SpecterOps expands Identity Attack Path Management to Okta, GitHub, and Mac. Learn More

SpecterOps Security

Protecting customer data is foundational to how we operate. SpecterOps applies rigorous security controls, adversary-informed practices, and transparent governance to safeguard our systems and your information.

Trust Center

WEBSITE SECURITY

Our Approach to Security

Security

At SpecterOps, we integrate skilled people, proven processes, and modern technology to maintain a strong security posture across both our product ecosystems and internal operations.

Compliance

Our compliance efforts are aligned with industry-recognized standards and validated through independent third-party assessments. For more information, visit our Trust Center.

Privacy

We are committed to responsible data practices and clear communication about how customer information is collected, handled, stored, and protected throughout its lifecycle. For more information, visit our Privacy Policy.

Product Security

BloodHound Enterprise (BHE) is built with security at its core, engineered with rigorous safeguards, continuous monitoring, and ongoing testing. Below is an overview of the controls and practices we use to protect your data and keep the platform resilient.

Track
Overview
Track

Authentication & Access Controls

Overview
Strong authentication is enforced across all systems, with multi-factor 
authentication required where appropriate. Role-Based Access Control (RBAC) 
ensures access is granted only based on defined roles and legitimate business need. Access follows least-privilege and segregation-of-duties principles and is reviewed 
on a quarterly basis.
Track

Cloud & Infrastructure Security

Overview
Infrastructure is hosted in AWS, leveraging industry-recognized security 
certifications and independent third-party audits to maintain a hardened, compliant environment. Customer data is protected through a single-tenant architecture with isolated databases and services, encryption at rest (AES-256), and network-level isolation. Continuous monitoring and vulnerability management further strengthen 
the security posture.
Track

Secure Development Lifecycle

Overview
A formal Secure Development Lifecycle governs how software is designed, built, tested, deployed, and operated. Secure coding standards, automated security scanning, version control, and change management are enforced, with all code changes tested and approved before reaching production.
Track

Logging and Monitoring

Overview
Centralized logging and monitoring are utilized to detect suspicious activity and trigger automated alerts to the appropriate personnel. Logs are aggregated in a SIEM, replicated to immutable storage, and protected through strict integrity controls and access restrictions.
Track

Incident Response

Overview
A documented Incident Response Plan defines roles, escalation paths, and response procedures. The plan is tested annually and includes root cause analysis, lessons learned, and follow-up tracking. Incidents are prioritized and managed through internal tracking systems based on severity.
Track

Business Continuity & Disaster Recovery

Overview
Unified Business Continuity and Disaster Recovery plans cover all critical assets and operations. These plans define response and recovery procedures, roles, and responsibilities, and are tested annually. Daily backups are performed and retained 
on a defined schedule, supported by regular risk assessments and crisis 
management planning.
Track

Risk & Vendor Management

Overview
A leadership-sponsored enterprise risk management program identifies, evaluates, and addresses security and privacy risks. Vendor risk management includes initial and ongoing assessments, review of SOC 2 and ISO 27001 reports, and continuous monitoring defined through contractual requirements.

Trusted and Independently Validated

SpecterOps builds its security program on industry-leading practices and widely recognized security and privacy frameworks. Our controls and processes undergo regular evaluation by accredited third-party assessors to ensure they meet rigorous standards. In addition, our internal security and privacy teams continuously maintain alignment with applicable frameworks and data protection requirements.

SOC 2 Type II

SOC 2 Type II provides independent assurance that security, availability, and confidentiality controls are designed and operating effectively over time.

CREST Penetration Testing Accreditation

CREST accreditation indicates that penetration testing services meet internationally recognized standards for technical quality and professional conduct.

FedRAMP High Authorization

FedRAMP High authorization confirms that systems comply with the federal government’s most rigorous security requirements for high-impact data.

TX-RAMP Level 2 Certification

TX-RAMP Level 2 certification verifies alignment with the State of Texas standards for protecting sensitive or confidential information.

ISO 27001:2022

ISO 27001:2022 establishes a systematic, risk-based framework for managing and safeguarding information assets.

ISO 27017:2015

ISO 27017:2015 provides cloud-focused security guidelines and controls for protecting data in cloud service environments.

How SpecterOps Protects Your Data

What customer data does SpecterOps process?

SpecterOps may process information provided to us during the delivery of our services, including data generated from security assessments, training operations, and advisory engagements. The type and sensitivity of any data involved is determined by each customer’s own environment and configuration choices. SpecterOps does not require personally identifiable information (PII) or other sensitive data for most services, and customers retain control over what data is shared.

How does SpecterOps align with data privacy regulations?

SpecterOps maintains a dedicated privacy program that supports compliance with major data protection laws and frameworks, including GDPR and the EU-U.S. Data Privacy Framework (DPF) for lawful international data transfers. These commitments are further documented in our Data Protection Addendum (DPA).

More information about our privacy commitments can be found in our Privacy Policy.

Who are SpecterOps’ subprocessors?

SpecterOps uses Amazon Web Services (AWS) as its cloud hosting provider.

Contact Us

To ensure the security of our systems and address any potential concerns promptly, please report security incidents to security@specterops.io. For abuse-related issues, please report them to abuse@specterops.io. Your cooperation helps SpecterOps maintain a safe and secure environment for all of our users.

Need more information?

Contact Us