threaded.fyi / Security
S/01·Trust posture

Threaded ships software, not a service.
It runs in your cluster, under your perimeter.

The agent has shell access to a workspace. The workspace clones your repo. The preview URL fronts a real dev server. Each is a real attack surface, and each is engineered for it. The difference: it all runs inside your Kubernetes cluster, behind your VPC, audited by your tooling. This page describes how the software is built so that's a defensible posture.

01/Posture

Your audit boundary, not ours.

Threaded ships as software you install in your cluster. The deployment model itself does most of the compliance work — your existing SOC 2, ISO 27001, HIPAA, or FedRAMP boundary covers the install. We don't carry duplicate certifications because there's no Threaded-operated tenant for them to apply to. Here's the posture that matters.

The deployment
Self-hosted, no SaaS plane

The software is a Helm chart you install. There is no Threaded-operated tenant your data passes through.

● shipping
The architecture
Engineered to ISO 27001 controls

Designed against the ISO 27001:2022 control set so the install fits an existing ISMS without bespoke exceptions.

● aligned
Compatibility
HIPAA / FedRAMP-deployable

Runs inside HIPAA-eligible or FedRAMP-aligned clusters. The certification is yours; we don't break it.

● deployable
When it makes sense
SOC 2 · GDPR DPA

The self-hosted model doesn't need them — your audit covers the install. We'll pursue them when the customer mix and product shape call for it.

● tracked
02/Architecture

Per-thread isolation, all the way down.

A thread is a sandbox running inside your cluster. The agent operates inside that sandbox, with no read path to other threads, other teams, or the host. Compromising one workspace pod does not compromise anything else — and the blast radius is bounded by your cluster, not ours.

Isolation
One Kubernetes pod per thread, in your cluster. gVisor sandbox, seccomp profiles, no privileged mode, no host network. Workspaces cannot reach each other or the cluster's control plane.
Encryption
TLS 1.3 in transit. AES-256 at rest. Storage encryption uses your own key management service — AWS KMS, Google Cloud KMS, or HashiCorp Vault Transit. We never hold the key.
Auth
SAML SSO + SCIM provisioning. Plug into your IdP — Okta, Azure AD, Google Workspace, JumpCloud. MFA enforcement is yours to mandate.
Secrets
Mounted from your secret manager. Vault, 1Password, Doppler, AWS Secrets Manager, External Secrets Operator. Never read by the agent. Never logged.
Egress
Allowlist enforced per workspace. Default-deny on outbound network. The agent's only required egress is your model provider; everything else is opt-in. Air-gapped installs supported.
Audit log
Every action, signed and append-only. Agent runs, human edits, permission changes, exports. Streamable to your SIEM via webhook — Splunk, Datadog, Panther, Elastic.
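The Isolation and Egress rows above state a posture, not a manifest. What follows is an added illustration of that posture expressed as Kubernetes objects, written for this page; it is not Threaded's Helm chart or any of Threaded's own configuration. The namespace, the pod labels, the image reference, the kube-dns selector and the provider CIDR (203.0.113.0/24, a documentation range) are placeholders, and the runAsNonRoot, read-only root filesystem, capability drop and service-account-token settings are standard hardening added here beyond what the page lists.

```yaml
# Added illustration, not Threaded's chart. Namespace, labels, image and CIDR are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: workspace-thread-example
  namespace: threaded-workspaces              # placeholder namespace
  labels:
    app: threaded-workspace                   # placeholder label the NetworkPolicy below selects on
    threaded.fyi/thread: example              # placeholder: one pod per thread
spec:
  runtimeClassName: gvisor                    # requires a RuntimeClass whose handler is runsc
  hostNetwork: false                          # "no host network"
  hostPID: false
  hostIPC: false
  automountServiceAccountToken: false         # no token in the pod, so no credential for the API server
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault                    # "seccomp profiles"; swap for Localhost to pin your own
  containers:
    - name: agent
      image: example.invalid/threaded/workspace:placeholder   # placeholder image reference
      securityContext:
        privileged: false                     # "no privileged mode"
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true          # only the mounted workspace is writable
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: repo
          mountPath: /workspace               # the cloned repo lives here, scoped to this thread
  volumes:
    - name: repo
      emptyDir: {}
---
# Default-deny in both directions for every workspace pod, then allowlist egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: workspace-default-deny
  namespace: threaded-workspaces
spec:
  podSelector:
    matchLabels:
      app: threaded-workspace
  policyTypes: ["Ingress", "Egress"]
  # No ingress rules at all: nothing, including other workspaces, can connect in.
  egress:
    # Cluster DNS only. The k8s-app=kube-dns label is what most CoreDNS deployments carry; verify yours.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The model provider. Placeholder CIDR: a plain NetworkPolicy matches IP ranges, not hostnames.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 443
```

Three things to check when adapting this. First, a NetworkPolicy is only enforced if your CNI implements it; on a CNI that ignores the resource, "default-deny" is a no-op. Second, `ipBlock` is address-based, and a model provider's hostnames resolve to many changing addresses, so a hostname allowlist needs either a CNI with DNS-aware egress rules (for example Cilium's `toFQDNs`) or an egress proxy that the pod can reach and that enforces the allowlist itself. Third, anything mounted into this pod is readable by a process with shell access in it, so secrets that the thread does not need should be mounted elsewhere, not here.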
03/The agent boundary

What the agent can and cannot do.

The agent runs inside the workspace pod — a pod inside your cluster. It has shell access scoped to the workspace, file access scoped to the cloned repo, and network egress scoped to your allowlist.

It does not have access to your other repos, your other threads, or any account-level credentials. It cannot push to main. It cannot delete branches outside its thread. It cannot reach the Threaded control plane, because for self-hosted installs there isn't one.

04/Reporting issues

Email us. We'll listen.

We don't have a paid bounty program yet — we're too early. We do read and respond to every report. Safe harbor for good-faith research is the standing policy.

Reach the team at security@threaded.fyi. We'll respond inside two business days, credit you in the changelog if you want, and ship a fix.

05/Practices

What we do, on every release.

A stamp on the wall isn't security. The discipline is in the daily build.

CVEs
Near-zero CVE policy. Critical and high-severity vulnerabilities in dependencies are patched within 48 hours of disclosure. Mediums within a sprint. The current count is published on each release.
Static analysis
Static code scanning on every PR. Semgrep, gitleaks, Trivy, and language-native linters block merges on findings. Custom rules for the agent harness and the workspace runtime.
Penetration testing
Regular external pentests. Third-party engagement against the agent boundary, the workspace pod, and the web client. Findings tracked in public-facing security advisories.
Supply chain
Signed releases, reproducible builds. Container images signed with cosign. SBOM published per release. Dependency updates land via Renovate with required manual review.
Threat model
Updated each release. Living document covering the agent's tool surface, the workspace sandbox, the GitHub App scopes, and the licensing channel. Available on request.
Architecture review

Walk through the architecture with us.

There is no audit report to send because there is no audit yet. What we can do is sit down with your security team, walk through the Helm chart, the agent boundary, and the threat model, and answer questions in detail.

security@threaded.fyi →