Before deploying S4E On-Prem, verify that your server meets the following hardware, software, and network requirements.
Hardware Requirements
| Requirement | Minimum |
|---|---|
| CPU cores | 32 cores |
| RAM | 96 GB |
| Disk space | 512 GB SSD |
| Network interfaces | 1 |
| Architecture | x86_64 (amd64) |
ARM not supported
S4E On-Prem container images are built for linux/amd64. ARM-based servers (including Apple Silicon, AWS Graviton) are not supported.
Scan-heavy deployments
Scanner and crawler workers are CPU-intensive. For environments with high scan volumes (500+ assets), 64+ CPU cores are recommended. The installer automatically pins these workers to dedicated cores to avoid contention with other services.
Operating System
| OS | Status |
|---|---|
| Ubuntu 22.04 LTS | Fully tested, recommended |
| Ubuntu 20.04 LTS | Supported |
| Debian 12 (Bookworm) | Supported |
| Debian 11 (Bullseye) | Supported |
| CentOS / RHEL 8+ | Not tested |
| Other Linux | Not tested |
| Windows / macOS | Not tested |
The server must have a 64-bit Linux kernel (5.4+).
Software Prerequisites
The following software must be installed before running setup.sh. The installer will check for these and abort if they are missing.
| Software | Version | Purpose |
|---|---|---|
| Docker Engine | 24.0+ | Container runtime |
| Docker Compose (plugin) | 2.20+ | Service orchestration |
| Nginx | 1.18+ | Reverse proxy (host-level) |
| openssl | Any | TLS certificate generation |
| Python 3 | 3.8+ | Setup helper scripts |
| Git | 2.x | Template repository management |
| curl | Any | Registry and API connectivity checks |
Auto-installation
The setup.sh installer can install Docker, Docker Compose, and Nginx automatically on Debian/Ubuntu if they are not present. Run with sudo to allow this.
Network Requirements
Inbound (from your users)
| Port | Protocol | Purpose |
|---|---|---|
| 80 | TCP | HTTP → redirects to HTTPS |
| 443 | TCP | HTTPS — all user-facing services |
Outbound (from the server)
| Destination | Port | Purpose |
|---|---|---|
harbor.s4e.link |
443 | Pull Docker images |
api.s4e.io |
443 | Sync scan templates and action catalog |
| Your scan targets | Any | Vulnerability scanning (internal networks) |
| Your SMTP relay | 25/465/587 | Outbound email (optional) |
Firewall
If a firewall is active on the server, open ports 80 and 443 for inbound traffic. All other ports should remain closed externally — services communicate internally over the Docker network.
DNS
All S4E services are accessed via subdomains of your configured base domain (e.g., s4e.company.com). You must create DNS A records pointing each subdomain to the server's IP address, or add entries to your local /etc/hosts files.
The installer prints the exact host entries to add at the end of setup.
Storage Layout
The installer creates the following directories on the host:
/opt/s4e/
├── setup/ # Docker Compose files, .env, Nginx configs
│ ├── setup.sh
│ ├── setup.conf
│ ├── docker-compose.yml
│ ├── .env
│ └── nginx/
├── volumes/ # Persistent data (mounted into containers)
│ ├── postgres/
│ ├── redis/
│ ├── rabbitmq/
│ ├── mongodb/
│ ├── minio/
│ └── gitea/
└── ssl/ # TLS certificates
Do not delete /opt/s4e/volumes
This directory contains all persistent data. Deleting it will destroy all scan results, user accounts, and configuration. See the recovery guide for backup procedures.
Pre-Deployment Checklist
- [ ] Server meets minimum hardware requirements (4 CPU cores, 16 GB RAM, 100 GB disk).
- [ ] Ubuntu 22.04 or Debian 12 installed (fresh install recommended).
- [ ] Server has outbound internet access to
harbor.s4e.linkandapi.s4e.io. - [ ] Ports 80 and 443 are open for inbound connections.
- [ ] A base domain name is available (or
/etc/hostsentries will be used for testing). - [ ] You have received your S4E API key from your account representative.
- [ ] You have received the setup package (
.tar.gzor Git access). - [ ]
sudoaccess is available on the server.
Next Steps
Proceed to the installation guide.