APaaS Assure
Log in Book a demo

One platform for continuous CE+ compliance

Unified ITAM, MDM and agent inventory. KEV-aware risk register. 5Rs rationalisation. Everything you need to run continuous CE+ instead of an annual scramble.

Four capabilities in one console

5Rs rationalisation engine

Every product in your estate gets a per-app, per-version recommendation: Retain, Reduce, Replace, Remove or Replatform. Driven by real usage telemetry, vulnerability exposure and category. Manual override at any level.

KEV-aware risk register

NIST NVD plus CISA Known Exploited Vulnerabilities catalogues overlaid on your live estate. SLA clock starts the moment a KEV match is found. Automated alerts on breaches.

Unified inventory layer

Sam360 ITAM, Microsoft Intune MDM and our lightweight Windows agent feeding the same normalised view. AppNameAliases regex resolver handles the messy real-world product names from each source.

Compliance evidence on tap

One-click PDF export of executive summary, top-20 risk register and rationalisation plan. Mapped to CE+ Annex A controls. Send to auditors and board members without rebuilding the deck.

How the platform fits together

Four pieces. One data model. Designed so each layer can be swapped without rebuilding the others.

1. Data ingestion

Three feeds keep the estate view live:

  • sam360 ITAM aggregate · nightly snapshot of every product installed across every device, with publisher and version. Captures the long tail of estate sprawl.
  • Microsoft Intune · for managed devices, a normalised inventory of the Intune-published catalogue plus device compliance state.
  • APaaS agent · optional lightweight Windows agent that adds usage telemetry (last-launched dates) and full-build version reporting. Where sam360 reports "Edge v1", the agent fills in "Edge v148.0.7727.101".

2. Normalisation

An AppNameAliases regex resolver maps each raw product name from each source to a canonical AppId. So "Microsoft Edge", "Microsoft Edge Update" and "Edge GameAssist" don't all get treated as the same product. Categorisation maps to a 42-class canonical taxonomy (browsers, runtimes, BIM tools, antivirus, etc.).

3. Vulnerability correlation

Every 4 hours the platform pulls the latest CVE records from NIST NVD and CISA's KEV catalogue, matches them against your estate's CPE strings, and computes exposures. A high-confidence filter excludes major-only version matches by default so the risk register only shows actionable rows.

4. Decision & remediation

The 5Rs engine ranks every catalogued product by usage and exposure. Your IT team sees per-app and per-version action plans. Manual overrides are recorded with reviewer, date and notes. Decisions flow back into the rationalisation reports.

Integrations

Pre-built connectors. Add a credential, accept the consent, see your estate populate within hours.

Microsoft Intune

OAuth app registration in your tenant. Pulls device inventory, compliance state and published-app catalogue.

sam360

Tenant credentials. Nightly device + installed-app snapshot. Brings your historical ITAM dataset along.

APaaS agent

MSI-deployed via your existing SCCM, Intune or GPO. HMAC-signed reporting on a configurable interval.

CSV upload

For asset registers and licence schedules. Validated against the same normalisation pipeline.

NIST NVD & CISA KEV

Authoritative vulnerability sources. Refreshed every 4 hours. No work for you.

Webhook / API

Programmatic access to the risk register, applications and exposures. JSON, HMAC-authenticated.

Try it on your estate.

Free 30-day pilot · UK-based onboarding · No procurement friction