
Security Operations

Overview

Security isn't a feature — it's an operational discipline. The fleet runs on infrastructure that is actively defended, continuously monitored, and regularly tested by adversarial agents.

Defensive Posture

Network Hardening

  • UFW default deny — explicit allowlists only
  • SSH key-only authentication, IPv4 only, fail2ban monitoring
  • Sysctl hardened (ICMP redirect disabled, source routing disabled, SYN cookies enabled)
  • Cloudflare front-ending all public services — WAF, DDoS mitigation, bot management
  • Zero Trust access for all administrative and demo interfaces
  • WireGuard with pre-shared keys for host-to-host encrypted tunnels

Domain Security

  • SPF -all on all domains
  • DMARC reject policy
  • CAA records restricting certificate issuance
  • Cloudflare strict SSL — full (strict) mode, minimum TLS 1.2
  • HSTS enabled
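
The baseline above (SPF -all, DMARC reject, CAA restriction) can be checked mechanically as part of DNS hygiene scanning. The following is an added example, not the project's own code; the record values, the example.com names and the allowed-CA set are constructed assumptions, and in practice the inputs would come from a DNS resolver.

```python
# Added example: audit constructed DNS records against the SPF/DMARC/CAA baseline.

def parse_tags(record):
    """Parse a 'tag=value; tag=value' DMARC record into a lowercase dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def audit_zone(apex_txt, dmarc_txt, caa, allowed_cas):
    """Return findings; an empty list means the zone meets the baseline."""
    findings = []
    # SPF: exactly one v=spf1 record, and its last term must hard-fail.
    spf = [t for t in (r.lower().split() for r in apex_txt) if t[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"spf: expected 1 record, found {len(spf)}")
    elif spf[0][-1] != "-all":
        findings.append(f"spf: last term is {spf[0][-1]}, want -all")
    # DMARC: p=reject, with no sp= or pct= tag weakening it.
    dmarc = [parse_tags(r) for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"dmarc: expected 1 record, found {len(dmarc)}")
    else:
        tags = dmarc[0]
        if tags.get("p") != "reject":
            findings.append(f"dmarc: p={tags.get('p')}, want reject")
        if tags.get("sp", "reject") != "reject":
            findings.append(f"dmarc: sp={tags['sp']} weakens subdomains")
        if tags.get("pct", "100") != "100":
            findings.append(f"dmarc: pct={tags['pct']} covers a sample only")
    # CAA: an issue record must exist, and every named CA must be expected.
    issuers = [(tag, value.split(";")[0].strip().lower())
               for _flags, tag, value in caa if tag in ("issue", "issuewild")]
    if not any(tag == "issue" for tag, _ in issuers):
        findings.append("caa: no issue record, any CA may issue")
    for tag, ca in issuers:
        if ca and ca not in allowed_cas:  # an empty CA (";") forbids issuance
            findings.append(f"caa: {tag} permits unexpected CA {ca}")
    return findings

# Constructed sample zones (example.com is a reserved documentation domain).
ALLOWED = {"letsencrypt.org"}
GOOD = dict(apex_txt=["v=spf1 include:_spf.example.com -all"],
            dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
            caa=[(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")])
WEAK = dict(apex_txt=["v=spf1 include:_spf.example.com ~all"],
            dmarc_txt=["v=DMARC1; p=reject; pct=10; sp=none"],
            caa=[(0, "issuewild", "ca.example.net")])
if __name__ == "__main__":
    for name, zone in (("good", GOOD), ("weak", WEAK)):
        print(name, audit_zone(allowed_cas=ALLOWED, **zone) or "OK")
```

The WEAK zone shows why checking only for `p=reject` is not enough: its DMARC record has the reject policy but `pct=10` and `sp=none` undo most of it.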

Monitoring

  • Fail2ban with custom jail configurations
  • Automated security scanning on recurring schedules
  • Log aggregation and anomaly detection
  • Real-time dashboards — geo-enriched attacker intelligence, WAF event visualization

Red Team / Blue Team

Red Team

Adversarial testing runs on isolated infrastructure — separate from production, separate network, separate credentials. The red team:

  • Runs structured penetration tests against defined scope
  • Uses the Kali Linux offensive toolkit (nmap, nuclei, masscan, httpx, gobuster, katana)
  • Tests specific CVEs and attack vectors against controlled environments
  • Documents findings with proof-of-concept and remediation recommendations

Separation is absolute

Red team operations never touch production infrastructure. The attack surface under test is always isolated. This is not negotiable.

Blue Team

Blue team agents receive red team findings and implement hardening:

  • Firewall rule updates
  • Service configuration changes
  • Package updates and security patches
  • Access control reviews
  • Monitoring rule additions

The Loop

Red finds → Blue fixes → Red re-tests → iterate. This is continuous, not periodic. The red team doesn't wait for a quarterly audit schedule.

Live Security Dashboard

A real-time security operations dashboard provides:

  • Intrusion detection events — source IPs, attack vectors, geo-enrichment
  • WAF event visualization — blocked requests, rule triggers, threat categories
  • System audit results — Lynis scores, configuration compliance
  • Interactive threat maps — D3-based visualization with per-vector breakdowns, geographic origin tracking
  • Scan results — DNS hygiene, SSL posture, exposed services

This uses live operational data — real fail2ban events, real Cloudflare WAF logs, real scan results. Not synthetic demonstrations.

Attack Surface Management

External Exposure Monitoring

  • DNS record auditing across all zones
  • SSL certificate monitoring and expiration tracking
  • Service discovery scans against own infrastructure
  • Subdomain enumeration and verification

Incident Response

Real security incidents have been investigated and remediated:

  • Dispatch pipeline vulnerability — unauthenticated file-based execution path discovered and closed
  • Context leakage event — cross-instance information disclosure identified and contained
  • Anomalous dispatch activity — unexplained reconnaissance patterns investigated
  • Token collision — credential management gap identified and resolved with rotation

Each incident produced documented findings, root cause analysis, and preventive controls.

Lockdown Procedures

Graduated response capability:

| Level | Action |
|---|---|
| Status | Current security posture assessment |
| Elevate | Increased monitoring, tighter rate limits |
| DEFCON 1 | Maximum restrictions, non-essential services suspended |
| Stand Down | Return to normal operations |
| Block IP | Immediate IP-level blocking via Cloudflare API |
| Block Country | Geographic blocking via Cloudflare API |

All lockdown actions are API-driven — Cloudflare WAF rules, Under Attack Mode, IP/country blocks can be activated programmatically within seconds.

OPSEC

All security documentation and dashboard content follows strict OPSEC rules:

  • No provider names, IP addresses, or port numbers in any public-facing content
  • No internal project codenames or pipeline names
  • No exact topology details that match internal state
  • Capabilities described generically — implementation details stay internal
  • Cloudflare Zero Trust referenced as standard enterprise tooling (not a secret)