External Pentest · 0 Critical · 0 High · April 2026

Security & Trust
Verified, Not Just Claimed

Independent penetration test by Pentx Security (April 7-14, 2026) — 182 tests across 9 attack categories, 0 critical and 0 high findings. CI-gated threat detection at 100% precision on the 241-sample test corpus. Hash-chained audit log with 7-year WORM retention.

External Pentest 0/0 · 100% CI Precision · HMAC-SHA256 Audit Chain · PBKDF2 600K Iterations · 14-Framework Mapped

0/0: Critical / High findings (Apr 2026 pentest)
182: Pentest cases (9 attack categories)
100%: CI precision (241-sample corpus)
14: Compliance frameworks (2,000+ controls mapped)
7yr: WORM retention (S3 Object Lock)
8: CI security scanners (CodeQL · Trivy · ZAP …)
TLS 1.3 only: TLS 1.2 disabled
600K: PBKDF2 iterations (OWASP 2024 guidance)

Why Security & Trust Matter

When one platform secures your APIs, AI agents, LLM traffic and plugin deployments, you need to be able to trust that platform itself.

The Security Paradox

1

Your Security Tool is an Attack Vector

Every security platform you add to your stack becomes a potential target. If your API security gateway is breached, attackers have full visibility into your APIs and can disable protections.

2

Black Box Trust Problem

Most security vendors ask you to trust their infrastructure without visibility. You don't know who has access to your logs, how data is encrypted, or if compliance controls actually work.

3

Vendor Lock-In Risk

Cloud-only security platforms create single points of failure. If the vendor has an outage, your APIs go down. If they change pricing, you're stuck. If they shut down, you lose everything.

The G8KEPR Approach

Independently Verified Security

External pentest by Pentx Security (April 2026): 0 critical, 0 high, 3 medium remediated across 182 black-box tests. CI baseline enforces 100% precision and 87.96% recall on every commit — regression fails the build.

HMAC-Keyed Hash-Chain Audit

Audit log entries chained with HMAC-SHA256 + deployment secret — not raw SHA-256. An attacker with database access still cannot forge a valid chain entry without the key. 84-month WORM retention. Three verification levels (full chain, single entry, last-N).

Self-Hosting Available · No Lock-In

Run G8KEPR as SaaS or deploy on your own infrastructure via Docker containers and Kubernetes Helm charts. Export all data anytime in standard formats (JSON, CSV). Built on open standards (REST, OAuth, JWT) for portability.

Enterprise Security Controls

Production-ready security features protecting your APIs and AI agents

TLS 1.3 Only

TLS 1.3 only, using the AES-256-GCM and ChaCha20-Poly1305 suites (TLS_AES_256_GCM_SHA384 and TLS_CHACHA20_POLY1305_SHA256). TLS 1.2 is explicitly disabled, so a client that cannot speak 1.3 is refused rather than downgraded. mTLS for internal service-to-service traffic.

AES-256-GCM at Rest

Application-level encryption for API keys, OAuth secrets, TOTP secrets, webhook secrets and MCP secrets, applied by the application itself rather than relying on disk or database encryption alone. A fresh 96-bit nonce is generated per operation and must never repeat under the same key; the 128-bit authentication tag makes an edited ciphertext, a wrong key or a wrong context fail closed instead of decrypting to garbage.

PBKDF2 + bcrypt

PBKDF2-HMAC-SHA256 at 600,000 iterations, the figure in the OWASP Password Storage Cheat Sheet (2024 guidance). Account passwords use bcrypt at cost factor 12 or higher. Every secret comparison is timing-safe (constant-time), so an attacker cannot learn a prefix of a key or hash from response latency.

HMAC Keyed Audit Chain

Each entry is authenticated with HMAC-SHA256 under a deployment-specific key, and the chain's genesis value is itself derived from that key. HMAC is a keyed MAC, not a digital signature: anyone holding the key can produce valid entries, which is why the key lives outside the database. Database access alone therefore cannot forge a valid chain entry.

