Skip to content
Now taking design partners.Roadmap →

Our security

We sell supply-chain security. We treat our own posture the same way.

Sekeye will be pen-tested. Everything here is how we prepare for that, and how we hold ourselves to the same standard we hold customers to.

Transport. Today

TLS + Bearer API key on ingest. Per-endpoint enrolment tokens. Agent is read-only, pull-only. No inbound path into the fleet.

Transport. M6

mTLS between agent and backend, protobuf snapshot bodies, certificate pinning. Replaces the Bearer path; landing with the Ed25519 licence + self-host package. Roadmap says it out loud.

Agent least-privilege

User-context scans where possible. A small privileged helper handles system-wide inventory on Windows and macOS.

No secret values

Env values, file contents, browsing, and keystrokes are outside the ingest schema. Records containing them are rejected server-side.

Signed everything

Binaries, update manifests, catalog bundles, and campaign payloads are Ed25519-signed. Agents verify before executing custom collector params.

Own SBOM

SBOM plus signed provenance planned for every release. We sell supply-chain security. We eat our own dog food.

SOC 2

SOC 2 is on the roadmap once design partners are in production. Type I to start, Type II afterwards. No claims until audited.