Security & Data Handling
FireWeave reads firewall and network configuration data. Customers reasonably ask how we handle it. This page summarizes our deployment model, what we store, how we protect credentials, how AI requests are routed, and our web-application hardening.
Deployment model
FireWeave is available as a managed cloud service and as a self-hosted on-prem deployment. Customers operating in air-gapped or sensitive environments can run the full stack inside their own network with no outbound dependency on FireWeave.
Data flows
FireWeave reads configuration data from Panorama, cloud control planes, and connected network devices. It does not capture, mirror, or analyze packet traffic. Discovered configuration and topology data is stored in the FireWeave database; in self-hosted deployments that database lives entirely inside the customer environment.
Secrets handling
API keys, SSH credentials, and service-account tokens used by integrations are encrypted at rest using a per-tenant key. Secrets are never written to application logs and are redacted from error reports. Access to stored secrets is scoped to the integration that needs them.
AI data handling
Policy analysis is deterministic. AI assistance is layered on top and is optional. When AI is used, requests can be routed to a customer-controlled model endpoint (for example Azure OpenAI, AWS Bedrock, or an on-prem Ollama deployment). Customer data is never used to train any model. In air-gapped deployments, no AI request leaves the customer environment.
Transport security
- HTTPS enforced on all marketing and application traffic
- Outbound SMTP from this site uses TLS 1.2+ with certificate verification
- Integration connections use the strongest TLS or SSH profile each target supports
- Internal service-to-service traffic is mTLS-authenticated
Web application hardening
- Middleware rejects requests from known security scanners (sqlmap, nikto, nessus, burp, nmap, masscan)
- Contact form is rate-limited per IP and honeypot-protected
- Submission payloads are size-capped and input-sanitized server-side
- No third-party trackers, analytics, or advertising tags on the marketing site
Compliance posture
FireWeave performs continuous policy validation against custom and standard frameworks chosen by each customer; the platform is framework-agnostic and does not prescribe a single standard. Our internal security program is aligned with ISO/IEC 27001 control families.
Formal third-party certifications are in planning. Contact us for the current roadmap and any required attestations.
Reporting a vulnerability
If you believe you have found a security issue in FireWeave or this site, please email security@fireweave.io. Please include reproduction steps and your contact details. We will acknowledge within two business days and keep you updated through remediation.
We ask that researchers do not perform automated scanning against production systems and do not access or modify data that does not belong to them.