Skip to content

Security overview

How Vex Raptor protects your data, your credentials, and the systems you test. This page is written for security and procurement teams evaluating Vex Raptor.

At a glance

  • Self-hosted by default — scan data never leaves your infrastructure.
  • Authorization-gated — every external target requires proven domain ownership.
  • Least privilege — scoped API keys, RBAC, and short-lived session tokens.
  • Auditable — every privileged action is written to an audit log.

Data handling

Vex Raptor is deployed inside your perimeter. Scan targets, findings, evidence, and reports are stored in your PostgreSQL and storage — Vex operates no cloud that receives your attack data. In the default configuration the only outbound call is license validation; AI depth and threat-intel enrichment are opt-in and documented per provider.

Data class Where it lives Encryption Retention
Session tokens (JWT) Client + Redis JTI list TLS in transit 2-hour expiry
Scan findings & evidence Your PostgreSQL At rest via your DB/volume encryption Configurable per org
Reports (HTML/PDF/JSON) Your storage At rest via your storage Configurable
Auth credentials for authenticated scans Encrypted at rest, redacted in logs AES-GCM Deleted with the scan

See Data handling & privacy for the full model.

Authentication & access

  • Sessions: JWT with a 2-hour expiry and a server-side revocation list (JTI). Logout and admin revocation take effect immediately.
  • SSO/OIDC: on enterprise plans, users authenticate through your IdP; id-token signatures are verified against your IdP's JWKS. See SSO & RBAC.
  • RBAC: admin and operator roles; privileged routes require admin.
  • API keys: per-org, scoped, and revocable — used for CI and automation. See API keys.

Testing safety controls

Vex Raptor is offensive software; these controls keep it inside its lane.

  • Scope-lock — the engine cannot emit traffic outside the authorized target set. Internal and cloud-metadata addresses are blocked and the check fails closed.
  • SSRF protection — targets are resolved and validated against loopback, link-local, cloud-metadata, and private ranges, with anti-rebinding IP pinning.
  • Rate limiting — a configurable per-target rate cap keeps tests non-disruptive; destructive checks are opt-in.
  • Prompt-injection defense — observations returned to the AI agent are sanitized so a target cannot hijack the agent off-engagement.

Auditability

Every privileged action (login, scan start, key issuance, config change) is recorded with actor, timestamp, and org context. Export audit events via the API for your SIEM.

Compliance & certifications

See Compliance for framework status and how Vex Raptor maps customer scans to SOC 2, PCI-DSS, ISO 27001, and GDPR controls.

Report a vulnerability

Found a security issue in Vex Raptor itself? See Vulnerability disclosure.