We hold ourselves to the standard we test you against.
Mara is purpose-built to break into systems — so the platform itself ships with defense in depth.
Hard scope enforcement
Every outbound request from the sandbox is checked against the verified scope. Out-of-scope requests are blocked at the egress proxy, which returns HTTP 451 and writes an audit-log entry.
Append-only audit log
Every prompt, tool call, response, and finding is recorded immutably with a monotonic per-scan sequence.
Just-in-time policy gate
policy_check(action, context) runs before every tool call. Denials are recorded; agents see them and adjust.
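The three runtime controls above (scope check at the egress proxy, append-only audit log with a monotonic per-scan sequence, policy gate before each tool call), as an added Python sketch that is not Mara's code. The scope format (hostnames and CIDRs), the `allowed_actions` context key, and the 200 status for the pass-through case are assumptions.

```python
import ipaddress
import itertools
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class AuditLog:
    """Append-only log: entries are only ever appended, each stamped with
    the next value of a per-scan monotonic sequence."""
    scan_id: str
    entries: list = field(default_factory=list)
    _seq: itertools.count = field(default_factory=itertools.count)

    def record(self, kind: str, **detail) -> int:
        seq = next(self._seq)
        self.entries.append({"scan": self.scan_id, "seq": seq, "kind": kind, **detail})
        return seq


def in_scope(target: str, scope: list[str]) -> bool:
    """Assumed scope format: exact hostnames plus CIDR blocks for IP targets."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return target in scope          # hostname: exact match only
    return any(addr in ipaddress.ip_network(cidr) for cidr in scope if "/" in cidr)


def egress_check(url: str, scope: list[str], log: AuditLog) -> int:
    """Emulates the egress proxy decision: 200 passes through, 451 blocks.
    Every decision is logged so denials are visible in the audit trail."""
    host = urlsplit(url).hostname or ""
    status = 200 if in_scope(host, scope) else 451
    log.record("egress", url=url, status=status)
    return status


def policy_check(action: str, context: dict, log: AuditLog) -> bool:
    """Runs before each tool call; denies actions not on the allow-list or
    aimed outside the verified scope, and records the verdict either way."""
    allowed = action in context.get("allowed_actions", set())
    ok = allowed and in_scope(context.get("target", ""), context["scope"])
    log.record("policy_check", action=action, target=context.get("target"), allowed=ok)
    return ok
```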
Customer-managed credentials
Optional authenticated scans use credentials stored in a customer-managed KMS. We never log secrets.
Single-tenant deployment
Enterprise customers run on a dedicated VPC with regional residency and customer-managed encryption keys.
Compliance
SOC 2 Type II in progress. ISO 27001 ready. Pen test reports available under NDA.