Security
Security
Last updated: 28 June 2026
We build cybersecurity research software — we hold ourselves to a high standard on evidence, access control, and responsible disclosure.
Product security model
- Self-hosted by default: Nexus runs on Thugir Node on your infrastructure. Scan data and findings remain under your control.
- Evidence gate: High and Critical severities require deterministic exploit proof enforced in code — not model confidence.
- Append-only audit log: Security actions on the platform are recorded and not silently deleted.
- Role-based access: RBAC with session tokens for dashboard and API access on Thugir Node.
- Scope enforcement: Authorized targets and approval gates before aggressive testing modes.
Website & communications
- TLS (HTTPS) enforced on thugirlabs.com
- Beta form submissions transmitted to Web3Forms over HTTPS
- No third-party advertising or tracking pixels on this marketing site
- Server logs retained up to 30 days for abuse prevention
AI & data use
Nexus routes frontier models (primarily Claude) through our Model Abstraction Layer for planning and analysis. We do not use your scan data to train public foundation models. Optional LoRA fine-tuning uses verified episodes on your deployment path when enabled.
Responsible disclosure
If you discover a vulnerability in Thugir Labs software or infrastructure, report it to [email protected] (or [email protected]). We aim to acknowledge within 48 hours, triage critical issues within 14 days, and will not pursue legal action against good-faith research that follows coordinated disclosure.
Incident response
If we become aware of a security incident affecting customer data we control, we will notify affected parties within 72 hours where required by law.