EPAS Reviews at Gartner
"Detack EPAS - Exceptional product and service for delivering compliance for passwords" (Program and Portfolio Manager / Finance Industry)
"Implementation was very easy and fast, the support in case of troubleshooting is excellent" (Head of Information Security in the Finance Industry)
"Implementation is easy and the ROI realized is almost instantaneous" (Dir Security Architecture & Engineering in the Finance Industry)
"Great solution for password analysis and quality enforcement" (CISO in the Chemical Industry)
”Very powerful / well throughout tool for password remediation with a top notch support team” (SOC Analyst in the Finance Industry)
“Easy installation / maximum benefit for password-quality” (CISO in the Finance Industry)
“Constructive flexible vendor with stable solutions” (IT Buyer in the Miscellaneous Industry)
EPAS Key Features

EPAS Audit

EPAS is a patented (USPTO 9,292,681 B2, EP2767922) solution developed by Detack GmbH and its Swiss partner Praetors AG. It is an on-premises SaaS solution for enterprise wide, automatic and regular password quality assessment and enforcement for a wide range of systems. EPAS addresses the overwhelming issue of maintaining secure passwords in large, heterogeneous environments containing Microsoft A/D, Linux/UNIX, IBM System z, SAP and more.

EPAS uses a self-developed, patented technology in order to extract all relevant password data from a target system and to use this information as well as bundled intelligence data and analytics algorithms to assess the resilience of passwords against attacks.

The password quality assessment determines the resilience of existing passwords against attacks: if they are sufficiently complex to resist brute force and dictionary attacks, if they are shared by multiple accounts, or if they are present in leaked credentials databases – with databases kept up to date, ensuring that the on-premises data contains all the credentials leaked over the past 20+ years. This covers all the password-related compliance requirements of major standards, such as NIST recommendations.

EPAS employs only legitimate cipher text extraction methods and therefore does not cause any system availability risk for the target, i.e., there is no "hacking" involved.

EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP, Linux/UNIX, Oracle to Microsoft, are supported. Legally compliant reporting offers all security relevant password data whilst respecting the protection of personal data and satisfying strictest privacy requirements and legislation. EPAS is an on-premises SaaS solution and delivered through appliances which are integrated into the client´s data center.

EPAS Enforcer

The EPAS Enforcer prevents the use of weak, reused, or shared passwords whenever the password is changed. It also prevents the users from setting passwords which have already been leaked, by checking them against all the credentials leaked over the past 20+ years. EPAS Enforcer integrates with Windows Active Directory domain controllers, Windows severs, Linux systems, etc., and ensures that passwords meet defined security requirements when set or changed, in line with a centralized policy mandated by the risk category of the information they protect. The new password is tested against the EPAS evaluation criteria and is accepted or rejected, depending on the defined security requirements.

If the password change attempt is unsuccessful, on supported systems, EPAS Enforcer displays the failure reasons (e.g., “Password must not be present in leaked credentials databases.”) to the end user. The security requirements for a password result from the security classification of the data to be protected, based on customer specific measurements.

Detailed and Legally Compliant Reporting

EPAS generates audit reports for each audit job. An executive summary provides full text and graphical data to visualize and explain the passwords’ overall quality. Included are recovery reasons, structure, compliance status and various other statistical data. Passwords are never displayed in clear text.

Built on 20+ years IT-Security Experience

EPAS was developed based on more than 20 years of IT-security auditing. The extensive experience of manual penetration tests sustainably shows that, without resilient passwords, all security measures are bound to fail. EPAS is unique and the only solution to offer a legally compliant view of your enterprise password landscape.

Selected EPAS reference customers


Designed for Enterprises

EPAS has been designed to meet the needs of modern enterprises. More than 30 different systems and databases, ranging from IBM, SAP, Oracle to Microsoft, are supported. Legally compliant reporting offers all security relevant password data whilst respecting the protection of personal data and satisfying strictest privacy requirements and legislation.

Customizable Password Assessment

EPAS audits the recovered passwords against two criteria: a customized password policy and an objective, entropy-based set of rule. EPAS simulates various attack methods used by cyber criminals, such as dictionary probing, brute force attacks, password spraying based on leaked credentials, or combinations of such methods. Latest generation of hardware-based acceleration is used for all cryptographic operations. Dictionaries are customizable regarding language and customer specific vocabulary or terms.

