One platform across every client. Their branding, your operations.
Astrari is multi-tenant from day one. Group every server and site under a named client. Invite a scoped login that sees only their estate. Send a polished monthly report on the 1st of every month — automatically, in your branding, from your domain. None of this is roadmap. It is shipped today and included on every paid plan.
01 · Multi-tenant
Group every asset under a named client
Every server and every site can be assigned to a client. The Client is a first-class object in the platform — it has its own contacts, its own integrations, its own monthly report cadence. Engineers in your agency see everything; the client sees their own assets in their own scoped login.
When you invite a CLIENT_OWNER, the API enforces that they can only read and act on assets attached to their client. The same role can invite their own team members to view alongside them — useful for a hand-off to an in-house IT lead at the client.
What that means in the code
Client / ClientServer / ClientSite models · CLIENT_OWNER role enforced at every API endpoint · per-finding alert routing reads clientId.
What you get out of the box
- Named client groupings, unlimited per plan
- Scoped CLIENT_OWNER login per client
- Client team-member invitations (the client invites their own people)
- Per-client notes, contacts, integrations
- Per-client monthly report opt-in toggle
02 · Branding
Run the dashboard at your own subdomain
Set a custom domain on your organisation and Astrari serves the dashboard from there. Replace our wordmark with yours. Set the brand colour. Configure the sender name and reply-to that every alert email and monthly report ships with.
Your clients log in at your domain, see your branding, get emails from your address. Astrari is the engine; you're the surface they interact with. We're upfront in the trust centre that we're the underlying provider, but the day-to-day relationship lives entirely in your brand.
What that means in the code
Organization.customDomain (unique constraint) · logoUrl · primaryColor · brandName · emailSenderName · emailReplyTo — all configured per-organisation in settings.
What white-label covers
- Custom (sub)domain — yours.example.com
- Logo + brand colour applied site-wide
- Sender name + reply-to address on every alert and report email
- “Sent on behalf of [your agency]” band on monthly reports
- No Astrari logo on emails or PDFs — only in the legal trust centre
03 · Reporting
Polished monthly reports, sent automatically
On the 1st of every month, every client with monthly reports enabled receives a polished PDF. Findings rolled up by severity, month-on-month trend, plain-English explanations written for the client rather than the engineer who'll act on them.
The cron is idempotent — re-running the trigger in the same calendar month is a no-op for clients who've already received their report. You don't have to remember to send it; we don't have to remember either.
What that means in the code
MonthlyStatusReport schema · Client.monthlyReportEnabled toggle · scheduler cron with calendar-month-aware idempotency.
What lands in their inbox
- Branded PDF — your logo, your colour, your sender
- Severity-rolled-up findings with month-on-month trend chart
- Plain-English remediation summaries (not raw CVE IDs)
- Per-asset score change since last month
- Per-client opt-in — pause for individual clients without affecting others
04 · Routing
Per-client alert contacts and integrations
Each client gets its own contacts and integrations. Their team's Slack, their NOC's webhook, their on-call rota — wired to alerts only on assets that belong to them. Your agency's existing contacts continue working alongside, picking up findings on assets in your own estate.
When a HIGH lands on a client's server, it routes to their contacts. When the same HIGH lands on your own server, it routes to your agency contacts. The platform enforces this automatically based on the asset's client assignment.
What that means in the code
AlertContact and AlertIntegration both carry an optional clientId · per-finding routing query joins on it · ServerAlertRecipient + SiteAlertRecipient explicitly wire which contacts get which assets.
What you can wire up
- Email contacts per client, with test-send
- Slack webhook per client
- Generic webhooks per client (with HMAC signature)
- Asset-level overrides (one server → different routing than the rest of its client)
- Severity threshold per recipient — separate noise from real
Pricing for agencies
No agency tier. No client-count multiplier. No white-label upcharge.
Most agencies sit on Pro at £45 / month — 25 servers, 100 sites, every multi-tenant feature included. Spin up clients, invite scoped logins, switch on white-label, set monthly reports running. No contract negotiation; the same plan every other Pro customer pays for.
Astrari is a service of Incus Technologies Limited, registered in England & Wales (no. 09253791). The team is small enough that the engineer who built the multi-tenant model is the same one who replies to your email.