
Overview

IncidentFox is built with enterprise security as a core principle. This document covers the security architecture, compliance certifications, and best practices for secure deployment.

Security Architecture

Credentials Proxy

Secrets never touch the agent. IncidentFox uses an Envoy-based credentials proxy:
  1. Agent makes API call through Envoy proxy
  2. Envoy intercepts the request
  3. Credential Resolver fetches secrets from vault
  4. Envoy injects credentials at request time
  5. Request is forwarded to external API
  6. Secrets are never stored in agent memory

Benefits

| Traditional Approach | IncidentFox Approach |
| --- | --- |
| Agent stores secrets | Secrets in proxy only |
| Risk of memory exposure | Isolated credential handling |
| Static credentials | Dynamic credential injection |
| Audit gaps | Full audit trail |

Claude Sandbox Isolation

The Claude SDK SRE Agent runs in isolated Kubernetes sandboxes:

gVisor Isolation

  • User-space kernel intercepts all syscalls
  • Reduced kernel attack surface
  • Container-to-host isolation

Network Policies

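apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: agent-sandbox
spec:
  # Applies to pods labeled app=sre-agent
  podSelector:
    matchLabels:
      app: sre-agent
  policyTypes:
    - Egress
  # Egress rules are additive: traffic matching either rule is allowed
  egress:
    # Rule 1: any port, to namespaces labeled name=incidentfox
    - to:
        - namespaceSelector:
            matchLabels:
              name: incidentfox
    # Rule 2: port 443 (HTTPS), to any destination
    - ports:
        - port: 443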
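
The policy above lists two separate egress rules, and Kubernetes allows a connection that matches any one of them. The following added example (not IncidentFox code) models that with a simplified evaluator and compares the rules as written with an assumed single-rule variant, `COMBINED`; the destinations and the `payments` namespace are constructed.

```python
# Simplified model of NetworkPolicy egress evaluation (added example).
# Supports only namespaceSelector.matchLabels peers and numeric ports.
PEER = {"namespaceSelector": {"matchLabels": {"name": "incidentfox"}}}

# The two egress rules, structured exactly as in the policy on this page.
AS_WRITTEN = [{"to": [PEER]}, {"ports": [{"port": 443}]}]
# Assumed stricter variant: one rule, so peer AND port must both match.
COMBINED = [{"to": [PEER], "ports": [{"port": 443}]}]

def peer_matches(peer, dest_ns_labels):
    """dest_ns_labels is None when the destination is outside the cluster."""
    selector = peer.get("namespaceSelector")
    if selector is None or dest_ns_labels is None:
        return False  # other peer types (podSelector, ipBlock) are not modeled
    wanted = selector.get("matchLabels", {})
    return all(dest_ns_labels.get(k) == v for k, v in wanted.items())

def rule_allows(rule, dest_ns_labels, port):
    # A rule without "to" matches every destination; without "ports", every port.
    peers, ports = rule.get("to"), rule.get("ports")
    to_ok = not peers or any(peer_matches(p, dest_ns_labels) for p in peers)
    port_ok = not ports or any(p["port"] == port for p in ports)
    return to_ok and port_ok

def egress_allowed(rules, dest_ns_labels, port):
    # Rules are additive: the connection is allowed if any single rule matches.
    return any(rule_allows(r, dest_ns_labels, port) for r in rules)

# Constructed destinations: (description, namespace labels or None, port)
CASES = [
    ("incidentfox namespace, port 443", {"name": "incidentfox"}, 443),
    ("incidentfox namespace, port 5432", {"name": "incidentfox"}, 5432),
    ("external host, port 443", None, 443),
    ("external host, port 80", None, 80),
    ("other namespace, port 443", {"name": "payments"}, 443),
]

def compare():
    """Return {description: (allowed as written, allowed when combined)}."""
    return {d: (egress_allowed(AS_WRITTEN, ns, p), egress_allowed(COMBINED, ns, p))
            for d, ns, p in CASES}

if __name__ == "__main__":
    for desc, (written, combined) in compare().items():
        print(f"{desc:34} as written: {written!s:5}  combined: {combined}")
```
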

Resource Limits

  • CPU: Bounded to prevent runaway processes
  • Memory: Capped to prevent OOM attacks
  • Time: Maximum investigation duration
  • Ephemeral: Sandbox destroyed after use

Authentication

Token Types

| Type | Format | Scope | Expiration |
| --- | --- | --- | --- |
| Global Admin | ADMIN_TOKEN env var | Full access | Never |
| Org Admin | {org_id}.{random} | Organization | Configurable |
| Team Token | {org_id}.{team_id}.{random} | Team only | Configurable |
| OIDC JWT | Standard JWT | User session | Short-lived |

SSO/OIDC Support

Supported identity providers:
  • Google Workspace
  • Azure AD / Entra ID
  • Okta
  • Generic OIDC

Configuration

{
  "auth": {
    "oidc": {
      "issuer": "https://accounts.google.com",
      "client_id": "your-client-id",
      "allowed_domains": ["your-company.com"]
    }
  }
}

Authorization (RBAC)

Roles

| Role | Permissions |
| --- | --- |
| Viewer | Read investigations, view dashboards |
| Operator | Trigger investigations, view all data |
| Admin | Configure tools, manage team settings |
| Org Admin | Manage teams, configure org settings |

Tool-Level Permissions

Restrict access to sensitive tools:
{
  "tools": {
    "docker_exec": {
      "enabled": true,
      "allowed_roles": ["admin"],
      "require_approval": true
    }
  }
}

Approval Workflows

For high-risk operations, require approval:
{
  "approval_workflows": {
    "enabled": true,
    "actions": {
      "pod_restart": {
        "required_approvers": 1,
        "timeout_minutes": 30,
        "notify_channel": "#sre-approvals"
      },
      "scale_deployment": {
        "required_approvers": 2,
        "timeout_minutes": 15
      }
    }
  }
}

Approval Flow

  1. Agent proposes action
  2. Notification sent to approvers
  3. Approver reviews and approves/denies
  4. Action executed or cancelled
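
How the tool-level permission settings and the approval workflow settings above could be evaluated together, as an added example that is not IncidentFox's own code. The function names, the `triggered_by` argument, and the fail-closed, self-review and late-vote behaviour are assumptions; the configuration values are copied from this page.

```python
from datetime import datetime, timedelta, timezone

CONFIG = {  # values copied from the two configuration snippets on this page
    "tools": {"docker_exec": {"enabled": True, "allowed_roles": ["admin"],
                              "require_approval": True}},
    "approval_workflows": {"enabled": True, "actions": {
        "pod_restart": {"required_approvers": 1, "timeout_minutes": 30},
        "scale_deployment": {"required_approvers": 2, "timeout_minutes": 15}}},
}

def authorize_tool(config, tool, role):
    """Return 'deny', 'needs_approval' or 'allow' for one tool call."""
    entry = config["tools"].get(tool)
    if entry is None or not entry.get("enabled", False):
        return "deny"  # assumption: tools without an entry fail closed
    if role not in entry.get("allowed_roles", []):
        return "deny"
    return "needs_approval" if entry.get("require_approval") else "allow"

def approval_state(config, action, triggered_by, requested_at, decisions, now):
    """decisions: (approver, 'approve' or 'deny', timestamp) tuples.
    Returns 'approved', 'cancelled', 'expired' or 'pending'."""
    rule = config["approval_workflows"]["actions"][action]
    deadline = requested_at + timedelta(minutes=rule["timeout_minutes"])
    approvers = set()  # a set, so a repeated approval counts once
    for who, verdict, when in sorted(decisions, key=lambda d: d[2]):
        if when > deadline or when > now or who == triggered_by:
            continue  # assumption: late votes and self-review are ignored
        if verdict == "deny":
            return "cancelled"
        if verdict == "approve":
            approvers.add(who)
        if len(approvers) >= rule["required_approvers"]:
            return "approved"
    return "expired" if now > deadline else "pending"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc)
    votes = [("alice", "approve", t0 + timedelta(minutes=1)),
             ("alice", "approve", t0 + timedelta(minutes=2))]
    print(authorize_tool(CONFIG, "docker_exec", "admin"))
    print(approval_state(CONFIG, "scale_deployment", "carol", t0, votes,
                         t0 + timedelta(minutes=5)))
```
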

Audit Logging

All operations are logged:

Event Types

| Event | Logged Data |
| --- | --- |
| Investigation started | User, query, timestamp |
| Tool executed | Tool name, parameters, result status |
| Data accessed | Data source, query, row count |
| Configuration changed | Old value, new value, user |
| Approval requested/granted | Action, approver, decision |

Log Format

{
  "timestamp": "2024-01-15T14:30:00Z",
  "event_type": "tool_executed",
  "user_id": "user@company.com",
  "team_id": "team_123",
  "tool": "get_pod_logs",
  "parameters": {
    "namespace": "production",
    "pod": "api-server-xyz"
  },
  "duration_ms": 1234,
  "status": "success"
}
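
A detection pass over `tool_executed` events in the log format above, as an added example that is not part of IncidentFox. The sample events, the `error` status value, the per-user baseline, and the three alert names are constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_event(ts, user, tool, status, event_type="tool_executed"):
    """Build one constructed log line with the fields of the format above."""
    return json.dumps({"timestamp": ts, "event_type": event_type, "user_id": user,
                       "team_id": "team_123", "tool": tool, "status": status})

SAMPLE = [  # constructed events; "error" as a status value is an assumption
    sample_event("2024-01-15T14:30:00Z", "user@company.com", "get_pod_logs", "success"),
    sample_event("2024-01-15T14:31:00Z", "user@company.com", "docker_exec", "success"),
    sample_event("2024-01-15T14:32:00Z", "other@company.com", "get_pod_logs", "error"),
    '{"timestamp": "2024-01-15T14:32:30Z", "event_type": "tool_exec',  # truncated
    sample_event("2024-01-15T14:33:00Z", "other@company.com", "get_pod_logs", "error"),
    sample_event("2024-01-15T14:34:00Z", "other@company.com", "get_pod_logs", "error"),
]
BASELINE = {"user@company.com": {"get_pod_logs"}, "other@company.com": {"get_pod_logs"}}

def analyze(lines, baseline, sensitive, burst=3, window=timedelta(minutes=5)):
    """Return (alerts, malformed). Lines are assumed to be in time order."""
    alerts, malformed = [], 0
    failures = defaultdict(deque)  # user_id -> times of recent non-success runs
    for line in lines:
        try:
            ev = json.loads(line)
            if ev.get("event_type") != "tool_executed":
                continue
            ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            user, tool, status = ev["user_id"], ev["tool"], ev["status"]
        except (ValueError, KeyError, TypeError, AttributeError):
            malformed += 1  # counted, not dropped: gaps in the trail matter
            continue
        if tool in sensitive:
            alerts.append((ev["timestamp"], user, "sensitive_tool", tool))
        if tool not in baseline.get(user, set()):
            alerts.append((ev["timestamp"], user, "first_seen_tool", tool))
        if status != "success":
            recent = failures[user]
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) == burst:  # fire once when the threshold is reached
                alerts.append((ev["timestamp"], user, "failure_burst", tool))
    return alerts, malformed

if __name__ == "__main__":
    found, bad = analyze(SAMPLE, BASELINE, sensitive={"docker_exec"})
    print(*found, f"malformed lines: {bad}", sep="\n")
```
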

Log Destinations

  • CloudWatch Logs
  • Datadog
  • Splunk
  • Custom webhook

Compliance

SOC 2 Type II

IncidentFox maintains SOC 2 Type II certification:

| Control | Implementation |
| --- | --- |
| Access Control | RBAC, SSO, MFA |
| Encryption | TLS 1.3, AES-256 at rest |
| Logging | Comprehensive audit trail |
| Monitoring | Real-time alerting |
| Incident Response | Documented procedures |

Data Handling

| Data Type | Handling |
| --- | --- |
| Investigation queries | Logged, retained 90 days |
| Tool results | Not stored (passed through) |
| Credentials | Never stored in agent |
| Audit logs | Retained per policy |

Deployment Security

Self-Hosted

For maximum control:
  • Deploy in your VPC
  • Use your secrets manager
  • Control all network egress
  • Manage your own keys

Air-Gapped

For highly restricted environments:
  • No external network access
  • Local model inference
  • Internal secrets management
  • Manual updates

Best Practices

Credential Management

  1. Use vault references, never plain text
  2. Rotate credentials regularly
  3. Use service accounts with minimal permissions
  4. Enable audit logging for secret access

Network Security

  1. Use private endpoints where possible
  2. Enable VPC peering for cloud services
  3. Restrict agent egress to necessary destinations
  4. Use TLS for all communications

Access Control

  1. Enable SSO for all users
  2. Use team-scoped tokens
  3. Require MFA for admin access
  4. Regular access reviews

Monitoring

  1. Alert on authentication failures
  2. Monitor for unusual tool usage
  3. Track investigation patterns
  4. Review audit logs regularly

Incident Response

Security Incidents

If you discover a security issue:
  1. Email security@incidentfox.ai
  2. Do not disclose publicly
  3. We will respond within 24 hours

Vulnerability Disclosure

We follow responsible disclosure:
  • 90-day disclosure timeline
  • Credit for reporters
  • Bug bounty program available
