Security you can underwrite.
A full catalogue of the controls, audits, and incident transparency that let institutional risk teams green-light us as an operator.
Security you can underwrite, not just read about.
We operate to the posture your risk team needs to green-light. Not marketing claims. Reports, hardware attestations, and public incident history.
Third-party audited operations covering change management and key custody. Security brief available on request.
FIPS 140-2 Level 3 hardware across multiple geographies. Signing keys never leave the box.
Underwritten coverage per protocol, scoped to delegator stake. Claim path documented in the brief.
Every sev-1 in operating history is published with timeline, root cause, and mitigation.
A validator signs two conflicting blocks or attestations for the same slot — the canonical fault that burns stake.
Remote-signer with anti-double-sign database; slash-protection journal replicated across regions; key never loaded on more than one live signer.
- Security brief, available on request
- Penetration tests run annually, with remediation tracked publicly
- Access reviews run quarterly, with documented approvers
- FIPS 140-2 Level 3 HSMs across three geographies
- Scoped signing policies, per-protocol, per-action, rate-limited
- Slash-protection journal replicated before any signer rotation
- 24/7 on-call with named protocol engineers per network
- Sev-1 response time: under 10 minutes, median under 4
- Change management with dual-approval on all production pushes
- Public post-mortems on every sev-1 in operating history
- Status page with raw uptime, not averages
- Customer-facing runbooks for all recoverable incident classes
Security questions from risk teams.
Don't see your question? A named engineer replies within one business day.
FIPS 140-2 Level 3 is a US federal standard for cryptographic hardware that requires tamper-evident physical enclosures, identity-based authentication for any key operation, and active destruction of plaintext keys on attempted intrusion. For validator infrastructure it matters because signing keys never leave the hardware boundary, so a compromise of the operating system or signer software cannot exfiltrate the key material that produces slashable signatures.
Slashing protection runs at three layers. First, a replicated slashing-protection database tracks every block height and attestation slot the validator has ever signed, and refuses to sign anything that conflicts. Second, double-sign guards in the remote signer enforce the same invariant independently of the validator client. Third, equivocation detectors monitor the chain for any signature that looks like ours but should not have been produced. The journal replicates across regions before any signer rotation.
Yes. Underwritten slashing coverage applies per protocol and is scoped to delegator stake. The claim path is documented in the security brief and reviewed during contract scoping. Coverage limits and premiums vary by protocol risk profile and are written into the master services agreement.
Sev-1 response time is under 10 minutes from page, with a median of under 4 minutes across our incident history. Public post-mortems publish within 48 hours of incident resolution, including timeline, root cause, customer impact, and the mitigation we deployed. Every sev-1 in the company's operating history is archived publicly.
The security brief is available under NDA to counterparties evaluating the operator for validator delegation, RPC contracts, or dedicated cluster deployment. Requests route through the contact form with the company name and intended use case. Turnaround for NDA execution and brief delivery is one business day.
Yes. Change management, key custody, and operational controls were third-party audited in Q4 2025. Annual penetration tests follow on a published schedule with remediation tracked publicly. The audit report executive summary is available under NDA alongside the security brief.
Under 4 minutes median, under 10 minutes guaranteed by SLA. Named protocol engineers cover every network on a 24/7 rotation. Pages route to a primary engineer with automatic escalation to a secondary engineer at the 5-minute mark if the primary has not acknowledged.
Put your workload on infrastructure that's built to run it.
One conversation. A named engineer. A reply within one business day. No custody transfer. No lock-in.