Security at DrillsForge

How we protect your exercise data, tenant isolation, and platform integrity.

Encrypted at Rest Encrypted in Transit Tenant Isolation Local AI Processing RBAC Enforced

1. Tenant Isolation

DrillsForge is a multi-tenant platform where each customer organization operates in a completely isolated workspace. Tenant isolation is enforced at every layer:

Database-Level Isolation — All queries are scoped by organization ID. There is no shared data between tenants. Cross-tenant data access is architecturally impossible through the application layer.
Subdomain Routing — Each workspace is accessed via a dedicated subdomain (e.g., acme-cyber.drillsforge.com). The tenant is resolved from the subdomain before any data is accessed.
Session Scoping — User sessions are bound to a specific organization. Authentication tokens cannot be used across workspaces.

2. Authentication & Access Control

Password Security — All passwords are hashed using bcrypt with a cost factor of 10. Plaintext passwords are never stored or logged.
Role-Based Access Control (RBAC) — Each user is assigned one of four roles: Admin, Facilitator, Player, or Observer. Permissions are enforced server-side on every API call.
SSO Integration — Enterprise workspaces can configure SAML-based Single Sign-On, delegating authentication to their identity provider (e.g., Okta, Azure AD, Google Workspace).
CSRF Protection — All state-changing operations are protected against cross-site request forgery attacks using per-session tokens.
Session Management — Sessions expire after a configurable period of inactivity. Admins can revoke sessions for any user in their workspace.

3. Data Encryption

In Transit

All connections to DrillsForge are encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. API endpoints enforce HTTPS-only access.

At Rest

Database storage is encrypted at rest using AES-256 encryption. Backups are encrypted using the same standard before being written to storage.

4. AI & Language Model Security

DrillsForge uses AI to generate reactive injects and after-action report narratives. Our approach to AI is designed with data privacy as the top priority:

Local Model Execution — The language model runs locally on DrillsForge infrastructure. No customer data — exercise content, player decisions, scenario details, or organizational information — is ever sent to third-party AI services (OpenAI, Anthropic, Google, etc.).
No Training on Customer Data — Customer exercise data is never used to train, fine-tune, or improve the language model. The model is a pre-trained, read-only deployment.
Scoped Context — AI prompts contain only the minimum scenario context required to generate a relevant inject or narrative. No cross-tenant data is included in any prompt.
Human Oversight — AI-generated content (reactive injects) is always presented to the Facilitator for review before being delivered to participants. AI never makes autonomous decisions about exercise state or scoring.

5. Infrastructure Security

Container Isolation — Application services run in isolated containers with minimal attack surface. Each service (web, database, AI) operates in its own container with restricted network access.
Security Headers — All responses include strict security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, X-XSS-Protection.
Input Validation — All user input is validated, sanitized, and parameterized. Database queries use prepared statements exclusively — no dynamic SQL construction.
File Access Controls — Sensitive files (SQL migrations, configuration, logs, shell scripts) are blocked from web access at the Apache level.
Dependency Management — Platform dependencies are reviewed and updated regularly to address known vulnerabilities.

6. Data Retention & Deletion

Active Workspaces — Exercise data is retained for the duration of the subscription. Organizations retain full ownership of their data at all times.
Cancelled Subscriptions — After a subscription ends, workspace data is retained for 30 days to allow for reactivation or export. After 30 days, all data is permanently deleted.
Data Export — Workspace administrators can export their exercise data (sessions, scores, after-action reports) at any time through the platform.
Right to Deletion — Customers may request complete deletion of their workspace and all associated data by contacting support. Deletion requests are processed within 5 business days.

7. Incident Response

In the event of a security incident affecting customer data, DrillsForge commits to:

Notifying affected customers within 72 hours of confirmed unauthorized access.
Providing a detailed incident report including scope, root cause, and remediation steps.
Cooperating with customer security teams during investigation.
Implementing preventive measures to address the root cause.

8. Responsible Disclosure

If you discover a security vulnerability in DrillsForge, we ask that you disclose it responsibly:

Email: security@drillsforge.com
Include a detailed description of the vulnerability and steps to reproduce.
Allow reasonable time for us to investigate and address the issue before public disclosure.
Do not access, modify, or delete data belonging to other customers.

We appreciate the security research community and will acknowledge researchers who report valid vulnerabilities (with their permission).

9. Compliance

DrillsForge is designed to support organizations subject to regulatory requirements:

NIST Cybersecurity Framework — Exercise programs map to the Identify, Protect, Detect, Respond, and Recover functions.
CISA Tabletop Exercise Packages (CTEPs) — Platform scenarios align with CISA exercise frameworks and methodologies.
HIPAA / PCI-DSS / SOX — Organizations in regulated industries can use DrillsForge to satisfy exercise and training requirements mandated by these frameworks.

10. Questions

For security questions, vulnerability reports, or to request our security documentation:

Security Team: security@drillsforge.com
General Support: support@drillsforge.com
Full Security Documentation: Available upon request — our comprehensive SECURITY.md covers authentication, RBAC, tenant isolation, AI security, infrastructure hardening, audit logging, and more.