As a software security provider, AttackForge is committed to providing highly secure and reliable software for our customers. Our SaaS platform (AttackForge.com) is built on Microsoft Azure (Azure) and MongoDB Cloud (Mongo) compute and storage ‘As-a-Service’ technologies, which are compliant with a wide variety of industry-accepted security standards.
Additionally, our engineers have security backgrounds and utilize proven security technologies and techniques in order to protect our systems, data, and information from unauthorized access in the best possible way.
We rely on a number of strict security controls built into our people, processes and technologies; as well as subject to third party assessments including penetration testing.
For data storage, analysis, and backups, AttackForge utilizes Azure and Mongo cloud services and therefore shares several Azure and Mongo standards and accreditations.
All virtualized servers are operated in the Australian region.
Amongst others, Azure is certified by the following security compliance standards:
ISO 27001, 27017, 27018
SOC 1, 2 and 3
Amongst others, Mongo is certified by the following security compliance standards:
SOC 2 Type II
EU-US Privacy Shield
AttackForge does not store bank information or credit card data. All payments are handled and managed by our payment provider Square (squareup.com).
AttackForge does not share customer data with third parties.
Administrative access to customer data is restricted to a small number of closely managed AttackForge administrators.
Access to production systems and data follows the security standard of Least Privilege.
All traffic to and from our service is encrypted using the TLS v1.2 protocol.
We enforce the usage of strong TLS cipher suites.
All systems are firewalled to a minimal number of access points.
Multi-Factor Authentication (TOTP) is mandatory and enforced on all application and administrative interfaces.
We enforce a strong password policy.
Passwords are stored hashed and salted (bcrypt).
Role-Based-Access-Controls (RBAC) on a user-level and project-level are utilized to manage authorization to data.
Access to an account, including actions performed by the account, is logged, tracked, and audited.
Anti-automation controls are utilized to prevent brute-force login attempts.
Session monitoring & management is utilized to prevent authenticated abuse of the platform.
Email notifications for events such as new logins from different IP addresses are enabled.
All operating systems are managed, patched and maintained by Azure and Mongo.
Unnecessary users, services, and components are disabled.
All systems are constantly monitored.
Secure Data Storage
Data is stored on virtualized servers on Azure and Mongo.
All data is encrypted in-transit and at-rest.
Database backups are stored and transmitted encrypted at all times.
Vulnerability reports are generated in memory on request by user, and never stored.