S4E is available in two deployment models: Cloud (SaaS) and On-Prem (self-hosted). Both editions share the same core scanning engine and user interface, but differ in operational responsibility, network access, and update mechanisms.
Comparison Matrix
| Aspect | S4E Cloud | S4E On-Prem |
|---|---|---|
| Hosting | Managed by S4E | Deployed in your own infrastructure |
| Data residency | S4E-managed cloud regions | All data remains within your network |
| Updates | Automatic, zero-downtime | Customer-controlled update schedule |
| Scaling | Auto-scaled by S4E | Customer-managed |
| Internal scanning | Requires a network agent or VPN tunnel | Direct access to internal IPs and private DNS |
| Air-gap support | Not available | Fully supported |
| Infrastructure management | None required | Customer manages servers, storage, networking |
| Compliance scope | Shared responsibility | Full customer control over audit scope |
| Cost model | Subscription (per-asset pricing) | License + customer infrastructure costs |
| Support | Standard SLA-based support | Dedicated on-prem support channel |
Operational Differences
Update and Upgrade Process
Cloud: Updates are deployed continuously by the S4E team. Customers receive new features and security patches automatically with no action required.
On-Prem: Updates are delivered as new container image versions. The customer controls when and how updates are applied:
- Receive the update notification from your S4E account representative.
- Review the release notes and changelog.
- Pull the updated images and restart services.
- Validate the deployment using health checks.
Update cadence
S4E publishes On-Prem releases on a regular cycle. Critical security patches are released out-of-band as needed.
Network Configuration
On-Prem: The platform runs inside your network, giving it direct access to:
- Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Internal DNS zones and split-horizon domains
- Web applications behind corporate firewalls and VPNs
- Services on non-standard ports
No agent required
Since S4E On-Prem runs inside your network, there is no need for a network agent or VPN tunnel to scan internal assets.
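The following planning helper is an added example, not part of S4E or its documentation: it sorts an asset inventory by the three private ranges listed above, so you can see how many targets would need a network agent or VPN tunnel under Cloud and would be directly reachable from On-Prem. The function names, labels and sample inventory are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# The three private IPv4 ranges listed on the page.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(target):
    """Classify one inventory entry: internal, mixed, other or hostname."""
    target = target.strip()
    if target.count(":") == 1:          # drop a ":port" suffix (IPv6 has 2+ colons)
        target = target.split(":")[0]
    try:
        net = ipaddress.ip_network(target, strict=False)
    except ValueError:
        # Not an IP or CIDR. Names in internal or split-horizon zones can
        # only be judged by resolving them from inside the network.
        return "hostname"
    if net.version != 4:
        return "other"                  # the page lists IPv4 ranges only
    if any(net.subnet_of(p) for p in PRIVATE_NETS):
        return "internal"
    if any(net.overlaps(p) for p in PRIVATE_NETS):
        return "mixed"                  # CIDR straddles a private boundary
    return "other"                      # outside the three listed ranges


def summarize(inventory):
    """Count entries per class and flag whether internal reach is needed."""
    counts = Counter(classify(t) for t in inventory)
    needs_internal = counts["internal"] + counts["mixed"] > 0
    return dict(counts), needs_internal


# Constructed sample inventory (documentation addresses and made-up names).
SAMPLE = ["10.20.30.40", "172.31.0.0/16", "192.168.1.10:8443",
          "172.0.0.0/8", "203.0.113.7", "intranet.corp.example",
          "2001:db8::1"]

if __name__ == "__main__":
    counts, needs_internal = summarize(SAMPLE)
    print(counts)
    print("agent/VPN tunnel needed under Cloud:", needs_internal)
```

Entries labelled `hostname` still need a lookup from inside the network before they can be counted, since split-horizon names may resolve to private addresses only there.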
Scaling and Performance
Cloud: S4E automatically scales workers and infrastructure based on scan load.
On-Prem: Scaling is the customer's responsibility:
- Adjust the number of worker instances for scan-intensive workloads.
- Allocate dedicated CPU cores and memory to scanner and crawler services.
- Monitor resource utilization and tune based on scan volume.
See the Scaling section for guidance.
Data Management
Cloud: S4E manages database backups, retention policies, and disaster recovery. Customers can export data through the API.
On-Prem: The customer is responsible for:
- Database backup and restore procedures.
- Storage volume management.
- Log retention and archival.
See the Recovery procedures for backup strategies.
Observability
Cloud: S4E provides a built-in dashboard with scan metrics, system health, and usage statistics.
On-Prem: All services emit structured JSON logs accessible via standard container log tooling. Customers can integrate with their existing monitoring and SIEM solutions.
See the Logs & Debugging page for details.
Feature Parity
Both Cloud and On-Prem editions include:
- Full vulnerability scanning engine with all scan categories
- Web crawling pipeline
- Asset management and grouping
- Actions and playbooks for remediation workflows
- Role-based access control (RBAC)
- API access and documentation
- Report generation and export
Feature availability timing
New features are typically available in Cloud first, followed by On-Prem in the next scheduled release. Consult the release notes for feature availability timelines.
Choosing the Right Model
| Choose Cloud if you... | Choose On-Prem if you... |
|---|---|
| Want zero infrastructure overhead | Must keep data within your network |
| Primarily scan external assets | Need to scan internal or private assets directly |
| Prefer automatic updates | Require change control over updates |
| Have no air-gap requirements | Operate in disconnected environments |
| Need rapid onboarding | Have compliance or data residency requirements |
Next Steps
- System requirements — verify that your infrastructure meets On-Prem prerequisites.
- Installation guide — deploy S4E On-Prem.