Security

1. Our Security Commitment

Corxor builds security products. We hold ourselves to the same standards we expect from the solutions we deliver. Security is embedded into our architecture, development lifecycle, and operational procedures — not applied as an afterthought.

This page describes the security design of the QuickSecure platform, our infrastructure protections, and our responsible disclosure program. It is intended to be technically accurate rather than promotional. No security architecture eliminates all risk; our goal is to apply rigorous, layered controls that reduce risk to a commercially reasonable level.

2. QuickSecure Platform Architecture

2.1 User-Mode Endpoint Agent

The QuickSecure endpoint agent runs entirely in user mode. Unlike kernel-mode security drivers, this design:

• Reduces the risk of system-wide instability caused by agent failures
• Avoids kernel-level attack surface expansion
• Simplifies deployment and updates without requiring system reboots
• Maintains sufficient visibility through OS-provided telemetry interfaces

2.2 ETW-Based Monitoring

The agent leverages Event Tracing for Windows (ETW) as its primary telemetry source. ETW provides structured, high-fidelity process, file, network, and registry event data from the operating system without requiring custom kernel hooks or filter drivers.

2.3 Local ML Inference

The agent performs local ML inference using ONNX Runtime. The detection pipeline follows a multi-stage fallback architecture:

1. Primary: ONNX neural network model — highest accuracy, higher resource cost
2. Secondary: Random Forest model — lightweight fallback for constrained environments
3. Tertiary: Rules-based heuristics — deterministic fallback when ML inference is unavailable

This multi-stage design ensures that detection continues even if the primary model encounters errors or resource constraints. It does not guarantee detection of all threats.

2.4 Signed Model Distribution

ML models distributed through the Corxor model registry are cryptographically signed. The agent verifies model signatures before loading, preventing execution of tampered or unauthorized models. Model versioning ensures traceability from training to deployment.

3. ML Model Governance

3.1 Versioned Model Registry

All models are managed through a versioned registry with metadata including training parameters, evaluation metrics, signature hashes, and deployment history. This supports auditability and reproducibility of model lifecycle decisions.

3.2 Canary Deployment and Rollback

New model versions are deployed incrementally using a canary process. A subset of endpoints receives the new model while the majority continues on the current production version. Performance metrics are compared, and automatic rollback is triggered if degradation exceeds configured thresholds.

3.3 Drift Monitoring

The platform continuously monitors for distribution drift between training data and production inference data using Population Stability Index (PSI) and related metrics. Drift alerts trigger evaluation workflows that may lead to retraining or rollback decisions.

3.4 Tenant-Aware Model Selection

The platform supports both global models (shared across tenants) and tenant-dedicated models (trained on tenant-specific data). The inference pipeline selects the most specific available model: tenant-dedicated if available, global fallback otherwise.

4. Infrastructure Security

4.1 Hosting and Network

• Environment Isolation: Production, staging, and development environments are fully isolated
• Private Networking: Internal services communicate over private networks and are not exposed to the public internet
• Firewall and WAF: Network-level firewalls and web application firewall rules protect all publicly accessible endpoints
• TLS Termination: All external traffic is encrypted with TLS 1.2+ (TLS 1.3 preferred) via reverse proxy

4.2 Encryption

• In Transit: TLS 1.2+ for all external and inter-service communication
• At Rest: AES-256 encryption for stored data
• Key Management: Encryption keys are managed through dedicated secret management infrastructure, separate from application code

4.3 Multi-Tenant Data Isolation

Corxor operates a multi-tenant architecture with strict logical data isolation. Tenant boundaries are enforced at the application layer, database query layer, and API authorization layer. Each request is scoped to the authenticated tenant, and cross-tenant data access is architecturally prevented. Telemetry, configurations, and security events are partitioned by tenant identifier.

5. Application Security

5.1 Secure Development Practices

• Code Review: All code changes undergo peer review before merge
• Static Analysis: Automated scans on pull requests for common vulnerability patterns
• Dependency Scanning: Continuous monitoring of third-party dependencies for known vulnerabilities
• Security Testing: Periodic vulnerability assessments and penetration testing

5.2 Authentication and Authorization

• Password Security: Industry-standard one-way password hashing with salting
• Role-Based Access Control: Fine-grained RBAC with least-privilege assignment
• Session Management: Secure session handling with automatic expiration and server-side invalidation
• API Security: Bearer token authentication with rate limiting and request throttling
• Anti-Forgery: CSRF protection on all state-changing operations

5.3 Input Validation and Output Encoding

All user input is validated and sanitized server-side. Output encoding is applied to prevent cross-site scripting (XSS) and injection attacks. Content Security Policy (CSP) headers restrict executable content sources.

6. Operating Modes and Autonomous Actions

QuickSecure supports three configurable operating modes. The choice of mode is a customer decision and should be made in consultation with the customer's security team:

• Shadow Mode: Observation and logging only — no automated actions are taken
• Supervised Mode: Alerts and recommendations are generated for human review before action
• Full Autonomous Mode: Automated containment, quarantine, or blocking actions based on configured policy thresholds

Autonomous actions are executed according to customer-configured rules and ML confidence thresholds. Corxor does not guarantee error-free automated responses. Customers are responsible for reviewing and tuning their operating mode configurations to suit their environment.

7. Data Protection

• Automated Backups: Encrypted backups with tested restoration procedures
• Data Retention: Configurable retention policies aligned with customer requirements and applicable regulations
• Secure Deletion: Data is securely deleted when no longer required
• Audit Logging: Comprehensive audit trails for authentication, configuration changes, and security-relevant operations

8. Compliance Alignment

Corxor's security controls are designed to support alignment with recognized standards and regulations. Specific compliance status depends on the scope and timing of formal assessments:

• GDPR: Controls designed to support compliance with the EU General Data Protection Regulation
• KVKK: Controls designed to support compliance with the Turkish Personal Data Protection Law
• ISO 27001: Information security management practices aligned with ISO 27001 control objectives
• OWASP: Development practices follow the OWASP Top 10 and OWASP ASVS guidelines

Formal certification status, where applicable, is available upon request.

9. Incident Response

Corxor maintains a documented incident response plan that includes:

• Monitoring and alerting for security events
• Defined escalation procedures and response timelines
• Root cause analysis and post-incident reviews
• Customer notification of confirmed security incidents involving customer data, in accordance with applicable law and contractual obligations

10. Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities in Corxor products and infrastructure.

10.1 How to Report

• Email: security@corxor.com
• Include a detailed description of the vulnerability and steps to reproduce
• Include proof-of-concept code or screenshots where applicable
• Do not publicly disclose the vulnerability before coordinated resolution

10.2 Our Commitment

• We will acknowledge your report within 48 hours
• We will investigate and validate the issue promptly
• We will keep you informed of remediation progress
• We will not pursue legal action against researchers who act in good faith and in accordance with this policy
• We will credit you (if desired) when the vulnerability is resolved

10.3 Scope

The following are in scope for responsible disclosure:

• corxor.com and all subdomains
• Corxor QuickSecure endpoint agent
• Corxor cloud platform APIs and web applications

The following activities are out of scope: denial-of-service attacks, social engineering of Corxor employees, physical security testing, and accessing or modifying other users' or tenants' data.

11. Employee Security

• Background verification for personnel with access to production systems
• Mandatory security awareness training
• Principle of least privilege for all system access
• Regular access reviews and prompt de-provisioning

12. Contact