Check Point Dome9

CloudGuard Dome9 is a comprehensive software platform for public cloud security and compliance orchestration. Using Dome9, organisations can visualize and assess their security posture, detect misconfigurations, model and enforce best practices, and protect against identity theft and data loss. Dome9 integrates with Amazon Web Services, Microsoft Azure, and Google Cloud.


  • Comprehensive compliance management including automated continuous enforcement of best-practices.
  • Active-Protection: Dynamic access leases, tamper protection, region-lock & IAM safety.
  • Network Security: Visual-view of your cloud-network topology exposing potential misconfigurations.
  • Threat Detection: Real-time detection of misconfiguration that will pose threat-to-instance.
  • IAM Protection: real-time privileged elevation over users, roles, actions.
  • CloudBots: Auto-remediation in AWS resolves dangerous misconfigurations and enforce compliance.
  • Tamper Protection: Continuous monitoring and automation reversion of unauthorised modifications.
  • Just-in-time privilege elevation with out-of-band authorisation for IAM actions


  • Compliance: Allows easy security,compliance management of public cloud environments
  • Enforces top security standards with auto remediation of unauthorised changes
  • Network Security: Spot misconfigurations quickly-and-easily, potentially preventing exposure
  • Threat Detection: Compliance with best-practices by spotting misconfigurations in real-time
  • IAM Protection: Ability to provide real-time privileged-elevation for AWS users.
  • CloudBots: Providing auto-remediation of dangerous misconfigurations, saving overheads and time.
  • Tamper Protection: Deny changes to network-security-groups, preventing unauthorised changes.
  • Privileged-Identity-Protection: Granular visibility control of users activities over native controls


£15,015 a licence

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

3 0 4 4 6 9 7 1 7 9 1 3 7 1 3


SEP2 LIMITED sep2 sales team
Telephone: 03300437372

Service scope

Software add-on or extension
What software services is the service an extension to
Dome9 is an extension to Microsoft Azure, Amazon Web Services and Google Cloud Platform.
Cloud deployment model
  • Public cloud
  • Private cloud
Service constraints
System requirements
You need to be using AWS, Azure or GCP already

User support

Email or online ticketing support
Email or online ticketing
Support response times
Sep2 support provides 24x7x365 support for Priority 1 incidents, with a response time of 30 minutes. Priority 2 incidents are responded to during office hours within 1 working hour. Priority 3 incidents are responded to during office hours within 4 working hours. Priority 4 incidents are responded to during office hours within 12 working hours.
User can manage status and priority of support tickets
Online ticketing support accessibility
None or don’t know
Phone support
Phone support availability
24 hours, 7 days a week
Web chat support
Onsite support
Yes, at extra cost
Support levels
All sep2 customers have an aligned account manager who manages all aspects of the customer relationship. sep2 support is priced depending on the number of licenses included. sep2 have 5 Check Point Security Masters working within the support team, ensuring a subject matter expert is available to support our customers as required. At an additional cost, a technical account manager can be aligned to a customer where additional technical resources are required.
Support available to third parties

Onboarding and offboarding

Getting started
Once purchased an admin and admin email must be nominated for initial providing of the link and account creation.
More onboarding details can be found here -
Service documentation
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
Users can create reports of final audit logs, compliance checks, asset reports, policy reports etc before access to the service is ended, as would have taken place during normal operation of the service.
End-of-contract process
When a contract is ended, the entire customers tenancy is deleted on the backend and all customer data is removed from the database systems associated with that tenancy ID.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The Dome9 mobile application can be used to create dynamic access leases or to open authorisation windows for IAM users.
Service interface
Description of service interface
You can access the web interface from a URL that after purchase can be linked to your domain. The mobile application can be downloaded from the Google Play and iOS app stores.
Accessibility standards
None or don’t know
Description of accessibility
Accessibility testing
What users can and can't do using the API
Application developers can access Dome9 functionality from within applications using the Dome9 API. With version 2 of this API, developers can access functions using RESTful HTTP requests.

The resources and methods listed in this API cover the Dome9 functionality that developer applications need to onboard and manage their cloud accounts in Dome9.

The resources are grouped into Dome9 entities and Cloud Inventory entities.

Dome9 entities include functional features such as Clarity, Compliance, Dome9 Alerts, and entities such as access leases, Compliance bundles and rules, and Dome9 users and roles.

