Architecture
When you launch a scan, LaunchSafe provisions a fresh sandbox instance with:
- Kali Linux — the industry-standard penetration testing distribution, pre-loaded with 600+ security tools
- Dedicated compute — isolated CPU, memory, and network resources for your scan only
- Network isolation — the sandbox can reach your target application but is isolated from other scans and LaunchSafe’s internal infrastructure
- Encrypted storage — all data within the sandbox is encrypted at rest using AES-256
Lifecycle
Real-time metrics
During a scan, the sandbox panel on the scan detail page shows live metrics:
- CPU utilization: Percentage of allocated CPU being used by scan tools. CPU-intensive phases include AST parsing (SAST), payload generation (DAST), and report compilation. Sustained 100% CPU is normal during active scanning.
- Memory usage: RAM consumption of the scan process. Large codebases may consume more memory during AST construction. Memory is bounded to prevent runaway processes from affecting scan stability.
- Network I/O: Inbound and outbound traffic between the sandbox and your target application. High network I/O during DAST indicates active crawling and payload delivery. Network traffic is logged for audit purposes.
- Uptime: Total time since the sandbox was provisioned. This includes provisioning overhead (1–3 minutes), actual scan time, and report generation. The timer stops when the sandbox is destroyed.
Security guarantees
| Property | Detail |
|---|---|
| Isolation | Each scan runs in its own container with dedicated compute, memory, and network namespace. No shared filesystem or process space between scans. |
| Ephemeral | Sandbox is created at scan start and destroyed at scan end. No persistent storage between scans. |
| Encryption at rest | All data within the sandbox is encrypted with AES-256. |
| Encryption in transit | All communication between the sandbox and LaunchSafe’s control plane uses TLS 1.3. |
| No code retention | Source code is deleted when the sandbox is destroyed. LaunchSafe does not retain copies of your source code. |
| Automated access only | Access to your data is restricted to automated systems; no employee accesses your code or results without your explicit written consent. |
Provisioning time
Sandbox provisioning typically takes 1–3 minutes. During this phase, you’ll see a “Provisioning scan infrastructure” message with a spinner on the scan detail page. Factors that affect provisioning time:
- Current infrastructure load
- Region proximity to your target
- Scan type complexity (hybrid scans provision more tools)
If provisioning takes longer than 5 minutes, the scan will automatically retry. If the retry also fails, the scan is marked as failed and you can re-launch it.