For CISOs, SREs, and platform teams

Find risk. Fix it. Prove it.

Control One is the unified control plane for compliance, privileged access, threat detection, and infrastructure provisioning. One place to see your posture, one place to act on it, one record to prove control to auditors.

  • Hybrid by design · Linux, Windows, KVM, VMware, AWS, Azure
  • SOC 2 + ISO 27001 mapped · evidence-ready reports out of the box
  • Open standards · OIDC, WebAuthn, SSH certs, OTel

Built on standards your team already uses

  • OIDC
  • WebAuthn
  • SOC 2
  • ISO 27001
  • CIS
  • OpenTelemetry
  • Apache Doris
  • WireGuard

Why Control One

One platform, not seven dashboards

Most teams stitch together a SIEM, a PAM, a CMDB, a threat-intel feed, an MDM, and a half-dozen scripts. Each one ships its own dashboard, its own auth, its own gaps. Control One collapses that stack into a single control plane that talks to every host you run — bare metal, KVM, hypervisor, or cloud.

See it

Real-time posture across compliance, alerts, threats, and access. Searchable down to the command keystroke that triggered an incident.

Fix it

Author detection rules in plain language or a visual builder. Auto-remediate within change windows behind circuit breakers. Push policy live to every node in seconds.

Prove it

Tamper-evident audit trail, mapped to SOC 2 and ISO 27001 controls. Export CSV evidence for auditors in one click. Session recordings searchable by command.

Capabilities

Everything your security team needs in one place

Compliance & posture

Continuous policy evaluation across the fleet. Pre-built CIS, SOC 2, and ISO 27001 packs; customisable rules in DSL or visual blocks. Rollouts propagate live to every node — no waiting for the next pull cycle.

  • Author rules in DSL, port-monitoring, log-monitoring, or visual blocks
  • What-if simulator replays a draft against 30 days of history
  • Behavioural baselines surface drift before it becomes a finding

  // rule: only listening ports we approved
  allow port 22/tcp where labels.role == "bastion"
  deny  port 3306/tcp on public_ip
  alert severity=high if log ~ /failed login/ > 5/min
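The three rules above read naturally as a port allowlist, an explicit deny, and a rate rule over the auth log. The following is an added example, not Control One's own DSL engine: it evaluates those three rules in plain Python over a constructed host inventory and constructed log lines. The host names, labels, addresses and log contents are invented, and "public_ip" is assumed to mean any address outside RFC 1918 space (so the TEST-NET documentation ranges used here count as public). Any listening socket not matched by an allow rule is reported as a medium finding; a deny hit is high.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed host inventory (hypothetical names, labels and addresses).
HOSTS = [
    {"name": "bastion-1", "labels": {"role": "bastion"},
     "addrs": ["203.0.113.10"], "listen": [("22", "tcp")]},
    {"name": "db-1", "labels": {"role": "db"},
     "addrs": ["10.0.0.5", "203.0.113.20"], "listen": [("22", "tcp"), ("3306", "tcp")]},
    {"name": "app-1", "labels": {"role": "app"},
     "addrs": ["10.0.0.6"], "listen": [("3306", "tcp"), ("8080", "tcp")]},
]

# Constructed auth log (timestamp, host, message); six failures on db-1 inside 30 s.
LOG = """\
2024-05-01T10:00:00Z app-1 sshd[7]: Failed login for deploy from 198.51.100.3
2024-05-01T10:00:01Z db-1 sshd[9]: Failed login for root from 198.51.100.9
2024-05-01T10:00:05Z db-1 sshd[9]: Failed login for root from 198.51.100.9
2024-05-01T10:00:10Z db-1 sshd[9]: Failed login for root from 198.51.100.9
2024-05-01T10:00:15Z db-1 sshd[9]: Failed login for admin from 198.51.100.9
2024-05-01T10:00:20Z db-1 sshd[9]: Accepted publickey for ops from 10.0.0.2
2024-05-01T10:00:22Z db-1 sshd[9]: Failed login for admin from 198.51.100.9
2024-05-01T10:00:25Z db-1 sshd[9]: Failed login for admin from 198.51.100.9
2024-05-01T10:05:00Z app-1 sshd[7]: Failed login for deploy from 198.51.100.3
2024-05-01T10:10:00Z app-1 sshd[7]: Failed login for deploy from 198.51.100.3
"""

# Assumption: "public_ip" means any address outside RFC 1918 space.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in RFC1918)


def has_public_ip(host):
    return any(is_public(a) for a in host["addrs"])


def evaluate_ports(hosts):
    """Apply the allow/deny rules to every listening socket.
    Returns (host, port/proto, severity, rule) tuples for each finding."""
    findings = []
    for h in hosts:
        for port, proto in h["listen"]:
            key = f"{port}/{proto}"
            # deny port 3306/tcp on public_ip
            if key == "3306/tcp" and has_public_ip(h):
                findings.append((h["name"], key, "high", "deny 3306/tcp on public_ip"))
                continue
            # allow port 22/tcp where labels.role == "bastion"
            if key == "22/tcp" and h["labels"].get("role") == "bastion":
                continue
            findings.append((h["name"], key, "medium", "listening port not covered by an allow rule"))
    return findings


FAILED = re.compile(r"failed login", re.IGNORECASE)


def rate_alerts(log, threshold=5, window=timedelta(minutes=1)):
    """alert severity=high if log ~ /failed login/ > 5/min, as a per-host sliding
    window. Fires once per host; returns (host, count at trigger) tuples."""
    recent = defaultdict(list)
    alerts = {}
    for line in log.splitlines():
        if not FAILED.search(line):
            continue
        stamp, host = line.split()[:2]
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        recent[host] = [t for t in recent[host] if ts - t < window] + [ts]
        if len(recent[host]) > threshold and host not in alerts:
            alerts[host] = len(recent[host])
    return [(h, n) for h, n in alerts.items()]


if __name__ == "__main__":
    for finding in evaluate_ports(HOSTS):
        print("finding", *finding)
    for host, n in rate_alerts(LOG):
        print(f"alert high {host}: {n} failed logins within a minute")
```

Note that the bastion's port 22 produces nothing, db-1's port 22 is flagged because its role is not bastion, and app-1's 3306 is only a medium finding because the host has no public address; the rate rule trips on db-1 at the sixth failure and never on app-1, whose three failures are minutes apart.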

Privileged access (PAM)

Stop handing out standing root. Every privileged session is requested, time-bound, recorded, and scrubbable. Short-lived SSH certificates issued by a tenant-scoped CA the bastion holds — no shared keys, no copy-paste secrets.

  • Just-in-time access requests with approval workflow
  • Bastion SSH proxy with mTLS tunnel to the node-side enforcer
  • Session replay with command timeline and full transcript
  • Step-up MFA via TOTP and WebAuthn for the highest-risk actions

Threat intelligence + auto-block

Pull from Spamhaus, FireHOL, Tor exit lists, AbuseIPDB, AlienVault OTX, or your own honeypot dump. Operators add and remove sources without redeploys. The auto-block pipeline turns high-confidence indicators into firewall rules with a per-tenant cooldown, score floor, and allowlist guard.

  • ufw, firewalld, nftables, iptables, Windows netsh, fail2ban — auto-detected per host
  • Per-feed score floors and refresh intervals
  • Audit log of every block / suppress / rate-limit decision

  Feed status panel:
    healthy  Spamhaus DROP         1,084 indicators
    healthy  FireHOL Level 1       8,902 indicators
    warning  AbuseIPDB             auth refused
    healthy  Custom: SOC honeypot    412 indicators
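The auto-block pipeline described above has three guards between an indicator and a firewall rule: a score floor, an allowlist, and a per-tenant cooldown, with every outcome written to the audit log. The example below is an added illustration, not Control One's code, of how such a pipeline can be structured. It assumes decisions are one of block, suppress and rate-limit (the page's three audit outcomes), maps a cooldown hit to rate-limit, collapses the same IP seen in several feeds to its highest score, and renders the block as a command for the host's detected backend. The tenant policy values, indicator list, timestamps and the nftables table/set and netsh rule names are assumptions; the commands are returned as strings, not executed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class TenantPolicy:
    score_floor: int = 80                                 # below this: never block
    cooldown_s: int = 3600                                # one block per IP per window
    allowlist: tuple = ("10.0.0.0/8", "203.0.113.0/24")   # hypothetical tenant allowlist


@dataclass(frozen=True)
class Indicator:
    ip: str
    score: int        # 0..100 confidence from the feed's scoring
    source: str


def block_command(backend, ip):
    """Render a block for the backend detected on the host.
    Table/set/rule names (filter, blocklist, c1-block-*) are assumptions."""
    return {
        "nftables": f"nft add element inet filter blocklist {{ {ip} }}",
        "ufw": f"ufw insert 1 deny from {ip} to any",
        "firewalld": f"firewall-cmd --add-rich-rule='rule family=ipv4 source address={ip} drop'",
        "iptables": f"iptables -I INPUT -s {ip} -j DROP",
        "netsh": f'netsh advfirewall firewall add rule name="c1-block-{ip}" dir=in action=block remoteip={ip}',
    }[backend]


def decide(indicators, policy, last_blocked, now, backend="nftables"):
    """Run the guards over a batch of indicators.
    Returns (audit, commands): audit is a list of (ip, decision, reason);
    last_blocked (ip -> epoch seconds) is updated in place for new blocks."""
    allow = [ip_network(n) for n in policy.allowlist]
    best = {}                                   # highest score per IP across feeds
    for ind in indicators:
        if ind.ip not in best or ind.score > best[ind.ip].score:
            best[ind.ip] = ind
    audit, commands = [], []
    for ip, ind in sorted(best.items()):
        addr = ip_address(ip)
        if any(addr in n for n in allow):       # allowlist guard wins over everything
            audit.append((ip, "suppress", "allowlisted"))
        elif ind.score < policy.score_floor:    # score floor
            audit.append((ip, "suppress", f"score {ind.score} below floor {policy.score_floor}"))
        elif now - last_blocked.get(ip, -10**9) < policy.cooldown_s:   # cooldown
            audit.append((ip, "rate-limit", "within cooldown"))
        else:
            last_blocked[ip] = now
            audit.append((ip, "block", f"{ind.source} score {ind.score}"))
            commands.append(block_command(backend, ip))
    return audit, commands


# Constructed batch: duplicate across feeds, low score, allowlisted, in cooldown, cooldown expired.
NOW = 1_714_560_000
FEED = [
    Indicator("198.51.100.7", 95, "Spamhaus DROP"),
    Indicator("198.51.100.7", 60, "honeypot"),
    Indicator("198.51.100.8", 40, "honeypot"),
    Indicator("203.0.113.5", 99, "FireHOL"),
    Indicator("198.51.100.9", 90, "OTX"),
    Indicator("192.0.2.1", 85, "OTX"),
]
STATE = {"198.51.100.9": NOW - 600, "192.0.2.1": NOW - 7200}


def run_sample(backend="nftables"):
    state = dict(STATE)
    return decide(FEED, TenantPolicy(), state, NOW, backend)


if __name__ == "__main__":
    audit, commands = run_sample()
    for entry in audit:
        print("audit", *entry)
    for cmd in commands:
        print("would run:", cmd)
```

Order matters: the allowlist is checked first so a high-scoring indicator inside your own ranges is suppressed rather than rate-limited, and the cooldown is checked last so the audit trail shows why an IP was not re-blocked rather than merely that it was skipped.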

Infrastructure provisioning

Spin up nodes on KVM, VMware, AWS, or Azure with a single template. Fleet enrol existing hosts via SSH in bulk, watching each one walk the gate. Cluster lifecycle, change windows, and circuit breakers prevent half-finished rollouts from cascading.

  • Multi-host hypervisor adapters with stored credentials per datacenter
  • Cloud-init for KVM, customisation specs for VMware, UserData for AWS / Azure
  • Air-gapped offline bundle for hosts that must not see the public internet

  $ controlone fleet enrol \
      --tenant prod \
      --token $ENROL \
      --targets hosts.txt

  → 24 hosts queued
  → 22 healthy · 2 awaiting first scan

Observability built for scale

Apache Doris is the analytic backbone. Millions of events per day, exact unique counts via BITMAP, partitioned daily for fast retention. Export to Loki or Elasticsearch when you want a single pane across teams. OpenTelemetry traces every request end-to-end.

  • Inverted index over log messages — sub-second free-text search
  • Cold archival to any S3-compatible bucket on TTL
  • Grafana dashboards for posture, queue depth, and remediation success

How it works

One installer. Every host.

  1. Bootstrap the control plane

     Deploy via Docker, Kubernetes, or the offline bundle. Bring your own Postgres + Redis or use the embedded ones.

  2. Enrol your hosts

     One-line installer for Ubuntu, Debian, RHEL, Rocky, Alma, Fedora, SUSE, Alpine, and Windows. Or bulk-enrol over SSH.

  3. Set posture, ship rules

     Pick a policy pack or author your own. Promote, simulate, roll out — every node sees the change in seconds via SSE.

  4. Prove it to auditors

     Schedule CSV reports, hand over session recordings, point at the audit trail. Done in an afternoon.

Security & trust

Built like infrastructure security teams expect

Zero standing privilege

Every privileged session is JIT and time-bound. SSH certs are signed by a tenant CA and expire in minutes.

Encrypted at rest

AES-256-GCM on every credential, API key, and SSH CA private key. Operator never sees plaintext after save.

Step-up MFA

TOTP and WebAuthn (FIDO2) for the highest-risk actions: rotate CA, approve change-window override, delete tenant.

Tamper-evident audit

Append-only audit log with actor, target, action, and metadata. Mapped to SOC 2 CC and ISO 27001 controls.

WireGuard mesh

Optional encrypted overlay between control plane and nodes. Bastion never traverses the public internet.

Open formats

tlog session recordings, OpenTelemetry traces, OIDC auth, standard SSH certs. No proprietary lock-in.

Air-gap ready

Self-contained install bundle. Offline threat-feed mirroring. No phone-home telemetry without consent.

RBAC & multi-tenant

Role-based access at the page, route, and action level. Tenants are isolated from the database up.

Who it's for

Different teams, same control plane

For the CISO

One number on the board: how compliant are we, right now? Evidence packs that hand auditors what they want without engineering time. SOC 2 in weeks, not quarters.

For the SRE / DevOps lead

A single tool that knows about every host, every cluster, every rule. Visual rule builder for newcomers; YAML and API for automation pipelines. Open standards, no vendor lock-in.

For the sysadmin

Bulk enrol existing fleets over SSH. Distro-aware installer that respects your init system. Every host firewall — ufw, firewalld, iptables, Windows — speaks one API.

Pricing

Pick a tier. Switch any time.

Starter

For teams < 50 hosts

£0 · self-hosted

  • Up to 50 hosts
  • Compliance + posture
  • Threat intel feeds
  • Single tenant
  • Community support
Get started

Enterprise

For regulated estates

Custom

  • Air-gapped deployment
  • BYO Postgres / Redis / Doris
  • WireGuard mesh + bastion proxy
  • FedRAMP / IRAP scoping
  • Named TAM, 24×7 SLA
Talk to sales

FAQ

Questions we get asked a lot

Does Control One replace my SIEM?

It can. The Apache Doris backbone handles millions of events per day with exact-distinct counts and free-text search. If you already have Splunk, Loki, or Elastic, the log forwarder ships events out without losing the local view.

Where does the data live?

Wherever you put it. Self-hosted by default — Postgres for transactional state, Doris for events, S3-compatible cold archival for retention. We never see customer data on the standard plans.

What about Windows hosts?

Native Windows Service via SCM, signed PowerShell installer, netsh advfirewall integration, and Sysmon log ingestion. The same rules apply across the fleet.

Can I bring my own threat-intel feeds?

Yes. The threat-sources page accepts any URL serving a line list or Spamhaus-format payload. Paste a SOC honeypot dump, a partner share, or a paid commercial feed — same UI, same scoring.
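Both formats the answer mentions are simple but not identical: a line list carries one address or CIDR per line with `#` comments, while the Spamhaus DROP text format uses `;` for header lines and trails each network with an SBL reference. The example below is an added illustration, not Control One's own feed ingester, of parsing either format into deduplicated networks, rejecting malformed lines instead of failing the whole feed, and deriving a healthy/warning status like the feed panel shows. The sample payloads are constructed (documentation ranges, invented SBL numbers), and the 10% reject threshold for "warning" is an assumption.

```python
import re
from ipaddress import ip_network

# Constructed Spamhaus-format payload (header comments use ';', entries trail an SBL id).
SPAMHAUS_SAMPLE = """\
; Spamhaus DROP List 2024/05/01 - (c) 2024 The Spamhaus Project
; https://www.spamhaus.org/drop/drop.txt
; Last-Modified: Wed, 01 May 2024 00:00:00 GMT
198.51.100.0/24 ; SBL000001
203.0.113.0/24 ; SBL000002
203.0.113.0/24 ; SBL000002
"""

# Constructed line list, e.g. a SOC honeypot dump: one address per line, '#' comments.
LINELIST_SAMPLE = """\
# honeypot hits, exported 2024-05-01
192.0.2.17
192.0.2.18/32
198.51.100.7   # seen twice, comment trails the address
not-an-ip
192.0.2.17
"""


def parse_feed(text):
    """Parse a line list or Spamhaus-format payload.
    Returns (entries, rejected, accepted): entries maps CIDR -> SBL reference
    (None when the line carries no SBL id), rejected lists unparseable lines,
    accepted counts parsed lines before deduplication."""
    entries, rejected, accepted = {}, [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                  # blank or full-line comment
        parts = re.split(r"[;#]", line, maxsplit=1)   # split off a trailing comment/ref
        body = parts[0].strip()
        ref = parts[1].strip() if len(parts) > 1 else ""
        try:
            net = ip_network(body, strict=False)      # bare IPs become /32 (or /128)
        except ValueError:
            rejected.append(line)
            continue
        accepted += 1
        entries.setdefault(str(net), ref if ref.startswith("SBL") else None)
    return entries, rejected, accepted


def feed_health(text, max_reject_ratio=0.1):
    """Mirror the feed panel: ('healthy'|'warning', unique indicator count).
    An empty feed or too many rejected lines is a warning, not a silent success."""
    entries, rejected, accepted = parse_feed(text)
    total = accepted + len(rejected)
    if total == 0 or len(rejected) / total > max_reject_ratio:
        return ("warning", len(entries))
    return ("healthy", len(entries))


if __name__ == "__main__":
    for name, payload in (("Spamhaus DROP", SPAMHAUS_SAMPLE), ("Custom: SOC honeypot", LINELIST_SAMPLE)):
        status, count = feed_health(payload)
        print(f"{status:8} {name:22} {count} indicators")
```

The honeypot sample comes back as a warning because one of its five candidate lines is garbage, which is the behaviour you want from an operator-editable source: the three good indicators still load, and the panel tells you to look at the feed.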

What does air-gap actually mean here?

One tarball, no outbound calls. The offline bundle script ships every binary, migration, and threat-feed mirror you need. The included docker-compose runs Postgres, Redis, the control plane, and the operator console with no internet egress.

Get a demo

See your fleet in 30 minutes.

We'll spin up a sandbox with synthetic data, walk through compliance, PAM, threat intel, and rule rollout, and answer the questions your team needs answered before a buy.