Deployment: Invicti Platform on-premises
Architecture of the Helm installation
Invicti Platform on-premises uses a modular, microservices-based architecture deployed via a Helm chart on Kubernetes. This design allows scalable, fault-tolerant operation and simplifies maintenance through isolated service updates.

Infrastructure layer
The Infrastructure layer provides foundational services for data persistence, caching, and messaging that support all higher-level components.
- valkey - In-memory data store (Redis-compatible) used for caching GraphQL schemas
- natsio - NATS messaging system that provides persistent, event-driven communication between microservices
- postgresql - Primary relational database (PostgreSQL 16+) for structured and transactional data
- mongodb - Document-oriented database for storing in-flight scan data
- seaweedfs - S3-compatible distributed object storage for scan results and artifacts
- elasticmq - AWS SQS-compatible message queue for distributing scan tasks
Presentation layer
The Presentation layer exposes the user-facing interfaces and API gateways through which users and integrations access the platform.
- nginx - Reverse proxy that handles routing and SSL/TLS termination
- static-assets - Hosts the single-page application’s static files
- federated-frontend-gateway - Unified GraphQL gateway aggregating front-end services
- platform-apis - Provides interactive REST API documentation for developers
Each microservice also exposes its own REST API, accessible through Nginx routing.
Core application layer
The Core application layer delivers essential platform capabilities for authentication, notifications, and internal communication.
- appsec-identity - Identity provider and authentication service implementing OAuth 2.0 / OIDC
- notification-service - Handles in-app notifications
- message-consumer - Processes outgoing email notifications
AppSec layer
The AppSec layer manages application security, asset inventory, and integration services that enable centralized security management.
- appsec-inventory - Manages asset inventory and discovery
- appsec-externalscan - Orchestrates external vulnerability scanning
- apihub - Provides API discovery, management, and security functions
- integrations - Connects the platform to third-party systems such as Jira, Slack, and GitHub
- reporter - Generates DAST scan reports for analysis and compliance
DAST (Dynamic Application Security Testing) layer
The DAST layer provides services dedicated to web-application vulnerability scanning and automation.
- frontend - REST API server for the DAST backend
- gql - GraphQL server for scan data queries
- upload-frontend - File upload service for importing DAST scan results
- coordinator - Manages scan scheduling and orchestration
- Autoscaling DAST scanning engine with three sub-components:
  - dast_orchestrator - Controls scan lifecycles and task scheduling
  - dast_scanner - Core Invicti scanning engine deployed as KEDA-scaled jobs
  - api_reconstruction_service - Discovers API endpoints and generates OpenAPI specifications
- keda - Kubernetes Event-Driven Autoscaler for scaling scanner jobs
- lsr-broker - Broker service for the Login Sequence Recorder
- lsr-worker - Worker processes that execute recorded login sequences
Monitoring stack (optional)
The Monitoring stack provides observability, logging, and autoscaling capabilities for the platform.
- kube-prometheus-stack - Includes Prometheus, Grafana, and Alertmanager for metrics collection and alerting
- monitoring-alloy - Grafana Alloy for telemetry aggregation
- monitoring-loki - Centralized log collection and querying with Loki
Next, review the prerequisites to ensure your environment is ready for installation.