Every layer of CtrlLayer is designed with security as the foundation, not an afterthought. Here's how we protect your organization.
Eight layers of security built into every component of the platform.

Hash-Chain Tamper-Proof Audit
Every audit event is cryptographically chained. Tampering with a single record breaks the entire chain, making unauthorized modifications instantly detectable.
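The chaining and verification described above, as an added illustration that is not CtrlLayer's own code: the hash function (SHA-256 over the previous hash and a canonical JSON encoding of the event), the record layout and the sample events are assumptions. It also shows why the head hash must be anchored outside the log store: an edit followed by a recomputation of every later hash passes a bare walk of the chain but fails against the anchored head.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # constructed anchor hash for the first record

def canonical(event: dict) -> bytes:
    # Stable serialization so an identical event always hashes identically
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def record_hash(prev_hash: str, event: dict) -> str:
    # Assumption: SHA-256 over prev_hash || canonical(event); the page does not name the hash
    return hashlib.sha256(prev_hash.encode() + canonical(event)).hexdigest()

def append(chain: list, event: dict) -> dict:
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"event": event, "prev_hash": prev, "hash": record_hash(prev, event)}
    chain.append(rec)
    return rec

def verify(chain: list, expected_head: Optional[str] = None) -> int:
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain) - 1  # chain is self-consistent but its head was replaced
    return -1

def demo() -> tuple:
    chain = []
    for ev in ({"actor": "alice", "action": "elevate", "scope": "admin"},  # constructed events
               {"actor": "bob", "action": "login"},
               {"actor": "alice", "action": "revoke", "scope": "admin"}):
        append(chain, ev)
    head = chain[-1]["hash"]                 # keep a copy of the head outside the log store
    intact = verify(chain, head)
    chain[1]["event"]["actor"] = "mallory"   # one stored record edited in place
    tampered = verify(chain, head)
    prev = chain[0]["hash"]                  # every later hash rewritten to hide the edit
    for rec in chain[1:]:
        rec["prev_hash"], rec["hash"] = prev, record_hash(prev, rec["event"])
        prev = rec["hash"]
    return intact, tampered, verify(chain, head), verify(chain)
```

`demo()` returns `(-1, 1, 2, -1)`: the intact chain verifies, the in-place edit is caught at record 1, the rewritten chain is caught only when checked against the anchored head.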
All sensitive data is encrypted using AES-256-GCM. Policy caches on endpoints are encrypted with device-bound keys rotated on schedule.
Every elevation grant is a signed JWT carrying an expiry, a scope, a device binding, and the user identity. No unsigned grant ever reaches an endpoint.
Role-based access control for coarse permissions, attribute-based access control for fine-grained policy targeting. Deny by default.
Four-tier rate limiting on auth (10 requests per 5 minutes), agent (60 per minute), security (30 per minute), and tenant endpoints. Automatic lockout on abuse detection.
All outbound requests from the API are validated against an allowlist. Internal network addresses are blocked at the request layer.
Origin header validation on all state-changing requests. SameSite cookies and double-submit token patterns for defense in depth.
Startup validation ensures all secrets are set and non-default in production. The API refuses to start with development credentials in production mode.
Continuous posture assessment against your security baselines.
| ID | Check | Description | Status |
|---|---|---|---|
| CC-001 | Antivirus Status | Verify real-time protection is active | PASS |
| CC-002 | Firewall Enabled | Windows Firewall must be active on all profiles | PASS |
| CC-003 | Disk Encryption | BitLocker or equivalent must be enabled | PASS |
| CC-004 | OS Patch Level | System must be within N days of latest patches | PASS |
| CC-005 | Password Policy | Minimum complexity and rotation requirements | PASS |
| CC-006 | USB Storage Control | Removable media policy must be enforced | PASS |
| CC-007 | Screen Lock Timeout | Automatic lock after configurable idle period | PASS |
| CC-008 | Admin Account Audit | No unauthorized local admin accounts | PASS |
| CC-009 | Agent Health | CtrlLayer agent must be running and reporting | PASS |
| CC-010 | Software Allowlist | No unauthorized software installed | PASS |
Every device receives a real-time A-F security grade based on posture assessment.