Exactly what leaves the box. No slogan. The line-by-line account.

SecDog’s whole reason to exist is that target data stays on your machine. That claim only means something if we’re specific about it — including the one place data genuinely does leave. Here is the honest accounting: what never leaves, what reaches the SecBlok control plane, and the single real egress path you control.

The boundary

Three zones, drawn honestly.

The architecture is a strict control-plane / data-plane split: the engine and all target traffic run on your machine; the cloud control plane carries account, license, and opt-in telemetry data only. The asterisk is the LLM — called out in full below.

Never leaves your machine

  • HTTP requests, responses, headers, bodies
  • Cookies, bearer tokens, session state
  • Target URLs and hostnames you probe
  • Anything exfiltrated by a confirmer (file reads, DB rows, env vars)
  • Proxy flows, replay chains, chat history
  • Findings, sealed evidence, oracle output

Reaches SecBlok (control plane)

  • Account email and password hash (Argon2id), MFA state
  • Subscription tier, license token, seat assignment
  • Machine fingerprint for seat binding
  • Update checks and signed update manifests
  • Crash / bug reports — client-redacted, and you can disable them
  • Usage telemetry — opt-in only, feature counters, never payloads

No target or scan data. Ever.

Reaches your LLM provider

  • Target hostname and port (needed to plan the attack)
  • Truncated response snippets that feed the reasoning loop
  • The payloads the model synthesizes

This is the one real egress path — and it’s the provider you choose. See “The honest caveat” below.

The honest caveat

A swappable cloud LLM is an egress path: to plan attacks it sees hostnames and truncated response snippets, and the provider logs those per its own policy. We will not pretend otherwise. Three ways to close it: route everything through your own egress proxy; bring a local / in-network model (BYO, fail-closed); or wait for the first-class no-egress mode on the roadmap below. Until then, if the provider seeing hostnames concerns you, use a local model.

Why “verified” is trustworthy

The sealed verified gate.

An LLM is persuasive but not trustworthy, so it can never mint a finding. In Rust, the confirmation evidence struct has private fields and no public constructor — it can be created solely by an oracle that observed a causal proof the model cannot author. Payloads supply form; oracles supply truth.

Response differential

A computed marker the payload never carried appears in the response.

resp contains 227*683 = 155041
→ a value only the target could compute

Out-of-band callback

A unique token lands on your collector for a blind vulnerability.

collector ← GET /a9f3e1c.oob
blind SSRF / RCE / XXE confirmed

In-browser execution

A real Chromium sets a nonce on window in a live DOM.

chromium → window.__sd === "nonce-7b21"

Deterministic re-mint

Retest replays the sealed chain through the same oracle — no model.

replay chain → oracle fires again
evidence re-minted — still live
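
The sealed-evidence pattern and the response-differential oracle described above, as an added Rust example that is not SecDog's own code. The names `oracle`, `Evidence`, `response_differential` and `mint_finding`, and the sample request and response strings, are assumptions made for illustration.

```rust
// Added illustration: all names here are hypothetical, not SecDog's own code.
mod oracle {
    /// Proof that an oracle observed a causal effect. Private fields and no
    /// public constructor: code outside this module cannot build one
    /// (`oracle::Evidence { .. }` elsewhere fails to compile, error E0451).
    #[derive(Debug)]
    pub struct Evidence {
        kind: &'static str,
        marker: String,
    }

    impl Evidence {
        pub fn kind(&self) -> &'static str { self.kind }
        pub fn marker(&self) -> &str { &self.marker }
    }

    /// True when `needle` occurs as a whole digit run, not inside a longer number.
    fn standalone(haystack: &str, needle: &str) -> bool {
        let b = haystack.as_bytes();
        haystack.match_indices(needle).any(|(i, _)| {
            let before = i > 0 && b[i - 1].is_ascii_digit();
            let after = b.get(i + needle.len()).map_or(false, |c| c.is_ascii_digit());
            !before && !after
        })
    }

    /// Response-differential oracle: mints evidence only when the response holds
    /// the product of `a` and `b` and the payload never carried that product.
    pub fn response_differential(a: u64, b: u64, payload: &str, response: &str) -> Option<Evidence> {
        let marker = a.checked_mul(b)?.to_string();
        if payload.contains(&marker) || !standalone(response, &marker) {
            return None; // a reflected or coincidental value proves nothing
        }
        Some(Evidence { kind: "response-differential", marker })
    }
}

/// A finding can only be built from sealed evidence, never from model text.
fn mint_finding(title: &str, proof: oracle::Evidence) -> String {
    format!("{} [{}: {}]", title, proof.kind(), proof.marker())
}

fn main() {
    // Constructed sample: the payload carries operands, the target computes the product.
    let hit = oracle::response_differential(227, 683, "q=227*683", "result: 155041");
    println!("{}", mint_finding("expression evaluated server-side", hit.unwrap()));
    // Constructed sample: the target only echoes the input back, so nothing is minted.
    assert!(oracle::response_differential(227, 683, "q=227*683", "you sent 227*683").is_none());
}
```

Because `mint_finding` takes an `Evidence` by value, text produced by a model has no route to a finding except through an oracle that returned `Some`.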

The deliberate wedge

Why local-first, not cloud.

Data sovereignty

You own the findings and the evidence. They never transit vendor infrastructure, which makes air-gapped and NDA-bound testing actually possible.

A smaller attack surface

There is no vendor cloud holding your target data to be breached. The operator is the gatekeeper, not us.

BYOK economics

You bring your own LLM key, so inference cost sits with you and the price stays low. We never store or proxy your key.

The trade-off, stated

You manage the machine, the LLM key, the egress proxy, and the scope. This is a tool, not a managed service — that is the point.

Authorized use only

It fires real exploits. The guardrails are real too.

Hard scope gate

An allowlist plus internal-range and metadata deny, enforced at the tool boundary. The engine refuses to fire outside the scope you imported.
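
One way such a gate can be built, as an added Rust example that is not SecDog's own code. The `Verdict` type, the function names, the choice that a deny rule overrides the allowlist, and the sample hostnames and addresses are all assumptions.

```rust
// Added illustration: names and policy details are assumptions, not SecDog's own code.
use std::net::{IpAddr, Ipv4Addr};

#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, NotInScope, InternalRange, MetadataService }

/// Classify one address the target host resolved to; None means not denied.
fn denied(ip: IpAddr) -> Option<Verdict> {
    let v4 = match ip {
        IpAddr::V4(a) => a,
        IpAddr::V6(a) => match a.to_ipv4_mapped() {
            Some(mapped) => mapped, // ::ffff:a.b.c.d is judged as a.b.c.d
            None => {
                let s0 = a.segments()[0];
                let internal = a.is_loopback() || a.is_unspecified()
                    || (s0 & 0xfe00) == 0xfc00  // fc00::/7 unique local
                    || (s0 & 0xffc0) == 0xfe80; // fe80::/10 link-local
                return if internal { Some(Verdict::InternalRange) } else { None };
            }
        },
    };
    if v4 == Ipv4Addr::new(169, 254, 169, 254) {
        return Some(Verdict::MetadataService); // link-local metadata address
    }
    if v4.is_loopback() || v4.is_private() || v4.is_link_local() || v4.is_unspecified() {
        return Some(Verdict::InternalRange);
    }
    None
}

/// Gate applied before any request is sent. `resolved` is every address the
/// host currently resolves to; one denied address blocks the whole request.
pub fn check_scope(allowlist: &[&str], host: &str, resolved: &[IpAddr]) -> Verdict {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    if !allowlist.iter().any(|h| h.eq_ignore_ascii_case(&host)) {
        return Verdict::NotInScope;
    }
    if resolved.is_empty() {
        return Verdict::NotInScope; // fail closed when nothing resolved
    }
    resolved.iter().find_map(|ip| denied(*ip)).unwrap_or(Verdict::Allow)
}

fn main() {
    // Constructed sample scope and addresses (documentation ranges).
    let scope = ["app.example.test"];
    let public: IpAddr = "203.0.113.10".parse().unwrap();
    let meta: IpAddr = "169.254.169.254".parse().unwrap();
    println!("{:?}", check_scope(&scope, "app.example.test", &[public]));
    println!("{:?}", check_scope(&scope, "app.example.test", &[public, meta]));
}
```

Checking the resolved addresses and not only the hostname means an allowlisted name that points at an internal or metadata address is still refused.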

Authorization warrant

The EULA requires per-target written authorization — a Rules-of-Engagement or scope document for every engagement. Your labs, or in-scope work only.

Prompt-injection provenance

Target output is labeled untrusted, so a hostile page cannot steer the agents into acting outside scope.

Audit log + embargo

Every run, finding, retest, and proxy flow is logged locally. The license carries export/ethical-use clauses and a hard destination embargo (Cuba, Iran, DPRK, Syria).

Roadmap

No-egress mode.

A first-class no-egress mode — local / in-network LLM support (e.g. Ollama and self-hosted inference endpoints), fail-closed — so the one remaining egress path can be closed entirely. We’ll update this page as it ships, and keep this account honest as the product changes.

Responsible disclosure

Found a flaw in SecDog?

Report it to security@secblok.io. We follow coordinated disclosure with a 90-day embargo before public detail. SecDog is offensive software; the scope gate, the audit log, and the authorization warrant exist to keep its use lawful and accountable.