Password Re-Use Report

Recovered passwords are checked for multiple use. A password can either be used several times by the same user on different systems or one password can be used by several users. Both situations pose a high security risk and are subject to immediate risk mitigation measurements.

Leaked Passwords Detection & Prevention

Up to date databases containing all the credentials leaked over the past 20+ years are stored within the EPAS appliance and used to detect if any of the existing passwords have already been exposed. This data is used by both EPAS Audit – to detect – and by EPAS Enforcer – to prevent their use. This feature effectively blocks attacks using leaked credentials attacks and satisfies compliance requirements.

Integration & Automation

EPAS integrates out of the box with several enterprise security applications, such as CyberArk solutions. Without any customization, EPAS already provides extensive automation in job management and notifications. Additionally, a standardized (REST) API allows flexible integration with any enterprise system with minimal effort.

Highly Scalable

An intelligent job and queuing system permits programmable, regular password auditing with no job collisions. EPAS is highly scalable. A central installation with satellite units can process simultaneous parallel tasks and can audit millions of accounts on different systems, from multiple datacentres, over a single weekend, with no human intervention.

Trusted Computing and Encryption

All data EPAS processes is permanently encrypted. Trusted Computing, backed by a hardware TPM, is used to seal the platform and to ensure data integrity. EPAS employs both hardware and software monitoring elements to detect physical or software intrusion attempts. Security failsafe mechanisms log events and shut down in case of intrusion attempts.

Supported Audit Targets

EPAS can audit several types of systems, ranging from Microsoft products to IBM products (iSeries, zSeries, Domino) and other systems such as UNIX based systems, LDAP directories and the main database backends. The following system types are supported for account profile and password hash extraction:

Supported standard
target systems

  • Microsoft Active Directory Accounts

  • Microsoft Windows Local Accounts

  • IBM System z – zSeries – S/390 RACF (z/OS, z/VM)

  • IBM System i – iSeries – AS/400

  • IBM System p – pSeries – RS/6000

  • AIX IBM Lotus Domino Application Server

  • BSD Operating System

  • Linux Operating System

  • Sun Solaris – SunOS

  • Apache Basic – htpasswd

  • SAP NetWeaver – ABAP AS

  • LDAP Authentication Server

  • Apple macOS – Mac OS X

  • Cisco ISE – ASA – IOS – NX-OS

See all

Supported application
specific data storage

  • MongoDB System Accounts

  • MSSQL System Accounts

  • MySQL System Accounts

  • Oracle System Accounts

  • PostgreSQL System Accounts

  • Sybase ASE System Accounts

  • DB2 Database Custom Application

  • Informix Database Custom Application

  • MaxDB Database Custom Application

  • MSSQL Custom Database Application

  • MySQL Database Custom Application

  • Oracle Database Custom Application

  • PostgreSQL Custom Database Application

  • Sybase ASA Database Custom Application

  • Sybase ASE Database Custom Application

See all

Besides standard target systems, EPAS also supports application specific password encryption with data stored in several database types. EPAS employs only legitimate, vendor approved methods for retrieving the password data from audited systems. By using such methods, there is no risk to crash the target and there are no potentially malicious activities falsely detected or reported by antivirus or malware detection tools.

Supported Enforcer Targets

  • Microsoft Active Directory

  • Linux Accounts / PAM

  • Microsoft Windows Accounts

  • Microsoft Azure AD / Hybrid

  • Microsoft SQL Server

  • Micro Focus NetIQ SSPR

  • Web-Based Password Management

See all

How to achieve NIST compliance with EPAS

The National Institute of Standards and Technology (NIST) is one of the authorities which sets the best practices on how to secure identities and authentication of users. The updated version of NIST Special Publication 800-63 “Digital Identity Guidelines” was released in 2019. Various companies and organizations use NIST guidelines to establish their security practices, while US federal agencies are required to comply with NIST 800-63. These guidelines follow the Digital Identity Guidelines defined in the NIST Special Publication 800-63B. The following requirements notation and conventions are part of the aforementioned document. Whenever EPAS provides a feature that helps implement the given NIST recommendation, the feature is mentioned, together with the recommendation it covers, as well as a short explanation. A table summarizing the NIST recommendations covered is provided at the end. This document is intended as guidance for companies and organizations aiming to achieve compliance with NIST recommendations with the help of EPAS.


