
Security at Intreys

Network forensics tools handle some of the most sensitive data on a customer's network. We design Intreys assuming that data must never leave the customer's machine without their explicit action.

Our security principles

  • Offline by default. PCAPs, captures, alerts, and analysis results are processed locally. Nothing about your traffic leaves your machine unless you explicitly enable an online enrichment provider with your own API key.
  • Local AI by default. The AI assistant uses a local llama.cpp or MLX model on your hardware. Cloud AI providers (Claude, OpenAI, Grok, Azure) are opt-in and gated by an in-app privacy filter.
  • Signed binaries on every platform. macOS builds are notarized through Apple's Developer ID program. Windows builds are signed via Azure Trusted Signing. Linux packages are GPG-signed. Docker images are signed with Sigstore/cosign.
  • Defense in depth, not one big lock. PBKDF2-SHA256 (600 000 iterations) for password hashing, Fernet encryption for local secrets, Ed25519 signatures for license tokens, TLS 1.3 for transport.
  • Independent review. Every release is gated by an adversarial review pass; findings are tracked in our public changelog.

Architecture overview

Desktop application

Native desktop shell with a compiled Python core shipped as a signed binary — source is not distributed. Authentication uses HMAC-SHA256 session tokens with a 24-hour expiry and a persistent revocation blacklist.

License service

Cloudflare Worker at license.intreys.com. Ed25519-signed license tokens. Stripe handles all payment processing. We never see card numbers.

Local data

SQLite databases for accounts, audit, and SSO config. WAL mode + busy timeout. Application data lives under your OS data directory and is encrypted where supported.

Capture data

PCAPs and live captures stay on your filesystem. We do not upload, mirror, or transit them through Intreys infrastructure under any circumstances.

Cryptography summary

| Use case | Algorithm |
|---|---|
| Password storage | PBKDF2-HMAC-SHA256, 600 000 iterations, per-user salt |
| Local secret encryption | Fernet (AES-128-CBC + HMAC-SHA256) |
| Session tokens | HMAC-SHA256, 24h expiry, persistent blacklist |
| License tokens | Ed25519 signature over JSON payload |
| OIDC ID tokens | RS256/RS384/RS512 verified against IdP JWKS, with PKCE on the authorization code flow |
| Transport | TLS 1.3 |
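
One way to implement the session-token scheme listed above (HMAC-SHA256, 24-hour expiry, persistent revocation blacklist in SQLite with WAL and a busy timeout). This is an added example, not Intreys code: the token layout, claim names, table name and function names are assumptions.

```python
import base64, hashlib, hmac, json, sqlite3

TTL_SECONDS = 24 * 60 * 60  # 24-hour expiry, as stated on the page

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _mac(key: bytes, body: str) -> bytes:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest()).encode()

def open_blacklist(path: str) -> sqlite3.Connection:
    """Revocation list that survives restarts (table name is an assumption)."""
    db = sqlite3.connect(path)
    db.execute("PRAGMA journal_mode=WAL")
    db.execute("PRAGMA busy_timeout=5000")
    db.execute("CREATE TABLE IF NOT EXISTS revoked (jti TEXT PRIMARY KEY, exp INTEGER)")
    return db

def issue(key: bytes, user: str, jti: str, now: int) -> str:
    # jti is the per-session id; generate it with secrets.token_urlsafe() in real use.
    claims = {"sub": user, "jti": jti, "exp": now + TTL_SECONDS}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _mac(key, body).decode()

def revoke(db: sqlite3.Connection, claims: dict) -> None:
    # Keep exp so rows can be pruned once the token would have expired anyway.
    db.execute("INSERT OR IGNORE INTO revoked VALUES (?, ?)", (claims["jti"], claims["exp"]))
    db.commit()

def verify(key: bytes, db: sqlite3.Connection, token: str, now: int):
    """Return the claims, or None on any failure (fail closed)."""
    try:
        body, tag = token.split(".")
        # Check the MAC in constant time before parsing anything in the body.
        if not hmac.compare_digest(_mac(key, body), tag.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:  # wrong part count, bad base64, bad JSON
        return None
    if now >= claims["exp"]:
        return None
    hit = db.execute("SELECT 1 FROM revoked WHERE jti = ?", (claims["jti"],)).fetchone()
    return None if hit else claims
```

The expiry bounds how long a stolen token is useful; the blacklist covers logout and forced revocation inside that window, and storing it on disk keeps a revoked token rejected after the application restarts.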

Reporting a vulnerability

Contact: [email protected]

For coordinated disclosure timelines, scope, safe-harbor language, and acknowledgments, see our Vulnerability Disclosure Policy. Machine-readable contact details are published at /.well-known/security.txt per RFC 9116.

Code signing & supply chain

  • macOS: Apple Developer ID code signing + notarization. Gatekeeper accepts signed builds without a right-click bypass.
  • Windows: Azure Trusted Signing certificate. SmartScreen reputation accrues on the publisher identity, not per-binary.
  • Linux: GPG-signed .deb and .rpm packages. Public key published at /.well-known/intreys-release.asc (forthcoming).
  • Docker: Images signed with Sigstore/cosign and pushed to ghcr.io/intreys/intreys. Verifiable via cosign verify.
  • Auto-updates: Update binaries are signed with the same Ed25519 key chain as licenses; a missing or invalid signature aborts the update (fail-closed).

What we do not do

  • We do not collect, transmit, or back up customer PCAPs or capture data.
  • We do not act as an intermediary for third-party threat-intel APIs (AbuseIPDB, VirusTotal, etc.); those calls go directly from your machine using your own API keys.
  • We do not store credit card numbers; Stripe handles all PCI scope.
  • We do not allow arbitrary plugin loading in v1.0; the plugin system is gated behind an opt-in environment flag while we build out signing and a sandbox.

Compliance & assurance roadmap

Intreys™ is a v1.0 launch. We are committed to publishing the following over the next four quarters:

  • External penetration test report (Q3 2026)
  • SOC 2 Type I readiness (Q4 2026)
  • SOC 2 Type II observation period (2027)
  • SBOM published with each release (CycloneDX)

Questions?

Anything not covered here? Email [email protected] for security-specific questions, or [email protected] for general help.

© 2026 CyberShelt LLC. Intreys™ — Look deeper. Find everything.
