Built for Organizations Where Data Can't Leave
StratoLens runs in your Azure tenant. Your infrastructure metadata never touches an external server. Designed for organizations with strict data residency requirements.
How Your Data Flows
Every component runs inside your environment. Nothing external.
Designed for Strict Data Residency
StratoLens's customer-hosted architecture supports your compliance posture regardless of your regulatory environment.
Financial Services
Designed for environments with strict data residency requirements. Your infrastructure metadata stays in your tenant.
Healthcare
Customer-hosted architecture means no infrastructure data leaves your environment, supporting your compliance posture.
Government & Defense
Deploy within your own sovereign Azure tenant. Full control over data residency and access.
European Organizations
Your infrastructure metadata stays in your Azure region, supporting compliance with data residency regulations.
Security Architecture
Built on the same Azure security primitives your organization already trusts.
Customer-hosted
StratoLens deploys entirely in your Azure tenant as a single container on Azure Container Apps.
Zero data exfiltration
No infrastructure metadata is sent to any external service. All data stays in your environment.
Entra ID authentication
Users sign in with your existing identity provider. No separate accounts to manage.
Key Vault integration
All secrets are stored in your Azure Key Vault instance. StratoLens never stores credentials itself.
Managed Identities
No stored credentials. StratoLens authenticates to Azure APIs using managed identities only.
Private endpoint support
Deploy with private endpoints for full network isolation. No public internet exposure required.
Features for Compliance Teams
The tools you need to audit access, track changes, and prove compliance.
Access Optimization
Correlate role assignments with 365 days of activity logs. Identify stale, unused, and over-privileged access across your entire estate.
Change Tracking
Full audit trail of every infrastructure change. Compare any two points in time to see what changed, who changed it, and when.
Policy Governance
Track policy assignment changes, compliance state transitions, and exemption expirations across your Azure hierarchy.
Activity Explorer
Search and filter Activity Log entries across all subscriptions in one view. Investigate user actions without switching between portals.
Common Questions
What data does StratoLens access?
StratoLens reads Azure Resource Manager metadata, Activity Logs, cost data, and Entra ID information (users, groups, role assignments). It reads infrastructure metadata only. It does not access the contents of your resources (e.g., database records, storage blobs, or application data).
Where is data stored?
All data is stored in an Azure Cosmos DB instance running in your Azure subscription. The database is created during deployment and belongs entirely to you. StratoLens has no external database. Your infrastructure metadata is never sent to us.
What permissions does StratoLens require?
StratoLens uses a managed identity with Reader access at the management group or subscription level. It also requires Directory Reader in Entra ID for group membership resolution. All permissions are read-only.
Can I restrict which subscriptions StratoLens scans?
Yes. You can select which Azure subscriptions to include or exclude from scanning. Only included subscriptions count toward your billing tier.
Does StratoLens phone home or send telemetry?
StratoLens sends minimal license validation data after each scan (installation ID, tenant ID, subscription and resource counts, version number). No infrastructure metadata, resource names, or configuration details are ever transmitted.
See It Running in Your Tenant
Join the beta and deploy StratoLens in your own Azure environment. Free access during the beta period.