13/14 NIST 800-53 Controls Passed
Infrastructure security audit — Google Cloud Compute Engine VM
Last audit: May 27, 2026
Next audit: July 1, 2026
Auditor: DeFi Sentinel Watch (self-audit)
Framework: NIST SP 800-53 Rev. 5

CONTROL RESULTS

AC-2
Account Management
Only 1 active user account on the VM. Minimal attack surface. SSH key authentication only.
PASS
AC-3
Access Enforcement
SSH key authentication enforced. Root login disabled. No password authentication permitted.
PASS
AC-6
Least Privilege
Minimal sudo access. Service accounts scoped to their specific function only.
PASS
AU-2
Audit Events
System logging active via rsyslog. Auth and syslog files present. All critical events captured.
PASS
AU-6
Audit Review
All services actively monitored via systemd. Portal and monitoring agent logs reviewed continuously.
PASS
SC-5
DoS Protection
GCP firewall rules configured. Only necessary ports open (80, 443, 9650, 9651, 22).
PASS
SC-8
Transmission Integrity
HTTPS enforced on both domains via Let's Encrypt SSL. All subscriber traffic encrypted in transit.
PASS
SI-2
Flaw Remediation
System fully patched. All available security updates applied. No outstanding vulnerabilities.
PASS
SI-7
Software Integrity
All critical files hashed and verified. Integrity baseline established for portal, agent, and audit engine.
PASS
CM-6
Configuration Management
All services configured for auto-start via systemd. Configuration managed and version controlled in GitHub.
PASS
CP-9
State Recovery
Code backed up to GitHub. Audit reports stored locally. Recovery path established and documented.
PASS
RA-3
Risk Assessment
External ports open by design for Flare Network RPC node (9650, 9651). Accepted risk — required for blockchain operations.
PARTIAL
IR-4
Incident Handling
Continuous monitoring agent active 24/7. Alert mechanisms configured. Incident response procedures documented.
PASS
SA-11
Security Testing
Code syntax validated. SSL configured and verified. OAuth PKCE enabled. Security testing performed at launch.
PASS

🔒 Our Commitment to Transparency

DeFi Sentinel Watch applies the same NIST 800-53 security framework to our own infrastructure that we apply to SparkDex liquidity pools. We publish these results publicly because we believe security intelligence providers should be held to the same standard they apply to others.


The RA-3 PARTIAL rating reflects external ports required for our Flare Network RPC node operation — a known and accepted architectural requirement, not a vulnerability. All other controls pass.


This audit is performed by our automated vm_audit.py script and reviewed by our team. Results are published within 48 hours of each audit run. Next scheduled audit: July 1, 2026.

See what we find on SparkDex pools

We apply these same 14 NIST 800-53 controls to 6 SparkDex V3 and V4 liquidity pools every week. Free reports available — no credit card required.