Security
Last updated: 2026-04-29
Short version
We process engagement data only to run the assessment. It lives in the EU (Supabase, eu-west-3), is isolated per tenant via Postgres Row-Level Security, and is never used to train models.
Encryption
Authentication
DeepMantis engagements today are operator-driven — there is no customer-facing login surface. The internal operator console authenticates via Supabase Auth (OAuth providers and password flows with JWT session tokens). Customer-facing authentication will roll out alongside the customer console; MFA is on the roadmap before any customer login goes live.
Data residency
Engagement data
Engagement data is processed only to run the assessment.
Customer engagement data is never used to train models. Methodology learnings — strategies and attack patterns that worked — inform our approach across customers; specific findings, targets, credentials, and customer data do not.
Findings are scoped per engagement and isolated by Postgres Row-Level Security. Access is limited to engagement operators on a per-tenant basis, and all access is logged.
Findings are retained for the engagement audit trail. Customers can request deletion at any time at security@deepmantis.io.
Production safety
1. Architecture isolation
Browser-based verification (XSS, stored attacks) runs in isolated Chromium instances scoped per finding under tenant + engagement + finding profile directories, with automatic cleanup on completion. Script execution runs in isolated sandboxes with configurable backend per assurance level — resource-capped subprocess for low-risk operations, hardware-isolated microVMs for high-assurance autonomous execution.
2. Access scope
Engagements default to read-only reconnaissance. Exploitation requires explicit per-engagement authorization. Detection-only engagements cannot dispatch exploit-class operations — enforced by the policy predicate chain at the platform layer.
3. Rate limiting and kill switch
Per-phase cost and wall-time quotas prevent runaway execution. Operators can pause and resume any engagement at phase boundaries from the console; pause events are logged with full audit trail. Submission to external platforms is gated behind explicit operator approval.
4. Full audit trail
Every phase, skill dispatch, auditor verdict, and tool invocation is instrumented with OpenTelemetry traces sent to Langfuse. Full trace lineage is available for audit, debugging, and compliance review.
Audits and certifications
DeepMantis is not currently pursuing third-party certification. The DeepMantis report format is structured to satisfy SOC 2, ISO 27001, and BSI C5 (OPS-19) pentest-evidence requirements; this is distinct from holding the certifications themselves. We will publish “in audit” status on this page when an audit begins.
Incident history
No incidents to report since 2026-04-29.
For incident-history requests, contact security@deepmantis.io.
Responsible disclosure
We welcome security research. Report vulnerabilities to security@deepmantis.io.
SLA. We target 48 hours for triage and acknowledgement.
Safe harbor.We won’t pursue legal action against good-faith research that respects scope, avoids degradation of service, and gives us reasonable disclosure time (90 days default, negotiable). Out of scope for the disclosure program: marketing-site DDoS, social engineering of staff, physical attacks against IJONIS UG offices.
Status
A public status page is on the roadmap. Until it ships, contact security@deepmantis.io for incident-history or uptime questions.
Contact
Delivered autonomous.