Trust Center

Deploying an incident-response platform inside your security boundary is a trust ask. We're a new vendor — we don't expect that trust by default. Here is the full posture: what we publish today, what we promise, and what we're still earning.

Sovereign by design

Single-VM appliance inside your network. No SaaS dependency. No agents on endpoints.

Read-only by default

Connections to data sources are read-only. Optional response actions are explicit and audited.

Auditable everywhere

Chain of custody for every piece of evidence. Per-release SBOM. Public changelog of every security-relevant change.

What we publish

Your data stays on the VM

Investigations, evidence, IOCs, and reports are all stored locally on the appliance you run. CICADA does not phone home with investigation data. Licence activation is local; an air-gapped activation flow is supported for isolated networks. The only outbound traffic is the threat-intel providers you configure (VirusTotal, Shodan, AbuseIPDB, URLhaus, ThreatFox, OTX) — each opt-in.

Software bill of materials

Every CICADA IR release publishes a complete CycloneDX 1.6 SBOM covering both backend (Python) and frontend (Node) dependencies. Drop the JSON straight into Dependency-Track, Snyk, or GitHub Advanced Security and you have a real-time view of any CVE that affects your CICADA appliance. Per-release archive — never overwritten.
Browse SBOMs by release
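Because the SBOMs are archived per release and never overwritten, a consumer can do more than feed one file to a scanner: it can check the CycloneDX header, split the inventory into backend (pypi) and frontend (npm) components, and diff two releases to see exactly which dependencies were added, removed or bumped. The script below is an added example, not CICADA's own tooling; the two SBOM documents embedded in it are constructed samples with fictional component sets, not real release data.

```python
"""Consume CycloneDX 1.6 JSON SBOMs: validate the header, group components
by ecosystem, and diff two releases. Added illustration, not CICADA code.
The SBOM content below is constructed sample data, not a real release SBOM.
"""
import json
from collections import defaultdict


def _sample(app_version, components):
    # Build a minimal CycloneDX 1.6 JSON document with the given components.
    return json.dumps({
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": "example-appliance",
                                   "version": app_version}},
        "components": [
            {"type": "library", "name": n, "version": v, "purl": f"pkg:{eco}/{n}@{v}"}
            for eco, n, v in components
        ],
    })


# Constructed samples: release 1.0.0-sample and 1.1.0-sample (fictional deps).
SAMPLE_SBOM_V1 = _sample("1.0.0-sample", [
    ("pypi", "fastapi", "0.110.0"), ("pypi", "requests", "2.31.0"),
    ("npm", "react", "18.2.0"), ("npm", "lodash", "4.17.21"),
])
SAMPLE_SBOM_V2 = _sample("1.1.0-sample", [
    ("pypi", "fastapi", "0.111.0"), ("pypi", "requests", "2.31.0"),
    ("npm", "react", "18.2.0"), ("npm", "dompurify", "3.0.9"),
])


def load_sbom(text):
    """Parse and sanity-check a CycloneDX 1.6 JSON SBOM before trusting it."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if bom.get("specVersion") != "1.6":
        raise ValueError(f"unexpected specVersion {bom.get('specVersion')!r}")
    if not isinstance(bom.get("components"), list):
        raise ValueError("SBOM has no components array")
    return bom


def split_purl(purl):
    """Return (key, version): key is 'type/name' with qualifiers, subpath and
    version stripped, e.g. pkg:pypi/fastapi@0.110.0 -> ('pypi/fastapi', '0.110.0')."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    if "@" in body:
        key, version = body.rsplit("@", 1)
        return key, version
    return body, None


def components_by_ecosystem(bom):
    """Group 'name@version' strings by purl type (pypi = backend, npm = frontend)."""
    groups = defaultdict(list)
    for comp in bom["components"]:
        key, purl_version = split_purl(comp.get("purl", ""))
        ecosystem = key.split("/", 1)[0] if key else "unknown"
        version = comp.get("version") or purl_version or "?"
        groups[ecosystem].append(f"{comp['name']}@{version}")
    return {eco: sorted(items) for eco, items in groups.items()}


def diff_sboms(old, new):
    """Report components added, removed, or version-changed between two releases."""
    old_map = dict(split_purl(c["purl"]) for c in old["components"] if "purl" in c)
    new_map = dict(split_purl(c["purl"]) for c in new["components"] if "purl" in c)
    return {
        "added": sorted(k for k in new_map if k not in old_map),
        "removed": sorted(k for k in old_map if k not in new_map),
        "changed": {k: (old_map[k], new_map[k])
                    for k in old_map if k in new_map and old_map[k] != new_map[k]},
    }


if __name__ == "__main__":
    v1, v2 = load_sbom(SAMPLE_SBOM_V1), load_sbom(SAMPLE_SBOM_V2)
    print(components_by_ecosystem(v1))
    print(diff_sboms(v1, v2))
```

The same `diff_sboms` call, pointed at two archived release SBOMs, gives a change-control record of what a hotfix bundle actually shipped, independent of the release notes.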

Cloud LLM safeguards

Cloud LLM providers (Anthropic, Google, OpenAI) are opt-in per-provider, gated behind explicit consent toggles. PII and credentials in prompts are blocked from cloud LLMs by default; the analyst must flip a separate Allow Sensitive Data toggle (with audit-trail logging) before any sensitive content can leave the VM via the cloud-LLM route.
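The control described above has three parts that a reviewer can test independently: per-provider opt-in, a default deny for prompts containing PII or credentials, and an audited override. The gate below is an added illustration of that policy, not CICADA's implementation; the detection patterns, provider names and audit-record fields are assumptions chosen for the example, and the prompts used are constructed samples (the AWS key is the documentation placeholder, not a real credential).

```python
"""Illustrative consent gate for sending analyst prompts to a cloud LLM.
Added example, not CICADA's code: the patterns, record fields and provider
list are assumptions; the sample prompts are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical sensitive-content detectors (a real classifier would be broader).
SENSITIVE_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)\b(password|passwd|pwd)\s*[:=]\s*\S+"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def classify(prompt):
    """Return the sorted list of detector names that fire on the prompt."""
    return sorted(name for name, rx in SENSITIVE_PATTERNS.items() if rx.search(prompt))


@dataclass
class CloudPromptGate:
    enabled_providers: set = field(default_factory=set)  # per-provider opt-in
    allow_sensitive: bool = False                         # separate override toggle
    audit_log: list = field(default_factory=list)

    def submit(self, analyst, provider, prompt):
        """Decide whether a prompt may leave the VM; every decision is audited."""
        findings = classify(prompt)
        if provider not in self.enabled_providers:
            decision, reason = "blocked", "provider_not_enabled"
        elif findings and not self.allow_sensitive:
            decision, reason = "blocked", "sensitive_content"
        elif findings:
            decision, reason = "allowed", "sensitive_override"
        else:
            decision, reason = "allowed", "clean"
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "analyst": analyst,
            "provider": provider,
            "decision": decision,
            "reason": reason,
            "findings": findings,
            # Log only the length, never the prompt body, so the audit trail
            # does not itself become a store of sensitive data.
            "prompt_chars": len(prompt),
        })
        return {"sent": decision == "allowed", "reason": reason, "findings": findings}


if __name__ == "__main__":
    gate = CloudPromptGate(enabled_providers={"anthropic"})
    print(gate.submit("alice", "anthropic",
                      "Triage this login: user bob@example.com, key AKIAIOSFODNN7EXAMPLE"))
    print(gate.submit("alice", "anthropic", "Summarise the lateral-movement timeline"))
    gate.allow_sensitive = True
    print(gate.submit("alice", "anthropic", "Check password=Hunter2 against the policy"))
    for entry in gate.audit_log:
        print(entry["decision"], entry["reason"], entry["findings"])
```

The point of separating `enabled_providers` from `allow_sensitive` is that a clean prompt still cannot reach a provider nobody opted into, and an enabled provider still cannot receive flagged content without the override being recorded against a named analyst.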

Local LLM is first-class

CICADA IR ships with first-class support for local LLM endpoints — Ollama, LM Studio, llama.cpp server, or any OpenAI-compatible local proxy. Sensitive workloads can run end-to-end without a single byte leaving your network.
Local LLM setup guide

Independent expert review

CICADA's reports are being reviewed by independent incident-response practitioners against frameworks including NIST SP 800-61, ISO/IEC 27035, MITRE ATT&CK, the OAIC NDB scheme, and APRA CPS 234. Findings drive template revisions; the audit trail lands in the public changelog so you can see what we changed and why.
Read the changelog

Coordinated vulnerability disclosure

Security researchers can report vulnerabilities to security@cicada-ir.ai. We acknowledge within 48 hours and target a fix — or a documented mitigation — before public disclosure. Audit-driven hotfix bundles are tracked in the release notes so you can verify what shipped when.

What we're still earning

We don't yet have SOC 2 Type II, ISO 27001, or pen-test reports we can hand you. We're not going to pretend otherwise. The Community Edition is free forever so you can run it on your own infrastructure and form your own view of how it behaves — that is the trust path we believe in. Deeper attestations follow customer demand and revenue. We'll publish them here as they land.

Found something?

We acknowledge security reports within 48 hours.