Secure your IT infrastructure with GLPI: a security expert's view

GLPI is not a security tool. It's an ITSM platform that contributes to security in several specific, measurable ways — and it's important to know which. This article is the honest scope: what GLPI does for security posture, what it doesn't, and where it complements (rather than replaces) dedicated security tooling.

What GLPI genuinely contributes

1. Asset visibility for vulnerability management

You cannot patch what you don't know you have. GLPI's inventory (especially via GLPI Agent auto-discovery) gives the security team a real list of: which servers run which OS at which patch level, which laptops have which software installed, which network devices exist on which subnet. Vulnerability scanners (Nessus, OpenVAS, Qualys) consume this list to know what to scan.

Without GLPI: Excel spreadsheets that disagree with reality. With GLPI: a queryable database that updates daily.

2. RBAC and least privilege

GLPI's profile-based access control means a junior technician can see helpdesk tickets but not server inventory; a contractor can see only their entity. Entity-based RBAC done right is a real defence-in-depth control: even if a credential is compromised, the blast radius is limited to that profile's scope.

The caveat: out-of-the-box profiles are too permissive. Lock them down during deployment, not after the audit.

3. Audit-grade incident records

For ISO 27001, NIS2, and SOC 2 audits, the request "show me your incident management evidence" is non-negotiable. GLPI's ticket database, with timestamps, categorisation, and an immutable audit log, is what lets you answer in 5 minutes instead of 5 days. This is covered in depth in the audit case for ticket-tracking.

4. Integration with SIEM and detection tooling

The detection layer (Wazuh, Splunk, Microsoft Sentinel, Elastic Security) generates alerts. The case-management layer (GLPI) is where those alerts become tickets, get assigned, get worked, and get closed with documented resolution. Webhook integration from SIEM → GLPI is straightforward (see the GLPI API and webhooks guide).
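A sketch of the SIEM → GLPI hand-off described above, as an added example that is not code from GLPI or any SIEM vendor. It uses GLPI's REST API (`apirest.php/initSession`, then `POST apirest.php/Ticket`); the Wazuh-style alert field names, the level-to-urgency mapping, the sample alert and the function names are assumptions to adapt locally.

```python
import html
import json
import urllib.request

# Assumed mapping from Wazuh rule.level (0-15) to GLPI urgency (1-5); tune locally.
LEVEL_TO_URGENCY = ((12, 5), (10, 4), (7, 3), (0, 2))

# Constructed sample alert using Wazuh-style field names, not real data.
SAMPLE = {"id": "1700000000.12345", "agent": {"name": "web01"},
          "rule": {"id": "5712", "level": 10,
                   "description": "sshd: authentication failures for <b>root</b>"}}

def alert_to_ticket(alert):
    """Map a SIEM alert dict to the 'input' object of a GLPI Ticket."""
    rule = alert.get("rule", {})
    level = int(rule.get("level", 0))
    urgency = next((u for floor, u in LEVEL_TO_URGENCY if level >= floor), 2)
    # Alert fields derive from logs an attacker can influence and GLPI shows
    # ticket content as rich text, so escape every value before sending it.
    esc = lambda value: html.escape(str(value))
    agent = esc(alert.get("agent", {}).get("name", "unknown"))
    desc = esc(rule.get("description", "no description"))
    content = (f"Alert {esc(alert.get('id', 'n/a'))}, rule {esc(rule.get('id', 'n/a'))} "
               f"(level {level}) on agent {agent}<br>Description: {desc}")
    return {"name": f"[SIEM] {desc} on {agent}"[:250], "content": content,
            "urgency": urgency, "type": 1}  # type 1 = incident

def session_request(base_url, app_token, user_token):
    """Build the initSession call; tokens come from a secret store, not code."""
    return urllib.request.Request(
        f"{base_url}/apirest.php/initSession",
        headers={"App-Token": app_token, "Authorization": f"user_token {user_token}"})

def ticket_request(base_url, app_token, session_token, alert):
    """Build the POST that creates the ticket inside an open session."""
    body = json.dumps({"input": alert_to_ticket(alert)}).encode()
    return urllib.request.Request(
        f"{base_url}/apirest.php/Ticket", data=body, method="POST",
        headers={"App-Token": app_token, "Session-Token": session_token,
                 "Content-Type": "application/json"})

def create_ticket(base_url, app_token, user_token, alert):
    """Open a session, create the ticket, return the new ticket id."""
    with urllib.request.urlopen(session_request(base_url, app_token, user_token)) as r:
        session = json.load(r)["session_token"]
    with urllib.request.urlopen(ticket_request(base_url, app_token, session, alert)) as r:
        return json.load(r)["id"]
```

Give the API user a profile that can create tickets and nothing else, so a leaked webhook token stays within the least-privilege scope described in section 2.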

5. Contract and certificate expiry tracking

SSL certificates that expire and break HTTPS. Antivirus licences that lapse and stop updating signatures. Vendor support contracts whose end-dates pass without renegotiation. GLPI's Contract objects with pre-expiry alerts catch these before they become incidents.

What GLPI does NOT do

To be clear, GLPI is not:

  • A SIEM — it doesn't ingest logs, correlate events, or detect anomalies.
  • An EDR/XDR — it doesn't watch endpoints for malicious behaviour.
  • A vulnerability scanner — it lists what you have; it doesn't tell you which CVEs apply.
  • An IAM platform — it has profiles, not full identity governance.
  • A WAF or NGFW — it sits behind those, not in their place.

Pitching GLPI as a security tool is a category error. Its value is in being the connective tissue between the actual security tools (which are specialised and expensive) and the operational reality of running IT (assets, tickets, contracts, people).

Practical security hardening for GLPI itself

Beyond the security contribution, GLPI itself needs to be hardened — it holds inventory data and possibly credentials in plugin configurations, so a compromised GLPI is a meaningful breach:

  1. Run behind a reverse proxy with TLS (see reverse proxy guide) — terminate HTTPS, add HSTS, add security headers.
  2. Disable the default admin account, or at minimum change its password on first login: glpi/glpi is a published default, and an instance that still accepts it is owned.
  3. Enforce SSO via LDAP/SAML with 2FA at the IdP — don't manage passwords inside GLPI.
  4. Restrict the API token to specific source IPs where possible. Rotate tokens annually.
  5. Patch promptly — GLPI publishes security advisories. Subscribe to the GLPI security mailing list.
  6. Audit the plugin set — every plugin is additional attack surface. Remove unused plugins; check community plugins for active maintenance before adding.
  7. Monitor the audit log — failed logins, profile changes, mass exports are signals worth alerting on.

The honest summary

GLPI helps your security posture in five concrete ways: visibility, least-privilege access, audit evidence, SIEM integration, and contract tracking. It doesn't replace any actual security product. The fastest way to use GLPI's security value is to (a) get an accurate inventory in it, (b) lock down the profiles, (c) wire SIEM webhook → ticket creation, and (d) treat the GLPI host itself like any other production system that needs hardening, patching, and monitoring. Pretending it's a security tool oversells; ignoring its security contributions undersells.