The pattern of treating every device as untrusted by default and requiring proof of secure configuration before granting access to any resource. The device-posture half of the broader Zero-Trust model — the other half being identity.
The original Zero-Trust framing focused on identity: stop trusting the network perimeter, authenticate every request, give the right user access to the right resource. That works only if the user's device is also trustworthy. A correctly-authenticated user on a device with a disabled firewall, no disk encryption, and a kernel six months behind on patches is a successful attack vector wearing the right badge. Zero-Trust device verification closes that gap by making the device's posture an explicit precondition for access — the same way the user's identity already is.
A lightweight agent runs on every device — corporate-owned, BYOD, contractor — and reports configuration state (firewall, encryption, SSH, OS patches, CVEs, audit-log settings, dozens more) to a central authority.
The authority computes a per-device Security Score and per-category pass/fail signal, time-series-tracked, exposed via API. Access-gating systems (Okta, Azure AD, Tailscale, Cloudflare Access) consume the signal.
At access time, the gate consults the signal. Device score above threshold → access granted. Score drops below → access immediately revoked, even mid-session for short-lived tokens.
Lorika is the measure-and-score half of the model. 190+ continuous checks across 8 categories, a 0–100 Security Score per device updated at every scan, time-series history accessible via API. The signal feeds Conditional Access integrations on the roadmap (Okta, Google Workspace, Azure AD, JumpCloud, Tailscale) — and in the meantime, any Conditional Access platform that can consume an external HTTP signal can be wired in directly.
Free for up to 10 devices. Per-device Security Score. Continuous, time-series, framework-mapped.
Get started free →