XFA

Main service(s)

For many breaches, the initial attack vector is ‘exploitation of a known weakness’. Of course, the solution against this attack vector is patching and secure configuration. The industry has known about the importance of patching for a long time and yet, almost all organisations still struggle with it. It is just a very hard and persistent problem.

Inspired by the google BeyondCorp model, XFA handles the “client-side of zero trust”: their service checks user devices against the company policy before allowing the device to authenticate to an application.

In simple language: XFA sits between a device and the authentication layer and performs some security checks before a device is allowed to access certain applications. Example checks are: is the device operating system up to date? Is the disk encrypted? Is there a passcode and screen lock configured…

The idea is to lower (or outright remove) the number of potentially devices that have access to company data.

Note: With regards to classification of their solution, XFA prefers the term “Device Security”, as they only verify the security posture of the device. There is no device management included in the solution. I’ve still classified XFA under the “Device Management” subcategory, to keep the number of categories manageable and have included this note to provide more clarity.

Differentiators

Broad coverage of devices

XFA strives to have broad coverage of devices, which is an advantage against bigger industry players with a platform or lock-in strategy.

Many companies will run a heterogeneous technology stack over time (ie: best of breed technology strategy, acquiring companies with different tech stack or just a simple bring your own device policy). This makes the prospect of a lightweight solution to quickly raise the bar in a significant area very enticing.

Usability

XFA has built in usability from the start, both from an administration and end-user perspective.

This translates into a comprehensive self-onboarding experience which makes life easier from the administration side (quick and easy setup) and the end-user side (self-enrollment, friendly UI, help with fixing possible issues).

Privacy respecting and non-intrusive

A large use case of XFA is companies with a bring your own device policy. As the employees own these devices, they are often very sensitive with regards to installing company mandated or controlled software.

With this in mind, XFA has taken steps to make the solution as privacy respecting and non-intrusive as possible:

• XFA is very transparent in what data they collect and what they do. They also minimise the amount of data needed to function
• As XFA is headquartered in Belgium, GDPR is of course considered from the start
• XFA does not control the device itself (it is not a MDM solution), it only gates the applications.

Future plans

Now that XFA has successfully launched their solution, they are focusing on incorporating feedback from existing customers and adding new customers.

Company history

Lars Veelaert and Gijs Van Laer (the XFA founders) met at DPG Media, where they worked together. At DPG, they adopted the [BeyondCorp model from Google](https://cloud.google.com/beyondcorp) and worked on implementing it.

One of the missing pieces to implement a full BeyondCorp-based security strategy was a cross-platform solution to check devices for violations against the security policy.

After a couple of detours, Lars and Gijs decided to implement their own solution and founded XFA in 2021. They launched their MVP in 2022, which is now implemented in several companies. In November 2023, XFA took in 500k of funding and is now looking to bring their solution to market on a larger scale.