Built so your security
team can say yes.
An AI with access to your environment must be safer than the risks it finds. Here is how TrueBreach is engineered for trust, and what we will and won't ever do.
Read-only, least privilege
We only ever request read-only credentials, scoped to in-scope assets. No write, modify, or destructive permissions to your cloud, code, or hosts.
Hard scope enforcement
An enforced allowlist of targets the engine cannot exceed. Scope is a technical boundary, not a prompt instruction the AI could ignore.
Immutable audit log
Every command, target, and action is logged with a timestamp: a complete, tamper-evident record for your security team and auditors.
Non-destructive validation
We prove exploitability with safe, non-destructive techniques. No data exfiltration, no service disruption, no production impact.
You stay in control
You authorize scope in writing before any test, and you can revoke our access at any time. Testing happens only with your explicit consent.
Data minimization
We collect only what is needed to prove a finding, encrypt data in transit and at rest, and delete engagement data on request.
Authorized engagements only.
TrueBreach performs security testing exclusively against assets the customer owns or is explicitly authorized to test, under a signed agreement that defines scope, timing, and rules of engagement. We do not test systems without authorization, and we expect our customers to confirm they have the authority to authorize testing of every in-scope asset.
What we will never do
- Request or use write/modify access to your systems
- Test assets outside the agreed, enforced scope
- Run destructive, disruptive, or data-exfiltrating exploits
- Share your data or findings with anyone outside your team
Found a vulnerability in TrueBreach itself? Email [email protected].