Security First Architecture

Built for secure execution of untrusted code.

Isolation Layers

Firecracker MicroVMs

  • VM-level isolation
  • Separate kernel space
  • Minimal attack surface

gVisor

  • User-space kernel
  • Syscall interception
  • Strong containment

Kubernetes Security

  • Namespace isolation
  • Strict RBAC enforcement
  • Zero-trust network policies

Data Protection

AES-256 Encryption

All data at rest is encrypted using industry-standard AES-256 encryption. Keys are managed via AWS KMS.

TLS 1.3 In Transit

TLS 1.3 is strictly enforced for all communication between components and with external APIs.

Secure Storage

Ephemeral storage for sandboxes is securely wiped immediately after termination using DoD 5220.22-M algorithms.

Audit Logging

Immutable audit logs that track all control-plane operations are retained for compliance and forensic analysis.

Threat Model & Flow

User → API Gateway → Sandbox Controller → Firecracker VM → Executed Workload

Responsible Disclosure

We take security seriously. If you find a vulnerability, please report it directly to our security team.

security@sentinal.io