Security

Scanner security posture

The scanner treats every target and tool response as untrusted input.

Production scans are read only

Public and production measurements use discovery, initialization, listing, and other read-only protocol requests. Invokely does not execute production tools.

Dynamic tests use a test environment

Tool execution requires a staging endpoint or approved disposable tenant, proof of control, explicit authorization, and a selected test scope.

Credentials are scoped

Use a short-lived token limited to the target server and required scopes. Invokely does not ask for a general account password.

Dynamic runs are isolated

Each run has a hard time limit, process isolation, an outbound network policy, and a per-run workspace.

Scope minimization

The runner receives only the endpoint, test policy, and credentials required for that run.

Retention and deletion

Evidence is retained for the period shown in the account plan. Account owners can delete stored credentials at any time.

Finding publication

Public reports show the category and severity of a security finding. Exploit steps and sensitive evidence remain private.