Prometheus monitoring, Grafana dashboards, log aggregation, and vulnerability scanning ship with every Atmosphere deployment. Security and compliance are built in — not upsold.
Most cloud platforms treat security tooling like a rewards program. You start with bare metrics, maybe a basic health check. Then someone asks about vulnerability scanning, and suddenly you're looking at a premium tier. Compliance reporting? That's enterprise-only. Log aggregation with enough retention to actually matter? Please contact sales.
We think that model is broken.
If your platform can't tell you what's happening, what's exposed, and what's drifting out of compliance from day one, then it isn't production-ready — it's a demo with a billing system attached.
That's why Atmosphere ships with a full security and observability stack out of the box, on every deployment, from the very first tier. No upgrade prompts. No feature gates. No "talk to us about our security add-on" pages.
Observability Isn't a Feature. It's the Foundation.
Atmosphere is outfitted with a powerful monitoring and logging stack powered by proven cloud-native technologies, providing nearly 300 monitoring points and alarms out of the box for OpenStack clouds deployed using Atmosphere.
Here's what ships on every single Atmosphere deployment:
Prometheus handles metrics collection. The monitoring stack is powered by Prometheus, which scrapes multiple exporters, with AlertManager managing firing alarms from Prometheus — including native integration to send alerts to OpsGenie or PagerDuty and more.
Grafana provides dashboards. Prometheus and Loki are both exposed as data sources into an instance of Grafana, which includes many dashboards out of the box, secured by a Keycloak instance that enables single sign-on for every component of the cloud, from monitoring to dashboard and CLI.
Loki + Vector power log aggregation. The logging stack is powered by Loki, which provides the storage mechanism for all of the logs, with Vector being the log shipping tool which runs on every node and sends all system and container logs to the centralized instance of Loki.
AlertManager routes, deduplicates, and escalates. Prometheus Alertmanager handles routing and deduplication, and teams can integrate with tools like PagerDuty or Slack. Every alert is mapped to a clear operational consequence.
This isn't an optional monitoring module you toggle on after your first outage. Full day-2 operations for monitoring, logging, and alerting come out of the box using Prometheus, AlertManager, Grafana, and Loki. It deploys when your cloud deploys. Period.
Vulnerability Scanning That Doesn't Wait for an Incident
A monitoring stack that only tells you CPU utilization and disk IOPS is solving yesterday's problem. Modern private cloud environments face a different category of risk: unpatched images, drifting configurations, exposed services that nobody remembers deploying.
Vulnerability scanning in Atmosphere works at the infrastructure layer. It's not an agent you bolt on later. It operates within the same control plane that manages your workloads, so it catches problems where they originate — not after they've propagated across environments.
That starts at the container level. Every Docker image running inside Atmosphere is scanned for known vulnerabilities using Trivy, an open-source security scanner that checks for CVEs, misconfigurations, and exposed secrets before images ever reach production. This isn't a periodic audit someone triggers manually — it's embedded directly into the build and deployment pipeline, so vulnerable images get flagged and blocked automatically. If a base image ships with a critical CVE, your team knows before it lands on a node, not after it's been running for six weeks.
Beyond container images, Atmosphere embeds OpenStack security scans and config validations into CI/CD pipelines, automatically blocking deployments that violate security baselines — whether that means insecure ports, outdated packages, or non-compliant configurations.
Combined with Keycloak-backed identity management, built-in Prometheus, Grafana, and Loki logging capture metrics, logs, and events from all OpenStack components. Every API call, resource creation, and configuration change is tracked through Keystone identity mapping, so you know exactly who made changes and when.
That's not just monitoring. That's an audit trail.
Operational Assistants: Automation That Knows Your Stack
Alert fatigue is real. When your team receives 200 notifications and only three matter, the system isn't helping — it's contributing to the problem.
Atmosphere includes an integrated observability stack that covers real-time monitoring, log aggregation, tracing, and alerting. These tools give operators and SREs what they need to troubleshoot quickly, maintain reliability, and scale confidently.
Operational assistants in Atmosphere go beyond dumb alerting. They surface correlated events, highlight infrastructure patterns across compute, storage, and networking layers, and give your team the context to act instead of just react.
At the base tier, you get smart defaults: meaningful thresholds, pre-configured dashboards for Ceph storage, networking, and compute health, and alerting rules that are tuned to OpenStack realities — not generic templates.
Higher Tiers: From Observability to Intelligence
Everything described above ships on every Atmosphere deployment. But for organizations operating under stricter regulatory requirements or managing larger, multi-tenant environments, higher tiers unlock capabilities that compound on this foundation:
Intelligent alert correlation connects signals across layers. A disk latency spike in Ceph, a Nova scheduling delay, and a tenant complaint about VM performance become one correlated incident — not three separate tickets that get triaged by three separate people.
Automated remediation handles known failure modes without waking your team. If a node drifts out of its expected configuration or a service fails a health check, the system doesn't just tell you. It acts, following operator-defined playbooks.
Compliance reporting for SOC 2 and regulatory frameworks is where things get tangible for teams facing audits. Financial institutions need audit trails, not excuses. VEXXHOST's infrastructure is designed for compliance from the ground up — SOC 2, encryption at rest, role-based access, full logging.
SOC 2 and PCI-DSS controls are built into infrastructure from day one. The VEXXHOST team has helped financial services pass audits and knows what examiners look for.
This isn't a PDF template someone hands you before an audit. It's continuous compliance visibility backed by the same observability stack already running underneath your workloads — extended with policy engines, automated evidence collection, and report generation mapped to specific control frameworks.
For government deployments, infrastructure is designed for government compliance, with FedRAMP, ISO 27001, SOC 2, and regional security frameworks supported.
Why "Included" Matters More Than You Think
When security tooling is an add-on, three things happen:
- Teams delay adoption. They'll "get to it next quarter" because procurement needs approval and the budget isn't allocated yet.
- Coverage gaps compound. Months of unmonitored infrastructure create drift that takes even more effort to remediate than a clean install.
- Audit prep becomes a fire drill. Instead of pulling reports from continuous monitoring, teams scramble to retroactively prove compliance.
When security is built into the platform, these problems don't exist. Your first deployment is monitored. Your first VM is logged. Your first API call is tracked through identity mapping.
In fast-paced DevOps, speed is only valuable when paired with visibility and control. Atmosphere equips OpenStack private clouds with integrated auditing, monitoring, and rollback capabilities, ensuring every change is traceable, compliant, and reversible when necessary. These features allow teams to push updates rapidly while maintaining a strong security posture.
Security Posture Isn't a Tier. It's a Baseline.
Automation, observability, and security-by-default are priority investments in 2026. That's not a prediction — it's already the expectation from every serious buyer, regulator, and operator.
The question isn't whether your cloud platform has security features. It's whether those features are present on day one, operational without additional contracts, and integrated deeply enough to produce real compliance evidence — not just dashboards.
By including these capabilities from the start, Atmosphere gives operators the confidence to scale, troubleshoot quickly, and keep systems stable even when something goes wrong.
If your current stack makes you choose between security visibility and budget approval, the platform is the problem.
Talk to our team about deploying Atmosphere — with full observability, vulnerability scanning, and compliance reporting from the first node.
