Security & Compliance
Built to pass your security review
SOC 2 Type II audited annually. ISO 27001:2022 certified. GDPR, CCPA, FERPA, and COPPA aligned. 8+ years in production with Microsoft and 500+ customers across six continents.
The procurement pack, with SOC 2 report, ISO certificate, DPA, and MSA template, ships under NDA, fast.

Compliance
Independently audited annually
SOC 2 Type II, ISO 27001:2022, GDPR, CCPA, FERPA, and COPPA. The certificates and reports behind each mark ship in the procurement pack.
- SOC 2 Type II: Independently audited annually
- ISO 27001:2022: Certified, with surveillance audits
- GDPR: EU data handling, documented in the DPA
- CCPA: California data handling
- FERPA: Education provisions in the DPA
- COPPA: K-12 safe

Architecture
Isolation, by architecture
- Tenant isolation: Every customer environment is isolated at the cloud-tenant level. Your labs, your data, your boundary.
- Per-lab networks: Each lab runs in its own VNET with NSG-controlled traffic. No cross-tenant lateral movement, by design, which matters when the lab content is itself offensive-security training.
- Ephemeral by default: Lab environments are torn down on schedule or idle timeout. Short-lived environments are small attack surfaces.
- Scoped credentials: Per-user, per-session credentials with budget caps. Nothing shared, nothing persistent beyond the lab.

Identity & access
Your identity provider, your access rules
- SSO everywhere: Entra ID, Google, Okta, and generic SAML 2.0 / OIDC.
- MFA on admin surfaces: Required, not optional, for administrative portals.
- Role-based access: Admins, instructors, learners, sponsors, and finance see only their surface. Roles map from your IdP.

What we hold, where, and on whose terms
Learner data is scoped, regional, and documented. The DPA spells out each piece.
Data processing agreement
Standard DPA covering learner data, with FERPA and COPPA provisions for education customers.
Regional awareness
GDPR for EU audiences, CCPA for California; data handling documented per region in the DPA.
Learner data minimization
Public event flows can run on registration forms without persistent accounts; what's collected is configurable per program.
Telemetry you control
What flows to your CRM or LMS is your configuration choice, documented per integration.
For your review team
The document pack, under NDA
Under NDA we provide: the current SOC 2 Type II report, ISO 27001:2022 certificate, DPA, MSA template, and architecture overview. Security questionnaires (SIG, CAIQ, or your own) are routine. Most reviews complete without a call, and we turn documents around quickly for active opportunities.

FAQs
Security review, answered
Send us the questionnaire
SOC 2 report, ISO certificate, DPA, and MSA template under NDA, with quick turnaround for active opportunities.