Safety & security

Defensive isn't a feature. It's the architecture.

FirewallIQ Secure was designed by people who have done red-team work — and decided not to ship those primitives. The platform exists to prove the perimeter works, never to break it.

The safety promise

Offensive primitives aren't in our worker binaries. The safety profile is compiled-in, signed, and verified at startup — there is no runtime flag to flip.

What we never do

  • Exploit vulnerabilities (not even "safe" proof-of-concept exploits)
  • Brute-force or spray credentials
  • Upload payloads or execute remote commands
  • Bypass authentication on target systems
  • Establish persistence or lateral movement
  • Exfiltrate data or modify target state
  • Run denial-of-service or destructive traffic
  • Attempt to evade detection

What we guarantee

  • Bind every scan to a signed scope document
  • Enforce dual approval for production-scope scans
  • Cap packet rate per the compiled-in safety profile
  • Emit immutable audit logs with hash-chained integrity
  • Refuse jobs that don't match the worker's signed profile
  • Store evidence in WORM-locked, encrypted storage
  • Require step-up MFA for any sensitive action
  • Show you every probe, every result, every operator

Engineering controls

We hold ourselves to the same bar we audit our customers against. Here are the controls that prevent both customer misuse and insider misuse.

Signed scope as contract

Every scan is bound to an Ed25519-signed scope document. Out-of-scope targets are rejected before queueing — by signature verification and CIDR containment.
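The two checks described above, signature verification and CIDR containment, as an added example in Go. This is illustrative code written for this page, not FirewallIQ's orchestrator; the scope document fields (tenant_id, cidrs), the type names and the function names are assumptions. The orchestrator pins the security lead's public key, and a job is queued only if the scope bytes verify under that key and every target address falls inside one of the signed prefixes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"net/netip"
)

// ScopeDocument is a constructed, minimal scope format for this example;
// the field names are assumptions, not the product's schema.
type ScopeDocument struct {
	TenantID string   `json:"tenant_id"`
	CIDRs    []string `json:"cidrs"`
}

// SignedScope carries the exact bytes that were signed plus the Ed25519
// signature over them, so verification never depends on re-serialisation.
type SignedScope struct {
	Doc       []byte
	Signature []byte
}

// SignScope is what the security lead's signing tool does once per scope.
func SignScope(priv ed25519.PrivateKey, doc ScopeDocument) (SignedScope, error) {
	b, err := json.Marshal(doc)
	if err != nil {
		return SignedScope{}, err
	}
	return SignedScope{Doc: b, Signature: ed25519.Sign(priv, b)}, nil
}

// AdmitJob is the orchestrator-side gate: a job is accepted only if the scope
// verifies under the pinned public key AND every target address is contained
// in one of the signed CIDRs. Any failure means "do not queue".
func AdmitJob(pub ed25519.PublicKey, s SignedScope, targets []string) error {
	if !ed25519.Verify(pub, s.Doc, s.Signature) {
		return errors.New("scope signature invalid: refusing to queue")
	}
	var doc ScopeDocument
	if err := json.Unmarshal(s.Doc, &doc); err != nil {
		return fmt.Errorf("scope document malformed: %w", err)
	}
	prefixes := make([]netip.Prefix, 0, len(doc.CIDRs))
	for _, c := range doc.CIDRs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return fmt.Errorf("scope CIDR %q invalid: %w", c, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	for _, t := range targets {
		addr, err := netip.ParseAddr(t)
		if err != nil {
			return fmt.Errorf("target %q is not an IP address: %w", t, err)
		}
		// Unmap so an IPv4-mapped IPv6 literal (::ffff:a.b.c.d) is compared as
		// the IPv4 host it names instead of silently missing every v4 prefix.
		if !inScope(addr.Unmap(), prefixes) {
			return fmt.Errorf("target %s is outside the signed scope", t)
		}
	}
	return nil
}

func inScope(addr netip.Addr, prefixes []netip.Prefix) bool {
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

func main() {
	// Stand-alone demo with a freshly generated key. In a real deployment the
	// public key is pinned in the orchestrator and the private key stays with
	// the security lead's signer.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, _ := SignScope(priv, ScopeDocument{TenantID: "tenant-example", CIDRs: []string{"10.20.0.0/16"}})
	fmt.Println("in scope:", AdmitJob(pub, signed, []string{"10.20.3.4"}))
	fmt.Println("out of scope:", AdmitJob(pub, signed, []string{"10.99.0.1"}))
}
```

Because the signature covers the serialised bytes that are stored with the job, an attacker who can edit the queued scope (for example, widening a CIDR to 0.0.0.0/0) invalidates the signature and the job is refused before any probe is sent.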

Safety profile compiled-in

Offensive primitives are not present in worker binaries. The safety profile is signed, version-pinned, and verified at startup. There is no runtime flag to flip.

Dual approval + step-up MFA

Production-scope scans require two named approvers and a fresh MFA verification. The same is enforced for sensitive operations like evidence export.
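The approval rule above, as an added Go example written for this page rather than taken from the product: two distinct named approvers, neither of whom is the requester, each with an MFA verification that happened before and within a short window of their approval. The five-minute freshness window, the type names and the field names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// MFAFreshness is an assumed policy window: an approval counts only if the
// approver completed MFA within this long before approving.
const MFAFreshness = 5 * time.Minute

// Approval records one named approver's decision. Field names are
// assumptions for this example.
type Approval struct {
	Approver      string
	MFAVerifiedAt time.Time
	ApprovedAt    time.Time
}

// ScanJob is the unit being authorised; ProductionScope is what triggers
// the dual-approval requirement.
type ScanJob struct {
	Requester       string
	ProductionScope bool
	Approvals       []Approval
}

// approvalValid applies the per-approval rules: a named approver who is not
// the requester, MFA completed before the approval, and within the window.
func approvalValid(job ScanJob, a Approval) bool {
	if a.Approver == "" || a.Approver == job.Requester {
		return false
	}
	if a.MFAVerifiedAt.After(a.ApprovedAt) {
		return false
	}
	return a.ApprovedAt.Sub(a.MFAVerifiedAt) <= MFAFreshness
}

// Authorize returns nil when the job may run. Production scope needs two
// distinct valid approvers; repeated approvals by one person count once.
func Authorize(job ScanJob) error {
	if !job.ProductionScope {
		return nil
	}
	distinct := map[string]bool{}
	for _, a := range job.Approvals {
		if approvalValid(job, a) {
			distinct[a.Approver] = true
		}
	}
	if len(distinct) < 2 {
		return fmt.Errorf("production scope needs 2 valid approvers, have %d", len(distinct))
	}
	return nil
}

func main() {
	now := time.Now()
	job := ScanJob{
		Requester:       "dave",
		ProductionScope: true,
		Approvals: []Approval{
			{Approver: "alice", MFAVerifiedAt: now.Add(-time.Minute), ApprovedAt: now},
			{Approver: "alice", MFAVerifiedAt: now.Add(-time.Minute), ApprovedAt: now}, // duplicate, counted once
		},
	}
	fmt.Println("one approver twice:", Authorize(job))
	job.Approvals = append(job.Approvals, Approval{Approver: "bob", MFAVerifiedAt: now.Add(-time.Minute), ApprovedAt: now})
	fmt.Println("two distinct approvers:", Authorize(job))
}
```

Counting approvers by name rather than by number of approval records is the point: the check must not be satisfiable by one person clicking twice, or by the requester approving their own job.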

Append-only audit log

App role cannot UPDATE or DELETE audit rows. Each row carries a hash chain. Daily snapshots are written to WORM-locked S3 for 7-year retention.

Encrypted evidence vault

Evidence lives in S3/MinIO with object-lock (compliance mode), KMS-managed encryption, and 5-minute pre-signed URLs for download.

Eight-layer tenant isolation

Token → app context → Postgres RLS → storage prefix → queue → service mesh → network policy → optional dedicated namespace. A bug at any layer cannot leak.

Top abuse cases — and what stops them

A malicious operator tries to scan a target they don't own.

  1. Scope must be Ed25519-signed by security_lead with MFA.
  2. Target must be inside the scope CIDR — orchestrator rejects out-of-bounds before queueing.
  3. Probes are non-exploitative — even if mis-directed, they cannot harm.
  4. Every action is auditable to a named user with IP and user agent.
  5. Customer SIEM receives a webhook on every scan — independent visibility.

An insider on our team tries to read customer data.

  1. Cross-tenant access requires a customer-initiated support ticket.
  2. Support sessions are pinned to one tenant; cross-tenant queries are impossible during the session.
  3. Production access requires hardware key + bastion. No laptop credentials.
  4. Anomalous volume → on-call paged within minutes.
  5. Quarterly access review with documented sign-off.

An attacker tries to alter the audit log to hide activity.

  1. UPDATE and DELETE on audit_log are revoked from the app role — the database rejects modifications.
  2. Each row references the prior row's hash — the chain breaks on tampering.
  3. Daily snapshots are written to S3 object-lock (compliance mode, 7-year retention).
  4. External anchoring of the daily head hash to an internal ledger for retrospective verification.
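The hash chain from the "Append-only audit log" control and from steps 2 and 4 above, as an added Go example written for this page (not the product's audit code). Each row stores the previous row's hash and its own hash over the previous hash plus its fields; a verifier walks the chain and reports the first inconsistent row. The column names are assumptions. The example also shows why step 4 matters: a chain that has merely been cut short is still internally consistent, and only comparison against an externally anchored head hash reveals the truncation.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
)

// AuditRow mirrors one audit_log row; the columns are assumptions for this example.
type AuditRow struct {
	Seq      int64
	Actor    string
	Action   string
	Target   string
	PrevHash string // hex SHA-256 of the previous row, "" for the first row
	Hash     string // hex SHA-256 over PrevHash and this row's own fields
}

// rowDigest computes the chained hash for a row. Fields are length-prefixed
// so that, for example, ("ab","c") and ("a","bc") cannot produce one digest.
func rowDigest(seq int64, actor, action, target, prev string) string {
	h := sha256.New()
	for _, f := range []string{strconv.FormatInt(seq, 10), actor, action, target, prev} {
		fmt.Fprintf(h, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append adds a row linked to the current head. Insert is the only write
// path; the database role additionally has UPDATE and DELETE revoked.
func Append(log []AuditRow, actor, action, target string) []AuditRow {
	prev := ""
	var seq int64 = 1
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
		seq = log[n-1].Seq + 1
	}
	return append(log, AuditRow{
		Seq: seq, Actor: actor, Action: action, Target: target,
		PrevHash: prev, Hash: rowDigest(seq, actor, action, target, prev),
	})
}

// Verify walks the chain and returns the index of the first row whose
// sequence, linkage or hash is wrong, or -1 if the chain is intact.
func Verify(log []AuditRow) int {
	prev := ""
	var expectSeq int64 = 1
	for i, r := range log {
		if r.Seq != expectSeq || r.PrevHash != prev ||
			r.Hash != rowDigest(r.Seq, r.Actor, r.Action, r.Target, r.PrevHash) {
			return i
		}
		prev = r.Hash
		expectSeq++
	}
	return -1
}

// HeadHash is the value anchored daily to the external ledger. Comparing the
// anchored value with the current head catches truncation of the tail, which
// Verify alone cannot see because a shortened chain still verifies.
func HeadHash(log []AuditRow) string {
	if len(log) == 0 {
		return ""
	}
	return log[len(log)-1].Hash
}

func main() {
	var log []AuditRow
	log = Append(log, "alice", "scope.sign", "tenant-example")
	log = Append(log, "bob", "scan.approve", "job-1")
	fmt.Println("intact:", Verify(log) == -1, "head:", HeadHash(log))
	log[0].Action = "scan.delete" // simulate an UPDATE the DB role should have refused
	fmt.Println("first broken row:", Verify(log))
}
```

Detection, not prevention, is what the chain provides: the REVOKE stops the app role, the chain exposes anyone who bypasses it, and the anchored head hash exposes deletion from the end of the log.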

Walk into your next audit with evidence, not estimates.

A 30-minute demo on real findings. We'll walk through scope signing, a live scan, and a signed compliance report — all on a customer-style sandbox.

No credit card. No agent install. Authorized-only by design.
