Cybörü operates an autonomous offensive-security platform that runs real attacks against systems you authorize us to test. Because our product handles sensitive findings, credentials, and proof of exploitation, security is not a feature bolted on afterward; it is the design constraint that shapes every layer of the platform. This document summarizes the controls we apply, how we contain engagements, and how to report a vulnerability. It is a plain-language overview; binding terms may be governed by your engagement agreement, and legal counsel and our security team should review specific obligations.
1. Security commitment
We hold ourselves to the standard we test others against. Cybörü is built on defense-in-depth, least-privilege, and fail-closed principles, so an error or compromise in any single component cannot cascade into customer data or out-of-scope systems. We continuously assess our own infrastructure with the same autonomous engine our customers use, and we treat findings against ourselves with the urgency we expect of our customers.
2. Infrastructure & isolation
Every engagement runs inside a dedicated, ephemeral sandbox. Agent execution, captured artifacts, and network egress are isolated per run so that one customer's engagement can never observe or reach another's. Sandboxes are provisioned on demand and destroyed when the run completes.
- Per-run network namespaces with a deny-by-default egress policy; traffic is permitted only to assets inside the authorized scope.
- Tenant separation enforced at the compute, storage, and network layers — not merely by application-level checks.
- Hardened, minimal base images, patched and rebuilt on a regular cadence, with no persistent operator shell access in the production runtime.
- Infrastructure defined as code and change-controlled, so every modification is reviewed, versioned, and auditable.
3. Encryption in transit & at rest
All data is encrypted both in transit and at rest. Connections to the platform and between internal services use TLS 1.2 or higher with modern cipher suites. Data at rest (including engagement findings, captured evidence, and credentials supplied for testing) is encrypted using AES-256. Encryption keys are managed through a dedicated key-management service with strict rotation and access logging, and secrets are never written to logs or stored in plaintext.
4. Access control & least privilege
Access to customer data is restricted to the minimum set of personnel required to operate and support the platform, and every grant is scoped, time-bound, and logged.
- Role-based access control with mandatory multi-factor authentication for all administrative and production access.
- Just-in-time, approval-gated elevation for any access to production systems or customer engagement data.
- Comprehensive audit logging of administrative actions, with logs retained and monitored for anomalies.
- Regular access reviews and prompt deprovisioning when roles change or personnel depart.
5. Scope enforcement & fail-closed controls
Because Cybörü conducts real exploitation, staying inside the authorized scope is a safety-critical guarantee, not a preference. Scope is enforced by the platform itself rather than left to agent discretion.
- The targets, domains, and address ranges you authorize define a hard boundary; any action against an asset outside it is blocked at the network layer.
- Controls fail closed — if scope cannot be verified, the action is denied rather than allowed.
- Destructive or high-impact techniques are gated and can be disabled per engagement, with safe defaults that prioritize non-disruptive proof of exploitability.
- You can pause or terminate any engagement at any time, and the platform halts active execution promptly on request.
6. Vulnerability disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability in Cybörü's platform, please report it to us privately so we can investigate and remediate before any public disclosure.
- Send details to security@cyboru.com, including reproduction steps and any supporting evidence.
- Please give us a reasonable window to remediate before publicizing findings, and avoid accessing or modifying data that is not your own.
- We will acknowledge receipt, keep you informed of remediation progress, and credit researchers who responsibly disclose, with their permission.
We will not pursue legal action against researchers who act in good faith and adhere to this policy.
7. Compliance
Cybörü is undergoing a SOC 2 Type II examination and aligns its control framework with widely recognized standards for information security. We maintain documented policies, conduct periodic independent assessments, and can share our current compliance status and reports under NDA with qualified prospects and customers. Attestations and certifications will be published as they are completed.
8. Incident response
We maintain a documented incident response plan with defined roles, severity tiers, and escalation paths. Production systems are monitored for anomalous activity, and our team is on call to triage and contain events.
- Detect, contain, eradicate, and recover — with post-incident reviews to address root causes.
- In the event of a security incident affecting your data, we will notify you without undue delay, consistent with applicable law and your engagement agreement.
- We exercise our response procedures periodically to keep them effective.
9. Engagement data handling
Engagement data — findings, captured evidence, and any credentials you provide for testing — is collected only to deliver and validate results. We minimize what we retain, encrypt it throughout its lifecycle, and restrict access to authorized personnel.
- Findings deliver proof of exploitability — not raw exfiltration of your sensitive data beyond what is necessary to demonstrate impact.
- Test credentials and artifacts are stored encrypted and purged according to the retention settings defined in your engagement.
- You retain ownership of your engagement data and can request its deletion, subject to legal and contractual retention requirements.
10. Contact the security team
For security questions, disclosure reports, or compliance documentation requests, reach our security team at security@cyboru.com. We aim to respond to all good-faith security inquiries promptly. This policy is a plain-language summary; legal counsel and our security team should review any binding commitments.