Security First

Every byte is encrypted

All communication between your servers and HelmRelay travels through fully encrypted channels. No plain-text data, no exposed ports, no compromises — your infrastructure stays invisible and secure.

TLS 1.3 Encrypted

Zero Inbound Ports

EU Infrastructure

encrypted tunnel

> Establishing secure connection...

Handshake : TLS 1.3 complete

Cipher : TLS_AES_256_GCM_SHA384

Protocol : WSS (WebSocket Secure)

Latency : 12ms

> Agent connected securely to HelmRelay Cloud

> Streaming metrics (encrypted)...

↑ 2.4 KB/s (encrypted) → HelmRelay Cloud

↓ 0.8 KB/s (encrypted) ← Commands & config

Defense in Depth

8 layers of protection

From encrypted communication to file scanning and intrusion detection — every layer works together to keep your infrastructure secure.

End-to-End Encrypted Communication

All communication between the agent and HelmRelay cloud is fully encrypted. Your server data never travels unencrypted — not commands, not metrics, not logs. The agent and platform establish a secure TLS 1.3 tunnel with modern cipher suites.

TLS 1.3 with AES-256-GCM for all agent-to-cloud traffic
Encrypted WebSocket (WSS) connections for real-time data
X25519 key exchange — forward secrecy by default
API tokens hashed with bcrypt before storage
No plain-text credentials or secrets stored anywhere
Certificate pinning prevents man-in-the-middle attacks

agent ↔ cloud

$ helmrelay-agent --status

Connection : encrypted (TLS 1.3)

Protocol : WSS (WebSocket Secure)

Cipher : TLS_AES_256_GCM_SHA384

Key Exchange: X25519

Certificate: valid (expires 2026-03-15)

All data in transit is encrypted. No plain-text data leaves your server.

File & Virus Scanning

Scan your servers for malware, cryptominers, web shells, and suspicious files. HelmRelay detects threats on your file system and flags them immediately so you can take action before damage is done.

Full file-system scanning with malware signature detection
Cryptominer and web shell detection (PHP, Python, Bash)
Suspicious file pattern matching (hidden directories, obfuscated code)
Scheduled recurring scans or run on-demand from the dashboard
Quarantine recommendations with one-click remediation
Scan history and trend reporting per server

security scan

$ helmrelay scan --full --server prod-web-01

Scanning file system...

✗/tmp/.hidden/cryptominer.shmalware detected

!/var/www/uploads/shell.phpsuspicious file

✓/etc/ssh/sshd_configsecure

✓/home/deploy/.bashrcclean

Scanned 14,832 files — 1 threat · 1 suspicious · 14,830 clean

Command Safety System

Every AI-generated command is classified by risk level before execution. Destructive operations are blocked automatically and require explicit confirmation — so a mistake in natural language never becomes a disaster on your server.

Low / Moderate / High / Critical risk classification
Read-only commands (status, logs, df) execute automatically
Destructive commands (rm, drop, kill) require confirmation
Custom allowlists and blocklists per server
AI explains what each command does before you approve
Full command history with approval/denial audit trail

command safety

LOW RISKauto-approved

systemctl status nginx

MODERATErequires confirm

apt upgrade -y

CRITICALblocked

rm -rf /var/log/*

Role-Based Access Control

Granular permissions ensure team members only access what they need. Four distinct roles — Owner, Admin, Member, and Viewer — give you precise control over who can do what across your entire fleet.

Owner — full control over organization, billing, and team
Admin — manage servers, invite members, run scans
Member — execute commands, view metrics and logs
Viewer — read-only access to dashboards and reports
Per-server role overrides for fine-grained control
SSO-ready architecture for enterprise teams

permissions

Permission	Owner	Admin	Member	Viewer
Execute commands
View metrics
Manage servers
Manage team
Billing & plans

Comprehensive Audit Logging

Every action is recorded with user identity, timestamp, target server, command input, and execution result. Full traceability for compliance, debugging, and incident investigation.

Who did what, when, and on which server — every time
Full command input and output preserved
Retention periods by plan (7 days — 1 year)
Searchable and filterable audit history
Export logs for compliance reporting (CSV, JSON)
Tamper-proof storage — logs cannot be modified after creation

audit log

14:32:08Executed commandadmin@company.com → prod-web-01

14:31:55Viewed metricsdev@company.com → prod-db-01

14:30:12Security scan startedadmin@company.com → prod-web-01

14:28:45Agent connectedsystem → staging-01

14:25:33Blocked commandadmin@company.com → prod-web-01

Automated Vulnerability Scanning

Regular scans check for known vulnerabilities (CVEs), outdated packages, exposed ports, and security misconfigurations across your entire fleet. Every finding comes with actionable fix suggestions.

Package vulnerability detection against NVD/CVE databases
Open port scanning and firewall rule audit
SSH configuration review (weak ciphers, root login, keys)
Outdated software detection with upgrade recommendations
Severity-rated findings: Critical, High, Medium, Low
Automated scheduled scans with email/Slack notifications

vulnerability report

PackageSeverity

openssl 3.0.2CVE-2024-5535

High

curl 7.81.0CVE-2024-2398

Medium

nginx 1.18.0CVE-2024-7347

Low

3 vulnerabilities found · fix suggestions available

Isolated Agent Architecture

The agent runs as a lightweight systemd service with zero inbound ports. It only initiates outbound encrypted connections to HelmRelay cloud — your server is never directly exposed to the internet through HelmRelay.

No inbound ports opened on your server — ever
Agent binary under 10 MB, runs in user space
No stored credentials — token-based authentication only
Automatic updates with integrity checks and rollback
Can be uninstalled completely in seconds
Agent source code auditable upon request

architecture

Your Server

Agent (outbound only)

No open ports

TLS 1.3

→→

encrypted

HelmRelay Cloud

EU Infrastructure

DDoS protected

Agent initiates all connections · Zero inbound exposure

Intrusion Detection & Response

Real-time monitoring for suspicious activity: brute-force SSH attempts, unusual network traffic, unauthorized process spawning, and more. Threats are detected and can be blocked automatically before they cause harm.

Brute-force SSH detection with automatic IP blocking
Unusual outbound traffic and port monitoring
Unauthorized process and cron job detection
Automatic firewall rule creation for detected threats
Real-time alerts via dashboard, email, and Slack
Threat timeline and incident report generation

intrusion detection

⚠Failed SSH login from 185.220.101.34×23

⚠Unusual outbound traffic on port 4444now

✓IP 185.220.101.34 auto-blocked via firewall2s ago

✓Port 4444 flagged — alert sent to admin1s ago

Real-time monitoring · Automatic threat response

Best Practices

Our security practices

EU Infrastructure

Hosted on enterprise-grade European infrastructure with geographic redundancy and DDoS protection. GDPR compliant by design.

Minimal Footprint

The agent runs with minimal permissions and never stores credentials. Uninstall from the dashboard or manually in seconds.

No Root by Default

The agent requests only the permissions it needs. Sensitive operations require explicit elevation and user approval.

Incident Response

Documented incident response procedures. We notify affected customers within 24 hours of confirmed security breaches.

Token-Based Auth

No passwords stored on servers. Authentication uses cryptographically secure tokens with automatic rotation support.

Uptime Monitoring

Continuous health monitoring of the HelmRelay platform. Status page available at status.helmrelay.com with real-time updates.

Questions about security?

We're happy to discuss our security practices in detail.

Get Started Free Contact Us