Security is the product, not a feature.
Vigil Nexa is built to defend enterprise SOC environments — a strict CSP, per-request script nonce, and defense-in-depth headers on day one. This page describes the posture we hold and the channel for reporting a vulnerability to us directly.
What ships by default
Six trust claims the codebase backs up today.
Each card below maps to a concrete control the platform ships now. Prose that resembles a contractual claim carries an explicit watermark so counsel can specialize it during the legal-review sweep.
[NEEDS LEGAL REVIEW]
TLS 1.3 for data in transit
All platform traffic uses TLS 1.3 with modern cipher suites; cloud-to-on-prem ingest channels are encrypted end-to-end. Self-signed certificates are rejected; certificate rotation is automated.
[NEEDS LEGAL REVIEW]
KMS-managed secret storage
Secrets are never persisted in plaintext configuration. Every secret read at runtime resolves through a dedicated key-management system with audit logging.
[NEEDS LEGAL REVIEW]
Role-based access control with SSO, SAML, and SCIM
Operator access is gated by role-based access control; identity is delegated to your identity provider through SAML single sign-on and SCIM provisioning so the full joiner-mover-leaver lifecycle is owned by your directory.
[NEEDS LEGAL REVIEW]
Audit log export capability
Every alert, response action, and configuration change is captured in the audit log. Operators can export the log to their SIEM or to long-term storage in a portable, machine-readable format.
[NEEDS LEGAL REVIEW]
Deployment model matrix
Three deployment models ship today — cloud, hybrid, and on-prem — backed by the on-prem ingestion agent and the hybrid detection console.
| Model | Status | What ships today |
|---|---|---|
| Cloud | Shipped today | Hosted console and SOC surface for design partners during the private beta. |
| Hybrid | Shipped today | On-prem ingestion agent feeds the cloud console — substantiated by the on-prem ingest route. |
| On-prem | Shipped today | Edge-side telemetry collection via the on-prem ingestion agent shipped in the platform. |
[NEEDS LEGAL REVIEW]
SIEM, ticketing, and SOAR connector support
Alert and response traffic is dispatched through the connector matrix the playbook engine fires today. Connectors marked Supported by design ship through the same dispatcher surface — connector mappings are available on request for design partners.
- SplunkEvents indexed for correlation via the SIEM webhook URL cited in the use-case grid.Shipped
- ServiceNowTickets opened on escalation via the ticketing webhook URL cited in the use-case grid.Shipped
- PagerDutyOn-call triggered via the SOAR play-trigger path; dispatcher body shape is PagerDuty-shaped.Shipped
- DatadogSignals correlated with downstream process anomalies via the SIEM webhook URL.Shipped
- SentinelConnector mapping is available on request for design partners.Supported by design
- QRadarConnector mapping is available on request for design partners.Supported by design
Found a vulnerability? Tell us directly.
[NEEDS LEGAL REVIEW]
Email vigilnexa@polsia.app with the subject Security Disclosure. We'll acknowledge within 5 business days and triage with the engineering team — no public disclosure coordination required for a first contact, just a clear repro.
For design partnerships, enterprise sales, or general inquiries, use the regular contact form.
[NEEDS LEGAL REVIEW]
Vigil Nexa is in active private beta; SOC 2 Type II is on the roadmap for Q4 2026 — track progress on /about#roadmap.