A platform full of live attack tooling has to hold a higher bar. Here's how we protect your account, isolate the labs, and handle your data — described as practices we actually follow, not certifications we don't hold.
// the posture
Every control below exists in the codebase and is documented in our internal security posture. No hand-waving.
Passwords are hashed with Argon2id — memory-hard, with no legacy bcrypt or SHA fallback. Sessions use short-lived JWT access tokens (15 minutes) plus refresh tokens that rotate on every use and can be revoked by signing out. Optional TOTP MFA adds a second factor, with the secret encrypted at rest using AES-256-GCM.
Every lab boots locked down: --cap-drop ALL, no-new-privileges, a read-only root filesystem, and strict CPU/memory/PID ceilings. Containers attach to an internal-only Docker network — no internet, no host visibility, no cross-user visibility — and are torn down on a hard timeout. The Docker socket is never exposed inside a lab.
Challenge flags live only as SHA-256 hashes. Your submission is hashed and compared in constant time — the raw flag never sits in the app database. And the ARYA AI mentor is fed a redacted prompt: flag values are stripped before any model call, so the mentor can't leak the answer even if asked.
Traffic is served over TLS 1.3 with HSTS (includeSubDomains; preload). Production responses carry a strict Content-Security-Policy (default-src 'self', a locked connect-src, frame-ancestors 'none'), an exact-match CORS allowlist, request body-size caps, and per-IP plus per-route rate limiting.
Multi-tenant data is fenced two ways: a Prisma middleware injects the caller's tenant into every query, and PostgreSQL Row-Level Security enforces the same boundary at the database — so a forgotten scope can't leak another tenant's data. Payment webhooks are verified by HMAC-SHA-256 over the raw request bytes.
Falco watches every lab host with a Trinetra rule set that alerts on container-escape syscalls (cgroup writes, ptrace into PID 1, raw-disk reads, suspicious mounts) and pages on-call. Server-side 5xx errors flow to Sentry; CI audit suites pin the lab hardening config so a regression fails the build, not production.
We only claim what's true. Trinetra is a fast-moving product, not a certified enterprise vendor — yet. We are not SOC 2 or ISO 27001 certified, and we haven't completed a third-party penetration test. Those are on the roadmap, and we'll update this page when they ship.
Manage both from your account settings.
// honest about the gaps
// coordinated disclosure
We acknowledge reports within 48 hours and aim to fix or document a mitigation within 90 days. We credit researchers who follow coordinated disclosure.