What is a Device Trust Platform?

A Device Trust Platform is a security layer that continuously verifies the security posture of endpoint devices before granting access to corporate resources. Unlike siloed EDR, MDM, or identity tools, a Device Trust Platform combines device posture monitoring, endpoint compliance, and Zero Trust access signals into a single solution. Lorika performs 210+ checks across 13 categories on macOS, Windows, and Linux to determine whether a device can be trusted.

Lorika is a Device Trust Platform that runs 210+ automated security checks on macOS, Windows, and Linux devices. It calculates a real-time Security Score, maps findings to 18 compliance frameworks (CIS Controls v8.1, NIST 800-53, NIST CSF 2.0, NIST 800-171, ISO 27001, SOC 2, PCI DSS v4.0, NIS2, CMMC, UK Cyber Essentials, AU Essential Eight, SG Cyber Essentials, DORA, EU CRA, NBU №143, NBU №95, ДССЗЗІ №75), and scans every installed package for CVE vulnerabilities.

Yes. Lorika is free forever for personal use — up to 10 devices with full access to 210+ checks, 18 compliance frameworks, CVE scanning, and 90-day scan history. No credit card required.

How is Lorika different from an MDM or EDR?

MDM tools manage and control devices (wipe, install apps). EDR tools detect and respond to threats in real time. Lorika focuses on security posture — continuously auditing device configuration against security benchmarks and compliance frameworks. It is lighter, privacy-friendlier, and works without invasive MDM permissions.

Does Lorika work without MDM?

Yes. Lorika's desktop agent (macOS, Windows, Linux) requires no MDM. The upcoming mobile agent for iOS and Android is designed as a read-only advisor with no MDM permissions — BYOD-friendly and privacy-first.

Which compliance frameworks does Lorika support?

Lorika supports CIS Level 1, NIST 800-53, ISO 27001, SOC 2 Type II, PCI DSS v4.0, NBU Resolution №143 (non-banking financial providers), NBU Resolution №95 (banks), and SSSCIP Order №75 (critical infrastructure operators) out of the box, with a custom framework builder available in the dashboard.

What operating systems does Lorika support?

Lorika supports macOS 12 Monterey and later (Apple Silicon and Intel), Windows 10 (1903+) and Windows Server 2019+, and Linux distributions including Ubuntu 20.04+, Debian 10+, RHEL 8+, and Fedora 38+, on both x86_64 and ARM64 architectures.

How does Lorika detect vulnerabilities?

Lorika inventories all installed packages on a device and cross-references them against the OSV.dev CVE database. It shows severity tiers (Critical, High, Medium, Low), fix availability, and a per-device CVE timeline.

Can Lorika integrate with Okta or Azure AD?

Conditional Access integration with Okta, Google Workspace, JumpCloud, and Azure AD is on the roadmap for Phase 3. It will block device access when the Security Score drops below a configured threshold.

How to check if my Mac is secure?

Install the free Lorika agent on your Mac. It runs 210+ security checks covering firewall status, disk encryption (FileVault), password policy, SSH hardening, OS updates, screen lock, antivirus presence, and more. You get a real-time Security Score (0–100) and specific recommendations to fix any issues found.

Lorika — Device Trust Platform for Zero Trust Security | Verify Device Posture Before Access

210+ Security Checks

Auth, Network, Filesystem, Kernel, Software, Services, SSH, Audit — across macOS, Windows, and Linux. Continuous device security posture assessment.

18 Compliance Frameworks

CIS Controls v8.1, NIST 800-53, NIST CSF 2.0, ISO 27001, SOC 2, PCI DSS v4.0, NIS2, CMMC, DORA, EU CRA, and more. With custom framework builder.

Software Inventory

Full package list via dpkg, rpm, apk, pacman, brew. Searchable. Tracked per scan for change detection.

Delta Scans

Agent caches previous results and only sends changed checks. ~90% bandwidth reduction on repeat scans.

Multi-Provider SSO

Sign in with Google Workspace or personal Gmail. Token rotation on every refresh. 30-minute idle auto-logout.

Multi-Tenant Orgs

Corporate domains auto-create organisations. Join by invite code or admin email. RBAC (admin/member).

Resource Monitoring

CPU, RAM, disk usage per device. Historical tracking. Infrastructure health dashboard (API, DB, Redis status).

Silent Auto-Update

Agent updates itself on startup + every 6 hours. SHA-256 verified. Zero downtime, zero user interaction.

i18n + Geo-IP

Dashboard in English + Ukrainian. Device country detection via Cloudflare. Real client IP behind proxies.

