S4E is available in two deployment models: S4E Cloud (SaaS) and S4E On-Prem (self-hosted). Both models provide the same core functionality - continuous scanning, findings management, actions, playbooks, and reporting - but differ in how the platform is hosted, managed, and operated.
This page helps you understand the differences so you can choose the right model for your organization.
Comparison Table
| Feature | S4E Cloud (SaaS) | S4E On-Prem (Self-Hosted) |
|---|---|---|
| Hosting | Managed by S4E | Your data center or private cloud |
| Setup time | Minutes (sign up and go) | Hours to days depending on environment |
| Infrastructure management | Fully managed by S4E | Managed by your team |
| Updates and patches | Automatic, zero-downtime | Self-managed upgrades |
| Data residency | S4E-managed cloud infrastructure | Your infrastructure, full data sovereignty |
| Internal asset scanning | Internet-facing assets only | Internal and internet-facing assets |
| Air-gapped support | Not available | Fully supported |
| Scaling | Automatic | Manual or automated, based on your setup |
| Deployment options | N/A (fully managed) | Docker Compose, Kubernetes, or custom |
| Uptime SLA | Provided by S4E | Managed by your operations team |
| Cost model | Subscription (per-asset or per-seat) | License + your infrastructure costs |
| Compliance | Managed by S4E | You control the compliance environment |
| Opservant agent | Optional (for hybrid setups) | Included and required |
| Support | S4E support team | S4E support + your infrastructure team |
S4E Cloud - When to Choose
S4E Cloud is the right choice when:
- You want to get started quickly. No infrastructure provisioning, no server management. Sign up, add your assets, and start scanning.
- You primarily scan internet-facing assets. Cloud is ideal for monitoring external attack surfaces: public domains, web applications, APIs, and internet-exposed services.
- You prefer managed operations. S4E handles all platform updates, scaling, backups, and availability. Your team focuses on security, not infrastructure.
- You need predictable costs. Subscription pricing with no infrastructure overhead to forecast or manage.
Tip
S4E Cloud can be extended with the Opservant agent for hybrid deployments where you need to scan some internal assets while keeping the management plane in the cloud.
S4E On-Prem - When to Choose
S4E On-Prem is the right choice when:
- Data sovereignty is a hard requirement. Regulated industries (finance, healthcare, government, defense) often require that all security data remain within controlled infrastructure. On-Prem ensures no scan data leaves your network.
- You need to scan internal assets. Assets on private networks, behind firewalls, or in segmented environments can only be reached from within your infrastructure.
- You operate in an air-gapped environment. On-Prem supports fully disconnected deployments with no internet dependency.
- You want full control over the platform lifecycle. Choose when to upgrade, how to scale, and how to configure every aspect of the deployment.
On-Prem deployment supports multiple infrastructure options including Docker Compose for simpler setups and Kubernetes for larger-scale environments.
Feature Parity
Both deployment models share the same core capabilities:
- Asset management (discovery, verification, tagging)
- All scan types and scan scheduling
- Findings management with severity and security scoring
- Actions (manual, automatic, AI-generated)
- Reporting and analytics dashboards
- Role-based access control and team management
- API access and webhook integrations
The key differences are operational: who manages the infrastructure, where the data lives, and what network environments can be scanned.
Hybrid Deployments
Some organizations choose a hybrid approach: S4E Cloud for the management plane and external scanning, combined with the Opservant agent deployed on-premises for internal asset scanning.
This hybrid model provides:
- The convenience of a managed SaaS platform
- The ability to reach internal, non-internet-facing assets
- Centralized visibility across both external and internal scan results
- Reduced infrastructure overhead compared to a full On-Prem deployment
Note
Hybrid deployments require the Opservant agent to communicate with the S4E Cloud platform over a secure channel. Ensure that outbound connectivity from your network to S4E Cloud endpoints is permitted.
Choosing the Right Model
Use the following decision guide:
-
Do you need to scan assets on private, non-internet-facing networks?
- Yes, and you cannot allow any data to leave your network → On-Prem
- Yes, but cloud management is acceptable → Hybrid (Cloud + Opservant)
- No, all assets are internet-facing → Cloud
-
Do you have regulatory requirements for data residency?
- Yes, strict data sovereignty → On-Prem
- No → Cloud or Hybrid
-
Do you want to minimize infrastructure management?
- Yes → Cloud
- Managing infrastructure is acceptable → On-Prem or Hybrid