SECURITY POSTURE
Built by people who’ve read the breach post-mortems.
FAIL_CLOSED by default. HMAC-signed audit. Offline ML. AES-256-GCM at rest. Nothing leaves your network unless you configure an outbound provider.
Threat model
Ten attack vectors. Ten places Verosek catches them.
| Attack vector | Where Verosek catches it |
|---|---|
| Tool poisoning (malicious tool description) | Policy engine CHK-001, Shield CHK-020 |
| Prompt injection — direct | Shield CHK-013 / CHK-014 multilingual classifier |
| Prompt injection — indirect via tool output | Shield CHK-020 — the capability competitors can’t ship |
| Identity confusion (prompt overrides permissions) | Identity check at gateway; permissions in execution layer |
| Cross-tool privilege escalation | Session drift CHK-022 cumulative tracking |
| One-time auth persistence (MCP tokens never expire) | TTL on virtual keys + CHK-012 |
| Uncontrolled destructive operations (DROP TABLE) | CHK-003 / CHK-004 block DROP and DELETE |
| PII / secret exfiltration | CHK-005, CHK-009, CHK-015, CHK-016, CHK-018, CHK-019, CHK-021 |
| Hallucination of grounded-looking answers | CHK-023 offline grounding verdict |
| Scope creep (agent answers about unauthorised topics) | CHK-024 off-topic embedding similarity |
Data handling
Your data stays in your network.
In transit
TLS 1.3 to your configured providers. mTLS between gateway and ML container if enabled.
At rest
MCP credentials encrypted with AES-256-GCM. Signing keys stored in env / secrets manager of your choice.
Key storage
No multi-tenant key pool. Your deployment, your keys, your rotation cadence.
Fail-safe
FAIL_CLOSED by default. FAIL_OPEN is opt-in, per key.
FAIL_CLOSED
Gateway unreachable → tool calls blocked, structured error returned. The only safe default for keys with write access or sensitive data.
FAIL_OPEN
Gateway unreachable → tool calls pass with an alert flag in the audit. For read-only, low-sensitivity agents where availability wins.
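The two fail modes, plus the HMAC-signed audit mentioned at the top of the page, as an added Python example. This is not Verosek's code: the audit chaining scheme, the `VirtualKey` / `AuditLog` / `call_tool` names, the in-memory tool registry and the `gateway_up` / `gateway_down` stand-ins for the policy gateway are all constructed for the demo, and the guard that refuses FAIL_OPEN on write-capable keys is an assumption the page only implies.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical signing key for the audit trail. The page says signing keys live
# in env or a secrets manager; this constant is a constructed stand-in.
AUDIT_HMAC_KEY = b"constructed-demo-audit-signing-key"

FAIL_CLOSED = "FAIL_CLOSED"
FAIL_OPEN = "FAIL_OPEN"


class GatewayUnreachable(Exception):
    """Raised when the policy gateway cannot be reached."""


@dataclass
class VirtualKey:
    key_id: str
    fail_mode: str = FAIL_CLOSED   # FAIL_OPEN is opt-in, per key
    write_access: bool = False

    def __post_init__(self) -> None:
        # Assumed guard, not a documented product rule: the page reserves
        # FAIL_OPEN for read-only agents, so refuse it on keys that can write.
        if self.fail_mode == FAIL_OPEN and self.write_access:
            raise ValueError(f"{self.key_id}: FAIL_OPEN not permitted with write access")


@dataclass
class AuditLog:
    """Hash-chained, HMAC-signed entries: editing or dropping one breaks verify()."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _sig(prev_sig: str, body: dict) -> str:
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(AUDIT_HMAC_KEY, prev_sig.encode() + payload, hashlib.sha256).hexdigest()

    def append(self, body: dict) -> dict:
        prev = self.entries[-1]["sig"] if self.entries else ""
        entry = dict(body, seq=len(self.entries))
        entry["sig"] = self._sig(prev, entry)   # signed over body + seq, chained to prev
        entry["prev_sig"] = prev
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = ""
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("sig", "prev_sig")}
            if e["prev_sig"] != prev or not hmac.compare_digest(e["sig"], self._sig(prev, body)):
                return False
            prev = e["sig"]
        return True


# Constructed in-memory tools standing in for real MCP tools.
TOOLS = {
    "read_rows": lambda args: [{"id": 1, "name": "alice"}],
    "drop_table": lambda args: f"dropped {args.get('table')}",
}


def call_tool(key: VirtualKey, tool: str, args: dict,
              gateway_check: Callable[[str, dict], dict], audit: AuditLog) -> dict:
    """Ask the gateway for a verdict; if it is unreachable, apply the key's fail mode."""
    try:
        verdict = gateway_check(tool, args)
    except GatewayUnreachable as exc:
        if key.fail_mode == FAIL_OPEN:
            # Availability wins: the call proceeds, but the audit entry carries an alert flag.
            audit.append({"key": key.key_id, "tool": tool, "decision": "allow",
                          "alert": "gateway_unreachable", "detail": str(exc)})
            return {"status": "ok", "alert": "gateway_unreachable", "result": TOOLS[tool](args)}
        # FAIL_CLOSED: block and hand back a structured error instead of a silent pass.
        audit.append({"key": key.key_id, "tool": tool, "decision": "block",
                      "reason": "gateway_unreachable"})
        return {"status": "error", "code": "GATEWAY_UNREACHABLE",
                "message": "tool call blocked: policy gateway unreachable (FAIL_CLOSED)"}
    if not verdict.get("allowed", False):
        reason = verdict.get("reason", "policy")
        audit.append({"key": key.key_id, "tool": tool, "decision": "block", "reason": reason})
        return {"status": "error", "code": "POLICY_DENIED", "message": reason}
    audit.append({"key": key.key_id, "tool": tool, "decision": "allow"})
    return {"status": "ok", "result": TOOLS[tool](args)}


def gateway_down(tool: str, args: dict) -> dict:
    raise GatewayUnreachable("connect timeout")


def gateway_up(tool: str, args: dict) -> dict:
    # Constructed stand-in for the policy engine: CHK-003/CHK-004 block DROP.
    if tool == "drop_table":
        return {"allowed": False, "reason": "CHK-003 destructive operation"}
    return {"allowed": True}


if __name__ == "__main__":
    audit = AuditLog()
    print(call_tool(VirtualKey("k-closed"), "read_rows", {}, gateway_down, audit))
    print(call_tool(VirtualKey("k-open", fail_mode=FAIL_OPEN), "read_rows", {}, gateway_down, audit))
    print(call_tool(VirtualKey("k-closed"), "drop_table", {"table": "users"}, gateway_up, audit))
    print("audit chain intact:", audit.verify())
```

The point to notice is that FAIL_OPEN never produces a silent success: the returned result and the audit entry both carry the alert flag, so an outage of the gateway is visible after the fact even though the call went through. Chaining each entry's HMAC to the previous signature means an attacker who edits or drops an earlier entry invalidates everything after it, which is what makes the audit useful as evidence rather than just a log.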
PII handling
Four redaction modes. One PII engine.
mode: tag
Preserve the string; tag the span in the audit trace.
mode: fake
Replace with a realistic synthetic value of the same entity type.
mode: mask
Replace with asterisks (e.g. ****-****-****-1234).
mode: hash
Replace with a salted SHA-256. Deterministic per session.
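The four redaction modes side by side, as an added Python example that is not Verosek's PII engine. The two regex detectors (email and 16-digit card), the `Redactor` class, the shape of the audit-trace entries, the synthetic-value generator (a Luhn-valid card number and an `@example.com` address derived from the per-session hash) and the mask shape for emails are all assumptions made for the demo; the page only specifies the asterisk form for card numbers and that hash mode is a salted SHA-256 that is deterministic per session.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Constructed detectors for two entity types, only so the four modes run offline;
# the product's PII engine is not described on the page and this is not its code.
DETECTORS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "CARD": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                          # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(digits: str) -> bool:
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]


@dataclass
class Redactor:
    mode: str                                   # tag | fake | mask | hash
    session_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    audit_trace: list = field(default_factory=list)

    def _hash(self, value: str) -> str:
        # Salted SHA-256: stable within a session, unlinkable across sessions.
        return hashlib.sha256(self.session_salt + value.encode()).hexdigest()

    def _fake(self, entity: str, value: str) -> str:
        seed = self._hash(value)                # same input -> same fake within the session
        if entity == "EMAIL":
            return f"user{int(seed[:8], 16) % 100000:05d}@example.com"
        payload = "4" + "".join(str(int(c, 16) % 10) for c in seed[:14])
        digits = payload + luhn_check_digit(payload)   # passes Luhn like a real PAN
        return "-".join(digits[i:i + 4] for i in range(0, 16, 4))

    @staticmethod
    def _mask(entity: str, value: str) -> str:
        if entity == "CARD":
            return "****-****-****-" + re.sub(r"\D", "", value)[-4:]
        local, _, domain = value.partition("@")
        return "*" * len(local) + "@" + domain   # assumed mask shape for emails

    def _replace(self, entity: str, value: str) -> str:
        if self.mode == "tag":
            return value                        # preserved; only the span is recorded
        if self.mode == "fake":
            return self._fake(entity, value)
        if self.mode == "mask":
            return self._mask(entity, value)
        if self.mode == "hash":
            return f"<{entity}:sha256:{self._hash(value)}>"
        raise ValueError(f"unknown mode {self.mode!r}")

    def redact(self, text: str) -> str:
        matches = sorted((m.start(), m.end(), ent)
                         for ent, rx in DETECTORS.items() for m in rx.finditer(text))
        out, cursor = [], 0
        for start, end, entity in matches:
            if start < cursor:                  # overlaps a span already handled
                continue
            self.audit_trace.append({"entity": entity, "span": (start, end), "mode": self.mode})
            out.append(text[cursor:start])
            out.append(self._replace(entity, text[start:end]))
            cursor = end
        out.append(text[cursor:])
        return "".join(out)


SAMPLE = "Contact alice@example.org, card 4111-1111-1111-1111."  # constructed input

if __name__ == "__main__":
    salt = secrets.token_bytes(16)              # one salt per session
    for mode in ("tag", "fake", "mask", "hash"):
        print(mode, "->", Redactor(mode, session_salt=salt).redact(SAMPLE))
```

Two properties are worth checking when evaluating any implementation of these modes. In hash mode the salt is what keeps the output from being a reversible lookup: an unsalted SHA-256 of a card number or email is trivially brute-forced, while a fresh salt per session gives a stable join key inside the session and nothing linkable outside it. In fake mode the replacement should be well-formed for its entity type (here, Luhn-valid), otherwise downstream validators reject the redacted text and the redaction itself becomes the signal that a value was sensitive.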
Offline + air-gap
Every ML model ships inside your image.
No outbound inference calls. No third-party API telemetry. The Shield ML container runs entirely on-premises or in your VPC. Verify with verosek-verify-offline before going live.
Responsible disclosure
Found a vulnerability? Email us.
info@verosek.com — PGP key on /trust. We acknowledge within one business day, triage within five, and fix or mitigate within thirty for validated high-severity issues.
Request the security whitepaper.
Threat model, data flows, cryptographic primitives, and a mapping of our checks to MITRE ATLAS.