Vulnerability Scanning

Every installed package is matched against OSV.dev CVE databases. Severity breakdown (Critical/High/Medium/Low), fix availability tracking, per-device CVE timeline.

Network & Services Discovery

Open port scanning, exposed service detection (20+ dangerous services), NAT detection, and external reachability verification.

Automated Fleet Lifecycle

Stale agents auto-deactivated after 30 days. Inactive accounts get email warnings before cleanup. Zero manual fleet maintenance.

1

Sign up & install

Create a free account. Your personalised install command is waiting in the dashboard — one line, unique to your organisation. Paste it, and the agent enrols automatically.

→

2

Agent runs silently

Lorika runs 210+ security checks with a three-timer architecture: quick scans every 15 min, full scans every 60 min. HMAC-signed payloads, delta compression, zero CPU overhead.

→

3

See your Security Score

Open the dashboard to see your live score, compliance status across 18 frameworks, per-device drill-down, and trend history.

🔒

Auth & Access Control

Password policy enforcement
SSH hardening (root login, key auth)
Brute-force protection (fail2ban)
NOPASSWD sudoers detection
MFA/2FA enforcement
Admin group audit

🌐

Network Security

Firewall status
Risky open ports detection
Dangerous exposed services (Redis, MongoDB, SMB, RDP + 17 more)
DNS-over-TLS & NTP config

💾

Filesystem Security

Disk encryption (FileVault / LUKS / BitLocker)
World-writable files
SUID/SGID binaries
Home directory permissions
Sensitive file permissions

⚙️

Kernel & Hardening

ASLR, NX/DEP, SIP (macOS)
Secure Boot verification
SELinux / AppArmor status
Core dump disabled
Kernel module blacklist

📦

Software & Patches

Pending OS updates
Unattended upgrades config
EOL OS detection
Pending kernel reboot
Untrusted package repos

🖥️

Services & Docker

Screen lock timeout
Antivirus / EDR presence
Docker daemon not on TCP
Docker privileged containers
Docker Content Trust

🔑

SSH Hardening

PermitRootLogin disabled
PasswordAuth disabled
MaxAuthTries limit
AllowTcpForwarding
ClientAliveInterval

📝

Audit & Logging

auditd running
Log retention policy
Syslog configured
Privileged command audit rules

CIS L1

CIS Level 1

Essential security hygiene benchmarks. Practical baseline for all workstations and servers.

NIST

NIST 800-53

US federal security controls baseline. Required for government contractors and FedRAMP.

ISO

ISO 27001

International ISMS standard. Map endpoint controls to your ISO 27001 certification requirements.

SOC 2

SOC 2 Type II

Automated endpoint evidence collection for SOC 2 audits. Every check mapped to SOC 2 controls — export a report when your auditor asks.

PCI

PCI DSS v4.0

Payment card industry data security. Continuous endpoint compliance for cardholder environments.

НБУ

NBU Resolution №143

Information security requirements for non-banking financial service providers regulated by NBU. 16 controls covering authentication, passwords, logging, network security, and OS hardening.

НБУ

NBU Resolution №95

Information security requirements for banks regulated by the National Bank of Ukraine. 18 controls covering MFA, account lockout, encryption, antivirus, network segmentation, and workstation hardening.

ДССЗЗІ

SSSCIP Order №75

Catalog of Cybersecurity Measures for critical infrastructure operators (NIST CSF 2.0). 14 controls covering identity management, data protection, platform security, network resilience, and continuous monitoring.

Continuous SOC 2 compliance. Without the spreadsheet chaos.

Automated evidence collection on every device, every day.

SOC 2 Type II requires ongoing evidence that your endpoints are secure — not just at audit time. Lorika maps every security check to SOC 2 controls and collects evidence automatically. When your auditor asks, you export a report. That’s it.

Need a custom framework? Build your own in the dashboard with custom control mappings.

View compliance dashboard →

✓ Phase 1 · Live Now

🛡️

The Auditor — Security Foundation

Know what’s wrong. Prove what’s right.

210+ security checks, 18 compliance frameworks, delta scans, software inventory, resource monitoring, multi-provider SSO (Google, Microsoft, GitHub, X, Apple), multi-tenant organisations, guided onboarding, and a full dashboard — deployed and running.

210+ checks across 13 categories (macOS/Win/Linux)
18 frameworks: CIS, NIST, ISO, SOC 2, PCI DSS, NIS2, DORA & more
Token rotation & 30-min idle timeout
Infrastructure health monitoring
Automated fleet lifecycle management

✓ Phase 2 · Partial

🔬

The Analyst — Vulnerability & Risk Intelligence

More than auditing — continuous risk control.

