Is Astra available for on-premises deployment?
Last updated: June 8, 2026
Introduction
If your organisation operates in a highly regulated environment or has strict data residency requirements, you may be evaluating whether Astra can be deployed within your own infrastructure. This article clarifies Astra's current deployment model, what is and is not available for on-premises use, and what options exist if you have specific infrastructure constraints.
Who Should Read This
This article is relevant for IT administrators, security architects, procurement teams, and compliance officers evaluating Astra as a security testing solution where on-premises deployment may be a requirement.
Current Deployment Model
Astra is a SaaS-based platform. All core platform components — including the vulnerability scanner, pentest dashboard, reporting engine, and compliance monitoring — are hosted and operated by Astra in the cloud.
At this time, Astra's vulnerability scanner is not available for on-premises deployment.
This means:
The scanning engine runs from Astra's cloud infrastructure and sends requests to your target from Astra's IP ranges
The dashboard, vulnerability management, and reporting features are accessed via your browser at my.getastra.com
All scan data, vulnerability reports, and certificates are stored and managed within Astra's cloud environment
What Is Available for On-Premises Environments
While the scanner itself is cloud-based, Astra does offer Penetration Testing services for on-premises environments. This means Astra's security engineers can conduct hands-on assessments of infrastructure, applications, and networks that are hosted within your private environment.
If your application or infrastructure is not publicly accessible, Astra provides several options to facilitate scanning without exposing your systems to the internet:
VPN Access: For internal or private staging environments, Astra's team can connect via VPN to conduct assessments. You provide the necessary VPN credentials and access, and the pentest proceeds from within your network boundary. See [How to run a Vulnerability scan or Pentest on a private staging environment that requires VPN access?] for details.
IP Whitelisting: If your environment is protected by a firewall but accessible over the internet, you can whitelist Astra's static scanner IP ranges to allow scan traffic through without opening your environment more broadly. See [Astra IP Ranges] for the full list of addresses to add.
Envoy Forward Proxy: For internal applications, APIs, or IP ranges that cannot be exposed publicly, Astra supports routing scan traffic through an Envoy forward proxy deployed within your private network. This allows Astra's scanner to reach internal targets securely without requiring you to expose individual services. See [Scanning Internal Applications via Envoy Forward Proxy] for the full setup guide.
Astra Traffic Collector: For API observability and security monitoring within private environments, Astra's Traffic Collector can be deployed inside your infrastructure (on a Linux VM, Windows machine, Kubernetes cluster, or via cloud marketplace) to capture and forward telemetry data to the Astra platform. See [How to setup Astra Traffic Collector in Linux] for setup instructions.
Considerations for Regulated or Air-Gapped Environments
If your organisation operates in a fully air-gapped environment with no outbound internet connectivity, the current SaaS model may not be compatible with your requirements without significant network configuration.
In these cases, we recommend:
Contacting the Astra sales or enterprise team to discuss your specific constraints
Exploring whether a hybrid approach — such as the Envoy forward proxy or VPN-based assessment — can meet your compliance and security requirements
Reviewing whether your compliance framework permits cloud-based scanning tools with appropriate data handling agreements in place
Astra maintains SOC 2 Type II and ISO 27001 certifications, which may support your organisation's due diligence process. Compliance documentation is available via the Astra Trust and Compliance portal at [compliance.getastra.com].
Best Practices
Engage the enterprise team early if on-premises or private environment scanning is a hard requirement. Custom arrangements may be possible depending on your specific needs.
Use IP whitelisting as the simplest way to allow Astra's cloud scanner to reach environments that are not publicly accessible but do have internet connectivity.
Consider the Envoy forward proxy if you need to scan multiple internal services without exposing each one individually.
Review Astra's compliance documentation if your procurement or legal team requires evidence of data handling practices before approving a cloud-based tool.
Troubleshooting
Our security policy requires all tools to run within our own infrastructure. Can Astra accommodate this?
The vulnerability scanner itself cannot be deployed on-premises at this time. However, manual penetration testing services can be scoped for on-premises environments. Contact the Astra sales team to discuss your requirements and explore what arrangements are possible.
We have a private staging environment that is not accessible from the internet. Can Astra still scan it?
Yes. Options include VPN access, IP whitelisting combined with firewall rules, or deploying an Envoy forward proxy within your network. See [How to run a Vulnerability scan or Pentest on a private staging environment that requires VPN access?] and [Scanning Internal Applications via Envoy Forward Proxy] for detailed setup instructions.
We are concerned about scan data leaving our environment. What data does Astra store?
Astra stores vulnerability findings, scan metadata, and reports within its cloud platform. For detailed information on data handling, sub-processors, and retention policies, review the [List of Sub-processors] article and Astra's privacy policy, or contact the Astra compliance team via [compliance.getastra.com].
We need an on-premises solution for compliance reasons. What should we do?
Reach out to the Astra sales or enterprise team and explain your compliance requirements in detail. The team can advise on whether your specific compliance framework permits cloud-based scanning under appropriate data processing agreements, and what options are available for your situation.
Next Steps
[How to run a Vulnerability scan or Pentest on a private staging environment that requires VPN access?] — Configure VPN access for private environment scanning
[Scanning Internal Applications via Envoy Forward Proxy] — Set up an Envoy proxy to reach internal applications
[Astra IP Ranges] — Whitelist Astra's scanner IPs in your firewall
[How to setup Astra Traffic Collector in Linux] — Deploy the Traffic Collector within your own infrastructure
[Astra Compliance Overview and Audit Reports] — Review Astra's security certifications and compliance documentation