Your Pentest Data. Your Cloud. Your Controls.
Every vulnerability finding, test log, report, and proof-of-concept payload — stored directly in your cloud account. Full data ownership. Full regulatory control. Zero ambiguity about where your sensitive security data lives.
The Problem
You Trust a Pentester with Your Vulnerabilities. Where Do They Store Them?
Penetration testing produces some of the most sensitive data in your organization. Detailed vulnerability findings. Working exploit code. Proof-of-concept payloads that demonstrate exactly how to compromise your systems. Reports that map your entire security posture in granular technical detail.
With traditional pentest providers, all of that data lives on someone else's infrastructure. A consulting firm's file share. A SaaS platform's multi-tenant database. A scanner vendor's cloud instance in a region you didn't choose and can't control.
For many organizations — especially those operating under data residency regulations, sovereignty requirements, or strict internal governance policies — this is a non-starter. Your security, compliance, and legal teams have spent years building controls around sensitive data. None of those controls apply when your most sensitive security data is stored in a vendor's environment.
The question isn't whether you trust your pentest provider. It's whether your regulators, auditors, and internal policies allow sensitive vulnerability data to live outside your controlled infrastructure.
Shinobi Stores Everything in Your Cloud Account. Everything.
When you enable Data Residency, every piece of data Shinobi generates is written directly to storage in your cloud account.
Vulnerability findings and evidence
Every validated finding with full technical detail, including requests, responses, and observations
Proof-of-concept payloads and screenshots
Exploit code and visual evidence that demonstrate each vulnerability's impact
Full test logs and agent activity
Complete records of every action Shinobi's AI agents took during the engagement
Reports in all formats
Executive, technical, and compliance-mapped reports stored as generated artifacts
Nothing is retained on Shinobi's infrastructure. Your vulnerability data never passes through a multi-tenant data store.
Configure in Minutes. No Infrastructure Work Required.
Shinobi's guided setup wizard walks you through the configuration in minutes.
01
Cloud account connection
Authenticate your AWS account and authorize Shinobi to write to a designated storage location
02
Storage configuration
Choose the region, bucket, and path structure that aligns with your data governance policies
03
Encryption settings
Use your own KMS keys for encryption at rest, inheriting the same controls as the rest of your infrastructure
04
Access verification
Shinobi validates the connection and performs a test write to confirm everything is configured correctly
Once configured, Data Residency applies to all subsequent tests automatically. No per-engagement setup. No manual data transfers. Every test, every finding, every report — written to your cloud account by default.
Layer Your Entire Security Stack on Top of Pentest Data
When pentest data lives in your cloud account, it inherits every control you've already built.
Access control
IAM policies, role-based access, and least-privilege permissions govern who can see vulnerability findings
Encryption
Your KMS keys, your rotation policies, your encryption standards — not a vendor's shared key infrastructure
Retention and lifecycle
Enforce your organization's data retention schedules, archival policies, and deletion workflows
Audit logging
Every access event captured in CloudTrail or equivalent, feeding your existing SIEM and compliance monitoring
Geographic boundaries
Choose the region where data is stored to satisfy residency regulations and sovereignty requirements
Network controls
VPC policies, private endpoints, and network segmentation apply to pentest data like everything else
This is your infrastructure, your policies, your audit trail. Shinobi writes the data. You govern it.
AWS Today. Azure and GCP Coming Soon.
Amazon Web Services
Full Data Residency support with S3 storage, KMS encryption, and CloudTrail audit integration.
Microsoft Azure
Blob Storage with customer-managed keys and Azure Monitor integration.
Google Cloud Platform
Cloud Storage with customer-managed encryption keys and Cloud Audit Logs integration.
Frequently Asked Questions
Does Shinobi retain any data on its own infrastructure?
No. When Data Residency is enabled, all data generated during testing is written directly to your cloud account. Shinobi does not retain copies of findings, logs, reports, or evidence on its own infrastructure.
Which cloud providers are supported?
AWS is fully supported today with S3 storage, KMS encryption, and CloudTrail integration. Microsoft Azure and Google Cloud Platform support are coming soon.
How long does Data Residency setup take?
Minutes. Shinobi's guided setup wizard walks you through cloud account connection, storage configuration, encryption settings, and access verification. No manual infrastructure provisioning required.
Can I use my own encryption keys?
Yes. Data Residency supports customer-managed KMS keys for encryption at rest, ensuring your pentest data inherits the same encryption controls as the rest of your sensitive infrastructure.
Does Data Residency meet GDPR / data sovereignty requirements?
Data Residency gives you full control over where data is stored geographically, which encryption keys are used, and how long data is retained — enabling you to meet GDPR, data sovereignty, and internal governance requirements with your own infrastructure controls.
Is there additional cost for Data Residency?
Contact us for pricing details. Data Residency is available as part of Shinobi's enterprise offering, designed for organizations with strict data governance requirements.
Security Data Deserves Security Controls
Your organization doesn't store customer PII on a vendor's file share. Vulnerability data — detailed maps of exactly how to compromise your systems — deserves the same governance rigor.
Data Residency makes this the default, not the exception. Every finding, every log, every report, every proof-of-concept — stored in your cloud, under your controls, compliant with your policies.
Book Your Demo Today