Every installed package is cross-referenced against OSV.dev vulnerability databases. Severity breakdown, fix availability tracking, fleet vulnerability dashboard, and exposed services detection — deployed and running.

✓ CVE matching against OSV.dev feeds
✓ Severity tiers (Critical/High/Medium/Low)
✓ Fix availability tracking
✓ Network services & NAT detection
Coming: Security Risk Score (CVSS + CIS deviation)
Coming: SIEM export to Elastic/Splunk

Coming · Phase 2

🔧

Active Remediation

Don’t just detect — fix automatically.

In paid tiers, the agent applies security fixes: enable firewalls, harden SSH, configure screen lock, deploy unattended upgrades. All actions logged, admin-approved, with dry-run preview.

One-click fix for detected issues
Admin approval workflow
Dry-run preview before apply
Full audit trail of all changes

Coming · Phase 3 · The Controller

🔑

Adaptive Conditional Access

Trust, but verify the device state.

Integrate with your Identity Provider. If a device’s Risk Score drops below the threshold — access to corporate systems is blocked until issues are resolved.

Okta, Google Workspace, JumpCloud, Azure AD
Three-tier trust: compliant / limited / blocked
Real-time enforcement on score change
Automatic access restoration after fix

Coming · Phase 3

📱

Mobile Agent — Read-Only Advisor

BYOD-friendly. Privacy-first. No MDM required.

A lightweight iOS & Android app that checks device security (OS version, passcode, encryption, jailbreak) and calculates a Security Score — without invasive MDM permissions. Non-compliant devices are blocked from corporate resources via Conditional Access.

No wipe, no surveillance — advisory only
Standard App Store / Google Play distribution
Push notifications with remediation guidance
Conditional Access enforcement (Okta/Google)

Coming · Phase 3

☁️

Cloud & SaaS Security (CSPM)

Protection beyond the perimeter.

Automatic audit of cloud service configurations: AWS, Azure, GCP, and Google Workspace. Detect open S3 buckets, excessive IAM permissions, and non-compliance — no agents needed in the cloud.

AWS, Azure, GCP, Google Workspace checks
Open storage & IAM overpermission alerts
Compliance mapping to CIS, SOC 2, PCI DSS
Scheduled & on-demand cloud scans

Coming · Phase 4 · The Guardian

🔒

ZTNA & Endpoint Defense

Zero Trust from agent to resource.

The agent evolves into a network access gateway. Every connection is verified against the device’s live Risk Score, with EDR integration and DNS filtering for malicious domains.

ZTNA — per-connection trust verification
EDR integration (Elastic/Endgame)
DNS filtering & domain blocking
Real-time anomaly detection

Coming · Phase 5 · The Ecosystem

🏢

IT Lifecycle & HRM

Single window for IT and HR.

From laptop issuance to digital offboarding checklist. Manage IT budgets, track licence costs, and automate identity lifecycle — all integrated with device security data.

IT asset registry with financial tracking
Software licence utilisation reports
Onboarding / offboarding automation
NFC badge + Geo-fencing mobile access

👤

Personal

Understand how secure your own devices are. Free forever, up to 10 devices. Live Security Score with email alerts.

Free plan →

💼

Corporate Fleet

Manage hundreds of employee devices from one dashboard. Enforce security policies, automate patching, integrate with Okta or Google Workspace.

Contact sales →

📱

BYOD / Remote Teams

Let employees use personal devices safely. The mobile Read-Only Advisor checks security without invasive MDM permissions — blocking non-compliant devices from corporate resources.

Coming soon →

🛡️

Cyber Insurance

Use Security Score as objective evidence for policy pricing. Continuous monitoring replaces point-in-time assessments.

Contact us →

🏦

Banking & Fintech

Surface endpoint security in client-bank sessions. Use the score as a signal for suspicious payment detection and step-up authentication.

Contact us →

📊

Compliance & Audit

Map device checks to CIS, NIST, ISO 27001, SOC 2, PCI DSS. Continuous evidence collection. Export reports for auditors.

