Enterprise Security

Security built into every layer

Cortex+Forge was designed from day one for enterprises that cannot compromise on security. Your data never leaves your cloud. Every agent runs in isolation, and every agent action is logged and auditable.

  • 0 API keys stored per agent
  • 1 h maximum certificate TTL
  • 100% of actions recorded in the immutable audit log
  • 0 shared kernels between agents (Firecracker microVM deployments)

Six security pillars

Each pillar is independently enforced — a failure in one does not cascade to the others.

Data Residency

Your entire Cortex+Forge platform runs inside your GCP or AWS account. We issue licenses and ship updates — that's it. We never have access to your VPC, your KB content, your secrets, or your agent transcripts.

  • Cloud Run, Cloud SQL, Memorystore — all in your project
  • forge VMs deploy to your VPC with private-only IPs
  • No data crosses into Anthropic or Cortex infrastructure

Hardware Isolation

Every agent beam runs in its own Firecracker microVM with a separate kernel, separate memory, and separate network stack. Compromising one beam gives an attacker nothing but an empty sandbox.

  • Firecracker: hardware virtualization (KVM) per beam
  • Root inside the VM ≠ root on the host
  • Phase 1 ships Docker + seccomp + AppArmor, which share the host kernel; Firecracker microVMs arrive in Phase 3
  • VM boots from a clean snapshot in ~125 ms

Certificate-Based Identity

Agents never receive API keys. Each beam gets a short-lived X.509 certificate signed by your tenant's embedded CA, scoped to one org, one user, one beam, and one hour. Revoke the CA and every agent certificate issued under it is invalidated at once.

  • Certificate TTL: 1 hour (non-renewable)
  • Signed by forge-identity (per-tenant CA, keys on forge-data)
  • Certificate scope: user ID + beam ID + org slug
  • No long-lived credentials anywhere in the agent path
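The issue-and-verify cycle this pillar describes, as an added example in Go using only the standard library (this is not Cortex+Forge code): a per-tenant CA, a one-hour client certificate carrying the org, user and beam scope, and the verifier that refuses an expired certificate, a certificate for a different beam, a certificate whose validity exceeds one hour, and one that chains to a CA that has been rotated out. Carrying the scope in the subject as O=org, OU=user, CN=beam, the TenantCA and Scope names, and the sample identifiers are assumptions of this example; the page specifies only the scope fields and the TTL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const MaxBeamTTL = time.Hour // the page's policy ceiling: one hour, non-renewable

// Scope is what a beam certificate is bound to: one org, one user, one beam.
type Scope struct{ Org, User, Beam string }

// TenantCA plays the role of forge-identity: one issuing key per tenant.
type TenantCA struct {
	Cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	serial int64
}

func NewTenantCA(org string, now time.Time) (*TenantCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "forge-identity/" + org},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &TenantCA{Cert: cert, key: key, serial: 1}, nil
}

// IssueBeamCert mints the short-lived leaf a beam receives instead of an API key.
// Encoding the scope as O=org, OU=user, CN=beam is this example's assumption.
func (ca *TenantCA) IssueBeamCert(s Scope, now time.Time, ttl time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{Organization: []string{s.Org}, OrganizationalUnit: []string{s.User}, CommonName: s.Beam},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.key)
}

// VerifyBeamCert is the check forge-control (or an mTLS peer) runs on a presented
// certificate: chain to the tenant root as of now, the one-hour ceiling, and an exact
// scope match, so a cert for another beam is rejected even though it chains.
func VerifyBeamCert(der []byte, root *x509.Certificate, want Scope, now time.Time) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if ttl := cert.NotAfter.Sub(cert.NotBefore); ttl > MaxBeamTTL {
		return fmt.Errorf("policy: validity %v exceeds %v", ttl, MaxBeamTTL)
	}
	if len(cert.Subject.Organization) != 1 || len(cert.Subject.OrganizationalUnit) != 1 {
		return fmt.Errorf("policy: subject carries no beam scope")
	}
	got := Scope{Org: cert.Subject.Organization[0], User: cert.Subject.OrganizationalUnit[0], Beam: cert.Subject.CommonName}
	if got != want {
		return fmt.Errorf("scope mismatch: cert is for %+v, request is for %+v", got, want)
	}
	return nil
}

func main() {
	now := time.Date(2026, 1, 1, 9, 0, 0, 0, time.UTC)
	ca, _ := NewTenantCA("acme", now)
	scope := Scope{Org: "acme", User: "u_123", Beam: "beam_abc"} // constructed sample identifiers
	der, _ := ca.IssueBeamCert(scope, now, time.Hour)
	fmt.Println("fresh:      ", VerifyBeamCert(der, ca.Cert, scope, now))
	fmt.Println("after 61min:", VerifyBeamCert(der, ca.Cert, scope, now.Add(61*time.Minute)))
	fmt.Println("other beam: ", VerifyBeamCert(der, ca.Cert, Scope{Org: "acme", User: "u_123", Beam: "beam_xyz"}, now))
}
```

The verifier enforces the one-hour ceiling itself rather than trusting the issuer, so a misconfigured or compromised issuing path cannot hand out a longer-lived credential that peers would accept. CA revocation works because the old root is simply no longer in the pool: nothing issued under it chains anymore, regardless of its remaining TTL.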

Immutable Audit Log

Every state change in Cortex+Forge is appended to a hash-chained audit log. Past events cannot be modified or deleted without breaking the chain, so any tampering is detectable. The chain alone does not reveal deletion of the most recent entries, so the latest hash must also be recorded outside the log (for example in the object-locked export) and checked against it. Built for SOC 2, SOX, and eDiscovery requirements.

  • SHA-256 hash chain — each entry includes previous hash
  • Logged: KB proposals, approvals, beam lifecycle, agent API calls, vault access
  • Exportable via GET /api/v1/audit with signed pagination tokens
  • Object-lock retention policies for legal hold

Deny-by-Default Egress

Agent network access is completely blocked by default. You maintain an explicit allow-list of integrations each team can use. Every outbound request is logged, including DNS lookups.

  • Egress firewall enforced at VM-level by forge-vnet
  • Allow-list managed in org policy via /forge/policy
  • Allowed: GitHub, Slack, Jira (configured per team)
  • Blocked by default: all internet, cloud metadata APIs

BYO Key Management

All data at rest is encrypted with keys you control. Cortex never holds your encryption keys. Choose your own KMS and rotate on your schedule.

  • Google Cloud KMS (default for GCP deployments)
  • AWS KMS (for AWS deployments)
  • HashiCorp Vault (self-hosted KMS option)
  • Envelope encryption: DEKs wrapped with your CMK
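Envelope encryption as this pillar describes it, as an added example in Go (not Cortex+Forge code). The KMS type is an in-process stand-in for Cloud KMS, AWS KMS or Vault that exposes only wrap and unwrap; each row carries its own data encryption key (DEK) wrapped under the current CMK version, and rotating the CMK re-wraps the DEK without re-encrypting the data. Type names, the AES-256-GCM choice for both layers, and the sample values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS stands in for Cloud KMS, AWS KMS or Vault: the CMK never leaves it; only wrap and unwrap cross its boundary.
type KMS struct {
	keys    map[int][]byte // CMK material by version
	current int
}

// Rotate installs a new CMK version. Older versions stay unwrap-only, so rows wrapped under them stay readable until re-wrapped.
func (k *KMS) Rotate() {
	k.current++
	k.keys[k.current] = randomBytes(32)
}

// Wrap encrypts a DEK under the current CMK and reports which version was used.
func (k *KMS) Wrap(dek []byte) (int, []byte) {
	return k.current, seal(k.keys[k.current], dek, nil)
}

func (k *KMS) Unwrap(version int, wrapped []byte) ([]byte, error) {
	if key, ok := k.keys[version]; ok {
		return open(key, wrapped, nil)
	}
	return nil, fmt.Errorf("CMK version %d does not exist", version)
}

// Row is what lands in the database: ciphertext plus the wrapped DEK that decrypts it. The plaintext DEK is never stored.
type Row struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte // nonce || AES-256-GCM ciphertext and tag
}

// Encrypt uses a fresh DEK per row and binds the ciphertext to aad (e.g. tenant and column) so a row cannot be moved into another context.
func Encrypt(kms *KMS, plaintext, aad []byte) Row {
	dek := randomBytes(32)
	v, wrapped := kms.Wrap(dek)
	return Row{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, aad)}
}

func Decrypt(kms *KMS, r Row, aad []byte) ([]byte, error) {
	dek, err := kms.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, aad)
}

// Rewrap moves a row onto the current CMK version without touching the data ciphertext: rotating the CMK never means re-encrypting the database.
func Rewrap(kms *KMS, r Row) (Row, error) {
	dek, err := kms.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return Row{}, err
	}
	v, wrapped := kms.Wrap(dek)
	return Row{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: r.Ciphertext}, nil
}

// newGCM builds AES-256-GCM; keys in this example are always 32 bytes, so neither constructor can fail.
func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

func seal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad) // dst = nonce, so the result is nonce || ciphertext
}

func open(key, data, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: nothing sensible to do
	}
	return b
}

func main() {
	kms := &KMS{keys: map[int][]byte{}}
	kms.Rotate()
	row := Encrypt(kms, []byte("ghp_constructed_value"), []byte("vault:acme:github_token")) // constructed sample
	kms.Rotate()
	row2, err := Rewrap(kms, row)
	fmt.Println(row.KEKVersion, row2.KEKVersion, err) // 1 2 <nil>
}
```

Two properties matter operationally: after a rotation the old version is still needed to unwrap rows that have not been re-wrapped yet, so a rotation schedule has to be paired with a re-wrap sweep before old versions are retired; and the additional data (aad) ties a ciphertext to its tenant and column, so a row copied into another tenant's table fails authentication rather than silently decrypting.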

Network Security Architecture

Defense in depth with multiple network boundaries between every component.

Internet
    │ HTTPS/TLS 1.3
    ▼
┌─────────────────────────────────────────────────────────────┐
│  Cloud Run (cortex.aicloud.so)                               │
│  ┌─────────────────────────────────────────────────────┐    │
│  │  Rate limiting (Redis)  •  Session validation       │    │
│  │  RBAC enforcement       •  Sensitivity tag checks   │    │
│  └─────────────────────────────────────────────────────┘    │
└──────────────────┬──────────────────────────────────────────┘
                   │ HMAC-SHA256 signed (X-Forge-Signature)
                   │ Private VPC peering (no internet)
                   ▼
┌─────────────────────────────────────────────────────────────┐
│  forge-control VPC (10.100.0.0/24)                           │
│                                                              │
│  forge-control (10.100.0.3)                                  │
│    • Validates HMAC signature                                │
│    • Checks approval tier                                    │
│    • Issues beam certificate                                 │
│    • Routes to forge-beams                                   │
│                                                              │
│  forge-beams   (10.100.0.4)          forge-data (10.100.0.2) │
│    • One microVM per beam              • PostgreSQL           │
│    • No internet egress by default     • Artifact store      │
│    • Kernel-level network namespace    • Keys (encrypted)    │
└─────────────────────────────────────────────────────────────┘

TLS everywhere

All external traffic is TLS 1.3. Internal forge-mesh traffic uses mTLS with certificates from the same CA that issues agent certs. Because both populations share a trust root, a beam certificate chains exactly like a service certificate, so mesh authorization must check the certificate's scope and not only its chain.

HMAC request signing

Cortex signs every request to forge-control with HMAC-SHA256 using a shared secret. forge-control rejects any request whose signature does not verify, whose timestamp falls outside a 5-minute window, or whose signature has already been accepted within that window.
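The signing and verification described above, as an added example in Go (this is not forge-control's code). The header layout t=<unix>,n=<nonce>,v1=<hex> and the canonical string (timestamp, nonce, method, path, SHA-256 of the body) are assumptions of this example; the page fixes only HMAC-SHA256, a shared secret and the 5-minute window. The verifier performs the three checks a replay window needs, in the order that keeps unauthenticated input away from state: timestamp freshness, a constant-time MAC comparison, and a nonce cache that only has to remember nonces for one window.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

const ReplayWindow = 5 * time.Minute // the page's replay window

// canonical is the byte string both sides MAC. Binding method, path and a body
// hash means a captured signature cannot be redirected to another endpoint or
// payload; the timestamp and nonce are what make a replay detectable.
func canonical(ts int64, nonce, method, path string, body []byte) []byte {
	h := sha256.Sum256(body)
	return []byte(fmt.Sprintf("%d\n%s\n%s\n%s\n%x", ts, nonce, method, path, h[:]))
}

// Sign is Cortex's side: it produces the X-Forge-Signature header value.
// The "t=,n=,v1=" layout is this example's assumption; the page does not give one.
func Sign(secret []byte, ts time.Time, nonce, method, path string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(canonical(ts.Unix(), nonce, method, path, body))
	return fmt.Sprintf("t=%d,n=%s,v1=%s", ts.Unix(), nonce, hex.EncodeToString(mac.Sum(nil)))
}

// Verifier is forge-control's side: the shared secret plus a nonce cache. The cache
// only has to cover one window, because older timestamps are refused anyway.
type Verifier struct {
	secret []byte
	mu     sync.Mutex
	seen   map[string]time.Time // nonce -> signed timestamp
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, seen: make(map[string]time.Time)}
}

func (v *Verifier) Verify(header, method, path string, body []byte, now time.Time) error {
	var ts int64
	var nonce, sig string
	for _, field := range strings.Split(header, ",") {
		k, val, ok := strings.Cut(field, "=")
		if !ok {
			return errors.New("malformed X-Forge-Signature")
		}
		switch k {
		case "t":
			n, err := strconv.ParseInt(val, 10, 64)
			if err != nil {
				return errors.New("malformed timestamp")
			}
			ts = n
		case "n":
			nonce = val
		case "v1":
			sig = val
		}
	}
	if nonce == "" || sig == "" {
		return errors.New("missing nonce or signature")
	}
	// 1. Freshness: anything outside the window is refused before the MAC is even checked.
	if skew := now.Sub(time.Unix(ts, 0)); skew > ReplayWindow || skew < -ReplayWindow {
		return fmt.Errorf("timestamp outside replay window (skew %v)", skew.Round(time.Second))
	}
	// 2. Integrity: recompute the MAC and compare in constant time.
	mac := hmac.New(sha256.New, v.secret)
	mac.Write(canonical(ts, nonce, method, path, body))
	want, err := hex.DecodeString(sig)
	if err != nil || !hmac.Equal(want, mac.Sum(nil)) {
		return errors.New("invalid signature")
	}
	// 3. Uniqueness: a valid signature presented twice inside the window is a replay.
	v.mu.Lock()
	defer v.mu.Unlock()
	for n, t := range v.seen {
		if now.Sub(t) > ReplayWindow { // can no longer pass step 1, safe to forget
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[nonce]; dup {
		return errors.New("replayed request")
	}
	v.seen[nonce] = time.Unix(ts, 0)
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret") // in production this comes from the vault, never from code
	now := time.Date(2026, 1, 1, 9, 0, 0, 0, time.UTC)
	body := []byte(`{"beam":"beam_abc","action":"start"}`) // constructed sample request
	v := NewVerifier(secret)
	h := Sign(secret, now, "nonce-1", "POST", "/v1/beams", body)
	fmt.Println("first delivery:", v.Verify(h, "POST", "/v1/beams", body, now.Add(10*time.Second)))
	fmt.Println("replayed:      ", v.Verify(h, "POST", "/v1/beams", body, now.Add(20*time.Second)))
	fmt.Println("6 min later:   ", v.Verify(h, "POST", "/v1/beams", body, now.Add(6*time.Minute)))
}
```

A nonce is only recorded after the MAC verifies, so an attacker without the secret cannot fill the cache with junk, and the window check runs first so that expired signatures never reach the cache at all. With more than one forge-control instance the nonce cache has to be shared (the page's Redis tier is the obvious place); a per-process map, as here, only prevents replay against the instance that saw the original.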

Private VPC peering

Cloud Run connects to Cloud SQL and Memorystore over private VPC peering — no public IPs, no traffic on the internet.

Metadata API blocked

The cloud metadata API (169.254.169.254) is blocked at the VM network namespace level, so an agent cannot obtain the host's instance credentials. Deployments that enable IPv6 must also block the AWS IMDS IPv6 endpoint (fd00:ec2::254).

Compliance & Certifications

Architecture-first compliance. Every certification requirement is baked into the platform design, not bolted on.

SOC 2 Type II (in progress)

Independent audit of security, availability, and confidentiality controls. Hash-chained audit log, access controls, and change management are audit-ready today.

ISO 27001 (documentation available on request)

Information security management system certification. Enterprise customers can request our current ISMS documentation and control mapping.

HIPAA Compatible (architecture ready)

PHI stays in your cloud account. Full audit trail of every access event. BAA available for Enterprise tier. No PHI ever touches our infrastructure.

SOX Compliance (architecture ready)

Immutable audit logs, segregation of duties, multi-person approval workflows, and complete change tracking for public company requirements.

GDPR (architecture ready)

Data residency in your EU cloud region. No third-party data sharing. Right to erasure supported via the user deletion API. No cross-border data transfer.

FedRAMP (planned)

Government-ready architecture. Deploy to FedRAMP-authorized GCP and AWS regions. GovCloud support planned for Enterprise customers in 2027.

Threat Model

Specific threats and how each architectural layer mitigates them.

Privilege Escalation

Attack: An agent exploits a vulnerability to gain host-level privileges.
Mitigation: Firecracker microVMs provide hardware isolation: root inside the VM has zero privilege on the host, and the KVM hypervisor enforces the boundary. Phase 1 deployments run beams as Docker containers under seccomp and AppArmor, which share the host kernel, so until Firecracker ships in Phase 3 the boundary is the kernel's, not the hypervisor's.

Lateral Movement

Attack: A compromised agent attempts to pivot to other beams or infrastructure.
Mitigation: Each beam has its own isolated network namespace, with no network shared between beams. Egress is deny-by-default, and certificates are scoped to a single beam ID.

Data Exfiltration

Attack: An agent exfiltrates KB content, secrets, or customer data to an external destination.
Mitigation: Deny-by-default egress blocks all outbound connections; only explicitly approved domains are reachable. Every outbound request, including DNS, is logged to the immutable audit trail. Approved integrations remain a channel, which is why PRs and webhooks sit behind the approval tier.

Credential Compromise

Attack: An attacker extracts API keys or long-lived credentials from the agent environment.
Mitigation: Agents never receive API keys. Identity is certificate-based with a 1-hour, non-renewable TTL, and no long-lived secrets are stored in the beam environment, so a stolen certificate is usable for at most an hour and only for the beam ID it names.

Audit Log Tampering

Attack: An insider or attacker modifies or deletes audit events to cover their tracks.
Mitigation: Hash-chained, append-only audit log. Each entry includes the SHA-256 hash of the previous entry, so any modification to a past event breaks the chain and is detected by replaying all hashes.
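The chain construction from the Immutable Audit Log pillar and the replay check described in this mitigation, as one added example in Go (not the platform's code; the field names, canonical encoding and sample events are constructed). It also shows the limit a practitioner should know: deleting the newest entries leaves a shorter chain that still verifies, so the current head (length and last hash) has to be anchored outside the log, for example in the object-locked export, and the log checked against that anchor as well.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one audit event. PrevHash links it to its predecessor; Hash covers
// every other field, so editing any of them changes Hash, and a changed Hash
// no longer matches the next entry's PrevHash.
type Entry struct {
	Seq      int    `json:"seq"`
	At       string `json:"at"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Detail   string `json:"detail"`
	PrevHash string `json:"prev"`
	Hash     string `json:"hash,omitempty"`
}

// digest is SHA-256 over the canonical JSON of the entry with Hash blanked.
func (e Entry) digest() string {
	e.Hash = ""
	b, _ := json.Marshal(e) // only string and int fields: cannot fail
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type Log struct{ Entries []Entry }

func (l *Log) Append(at time.Time, actor, action, detail string) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), At: at.UTC().Format(time.RFC3339), Actor: actor,
		Action: action, Detail: detail, PrevHash: prev}
	e.Hash = e.digest()
	l.Entries = append(l.Entries, e)
	return e
}

// Head is the checkpoint to record outside the log (object-locked export, a
// notary, a second system): the current length and the latest hash.
func (l *Log) Head() (int, string) {
	if len(l.Entries) == 0 {
		return 0, ""
	}
	return len(l.Entries), l.Entries[len(l.Entries)-1].Hash
}

// VerifyChain replays every hash and returns the index of the first entry whose
// hash, sequence number or prev pointer does not fit, or -1 if the chain is intact.
func VerifyChain(entries []Entry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.PrevHash != prev || e.Hash != e.digest() {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// VerifyAnchored adds the check the chain alone cannot make: the log must still
// reach the externally recorded head, otherwise the newest entries were deleted.
func VerifyAnchored(entries []Entry, anchorLen int, anchorHash string) error {
	if i := VerifyChain(entries); i >= 0 {
		return fmt.Errorf("chain broken at entry %d", i)
	}
	if len(entries) < anchorLen {
		return fmt.Errorf("log truncated: %d entries, anchor recorded %d", len(entries), anchorLen)
	}
	if anchorLen > 0 && entries[anchorLen-1].Hash != anchorHash {
		return fmt.Errorf("entry %d does not match the anchored head", anchorLen-1)
	}
	return nil
}

func main() {
	t0 := time.Date(2026, 1, 1, 9, 0, 0, 0, time.UTC)
	var log Log // constructed sample events, not a real export
	log.Append(t0, "u_123", "kb.proposal.create", "page=runbooks/oncall")
	log.Append(t0.Add(time.Minute), "u_456", "kb.proposal.approve", "page=runbooks/oncall")
	log.Append(t0.Add(2*time.Minute), "beam_abc", "vault.access", "secret=github_token")
	n, head := log.Head()

	tampered := append([]Entry(nil), log.Entries...)
	tampered[1].Actor = "u_123" // approver rewritten to the proposer
	fmt.Println("edit detected at entry:", VerifyChain(tampered))
	tampered[1].Hash = tampered[1].digest() // attacker also re-hashes the edited entry
	fmt.Println("re-hashed edit detected at entry:", VerifyChain(tampered))

	truncated := log.Entries[:2] // newest event deleted
	fmt.Println("chain-only check on truncated log:", VerifyChain(truncated))
	fmt.Println("anchored check on truncated log:", VerifyAnchored(truncated, n, head))
}
```

Re-hashing an edited entry moves the break one entry later rather than hiding it, because the successor still records the original hash; hiding an edit would require rewriting every later entry, which the anchored head then exposes. The anchor only has to be updated as often as the export runs: anything appended since the last anchor is protected by the chain, anything before it by the anchor.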

Insider Threat

Attack: A privileged employee takes unauthorized action or covers their tracks.
Mitigation: Full audit trail of every action by every user. Cross-team approval workflows for sensitive operations. Segregation of duties enforced by role. Break-glass access to the vault requires dual approval.

Supply Chain Attack

Attack: A malicious package in the agent's dependency tree executes unauthorized code.
Mitigation: Deny-by-default egress limits the blast radius: even if malicious code runs, it cannot reach any destination outside the team's allow-list. Beam snapshots are signed and hash-verified before boot, and dependency pinning is enforced in the build pipeline.

Prompt Injection

Attack: Malicious content in a repository or document hijacks the agent's instructions.
Mitigation: Approval workflows require human sign-off before any KB change is published. Sensitive operations (PRs, webhooks) require an explicit approval tier. All agent actions are logged and reviewable.

Data Handling & Encryption

At Rest

  • PostgreSQL encrypted with CMEK (your Cloud KMS key)
  • Redis encrypted at rest with Cloud KMS
  • Vault secrets use envelope encryption (DEK + CMK)
  • GCS / S3 artifacts use SSE with your KMS

In Transit

  • TLS 1.3 for all external connections
  • mTLS for forge-mesh internal communication
  • Private VPC peering for Cloud Run ↔ Cloud SQL
  • HMAC-signed webhooks (replay protection)

Retention & Deletion

  • KB pages: retained until explicitly deleted by org-admin
  • Audit log: append-only, configurable retention (default 7 years)
  • Beam artifacts: TTL-based expiry (configurable per org)
  • User data: deletable via API (GDPR right to erasure)

Sensitivity Classification

  • public — visible to all org members
  • internal — visible to authenticated org members
  • restricted — requires explicit access grant
  • confidential — requires secret-keeper role + audit log

Responsible Disclosure

Found a vulnerability? We follow coordinated disclosure. Report to security@cortex.ai — we'll acknowledge within 24 hours and patch within 72 hours for critical issues.

PGP key available on request. We do not pursue legal action against good-faith security researchers.

Security Reviews

Enterprise customers can request:

  • Architecture review call with our security team
  • Shared penetration test reports (NDA required)
  • Custom threat model walkthrough
  • SOC 2 evidence package