EPAS Reviews at Gartner
"Implementation was very easy and fast, the support in case of troubleshooting is excellent" (Head of Information Security in the Finance Industry)
"Implementation is easy and the ROI realized is almost instantaneous" (Dir Security Architecture & Engineering in the Finance Industry)
"Great solution for password analysis and quality enforcement" (CISO in the Chemical Industry)
“Very powerful / well thought-out tool for password remediation with a top-notch support team” (SOC Analyst in the Finance Industry)
“Easy installation / maximum benefit for password-quality” (CISO in the Finance Industry)
“Constructive flexible vendor with stable solutions” (IT Buyer in the Miscellaneous Industry)
EPAS Key Features

EPAS Audit

EPAS is a patented (USPTO 9,292,681 B2, EP2767922) solution developed by Detack GmbH and its Swiss partner Praetors AG. It is an on-premises SaaS solution for enterprise-wide, automatic and regular password quality assessment and enforcement across a wide range of systems. EPAS addresses the overwhelming issue of maintaining secure passwords in large, heterogeneous environments containing Microsoft A/D, Linux/UNIX, IBM System z, SAP and more.
EPAS uses a self-developed, patented technology to extract all relevant password data from a target system and combines this information with bundled intelligence data and analytics algorithms to assess the resilience of passwords against attacks. EPAS employs only legitimate ciphertext extraction methods and therefore does not cause any availability risk for the target system.
EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP, Linux/UNIX and Oracle to Microsoft, are supported. Legally compliant reporting offers all security-relevant password data whilst respecting the protection of personal data and satisfying workers' councils' requirements. EPAS is an on-premises SaaS solution delivered through appliances integrated into the client's data center.

EPAS Enforcer

The EPAS Enforcer licensed feature systematically prevents the use of weak, reused or shared passwords whenever a password is changed. EPAS Enforcer for A/D integrates as an LSA filter on the Windows Active Directory domain controllers and ensures that passwords meet the defined security requirements when set or changed, in line with a centralized policy mandated by the risk category of the information they protect. The new password is tested against the EPAS evaluation criteria and accepted or rejected depending on the defined security requirements. This means that formerly permitted passwords like “Password123” or “Secret!” are no longer accepted.
If the password change attempt is unsuccessful, an optional feature of the EPAS Enforcer displays the failure reasons (e.g. “Password must not be included in a dictionary.”) to the end user. The security requirements for a password follow from the security classification of the data to be protected, based on customer-specific measures.

Detailed and Legally Compliant Reporting

EPAS generates audit reports for each audit job. An executive summary provides full text and graphical data to visualize and explain the passwords’ overall quality. Included are recovery reasons, structure, compliance status and various other statistical data. Passwords are never displayed in clear text.

Built on 15 Years of IT Security Experience

EPAS was developed on the basis of more than 15 years of IT security auditing. Extensive experience from manual penetration tests consistently shows that, without resilient passwords, all other security measures are bound to fail. EPAS is unique and the only solution to offer a legally compliant view of your enterprise password landscape.

Selected EPAS reference customers


Designed for Enterprises

EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP and Oracle to Microsoft, are supported. Legally compliant reporting offers all security-relevant password data whilst respecting the protection of personal data and satisfying workers' councils' requirements.

Customizable Password Assessment

EPAS audits the recovered passwords against two criteria: a customized password policy and an objective, entropy-based set of rules. EPAS can simulate various attack methods used by cybercriminals, such as dictionary or brute-force attacks. Dictionaries are customizable with regard to language and customer-specific vocabulary or terms.
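The Enforcer section above describes a password being tested at change time and rejected with a reason such as “Password must not be included in a dictionary.”, and this section describes the two criteria an audit applies: a customized policy and an entropy-based rule set, with customizable dictionaries. The following Python is an added illustration of how such an evaluation can be structured; it is not EPAS code and its thresholds, word list and leet-substitution table are constructed assumptions. It returns every reason a candidate fails, so the same function serves both a change-time filter and a batch audit.

```python
import math
import string

# Constructed sample dictionary; a deployment would load full language and
# customer-specific word lists (assumption for illustration).
DICTIONARY = {"password", "secret", "welcome", "company"}

# Constructed policy thresholds; these values are assumptions, not vendor defaults.
POLICY = {"min_length": 10, "min_classes": 3, "min_entropy_bits": 50}

# Undo common letter-for-symbol substitutions before the dictionary lookup,
# so that "P4ssw0rd" normalises to "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Lowercase, strip leading/trailing digits and symbols, then undo leet
    substitutions, so "Password123" and "Secret!" reduce to their root word."""
    return password.lower().strip(string.digits + string.punctuation).translate(LEET)


def entropy_bits(password: str) -> float:
    """Pool-based entropy estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate_password(password: str, policy: dict = POLICY,
                      dictionary: set = DICTIONARY) -> list:
    """Return the list of failure reasons; an empty list means the password is accepted."""
    reasons = []
    if len(password) < policy["min_length"]:
        reasons.append(f"Password must be at least {policy['min_length']} characters long.")
    classes = sum(
        any(f(c) for c in password)
        for f in (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    )
    if classes < policy["min_classes"]:
        reasons.append(f"Password must use at least {policy['min_classes']} character classes.")
    if entropy_bits(password) < policy["min_entropy_bits"]:
        reasons.append(f"Password must have at least {policy['min_entropy_bits']} bits of estimated entropy.")
    root = base_word(password)
    # Reject both exact dictionary words and passwords built around one.
    if root in dictionary or any(word in root for word in dictionary):
        reasons.append("Password must not be included in a dictionary.")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password123", "Secret!", "correct-horse-battery-9"):
        verdict = evaluate_password(candidate)
        print(candidate, "->", "accepted" if not verdict else verdict)
```

Note that “Password123” passes the length, class and entropy checks (about 65 bits by the pool estimate) and is rejected only by the dictionary rule, which is why a policy that relies on composition rules alone still admits passwords an attacker will try first.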

Password Re-Use Report

Recovered passwords are checked for multiple use. A password can either be used several times by the same user on different systems, or one password can be used by several users. Both situations pose a high security risk and call for immediate risk mitigation measures.
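As an added example (not EPAS code), the following Python shows how the two reuse cases described here can be derived from audit records without the report ever carrying the recovered passwords in clear text: each password is replaced by a keyed HMAC fingerprint under a per-audit key, and accounts are then grouped by fingerprint. The records, systems, account names and key are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed audit key; in practice a fresh random key per audit job so that
# fingerprints cannot be correlated across reports or reversed offline.
AUDIT_KEY = b"constructed-per-audit-key-not-for-real-use"

# Constructed sample of (system, account, recovered password) records.
RECORDS = [
    ("ad.corp.example", "alice", "Winter2020!"),
    ("linux-db01", "alice", "Winter2020!"),       # same user, same password, two systems
    ("sap-prd", "alice", "q8R!vx#2Lp0m"),
    ("ad.corp.example", "bob", "Welcome1"),
    ("ad.corp.example", "carol", "Welcome1"),      # shared between different users
    ("linux-db01", "svc_backup", "Welcome1"),      # ...including a technical account
    ("ad.corp.example", "dave", "Tz7$kq9!Wn2e"),
]


def fingerprint(password: str) -> str:
    """Keyed fingerprint of a recovered password: equal passwords give equal
    fingerprints, but the report never carries the clear text itself."""
    return hmac.new(AUDIT_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def reuse_report(records) -> list:
    """Group accounts by password fingerprint and emit two kinds of findings:
    cross_system_reuse (one user, one password, several systems) and
    shared_password (one password, several users)."""
    by_fp = defaultdict(list)
    for system, account, password in records:
        by_fp[fingerprint(password)].append((system, account))

    findings = []
    for fp, uses in sorted(by_fp.items()):
        accounts = sorted(set(uses))
        users = sorted({account for _, account in accounts})
        for user in users:
            systems = sorted({system for system, account in accounts if account == user})
            if len(systems) > 1:
                findings.append({"type": "cross_system_reuse", "fingerprint": fp,
                                 "user": user, "systems": systems})
        if len(users) > 1:
            findings.append({"type": "shared_password", "fingerprint": fp,
                             "accounts": accounts})
    return findings


if __name__ == "__main__":
    for finding in reuse_report(RECORDS):
        print(finding)
```

Grouping by a keyed fingerprint rather than by stored hash is what makes cross-system comparison possible at all: the same password hashes differently on Active Directory, a Linux shadow file and a database, so only the recovered value (or a keyed digest of it) can be compared across targets.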

Technical and System Accounts

In addition to “heartbeat” users, all technical and system accounts are assessed and evaluated by EPAS. These accounts often authenticate using very simple passwords, default vendor passwords, or no password at all. Yet they usually have the highest privileges and are sometimes even exempt from the password policy. The authentication of technical and system accounts to other systems is one of the largest IT security risks.

Notification by E-Mail

Automatic notification prompts users to change their passwords if these are too weak or otherwise do not comply with the defined audit parameters. The same feature automatically notifies the service administrator when a password audit job has completed and a report is available.

Audit Jobs & Job Queuing

An intelligent job and queuing system permits programmable, regular password auditing with no job collisions. EPAS is highly scalable. It can process simultaneous parallel tasks and can audit millions of accounts on different systems over a single weekend.

Trusted Computing and Encryption

All data EPAS processes is permanently encrypted. Trusted Computing is used to seal the platform, an additional TPM chip secures software and data integrity by employing cryptographic methods. EPAS applies various hardware and software monitoring elements to detect physical or software intrusion attempts. Security failsafe mechanisms log events and shut down in case of intrusion attempts.

EPAS Supported Systems

EPAS can audit several types of systems, ranging from Microsoft products to IBM products (iSeries, zSeries, Domino) and other systems such as UNIX-based systems, LDAP directories and the main database backends. The following system types are supported for account profile and password hash extraction:

Supported standard target systems

  • Microsoft Active Directory Accounts

  • Microsoft Windows Local Accounts

  • IBM System z – zSeries – S/390 RACF (z/OS, z/VM)

  • IBM System i – iSeries – AS/400

  • IBM System p – pSeries – RS/6000

  • AIX

  • IBM Lotus Domino Application Server

  • BSD Operating System

  • Linux Operating System

  • Sun Solaris – SunOS

  • Apache Basic – htpasswd

  • SAP NetWeaver – ABAP AS

  • LDAP Authentication Server


Supported application-specific data storage

  • MSSQL System Accounts

  • MySQL System Accounts

  • Oracle System Accounts

  • PostgreSQL System Accounts

  • Sybase ASE System Accounts

  • DB2 Database Custom Application

  • Informix Database Custom Application

  • MaxDB Database Custom Application

  • MSSQL Custom Database Application

  • MySQL Database Custom Application

  • Oracle Database Custom Application

  • PostgreSQL Custom Database Application

  • Sybase ASA Database Custom Application

  • Sybase ASE Database Custom Application


Besides standard target systems, EPAS also supports application-specific password encryption with data stored in several database types. EPAS employs only legitimate, vendor-approved methods for retrieving the password data from audited systems. With such methods there is no risk of crashing the target, and no potentially malicious activity is falsely detected or reported by antivirus or malware detection tools.

EPAS Enforcer Systems

  • Microsoft Active Directory

  • Linux Accounts / PAM

  • Microsoft Windows Accounts

  • Microsoft Azure AD / Hybrid

  • Microsoft SQL Server

  • Micro Focus NetIQ SSPR

  • Web-Based Password Management


How to achieve NIST compliance with EPAS

The National Institute of Standards and Technology (NIST) is one of the authorities that set best practices for securing the identities and authentication of users. The updated version of NIST Special Publication 800-63, “Digital Identity Guidelines”, was released in 2019. Many companies and organizations use the NIST guidelines to establish their security practices, while US federal agencies are required to comply with NIST 800-63. The guidance below follows the Digital Identity Guidelines defined in NIST Special Publication 800-63B, and the requirements notation and conventions are those of that document. Whenever EPAS provides a feature that helps implement a given NIST recommendation, the feature is mentioned together with the recommendation it covers and a short explanation. A table summarizing the NIST recommendations covered is provided at the end. This document is intended as guidance for companies and organizations aiming to achieve compliance with the NIST recommendations with the help of EPAS.


ISO/IEC 27001 Compliance Assisted by EPAS

ISO 27001 (officially ISO/IEC 27001:2013) is an international information security standard. Organizations use it to implement, maintain and improve an information security management system (ISMS). Policies and procedures, including the legal, technical and physical controls involved in a company's IT risk management processes, are part of the ISMS. Implementing ISO 27001 supports organizations in blocking security risks, protecting sensitive data and defining the scope and bounds of their security programs. EPAS strongly assists organizations in managing specific requirements. Below, EPAS features are mapped to the related ISO/IEC 27001:2013 control objectives and controls taken from Annex A.


PCI DSS Compliance Assisted by EPAS

The Payment Card Industry (PCI) introduced the first Data Security Standard (DSS) in 2004, and the requirements have been revised and updated several times since. The PCI DSS contains twelve requirements for compliance, clustered into six logically connected control objectives. PCI DSS provides the minimum requirements for protection against the kinds of breaches that have occurred in the past, and therefore carries significant weight in the payment card ecosystem. EPAS assists organizations in preventing breaches by addressing several PCI DSS requirements, in particular one of the essential security rules of the standard concerning vendor default passwords and weak or shared passwords. Below, EPAS features are mapped to the related PCI DSS requirements.


How to achieve IAR compliance with EPAS in the UAE

A strategic priority for the United Arab Emirates is managing cyber threats and assuring the implementation of a secure national communications and information infrastructure. To this end, the Telecommunications Regulatory Authority (TRA) issued the UAE Information Assurance Regulation v1.1 (IAR, March 2020) as a crucial component of the National Information Assurance Framework (NIAF), specifying prerequisites for raising the level of information assurance across all implementing organizations in the UAE. The UAE IA Standard defines technical and management information security controls for providing, developing, managing and regularly updating information assurance. The TRA IA Regulation provides in-depth requirements for protection against cyberattacks, as well as guidance on how to secure and maintain an IT infrastructure. The TRA IAR draws security-relevant controls from existing standards (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27010, ISO/IEC 27032, NIST 800-53 R4, ADSICv1, ADSICv2, etc.) while adding sub-controls and in-depth information about example implementations. EPAS assists organizations in preventing breaches by addressing several TRA IAR recommendations, as detailed in the following pages. Below, the integrated relationships and interactions among the individual sector entities implementing the TRA IAR are presented.



COVID-19 Computer Power Donation

Detack helps Folding@home by donating computer power to run simulations.

COVID-19 ECSO Solidarity Campaign

Detack participates in the ECSO Cyber Solidarity Campaign.

COVID-19 TeleTrust initiative

Detack participates in the TeleTrusT COVID-19 response action.

Workshop “Cybersecurity – You Cannot Live Without It”, February 2020, Singapore

You can meet Detack and its regional partners at the "Cybersecurity – You Cannot Live Without It" workshop, presented by SGInnovate & Tegasus International, on February 3rd, 2020 in Singapore.

2020 CTI-EU | Bonding EU Cyber Threat Intelligence Conference, January 2020, Brussels, Belgium

For the second time Detack is present at the CTI-EU Conference in Brussels. ENISA organizes this event to support the exchange of ideas and experiences between CTI experts across Europe.

RSA Conference 2019, San Francisco

In 2019, Detack is participating again at the RSA Conference in San Francisco, USA (March 4th – 8th, 2019). You can find us at the TeleTrusT German Pavilion (Booth No. 5671-4). The RSAC is the world's leading IT security event with international participation. Find out more about RSAC: https://www.rsaconference.com/events/us19

“Bitkom Security Insights” Webinar, February 2019

John Waters, director of sales at Detack, was invited to give a presentation on the paradigm shift in password security for the webinar series "Bitkom Security Insights". A recording of the webinar is available.

Europe’s Cyber Future, Brussels, January 2019

Detack took part in the High-Level Roundtable on Europe's Cyber Future organised by the European Cyber Security Organisation (ECSO). The aim of the roundtable was to bring together key decision-makers from the European Union (EU) institutions, Member States and the private sector and to engage them in a dialogue on how the European cyber security environment can be further developed.

The 2020 Cyber Riskers Talk Show, January 2019, Sydney, Australia

Detack is present at the "2020 Cyber Riskers Talk Show" event in Sydney. This is one of the regular meetings of Australian experts in the fields of cyber security and risk management in the Sydney area.

ECSO – WG5: Education, awareness, training, cyber ranges, November 2019, Brussels

The representative of Detack has been elected as one of the chairs of SWG 5.3: Awareness. The SWG promotes topics such as awareness-raising and basic cyber hygiene skills in the European Union.

PITS 2018: September 10th – 11th, 2018, Berlin

At this year’s PITS (Public-IT-Security) event, Detack will participate as an exhibitor as well as with a presentation in the expert round "Secure Access Rights". Visit us on site!


Detack GmbH will give a presentation on the topic of password security at the IHK (Chamber of Industry and Commerce) event "IT Security in SMEs #6" between 7:30 pm and 8:30 pm on May 9th, 2018 in Stuttgart.

RSA Conference 2018, San Francisco

As in the past two years, Detack will again be participating as part of the TeleTrusT German Pavilion at the RSA Conference in San Francisco (April 16th – 20th, 2018). The RSAC is the world's leading IT security event with international participation.


TeleTrusT and Detack GmbH (TeleTrusT Regional Office Stuttgart) are organizing an information and discussion meeting on the topic "state of the art according to the EU General Data Protection Regulation" in the “Residenzschloss” (residential palace) in Ludwigsburg on March 21st. The press release can be downloaded below.


it-sa 2017 (10–12 October 2017) is the only IT security exhibition in the German-speaking region. Detack will be exhibiting at booth 9-210 at the joint stand of BITKOM. Do not hesitate to contact us to arrange an appointment, or just come by!

The Future of Finance Summit: 8th – 9th June 2017, Singapore

For the first time Detack will be present, together with its Malaysian partner SecureMetric, at the Future of Finance Summit from 8th – 9th June 2017 in Singapore: an exciting, all-inclusive annual gathering that brings together a wide range of players – banks, fintech companies, insurance companies, asset managers, investors and customers – who are shaping the future of finance. The Future of Finance will be a dialogue between the institutions and the customer, so that they can experience and communicate their expectations of the industry.

RHT / EPAS Breakfast Session: 7th June, 2017, Singapore

Detack, in cooperation with its partner RHT, is organizing a breakfast session and presentation on June 7th, 2017 in Singapore on how modern technology can be employed to avoid becoming the victim of an IT security attack. We will discuss password-related IT security risks and meeting regulatory requirements without switching from passwords to alternative technologies, and we will show you how EPAS, the solution proposed by RHT and Detack, has helped enterprises in over 30 countries.


On January 23rd, 2017, the event MEET SWISS INFOSEC! will again take place in Zurich, Switzerland. It is the leading IT security event in Switzerland, attracting both national and international IT security experts and interested parties. Detack will again be speaking on the topic of authentication with the presentation “Authentication 4.0 – Who am I?”