ISO/IEC 27001 Compliance Assisted by EPAS

ISO 27001 (officially known as ISO/IEC 27001:2013) is an international information security standard. This standard is used in an organization to implement, maintain, and to improve an information security management system (ISMS). Policies and procedures, including the legal, technical and physical controls involved in a company’s IT risk management processes, are part of the ISMS. IS27001 Implementing ISO 27001 supports organizations in blocking security risks, protecting sensitive data, and identifying the scope and bounds of their security programs. EPAS strongly assists organizations into managing specific requirements. Following, EPAS is mapped according to related ISO/IEC 27001:2013 control objectives and controls retrieved from Annex A.


PCI DSS Compliance Assisted by EPAS

The Payment Card Industry (PCI) initiated the first Data Security Standard (DSS) in 2004. Various revisions and updates have been done to the requirements since then. The PCI DSS contains twelve requirements for compliance, clustered by six logically connected controlled objectives. PCI DSS provides the bare minimum requirements for protection against breaches which have occurred in the past. Therefore, it has a significant importance on the payment card ecosystem. EPAS assists organizations preventing breaches based on several PCI DSS requirements, and especially one of the essential security rules of the standard concerning vendor default passwords and weak or shared passwords. Following, EPAS features are mapped according to related PCI DSS requirements.


How to achieve IAR compliance with EPAS IN UAE

A strategic priority for the United Arab Emirates is managing cyber threats and assuring the implementation of a secure national communications and information infrastructure. Therefore, Telecommunications Regulatory Authority (TRA) implemented the UAE Information Assurance Regulation v1.1 (IAR, March 2020) as a crucial component of the National Information Assurance Framework (NIAF) to specify prerequisites for enhancing the level of IA over all implementing organizations in the UAE. The UAE IA Standards grants technical and management data security controls to provide, develop, manage, and regularly update information assurance. TRA IA Regulation provides in-depth requirements for protection against cyber attacks, as well as indications of how to secure and maintain an IT infrastructure. The TRA IAR draws security relevant controls from existing standards (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27005, ISO/IEC 27010, ISO/IEC 27032, NIST 800-53 R4, ADSICv1, ADSICv2, etc.) while enhancing subcontrols and providing in-depth information about example implementations. EPAS assists organizations preventing breaches based on several TRA IAR recommendations, as detailed in the following pages. Following, the integrated relationships and interactions among individual sector entities implementing the TRA IAR are presented.



Meeting with Queensland’s Minister for Trade and Investment, September 2023, Frankfurt

Detack participates in a strategic meeting with Queensland’s Treasurer, Hon. Cameron Dick, Minister for Trade and Investment and his team in Frankfurt in order to discuss establishing a subsidiary company and regional hub in Queensland. Find out more

Gold Sponsor, Team Oceania, 2nd place, IC3 Games, August 2023, San Diego, USA

Detack is honoured to be the gold sponsor of Team Oceania, who impressively achieved 2nd place at the IC3 Games in San Diego. Find out more

Sponsoring Troy Hunt / HIBP, August 2023

Detack supports the renowned cybersecurity expert, Troy Hunt. Known for creating "Have I Been Pwned", Hunt aligns with Detack’s mission to provide top-tier IT security. Find out more

Detack collaborates with UQ Cyber, July 2023, Ludwigsburg, and Brisbane

Detack is delighted to announce a new collaboration with the University of Queensland Cyber. This partnership aims to advance knowledge and promote innovation in the field of cybersecurity. Find out more

Detack is partner of PasswordsCon 2023, Bergen, Norway

Detack sponsors as an industry partner PasswordsCon 2023 in Bergen, Norway. Passwords and other authentication solutions will be the primary focus of this conference, which will bring together experts in password security from all over the world. Find out more

Detack visits UQ Cyber, 17-20 January 2023, Brisbane, Australia

Detack meets Prof. Ryan Ko, Chair and Director of UQ Cyber, visits the UQ Cyber Security Hub and sponsors the participation of the Team Oceania at the International Cybersecurity Championship 2023 in San Diego. Find out more

Detack and Troy Hunt @haveibeenpwned, October 2022

Detack sponsors the activities of Troy Hunt, the creator of @haveibeenpwned. Find out more

