TR
Technical
reference

Security

AORKA · TECHNICAL REFERENCE · SA‑01 · REV. 2026.05

Security architecture.

Any management agent with execution privileges is a security commitment. We don't minimize it — we engineered for it. This document describes, by threat model, what stands between the model and your machines: the deterministic safety pipeline, the cryptographic verifications on both ends of every connection, and the residual risks we consider honest.

01The RMM trust problem 02Control plane compromise 03Prompt injection 04Supply chain integrity 05Agent privileges
06Rule of Two 07Mutual verification 08Data isolation 09Residual risk 10Comparison matrix
01
Trust

The RMM trust problem.

Every remote management tool — ConnectWise, Datto, NinjaRMM, Kaseya, and now Aorka — creates the same fundamental trade-off. You gain centralized control. You also create a high-value target. If the control plane is compromised, every connected endpoint is at risk.

This is not unique to AI-powered tools. It is inherent to the RMM model. What is unique to Aorka is that the AI layer adds security constraints conventional RMM tools lack entirely. In a conventional RMM, an operator types a command and it executes — no analysis, no scoring, no second opinion. Aorka's pipeline introduces three independent safety layers before anything runs.

We built Aorka assuming the control plane would be targeted. Every design decision in this document reflects that assumption.

02
Control plane

Control plane compromise.

Threat hypothesis

If an attacker compromises Aorka's central control plane, they could run commands on everything at once.

  • Hard execution ceiling. Scripts scoring above 51 are blocked for all users — including admins. There is no override, no emergency bypass, no “god mode.” Destructive operations are caught by deterministic pattern matching before the AI evaluator even runs. An attacker with full admin access still cannot execute these commands through Aorka.
  • Out-of-band approval. Every write operation requires human approval in the browser — a separate authenticated session, not the same context that generated the script. Even if an API session is compromised, the attacker needs a valid browser session to approve execution. MCP requests require approval at a unique, expiring URL with session authentication. MCP tokens are IP-bound at creation; rebinding requires MFA.
  • HMAC job signing. Every job is cryptographically signed (HMAC‑SHA256) at creation and verified at dispatch. The signing key is separate from the API credentials. A compromised API layer cannot forge jobs that pass signature verification at the WebSocket dispatch layer — the two systems must independently agree.
  • Mutual authentication. All agent connections use TLS (WSS) — the same baseline as any RMM. Aorka stacks more on top. Agents verify the server's identity via HMAC‑SHA256 challenge-response on every connection; if the server fails, the agent disconnects. The server verifies the agent via trusted hash registry and device fingerprint; if either does not match the registered endpoint, the connection is rejected. Both sides must prove identity before any commands are exchanged.
  • Layered authentication. Aorka authenticates through your Azure AD tenant — your conditional access policies, your MFA requirements, your session controls all apply first. Aorka then adds its own TOTP-based MFA for sensitive operations: credential access, MCP token management, security-critical settings. Your security posture is the floor, not the ceiling.
  • Unit read-only locks. Every new client unit starts in read-only mode. Even with full admin access, an attacker cannot run write scripts against locked units. The tenant admin must explicitly unlock a unit before any state-changing commands are allowed — and if a parent unit is locked, all descendants are locked regardless of their individual setting.
03
Injection

Prompt injection.

Threat hypothesis

An attacker could trick the AI into bypassing safety filters and executing unauthorized commands.

This is the most common concern about AI-powered tools, and it reflects a real risk in systems where the AI has direct execution authority. Aorka's architecture is specifically designed so that the AI never has direct execution authority. The safety pipeline that gates every command is not itself AI.

Layer 1
Regex command filter. Deterministic pattern matching. Every operation is classified as read-only, write, or blocked before the AI sees the command. No prompt can bypass a pattern match — it is string comparison, not language understanding.
Layer 2
AI risk evaluation. Multiple independent evaluations run from different model contexts and their analyses are compared. This is not the chat model scoring its own output — it is separate models evaluating the same script. They only score; they cannot approve or execute. Even if one evaluation were manipulated to return a low score, the others would flag the discrepancy and Layer 1's classification still holds.
Layer 3
Human approval gate. Every write operation requires explicit human approval in the browser. The AI cannot click “Approve” — that is a separate authenticated action by a human user. Not a soft guardrail the model can talk its way around. A UI gate in a different security context.

