Security overview
BreachFix Cloud separates the control plane (API gateway) from the data plane (customer Docker workloads). Workspaces get isolated Docker networks and cgroup limits.
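The isolation described above can be spot-checked from `docker inspect` output. The following is an added example, not BreachFix Cloud's own code; it assumes each workload container carries a hypothetical `workspace` label, and all container names, network names and sample data are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample, trimmed to the `docker inspect` fields the audit reads.
# The "workspace" label and every name below are hypothetical.
SAMPLE = json.loads("""[
 {"Name": "/a-web", "Config": {"Labels": {"workspace": "ws-a"}},
  "HostConfig": {"Memory": 536870912, "NanoCpus": 1000000000, "PidsLimit": 256},
  "NetworkSettings": {"Networks": {"ws-a-net": {}}}},
 {"Name": "/a-db", "Config": {"Labels": {"workspace": "ws-a"}},
  "HostConfig": {"Memory": 1073741824, "CpuQuota": 50000, "PidsLimit": 128},
  "NetworkSettings": {"Networks": {"ws-a-net": {}}}},
 {"Name": "/b-web", "Config": {"Labels": {"workspace": "ws-b"}},
  "HostConfig": {"Memory": 0, "NanoCpus": 0, "PidsLimit": null},
  "NetworkSettings": {"Networks": {"bridge": {}, "ws-a-net": {}}}}
]""")

BUILTIN_NETWORKS = {"bridge", "host"}  # Docker networks shared by default


def audit(containers):
    """Return sorted (subject, finding) pairs for isolation and limit gaps."""
    findings = []
    net_owners = defaultdict(set)  # network name -> workspaces attached to it
    for c in containers:
        name = c["Name"].lstrip("/")
        ws = (c["Config"].get("Labels") or {}).get("workspace", "<unlabelled>")
        hc = c["HostConfig"]
        for net in c["NetworkSettings"].get("Networks") or {}:
            net_owners[net].add(ws)
            if net in BUILTIN_NETWORKS:
                findings.append((name, f"attached to built-in network '{net}'"))
        if not hc.get("Memory"):
            findings.append((name, "no memory limit"))
        if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
            findings.append((name, "no CPU limit"))
        if (hc.get("PidsLimit") or 0) <= 0:  # null, 0 and -1 all mean unlimited
            findings.append((name, "no pids limit"))
    for net, owners in net_owners.items():
        if net not in BUILTIN_NETWORKS and len(owners) > 1:
            findings.append((net, "shared by workspaces " + ", ".join(sorted(owners))))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE):
        print(f"{subject}: {finding}")
```

On a live host, pass `audit()` the parsed JSON from `docker inspect $(docker ps -q)` instead of the sample.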
Current gaps
- API rate limiting not implemented
- Platform DDoS mitigation not built in — use Cloudflare at edge
- SMTP port blocking is partial (cap drop only)
- RBAC not enforced on team roles