Carapace
Security Model

Defense in Depth

Six layers of protection from network edge to audit trail. Hardware-enforced, cryptographically verifiable, independently auditable.

6 Defense Layers · AMD SEV-SNP · 100% Actions Receipted

Defense Layers

Security is not a single feature — it's layers working together. Each layer addresses different threat vectors, so even if one is bypassed, others remain.

LAYER 0

Network Isolation

Air-gapped from the public internet

  • No public IP addresses on confidential VMs
  • Private VNet with strict NSG rules
  • Egress allowlist — only approved endpoints

LAYER 1

TEE Isolation

Hardware-enforced memory encryption

  • AMD SEV-SNP hardware security processor
  • AES-128 memory encryption (keys in CPU)
  • Attestation signed by AMD hardware root key
  • Azure operators cannot access VM memory

LAYER 2

Credential Isolation

Credentials never leave the enclave

  • Azure Key Vault with Secure Key Release
  • Credentials only decrypt inside attested VMs
  • Agent never sees raw tokens
  • Credential broker mediates all access

LAYER 3

Policy Enforcement

Every action validated before execution

  • Plain-English policies compiled to rules
  • Pre-execution validation on all actions
  • Policy denials logged for review
  • Rate limits and capability grants

LAYER 4

Behavioral Monitoring

Anomaly detection and circuit breakers

  • Baseline behavior profiling
  • Automatic alerts at 3x baseline
  • Circuit breakers at 10x baseline
  • Real-time action monitoring

LAYER 5

Audit Trail

Cryptographically signed, tamper-evident

  • Ed25519 signed action receipts
  • Merkle tree chain integrity
  • Append-only log storage
  • Exportable for independent verification

Don't Trust, Verify

Every Carapace enclave produces an attestation report signed by AMD's hardware root key. You can independently verify that your agent runs in a genuine, unmodified secure environment.

1. CVM requests report from /dev/sev-guest

2. AMD PSP signs measurement with hardware key

3. Azure Attestation (MAA) validates signature

4. Key Vault releases credentials only if measurement matches

5. You can verify the chain against AMD's public root

Perception Attack Defenses

Even with TEE isolation, attackers who gain a foothold in the communication path could manipulate what you see. We defend against this with cryptographic receipts and out-of-band verification.
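As an added example (not Carapace's own code), here is how a chain of signed action receipts of the kind described under Layer 5 and in the perception-attack note above can be checked independently: each receipt is hashed together with its predecessor's hash and signed with Ed25519, and a verifier holding only the enclave's public key replays the chain to find the first edited, removed or forged entry. The receipt layout, field names and sample actions are assumptions constructed for this example; it uses a plain hash chain rather than a Merkle tree, so batch inclusion proofs are not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Receipt is one signed action record; each entry commits to the previous one's hash.
// The layout is an assumption for this example, not Carapace's actual receipt format.
type Receipt struct {
	Action   string
	PrevHash [32]byte // hash of the preceding receipt; all zeros for the first entry
	Hash     [32]byte // SHA-256 over PrevHash || Action
	Sig      []byte   // Ed25519 signature over Hash by the enclave's signing key
}

// GenerateKeys stands in for the enclave's signing key pair (constructed for this example).
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// AppendReceipt links a new action to the current chain head and signs it.
func AppendReceipt(log []Receipt, action string, priv ed25519.PrivateKey) []Receipt {
	var prev [32]byte
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
	}
	h := sha256.Sum256(append(prev[:], action...))
	return append(log, Receipt{Action: action, PrevHash: prev, Hash: h, Sig: ed25519.Sign(priv, h[:])})
}

// VerifyLog replays the chain with only the public key: it returns the index of
// the first bad receipt and false, or len(log) and true when every entry holds.
// An edit breaks the stored hash, a deletion breaks the next PrevHash link, and
// re-hashing after an edit still fails because the signature cannot be recomputed.
func VerifyLog(log []Receipt, pub ed25519.PublicKey) (int, bool) {
	var prev [32]byte
	for i, r := range log {
		if r.PrevHash != prev || sha256.Sum256(append(prev[:], r.Action...)) != r.Hash || !ed25519.Verify(pub, r.Hash[:], r.Sig) {
			return i, false
		}
		prev = r.Hash
	}
	return len(log), true
}
```

A verifier outside the enclave only needs the exported receipts and the enclave's public key, which is what makes the trail independently auditable.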

What Makes Us Different

Other platforms trust their hypervisor. We don't ask you to trust anyone — we give you the tools to verify.

Hardware-Rooted Trust

AMD SEV-SNP provides hardware-enforced security. Unlike hypervisor-based solutions, even the cloud provider cannot access your enclave memory. Verify against AMD's public root of trust.

Zero Credential Exposure

Your agent never sees raw credentials. The credential broker inside the enclave uses tokens on the agent's behalf. If the agent code is compromised, attackers still can't exfiltrate secrets.

No Temp Files

Credentials and sensitive data live only in memory and never touch disk. OAuth flows, device linking URIs, API keys — all memory-only with automatic cleanup. No artifacts left behind.

Ready to secure your agents?

Deploy with hardware-backed security in minutes. No infrastructure expertise required.