auto/attack

An adversary that leaves no damage.

AutoAttack’s autonomous adversary runs the same attacks a real one would — and nothing else. It throttles to your lockout policy, installs nothing, changes nothing, and leaves nothing on disk. Here is exactly how it operates inside your network, and how we handle the evidence it produces.

in your network

no lockouts: Credential attempts are throttled to your domain’s real lockout policy. No account gets locked out.
no disruption: No service installs. No policy changes. No payload that trips antivirus. Production stays up.
no footprint: Nothing is written to disk on your hosts. Proof streams straight to your dashboard as each step lands.
ephemeral: Each campaign runs in a fresh container that lives only for the engagement, then is destroyed. There is no persistent agent left behind.

your data

residency: Campaign data, findings, and account information are hosted within the European Economic Area (France).
in transit: All data in transit is encrypted with TLS. Agents reach the dashboard only over an encrypted API.
isolation: Multi-tenant isolation keeps your campaign data — including finding evidence and proof — accessible only to your account.
processors: We use Stripe for payments and Resend for email. Where personal data leaves the EEA, Standard Contractual Clauses apply.

incident & disclosure

breach notice: If a breach affects your personal data, we notify the relevant supervisory authority within 72 hours where required, and affected customers without undue delay.
report an issue: Found a security issue in AutoAttack itself? Email security@autoattack.ai. Our machine-readable contact is at /.well-known/security.txt.

data lifecycle

deletion: Delete your account from Settings. It becomes inaccessible immediately; your email and password hash are permanently overwritten after 30 days.
running campaigns: If a campaign is still running when you delete, it is terminated before the deletion process begins.