# Security & Compliance

> Understand the policy layers Altostrat SDX gives you for content control, threat mitigation, firewall rules, vulnerability scanning, and auditability.

Altostrat SDX centralizes the controls that are usually scattered across routers, scripts, spreadsheets, and security tools. You define security intent in the portal, attach it to the right sites, and use monitoring, reports, and audit logs to verify what changed.

Security in SDX is layered. DNS policies influence where users can browse. Security Essentials policies block known-risk network destinations. Security groups shape allowed traffic. Vulnerability schedules identify exposed CVEs. Audit logs help you investigate who changed what.

```mermaid
flowchart LR
  User["Users and devices"] --> DNS["DNS content filtering"]
  User --> SG["Security groups"]
  Internet["Internet destinations"] --> Essentials["Security Essentials"]
  Router["Managed MikroTik sites"] --> CVE["Vulnerability schedules"]
  DNS --> Audit["Audit logs"]
  SG --> Audit
  Essentials --> Audit
  CVE --> Audit
```

## Choose the Right Control

Use each security feature for a different part of your operating model.

<CardGroup cols={2}>
  <Card title="DNS Content Filtering" icon="list-filter" href="./dns-content-filtering">
    Apply category, SafeSearch, domain allow-list, and domain block-list policies to sites.
  </Card>

  <Card title="Security Essentials" icon="shield-x" href="./bgp-threat-mitigation">
    Attach continuously updated threat mitigation lists to reduce exposure to known-risk networks.
  </Card>

  <Card title="Security Groups" icon="brick-wall" href="./security-groups">
    Build reusable firewall policies with ordered rules, common services, custom ports, CIDRs, and prefix lists.
  </Card>

  <Card title="Vulnerability Scanning" icon="scan-search" href="./vulnerability-scanning">
    Schedule CVE scans, review affected hosts, and track remediation status across sites.
  </Card>

  <Card title="Audit Logs" icon="history" href="./audit-logs">
    Search workspace activity when you need to understand a change, investigate access, or support compliance review.
  </Card>
</CardGroup>

## Operating Pattern

1. Start with broad site segmentation using teams, tags, and security groups.
2. Add DNS content policies for user-facing environments.
3. Attach Security Essentials policies where internet egress needs threat mitigation.
4. Schedule vulnerability scans for networks with devices you are responsible for maintaining.
5. Review audit logs and monitoring data before and after high-risk changes.

<Tip>
  Use tags from [Metadata and Tags](../fleet/metadata-and-tags) to keep security assignments scalable. A tag-driven operating model is easier to maintain than one-off policy exceptions per site.
</Tip>