The key insight: prompt injection can make a model suggest a dangerous command. It cannot make a regex filter misclassify it. It cannot make a human click “Approve.” It cannot forge a cryptographic job signature. The layers that matter most are not AI.

04
Supply chain

Supply chain integrity.

Threat hypothesis

If Aorka's update server is hijacked, a malicious agent version could be pushed to your entire fleet.

  • RSA-signed updates. Agent updates are signed with an RSA‑2048 private key that never leaves the development machine. The agent verifies the signature against an embedded public key before applying any update. Even if the update server is fully compromised, the attacker cannot produce a valid signature without the offline private key.
  • Trusted hash registry. Every agent version's hash is registered in the database. Agents report their running hash on connection. The server verifies the hash against the trusted registry — unrecognized hashes are flagged and can be blocked. A second independent check beyond RSA signature verification.
  • Pull-based updates. The server never pushes arbitrary code to agents. It sets a flag indicating an update is available. The agent polls for this flag, downloads the update, verifies the RSA signature, and applies it. The agent decides whether to trust the payload.
  • Staged rollouts. Updates are never pushed to the entire fleet at once. New versions are deployed to test endpoints first, verified, then gradually rolled out. A bad update affects a handful of machines, not your entire infrastructure.
05
Privileges

Agent privileges.

Threat hypothesis

The agent requires elevated privileges. If it is compromised, the attacker inherits those permissions.

This is accurate and unavoidable. The agent requires elevated privileges because it needs to manage services, query directories, install updates, and perform the operations IT teams require. Every RMM agent has this same requirement.

The mitigation is not reducing privileges (which would make the tool useless) but controlling what those privileges are used for:

  • Outbound-only connections. The agent initiates all connections. No inbound ports, no listening services, no attack surface visible to network scanners.
  • Plaintext execution. Commands execute as readable script files, not encoded or obfuscated blobs. EDR-friendly — your existing endpoint protection sees and can block every command.
  • Machine-bound credentials. Agent credentials and server proof values are encrypted using platform-native key storage, bound to the specific machine. Extracting them requires privileged access on that specific endpoint.
  • Device fingerprinting. Each agent registers a hardware fingerprint at deployment. An agent binary moved to a different machine cannot authenticate.
  • The safety pipeline still applies. Regardless of the agent's privilege level, it only executes commands that passed the full three-layer pipeline. Elevated privileges do not bypass the approval gate.
06
Rule of Two

Rule of Two.

The Rule of Two, established by the Chromium security team, states that a component must never combine more than two of three dangerous properties: untrustworthy input, unsafe implementation language, and high privilege. If all three are present, a single exploit can cascade into full system compromise. Security-critical systems are designed so that at least one property is always absent.

Agent side — the classic formulation.

The original Rule of Two addresses code execution: can crafted input exploit a memory-unsafe language to hijack a privileged process?

Mitigated
Untrustworthy input. Commands arrive from the server over a network connection. Input is filtered through the deterministic safety pipeline and server identity is verified via HMAC challenge-response before any commands are accepted.
Absent
Unsafe implementation language. The agent runs on a managed, memory-safe runtime (.NET CLR for PowerShell, or equivalent on other platforms). No C/C++ in the execution path. Memory corruption exploits do not apply.
Present
High privilege. The agent runs as SYSTEM (Windows), root (Linux/macOS), or equivalent. Required for IT management operations.

Two of three. The absent property — unsafe language — means that even if an attacker could deliver malicious input, the managed runtime prevents memory corruption from escalating into arbitrary code execution.

Server side — adapted for AI orchestration.

The classic Rule of Two addresses memory safety. AI orchestration introduces a different class of risk: non-deterministic processing. An AI model interpreting untrusted data can be manipulated in ways that are difficult to predict — analogous to how memory-unsafe code can be exploited by crafted input. For AI orchestration, the three properties become:

Property 1
Untrustworthy input. Agent-reported data — job results, diagnostics, status reports — originates from endpoints that could be compromised.
Property 2
Non-deterministic processing. An AI model reasons about the input, interprets meaning, and makes decisions. Unlike deterministic code, its behavior under adversarial input is not fully predictable.
Property 3
High privilege. Write access to the knowledge base, credential dispatch, and job execution across the managed infrastructure.