Cloud inventory includes entities such as Security Groups, instances, regions, and VPCs.

The API is based on HTTP requests and responses, and uses JSON blocks.
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
Customers can write their own compliance bundles and queries


Independence of resources
We have an autoscaling Service hosted on AWS that has been built from the gound up with multi tenancy in mind. The data segregation is implemented in all system layers, including the DB, allowing for seamless scaling with minimal impact between tenancies.


Service usage metrics
Metrics types
License Consuption, billiable instances, number of assets protected, number of cloud accounts protected
Reporting types
Real-time dashboards


Supplier type
Reseller providing extra support
Organisation whose services are being resold
Check Point Software Technologies

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Datacentre security standards
Supplier-defined controls
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Users can export reports on compliance, indentity management and other aspects of their environment such as policies created, assets protected, alerts created and audit trails of changes made on the system as pdf reports.
Data export formats
  • CSV
  • Other
Other data export formats
Data import formats
Other data import formats
Customers can script the onboarding of their Cloud Accounts

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
Users will be refunded via a credit scheme, where users will not be charged for the same amount of time that they suffered service degredations. SLA's can be found here -
Approach to resilience
Dome 9 is run in Amazon Web Services. To provide high-availability, Dome9 is ran from 2+ availability zones within the AWS “Northern Virginia” (us-east-1) Region.
Outage reporting
Yes via

Identity and authentication

User authentication needed
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
Access restrictions in management interfaces and support channels
Dome9 web applications and APIs are developed with a focus on OWASP controls. Providing strict protection against injections, CSRF, XSS, data segregation
- MFA - Dome9 Web Console Authentication supports hardened authentication using TOTP MFA
- Dome9 Agents are authenticated via x.509 certificates that are generated during the initial pairing process
- API authentication uses HTTP Basic authentication over a Secured SSL (TLS) channel. It is disabled by default.

All traffic to the Dome9 production system passes through a Web Application Firewall. The WAF protects against attacks to the web application as well as providing protection against DDoS attacks
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Who accredited the PCI DSS certification
PCI DSS accreditation date
What the PCI DSS doesn’t cover
Other security certifications
Any other security certifications

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
For our internal processes we strive to meet the same level as ISO 27001, however do not seek accreditation
Information security policies and processes
Supplier-defined controls

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Dome9 is an Agile SaaS shop that constantly delivers enhancements to our Product.
All Dome9 SW is developed under a source control system where code commits are peer reviewed.
All Dome9 servers’ installation and configuration is controlled under a CM system (SaltStack), where all system configurations are source and version controlled too.
Code deployment is automated by the CM system providing consistency in deployments, ability to quickly push fixes, and allows safe rollback if and when a new critical issue is found.
No SW is installed on the servers except in the standardised, approved, and source controlled channel.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We have consistent yearly penetration tests, enable virtual patching through IPS signatures and NGTP security gateways protecting the environtment, the underlying servers and infrastructure is patched by AWS
information on potential threats come from Check Points Threat Hunting team and research team as well as our Threat Cloud which is the worlds largest database of secuirty feeds, signatures, Hash's IoC's etc
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Our SEIM platform for the dome9 production env is monitored continuiously for potential threats, this is fed from our WAF, traditional network security controls, and yearly penetration tests.
All Dome9 servers are connected to centralized Log/SIEM system that is constantly monitored.
Underlying virtualization host is protected, patched and maintained under the responsibility of our cloud providers.
The environment is protected by network firewalls that are configured under strict policies as would be expected from FW management
All non production environments (Dev/Test/ Staging) are segregated into different VPCs and accounts.
access to production enviroment is only through hardened bastion server
Incident management type
Supplier-defined controls
Incident management approach
As a market leading security vendor we have predefined processes for common events if there are any, users can report incidents from within the help option within the dashboard or by reaching out to Check Point directly.
If an incident happens then we will inform customers / users when we have a full grasp of what had happened and why.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£15,015 a licence
Discount for educational organisations
Free trial available
Description of free trial
Fully featured evaluation license to prove POC, Support from UK SE team to assist with any challenges in deploying and configuring, There is a limited time period for evaluation of 30 days

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at Tell them what format you need. It will help if you say what assistive technology you use.