Integrations
The One Security integrates with the rest of The One Stack and external services to provide a unified security workflow.
Hub SSO
All users authenticate via Hub SSO. There is no separate username/password for The One Security.
- Users access app.theonesecurity.app via the Hub waffle menu
- Roles are inherited from Hub (Owner, Admin, Member, Viewer)
- User lists for SAT campaigns and dark web monitoring sync from Hub
PSA Integration
Incidents and vulnerability findings can create PSA tickets automatically:
- Critical/High incidents → PSA incident ticket with full details
- Vulnerability remediation tasks → PSA service request
- SLA tracking for incident response tied to PSA SLA policies
Configure the PSA integration in Settings → Integrations.
RMM Integration
The One RMM provides device context that enriches vulnerability findings:
- Device inventory from RMM appears in scan target suggestions
- Device criticality and OS version enrich vulnerability severity
- RMM agent version and patch status visible in vulnerability context
Defend Integration
The One Defend (EDR) and The One Security share data bidirectionally:
- Defend alerts flow into the Security Command Center as SIEM alerts
- IOCs discovered in Defend threat hunts are shared with The One Security threat intel feeds
- Incident response from Security can trigger Defend response actions (isolate, quarantine)
On-Call Integration
Critical incidents can page the on-call technician via The One On-Call:
- Severity threshold for on-call escalation is configurable
- On-call receives a push notification with incident title and severity
- On-call acknowledgement is logged in the incident timeline
Configure the On-Call integration in Settings → Integrations.
CMDB Integration
The One CMDB provides asset context for vulnerability management:
- Asset criticality (PHI, PCI, etc.) from CMDB increases vulnerability priority
- Device records in CMDB are linked to scan targets
- Asset ownership determines default assignment for vulnerability remediation
Microsoft 365 Graph API
Used for M365 Posture monitoring. Required permissions:
- AuditLog.Read.All
- Directory.Read.All
- Policy.Read.All
- SecurityEvents.Read.All
The OAuth consent flow is initiated from SecOps → SaaS Posture → Connected Tenants.
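A least-privilege check for the tenant connection described above, as an added example that is not The One Security's own code: it decodes the access token obtained after consent and reports which of the four listed permissions are missing and which were granted beyond them. It assumes the permissions appear in the token's `roles` (app-only) or `scp` (delegated) claim; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# The four Microsoft Graph permissions this page lists for M365 Posture monitoring.
REQUIRED = frozenset({
    "AuditLog.Read.All", "Directory.Read.All",
    "Policy.Read.All", "SecurityEvents.Read.All",
})


def token_permissions(jwt: str) -> set[str]:
    """Return the Graph permissions carried in an access token's claims.

    App-only tokens list them in `roles` (array); delegated tokens use
    `scp` (space-separated string). The signature is NOT verified: this
    inspects a token your own integration obtained, it is not authentication.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    perms = set(claims.get("roles", []))
    perms.update(claims.get("scp", "").split())
    return perms


def audit_consent(jwt: str) -> dict[str, list[str]]:
    """Compare granted permissions with the documented read-only set."""
    granted = token_permissions(jwt)
    return {
        "missing": sorted(REQUIRED - granted),  # posture checks would fail
        "excess": sorted(granted - REQUIRED),   # broader than documented
    }


def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not real)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    demo = {"roles": ["AuditLog.Read.All", "Directory.ReadWrite.All"]}
    print(audit_consent(constructed_token(demo)))
```

Delegated tokens usually also carry sign-in scopes such as `openid` or `profile`, which this check reports under `excess`; review those entries rather than treating every one as a finding.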
HaveIBeenPwned API
Used for dark web monitoring. The HIBP API v3 is queried per monitored email address on a 12-hour schedule. Requires a valid HIBP API key configured in Key Vault (HIBP-API-KEY).
AWS SES (Email)
Phishing simulation emails are sent via Amazon SES from the theonesecurity.app domain:
- IAM user: theonesecurity-ses-sender
- Config set: security-transactional
- From address: The One Security <[email protected]>
Stripe (Billing)
Subscription billing is managed via Stripe. Tiers and their Stripe product IDs are configured in the billing module. Managed user counts for User Protection billing are reported monthly via the billing-usage-reporter background function.
GitHub App
The AppSec / vulnerability management module connects to GitHub repositories via The One Security GitHub App (App ID configured in environment). This provides:
- Dependency inventory from package.json, requirements.txt, go.mod, etc.
- Secret scanning integration
- SAST result ingestion