| id | security |
|---|---|
| title | Security and Deployment |
| sidebar_position | 11 |
AdversaryGraph is self-hosted. Report content is sent only to the LLM provider configured by the operator. For fully private analysis, use a local or private LLM gateway. Reports, IOCs, feed records, enrichment state, and analyses may be stored in PostgreSQL.
Trusted-header authentication and admin, analyst, and viewer roles are supported when AUTH_ENABLED=true, but they depend on a correctly configured authenticating reverse proxy. Never expose trusted identity headers directly to clients.
- Store provider keys in
.envenvironment variables and never commit.env. - Restrict provider keys where possible and rotate exposed credentials.
- Protect the API and database; keys do not make an internet-facing deployment safe.
- Put the service behind VPN, SSO, OAuth proxy, or an access-controlled reverse proxy.
- Enable
AUTH_ENABLED=trueand configure trusted identity headers correctly. - Use TLS and strong secrets.
- Do not expose PostgreSQL publicly.
- Do not expose the API directly without authentication.
- Restrict CORS and network access.
- Limit upload size and configure retention.
- Back up PostgreSQL and test restore procedures.
- Review application, proxy, and provider logs.
- Rotate LLM API keys.
AdversaryGraph is suitable for local labs, private analyst workstations, internal CTI workflows, and controlled self-hosted deployments. Internet-facing deployments require additional access control and hardening.
Attack Simulation is for authorized lab validation only. Real telemetry comes from approved lab fixtures in the self-hosted Docker deployment. AI-generated telemetry is synthetic source-shaped data for SIEM parser, rule, and correlation exercises; it is not proof of exploit execution or production detection coverage.
Do not point simulations or SIEM forwarding at unauthorized systems. Store SIEM collector URLs only when they are approved for the lab, and keep bearer tokens, passwords, and custom header values out of screenshots and commits.
Use the authenticated Observability dashboard to review API health, request traces, route counters, latency, redacted log tails, and Prometheus metrics. Keep this dashboard behind the same access controls as the rest of the platform because operational metadata can still be sensitive.
The full scan and validation workflow is documented in Observability, Security Scanning, And Validation Examples.