Kestra gives us a modern orchestration platform we can run ourselves without compromising on governance.
Modernize public-sector IT.
On a platform you fully control.
One orchestration engine for infrastructure, SOC, data, and modernization workflows. Integrate what you already run. Standardize how operations execute. Replace brittle orchestration silos when you're ready.
One control plane for the platforms public-sector IT runs.
VMware lifecycle. Bare-metal commissioning. SOC alert response. GitOps delivery. Cross-department data. Whether you're orchestrating vSphere, MAAS, Argo CD, or a sovereign data platform, the engine is the same. Self-hosted, multi-tenant, audit-ready.
Each step is a declarative YAML task. Wrap an existing legacy job today. Modernize it in place tomorrow. No rewrite of the whole estate.
What public-sector IT teams actually run on Kestra.
Real workloads from real institutions. Self-service infrastructure at federal IT centres. SOC operations across multi-state estates. Sovereign data platforms in EU institutions. Incremental modernization of legacy automation.
Infrastructure & Platform Orchestration
VM Lifecycle & Self-Service Portals
Native plugins for vSphere, vCenter, ESXi, KVM, MAAS, and Nutanix orchestrate the full VM lifecycle: provision, snapshot, clone, template, restore. Expose it all as a self-service catalog with quota validation, approval gates, and CMDB updates.
Terraform, Ansible & Kubernetes Operations
Wrap your existing IaC with sovereign orchestration. Run Terraform plans and applies, Ansible playbooks, Argo CD syncs, and OpenShift or Kubernetes operations from one Git-backed control plane, with state isolation per environment.
Hybrid Cloud & Multi-Cluster Operations
Coordinate workloads across on-prem datacenters, sovereign clouds, and hyperscaler regions. Linux, Windows, and GPU workers run side-by-side on a shared control plane with worker-group isolation.
Cybersecurity & SOC Operations
Open SOC Triage & Alert Routing
An open alternative to Palo Alto SOAR, Splunk SOAR, and the Python glue between them. Receive alerts from your SIEM, enrich with threat intelligence, score risk with rules or ML, route to the right analyst queue. All on infrastructure your data-protection team has signed off on.
Incident Response & Threat Containment
Automate containment runbooks: isolate hosts, rotate credentials, snapshot evidence, open ServiceNow incidents, notify on-call. Mandatory analyst confirmation on irreversible actions. Replayable per alert, audit-ready by default.
Multi-Tenant SOC for Multi-Agency Estates
Operate one SOC platform across multiple states, agencies, or institutional clients. Namespace-scoped flows, secrets, and audit trails per tenant. Zero blast radius between environments.
Modernizing Legacy Automation
The Open Exit from VMware Aria & vRealize
Replace the brittle automation layer above your virtualization stack, not VMware itself. Integrate vSphere, vCenter, and ESXi directly. Standardize on YAML in Git, REST APIs, OIDC, OpenTelemetry. Procurement-friendly, no proprietary runtime lock-in.
From Schedulers & Runbook Tools to Declarative Flows
Retire Cron, Control-M, Autosys, vRO, Rundeck, HP Operations Orchestration, and hand-rolled wrappers. Replace them with declarative YAML, event triggers, and a unified execution history. At your own pace, without freezing existing jobs.
Incremental Migration from Mainframe & Legacy
Wrap existing JCL, AS/400, Oracle, SFTP, and MQ jobs first, then modernize incrementally. Plugins for JDBC, SFTP/FTPS, JMS/IBM MQ, Kafka, and shell. Integrate first, standardize next, replace only when you're ready.
Sovereign Data & AI Platforms
Cross-Department Data Pipelines
Move and transform data across departmental warehouses, lakehouses, and operational systems. dbt, SQL, Python, Spark, and Java tasks orchestrated with full lineage and replayability per tenant.
Lakehouse & dbt on Sovereign Infrastructure
Run modern data stacks inside your jurisdictional perimeter. Java-based engine fits enterprise environments where Python-only tools struggle. EU and US residency, no cross-region data transfer.
AI Workflows Inside Your Perimeter
Orchestrate OCR, LLM extraction, classification, and decision-support models alongside rule-based checks. Models, prompts, and PII never leave your environment. Humans-in-the-loop on every consequential decision.
Built to the bar institutional IT actually needs.
Sovereign & Air-Gapped Deployment
Self-hosted, VPC, or fully air-gapped. EU or US data residency. Segment control plane and workers across restricted zones with zero egress required. Kestra runs entirely inside your jurisdictional perimeter.
Kubernetes, OpenShift & Hybrid Workers
Docker, Helm, or OpenShift. Worker groups isolate Linux, Windows, GPU, and secure-zone runtimes on one shared control plane. PostgreSQL backend handles millions of executions. No Kafka or Elasticsearch required.
Immutable, Replayable Execution
Every flow is YAML in Git. Every execution frozen in time. Replay any historical run with the exact code, secrets, and inputs, in one click. Years later, the audit holds.
Multi-Tenant by Namespace, RBAC by Default
Each agency, programme, or environment owns its flows, secrets, and runtime on a shared platform. Namespace-scoped RBAC with SSO, SAML, OIDC, and SCIM. Zero blast radius between tenants.
Approval Gates, Kill Switch & Apps
Pause any workflow pending human sign-off. Stop or contain a problematic execution from the UI in one click. Build self-service forms in front of flows with Apps. Governance at the speed of operations.
Audit Logs, Lineage & SIEM Integration
Every execution, user action, and resource change recorded. Stream logs directly to Splunk, Elastic, or your preferred SIEM. Hand auditors a signed evidence bundle in minutes, not weeks.
Patterns from real public-sector deployments.
Real workflows running today inside public-sector IT teams. Copy the YAML, adapt to your stack, deploy through your existing CI and approvals.
Snapshot, patch, verify, rollback. VMware orchestration with the safety net built in.
Snapshot the VM through the native vSphere plugin, apply the change, verify health, and roll back automatically if validation fails. The safe-patching pattern most teams build by hand, expressed as one declarative flow. Automation that fails safely.
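The safe-patching pattern above as one Kestra flow, written here as an added illustration rather than copied from the page or from Kestra's own examples. It uses Kestra's flow-level `errors:` block so that a failed patch or health check automatically triggers the revert; in place of the native vSphere plugin (whose task types are not shown on this page) it calls the `govc` CLI from a shell task, and it assumes a worker image that ships `govc`, `ansible-playbook` and `curl`, a `patch.yml` playbook, a `/healthz` endpoint on the VM, and secrets named `GOVC_PASSWORD` and `GOVC_URL`.

```yaml
id: safe_patch_vm
namespace: ops.platform

inputs:
  - id: vm_name
    type: STRING
    defaults: app-server-01        # constructed sample value

variables:
  # one snapshot name per execution, so the rollback targets exactly what this run created
  snapshot: "pre-patch-{{ execution.id }}"
  # assumption: a custom image with govc, ansible and curl installed
  tools_image: registry.example.internal/ops-tools:latest

tasks:
  - id: snapshot
    type: io.kestra.plugin.scripts.shell.Commands
    containerImage: "{{ vars.tools_image }}"
    env:
      GOVC_URL: "{{ secret('GOVC_URL') }}"
      GOVC_PASSWORD: "{{ secret('GOVC_PASSWORD') }}"
    commands:
      - govc snapshot.create -vm "{{ inputs.vm_name }}" "{{ vars.snapshot }}"

  - id: patch
    type: io.kestra.plugin.scripts.shell.Commands
    containerImage: "{{ vars.tools_image }}"
    commands:
      - ansible-playbook -l "{{ inputs.vm_name }}" patch.yml

  - id: verify
    type: io.kestra.plugin.scripts.shell.Commands
    containerImage: "{{ vars.tools_image }}"
    commands:
      # non-2xx status makes curl exit non-zero, which fails the task and enters errors:
      - curl --fail --silent --show-error --max-time 10 "https://{{ inputs.vm_name }}/healthz"

# runs only when a task above fails; the execution still ends FAILED, so the run is visible in the audit trail
errors:
  - id: rollback
    type: io.kestra.plugin.scripts.shell.Commands
    containerImage: "{{ vars.tools_image }}"
    env:
      GOVC_URL: "{{ secret('GOVC_URL') }}"
      GOVC_PASSWORD: "{{ secret('GOVC_PASSWORD') }}"
    commands:
      - govc snapshot.revert -vm "{{ inputs.vm_name }}" "{{ vars.snapshot }}"
  - id: rollback_notice
    type: io.kestra.plugin.core.log.Log
    level: ERROR
    message: "Patch of {{ inputs.vm_name }} failed; reverted to snapshot {{ vars.snapshot }}"
```

Because the snapshot name is derived from `execution.id`, replaying the run later rolls back to that run's own snapshot rather than whichever one happens to be newest.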
Triage SIEM alerts, enrich, and contain. The open alternative to closed SOAR platforms.
Receive alerts from your SIEM, enrich with threat intelligence, score with a Python model, branch on severity, pause for analyst confirmation on critical events, isolate hosts, and open ServiceNow incidents. Replaces Palo Alto SOAR, Splunk SOAR, and the script glue between them.
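The triage pattern above as a single flow, added here as an illustration and not taken from the page or from Kestra's own examples. The SIEM posts the alert to the flow's webhook, an HTTP task enriches the source IP, a Python task scores it, and an `If` task sends only critical alerts through a `Pause` that an analyst must resume before the containment and ticketing steps run. Assumed and to be replaced with your own values: the webhook key placeholder, the threat-intelligence endpoint `ti.example.internal`, the alert fields `src_ip`, `host` and `base_score`, the `edr-cli isolate` command standing in for your EDR's isolation API, the ServiceNow instance name, and the secrets `TI_API_KEY` and `SNOW_BASIC_AUTH`.

```yaml
id: siem_alert_triage
namespace: soc.triage
triggers:
  - id: siem_webhook
    type: io.kestra.plugin.core.trigger.Webhook
    # placeholder: SIEM posts JSON to /api/v1/executions/webhook/soc.triage/siem_alert_triage/<key>
    key: REPLACE_WITH_LONG_RANDOM_KEY
tasks:
  - id: enrich
    type: io.kestra.plugin.core.http.Request
    uri: "https://ti.example.internal/v1/lookup?ip={{ trigger.body.src_ip }}"   # assumed TI service
    headers:
      Authorization: "Bearer {{ secret('TI_API_KEY') }}"
  - id: score
    type: io.kestra.plugin.scripts.python.Script
    env:                                   # pass data via env rather than templating it into code
      ALERT: "{{ trigger.body | json }}"
      ENRICH: "{{ outputs.enrich.body }}"
    script: |
      import json, os
      from kestra import Kestra
      alert = json.loads(os.environ["ALERT"])
      ti = json.loads(os.environ["ENRICH"])
      # constructed scoring rule: SIEM base score plus a fixed bump for a known-bad IP
      score = int(alert.get("base_score", 0)) + (40 if ti.get("malicious") else 0)
      severity = "critical" if score >= 70 else ("high" if score >= 40 else "low")
      Kestra.outputs({"severity": severity, "score": score})
  - id: route
    type: io.kestra.plugin.core.flow.If
    condition: "{{ outputs.score.vars.severity == 'critical' }}"
    then:
      - id: analyst_confirm                # irreversible actions below wait for a human resume
        type: io.kestra.plugin.core.flow.Pause
        timeout: PT4H                      # nobody resumes within 4h: the flow does not proceed
      - id: isolate_host
        type: io.kestra.plugin.scripts.shell.Commands
        commands:
          - edr-cli isolate --host "{{ trigger.body.host }}"   # placeholder for your EDR
      - id: open_incident
        type: io.kestra.plugin.core.http.Request
        uri: https://INSTANCE.service-now.com/api/now/table/incident   # placeholder instance
        method: POST
        contentType: application/json
        headers:
          Authorization: "Basic {{ secret('SNOW_BASIC_AUTH') }}"
        body: |
          {"short_description": "Critical alert on {{ trigger.body.host }}", "urgency": "1"}
    else:
      - id: queue
        type: io.kestra.plugin.core.log.Log
        message: "Severity {{ outputs.score.vars.severity }} (score {{ outputs.score.vars.score }}): routed to analyst queue"
```

Every execution keeps the alert payload, the enrichment response and who resumed the pause, which is the per-alert replayable record the section above refers to.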
Provision bare metal through MAAS and update NetBox in one execution. No drift by design.
Commission a server through MAAS, deploy the OS image, register the device in NetBox, assign the IP. If the inventory write fails, the workflow fails. Metal provisioning, source-of-truth, and downstream automation become one execution you can debug.
Per-tenant data pipeline with namespace isolation and signed lineage.
Each department or programme owns its own namespace, secrets, and runtime. The same flow shape runs per tenant: extract, transform with dbt, validate, publish to the sovereign lakehouse, archive lineage. Zero blast radius between teams. Full audit per run.
Ready for Production?
Managed or self-hosted, your choice.
Fully managed. Zero maintenance.
Deploy instantly, scale automatically, pay only for what you use.
- Everything in Open Source
- Fully Managed Platform, zero ops
- Automatic Scaling
- SOC 2 Type II Certified
- Built-in Security & Governance
- Fast Onboarding, Pay-as-you-scale
Self-host with enterprise governance.
Critical environments, compliance requirements, air-gapped or hybrid.
- Everything in Open Source
- SSO / SAML & Fine-Grained RBAC
- Audit Logs & Multi-Tenancy
- Air-Gapped & On-Prem Deployment
- Dedicated Customer Success Program
- SLA-Backed Enterprise Support
Integrates with the systems public-sector IT teams already run.
Native plugins for vSphere, vCenter, ESXi, KVM, Nutanix, MAAS, NetBox, Argo CD, Cloudflare, ServiceNow, Vault, CyberArk, Delinea, Splunk, Elastic, plus mainframe, SFTP, MQ, Kafka, and 1,200+ more. Or build the exact integration your environment needs.
Modernize public-sector IT on a platform you fully own.
Self-hosted, air-gapped, and procurement-friendly. Modernize legacy automation incrementally, run SOC and platform operations on-prem, and deploy AI inside your perimeter. One orchestration engine you fully control.
Frequently asked questions
Find answers to your questions right here, and don't hesitate to Contact Us if you couldn't find what you're looking for.