Everything your security team needs,
on infrastructure your compliance team controls.

Your compliance team needs AI governance, and on-prem deployment.
Your security team needs automated reporting, remediation tracking, and a battle-tested platform.
Dradis delivers both.

  • LDAP/SAML/SSO + MFA - strong authentication for every user.
  • Granular access controls - only people who need access to projects and findings get it.
  • End-to-end audit logging - prove who changed what, and when, for every engagement.
  • Supports compliance with - FISMA, GDPR, HIPAA, NIS2, NIST 800-53, PCI-DSS, SOX, SOC 2.
  • Breeze through Procurement - Vendor onboarding, POs, payment terms, etc.

Every enterprise control, in one self-hosted platform

Authentication& Access

  • LDAP / Active Directory
  • Okta, Entra ID, SAML
  • Built-in MFA enforcement
  • Role-based access control

Compliance & Audit

Support & SLA

  • Dedicated success manager
  • Priority support with SLA
  • Done-for-you upgrades
  • Unlimited screen-share sessions

Enterprise Procurement

  • Pay by PO, NET30 terms
  • Vendor onboarding forms
  • Optional NDA

Perfect for Teams Working In Regulated Industries

If your pentests involve government contracts, financial data, or healthcare systems
- your tools need to meet the same compliance standards as your clients.

Without Enterprise-Grade Controls, You Risk:

  • Failing client security assessments due to missing audit logs
  • Losing government contracts that require NIST 800-53 compliance
  • PCI-DSS violations if you can't prove MFA enforcement
  • HIPAA penalties for inadequate access controls and audit trails
  • Blocked procurement because your tool doesn't integrate with enterprise SSO

Enterprise Delivers What Auditors Need:

  • SAML/LDAP/Okta integration - satisfy IA-2 (NIST) and PCI-DSS 8.3
  • Mandatory MFA enforcement - meet multi-factor requirements across frameworks
  • Complete audit logging - prove who accessed what, when (HIPAA 164.312(b), NIST AU-2)
  • Role-based access controls - demonstrate least privilege (NIST AC-6, SOX ITGC)
  • Self-hosted deployment - keep sensitive data behind your firewall

Every control your security review will ask for

Walk into your security review with an answer for every question on their checklist.

Enterprise

Remediate

Assess

Authentication and Identity
MFA with Azure
LDAP / Active Directory / Entra ID
Okta
SAML
Audit Logging
Support
Screen-share Troubleshooting 10 sessions/month 1 session/month 1 session/month
Done-for-your Upgrades
Priority Support
Vendor onboarding forms / portal
Pay by PO
Payment terms NET30 No No
Minor EULA tweaks
Optional NDA
Seats included 5 users 1 user 1 user
Get a Quote

Trusted by Security Teams Worldwide

More than 1,179 InfoSec teams in 81 countries have simplified their workflow with Dradis since 2007.

Enterprise SSO & MFA Out of the Box

Authenticate users through your existing identity provider - LDAP, Active Directory, SAML, Okta, Azure AD - no workarounds required.

Azure MultiFactor authentication logo

Azure

Azure Identity Platform and Authentication

LDAP logo

LDAP

Manage users with Active Directory or other directory services

Okta logo

Okta

Identity Management and Secure Single Sign On (SS0)

SAML logo

SAML

Secure authentication with SAML

Built-in Multi-Factor Authentication

Enforce OTP-based MFA across your entire instance - no third-party integrations required

Secure every account. Admins can enforce instance-wide MFA, and users get QR code setup with backup codes for easy onboarding.

  • Easy setup with QR codes - scan with your authenticator app, get backup codes instantly
  • Enforce MFA - protect password changes and admin functions
  • Instance-wide enforcement - admins can require MFA for all users from the console
  • Works with any OTP app - Google Authenticator, Authy, 1Password, and more
QR code setup screen for multi-factor authentication in Dradis

Self-Hosted, Behind Your Firewall

Keep sensitive pentest data on-premise or in your private cloud.
Complete control over deployment, integrations, and upgrades - with no internet connectivity required.

  • Meet data security requirements: comply with regulations that require on-premise or private cloud hosting
  • Integrate with internal systems: connect to LDAP, Active Directory, and proprietary tools via API
  • Air-gapped operation: deploy and upgrade without internet connectivity
  • Your assessment history is permanent and stays yours: it doesn't disappear when a vendor changes pricing, gets acquired, or sunsets features.
  • Your infrastructure, your rules: deploy on physical servers, VMs, or private cloud (AWS, Azure, GCP)
On-Premises Private Cloud Air-Gapped AWS Azure GCP
Deploy anywhere. Your data, your infrastructure, your control.

Audit Logging for Regulatory Compliance

Prove who changed what, when. Complete audit trails that satisfy FISMA, SOC 2, and internal compliance requirements

Track every critical action across your Dradis instance - project access, permission changes, user activity, and authentication events - with exportable logs and configurable retention.

  • Complete project activity logs - creation, edits, exports, and deletions
  • Permission and access tracking - know exactly who accessed what, and when
  • Export to CSV - for compliance reports, incident response, or archiving
  • Dedicated audit log UI - query and filter logs without accessing production data
Screenshot of the Dradis Audit Log interface showing filterable activity timeline

Enterprise-Grade Security & Control

Built by security experts, integrated with your IT infrastructure, and designed to pass audits, without slowing down your team.

