> ## Documentation Index
> Fetch the complete documentation index at: https://docs.casebender.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security Overview

> CaseBender is built for security teams and secured like one. Explore our enterprise-grade security controls, compliance frameworks, and transparent build pipeline.

## Built for Security Teams, Secured Like One

CaseBender is an on-premise case management platform purpose-built for Security Operations Centers. We understand that the tools security teams rely on must meet the same rigorous standards they enforce across their organizations.

### Live Pipeline Status

Every code change to CaseBender passes through automated security gates before it reaches a release. These badges reflect real-time CI/CD status from our build pipeline:

| Check           | Status                                                                                                                 | What It Covers                                                                                                    |
| --------------- | ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| Security Scan   | ![Security Scan](https://github.com/casebender/webapp/actions/workflows/security-scan.yml/badge.svg?branch=main)       | Gitleaks, Trivy, Semgrep SAST, ESLint Security, OWASP ZAP, dependency review, license compliance, SBOM generation |
| Supply Chain    | ![Supply Chain](https://github.com/casebender/webapp/actions/workflows/supply-chain-verify.yml/badge.svg?branch=main)  | Reproducible build verification, lockfile integrity, dependency pinning, image verification                       |
| Image Signing   | ![Image Signing](https://github.com/casebender/webapp/actions/workflows/image-sign.yml/badge.svg?branch=main)          | Cosign keyless signing for all container images, SBOM attestation                                                 |
| SLSA Provenance | ![SLSA Provenance](https://github.com/casebender/webapp/actions/workflows/slsa-provenance.yml/badge.svg?branch=main)   | SLSA Level 2+ build provenance generation and signing                                                             |
| Accessibility   | ![Accessibility](https://github.com/casebender/webapp/actions/workflows/accessibility-audit.yml/badge.svg?branch=main) | WCAG 2.1 AA, Section 508, ADA Title III compliance                                                                |

<Tip>
  These badges are live and link directly to our CI/CD pipeline. They update automatically with every build.
</Tip>

## Security by the Numbers

<CardGroup cols={3}>
  <Card title="20 Security Controls" icon="lock">
    From Zero Trust architecture to DDoS protection, covering SEC-001 through SEC-020
  </Card>

  <Card title="10+ Compliance Frameworks" icon="clipboard-check">
    SOC2, ISO 27001, GDPR, CMMC, FedRAMP, HIPAA, PCI DSS, and more
  </Card>

  <Card title="15+ CI/CD Security Checks" icon="circle-check">
    Automated scanning on every commit: SAST, DAST, SCA, secrets, licenses, containers
  </Card>
</CardGroup>

<CardGroup cols={3}>
  <Card title="On-Premise First" icon="server">
    Your data never leaves your infrastructure. No telemetry, no cloud dependencies
  </Card>

  <Card title="Signed Artifacts" icon="signature">
    Every container image is signed with Sigstore. Every build has SLSA provenance
  </Card>

  <Card title="7 Container Images" icon="docker">
    Each service image is individually scanned, signed, and attested before release
  </Card>
</CardGroup>

## Security Principles

### Defense in Depth

CaseBender implements multiple layers of security controls. No single control is relied upon in isolation:

* **Perimeter**: Rate limiting, DDoS detection, input validation, SSRF prevention
* **Authentication**: MFA (TOTP + WebAuthn/FIDO2), SSO (SAML 2.0), step-up authentication
* **Authorization**: RBAC, TLP-based access control, privileged access management
* **Data**: Encryption at rest (AES-256) and in transit (TLS 1.3), field-level encryption, data classification
* **Monitoring**: UEBA behavioral analytics, insider threat detection, unified audit trail, SIEM forwarding
* **Supply Chain**: Signed images, SBOM, SLSA provenance, dependency scanning, reproducible builds

### Zero Trust Architecture

Every request is verified regardless of origin. CaseBender implements:

* Device trust assessment with risk scoring
* Mutual service authentication (HMAC) between microservices
* Step-up authentication for sensitive operations
* Continuous session validation
* No implicit trust between services

### On-Premise Advantage

As an on-premise platform, CaseBender provides inherent security benefits:

* **Data Sovereignty**: Customer data stays within your infrastructure boundary
* **Network Control**: You control all ingress and egress
* **Air-Gap Support**: Deployable in fully isolated environments
* **No Vendor Access**: CaseBender has zero access to your running instance or data
* **Compliance Simplification**: Your data classification and retention policies apply directly

## Explore Security Documentation

<CardGroup cols={2}>
  <Card title="Security Architecture" icon="diagram-project" href="/en/security/architecture">
    Zero Trust design, service mesh, network segmentation, and multi-tenant isolation
  </Card>

  <Card title="Data Protection" icon="database" href="/en/security/data-protection">
    Encryption, data classification, TLP system, secrets management, and retention policies
  </Card>

  <Card title="Authentication & Access" icon="key" href="/en/security/authentication">
    MFA, SSO, account lockout, step-up authentication, and WebAuthn/FIDO2
  </Card>

  <Card title="Access Control" icon="user-shield" href="/en/security/access-control">
    RBAC, privileged access management, cross-team visibility, and API security
  </Card>

  <Card title="Threat Detection" icon="radar" href="/en/security/behavioral-analytics">
    UEBA, insider threat detection, DDoS protection, and SIEM integration
  </Card>

  <Card title="Compliance Frameworks" icon="clipboard-check" href="/en/security/compliance-overview">
    SOC2, ISO 27001, GDPR, CMMC, FedRAMP, HIPAA, PCI DSS, and more
  </Card>

  <Card title="Supply Chain Security" icon="link" href="/en/security/supply-chain">
    Dependency management, container signing, SBOM, SLSA provenance
  </Card>

  <Card title="Code Security" icon="code" href="/en/security/code-security">
    SAST, DAST, vulnerability management, penetration testing, license compliance
  </Card>

  <Card title="Audit Logging" icon="scroll" href="/en/security/audit-logging">
    Unified audit trail, integrity verification, legal hold, e-discovery
  </Card>

  <Card title="Hardening Guide" icon="shield" href="/en/security/hardening-guide">
    Deployment hardening, database security, container security, monitoring
  </Card>
</CardGroup>

## Responsible Disclosure

If you discover a security vulnerability in CaseBender, please report it responsibly to [security@casebender.com](mailto:security@casebender.com). We take all reports seriously and will respond within 24 hours.
