Skip to content

Security & backup monitoring

For an MSP, “security” cuts two ways: keeping an eye on your clients’ security and backup posture, and keeping the PSA itself locked down. Opentra covers both.

Endpoint-security and backup tools — Huntress, MSPBackups and the like — feed the same alerts pipeline as RMM monitoring. A backup failure or a security detection lands as an alert against the right client, and a critical or high one becomes a ticket automatically, so a missed backup or a flagged endpoint is worked, not lost in an inbox.

Deeper security-posture surfacing (per-client scorecards, EDR status in the client record) is on the roadmap — the alert ingestion is the foundation it builds on.

Not every client can afford every control — and the ones they do pay for are easy to forget between renewals. The security coverage report makes what you protect explicit, in language a client’s owner actually understands.

Coverage is declared per organisation (set on the org page — it’s a stated position, not derived from an integration, so it works even for tools Opentra doesn’t connect to yet), across a fixed catalogue of managed security services:

Service In plain terms
Managed detection & response (EDR) Behaviour-based protection on every machine, watched by analysts, with the ability to isolate a compromised device within minutes.
Antivirus protection Continuously updated protection that blocks known threats, monitored centrally so a detection is visible immediately.
Email security & spam filtering Phishing, malicious attachments and impersonation quarantined before they reach the inbox.
Microsoft 365 security monitoring Watching for the signs of a compromised account — impossible-travel sign-ins, new forwarding rules, unusual mailbox access.
Backup monitoring & verification Daily checks that backups actually ran, failures chased, and restores periodically verified.
Firewall management Firewall rules, firmware and remote-access settings maintained so they don’t drift into holes.
Security awareness training Short, regular staff training and simulated phishing tests.
Password management A business password manager — strong, unique, shared securely and revocable in one click.
Multi-factor authentication A second proof of identity, so a stolen password alone can’t get in.

This coverage is what appears as “Your security coverage” in the automated monthly service report and on the client’s portal report page — turning security from an invisible line item into something the client can see they’re getting.

Because Opentra is self-hosted and single-tenant, your client data lives on infrastructure you control — no multi-tenant SaaS surface, no vendor sitting on your book of business. On top of that, the platform is hardened by default:

  • Role-based access, enforced at the server on every action — not just hidden in the UI. Commercial modules (pipeline, quotes, contracts, invoices, reports) check permissions on each read and mutation.
  • Portal security. Customer-portal links (contract, quote, change-request, project) use high-entropy random tokens that expire after 30 days, and every approval captures the client’s IP and user-agent for an audit trail.
  • Safe email rendering. Inbound email HTML is displayed in a sandboxed frame, never injected into the page — so a malicious email can’t run script against a staff session.
  • Rate limiting on public portal and webhook endpoints, keyed on the true client IP and failing closed.
  • Signed tracking links and hardened attachment serving, so links can’t be tampered with and files can’t be served as inline active content.