
Security & IP Protection

The platform implements defense-in-depth against intellectual property leakage. A user with a proxy (Burp Suite, mitmproxy, Charles) or access to browser DevTools could otherwise reverse-engineer BeDefended's proprietary methodology, knowledge packs, and testing architecture.

This section documents every protection layer, the threat model behind it, and verification procedures.


Threat Model

An adversary (competitor, curious client, malicious pentester) can attempt to extract IP through three distinct channels:

```mermaid
graph LR
    subgraph "Channel 1: Frontend Code"
        DT["Browser DevTools"]
        JS["JS Bundle Analysis"]
    end

    subgraph "Channel 2: API Interception"
        BP["Burp Suite / Proxy"]
        WS["WebSocket Sniffing"]
    end

    subgraph "Channel 3: Binary RE"
        DA["Dart Decompilation"]
        ST["strings / objdump"]
    end

    DT --> |"Skill catalog<br/>Type definitions"| IP["IP Exposure"]
    JS --> |"React components<br/>Workflow logic"| IP
    BP --> |"context.json<br/>Runner output"| IP
    WS --> |"PTY stream<br/>AI reasoning"| IP
    DA --> |"HMAC keys<br/>API endpoints"| IP
    ST --> |"Hardcoded secrets<br/>Constant strings"| IP

    style IP fill:#b71c1c,color:#fff
    style DT fill:#e65100,color:#fff
    style JS fill:#e65100,color:#fff
    style BP fill:#bf360c,color:#fff
    style WS fill:#bf360c,color:#fff
    style DA fill:#4e342e,color:#fff
    style ST fill:#4e342e,color:#fff
```

Protection Layers

| Layer | Protects Against | Priority | Status |
|-------|------------------|----------|--------|
| Output Sanitization | Runner/terminal IP leakage via proxy | P1 | Implemented |
| WebSocket Authentication | Unauthenticated event sniffing | P1 | Implemented |
| API Response Hardening | context.json / finding data interception | P2 | Implemented |
| Frontend IP Protection | DevTools skill catalog extraction | P3 | Implemented |
| Desktop Binary Hardening | Dart decompilation / key extraction | P4 | Implemented |
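The output-sanitization layer is the one a proxy user hits first, so it is worth seeing the shape of such a filter. The following is an added example, not the platform's own sanitizer: the page says the real one uses 11 regex patterns but does not list them, so the rules below are constructed to cover the markers the verification checklist names (knowledge-*.md, SKILL.md, [AI-DECISION]) plus CLAUDE.md and a confidence score. The sample runner output is constructed as well. `leaks()` is the same check the checklist asks a reviewer to perform by hand on `/runner/sessions/{id}/output`.

```python
import re

# Constructed redaction rules (assumption: the platform's own 11 patterns are not
# on the page). Order matters: the [AI-DECISION] rule swallows the rest of its
# line, so any confidence score on that line is removed with it.
REDACTION_RULES = [
    (re.compile(r"\[AI-DECISION\].*"), "[REDACTED-AI-REASONING]"),
    (re.compile(r"knowledge-[\w.-]+\.md"), "[REDACTED-KNOWLEDGE-PACK]"),
    (re.compile(r"[\w./-]*SKILL\.md"), "[REDACTED-SKILL]"),      # also hides the skill's path
    (re.compile(r"[\w./-]*CLAUDE\.md"), "[REDACTED-CONFIG]"),
    (re.compile(r"confidence[=:]\s*\d+(?:\.\d+)?"), "confidence=[REDACTED]"),
]

# Markers the verification checklist says must never appear in sanitized output.
LEAK_MARKERS = {
    "knowledge-*.md": re.compile(r"knowledge-[\w.-]+\.md"),
    "SKILL.md": re.compile(r"SKILL\.md"),
    "[AI-DECISION]": re.compile(r"\[AI-DECISION\]"),
}


def sanitize_line(line: str) -> str:
    """Apply every redaction rule, in order, to one line of runner/terminal output."""
    for pattern, replacement in REDACTION_RULES:
        line = pattern.sub(replacement, line)
    return line


def sanitize_output(text: str) -> str:
    """Sanitize a multi-line chunk line by line (PTY streams arrive in chunks)."""
    return "\n".join(sanitize_line(line) for line in text.split("\n"))


def leaks(text: str) -> list:
    """Return the names of protected markers still present; an empty list means clean."""
    return [name for name, pattern in LEAK_MARKERS.items() if pattern.search(text)]


# Constructed sample of what an unsanitized runner session might emit.
SAMPLE_OUTPUT = """\
[12:00:01] Loading knowledge-sqli.md for phase test
[12:00:02] Reading skills/test-injection/SKILL.md
[12:00:03] [AI-DECISION] Targeting /api/login first (confidence: 0.82)
[12:00:04] Finding: SQL injection in /api/login (High)"""

if __name__ == "__main__":
    clean = sanitize_output(SAMPLE_OUTPUT)
    print(clean)
    print("leaks before:", leaks(SAMPLE_OUTPUT))   # all three markers
    print("leaks after: ", leaks(clean))           # []
```

The finding line on the last row survives untouched, which is the point of the design: the deliverable stays readable while every reference to the methodology that produced it is removed before the bytes reach the WebSocket.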

IP Theft Detection

Beyond preventing IP leakage, the platform includes a multi-layered system for detecting and tracing stolen intellectual property:

| Level | Type | Detection Method |
|-------|------|------------------|
| A — Canary Tokens | Active | HTTP callbacks from stolen knowledge packs |
| B + E — Watermarking | Passive | Steganographic fingerprints in reports and content |
| C — Build Fingerprints | Passive | Compile-time markers in JS, Flutter, and Docker |
| D — Honeypot Endpoints | Active | Fake API endpoints detect cloned architecture |

For complete details, see the IP Theft Detection Overview.


What Is Protected vs. What Is Not

Protected (never reaches the client)

  • Knowledge packs (knowledge-*.md) -- testing techniques, bypass payloads, vulnerability patterns
  • SKILL.md files -- detailed per-skill testing logic, AI decision points, step-by-step procedures
  • Hacker heuristics -- strategic thinking framework, crown jewel analysis, trust boundary mapping
  • Kill signals -- time-waste prevention rules, dead-end detection logic
  • Research escalation protocol -- mid-testing web search triggers and safety validation
  • Agent dispatch logic -- model routing tables, thinking budgets, wave scheduling
  • Boilerplate code -- shared initialization, stealth configuration, request signing
  • CLAUDE.md -- master configuration and methodology specification
  • AI reasoning -- [AI-DECISION] markers, confidence scores, attack path selection

Visible by design (required for UI functionality)

  • Phase status (recon/discover/scan/test/verify/report) -- progress indicators
  • Finding summaries (title, severity, CVSS, endpoint) -- the deliverable to clients
  • Tech stack (backend, frontend, WAF) -- displayed in engagement detail
  • Severity counts -- dashboard statistics
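The two lists above are effectively an allowlist, and an allowlist is how the role-based filter is best implemented: copy only the fields that are visible by design and let everything else fall away, rather than trying to enumerate every internal field to strip. The following is an added example, not the platform's own filter. It assumes the event and engagement field names shown (constructed), that the three roles are those in the architecture diagram, and that only the `skill` field is role-dependent, generic for viewers and raw for pentesters and admins, as the verification checklist describes.

```python
ROLES = ("viewer", "pentester", "admin")
GENERIC_SKILL_LABEL = "Security Testing"   # what the checklist expects a viewer to see

# Allowlists built from the "visible by design" list. Anything not named here
# (AI reasoning, dispatch data, the raw context.json) never reaches the client.
PUBLIC_EVENT_FIELDS = {"type", "phase", "status", "timestamp", "skill"}
PUBLIC_ENGAGEMENT_FIELDS = {"name", "phase", "tech_stack", "severity_counts"}
PUBLIC_FINDING_FIELDS = {"title", "severity", "cvss", "endpoint"}


def _check_role(role: str) -> None:
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")


def filter_timeline_event(event: dict, role: str) -> dict:
    """Project a backend timeline event onto the fields a client may see."""
    _check_role(role)
    out = {k: v for k, v in event.items() if k in PUBLIC_EVENT_FIELDS}
    if role == "viewer" and "skill" in out:
        out["skill"] = GENERIC_SKILL_LABEL   # hide the skill invocation from viewers
    return out


def filter_engagement(detail: dict, role: str) -> dict:
    """Project an engagement record; findings are reduced to their summary fields."""
    _check_role(role)
    out = {k: v for k, v in detail.items() if k in PUBLIC_ENGAGEMENT_FIELDS}
    out["findings"] = [
        {k: v for k, v in finding.items() if k in PUBLIC_FINDING_FIELDS}
        for finding in detail.get("findings", [])
    ]
    return out


# Constructed backend records; the internal fields stand in for data the page
# says must never reach the client.
SAMPLE_EVENT = {
    "type": "skill_started",
    "phase": "test",
    "status": "running",
    "timestamp": "2024-01-01T12:00:03Z",
    "skill": "test-injection --scope sqli",
    "reasoning": "[AI-DECISION] constructed reasoning text",
    "dispatch": {"model": "constructed", "thinking_budget": 1},
}
SAMPLE_ENGAGEMENT = {
    "name": "acme-web",
    "phase": "test",
    "tech_stack": {"backend": "Django", "frontend": "React", "waf": "Cloudflare"},
    "severity_counts": {"high": 1, "medium": 0, "low": 2},
    "findings": [{
        "title": "SQL injection in login",
        "severity": "High",
        "cvss": 8.1,
        "endpoint": "/api/login",
        "internal_notes": "constructed; must not reach the client",
    }],
    "raw": {"context": "contents of context.json (constructed)"},
}

if __name__ == "__main__":
    for role in ROLES:
        print(role, filter_timeline_event(SAMPLE_EVENT, role))
    print(filter_engagement(SAMPLE_ENGAGEMENT, "viewer"))
```

Because the filter is an allowlist, adding a new internal field to a backend record cannot leak it by accident; it only becomes visible when someone deliberately adds it to one of the `PUBLIC_*` sets, which is the review point you want.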

Architecture Overview

```mermaid
graph TB
    subgraph "Client Layer"
        Browser["Dashboard Browser"]
        Desktop["Desktop App"]
        ClientPortal["Client Portal"]
    end

    subgraph "Protection Layer"
        WSAuth["JWT WebSocket Auth"]
        Sanitizer["Output Sanitizer<br/>11 regex patterns"]
        SkillAPI["Skill Catalog API<br/>Authenticated endpoint"]
        RoleFilter["Role-Based Filtering<br/>viewer / pentester / admin"]
    end

    subgraph "Backend"
        Runner["Runner Service"]
        Terminal["Terminal PTY"]
        API["REST API"]
        WS["WebSocket Events"]
    end

    subgraph "Protected Assets"
        KP["Knowledge Packs"]
        Skills["SKILL.md Files"]
        Claude["CLAUDE.md"]
        Dispatch["Agent Dispatch"]
    end

    Browser --> WSAuth
    Desktop --> WSAuth
    ClientPortal --> WSAuth
    WSAuth --> Sanitizer
    Sanitizer --> Runner
    Sanitizer --> Terminal
    SkillAPI --> API
    RoleFilter --> API
    RoleFilter --> WS
    Runner -.->|"reads"| KP
    Runner -.->|"reads"| Skills
    Runner -.->|"reads"| Claude
    Runner -.->|"reads"| Dispatch

    style Sanitizer fill:#1b5e20,color:#fff
    style WSAuth fill:#1b5e20,color:#fff
    style SkillAPI fill:#1b5e20,color:#fff
    style RoleFilter fill:#1b5e20,color:#fff
    style KP fill:#4a148c,color:#fff
    style Skills fill:#4a148c,color:#fff
    style Claude fill:#4a148c,color:#fff
    style Dispatch fill:#4a148c,color:#fff
```

Verification Checklist

After deployment, verify all protections:

| Test | Expected Result |
|------|-----------------|
| Open DevTools on dashboard | JS bundle contains only the `/pentest` fallback, not the full skill catalog |
| Intercept `GET /engagements/{name}` with Burp | No `raw` field in response (context.json not exposed) |
| Intercept timeline events as viewer role | `skill` field shows "Security Testing", not "test-injection --scope sqli" |
| Intercept `GET /runner/sessions/{id}/output` | No references to knowledge-*.md, SKILL.md, or [AI-DECISION] |
| Connect to `ws://host/ws/{name}` without JWT | Connection refused (code 4001) |
| Connect to `ws://host/ws/client/{id}` without JWT | Connection refused (code 4001) |
| Run `strings` on desktop binary | No BD-APP-HMAC-KEY or plaintext secrets |
| Desktop app with Burp + custom CA | Connection rejected if certificate pins are populated |
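The two WebSocket rows of the checklist expect a refusal with close code 4001 for a missing token, but the same code should also cover a token that is expired, forged, or signed with `alg: none`, since a proxy user can produce all of those just as easily as leaving the token out. The following is an added example of such a handshake check, not the platform's own WebSocket authentication code. It assumes HS256 tokens, that the token arrives either as an `Authorization: Bearer` header or a `?token=` query parameter, the claim names shown, and a constructed demo secret; `mint_token` exists only to build test inputs, the real issuer being the login API. `demo_cases()` runs the check against each failure mode so the expected 4001 can be confirmed offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple, Union

WS_CLOSE_UNAUTHORIZED = 4001   # close code the verification checklist expects
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed; real key comes from config


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT (test helper only; the real issuer is the login API)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, now: float) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry all check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":       # refuses alg=none and algorithm confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= now:
            return None
        return claims
    except ValueError:   # wrong segment count, bad base64, bad JSON (all ValueError subclasses)
        return None


def authorize_ws_handshake(query: dict, headers: dict, secret: bytes,
                           now: Optional[float] = None) -> Tuple[bool, Union[dict, int]]:
    """Decide a WebSocket upgrade: (True, claims) to accept, (False, 4001) to close."""
    now = time.time() if now is None else now
    token = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
    elif "token" in query:
        token = query["token"]
    if token is None:
        return False, WS_CLOSE_UNAUTHORIZED
    claims = verify_token(token, secret, now)
    if claims is None:
        return False, WS_CLOSE_UNAUTHORIZED   # one code for every failure: no oracle for the client
    return True, claims


def demo_cases(now: float = 1_700_000_000) -> dict:
    """Exercise the handshake against constructed tokens; returns {case: result}."""
    good = mint_token({"sub": "alice", "role": "viewer", "exp": now + 600}, DEMO_SECRET)
    _, payload, _ = good.split(".")
    header_none = b64url_encode(json.dumps({"alg": "none"}).encode())
    return {
        "valid_query": authorize_ws_handshake({"token": good}, {}, DEMO_SECRET, now),
        "valid_header": authorize_ws_handshake({}, {"Authorization": f"Bearer {good}"}, DEMO_SECRET, now),
        "missing": authorize_ws_handshake({}, {}, DEMO_SECRET, now),
        "expired": authorize_ws_handshake(
            {"token": mint_token({"sub": "alice", "exp": now - 1}, DEMO_SECRET)}, {}, DEMO_SECRET, now),
        "wrong_key": authorize_ws_handshake(
            {"token": mint_token({"sub": "alice", "exp": now + 600}, b"other-key")}, {}, DEMO_SECRET, now),
        "alg_none": authorize_ws_handshake({"token": f"{header_none}.{payload}."}, {}, DEMO_SECRET, now),
    }


if __name__ == "__main__":
    for name, result in demo_cases().items():
        print(f"{name:13s} -> {result}")
```

Returning the same 4001 for every failure is deliberate: distinguishing "expired" from "bad signature" in the close reason would hand an interceptor a small oracle for free, and the legitimate client only needs to know that it must re-authenticate.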