Security Posture

Security is the product.

We build security software and run security assessments, so our own posture has to hold up to the same scrutiny we apply to clients. Sovereign by design, least-privilege by default, and tested by people who break things for a living.

Sovereign by design

Collection, analysis, and reporting stay on-box or on your infrastructure. No client data, evidence, or findings are sent to a third-party cloud, SaaS, or telemetry endpoint.

Encryption everywhere

TLS in transit; AES-GCM vaults and hashed credentials (PBKDF2 / bcrypt) at rest. Local evidence stores are encrypted; secrets live in scoped stores, never in source.

Least privilege

Role-based access (admin / investigator / evaluator / read-only), tag-scoped data retrieval, and per-application isolation so no component sees more than its mission requires.

Governed data

Internal corpora are classified, access-controlled, and never reproduced in customer-facing output. Investigative work is chain-of-custody aware and admissibility-minded.

Hardened edge

Production apps sit behind a managed WAF with bot mitigation, security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options), DNSSEC, and signature-verified webhooks.

Continuously tested

We run our own offensive, defensive, and dependency reviews on a recurring basis, mapped to MITRE ATT&CK, OWASP Top 10, and NIST CSF.

Control Map

How our posture maps to frameworks

| Control | Implementation | Framework |
| --- | --- | --- |
| Identity & access | SSO, RBAC, MFA on privileged tiers, opaque session tokens | PR.AC · ATT&CK TA0006 |
| Data protection | TLS, AES-GCM at rest, hashed creds, on-box storage | PR.DS |
| Application security | Parameterized SQL, CORS allowlist, input validation, SQL-lint gate | OWASP A01/A03 |
| Edge & network | Managed WAF, bot mitigation, security headers, DNSSEC | PR.PT · DE.CM |
| Detection & response | Error-triage pipeline, dependency auditing, IR runbooks | DE.CM · RS.RP |

Responsible Disclosure

Found something? Tell us first.

We welcome good-faith security research. If you discover a vulnerability in an Omega Point property, report it privately and give us a reasonable window to remediate before any public disclosure.

  • Email [email protected] with steps to reproduce and impact.
  • Do not access, modify, or exfiltrate data that isn't yours; do not run denial-of-service or automated mass-scanning.
  • Stay within scope and the law. We will not pursue good-faith researchers who follow this policy.

Safe harbor applies only to testing that is authorized by this policy. Unauthorized intrusion, data theft, or service disruption is outside scope and may be unlawful.

Engagement integrity. When we perform assessments for clients, all active testing is authorized in writing, scoped, and conducted within the Fourth Amendment and controlling case law. Work that requires a warrant, subpoena, or consent does not proceed until that authority exists. See Legal and Disclaimer.

Need your own posture tested?

The same discipline we apply to ourselves, applied to your environment: cyber, physical, or critical infrastructure.
