
Security

Security is our product. We protect customer data with agentless-by-design checks in Surface Monitor and apply the same operational rigor to our manual testing services: least privilege, data minimization, and auditable processes.

Product security (Surface Monitor)

  • Agentless & read-only: no customer credentials or agents required.
  • Network-safety: low-impact checks with sensible rate limits; no destructive actions.
  • Isolation: per-tenant logical isolation; evidence separated by customer.
  • Transport & storage: TLS in transit; encrypted storage at rest.
  • Access controls: role-based access; least-privilege operations.
  • Monitoring: CT-log watch and config-drift alerts, with notifications delivered to email, Slack, or Teams.

Operational controls

  • MFA everywhere (phishing-resistant where supported); SSO for internal systems.
  • Least privilege & just-in-time access for sensitive resources.
  • Encrypted in transit and at rest; per-client segregation of evidence.
  • Device hardening: disk encryption, screen lock, patching, EDR.
  • Dependency hygiene: updates, vulnerability monitoring, SBOM awareness.

Data handling & retention

  • Minimize collection: only what’s necessary to test and prove impact.
  • Redaction by default for screenshots/logs; anonymize sensitive records when possible.
  • Time-bound retention (contract-defined) and secure purge at closure.
  • No third-party sharing beyond approved processors in the agreement.

Testing safety & authorization (manual)

  • Authorized testing only with signed Rules of Engagement (ROE).
  • Non-destructive by default; change windows for risky checks.
  • Traffic shaping, rate caps, and source-IP allowlisting on request.
  • Staging preferred; production supported with guardrails and rollback plans.

Access & secrets management

  • Short-lived credentials; no long-lived static keys in testing workflows.
  • Central secrets management; rotation on personnel change or detection.
  • Break-glass procedures with logging and rapid revocation.

Incident response

  • Documented IR plan and points of contact.
  • Customer notification per contract and law if we become aware of an issue affecting you.
  • Forensics support and containment guidance when requested.

Assurance & compliance alignment

  • Practices aligned to OWASP ASVS/MASVS, NIST SP 800-115, and CIS Benchmarks.
  • NDA/ROE; DPA or BAA available for regulated data.
  • Audit-friendly artifacts: traceable evidence, severity, and ownership.

Responsible disclosure

If you believe you’ve found a vulnerability in our site or services, contact us at security@cyberarmy.tech. Include reproduction steps, impact, and any logs or PoCs. Please do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the issue.

  • No testing of client environments without written authorization.
  • Avoid privacy violations, service disruption, or data destruction.
  • Give us reasonable time to remediate before any public disclosure.

security.txt

Our security.txt is published at https://cyberarmy.tech/.well-known/security.txt. That exact path is the one defined by RFC 9116, so scanners and researchers look there first. We also serve a convenience redirect from /security.txt to /.well-known/security.txt where configured.

The file includes our Contact and Policy URLs, preferred language, and a canonical reference. RFC 9116 additionally requires an Expires field (an RFC 3339 timestamp after which the file should no longer be trusted); it is not shown in this excerpt. Example:

Contact: mailto:security@cyberarmy.tech
Policy: https://cyberarmy.tech/security
Preferred-Languages: en
Canonical: https://cyberarmy.tech/.well-known/security.txt
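The following validator is an added example for this page, not Cyber Army's own tooling. It parses a security.txt body and checks the RFC 9116 rules that matter when consuming such a file: Contact and Expires must be present, Expires and Preferred-Languages may appear only once, Contact values must be mailto:/https:/tel: URIs, the file must not be past its Expires timestamp, Canonical URIs must be https, and the URL the file was actually retrieved from must appear in Canonical when that field is present. The sample body is constructed for the example (the fields above plus an assumed Expires date); the function and variable names are the example's own.

```python
"""Validate a security.txt body against the mandatory-field rules of RFC 9116.

Added example for this page; not Cyber Army's own tooling.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample body: the fields shown on the page plus the Expires field
# that RFC 9116 makes mandatory. The date is an assumed value for the example.
SAMPLE = """\
# constructed sample, not the live file
Contact: mailto:security@cyberarmy.tech
Expires: 2099-01-01T00:00:00Z
Policy: https://cyberarmy.tech/security
Preferred-Languages: en
Canonical: https://cyberarmy.tech/.well-known/security.txt
"""

REQUIRED = ("Contact", "Expires")               # RFC 9116: MUST be present
SINGLETON = ("Expires", "Preferred-Languages")  # RFC 9116: MUST NOT repeat
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(body: str) -> dict[str, list[str]]:
    """Parse a security.txt body into field name -> values, in file order.

    Lines starting with '#' are comments; blank lines are ignored. Field names
    are case-insensitive, so they are normalised to their canonical spelling.
    """
    fields: dict[str, list[str]] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        fields.setdefault(name.strip().title(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime:
    """Parse the RFC 3339 timestamp used by Expires; a trailing 'Z' means UTC."""
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if stamp.tzinfo is None:
        raise ValueError("Expires must carry a timezone offset")
    return stamp


def validate(body: str, fetched_from: str | None = None,
             now: datetime | None = None) -> list[str]:
    """Return the list of problems found; an empty list means the file passes.

    fetched_from is the URL the body was retrieved from (after any redirect).
    When given and Canonical is present, it must be one of the Canonical URIs.
    """
    now = now or datetime.now(timezone.utc)
    problems: list[str] = []
    try:
        fields = parse_security_txt(body)
    except ValueError as exc:
        return [str(exc)]

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLETON:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} must appear only once")

    for value in fields.get("Contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https://tel: URI: {value}")

    for value in fields.get("Expires", []):
        try:
            if parse_expires(value) <= now:
                problems.append(f"file has expired: {value}")
        except ValueError as exc:
            problems.append(f"bad Expires value {value!r}: {exc}")

    canonical = fields.get("Canonical", [])
    for uri in canonical:
        if urlparse(uri).scheme != "https":
            problems.append(f"Canonical must be https: {uri}")
    if fetched_from and canonical and fetched_from not in canonical:
        problems.append(f"retrieved from {fetched_from}, which is not a Canonical URI")

    return problems


if __name__ == "__main__":
    issues = validate(SAMPLE, fetched_from="https://cyberarmy.tech/.well-known/security.txt")
    print("\n".join(issues) or "security.txt passes RFC 9116 checks")
```

To check a live file, fetch it with any HTTP client that follows redirects and pass the final URL as fetched_from; a file served only from /security.txt, or from a host not listed in Canonical, is flagged rather than trusted.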

Get started

Want continuous visibility with Surface Monitor or deeper manual testing? Join Early Access or request a pentest quote.