Security Monitoring

Security Monitoring gives operators a continuous view of endpoint posture and threat-response readiness across the fleet — and Breeze itself is hardened at the platform layer so the tool you use to defend customers doesn’t become its own attack surface.

Endpoint Posture and Threat Operations

Breeze continuously collects security signals from every endpoint: AV provider state, real-time protection, firewall status, encryption posture, local admin exposure, and password policy indicators. Each device gets a posture score on a 0–100 scale with a clear risk level, and trends roll up to the organization so you can see where a customer is improving and where they’re slipping.

When something turns up, technicians can run quick, full, or custom scans on demand and act on detections — quarantine, remove, or restore — through explicit, audited workflows. The point is to close issues, not just observe them. For MSPs, that posture data also doubles as customer-facing reporting on baseline security hygiene.

Customer Data Stays Isolated

Multi-tenant isolation in Breeze is enforced at the database, not just in the application. Row-level security is forced on every tenant-scoped table, so even an application-layer bug — a missing tenant filter, a stale query, a mistaken join — cannot expose one customer’s data to another. The wrong query returns nothing instead of the wrong rows.

For an MSP running dozens or hundreds of customer fleets in a single instance, this is the difference between “we have controls” and “the database refuses to break tenancy.”

Secrets Stay Encrypted Even If a Session Leaks

Sensitive secrets at rest are encrypted with a dedicated key that’s separate from the key used to sign sessions. A leaked session key cannot decrypt secrets. A leaked secrets key cannot forge sessions. The two responsibilities are split so a single compromise can’t cascade.

Every existing MFA enrollment is re-encrypted under the new scheme, with a transitional fallback so users keep logging in normally through the upgrade — no one has to re-scan a QR code or burn a backup code because of a migration.

Webhooks You Can Verify

Outbound webhooks support HMAC signatures so receivers can confirm a delivery actually came from Breeze and wasn’t tampered with in transit. Legacy header-secret webhooks still deliver while integration owners migrate. See the Integrations page for verification details and the migration window.

The same posture extends to the request path: trusted reverse-proxy IPs are configured explicitly, so audit logs, rate limits, and IP-based controls always see the real client address. A request from outside the trusted set can’t forge an upstream header to spoof origin or bypass throttling. A tightened content security policy closes the inline-script and untrusted-source vectors that older CSPs leave open, shrinking the blast radius of any future XSS.

Hardening like this is paired with backwards-compatible read paths and deprecation warnings, so existing logins, integrations, and enrolled agents keep working through the upgrade.

Learn More

Read What AI Gets Right (and Wrong) About Security for an honest look at where AI-driven security monitoring excels and where human judgment is still essential.