Two-plane isolation
Fire Mission strictly separates the control plane (PostgreSQL holding metadata: token counts, costs, security verdicts, SHA-256 content hashes) from the data plane (the ephemeral path that prompt and completion bytes take through the gateway on the way to your selected provider).
Raw prompt and completion bytes are never written to durable storage. The control plane only ever sees what's needed to bill, alert, and audit. A breach of Fire Mission's database exposes metadata — never prompt content or completion text.
BYOK — your keys, your providers
Bring Your Own Key. Provider credentials (OpenAI, Anthropic, Google, Groq, Together AI, self-hosted) are stored AES-256 encrypted at rest and used only to forward the call to the provider you chose. Fire Mission has no provider partnerships and no revenue share on inference — there is no incentive to silently route your traffic anywhere else.
Mandatory security scanning — no off switch
Every call runs through the security scanner regardless of tier. The scanner cannot be disabled by configuration.
- PII detection — emails, SSNs, phone numbers, payment cards, and other sensitive identifiers.
- Prompt-injection patterns — known attack templates flagged before the call hits the provider.
- API-key leakage — outbound prompts containing credentials are stopped at the gateway.
- US-compliance gating — provider whitelists and supply-chain blocks enforced on every request.
Verification flow
Prompt and completion bytes pass through. Only metadata is persisted to the control plane.
Supply chain enforcement — private host policy
The geopolitical enforcement mechanism applies supply chain blocks, provider whitelists, model denylists, compliance checks, and geo-blocking to every request. URL-origin checks are applied to all baseUrl specifications — a custom base URL pointing at a foreign-jurisdiction endpoint is blocked even if the provider name looks legitimate (label-laundering attack).
Self-hosted LLM runtimes (Ollama, LM Studio, LocalAI, vLLM) are supported with a private-host policy: restricted to specific runtime types and requiring explicit opt-in for private network access. This prevents SSRF attacks and cloud metadata exfiltration via a malicious self-hosted endpoint.
Authentication & access control
- Self-serve signup via Google or GitHub OAuth.
- TOTP 2FA available on all paid tiers.
- SSO / SAML on all tiers (architectural baseline).
- SCIM 2.0 user provisioning on Command tier (Okta, Azure AD, Google Workspace).
- Role-based access control with strict tenant isolation between organizations.
Encryption
- TLS 1.3 in transit.
- AES-256 at rest for API keys and provider credentials.
- FIPS 140-2 validated cryptographic modules for user account material.
- API key validation cache keyed on HMAC-SHA-256 — raw key bytes never stored in memory.
What a Fire Mission breach exposes
Typical AI proxy breach exposes
- Raw prompt and completion text
- User conversation history
- Embedded credentials in prompts
- Document content (if stored)
Fire Mission breach exposes
- Token counts, costs, latency (metadata only)
- Security verdicts (not the flagged content)
- Provider credentials (AES-256 encrypted at rest)
- No prompt text. No completion text. No document content.
Current attestation status
SOC 2 Type I in progress · NIST 800-53 aligned · HIPAA-ready architecture · FedRAMP-aligned (Moderate readiness on roadmap) · PCI DSS SAQ-A for checkout. Fire Mission never claims certifications it doesn't hold.
Visit the Trust Center →Report a vulnerability
Coordinated disclosure to mark@blackburntactical.us. We acknowledge within one business day. See /trust for current attestation status.