Cyber Army™

Security

Security is our product. We apply the same rigor to protecting your data that we apply to securing your infrastructure: no credential sharing, isolated execution environments, and full auditability at every step.

AutoFix platform security

  • Prod-clone isolation: every fix executes in an isolated clone of your production environment. Nothing touches live systems until verification passes.
  • No persistent agents: AutoFix integrates via read-only connectors to AWS, GCP, Azure, GitHub, and Kubernetes. No agents installed, no credentials stored long-term.
  • Human approval gate: no fix deploys without explicit CISO or security team sign-off. Policy-as-code guardrails define what AutoFix can and cannot touch.
  • Full audit trail: every action (discovery, fix generation, approval, deployment, and rollback) is logged with timestamps and actor identity for compliance and forensics.
  • Instant rollback: post-deploy monitoring triggers automatic rollback within 60 seconds on anomaly detection. Zero data loss.
  • Per-tenant isolation: customer environments and evidence are logically separated. No cross-tenant data access.

Cyber Swarm security

  • Domain verification required: we only scan domains you have verified via DNS TXT record. We never scan assets you have not explicitly authorised.
  • No credential sharing: Swarm tests only your external attack surface, meaning everything reachable from the public internet. No VPN access, no API keys, no admin credentials required from you.
  • Conservative scan rates: port scanning is capped at 1,000 packets/second. All exploitation attempts use standard techniques that mirror real attacker behaviour and are designed to find vulnerabilities, not to cause downtime.
  • Evidence-backed findings only: every finding in your report was actively exploited. No theoretical scores, no false positives passed to your team.
  • Opt-out supported: contact cyberarmy@codeproof.com, or add the following two lines to your robots.txt to exclude assets from scanning:

        User-agent: CyberSwarm
        Disallow: /
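To confirm that a robots.txt opt-out is in the form described above, the following parser resolves the most specific group for a crawler and reports whether that group disallows the whole site. This is an added example, not Cyber Army's own tooling; the sample files are constructed, and the only page-specific value is the CyberSwarm user-agent token.

```python
"""Verify a robots.txt opt-out for a named crawler (added example, not Cyber Army code)."""
from typing import Dict, List


def parse_robots_groups(text: str) -> Dict[str, List[str]]:
    """Map each lower-cased User-agent token to its list of Disallow paths.

    A block is one or more User-agent lines followed by rule lines; each rule
    applies to every agent named in that block. Comments and blank lines are
    skipped. Only Disallow is evaluated; Allow directives are not weighed.
    """
    groups: Dict[str, List[str]] = {}
    current: List[str] = []   # agents named in the block being read
    seen_rule = False         # True once a non-User-agent line followed them
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:                  # rules already seen: a new block starts
                current, seen_rule = [], False
            current.append(value.lower())
            groups.setdefault(value.lower(), [])
        else:
            seen_rule = True
            if field == "disallow" and value:   # an empty Disallow permits everything
                for agent in current:
                    groups[agent].append(value)
    return groups


def is_fully_disallowed(text: str, agent: str) -> bool:
    """True if the most specific group for `agent` contains 'Disallow: /'.

    A group naming the agent takes precedence over the '*' group; if neither
    names it, the crawler is not opted out.
    """
    groups = parse_robots_groups(text)
    key = agent.lower()
    rules = groups[key] if key in groups else groups.get("*")
    return rules is not None and any(path == "/" for path in rules)


# Constructed sample files for illustration.
OPTED_OUT = "User-agent: CyberSwarm\nDisallow: /\n"
# Common mistake: the agent is named, but an empty Disallow allows everything.
NOT_OPTED_OUT = "User-agent: *\nDisallow: /admin/\n\nUser-agent: CyberSwarm\nDisallow:\n"

if __name__ == "__main__":
    print(is_fully_disallowed(OPTED_OUT, "CyberSwarm"))      # True
    print(is_fully_disallowed(NOT_OPTED_OUT, "CyberSwarm"))  # False
```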

Operational controls

  • MFA everywhere: phishing-resistant (FIDO2/passkeys) where supported; SSO for all internal systems.
  • Least privilege: just-in-time access for sensitive resources; no standing admin access.
  • Encrypted in transit and at rest: TLS 1.2+ for all connections and AES-256 encryption at rest.
  • Device hardening: disk encryption, screen lock, patch management, and EDR on all devices.
  • Dependency hygiene: automated vulnerability monitoring, SBOM awareness, and regular updates.
  • Vendor management: subprocessors listed at /legal/subprocessors.

Data handling and retention

  • Minimise collection: we collect only what is necessary to deliver the service and prove findings.
  • No PII from your users: AutoFix and Swarm operate on infrastructure metadata: IPs, ports, DNS, TLS, and headers. We do not collect personal data from your end users.
  • Time-bound retention: scan results and evidence are retained per your contract and purged securely at closure.
  • No third-party sharing beyond approved subprocessors listed in your agreement.
  • BAA / DPA available: for regulated environments (HIPAA, GDPR). Contact us.

Incident response

  • Documented IR plan with defined roles, escalation paths, and external contacts.
  • Customer notification per contract and applicable law if we become aware of an issue affecting your data.
  • Forensics support and containment guidance available on request.

Compliance alignment

  • OWASP ASVS / MASVS for application security standards.
  • NIST SP 800-115 for penetration testing methodology.
  • CIS Benchmarks for cloud and infrastructure hardening baselines.
  • SOC 2 Type II evidence generation built into AutoFix and Swarm reports.

Responsible disclosure

If you believe you have found a vulnerability in Cyber Army's infrastructure or services, please contact us at cyberarmy@codeproof.com. Include reproduction steps, impact, and any supporting evidence.

  • Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
  • Avoid privacy violations, service disruption, or data destruction.
  • Give us reasonable time to investigate and remediate before any public disclosure.
  • We will acknowledge receipt promptly and keep you informed of our progress.

Our security.txt is published at https://cyberarmy.tech/.well-known/security.txt.

Questions

Security questions? Contact cyberarmy@codeproof.com. Want to see AutoFix or Swarm in action? Request early access.