7-Year WORM Retention

90 days hot in PostgreSQL (monthly partitions), then 7 years cold in S3 with Object Lock in COMPLIANCE mode, under which the retention period cannot be shortened and the lock cannot be removed by any principal, including the account root, until it expires. Batch writes give 10-20x the throughput of per-entry inserts.

Three Verification Levels

Full-chain verification (every entry from genesis to head), single-entry spot check, and last-N rapid integrity check. Each level detects retroactive modification by recomputing the HMAC for the entries it covers and checking that each entry's stored previous-hash matches the entry before it. A spot check or last-N pass only vouches for the entries it recomputes; proving that nothing was inserted or removed in the middle needs the full pass, and removal of the newest entries is invisible to the chain alone unless the current head is compared against a copy stored outside the database.

8 CI Security Scanners

Every merge gates on CodeQL, Bandit, Trivy, pip-audit, npm audit, OWASP ZAP, Gitleaks, and Semgrep. Build fails on any new finding.

Key Rotation w/ Fallback

JWT_SECRET rotates every 90 days, ENCRYPTION_KEY every year. Decryption keeps the previous key as a fallback, so ciphertexts written under the old key stay readable after the switch and rotation needs no downtime.

Independent Third-Party · April 7-14, 2026

External Penetration Test Results

Black-box external test by Pentx Security across api.g8kepr.com, app.g8kepr.com, and g8kepr.com. 182 tests across 9 attack categories.

Critical: 0
High: 0
Medium: 3 (remediated)
Low: 2 (accepted risk)
Info: 7 (no action)

9 attack categories tested: Authentication · Authorization · Injection · SSRF · IDOR · Rate Limiting · Session Management · Cryptography · Misc Configuration & Data Exposure

Medium findings remediated: robots path disclosure cleanup, marketing-subdomain security headers, IPv4/IPv6 rate-limit normalization. Re-verified in the same test window.

Next test: Q3 2026 (July). Expanded scope: authenticated dashboard, API-key lifecycle, billing flow. Black-box external scope unchanged.
Build-Gated Detection Baseline

100% Precision · CI-Verified

A 241-sample test corpus (191 attacks + 50 benign) is checked into the repo. Every commit runs the corpus through the detection engine. The build fails automatically if precision drops below 100% or recall drops below 87.96%.

Precision: 1.000 (0 false positives)
Recall: 0.880 (168 / 191 caught)
F1: 0.936 (composite)
Detection under load: 99.71% threat-analysis success across 2,424 concurrent requests. Cache-hit overhead: under 1 millisecond.
Threat Model

STRIDE Coverage · All Six

Each STRIDE category mapped to a concrete platform mitigation, not generic hand-waving:

Spoofing
JWT signature validation · API key hashing · X-Forwarded-For validation
Tampering
Parameterized queries · CSP · CSRF tokens · hash-chain audit
Repudiation
Immutable HMAC-SHA256 audit log · 7-year WORM retention
Info Disclosure
Error sanitization · PII redaction · timing-safe comparisons
Denial of Service
Redis sliding-window rate limit · circuit breakers · body-size cap · timeouts
Elevation of Privilege
RBAC · RLS org_id checks · scope validation · JTI replay prevention

Compliance & Certifications

Building towards comprehensive compliance with transparency

2,000+ controls mapped across 14 compliance frameworks. Every audit-log entry, every rate-limit event, every policy decision is mapped to specific control IDs — auditors get exports, not spreadsheets. Maturity language follows the data-room baseline (March 2026).

