Threat model
Custody's design defends against a defined set of adversaries. This page enumerates them and maps each one to the controls that mitigate it.
Adversaries considered
- Compromised application host — attacker runs arbitrary code on an integrator's machine.
- Compromised Custody node — attacker controls one signing or policy node.
- Compromised operator — a single insider attempts to exfiltrate keys or forge signatures.
- Network-level attacker — can observe, drop, or modify traffic between planes.