We take security seriously. Learn how we protect your data and maintain the integrity of our platform.
As a security company, we hold ourselves to the highest standards. We practice what we preach and continuously invest in protecting your data and our infrastructure. Security isn't just our product—it's our foundation.
All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 encryption.
Our infrastructure is hosted on SOC 2 Type II certified cloud providers with enterprise-grade security controls.
Row-level security ensures complete data isolation between customers. Your data is never accessible to other users.
Enterprise-grade DDoS mitigation protects our platform from volumetric and application-layer attacks.
Authentication uses email verification, bcrypt password hashing, and server-side session management. Role-based access control (RBAC) ensures users only access what they're authorized to.
All user inputs are validated and sanitized to prevent injection attacks. We use parameterized queries to protect against SQL injection and encode outputs to prevent XSS.
API endpoints are protected with rate limiting to prevent abuse and brute-force attacks. Suspicious activity triggers automatic temporary blocks.
Our scanning engine includes SSRF protections that prevent scanning of internal/private IP ranges, localhost, and other potentially malicious targets.
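A target check of the kind described above, added here as an illustration and not the platform's own code: it resolves the hostname, rejects any name or literal that maps to loopback, private, link-local, multicast or otherwise non-global space (including IPv4-mapped IPv6 forms), and returns pinned addresses so the scanner connects to what was validated rather than re-resolving. The resolver is injected so the function can be exercised offline; address classes follow Python's ipaddress module.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Resolver: hostname -> iterable of IP address strings. Injected so the check
# can be tested with a constructed table; the default uses the system resolver.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(hostname: str) -> list[str]:
    """Return every A/AAAA address the system resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for a globally routable unicast address.

    Rejects loopback, RFC 1918 / ULA, link-local (which covers cloud metadata
    endpoints such as 169.254.169.254), unspecified, reserved and multicast.
    An IPv4-mapped IPv6 address (::ffff:10.0.0.1) is unwrapped before the check.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_scan_target(hostname: str, resolver: Resolver = system_resolver) -> list[str]:
    """Validate a scan target and return the pinned addresses to connect to.

    Raises ValueError if the name is a loopback name, a non-public literal, or
    resolves to ANY non-public address (a name with one public and one private
    record is refused outright). Callers must connect to the returned addresses
    instead of resolving again, so a DNS answer that changes between the check
    and the connection (rebinding) cannot redirect the scan inward.
    """
    host = hostname.strip().rstrip(".").lower()
    if not host or host == "localhost" or host.endswith(".localhost"):
        raise ValueError(f"refusing to scan {hostname!r}: loopback name")
    try:
        candidates = [str(ipaddress.ip_address(host.strip("[]")))]  # IP literal
    except ValueError:
        candidates = list(resolver(host))
    if not candidates:
        raise ValueError(f"refusing to scan {hostname!r}: no addresses")
    for addr in candidates:
        if not is_public_address(addr):
            raise ValueError(f"refusing to scan {hostname!r}: {addr} is not public")
    return candidates
```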
All security-relevant actions are logged with timestamps, user identifiers, and IP addresses for forensic analysis and compliance requirements.
Our scans are passive and non-intrusive. We only analyze publicly accessible information and never attempt to exploit vulnerabilities or access protected resources.
You must verify domain ownership via DNS before scanning. This prevents unauthorized scanning of third-party websites and ensures ethical use of our platform.
Scans are designed to have minimal impact on your website's performance. We use polite crawling practices and respect robots.txt directives.
If you provide FTP/SFTP credentials for auto-fix features, they are encrypted at rest and only decrypted momentarily during the remediation process.
Our infrastructure meets SOC 2 Type II requirements for security, availability, and confidentiality.
We comply with GDPR requirements for data protection, including data minimization and right to deletion.
Our security checks align with OWASP Top 10 guidelines and best practices for web application security.
Our reports help you meet PCI-DSS requirements for maintaining secure web applications.
We value the security research community and encourage responsible disclosure of any vulnerabilities you may find in our platform.
If you discover a security issue, please email us at security@mbguards.com with details of the vulnerability. We commit to:
Please do not publicly disclose issues until we've had a chance to address them.
Our team is happy to discuss our security practices in more detail.