Controls mapped per framework:
NIST 800-53 Rev5: 1,000+
PCI DSS v4: 300+
CSA CCM v4: 197
CIS Controls v8: 153
CMMC 2.0: 110+
NIST CSF 2.0: 106
ISO 27001:2022: 93
FedRAMP: 84
NIST AI RMF: 72
SOC 2: 64
HIPAA: 48
ISO 42001: 27
EU AI Act: 23
MITRE ATLAS: 22

Current status:
SOC 2 Type I: Ready for audit
SOC 2 Type II: Observation in progress
GDPR: Controls implemented
HIPAA: BAA workflow available
EU AI Act: Article mapping complete (Art. 9, 11-15)
ISO 27001:2022: Aligned (not certified)

Honest Compliance Boundaries

G8KEPR provides the technical controls and evidence — your auditor issues the certification. The maturity labels above match our internal data-room baseline. Below is what we will and will not say about ourselves until attested by a third party.

We say
  • SOC 2 Type II observation in progress
  • HIPAA-Ready with BAA workflow
  • GDPR controls implemented (Art. 5, 12, 17, 28, 32)
  • EU AI Act Article mapping complete (9, 11-15)
  • ISO 27001-aligned (controls mapped)
  • FedRAMP NIST 800-53 mapping artifacts available
We do NOT say (until attested)
  • SOC 2 Type II Certified
  • HIPAA Certified
  • GDPR Certified
  • EU AI Act Certified
  • ISO 27001 Certified
  • FedRAMP Authorized (no ATO yet)

GDPR Data Subject Rights · Implemented

Art. 15 Right of Access: Data subject access request workflow generates a full data export per user.
Art. 16 Right to Rectification: Tracked via the deletion_requests table.
Art. 17 Right to Erasure: Deletion covers PostgreSQL, Redis sessions and audit-log redaction. PII in backups and logs is tracked separately.

Independent Security Validation

Third-party verification of our security posture

Penetration Testing

Last test: Q2 2026
Performed by: Third-party security firm (name disclosed under NDA)
Scope: Control plane API, customer-VPC sensor, AI Gateway, MCP Security, distribution chain
Findings: Zero critical; all high/medium findings remediated prior to GA
Next test scheduled: Q2 2027 (annual cadence)

Full report available under NDA. Contact security@g8kepr.com

Cosign Signing Infrastructure

Standard: Sigstore Cosign (Ed25519)
Key generation: Generated in hardware; the key never exists in plaintext
Key storage: Hardware security module (HSM)
Rotation policy: Annual, or immediately upon any compromise indicator
Tamper detection: Compromise triggers immediate revocation, customer notification and a DR drill

Public key pinning

The fingerprint of the G8KEPR cosign public key is published in the sensor documentation so customers can pin it and independently verify every pattern pack before loading it (with the standard cosign verify-blob command, pointing --key at the published public key and --signature at the pack's detached signature). The fingerprint comparison is the step that matters: a public key fetched over the same channel as the pack proves nothing on its own.

Why Choose G8KEPR for Security?

Secure your security platform

Externally Verified

Independent black-box pentest by Pentx Security (April 2026): 0 critical, 0 high across 182 tests in 9 categories. Next test scheduled Q3 2026 with expanded scope (auth dashboard, API key lifecycle, billing). Findings published, not hidden.

CI-Gated Quality

Detection precision is enforced at 100% on every commit — regression below that, or below 87.96% recall, fails the build. Plus 8 security scanners (CodeQL, Bandit, Trivy, pip-audit, npm audit, OWASP ZAP, Gitleaks, Semgrep) gate every merge.

Tamper-Evident by Design

Enterprise security controls built in: TLS 1.3 with AES-256 encryption, RBAC with MFA, tamper-evident audit logs (the HMAC chain lets modification be detected, not prevented), real-time monitoring, Sigstore Cosign-signed pattern packs, and independent third-party penetration testing. These are the technical controls that SOC 2, HIPAA and PCI DSS audits examine; the certification itself comes from your auditor, as the compliance boundaries above state.

Security & Compliance FAQs

Common questions about G8KEPR security and trust

Questions About
Security or Compliance?

We're transparent about our security practices and compliance status.
Contact our security team for detailed discussions about your requirements.

Run on your own infrastructure • Full data control • Enterprise security