View frameworks →

Personal

Free forever

✓ Up to 10 devices
✓ 210+ security checks
✓ 18 compliance frameworks
✓ Vulnerability scanning (CVE)
✓ Software inventory
✓ Network services discovery
✓ Multi-provider SSO
✓ Threat Landscape & kill chain analysis
✓ 90-day scan history
✗ AI recommendations
✗ Maturity assessment
✗ Remediation actions

Get started

Popular

Business

€4 / device / month

✓ Up to 100 devices
✓ Everything in Personal
✓ AI-powered security recommendations
✓ Cybersecurity maturity assessment & roadmap
✓ Industry benchmarking (29 industries)
✓ Active remediation
✓ CVE matching & Risk Score
✓ Team management (RBAC) — 3 admins
✓ Score sharing API & webhooks
✓ 1-year scan history
✓ Priority email support (48h)
✗ SIEM / Jira integrations
✗ Conditional Access

Get started

Enterprise

Custom pricing

✓ Unlimited devices
✓ Everything in Business
✓ SIEM integration (Splunk, Elastic, Sentinel)
✓ Jira / ServiceNow auto-ticketing
✓ Slack & Teams native alerts
✓ Advanced RBAC (Admin / Auditor / Viewer / Device Manager)
✓ SSO (SAML / OIDC)
✓ Conditional Access (Okta / Azure AD)
✓ CSPM (AWS / GCP / Azure)
✓ Full REST API
✓ 2-year scan history + custom retention
✓ Audit log (1 year + export)
✓ Custom compliance frameworks
✓ White-label reports
✓ Dedicated support & SLA (99.9%, 4h response)

Contact sales

Why upgrade?

Personal → Business

→ AI recommendations — not just “what’s broken”, but “what to do and why”
→ Maturity roadmap — demonstrate progress to leadership and auditors
→ Industry benchmarking — compare your posture against peers in your sector
→ More than 10 devices
→ Active remediation — fix issues in one click

Business → Enterprise

→ SIEM integration — Lorika becomes part of your SOC ecosystem
→ Jira / ServiceNow — auto-create tickets from AI recommendations
→ Advanced RBAC — CISO sees everything, IT admin sees their devices, auditor gets read-only
→ SSO (SAML / OIDC) — mandatory for enterprise procurement
→ Full API — automation, custom dashboards, internal integrations
→ SLA + priority support — for companies where downtime = money

macOS

Apple Silicon (M1 / M2 / M3 / M4) & Intel

macOS 12 Monterey or later

Windows

x64 architecture

Windows 10 (1903+) or Server 2019+

Linux

x86_64 & ARM64 (aarch64)

Ubuntu 20.04+, Debian 10+, RHEL 8+, Fedora 38+

Go to dashboard for install command →

HMAC-SHA256 signed payloads

Every scan result is cryptographically signed with the device token. Tampered payloads are rejected.

Token rotation

Refresh tokens carry a version claim. Each refresh increments the version. Logout invalidates all sessions instantly.

Binary integrity

SHA-256 checksums verify agent binaries before installation and every auto-update cycle.

Cloudflare proxy

Server IP hidden behind Cloudflare. All DNS records proxied. Real client IP extracted via CF-Connecting-IP header.

Idle timeout

30-minute inactivity auto-logout. Activity tracked across all API interactions.

Zero secrets in code

All credentials via environment variables. Device tokens stored as SHA-256 hashes. Enrolment tokens expire in 24h, single-use.

Know your security posture — always.

What’s working today

210+ Security Checks

18 Compliance Frameworks

Software Inventory

Delta Scans

Multi-Provider SSO

Multi-Tenant Orgs

Resource Monitoring

Silent Auto-Update

i18n + Geo-IP

Vulnerability Scanning

Network & Services Discovery

Automated Fleet Lifecycle

How it works

Sign up & install

Agent runs silently

See your Security Score

210+ security checks across 13 categories

Auth & Access Control

Network Security

Filesystem Security

Kernel & Hardening

Software & Patches

Services & Docker

SSH Hardening

Audit & Logging

Built-in Compliance Frameworks

CIS Level 1

NIST 800-53

ISO 27001

SOC 2 Type II

PCI DSS v4.0

NBU Resolution №143

NBU Resolution №95

SSSCIP Order №75

Continuous SOC 2 compliance. Without the spreadsheet chaos.

Platform Evolution

The Auditor — Security Foundation

The Analyst — Vulnerability & Risk Intelligence

Active Remediation

Adaptive Conditional Access

Mobile Agent — Read-Only Advisor

Cloud & SaaS Security (CSPM)

ZTNA & Endpoint Defense

IT Lifecycle & HRM

Built for every scale

Personal

Corporate Fleet

BYOD / Remote Teams

Cyber Insurance

Banking & Fintech

Compliance & Audit

Simple, transparent pricing

Why upgrade?

Personal → Business

Business → Enterprise

Supported Platforms

Security by design

Start monitoring your devices today

Know your
security posture
— always.