Security · for the team defending AI in production

Enterprise-grade by design. Auditable by default.

Quadrazene is built for the security team that has to defend AI in production - with a named threat model, a six-gate Trust Layer that fires on every LLM call, hash-chained audit, federated identity, and BYOK at every tier.

Your data never leaves your control. Your LLM provider contract stays on your paper. And every decision the platform makes is one immutable row away from your SIEM.

AI threat model

Five attacks we defend. With the lines we won't cross.

The Trust Layer is six gates run in order; the stricter verdict wins. Here is what it stops, how, and, honestly, what we don't claim to do.

Attack

Prompt injection

What Quadrazene does

Gate 3. A heuristic detector catches ignore-previous-instructions phrasing, jailbreak personas, role-tag injection, and system-prompt reveal attempts before the prompt reaches the model. Every match writes an immutable Trust Event.

What we don't claim

We won't claim we catch every novel attack chain. We publish our detection patterns, score every match with a confidence, and surface the long tail so you can tune the filter set as new attacks emerge.

Attack

Training-data leakage

What Quadrazene does

Quadrazene does not train models on customer data. Period. Our LLM provider contracts include no-training clauses. The response-side content filter catches model echoes of sensitive patterns (PII, secrets, regulated terms) before they reach the user.

What we don't claim

We don't claim your data has never been seen by an LLM. Every query you ask sends a sanitized prompt to the provider you chose. What we guarantee is the contract on the wire and the filter set on the return path.

Attack

Classification-cap breach (restricted data → hosted LLM)

What Quadrazene does

Gate 2 enforces a tenant-wide data-classification ceiling. Systems tagged restricted are pinned to on-prem-only model routing. Hosted providers are denied by default before any prompt is built.

What we don't claim

We don't claim classification is unbeatable. An operator with the right capability can downgrade a System's classification. The platform records every change with the before→after diff, so the policy decision is auditable, but the policy itself is yours.

Attack

Jailbreak persona / system-prompt extraction

What Quadrazene does

Gate 3 plus a response-side content filter: the system prompt is never echoed in outputs, and direct extraction patterns are caught on the way back. The model allowlist also bounds which providers can serve any given Reaction.

What we don't claim

We don't claim jailbreaks are impossible. Sufficiently novel persona chains may slip the detector. The response filter and the Trust Event log are how we learn fast and tighten patterns within the same release cycle.

Attack

Insider data exfiltration via NL query

What Quadrazene does

Query-in-place architecture (we don't move data) + per-System classification + the composite Risk score: a bulk read on a confidential System lands in the high band and auto-routes to HITL with a per-factor breakdown attached.

What we don't claim

We don't claim we prevent all insider abuse. A privileged operator who has legitimate access can still do harm. What the platform guarantees is detection: every read is scored, every override is on the record, and patterns surface in the Risk Center for forensics.

Security pillars

Eight properties we don't compromise on.

Deny by default

No permission means no access. Every API call is authorized against RBAC + ABAC policy.

Tenant isolation

Database-level row security enforces tenancy. No cross-tenant leaks.

Encryption everywhere

TLS 1.3 in transit. AES-256-GCM at rest with per-tenant keys. BYOK optional.

Hash-chained audit

Immutable, tamper-evident audit ledger. Every decision recorded and defensible.

Federated identity

OIDC, SAML, SCIM, LDAP. Entra, Okta, Ping, Google Workspace. Your IdP is the source of truth.

Least-privilege secrets

Credentials never reach atom code, are never logged, are rotated on policy, and are KMS-sealed.

Sandboxed execution

Plugin code runs in WASM sandboxes with capability-based security.

Supply chain integrity

Signed artifacts. SBOM in every release. CVE-scanned in CI.

Trust boundaries

How customer data flows through the platform.

Three boundaries (your data, the Quadrazene tenant, the LLM provider) with six gates in between. Restricted Systems take the on-prem lane and never touch a hosted model.

[Diagram: trust boundaries] YOUR DATA (Warehouse · ERP · Mailbox; read in place, never copied) → queried in place → QUADRAZENE (Trust Layer · 6 sequential gates; OAuth / JWT · per-tenant RBAC; hash-chained audit on every gate event; sanitizes prompt before any model call) → sanitized prompt → LLM PROVIDER (Anthropic · OpenAI · Google; BYO key · no-training clause). RESTRICTED: on-prem Ollama only · no external egress.

① 6 gates between you and the model. Every LLM call: six checks, in order. Allowlist → Classification → Injection detector → Prompt filter → LLM call → Response filter. Stricter gate wins. No prompt reaches a model until all 6 gates pass.

② Restricted data never leaves the building. Gate 2 (Classification cap) pins restricted Systems to your on-prem Ollama instance only. No restricted-source prompt can route to a hosted model.

③ Every gate event is an immutable Trust Event. Each gate decision, pass or deny, writes a hash-chained row to the audit ledger. Tamper-evident. Re-walkable and exportable to your SIEM at any time.
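To make the gate ordering concrete, here is an added, illustrative model of the pre-model gates (1 allowlist, 2 classification cap, 3 injection detector, 4 prompt filter) and the response filter (gate 6), with stricter-wins and one Trust Event per gate decision. It is example code written for this page, not Quadrazene's implementation; the detector patterns, confidence thresholds, the HITL routing of low-confidence matches, and the email-only masking in gate 4 are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
HOSTED = {"anthropic", "openai", "google", "bedrock"}   # the on-prem lane is "ollama"
ORDER = {"pass": 0, "hitl": 1, "deny": 2}               # stricter wins
# Illustrative Gate 3 heuristics with a confidence each (assumption: the product's
# published pattern set is not reproduced here).
INJECTION = [
    ("ignore-previous", 0.9, re.compile(r"\bignore (all |any )?(previous|prior|above) instructions\b", re.I)),
    ("role-tag", 0.8, re.compile(r"</?\s*(system|assistant)\s*>", re.I)),
    ("system-prompt-reveal", 0.85, re.compile(r"\b(reveal|print|repeat|show)\b.{0,40}\bsystem prompt\b", re.I)),
    ("jailbreak-persona", 0.6, re.compile(r"\byou are now\b.{0,40}\b(unrestricted|without rules)\b", re.I)),
]
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SECRET = re.compile(r"\b(sk-|AKIA)[A-Za-z0-9_-]{16,}\b")

@dataclass
class Verdict:
    decision: str = "pass"
    trust_events: list = field(default_factory=list)  # one row per gate decision
    prompt: Optional[str] = None                      # sanitized prompt, set only if all gates pass

    def record(self, gate, decision, reason, **extra):
        if ORDER[decision] > ORDER[self.decision]:
            self.decision = decision                  # stricter gate wins
        self.trust_events.append({"gate": gate, "decision": decision, "reason": reason, **extra})

def trust_layer(prompt, provider, allowlist, classification):
    """Pre-model gates 1-4, in order. Every gate decision becomes a Trust Event."""
    v = Verdict()
    v.record(1, "pass" if provider in allowlist else "deny", "model-allowlist")
    capped = classification == "restricted" and provider in HOSTED
    v.record(2, "deny" if capped else "pass", "classification-cap")
    hits = [(name, conf) for name, conf, rx in INJECTION if rx.search(prompt)]
    for name, conf in hits or [("clean", 0.0)]:      # low-confidence match -> HITL (assumption)
        v.record(3, "deny" if conf >= 0.8 else "hitl" if conf else "pass", name, confidence=conf)
    sanitized = EMAIL.sub("[email]", prompt)         # Gate 4 masks email addresses only (assumption)
    v.record(4, "pass", "masked-email" if sanitized != prompt else "no-change")
    if v.decision == "pass":
        v.prompt = sanitized                         # nothing reaches a model until all gates pass
    return v

def response_filter(response, system_prompt):
    """Gate 6: the system prompt is never echoed and secret-shaped strings are caught on the way back."""
    if system_prompt and system_prompt in response:
        return "deny", "system-prompt-echo"
    if SECRET.search(response):
        return "deny", "secret-pattern"
    return "pass", "clean"
```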

Identity & Access

Your IdP is the source of truth.

Federated SSO, per-tenant RBAC, capability gating on the dangerous verbs. Your operators don't get a separate password. They get exactly the access your IdP says they get.

SAML 2.0

Entra ID, Okta, Ping, Auth0, Google Workspace, Active Directory Federation Services. Assertion-encrypted. IdP-initiated and SP-initiated flows.

OIDC

PKCE on the front channel. The client_credentials grant for the back channel. Refresh-token rotation enforced.

SCIM 2.0

Auto-provisioning and deprovisioning from your IdP. Users land already mapped to the right role and tenant. Offboarding revokes within minutes.

Service-account JWT

For your orchestrator (Agent Core, Step Functions, n8n) to call the API as a service. Short-lived. Per-purpose. Auditable.

Per-tenant RBAC

Admin, operator, viewer baseline, plus custom roles. Roles attach to Skills, Formulas, Systems, and the Inbox.

ABAC by classification

Every Action and read is scoped against the System's data classification. A confidential System refuses a viewer at the connector boundary, before the model is even contacted.

Admin capability gate

Dangerous verbs (commit a Compose draft, edit a policy, change a routing rule) require the admin capability and are audited per call.

Session management

Configurable session TTL, step-up MFA for privileged actions, force-logout on role change. Sessions invalidate on IdP-side revocation within the SCIM polling window.

Break-glass

Emergency override path with alarmed real-time SIEM notification, dual-approval required, full payload retained for the IR file.

Operational security

The boring parts, done.

Key management, security testing cadence, sub-processors, incident response. None of this differentiates a product on a slide, and all of it differentiates a product on the procurement call.

Key management · BYOK

Envelope encryption with your KMS.

  • AES-256-GCM at rest, TLS 1.3 in transit (mTLS internal east-west)
  • Per-tenant DEKs wrapped by a customer-owned CMK in your AWS / Azure / GCP KMS
  • Quarterly key rotation, on-demand rotation triggered by SIEM signal
  • Key shred on tenant offboarding: DEKs can no longer be unwrapped and the data is unreadable within minutes
  • FIPS 140-3 validated providers supported on the customer KMS path

Security testing

Continuous + annual third-party.

  • SAST + secret-scanning on every PR. Dependency scan on every CI run
  • DAST against the staging tenant nightly. Weekly authenticated scan
  • Bug bounty program. Safe-harbor + disclosure policy posted publicly
  • Container images scanned + signed (Cosign). SBOM published per release

Sub-processors & Residency

Short list. Regional choice. No surprises.

  • Infrastructure: AWS (us-east-1, us-west-2, eu-west-1, ap-southeast-2) or your VPC
  • LLM: Anthropic, OpenAI, Google, AWS Bedrock, Ollama (your VM). Your contract on the wire
  • Email transport: your own SMTP or AWS SES under your account
  • No third-party analytics, no third-party CDNs on authenticated pages
  • Full sub-processor list with 60-day change notice. Posted at /sub-processors

Incident response

SLA-bound. Customer-first.

  • P1 acknowledgement within 30 minutes, 24/7
  • Customer notification within 4 hours of confirmed material impact
  • Status page (status.quadrazene.com) and webhook subscriptions for real-time updates
  • Post-incident review delivered within 5 business days with audit-ledger evidence pack
  • Tabletop exercises quarterly. Red-team retainer for AI-specific attack scenarios

Audit ledger

A tamper-evident audit log, by construction.

Every decision Quadrazene makes is recorded to an append-only ledger where each entry is cryptographically chained to all the history before it. Alter, delete, reorder, or backdate any past event and the chain stops verifying; a periodic signed anchor catches even a full rewrite of the whole chain.

Hash-chained entries

hash = sha256(prevHash ‖ canonical(entry)). Every entry commits to the entire chain before it.

Tamper detection

Any edit, deletion, reorder, or backdated insert breaks the link and surfaces the exact position of the first break.

Signed head anchors

The chain head is periodically snapshotted and HMAC-signed out-of-band, closing the full-rewrite gap.

Verify on demand

Re-walk the chain at any time to re-derive integrity. Returns intact, or the precise reason and position of a break.

Per-tenant isolation

Each tenant has an independent chain and its own anchors, preserving tenancy.

Exportable for auditors

Entries and anchors export so an auditor or SIEM can re-verify independently, offline.

Evidence pack

What auditors and SIEMs actually receive.

The hash-chained ledger is the substrate. The evidence pack is what shows up on the auditor's desk. A portable, verifiable, schema-stable export.

Canonical audit row · NDJSON

{
  "ts": "2026-05-30T12:31:02.504Z",
  "tenantId": "tenant_q1z",
  "reactionId": "r-44a17e",
  "kind": "action.commit",
  "engineId": "actions",
  "skillId": "file-quality-notification",
  "systemId": "sap-ecc-qm",
  "actor": { "type": "service-account", "id": "agt-7f912c" },
  "result": { "status": 201, "ref": "Q3-820041" },
  "risk": { "score": 67, "band": "high", "factors": { "classification": 18, "sideEffects": 22, "reversibility": 10, "novelty": 7, "trust": 5, "guardrailBypass": 5 } },
  "hitl": { "approvedBy": "user_q1z_qe", "noteHash": "sha256:..." },
  "policyMatches": [ "threshold:qm-severity" ],
  "llm": { "profileId": "claude-sonnet", "scopeTier": "engine", "tokensIn": 412, "tokensOut": 188 },
  "trustEvents": [],
  "prev": "sha256:5b22f0d8a3...",
  "hash": "sha256:2f7c19abc4..."
}

One row per Reaction. Schema-stable across releases. Additive only. Every field documented.

Export formats

NDJSON, JSON, syslog (RFC 5424), CSV for spot checks. UTF-8, canonical key order.

SIEM destinations

Splunk HEC, Microsoft Sentinel, Chronicle, Datadog Logs, syslog/UDP, S3 sink, webhook.

Retention controls

Customer-set retention per tenant. Default 7 years. WORM-mode immutability available.

Auditor handover

One-click evidence pack: filtered NDJSON + the signed head anchors + a re-verification script. Auditor confirms integrity offline.

Continuous streaming

Every commit can stream to your SIEM in real time. Append-only at both ends.
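The hash-chained ledger, the re-walk verification, the signed head anchor, and the NDJSON export described above, worked through in an added example. This is illustrative code written for this page, not Quadrazene's ledger or its re-verification script; the genesis value, the anchor key held outside the ledger store, the anchor message layout, and the sample rows are assumptions.

```python
import hashlib, hmac, json
GENESIS = "sha256:" + "0" * 64
ANCHOR_KEY = b"anchor-key-held-outside-the-ledger"  # assumption: out-of-band secret
# Constructed sample rows (not real ledger data), in ingest order.
ROWS = [
    {"ts": "2026-05-30T12:31:02.504Z", "tenantId": "tenant_q1z", "kind": "gate.pass", "gate": 1},
    {"ts": "2026-05-30T12:31:02.611Z", "tenantId": "tenant_q1z", "kind": "gate.pass", "gate": 2},
    {"ts": "2026-05-30T12:31:02.690Z", "tenantId": "tenant_q1z", "kind": "gate.deny", "gate": 3},
]

def canonical(entry):
    """canonical(entry): sorted keys, no whitespace, UTF-8; prev and hash excluded."""
    body = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def link(prev, entry):  # hash = sha256(prevHash || canonical(entry))
    return "sha256:" + hashlib.sha256(prev.encode() + canonical(entry)).hexdigest()

def build_chain(rows):
    chain, prev = [], GENESIS
    for row in rows:
        entry = dict(row, prev=prev)
        entry["hash"] = link(prev, entry)
        chain.append(entry)
        prev = entry["hash"]
    return chain

def sign_head(chain):  # signed head anchor: HMAC over (length, head hash), stored out-of-band
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(ANCHOR_KEY, f"{len(chain)}|{head}".encode(), hashlib.sha256).hexdigest()

def verify(chain, anchor=None):
    """Re-walk the chain: ('intact', None) or (reason, index of the first break)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev") != prev:
            return "prev-link mismatch", i
        if entry.get("hash") != link(prev, entry):
            return "content hash mismatch", i
        prev = entry["hash"]
    if anchor is not None and not hmac.compare_digest(sign_head(chain), anchor):
        return "head anchor mismatch", len(chain)  # full rewrite or truncation
    return "intact", None

def to_ndjson(chain):  # evidence-pack export: one canonical row per line
    return "".join(json.dumps(e, sort_keys=True, separators=(",", ":")) + "\n" for e in chain)

def from_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]
```

Without the anchor, a chain rebuilt from scratch after editing a row verifies as intact; the anchor is what turns a full rewrite into a detectable break.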

Compliance

Certifications and frameworks

Honest status. We ship controls before we ship certifications.

SOC 2 Type II

On request

Controls aligned to the SOC 2 trust criteria. Control set available to customers under NDA.

ISO 27001

On request

Control objectives mapped to the ISO 27001 framework. Mapping documentation available to enterprise customers under NDA.

HIPAA

On request

Designed to support HIPAA-eligible workloads. BAA terms available to qualified customers on request.

GDPR

Aligned

Built around GDPR principles. Data minimization, purpose binding, and right-of-erasure. DPA terms available on request.

CCPA / CPRA

Aligned

Right-to-know and right-to-erasure handled through the same scope-delete model that supports GDPR.

FedRAMP

Open to discuss

The Moderate baseline informs our control thinking. Reach out if you have a public-sector mandate and we'll scope from there.

Data handling

Your data stays yours.

No model training on your data

Quadrazene does not train models on customer data. Period. We route queries through your LLM provider per your contract.

Query-in-place architecture

Connectors execute queries against your warehouse or ERP in place. We fetch only the minimum result set needed to answer your question.

PII auto-masking

Sensitive columns are masked at the connector boundary for users without clearance. PII never reaches the LLM unless explicitly permitted.

Right to erasure

Scope-delete APIs wipe memories and data for any user or subject with an immutable audit record of what was erased.

Regional data residency

US, EU, and regional deployments available. Your data stays in the jurisdiction you select.

Customer-controlled keys

BYOK encryption at enterprise tier. Integrate with cloud KMS or PKCS#11 HSM.

Deployment options

Run Quadrazene the way your security team wants.

Managed SaaS

We run it. You connect via HTTPS. Fastest time to value.

Customer VM

docker compose up -d on your hardware. We never see your data.

Customer Kubernetes

Our Helm chart in your EKS / AKS / GKE / OpenShift cluster.

Air-gapped

Offline bundle. No network egress. Local LLM. FIPS-ready.

Bring your CISO. We'll bring the threat model.

A working session: walk the Trust Layer and the audit row schema, and run any SecOps walkthrough on your own data.