Security

How MANTIS protects your data and your cloud environment.

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • Read-only cloud access
  • No data exfiltration

Encryption

All data stored in MANTIS databases is encrypted at rest using AES-256. This includes scan results, security findings, resource inventories, and all account data.

All data transmitted between your browser, the MANTIS CLI, and our API is protected by TLS 1.3. We enforce HTTPS everywhere and use HSTS headers to prevent downgrade attacks.

Cloud credentials (IAM keys, service account JSON files, role ARNs) are encrypted using Fernet symmetric encryption with PBKDF2-HMAC-SHA256 key derivation. The encryption key is derived from a secret stored separately from the encrypted credential data. Credentials are decrypted in memory only at scan time and never logged or written to disk in plaintext.
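As an added illustration (not MANTIS's own code), the following Python sketch shows the credential-protection pattern described above: a Fernet key derived with PBKDF2-HMAC-SHA256 from a secret held outside the database, a per-credential random salt stored beside the ciphertext, and decryption only for the duration of the scan call. The iteration count, the record field names and the `scan` callback are assumptions; the `cryptography` package is required.

```python
import base64
import hashlib
import json
import os

from cryptography.fernet import Fernet, InvalidToken

# Assumed iteration count; the page does not state the value MANTIS uses.
PBKDF2_ITERATIONS = 600_000


def derive_fernet_key(secret: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32 raw bytes -> url-safe base64, the form Fernet expects."""
    raw = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)
    return base64.urlsafe_b64encode(raw)


def encrypt_credential(secret: bytes, credential: dict) -> dict:
    """Return the record that goes to the database: salt + Fernet token, never the secret."""
    salt = os.urandom(16)  # fresh per credential, so equal keys never share a derived key
    token = Fernet(derive_fernet_key(secret, salt)).encrypt(json.dumps(credential).encode())
    return {"salt": base64.b64encode(salt).decode(), "token": token.decode()}


def decrypt_credential(secret: bytes, record: dict) -> dict:
    """Rebuild the key from the separately stored secret and the record's own salt."""
    salt = base64.b64decode(record["salt"])
    plaintext = Fernet(derive_fernet_key(secret, salt)).decrypt(record["token"].encode())
    return json.loads(plaintext)


def record_is_opaque_without_secret(record: dict, wrong_secret: bytes) -> bool:
    """A stolen database row plus a wrong/missing secret yields nothing: Fernet's HMAC rejects it."""
    try:
        decrypt_credential(wrong_secret, record)
        return False
    except InvalidToken:
        return True


def scan_with_credential(secret: bytes, record: dict, scan):
    """Decrypt only inside the scan call and drop the plaintext dict as soon as it returns."""
    credential = decrypt_credential(secret, record)
    try:
        return scan(credential)
    finally:
        del credential  # best effort: Python cannot guarantee the memory is wiped


if __name__ == "__main__":
    # Constructed sample values; not real keys.
    master = b"secret-from-kms-or-env"
    stored = encrypt_credential(master, {"aws_access_key_id": "AKIAEXAMPLE", "aws_secret_access_key": "x"})
    print(scan_with_credential(master, stored, lambda c: sorted(c)))
```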

Read-Only Cloud Access

MANTIS scanners operate with strictly read-only access to your cloud environments. Our IAM policies use AWS's ReadOnlyAccess, GCP's roles/viewer, and equivalent read-only roles on Azure and Kubernetes.

Our scanner code does not call any write, create, update, or delete APIs. The permissions we request are the minimum required to enumerate resources and read their configurations. We publish our exact IAM policy requirements in the docs.

You can revoke MANTIS's access at any time by deleting the IAM role or access key. Scan results already stored in MANTIS are retained per your data retention settings.

Infrastructure Security

MANTIS infrastructure runs on AWS in isolated VPCs with strict security group rules. Production databases are not publicly accessible. All administrative access to production systems requires MFA and is logged.

  • Production environment isolated from development and staging environments.
  • Database credentials rotated regularly; never hardcoded in application code.
  • Dependency vulnerability scanning on every build via automated CI/CD checks.
  • Intrusion detection monitoring on all production hosts.
  • Automated backups with point-in-time recovery, tested quarterly.

Access Control

Customer data is isolated by account using row-level security in the database. API authentication uses short-lived JWT tokens and long-lived API keys; both are scoped to a single account and cannot access other customers' data.

Internal access to customer data by MANTIS employees requires a documented support ticket and approval from a second engineer, and every such access is fully logged. We maintain a complete audit trail of all internal data access events.

SOC 2 Compliance

SOC 2 Type II audit is in progress. We are currently implementing controls and expect to complete our first audit in Q3 2026. Enterprise customers may request our current security questionnaire and control documentation.

We follow SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality. Our security program includes annual penetration testing, continuous monitoring, incident response procedures, and employee security training.

Responsible Disclosure

We take security seriously and welcome responsible disclosure of vulnerabilities in MANTIS. If you discover a security issue, please follow these guidelines:

  • Email your findings to security@mantis.dev.
  • Include a clear description, steps to reproduce, and potential impact.
  • Do not access or modify customer data during your research.
  • Do not disclose the vulnerability publicly until we have addressed it.

We will acknowledge your report within 24 hours, provide an initial assessment within 72 hours, and keep you informed throughout the remediation process. We target 30 days for critical vulnerabilities and 90 days for lower-severity issues.

We will not pursue legal action against researchers acting in good faith under these guidelines. We publicly credit researchers who report valid vulnerabilities (with their permission).

Security Contact

Security Team

security@mantis.dev

PGP key available on request. We respond within 24 hours.