Last Updated: April 7, 2026
Every database table is protected by row-level security (RLS) policies. Your assessment data, findings, credentials, and reports are isolated to your team — no other user or team can access them, even at the database level. Policies are enforced by PostgreSQL itself, not application code, eliminating an entire class of access-control bugs.
LLM API keys, MCP server authentication tokens, and assessment credentials are encrypted at rest in the database. Keys are never exposed in API responses or client-side code. All communication between the client and backend occurs over TLS 1.2+.
Credentials stored for use during Assessments — such as application login credentials or API tokens provided for authenticated testing — are treated as sensitive secrets. They are decrypted only at the moment of use within the assessment engine, held in memory for the duration of the operation, and never written to logs or findings output.
Team access is governed by a dedicated roles system (Owner, Admin, Member) stored in a separate security table with a SECURITY DEFINER function — preventing privilege escalation via client-side manipulation. Role checks are enforced server-side on every protected operation.
Every sign-in event is logged with IP address, browser fingerprint, and geolocated city/region/country. Team activity (assessments created, members invited, settings changed) is tracked in a dedicated audit log. All audit data is available to team administrators in the dashboard.
AI agent activity during Assessments is also logged — every tool invocation, decision step, and scope check is recorded and tied to the Assessment record. This provides a full, auditable trace of what the autonomous agent did and why, which is available to team administrators for review.
The AI assessment engine enforces scope boundaries in real time. Every tool call is validated against the defined scope before execution. DNS-resolved aliases of in-scope targets are automatically tracked to prevent false scope violations, while genuinely out-of-scope targets are blocked. Tool outputs are sanitized to strip noisy or irrelevant data before processing.
Scope enforcement operates at the infrastructure layer — not solely within the AI agent's reasoning — so that even unexpected or adversarially influenced AI behavior cannot result in out-of-scope tool execution. Scope boundaries are set at Assessment creation and cannot be modified by the AI agent during execution.
Because Phantava's Assessment feature operates autonomously with no human in the loop, we apply multiple layers of controls to constrain AI agent behavior:
Sandboxed execution. The AI agent operates within a controlled execution environment. Tool access is mediated through a permission layer that enforces scope, rate limits, and action type restrictions — the agent cannot invoke capabilities it has not been explicitly granted for a given Assessment.
Action rate limiting. Tool invocations are rate-limited per Assessment to prevent runaway behavior, loop conditions, or excessive impact on target systems. Limits are configurable per team and subscription tier.
Graceful termination. Assessments can be terminated at any time by an authorized team member. The agent is designed to halt cleanly on termination signals without leaving persistent state on target systems where avoidable.
Output validation. AI-generated findings undergo structured validation before being written to the database. Malformed, anomalous, or excessively large outputs are flagged and quarantined for review rather than persisted directly.
Phantava's AI agent retrieves and processes content directly from target systems during Assessments — including web pages, API responses, file contents, and error messages. This creates an inherent exposure to prompt injection attacks, where adversarial content embedded in a target system attempts to manipulate the AI agent's behavior.
We implement the following mitigations:
Structural separation of instructions and data. Agent instructions and retrieved target content are passed to the LLM in structurally separated contexts. System-level directives are delivered via privileged server-side injection (see Section 10) and cannot be overridden by content in the user or tool result context.
Output behavioral monitoring. Agent outputs are monitored for anomalous patterns consistent with prompt injection influence, including unexpected scope deviation attempts, instruction-like language in tool call parameters, or unusual action sequences.
Prompt injection event logging. Interactions where adversarial content in a target system appears to have influenced agent behavior are flagged and logged as prompt injection artifacts, available to team administrators for review.
We acknowledge that no prompt injection defense is absolute. Users should review AI agent activity logs after Assessments involving complex or potentially adversarial targets.
Phantava integrates with external tools and services via the Model Context Protocol (MCP) and other integration mechanisms. The following controls apply:
Authenticated connections only. MCP server connections require authenticated, credentialed configuration. Unauthenticated or misconfigured integrations cannot be activated.
Least-privilege tool access. The AI agent is granted access only to the tools explicitly enabled for a given Assessment. Unused integrations are not exposed to the agent's execution context.
Data minimization in transit. Data passed to third-party integrations is scoped to what is necessary for the specific tool operation. Credentials and sensitive findings are not passed to integrations unless explicitly required by the workflow.
No persistent third-party storage by default. Phantava does not configure third-party integrations to persist assessment data on external systems. Data processed by integrations in transit is subject to those providers' own policies, which are disclosed in our Privacy Policy.
Assessments generate sensitive evidence artifacts including HTTP request/response captures, payloads, screenshots, and exported findings. These artifacts are:
Assessment methodology prompts — including continuation strategies, phase transitions, and reasoning triggers — are injected server-side within edge functions. They are never included in API responses to the client. Even authenticated users inspecting network traffic will see only generic action flags and trigger IDs, ensuring zero methodology leakage.
Account registration requires email verification. Passwords are hashed using bcrypt via Supabase Auth. Password reset flows use time-limited, single-use tokens. Team invitations use cryptographically random tokens with configurable expiration.
Phantava supports TOTP-based multifactor authentication (MFA). When enabled, users must provide a one-time code from an authenticator app (such as Google Authenticator, Authy, or 1Password) at each sign-in — adding a critical second layer of defense against credential compromise.
Phantava is built on Supabase, which provides SOC 2 Type II certified infrastructure, automated backups, and encryption at rest and in transit. We undergo an annual CIS Critical Security Controls (CSC) audit, ensuring our organizational security practices are independently validated against industry-recognized benchmarks.
Penetration testing. We conduct periodic penetration testing of the Phantava platform itself — including the assessment engine, API surface, and authentication flows — performed by independent third-party security firms. As a security-first company, we hold our own infrastructure to the same standard we help our customers apply to theirs.
Dependency & supply chain security. Third-party software dependencies are tracked and monitored for known vulnerabilities. Critical dependencies are pinned and reviewed on update. We maintain a software bill of materials (SBOM) for core platform components.
We believe in responsible disclosure and welcome security researchers who identify vulnerabilities in the Phantava platform.
If you discover a security vulnerability, please report it to security@phantava.com. We ask that you:
We commit to acknowledging all reports within 48 hours, providing status updates throughout the remediation process, and not pursuing legal action against researchers acting in good faith.
Have a security concern? Contact us at security@phantava.com.