Security & Trust

Security is the product.

Webatrisk is an isolation product. Here is an honest summary of our architecture, threat model, and where we stand on certifications.

Isolation
Firecracker microVMs

One microVM per user per session. Kernel-level isolation, same boundary used by AWS Lambda for untrusted code.

Retention
Zero session data

No cache, cookies, or history persisted after session end. microVM disk is destroyed, not reused.

Crypto
TLS 1.3, PQC-ready

All transport uses TLS 1.3. We support hybrid post-quantum key exchange (X25519 + ML-KEM-768) for enterprise tenants.

1. Threat model

Webatrisk is designed to neutralise the following classes of threat:

  • Drive-by browser exploits (zero-days in the user's browser). Mitigated because the user's browser never executes the target site's code.
  • Malicious JavaScript (crypto-miners, keyloggers). Executed inside the microVM; destroyed at session end.
  • Phishing / credential-harvesting pages. AI URL pre-check and optional policy-based block-listing.
  • Cookie theft / session hijacking. Cookies live inside the microVM; never synced to the user device.
  • Tracking pixels & fingerprinting. Blocked by the isolation proxy layer.

2. What we do not protect against (honest disclosure)

  • Compromised user devices already running malware before the session starts.
  • Users voluntarily submitting credentials to phishing sites (we reduce this risk with AI pre-check, but cannot eliminate user decisions).
  • Data exfiltration via screenshots of the viewer on the user device (this is fundamental to RBI and is handled with session recording / DLP integrations in Enterprise).

3. Architecture

  • Session orchestrator — authorises and places sessions on the warm pool. Scoped API keys per tenant.
  • Warm pool — pre-booted Firecracker microVMs, snapshot-based, ready to accept a navigation in under a second.
  • Isolation proxy — strips tracking, rewrites URLs, blocks known-bad destinations, streams sanitised DOM back to the viewer.
  • Viewer — iframe-embeddable, no plugin required, works in any modern browser.

4. Certifications

Webatrisk is a young product. We are honest about where we stand:

  • GDPR compliance program — in place.
  • ISO 27001 — in progress, targeting certification within 12 months.
  • SOC 2 Type II — in progress, targeting within 18 months.
  • HIPAA, PCI-DSS, NIS2, DORA — addressed through our parent compliance module for qualifying customers; contact sales.

5. Responsible disclosure

If you believe you have found a security vulnerability, please email [email protected]. We commit to acknowledge within 2 business days, keep you informed of progress, and publicly credit researchers (with permission) after a fix ships.

Please do not publicly disclose before we have had a reasonable opportunity to remediate (90 days, or sooner by agreement).

6. Contact

Security team: [email protected]
Questionnaires & RFPs: [email protected]