If all three combine in a single component, a compromised endpoint can feed crafted data to the AI, manipulate its reasoning, and use its privileged access to poison knowledge, harvest credentials, or influence actions on other endpoints. This is the AI orchestration equivalent of a buffer overflow leading to privilege escalation.

Aorka's architecture prevents this by ensuring deterministic gates stand between the AI and every privileged infrastructure action. Every write operation passes through multiple independent filters: deterministic command classification, AI risk scoring, human approval, and EDR policy enforcement on the endpoint itself. Knowledge mutations are logged with full provenance and are reversible. Credential dispatch and command execution are gated by deterministic validation the AI cannot bypass.

07
Verification

Mutual verification.

Aorka plays its cards face up. Every layer of the system is designed so that both sides — Aorka and your environment — can independently verify the other. You do not have to take our word for it.

  • Plaintext agent source code. The agent is plaintext source code, not a compiled binary. Open the agent file on any endpoint and read every line of code that runs on your machine. Your EDR can read it. Your security team can audit it. There is nothing hidden. If someone edits it, the hash changes and the server will not connect — the trusted hash registry catches the mismatch immediately.
  • EDR-visible execution. Commands execute as readable script files. Your endpoint protection sees every command that runs — the full text, in the clear. Effectively another safety layer, but one your endpoints hold, not us. If your EDR policy blocks a command, it blocks it. Aorka does not bypass endpoint security.
  • Mutual authentication at every layer. Your IDP enforces your security policies; we add TOTP on top. The agent verifies the server's identity; the server verifies the agent's identity. Scripts are visible to your EDR. Audit logs are visible to your team. No layer depends solely on trust in Aorka.
08
Isolation

Data isolation.

  • Tenant isolation. Every data layer is tenant-scoped: facts, understandings, credentials, conversations, endpoints, and job history. Multi-tenant SSO auto-discovery assigns users to their Azure AD tenant. Cross-tenant data access is structurally impossible — queries are scoped at the database level, not the application level.
  • Provider isolation. AI requests are stateless API calls. Your infrastructure data, knowledge base, and credentials are never stored by Anthropic, OpenAI, Google, or any model provider. Conversation history is stored in Aorka's database under your tenant, not in the provider's systems. Your data is never used to train models.
  • Credential vault. Stored credentials use AES‑256‑GCM encryption at rest. Viewing a credential requires MFA verification, not just session authentication. Break-glass access for emergencies is logged and alerted. Credential access controls are independent of unit access.
  • Infrastructure secrets. Application secrets (API keys, signing keys, encryption keys) are managed via AWS Secrets Manager with IAM-scoped access policies. No secrets are stored in code, configuration files, or environment variables on the application server.
09
Residual

Residual risk.

No security architecture eliminates all risk. Here is what we consider the honest residual:

  • You are trusting us. Like every SaaS tool, Aorka requires trust in the vendor. We mitigate this with cryptographic verification (RSA signatures, HMAC signing, mutual authentication), staged rollouts, and comprehensive audit logging — but the trust relationship exists. That is true of ConnectWise, Datto, and every other RMM.
  • Account takeover is the real attack surface. An attacker who compromises a tenant admin's session can approve scripts within Aorka's allowed risk range (0–50). MFA, session management, and the hard ceiling at 51 limit this, but it is the most realistic attack vector. Treat your Aorka console access with the same seriousness as your RMM — because it is one.
10
Matrix

Aorka vs. traditional RMM.

Per threat, what each model does about it.

Threat Traditional RMM Aorka
Operator runs destructive command Executes immediately Blocked if score > 50; write approval required
Compromised admin session Full execution access Hard ceiling at score 51; unit locks; MFA on sensitive ops
Update server hijacked Varies by vendor RSA signature + trusted hash verification
MITM on agent connection TLS only TLS + HMAC challenge-response + trusted hash + device fingerprint
AI manipulation N/A — no AI layer Deterministic filter + separate evaluator + human gate
Agent transparency Compiled binary (opaque) Plaintext source, EDR-visible execution, hash-verified integrity

Read the source. Run the pipeline.

The architecture above is auditable end-to-end. We will walk you through it with your own infrastructure — your endpoints, your scripts, your EDR watching. Break it if you can.

Request a security walkthrough