Security overview¶
How Vex Raptor protects your data, your credentials, and the systems you test. This page is written for security and procurement teams evaluating Vex Raptor.
At a glance
- Self-hosted by default — scan data never leaves your infrastructure.
- Authorization-gated — every external target requires proven domain ownership.
- Least privilege — scoped API keys, RBAC, and short-lived session tokens.
- Auditable — every privileged action is written to an audit log.
Data handling¶
Vex Raptor is deployed inside your perimeter. Scan targets, findings, evidence, and reports are stored in your PostgreSQL and storage — Vex operates no cloud that receives your attack data. In the default configuration the only outbound call is license validation; AI depth and threat-intel enrichment are opt-in and documented per provider.
| Data class | Where it lives | Encryption | Retention |
|---|---|---|---|
| Session tokens (JWT) | Client + Redis JTI list | TLS in transit | 2-hour expiry |
| Scan findings & evidence | Your PostgreSQL | At rest via your DB/volume encryption | Configurable per org |
| Reports (HTML/PDF/JSON) | Your storage | At rest via your storage | Configurable |
| Auth credentials for authenticated scans | Encrypted at rest, redacted in logs | AES-GCM | Deleted with the scan |
See Data handling & privacy for the full model.
Authentication & access¶
- Sessions: JWT with a 2-hour expiry and a server-side revocation list (JTI). Logout and admin revocation take effect immediately.
- SSO/OIDC: on enterprise plans, users authenticate through your IdP; id-token signatures are verified against your IdP's JWKS. See SSO & RBAC.
- RBAC:
adminand operator roles; privileged routes requireadmin. - API keys: per-org, scoped, and revocable — used for CI and automation. See API keys.
Testing safety controls¶
Vex Raptor is offensive software; these controls keep it inside its lane.
- Scope-lock — the engine cannot emit traffic outside the authorized target set. Internal and cloud-metadata addresses are blocked and the check fails closed.
- SSRF protection — targets are resolved and validated against loopback, link-local, cloud-metadata, and private ranges, with anti-rebinding IP pinning.
- Rate limiting — a configurable per-target rate cap keeps tests non-disruptive; destructive checks are opt-in.
- Prompt-injection defense — observations returned to the AI agent are sanitized so a target cannot hijack the agent off-engagement.
Auditability¶
Every privileged action (login, scan start, key issuance, config change) is recorded with actor, timestamp, and org context. Export audit events via the API for your SIEM.
Compliance & certifications¶
See Compliance for framework status and how Vex Raptor maps customer scans to SOC 2, PCI-DSS, ISO 27001, and GDPR controls.
Report a vulnerability¶
Found a security issue in Vex Raptor itself? See Vulnerability disclosure.