We publish our security posture openly — independent pentest results, CVE history, architecture controls, and SOC 2 progress. No marketing spin. Just the numbers.
Numbers an attacker has to defeat, not adjectives we picked for marketing.
Black-box external test by Pentx Security across api.g8kepr.com, app.g8kepr.com, www.g8kepr.com, and g8kepr.com. 182 tests across 9 attack categories.
No exploitable, immediate-impact issues
No high-severity findings
Remediated and re-verified in same window
Documented; compensating controls in place
Best-practice observations only
Robots path disclosure — internal route hints in robots.txt
Disposition: robots.txt hardened to remove path leaks; non-public routes excluded from sitemap and crawler hints
Marketing subdomain missing security headers (CSP, HSTS, Permissions-Policy)
Disposition: Full security-header set deployed across all marketing subdomains via shared middleware; verified at SSL Labs A+
IPv4/IPv6 rate-limit normalization gap — limits applied per-address-family
Disposition: Rate limiter now normalizes IPv4-mapped IPv6 (::ffff:x.x.x.x) to canonical IPv4 before bucket lookup; unified per-client enforcement
Two low-severity findings — accepted risk, documented
Disposition: Reviewed and formally accepted as low-impact in the engagement report. Compensating controls documented; tracked for revisit at next pentest.
Seven informational findings — no remediation required
Disposition: Best-practice observations from the report (e.g., header tuning, response-fingerprint variance). No security impact; no action required.
Full NDA-protected pentest report available to enterprise prospects on request. Request report →
A 241-sample test corpus (191 attack samples + 50 benign) is checked into the repository at .github/threat-detection-baseline.json. Every commit runs the corpus through the detection engine. The build fails automatically if precision drops below 100% or recall drops below 87.96%.
Most SaaS security is checkbox compliance — bolted on after the fact. G8KEPR built security into the core architecture from day one.
A breach must defeat every layer independently. Each layer is operated and verified separately — there is no single point of failure.
DDoS mitigation, origin IP hidden, TLS 1.3 terminated at edge
926 OWASP Core Rule Set rules active — blocks SQLi, XSS, RCE, path traversal
Rate limiting, JWT validation, scoped API keys, circuit breakers, MCP sandbox
PostgreSQL row-level security enforces tenant isolation at the DB layer
Section 18 of the platform reference identifies these as novel technical contributions not available in competing products. They are the difference between a security platform and a security platform that actually holds up under audit.
RLIMIT_CPU/AS/NOFILE/NPROC, setsid() process-group isolation, Linux capability dropping, two-stage SIGTERM→SIGKILL. The MCP spec mandates none of this — we built it because tool calls execute with real system permissions.
modules/mcp/sandbox/executor.pyRug-pull detection. Tool definitions hashed at tools/list time, re-verified on every tools/call. A malicious MCP server cannot silently swap a safe tool for a malicious one mid-session.
modules/mcp/tool_registry.pyStatistical baselines per provider per hour-of-day, not static thresholds. 4 rolling windows. Progressive recovery 10/25/50/100%. More resilient than Hystrix or Resilience4j against degradation attacks.
gateway/router.pyEvery event across API → Gateway → MCP → Verification shares one correlation ID. Forensics from a single query — impossible to stitch together when each pillar is a separate vendor product.
shared correlation_idEach entry signed via HMAC + deployment secret. Genesis derived from the key itself — unguessable. An attacker with full DB access still cannot forge a valid chain entry without the key.
genesis SHA-256 blockVerified against SSL Labs, securityheaders.com, and Mozilla Observatory. TLS 1.3 only — TLS 1.1 and 1.2 are disabled. All headers are enforced server-side, not just report-only.
Concrete primitives, not vague "industry-standard" promises. Algorithm choices match OWASP 2024 guidance.
TLS 1.2 explicitly disabled · mTLS for internal service-to-service
Application-level encryption for API keys, OAuth secrets, TOTP, webhooks, MCP secrets
Per OWASP 2024 password storage guidance · 256-bit output
Timing-safe comparisons via hmac.compare_digest() everywhere
DB access alone cannot forge an entry · genesis block derived from the key itself
Prefix in transit · SHA-256 hash at rest · timing-safe lookup
Decryption keeps previous key as fallback · zero-downtime rotation
Envelope encryption · KEK in KMS or HashiCorp Vault · per-record DEK
pip-audit + npm audit run as blocking CI gates on every pull request
No critical dependency vulnerabilities found in project lifetime
Next.js CVE-2025-29927 — header bypass. Patched same day, before any production traffic was routed
Automated alerts fire when a new CVE matches a pinned dependency version
SAST · Python + TypeScript
Python security linting
Container CVE scanning
Python dependency CVEs
Node dependency CVEs
Dynamic AppSec testing
Secret detection in git
Custom-rule SAST
Every PR runs all eight. Build fails on any new finding. TruffleHog scans every commit for accidentally committed credentials. SBOM diff is generated on every release.
All technical controls are implemented and independently verifiable. We are not SOC 2 certified — we say so plainly. External auditor engagement is scheduled H2 2026. We disclose our actual status, not a vaporware claim.
Found a vulnerability? We want to hear from you. Report privately to security@g8kepr.com and we will acknowledge within 24 hours with an initial severity assessment and remediation timeline.
Report privately
Email security@g8kepr.com — description, reproduction steps, and impact. PGP-encrypted reports welcome.
We acknowledge within 24h
You receive confirmation and an initial severity assessment. We commit to a remediation timeline.
We patch and keep you updated
P1/P2 issues are patched before public disclosure. We will keep you in the loop on progress.
Coordinated public disclosure
We work with you on timing and credit for public disclosure after the fix is deployed and verified.
Defined runbooks for every severity level — DR drills run quarterly
We publish our posture because we have nothing to hide. Need the full pentest report, an architecture review session, or a call with our security team — reach out.