM, ITSM, compliance automation, MDM, firewall & switch management, SOAR playbooks, on-call schedules, sites & rack diagrams, AI assistant, dark web monitoring, and a knowledge base — all native, no add-ons required.
- No external add-ons required
- Multi-tenant with role-based access
- Real-time data via Supabase Realtime
- Full REST API & webhook support
Total Assets
1,247
Across all sites
Compliance
94%
NIS2 / BIO / ISO
Open Alerts
3
Needs attention
CVEs Detected
12
Last 30 days
Trusted by IT teams in regulated industries across Europe
“Gatekeeper replaced four separate tools. Our NIS2 compliance coverage went from 41 % to 94 % in six weeks — and we finally have a single view across all 23 sites.”
Head of IT Security
European Municipality · 600+ employees
“As an MSP managing 38 clients we needed one platform with proper tenant isolation, not tools hacked together per client. Gatekeeper also generates compliance reports our clients can hand straight to auditors.”
CTO
European MSP · 38 Managed Clients
“Our CISO required NIS2 evidence packages for three regulators simultaneously. Gatekeeper generated audit-ready PDFs for each framework in under a minute. That alone justified the entire platform cost.”
IT Security Lead
Financial Services · 2,400 employees
Built for every IT team
One platform, every role
IT Managers
Total infrastructure visibility
CMDB, asset lifecycle, compliance automation, ITSM, change management, and AI-powered reporting in a single platform.
- Auto-discovered CMDB with EOL tracking
- 60+ compliance frameworks
- SLA-tracked tickets & changes
Security Teams
Detect, respond, contain
SIEM, CVE tracking, dark web monitoring, SOAR automation, and incident management built directly into your IT operations platform.
- Real-time SIEM with custom rules
- SOAR playbooks & auto-response
- CVE-to-asset cross-referencing
Managed Service Providers
All your clients, one platform
Multi-tenant architecture with full client isolation, per-tenant RBAC, remote agents, and branded per-client reporting at scale.
- Unlimited tenant management
- Remote nodes & site agents
- Per-client compliance reports
Everything in one platform
Network Discovery
Auto-discover every device on your network
Threat Intelligence
SIEM, CVE tracking & dark web monitoring
Compliance (60+)
ISO 27001, NIS2, CIS, SOC 2 and more
MDM
Manage mobile devices and endpoints
Credentials Vault
Secure, encrypted credential management
SOAR Automation
Automated playbooks for incident response
Switch Connector
SNMP-based switch management & VLAN maps
Firewall Integration
FortiGate policy, routes & VPN management
Sites & Racks
Physical infrastructure rack diagrams
AI Assistant
AI-powered reports and platform guidance
On-Call Schedules
Escalation policies and on-call rotations
Knowledge Base
Integrated runbooks and documentation
What customers say
Trusted by IT and security teams across Europe
“We replaced four separate tools — network scanner, CMDB, ITSM and compliance tracker — with Gatekeeper. The NIS2 audit preparation that used to take weeks now takes an afternoon.”
Thomas V.
IT Security Manager
Dutch municipality, ~18 000 residents
“Multi-tenant isolation is rock solid. Each client environment is completely separate and we can generate white-label compliance reports in minutes. It’s become the backbone of our managed security offering.”
Anke B.
Head of Operations
Managed Service Provider, 35+ clients
“Air-gapped deployment works exactly as advertised. Zero outbound connections, full feature parity with the cloud edition, and the agent-based discovery covers our OT network segments without any issues.”
Lars M.
CISO
Critical infrastructure operator
Deployment options
Deploy on your terms
Every organisation has different infrastructure constraints. Gatekeeper runs wherever you need it, with the same core feature set across all deployment models — infrastructure topology and operational responsibilities vary by model.
Cloud
Multi-tenant SaaS hosted in your chosen region. Zero infrastructure overhead. Regional isolation guaranteed.
Best for: organisations wanting immediate value with no on-prem setup
On-Premise
Full data sovereignty. Runs inside your own datacenter or private cloud. No data ever leaves your perimeter.
Best for: regulated industries, government, and strict data residency requirements
Hybrid
Cloud-managed control plane with on-prem Gatekeeper agents. Scan results processed locally; management console in the cloud.
Best for: distributed organisations with multiple sites
Air-Gapped
Fully offline deployment with zero outbound connections. No telemetry, no external calls, fully self-contained.
Best for: classified, critical, or defence infrastructure
Data residency
Your data, your region
Five fully independent regions — same feature set, TLS configuration, and SLA. Tenant data never crosses region boundaries. Infrastructure is fully isolated per region. Regional compliance certifications reflect local regulatory frameworks and may differ.
Europe
Frankfurt · Amsterdam · London · Paris · Stockholm · Dublin
Asia-Pacific
Singapore · Tokyo · Sydney · Mumbai · Auckland
Africa
Johannesburg · Nairobi · Cape Town
Middle East
Dubai · Abu Dhabi
Americas
Virginia · California · Miami · Dallas · Toronto · Montreal · Vancouver · São Paulo · Santiago · Buenos Aires · Mexico City · Nuuk
What data we process as a processor
- Network telemetry: IP addresses, MAC addresses, hostnames, open ports, SNMP data
- Asset inventory: device type, OS version, firmware, installed software
- Security events: SIEM alerts, CVE matches, scan results, traffic logs
- User account data: name, email, hashed credentials, MFA settings
- Operational data: tickets, changes, runbooks, on-call schedules
What stays entirely on-premise (self-hosted)
- All scan results and raw network telemetry — never transmitted externally
- Credentials vault contents — encrypted locally, never sent to cloud
- Device configurations and SNMP community strings
- FortiGate, switch, and AD connection credentials
- Agent scripts and custom automation playbook logic
Security controls
Built secure by default
Security is not a layer on top — it is the foundation. Every control below applies to all deployment models unless explicitly noted.
Encryption
AES-256 at rest, TLS 1.3 in transit. Credential vault uses envelope encryption with per-tenant keys.
Identity & Access
TOTP, WebAuthn passkeys, SAML 2.0 and OIDC support. MFA is enforced for all administrator roles.
Audit Logging
Tamper-evident audit trail with 12-month retention. Real-time alerting on privileged actions. Exportable as CSV or JSON.
Backups
Daily encrypted snapshots with 30-day retention. Quarterly restore tests. Cross-region replication for cloud tenants.
Patch Policy
Critical CVEs patched within 72 hours of disclosure. Minor vulnerabilities within 14 days. Public changelog maintained.
Row-Level Security
Tenant data isolated at the database level using Postgres RLS policies. No cross-tenant access is architecturally possible.
TLS & HTTP security hardening
Configured to achieve A+ on every security scanner
All HTTPS connections are governed by a strict TLS policy. HTTP security headers are deployed at the CDN edge and validated continuously against securityheaders.com and SSL Labs. Grades shown apply to the cloud-hosted tenant (bbravegatekeeper.cloud). On-premise deployments use the same configuration; TLS termination on customer-operated hosts is the customer’s responsibility.
SSL Labs
TLS configuration
Security Headers
HTTP response headers
HSTS Preload
Preload list status
Forward Secrecy
All cipher suites
Protocol support
TLS version enforcement — all clients
Accepted cipher suites
ECDHE only — forward secrecy guaranteed
RC4, DES, 3DES, EXPORT, NULL, anonymous DH, and CBC-mode suites are explicitly disabled.
HTTP security headers
Deployed at CDN edge — applied to every response
Strict-Transport-Security
max-age=63072000; includeSubDomains; preload
HSTS with 2-year max-age, all subdomains, preload list eligible
Content-Security-Policy
default-src 'self'; script-src 'self'; …
Strict CSP — no unsafe-eval, no inline scripts, connect-src scoped to Supabase endpoints
X-Content-Type-Options
nosniff
Prevents MIME-type sniffing attacks in legacy browsers
X-Frame-Options
DENY
Blocks all iframe embedding; reinforced by CSP frame-ancestors 'none'
Referrer-Policy
strict-origin-when-cross-origin
Sends only origin on cross-origin requests; full URL only on same-origin
Permissions-Policy
camera=(), microphone=(), geolocation=(), payment=(), usb=()
Disables all sensitive browser APIs not required by the platform
Cross-Origin-Opener-Policy
same-origin
Isolates browsing context, enables high-resolution timers, mitigates Spectre
X-Permitted-Cross-Domain-Policies
none
Blocks Adobe Flash / Acrobat cross-domain policy inheritance
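A check of a response's headers against the values listed above, as an added example that is not the vendor's code. The page elides most of the CSP, so the sample's `frame-ancestors 'none'` directive is assumed from the X-Frame-Options description, and `audit_headers`, `directives` and `SAMPLE` are hypothetical names.

```python
import re
# Exact-match values as listed on the page (added example, not vendor code).
EXACT = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin",
    "x-permitted-cross-domain-policies": "none",
}
DISABLED = ("camera", "microphone", "geolocation", "payment", "usb")
MIN_HSTS_AGE = 63072000  # two years, the max-age stated on the page

def directives(value, sep):
    """Parse 'name=arg; flag' or 'name arg' lists into {name: arg}."""
    out = {}
    for part in value.split(sep):
        f = re.split(r"[=\s]+", part.strip(), maxsplit=1)
        if f[0]:
            out[f[0].lower()] = f[1].strip() if len(f) > 1 else ""
    return out

def audit_headers(headers):
    """Return a list of deviations from the listed policy (empty = compliant)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    bad = [f"{n}: expected {w!r}" for n, w in EXACT.items()
           if h.get(n, "").lower() != w.lower()]
    hsts = directives(h.get("strict-transport-security", ""), ";")
    age = hsts.get("max-age", "")
    if not age.isdigit() or int(age) < MIN_HSTS_AGE:
        bad.append("hsts: max-age missing or under two years")
    bad += [f"hsts: {f} missing" for f in ("includesubdomains", "preload")
            if f not in hsts]
    csp = directives(h.get("content-security-policy", ""), ";")
    # script-src falls back to default-src when absent
    script = csp.get("script-src", csp.get("default-src", "")).lower().split()
    if not script:
        bad.append("csp: no script-src or default-src")
    bad += [f"csp: script-src allows {k}" for k in ("'unsafe-inline'", "'unsafe-eval'")
            if k in script]
    if csp.get("frame-ancestors", "").lower() != "'none'":
        bad.append("csp: frame-ancestors is not 'none'")
    pp = directives(h.get("permissions-policy", ""), ",")
    bad += [f"permissions-policy: {f} not disabled" for f in DISABLED
            if pp.get(f) != "()"]
    return bad

# Constructed sample response; the CSP past its first two directives is assumed.
SAMPLE = {**EXACT,
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "permissions-policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()"}
```

Feeding it the header dictionary from any HTTP client response (for example `dict(response.headers)`) gives a regression check that can run alongside the external scanners.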
Certificate Transparency
All TLS certificates are logged to public CT logs (RFC 6962). SCT delivery via TLS extension and OCSP stapling.
DNS CAA Records
CAA DNS records restrict which Certificate Authorities may issue certificates for bbravegatekeeper.cloud and all subdomains.
OCSP Stapling
Server-side OCSP stapling enabled, eliminating client-side revocation check latency and privacy leakage.
DANE / TLSA
TLSA records published for primary domain. DANE validation available for clients that support it.
Forward Secrecy
ECDHE key exchange on all connections. Compromise of the server private key cannot decrypt historical session recordings.
Certificate Monitoring
Automated alerting on certificate expiry and unexpected CT log entries via continuous monitoring infrastructure.
Availability & incidents
99.9% uptime. Structured incident response.
We operate a publicly visible status page and a defined priority matrix for every incident type, with committed response and resolution targets.
99.9%
Monthly uptime SLA
5 regions
Europe, Americas, Asia-Pacific, Middle East, Africa
72-hour
Critical CVE patch SLA
Compliance mapping
Mapped to the frameworks that matter
The platform generates native compliance evidence packages for each mapped framework. No third-party GRC tool required to produce audit-ready artefacts.
Compliance controls are mapped to individual platform features. Each framework view in the platform shows control status, evidence links, and gaps — updated in real time as your infrastructure changes.
Self-service resources
Everything you need, without going through sales
Download the security overview, explore the architecture, check live platform health, and review the public pentest summary — all publicly available, no sign-in required.
Security One-Pager
Printable A4 overview of deployment models, security controls, compliance frameworks, and data handling. Save as PDF directly from your browser.
Architecture & Dataflow
Layered architecture diagrams, scan pipeline dataflow, per-deployment-model topology, and encryption boundary documentation.
Datacenters
Real-time datacenter monitoring, global infrastructure health, and network performance metrics.
Pentest Summary
Public summary of the Q1 2026 independent security assessment: scope, methodology, sanitised findings, and remediation status.
Legal & compliance documentation
Documents available on request
All contractual and compliance documents are available for qualified prospects and existing customers. Response within one business day.
Data Processing Agreement
Standard GDPR Art. 28 DPA, available for review and countersigning. Covers all processing activities under the platform.
Subprocessor List
Full list of third-party processors with name, location, processing category, and applicable SCCs or adequacy basis.
Service Level Agreement
Full SLA terms including uptime measurement method, credit schedule, exclusions, and support tier definitions.
Pentest & Hardening Report
Last assessed Q1 2026. Scope: web application, REST API, and network layer. Conducted by independent third-party auditor. Full report shared under NDA.
Security
Responsible Disclosure Policy
We welcome responsible disclosure from security researchers. If you discover a vulnerability in the Gatekeeper platform, please report it to our security team. We commit to acknowledging your report within 24 hours, providing an initial assessment within 72 hours, keeping you informed of our progress, and — where applicable — publicly crediting your contribution.
We will not pursue legal action against researchers who act in good faith, do not access customer data beyond what is necessary to demonstrate the vulnerability, and provide us with reasonable time to remediate before any public disclosure.
Security reports
security@bbravegatekeeper.cloud
General enquiries
info@bbravegatekeeper.cloud
PGP key available on request via the security address above.
Get in touch
Talk to our team about your requirements
- Response within one business day
- No commitment required
- Custom demo available
No sign-up required
Explore the full platform — right now
Walk through every module with live data. No sales call, no commitment.