Mainframe passwords with Detack & IBM, May 2022

Discover how security is compromised today through exploiting password authentication weaknesses, with and without Multi-factor Authentication. We will explore how Detack’s clients prevent security incidents and achieve compliance for user authentication on mainframes with EPAS. Find out more

ENISA Cybersecurity Certification Conference 2021, December 2021

Detack participates at the 2021 edition of the European Cybersecurity Certification Conference. The conference focus on the future EU cybersecurity certification schemes. Find out more

EIC Summit 2021, November 2021

Detack participates at the European Innovation Council Summit 2021. The EIC was launched in March 2021 and the summit offers a cooperation platform between European start-ups, SMEs, innovators and investors. Find out more

TeleTrusT “WG State-of-the-art”, Berlin, November 2021

Experts from Detack participate actively in the TeleTrusT working group "State-of-the-art" and support the ongoing development and adaptation of the TeleTrusT Manual for "State-of-the-art", which was first published in 2016. Find out more

German-Australian Growth Summit 2021, October 2021

Detack participates at the first part of the German-Australian Growth Summit. The summit aims to put together the key business leaders from Australia and Germany in order to rise the business and technological cooperation between the two countries. Find out more

GovWare Conference Singapore, October 2021

Detack participates virtually at the GovWare Conference Singapore 2021. The conference takes place during the Singapore Cyber Week 2021 and presents latest trends in global cybersecurity with the focus on technology, organizational implementation and user perspectives. Find out more

European High-Level Conference on AI: “From ambition to Action”, September 2021

Detack participates at the High-Level Conference on AI. The event presents the harmonised rules on Artificial Intelligence (AI) and the updated Coordinated Plan on AI, published by the European Commission in April 2021 in order to establish a better AI cooperation in the EU. Find out more

Innovation Tour “Smart City Singapore”, June 2021, Singapore

Detack participates in a 5-day virtual innovation tour to Singapore. The aim of the project is to support an exchange about innovative solutions and technologies in the field of smart cities and the development of modern business models in the same context. Find out more

GISEC 2021, May 2021, Dubai, UAE

Detack participates at "Gulf Information Security Expo und Conference" (GISEC) 2021 in Dubai. GISEC is the largest and most impactful cybersecurity exhibition in the UAE. Find out more

Swiss Cyber Security Days, April 2021

Praetors AG represents Detack at the virtual Swiss Cyber Security Days (SCDS) 2021. The SCSD presents innovative cybersecurity solutions to protect critical infrastructure and puts together the Swiss cybersecurity stakeholders in order to achieve effective cooperation. Find out more

Mainframe Passwords Revisited, GSE UK, London, February 2021

Costin Enache, managing director at Detack, leads the panel discussion entitled "Mainframe passwords revisited: impact of the new security mechanisms" at the GSE UK Security Working Group conference. Find out more

Cybersecurity Standardization Conference 2021, Brussels, February 2021

Detack participates at the virtual Cybersecurity Standardization Conference. The conference aims to foster the exchange among various European cybersecurity stakeholders in order to more accelerate the implementation of the European Cybersecurity Act. Find out more

Virtual delegation “Mining”, Australia, October 2020

Detack takes part in a virtual business delegation and industry conference with the focus on mining industry in Australia, the delegation is supported by the German Federal Ministry for Economic Affairs and Energy. The slide deck is available. Find out more

COVID-19 ECSO Solidarity Campaign

Detack participates in the ECSO Cyber Solidarity Campaign Find out more

Workshop “Cybersecurity – You Cannot Live Without It”, February 2020, Singapore

You can meet Detack and its regional partners at the "Cybersecurity – You Cannot Live Without It" workshop , presented by SGInnovate & Tegasus International, on February 3rd, 2020 in Singapore. Find out more

2020 CTI-EU | Bonding EU Cyber Threat Intelligence Conference, January 2020, Brussels, Belgium

For the second time Detack is present at the CTI-EU Conference in Brussels. ENISA organizes this event with the aim to support exchanging ideas and experiences between the CTI experts across Europe. Find out more

