Security
Scanner security posture
The scanner treats every target and tool response as untrusted input.
Production scans are read only
Public and production measurements use discovery, initialization, listing, and other read-only protocol requests. Invokely does not execute production tools.
Dynamic tests use a test environment
Tool execution requires a staging endpoint or approved disposable tenant, proof of control, explicit authorization, and a selected test scope.
Credentials are scoped
Use a short-lived token limited to the target server and required scopes. Invokely does not ask for a general account password.
Dynamic runs are isolated
Each run has a hard time limit, process isolation, an outbound network policy, and a per-run workspace.
Scope minimization
The runner receives only the endpoint, test policy, and credentials required for that run.
Retention and deletion
Evidence is retained for the period shown in the account plan. Account owners can delete stored credentials at any time.
Finding publication
Public reports show the category and severity of a security finding. Exploit steps and sensitive evidence remain private.