Security & Compliance Built In

  • Developed by the authors of the UK CPNI guide on secure web applications
  • Peer-reviewed and security-assessed before every release
  • Automated vulnerability scanning in CI/CD pipeline
  • Full-disk encryption for data at rest
  • Integrate with LDAP / Active Directory for password policy enforcement
  • Multi-factor authentication via Duo, Azure MFA, or built-in OTP

Deployment & Access Control You Own

  • Role-Based Access Control (RBAC) - assign permissions by role
  • Project-level permissions - users only see their assigned engagements
  • Sync with your identity provider - LDAP, AD, or SAML
  • Upgrade on your schedule - no forced updates or downtime windows
  • Test in staging first - validate changes before production
  • Air-gapped upgrades - no internet connection required
  • Secure SSH management - no web admin panel needed

Priority Support & Enterprise Procurement

White-glove support and flexible procurement terms designed for enterprise buyers

Priority Support Package

Get direct access to our engineering team with guaranteed response times and hands-on assistance for deployment, upgrades, and troubleshooting.

  • Dedicated success manager - your single point of contact
  • Service Level Agreement (SLA) - guaranteed response times for critical issues
  • Done-for-you configuration & upgrades - we handle the technical work
  • Unlimited screen-share troubleshooting - get live help when you need it
  • 98% GREAT ratings since 2020 - see our Happiness Report

All Enterprise customers also get: email and in-app support, access to community forums, and weekday chat support with our engineering team.

Enterprise Procurement Made Easy

We work with your procurement process - not against it. Get the contract terms and payment flexibility your organization requires.

  • Pay by PO with NET30 terms - no credit card required
  • Vendor onboarding forms and portals
  • Custom contract terms - annual, multi-year, or custom agreements
  • Optional NDA - we can sign yours or provide our standard agreement
  • Minor EULA adjustments - work with your legal team on specific requirements

Need something else? We're flexible. Talk to our team about custom procurement requirements.

Frequently Asked Questions

The questions your IT, security, legal, and procurement teams raise during evaluation

Dradis is self-hosted: it runs on your on-premises servers, your private cloud account (AWS, Azure, or GCP), or a fully air-gapped network with no internet connection. There are no external calls and no vendor cloud dependency, so the platform functions completely offline.

Upgrades happen on your schedule, not ours. You can test a release in staging before production, and Enterprise customers can have our team handle configuration and upgrades for them. Air-gapped instances upgrade without an internet connection.

See the deployment guides for on-premises, private cloud, and air-gapped setups.

Dradis keeps a complete audit trail of critical actions across your instance (project access, permission changes, user activity, and authentication events) with a dedicated audit log UI for querying and CSV export for compliance reporting or archiving. In practice, audit logging evidence alone is usually enough to clear an internal security review.

On the platform side, Dradis is peer-reviewed and security-assessed before every release, runs automated vulnerability scanning in its CI/CD pipeline, and is built by the authors of the UK CPNI guide on secure web applications.

Because the core is open-source, your team can inspect exactly how it works rather than taking our word for it.

Your engagement data never leaves the infrastructure you control. No finding, screenshot, client name, or AI-assisted write-up is transmitted to us or any third party, which keeps assessment data inside your compliance boundary.

This directly supports requirements under FISMA, GDPR, HIPAA, NIS2, NIST 800-53, PCI-DSS, SOX, and SOC 2, where data residency or controlled-infrastructure rules would otherwise disqualify a multi-tenant cloud tool.

This is the one thing a cloud SaaS competitor cannot match: a hosted platform, by definition, sends your data to infrastructure the vendor controls.

Yes. Enterprise supports payment by purchase order with NET30 terms (no credit card required), vendor onboarding forms and portals, and annual, multi-year, or custom agreements.

We can sign your NDA or provide our standard one, and we work with your legal team on minor EULA adjustments for specific requirements. There are no per-seat minimums until the Enterprise tier, so procurement has an accessible entry point even within a cautious approval process.

If you need something we have not listed, talk to our team about custom procurement requirements or request a quote.

Dradis authenticates users through your existing identity provider (LDAP or Active Directory, SAML, Okta, or Entra ID) with no workarounds required.

Admins can enforce OTP-based multi-factor authentication instance-wide from the console, and MFA works with any OTP app (Google Authenticator, Authy, 1Password) or with Duo and Azure MFA. Access is governed by role-based access control and project-level permissions, so users only see the engagements they are assigned to.

Together this satisfies the authentication and least-privilege controls auditors look for under NIST IA-2, PCI-DSS 8.3, and similar frameworks.

Ready to see how Dradis will help your team deliver consistent and accurate findings faster?

What to expect from the Dradis team

  • Free onboarding support and training for your team. We offer personalized training sessions to get your team up and running quickly and efficiently.
  • 30-day money-back guarantee. If the platform doesn't meet your expectations, we offer a complete refund. No questions asked.
  • Industry-leading retention. 9 out of 10 teams who try Dradis are actively using it after a year.
Screenshot of Dradis Project Summary page showing Issues, Team, and Methodology progress

Seven Strategies To Differentiate Your Cybersecurity Consultancy

You don’t need to reinvent the wheel to stand out from other cybersecurity consultancies. Often, it's about doing the simple things better, and clearly communicating what sets you apart.

  • Tell your story better
  • Improve your testimonials and case studies
  • Build strategic partnerships

Loading form...

Your email is kept private. We don't do the spam thing.