Threat Model
Components
- Agent (host process)
- Collector processes (GPU, Fabric)
- Control plane (single binary)
- Remediation binary
- Storage backends
- KMS
- SIEM forwarder
- Multi-tenant CP routing
Per-Component STRIDE
Agent
- Spoofing: Mitigated by mTLS with workload identity.
- Tampering: Mitigated by signed binaries + SBOM.
- Repudiation: Every action audit-logged.
- Information disclosure: TLS 1.3 only; payload encrypted at rest in CP.
- Denial of service: rate-limited by OTLP receiver.
- Elevation of privilege: drops to least privilege; drops capabilities on failure.
Control Plane
- Spoofing: SAML/OIDC, MFA.
- Tampering: append-only audit + hash chain.
- Repudiation: correlation-engine decisions audit-logged.
- Information disclosure: per-tenant RBAC + ABAC.
- Denial of service: rate limiting per tenant.
- Elevation of privilege: ServiceAccount-bound principals only.
Storage
- Envelope encryption, customer-managed keys.
- Audit on every read/write.
KMS
- Customer-managed key; HSM in air-gap tier.
- Audit on every sign/decrypt.
SIEM Forwarder
- HMAC-signed export.
- Audit on every send.
Multi-Tenant CP Routing
- Tenant id is required; missing returns 400.
- Cross-tenant operations require
platform_adminscope and are audit-logged withcross_tenant=true.
Adversary Capabilities
The model assumes:
- An adversary can compromise any single agent's host.
- An adversary can inject packets into the network.
- An insider with
readaccess on their own tenant data. - An insider with
srerole can attempt to escalate. - An adversary with PyPI/Crates supply-chain access (CVE-driven).
We DO NOT assume the customer has been rooted; if they have been rooted, all bets are off — that's not our threat model.