RSA Conference 2019, San Francisco

In 2019, Detack is participating again at the RSA Conference in San Francisco, USA (March 4th – 8th, 2019). You can find us at the TeleTrusT German Pavillon (Booth No. 5671-4). The RSAC is the world’s leading IT Security event with international participation. Find out more about RSAC: https://www.rsaconference.com/events/us19 and about the German Pavilion: Find out more

“Bitkom Security Insights” Webinar, February 2019

John Waters, director of sales at Detack, was invited to hold a presentation on the paradigm shift in password security for the webinar series "Bitkom Security Insights". The recording of the webinar can be found at the following link: Find out more

Europe’s Cyber Future, Brussels, January 2019

Detack took part at the High-Level Roundtable on Europe’s Cyber Future organised by European Cyber Security Organisation (ECSO). The aim of the roundtable was to bring together key decision-makers from the European Union (EU) institutions, Member States and the private sector and help them to engage in a dialogue on how the European cyber security environment can be further settled. Find out more

The 2020 Cyber Riskers Talk Show, January 2019, Sydney Australia

Detack is present at the "2020 Cyber Riskers Talk Show" event in Sydney. This is one of the regular meetings of Australian experts in the fields of cyber security and risk management in the Sydney area. Find out more

ECSO – WG5: Education, awareness, training, cyber ranges, November 2019, Brussels

The representative of Detack is elected as one of the chairs of SWG 5.3: Awareness. The SWG promotes topics like awareness-raising and basic hygiene skills in the European Union. Find out more

PITS 2018: SEPTEMBER 10TH – 11TH, 2018, BERLIN

At this year’s PITS (Public-IT-Security) event, Detack will participate as an exhibitor as well as with a presentation in the expert round "Secure Access Rights". Visit us on site!


Detack GmbH will give a presentation on the topic of password security at the IHK (Chamber of Industry and Commerce) event "IT Security in SMEs #6" between 07.30 pm and 08.30 pm on May, 09th, 2018 in Stuttgart.

RSA Conference 2018, San Francisco

Like in the past two years Detack will again be participating as part of the TeleTrusT German Pavillon at the RSA Conference in San Francisco (April 16th – 20th, 2018). The RSAC is the world’s leading IT Security event with international participation.


TeleTrusT and Detack GmbH (TeleTrusT-Regional Office Stuttgart) are organizing an information and discussion meeting on the topic "state of the art according to the EU data protection basic regulation" in the “Residenzschloss” (residential castle) in Ludwigsburg on March 21st. The press release can be downloaded below: Find out more

RSA Conference 2018, San Francisco

Like in the past two years Detack will again be participating as part of the TeleTrusT German Pavillon at the RSA Conference in San Francisco (April 16th – 20th, 2018). The RSAC is the world’s leading IT Security event with international participation.


it-sa 2017 (taking place 10. – 12.10.2017) is the only IT security exhibition in the German-speaking region. Detack will be exhibiting at booth 9-210 at the joint stand of BITKOM. Do not hesitate to contact us regarding an appointment or just come by!

The Future of Finance Summit: 8th – 9th June 2017, Singapore

For the first time Detack will be present, together with its Malaysian partner, SecureMetric, at the Future of Finance Summit from 8th – 9th June 2017 in Singapore: an exciting, all-inclusive annual gathering that will bring together a wide range of players - banks, fintech players, insurance companies, asset managers, investors and customers - who are shaping the future of finance. The Future of Finance will be a dialogue between the institutions and the customer so that they can experience and communicate their expectations of the industry. Find out more

RHT / EPAS Breakfast Session: 7th June, 2017, Singapore

Detack in cooperation with its partner RHT, is organizing a breakfast and a presentation on June 7th, 2017 in Singapore of how modern technology can be employed to prevent becoming victim of an IT security attack. We will discuss password-related IT security risks, meeting regulatory requirements without switching from passwords to alternative technologies, and we will show you how the solution proposed by RHT and Detack, EPAS, has helped enterprises in over 30 countries.


On January 23rd 2017 the event MEET SWISS INFOSEC! will again take place in Zurich, Switzerland. It is the leading event for IT Security in Switzerland, attracting both national and international IT Security experts and interested parties. Detack will again be talking about the topic of authentication with the presentation “Authentication 4.0 – Who am I?”

Request a PoC / Contact Us

An error occured please try again!

Thank you for contacting us!

I have read and agree to the processing of my personal data in accordance to the data privacy statement