
Security

How SentriKat protects your data and your infrastructure. Transparency is the foundation of trust.

Architecture & Data Flow

SentriKat deploys 100% on-premises. Every component — the FastAPI application server, PostgreSQL database, and nginx reverse proxy — runs in Docker containers on your infrastructure. No customer data is ever transmitted externally.

Outbound network connections are limited to public vulnerability feeds and license validation:

  • CISA KEV catalog — public JSON feed, no authentication required
  • NVD API — public CVE data, optional API key for higher rate limits
  • Vendor advisories — OSV.dev, Red Hat, Microsoft MSRC, Debian security feeds
  • NVD CPE dictionary — for software-to-CPE matching
  • License heartbeat — daily call to license.sentrikat.com transmitting only the license key and agent count (no customer data)

All vulnerability feed connections are download-only. No inventory data, vulnerability matches, or user information leaves your network.

For classified or restricted environments, SentriKat supports fully air-gapped deployment with manual feed imports.

Application Security Controls

Authentication

  • Password hashing: bcrypt with cost factor 12
  • Two-factor authentication: TOTP 2FA (RFC 6238) with encrypted secret storage
  • Enterprise SSO: LDAP/Active Directory and SAML integration
  • Secure session management with HttpOnly, Secure, SameSite cookies
  • Admin API: HMAC constant-time key comparison to prevent timing attacks

Encryption

  • Data at rest: Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256)
  • Data in transit: TLS 1.2+ enforced via nginx with HSTS
  • License signing: RSA digital signatures with offline verification
  • Secure cookie attributes enforced across all endpoints

Input Validation & Injection Prevention

  • SQLAlchemy ORM — parameterized queries prevent SQL injection
  • Pydantic v2 — strict input validation on all API endpoints
  • CSRF protection — token-based cross-site request forgery prevention
  • Content Security Policy headers, X-Frame-Options: DENY, X-Content-Type-Options: nosniff
  • Cloudflare Turnstile — bot protection on public forms

Rate Limiting

  • API endpoints: 1,000 requests/day, 200 requests/hour per client
  • Agent authentication via API key with per-installation scoping
  • Admin endpoints: separate authentication with dedicated API key

Infrastructure Security

  • Docker container isolation — each service runs in its own container with limited privileges
  • nginx reverse proxy — TLS termination, security headers, request filtering
  • PostgreSQL not exposed — database listens only on the internal Docker network, not on host interfaces
  • Audit logging — all administrative actions logged with timestamps, IP addresses, and user identification
  • Backup & restore — built-in database backup and restore functionality
  • Data retention — activation logs automatically purged after 90 days to minimize stored data

License Security

  • RSA-signed license JWTs — licenses are digitally signed and verified offline by the agent
  • No customer data in license calls — activation and heartbeat endpoints transmit only installation IDs and software inventory hashes
  • Installation binding — each license is bound to a specific installation, preventing unauthorized reuse
  • Offline verification — agents verify license validity locally using the embedded public key, no network call required after initial activation

Compliance Alignment

SentriKat is designed to help organizations meet the vulnerability management requirements of:

  • NIS2 Article 21: Vulnerability handling and disclosure for EU essential and important entities
  • DORA (EU 2022/2554): ICT vulnerability management for financial entities
  • CISA BOD 22-01: KEV remediation timelines for federal agencies and contractors
  • GDPR & nLPD: On-premises deployment ensures data sovereignty and minimizes processing scope
  • ISO 27001: Supports Annex A control A.12.6 (Technical Vulnerability Management)
  • Swiss FINMA: On-premises processing satisfies data residency requirements for Swiss financial regulation

Tamper-Proof Compliance Reports

Exported compliance reports (CISA BOD 22-01, NIS2 Article 21) include cryptographic attestation and tamper-detection hashes. Each report contains a complete audit trail, ensuring document integrity can be independently verified. Pro license holders can apply white-label branding to exported documents.

OWASP ASVS Self-Assessment

SentriKat has completed a self-assessment against the OWASP Application Security Verification Standard (ASVS) v4.0.3 at Level 1. All 14 chapters pass with documented evidence per requirement.

  • Chapters Passed: 14/14
  • ASVS Level: L1
  • Standard Version: v4.0.3
  • Full Evidence Published: Open

This is a self-assessment, not an independent third-party audit. The full evidence tables are published transparently on GitHub for review.

Security Standards & Practices

SentriKat's codebase addresses the following industry-standard security frameworks. These are self-assessed based on the controls documented in our security audit.

OWASP Top 10 Mitigated
OWASP Top 10 — All Categories Addressed
  • A01 Broken Access Control — RBAC + multi-tenant isolation
  • A02 Cryptographic Failures — Fernet AES + bcrypt
  • A03 Injection — SQLAlchemy ORM, no raw SQL
  • A05 Security Misconfiguration — Talisman headers
  • A07 XSS — Jinja2 autoescaping + CSP

CWE Top 25 Mitigated
CWE Top 25 — Most Dangerous Software Weaknesses
  • CWE-79 XSS — autoescaping + Content Security Policy
  • CWE-89 SQL Injection — parameterized ORM queries
  • CWE-287 Auth — bcrypt + TOTP 2FA + account lockout
  • CWE-352 CSRF — token-based protection on all forms
  • CWE-862 Missing AuthZ — server-side RBAC decorators

12-Factor App Followed
12-Factor Application Methodology
  • Config — environment variables, no hardcoded secrets
  • Backing services — PostgreSQL as attached resource
  • Port binding — self-contained via gunicorn
  • Logs — structured log streams to stdout
  • Dev/prod parity — Docker Compose for all environments

Security Headers Hardened
HTTP Security Headers — Verifiable
  • Strict-Transport-Security — HSTS with 1-year max-age
  • Content-Security-Policy — restrictive CSP via Talisman
  • X-Frame-Options — DENY (clickjacking prevention)
  • X-Content-Type-Options — nosniff
  • Referrer-Policy — strict-origin-when-cross-origin

All claims above are self-assessed. OWASP Top 10 and CWE Top 25 coverage is based on controls documented in our security audit. Security headers can be independently verified against any SentriKat deployment.
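
The header claims listed above can be checked mechanically against a response from your own deployment. The following is an added example, not SentriKat's code: it audits a set of response headers against the values stated on this page. The sample headers are constructed, and the definition of a "restrictive" CSP (a default-src is present and script sources contain no wildcard or unsafe-* keyword) is an assumption made for the example.

```python
import re

ONE_YEAR = 31536000  # seconds; the page states HSTS with a 1-year max-age
RISKY = {"*", "'unsafe-inline'", "'unsafe-eval'"}  # assumption: what "restrictive" excludes

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def audit_headers(headers):
    """Return findings for one response; an empty list means every claim holds."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    def need(ok, msg):
        if not ok:
            findings.append(msg)
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    need(m is not None and int(m.group(1)) >= ONE_YEAR, "hsts: max-age missing or below one year")
    need(h.get("x-frame-options", "").upper() == "DENY", "x-frame-options: not DENY")
    need(h.get("x-content-type-options", "").lower() == "nosniff", "x-content-type-options: not nosniff")
    # Referrer-Policy may be a comma-separated fallback list; this check takes the last entry.
    policy = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    need(policy == "strict-origin-when-cross-origin", "referrer-policy: unexpected value")
    csp = parse_csp(h.get("content-security-policy", ""))
    need("default-src" in csp, "csp: no default-src")
    # script-src falls back to default-src when it is absent.
    script = csp.get("script-src", csp.get("default-src", []))
    need(not (RISKY & {s.lower() for s in script}), "csp: risky script source")
    return findings

# Constructed sample responses (not captured from a real deployment).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
}
WEAK = {
    "strict-transport-security": "max-age=86400",
    "content-security-policy": "script-src 'self' 'unsafe-inline'",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}
```

Call `audit_headers()` on the header dictionary returned by your HTTP client for the deployment's HTTPS endpoint; header names are matched case-insensitively.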

Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability in SentriKat:

  • Email [email protected]
  • We will acknowledge your report within 48 hours
  • We will not take legal action against researchers acting in good faith
  • We will credit you (if desired) when the fix is released

Please provide sufficient detail to reproduce the issue. Include your PGP public key if you'd like encrypted communication.

Security Audit Report

Our full security audit report is publicly available on GitHub. It covers the complete security posture of the SentriKat platform including authentication, encryption, API security, infrastructure hardening, and compliance alignment.