Security

Cipher is a team of autonomous agents. They reason, adapt, and operate with agency. That requires a different security model than a static SaaS product.

ISOLATION BY DESIGN.

The project is the boundary.

Every assessment runs inside strictly isolated containers. The project isolates your data, credentials, findings, and configuration. Nothing crosses the boundary.

No shared state. No shared memory. No data leakage.

Systemic Resilience.

We treat prompt injection as a hostile vector. If a target application tries to manipulate Cipher's agents, the architecture fights back.

The Defense.

Our multi-agent system uses adversarial verification. A finding — or a non-finding — must survive independent review by a separate "Judge" agent before it is reported. One compromised agent does not compromise the assessment.

SCORCHED EARTH DELETION.

When it's gone, it's gone.

When you delete a project, the destruction is permanent. Credentials, findings, reports, and reproducible exploits are wiped.

One-off assessments: Data is automatically destroyed when the assessment window expires.

Ongoing integrations: Data persists only until you explicitly kill the project.

THE AI SUPPLY CHAIN.

We don't pretend AI is magic.

Cipher is an agentic system. Your data flows through a pipeline of planning agents, attack agents, and verification agents powered by frontier models from Anthropic and Google.

Data Privacy.

We operate under enterprise agreements (Anthropic Zero-Retention, Google Cloud Data Governance) that explicitly prohibit model providers from training on your data.

The Reality.

We control the agents, but we do not control what happens inside the model providers' infrastructure. This is the reality of building on third-party AI. We choose to be honest about it rather than hiding behind a generic SOC 2 badge.

KINETIC IMPACT.

Testing is intrusive.

Cipher does not just scan read-only endpoints. It acts like an attacker. It creates data, triggers logic, and exploits race conditions.

The Risk.

Like a human pentester, Cipher can trigger rate limits, corrupt test data, or impact availability if the target is fragile.

The Control.

You define the scope. We recommend running Cipher against staging environments unless you are confident in your production resilience.

WHAT YOU CONTROL.

Scope. You define the target. Cipher never operates outside the boundary you draw.

Duration. You can terminate an assessment and wipe the data at any point.

Artifacts. Reports and reproducible exploits are yours to download. Once the project is deleted, they vanish.

VULNERABILITY DISCLOSURE.

Found a bug in APX?

If you break our platform, tell us. We take every report seriously. We don't currently offer monetary bounties, but we acknowledge and credit responsible disclosure.

security@apxlabs.ai