The whole Hoxey infrastructure is built on a security-first, Zero-Trust approach from the ground up.
We do not just follow best practices and compliance requirements; we go further. Security for us is the core principle, not an afterthought.
To properly understand some concepts, it is advised to read the architecture documentation first.
The core philosophy
While our infrastructure follows very high security standards, far beyond what’s required by regulations, the core design principle is protecting you, the customer.
We know security very well, well enough to be fully aware that 100% security does not exist.
For this reason, we designed our infrastructure to protect you even in the disaster case: with every single bit of information on our servers fully compromised, an adversary still cannot access what is not there.
We do not have access to the device in your network and we do not store anything that’s not strictly necessary.
This means that the apocalyptic scenario for us is temporary service disruption and a name or email leak for you.
The device is not under our control
The micro appliance we ship does NOT allow any kind of connection to it. Period.
It is designed to forward, without processing, the packets destined to its network interface through the one-way encrypted Layer 3 tunnel and only allow the responses back.
Anything else is blocked unconditionally, regardless of protocol or source.
- The device is designed to trust no one. Not even us.
- We cannot remotely manage the device in any way.
- An adversary inside the real Honeypot in our cloud cannot pivot back.
- We cannot ship updates to the device to change its behavior in ANY way.
- The device is immutable, with a read-only filesystem.
- It does not have any listening service, only the kernel’s network stack rerouting packets.
- In case of emergency or failure, we ship another disk image on an SD card, ready to be plugged in.
Our customers can request the source code of the device to audit it themselves. There are only about 500 lines of custom code.
Data Minimization
We only store what’s strictly necessary for operation. If you’re a customer, you might have noticed that on your profile page we do not ask for any extra information such as phone number or address.
Here’s what we have about you and your company:
- Name and surname
- Email address
- IP address (audit only)
- Company name and service tier
- Device subnet (audit only)
- Webhook(s) set for notifications
- A text field with management notes about your account, encrypted at rest
Subscription payments are handled by Stripe. We do not know any details about your payment methods.
Principle of Least Privilege
Our multi-tenant RBAC (Role-Based Access Control) defines two separate types of accounts: Management (our staff) and Customers.
It is important to note that Management and Customer accounts use fully separated API endpoints for operations. The separation is enforced by the first middleware in the request chain, which uses the database as the sole source of truth for the account type rather than anything supplied by the client.
Management accounts have three tiers:
- Admins with global read/write access to the whole infrastructure
- Managers with global read access, with write enabled only for non-critical operations
- Support with narrow read and even narrower write access, only for assigned customers
Customer accounts have two tiers:
- Owner with read/write access strictly limited to their organization
- Seat with read and partial write access to their organization
Web Application Security
The web app strictly follows the highest standards:
- Every input is strictly validated
- Every database query is parameterized
- Every output is sanitized
- Every action is cross-validated
- MFA is available
- The database is the only source of truth
- JWTs use HMAC-SHA256 (HS256) with a strong 256-bit secret
- Some fields are encrypted at rest inside the database with AES-256-GCM plus HMAC
- API endpoints are conservatively rate-limited
- Error messages are generic to avoid information leaks
- All dependencies use fixed versions and are manually upgraded
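The separation of Management and Customer endpoints, the HS256 JWT with a 256-bit secret, the database as sole source of truth and the generic error messages described above can be shown together in one small gate. The following is an added illustration, not Hoxey's code: the path prefixes `/mgmt/` and `/api/`, the `ACCOUNTS` table standing in for the database, and the account identifiers are all assumptions made for the example. The JWT is minted and verified with the standard library only, the algorithm is pinned server-side, and the account type is looked up in the table rather than read from a token claim.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed for this example: a fresh 256-bit HMAC secret (the page states HS256 with a 256-bit secret).
JWT_SECRET = secrets.token_bytes(32)

# Constructed stand-in for the database, which is the sole source of truth for who an account is.
ACCOUNTS: Dict[str, Dict[str, str]] = {
    "acc-mgmt-1": {"kind": "management", "role": "support"},
    "acc-cust-1": {"kind": "customer", "role": "owner"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(account_id: str, now: int, ttl_seconds: int = 900, secret: bytes = JWT_SECRET) -> str:
    """Issue a compact HS256 JWT carrying only the subject and its validity window."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": account_id, "iat": now, "exp": now + ttl_seconds},
                                 separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int, secret: bytes = JWT_SECRET) -> Optional[str]:
    """Return the subject on success, None on any failure; the caller never explains why."""
    try:
        h, p, s = token.split(".")
        # The server decides the algorithm; a token claiming anything else is rejected outright.
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so signature checks do not leak timing information.
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        payload = json.loads(_b64url_decode(p))
        if int(payload["exp"]) <= now:
            return None
        return str(payload["sub"])
    except (ValueError, KeyError, TypeError):
        return None


def gate(path: str, token: str, now: int, accounts=ACCOUNTS) -> Tuple[int, str]:
    """First middleware in the chain: route by account kind as recorded in the database."""
    sub = verify_token(token, now)
    acct = accounts.get(sub) if sub is not None else None
    if acct is None:
        return 401, "unauthorized"          # generic: no hint whether token or account failed
    if path.startswith("/mgmt/"):
        required = "management"
    elif path.startswith("/api/"):
        required = "customer"
    else:
        return 404, "not found"
    if acct["kind"] != required:
        return 403, "forbidden"             # a customer token never reaches management handlers
    return 200, "ok"


if __name__ == "__main__":
    t = mint_token("acc-cust-1", now=1_700_000_000)
    print(gate("/api/devices", t, now=1_700_000_100))   # (200, 'ok')
    print(gate("/mgmt/customers", t, now=1_700_000_100))  # (403, 'forbidden')
```

The role tiers listed above (Admin, Manager, Support, Owner, Seat) would be checked by later middleware on the already-separated path; the point of this first gate is that a token alone never picks the endpoint family, the database record does.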
Military-grade encryption
Anything that does not require indexing is encrypted at rest with symmetric encryption.
Credentials are salted and hashed with bcrypt using multiple rounds. While we won’t disclose the exact parameters, they are intentionally generous and computationally intensive.
Secure tokens and UUIDs are widely used internally. No resource is accessed by incremental ID or name.
Needless to say, TLS is enforced everywhere. No connection, not even an internal one, is allowed without encryption. There is no fallback to plaintext, and HSTS is fully enforced.
Comprehensive logging and auditing
In addition to standard system logs, we use a custom auditing system for our application that stores events in different locations.
These events are correlated using a rayID and sanitized by stripping away sensitive information.
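As an added illustration of the auditing design described here (not Hoxey's own code), the sketch below writes each event to several sinks under one correlation identifier and scrubs sensitive material before it is stored. The sink class, the field names, the set of redacted keys and the sample event are all assumptions made for the example; the page only states that events are correlated by a rayID and sanitized. Credential-like keys are redacted wherever they appear in the nested payload, and email addresses and bearer tokens are scrubbed from free text, while structured audit fields such as the client IP (which the page lists as stored for audit) are kept.

```python
import json
import re
import secrets
from typing import Any, Dict, List

# Assumed set of keys whose values are never written to an audit log.
SENSITIVE_KEYS = {"password", "token", "authorization", "secret", "cookie"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BEARER_RE = re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]+")


def new_ray_id() -> str:
    """Correlation identifier attached to every event of one request."""
    return secrets.token_hex(8)


def sanitize(value: Any) -> Any:
    """Recursively redact sensitive keys and scrub free text; non-sensitive structure is preserved."""
    if isinstance(value, dict):
        return {k: ("[redacted]" if k.lower() in SENSITIVE_KEYS else sanitize(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize(v) for v in value]
    if isinstance(value, str):
        value = BEARER_RE.sub("bearer [redacted]", value)
        return EMAIL_RE.sub("[email]", value)
    return value


class AuditSink:
    """Constructed in-memory sink standing in for one of the separate storage locations."""

    def __init__(self) -> None:
        self.events: List[str] = []

    def write(self, event: Dict[str, Any]) -> None:
        self.events.append(json.dumps(event, sort_keys=True))


def audit(ray_id: str, action: str, actor: str, details: Dict[str, Any],
          sinks: List[AuditSink]) -> Dict[str, Any]:
    """Build one sanitized event and fan it out to every sink; returns the stored event."""
    event = {"ray_id": ray_id, "action": action, "actor": actor, "details": sanitize(details)}
    for sink in sinks:
        sink.write(event)
    return event


def events_for(ray_id: str, sink: AuditSink) -> List[Dict[str, Any]]:
    """Pull every event of one request back out of a sink by its ray ID."""
    return [json.loads(e) for e in sink.events if json.loads(e)["ray_id"] == ray_id]


if __name__ == "__main__":
    # Constructed sample event: a login attempt that carried a password and an email in free text.
    sinks = [AuditSink(), AuditSink()]
    rid = new_ray_id()
    print(audit(rid, "login", "acc-cust-1",
                {"password": "hunter2", "note": "contact bob@example.com", "client_ip": "203.0.113.5"},
                sinks))
```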
Layered Isolation
Each service runs inside an unprivileged container. The container itself runs inside a Virtual Machine.
Systems are minimal and stripped of any unnecessary components. The operating system of choice is Debian.
Firewall rules filter both internal and external communications using a whitelist approach, limiting the attack surface to almost nothing.
The Hypervisors hosting the actual Honeypots are not clustered and are treated as untrusted systems by the heart of the platform, the Orchestrator. For us, an escape from a Honeypot VM is an interesting forensic exercise and case study, not a disaster. The infrastructure is designed to seamlessly handle a complete Hypervisor failure or compromise.
Business Continuity & Disaster Recovery
Our infrastructure and processes are designed to maintain service continuity and recover quickly in case of disaster.
They are built around a deployment automation approach and consist of multiple portable containers that can become fully operational in minutes, taking the place of broken or compromised ones.
We maintain playbooks to respond quickly and have predefined plans to react appropriately to different scenarios.
Third-party Security
We make extensive use of Open Source Software that powers the majority of the internet. We strictly rely on battle-tested solutions; no new or unproven software is allowed.
Suppliers are limited and carefully selected based on their track record and compliance with the highest standards (Hetzner, Stripe and Cloudflare).
We maintain an ongoing risk assessment and risk treatment program.
This process evaluates technical, operational and organizational risks and ensures that appropriate controls are implemented and maintained.
Risks are reviewed at planned intervals and whenever significant changes occur in the infrastructure or operating environment.