Infosec at ThotAi

At Thot Ai, we’re passionate about solving real-world problems. Our software has been used to develop new business models, gain an edge in growth and cost efficiency, combat data security challenges, and more.
Given the critical work performed on our platforms, information security is our lifeblood. Our industry-leading InfoSec team works tirelessly to stay ahead of adversaries by hunting for sophisticated threats, thwarting changes in their tactics, and immediately eradicating risks.

THE INFORMATION SECURITY PROGRAM AT THOT AI HAS THREE CORE OBJECTIVES:

  1. Make Thot Application safer.
  2. Make our customers safer.
  3. Make the community and world safer.

As part of our commitment to make the world safer, our InfoSec team embraces an open-source first policy to help the larger InfoSec community better guard against attacks on their software.

Our software and internal tools are built around open-source tools, and we contribute prolifically to the open-source community through bug fixes, improvements, and developer tooling.

This is not to say that we do not use packaged IP applications; we do that too. However, we value the open-source community and acknowledge its contribution to our security.

We frequently tell the stories behind our open-source contributions on our company blog. The posts below offer a good starting point:

Penetration Testing

We perform biannual penetration tests to ensure our backing infrastructure and operations meet the highest security standards.

Current or prospective customers can reach out to Thot to learn more about our security assessments. Customers who would like to perform their own penetration tests can do so under certain conditions, provided the tests are scheduled at least seven days before the start of an engagement.

The following types of customer-initiated security-assessment activities are permitted:

  • Port scanning and banner grabbing.
  • Fuzzing, automated vulnerability scanners, or manually run tools against your own Thot deployment infrastructure.
  • Fuzzing, automated vulnerability scanners, or manually run tools against your own Thot deployment web applications.
  • Testing alerting and detection strategies in your tenant, assuming dedicated tenancy.
  • Attempting to break out from process sandboxing or containerization.

The following types of security assessment activities are strictly prohibited:

  • Attempting to perform any denial of service attacks.
  • Targeting resources or data unrelated to your tenant.
  • Social engineering, phishing, or other employee-targeted attacks.
  • Performing attacks against non-tenant infrastructure, resources, personnel, or data.
  • Moving beyond proof of concepts for code execution, container escape, or lateral movement scenarios.