Infosec at Palantir

At Palantir, we’re passionate about solving real-world problems. Our software has been used to stop terrorist attacks, develop new medicines, gain an edge in global financial markets, combat child trafficking, and more.

Given the critical work performed on our platforms, information security is our lifeblood. Our industry-leading InfoSec team works tirelessly to stay ahead of adversaries by hunting for sophisticated threats, thwarting changes in their tactics, and immediately eradicating risks.

The information security program at Palantir has three core objectives:

  1. Make Palantir safer.
  2. Make our customers safer.
  3. Make the world safer.

As part of our commitment to make the world safer, our InfoSec team embraces an open-source first policy to help the larger InfoSec community better guard against attacks on their own software.

Our software and internal tools are built around open-source tools, and we contribute prolifically to the open-source community through bug fixes, improvements, and developer tooling. We're also proud to partner with SpecterOps, a cybersecurity company that shares our commitment to OSS.

We frequently tell the stories behind our open-source contributions on our company blog. The posts below offer a good starting point:

Blog Posts:

GitHub Repositories:

Our customers rely on Palantir to power their most critical work, and we’re dedicated to building platforms they can trust. Our cloud offering is a managed, standardized, tested, and externally audited platform with robust access controls that scale to meet customer demand.

Our cloud platform’s infrastructure and operations are certified compliant with the following industry best practice standards and frameworks:

  • SSAE18 SOC 2 Type II
  • ISAE 3000 SOC 2 Type II
  • FedRAMP (Moderate IL-4) Pending

In addition, we have extensive experience helping customers meet specific regulatory and industry requirements. Our software provides functionality that customers can configure and operate to meet requirements such as those arising from:

  • CCPA
  • CJIS
  • DOD IL-4
  • FISMA High
  • GDPR
  • HIPAA

Palantir is an active member of the Vendor Security Alliance, an organization improving information security across vendors and PaaS and SaaS solution providers, and a partner with SpecterOps, a leader in red team operations.

We perform biannual penetration tests to ensure our backing infrastructure and operations meet the highest security standards.

Current or prospective customers can reach out to Palantir to learn more about our security assessments. Customers who would like to perform their own penetration tests can do so under certain conditions, provided the tests are scheduled at least seven days before the start of an engagement.

The following types of customer-initiated security-assessment activities are permitted:

  • Port scanning and banner grabbing.
  • Fuzzing, automated vulnerability scanners, or manually run tools against your own Palantir deployment infrastructure.
  • Fuzzing, automated vulnerability scanners, or manually run tools against your own Palantir deployment web applications.
  • Testing alerting and detection strategies in your tenant, assuming dedicated tenancy.
  • Attempting to break out from process sandboxing or containerization.

The following types of security assessment activities are strictly prohibited:

  • Attempting to perform any denial of service attacks.
  • Targeting resources or data unrelated to your tenant.
  • Social engineering, phishing, or other employee-targeted attacks.
  • Performing attacks against non-tenant infrastructure, resources, personnel, or data.
  • Moving beyond proofs of concept for code execution, container escape, or lateral movement scenarios.

Reporting Security Issues

If you've identified a potential security flaw in our infrastructure or software, please let us know within 24 hours using GPG encryption. We'll triage the issue and get back to you within three business days.

Careers

The Information Security team is Palantir's first line of defense. We're engineers, analysts, and operators committed to making the world a safer place — and we're hiring.