Security Layer

Security & Redaction

Protect sensitive operational evidence before simulation and AI reasoning. Automatically detect and mask secrets, PII, infrastructure identifiers, and customer data.

How Redaction Works

The Redaction Engine runs as the mandatory first step before any AI model receives evidence. Raw operational data is scanned using pattern matching, entropy analysis, and context-aware classifiers. Detected sensitive values are replaced with deterministic pseudonyms that preserve analytical relationships.

Redaction Example
BEFORE REDACTION
Error connecting to db://admin:p@ssw0rd!@10.4.2.8:5432/payments
API call failed: Authorization: Bearer eyJhbGci...xQ2kz
Customer email: john.doe@acme.com (account: ACC-98712)
AFTER REDACTION
Error connecting to db://[REDACTED_CREDS]@[MASKED_IP]:5432/payments
API call failed: Authorization: Bearer [REDACTED_JWT]
Customer email: [REDACTED_EMAIL] (account: [MASKED_ACCOUNT_ID])

Detection Categories

Secret Detection

Automatically identify API keys, database passwords, OAuth tokens, webhook secrets, and service account credentials embedded in logs and configuration data.

AWS access keys, Database passwords, Webhook secrets, Service account tokens

API Key & JWT Masking

Detect and mask bearer tokens, JWTs, and API keys in headers and payloads. Preserve token structure metadata (issuer, expiry) while redacting the actual credential.

Bearer tokens, JWT payloads, API key headers, OAuth refresh tokens

PII Handling

Identify and redact personally identifiable information including email addresses, phone numbers, national IDs, and names across all evidence sources.

Email addresses, Phone numbers, National IDs, Full names

IP & Account Masking

Replace internal IP addresses, hostnames, account IDs, and customer identifiers with deterministic pseudonyms that preserve correlation without exposing real values.

Internal IPs, Hostnames, AWS account IDs, Customer identifiers
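
The deterministic pseudonyms described under How Redaction Works and IP & Account Masking, as an added sketch that is not the product's own code: each detected value is replaced with a keyed HMAC tag, so the same IP or email maps to the same token on every line, and each redaction is recorded without the raw value. The rule patterns, the key, the token format with a hex suffix, and the JWT and last log line are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed rules, applied in order; credentials first so embedded '@' is consumed.
RULES = [
    ("REDACTED_CREDS", re.compile(r"(?<=://)[^/\s:@]+:\S+(?=@)")),
    ("REDACTED_JWT", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+")),
    ("REDACTED_EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("MASKED_IP", re.compile(
        r"\b(?:10\.\d{1,3}|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b")),
]

def pseudonym(key: bytes, label: str, value: str) -> str:
    # Keyed HMAC rather than a bare hash: low-entropy values such as private
    # IPs can be enumerated, so an unkeyed digest would be reversible.
    tag = hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"[{label}_{tag}]"

def redact(lines, key):
    """Return (redacted_lines, audit); audit holds rule and line, never the value."""
    redacted, audit = [], []
    for line_no, line in enumerate(lines, 1):
        for label, pattern in RULES:
            def swap(match, label=label, line_no=line_no):
                audit.append({"line": line_no, "rule": label})
                return pseudonym(key, label, match.group(0))
            line = pattern.sub(swap, line)
        redacted.append(line)
    return redacted, audit

DEMO_KEY = b"constructed-demo-key"  # assumption: real keys live in a secret store
SAMPLE = [  # lines 1 and 3 follow the page's example; 2 and 4 are constructed
    "Error connecting to db://admin:p@ssw0rd!@10.4.2.8:5432/payments",
    "Authorization: Bearer eyJhbGciOiJub25lIn0.eyJzdWIiOiJ4In0.c2ln",
    "Customer email: john.doe@acme.com",
    "Retry from 10.4.2.8 failed for john.doe@acme.com",
]

if __name__ == "__main__":
    lines, audit = redact(SAMPLE, DEMO_KEY)
    print("\n".join(lines))
    print(audit)
```

Rotating the key breaks correlation with evidence redacted under the old key, so the key's lifetime should match the window over which evidence needs to be joined.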

Auditability & Provenance

Redaction Metadata

Every redaction event is logged with the type detected, the masking rule applied, and the source location.

Source Provenance

Each piece of evidence maintains a verifiable chain back to the original source — log group, ticket ID, or document reference.

Audit Trail

Immutable audit logs track who accessed what data, when redaction rules were applied, and what model invocations occurred.

Compliance Reporting

Generate redaction compliance reports showing what categories of sensitive data were detected and masked across all evidence.