TachyonicTachyonic

Runtimes

Bounded security-agent runtimes — concept, dashboard, and CLI

Overview

A runtime is a single, isolated, region-pinned execution of the Tachyonic scanner against your target. It carries explicit target and tool policy, a budget envelope, evidence capture, and an audit trail.

You can operate runtimes from the dashboard at platform.tachyonic.co or from the CLI under tachyonic runtime …. Both surfaces drive the same platform API.

Regions

Every runtime is pinned to a region at start. Region selection follows your workspace's data-residency settings:

  • EUaws-eu-west-1 (Ireland) is the live runtime cluster.
  • USaws-us-east-1 (Virginia) is the live runtime cluster.

To pin a workspace to a jurisdiction, set the workspace's residency in Settings → Data Residency. Runtimes inherit the workspace setting; pin per-runtime via the manifest or the dashboard's region selector.

Budgets

Each runtime carries a budget that caps spend before it runs:

FieldDefaultWhat it limits
max_runtime_minutes30Wall-clock.
max_model_tokens200,000Inference tokens routed through the platform's metered endpoint.
max_spend_usd5Soft cap reported on the runtime detail page.
max_http_requests500Reserved; not yet enforced.

The platform returns HTTP 402 to the runtime's inference loop once max_model_tokens is reached. The runtime surfaces this as failed_budget_exhausted in the dashboard and the CLI stops issuing inference requests.

Approvals

Tools matching the runtime's policy.approvals.require_before list pause execution and create a pending approval. The operator approves or denies it from the dashboard or with tachyonic runtime approve.

Default policy on a paid plan: destructive_action, credentialed_action, exploit_attempt always require approval. Free-tier may set policy.approvals.require_before: [] to disable approval gating.

Egress controls

Every runtime pod runs alongside an egress-gateway sidecar that proxies all outbound HTTP/HTTPS. A deny-default allowlist permits:

  1. The platform's callback endpoint
  2. The platform's metered inference endpoint
  3. Hosts listed in policy.network.allowlist from your manifest
  4. The host of your scan target

A network policy locks the pod at the cluster layer: only DNS, the platform control-plane namespace, and outbound via the gated sidecar path are permitted. Direct outbound is dropped.

Lifecycle

StatusDescription
plannedBundle rendered; no infrastructure yet.
queuedAdmitted to the runner pool, awaiting scheduling.
runningThe scanner is executing attacks against your target.
waiting_approvalPaused on a gated action; approve to continue.
completedTerminal; artifacts and findings ingested.
failed_budget_exhaustedHit max_model_tokens or max_runtime_minutes.
failedRunner error or operator denial.
cancelledStopped by operator.

Manifest

Reproducible runs use a runtime manifest. Schema:

objective: Pentest the MCP server for tool-poisoning   # required, >=8 chars
target: https://mcp.example.com                        # optional
region: aws-us-east-1                                  # aws-us-east-1 | aws-eu-west-1
model: <alias>                                         # optional
policy: passive-only                                   # passive-only | verified-scope | authorized-research
budget:
  max_runtime_minutes: 30
  max_spend_usd: 5

Unknown keys are rejected. objective is the only required field.

From the dashboard

  1. Sign in at platform.tachyonic.co.
  2. Go to Runtimes → New Runtime.
  3. Pick a target (or paste an endpoint), a region (US or EU), and a budget.
  4. Click Start Runtime to start a live runtime, or Create Plan for a dry-run.

The runtime appears on /runtimes with live status. The runtime detail page shows lifecycle events, callbacks, artifacts, and the approval inbox.

From the CLI

Authenticate the same way as cloud scans:

tachyonic login

All commands accept --api-url (or TACHYONIC_API_URL env) for non-default platforms.

Plan

Validate the manifest and render the runtime bundle without spending budget.

tachyonic runtime plan runtime.yml

Returns the runtime ID and status: planned.

Start

Two forms, mutually exclusive.

Manifest (reproducible runs with explicit policy and budget):

tachyonic runtime start runtime.yml

Shorthand (quick targeted assessment, objective auto-derived from URL host):

tachyonic runtime start --target https://api.example.com --region aws-us-east-1

Returns the runtime ID and status: queued.

Status

Point-in-time status.

tachyonic runtime status <runtime_id>

Watch

Follow a runtime until it reaches a terminal state. Exits 0 on completed, non-zero on failed/cancelled.

tachyonic runtime watch <runtime_id>
tachyonic runtime watch <runtime_id> --timeout 1800 --interval 5

Use in CI to gate on outcome:

RID=$(tachyonic runtime start ci-runtime.yml | grep -oE 'rt_[A-Za-z0-9]+' | head -1)
tachyonic runtime watch "$RID" --timeout 600

Events

Structured lifecycle events.

tachyonic runtime events <runtime_id>
tachyonic runtime events <runtime_id> --follow      # stream new entries
tachyonic runtime events <runtime_id> --limit 200

Logs

The runner's scan log, served as an artifact tail.

tachyonic runtime logs <runtime_id>
tachyonic runtime logs <runtime_id> --follow        # wait for the log artifact to appear, then print

Artifacts

Result artifacts (report bundles, evidence, traces) with signed URLs.

tachyonic runtime artifacts <runtime_id>

Output is a table of type, filename, bytes, and url. Fetch any URL directly with curl.

Approve

Approve or deny a gated action surfaced by runtime status / events when the runtime is waiting_approval.

tachyonic runtime approve <approval_id>
tachyonic runtime approve <approval_id> --deny
tachyonic runtime approve <approval_id> --deny --note "out of agreed scope"

When things go wrong

SymptomLikely causeWhat to do
Runtime stuck in queuedRegion capacity exhaustedWait; the platform auto-redirects after 5 minutes if nothing schedules.
Runtime completed with no findingsDetection thresholds too strict for your target's response shapeSee Detection tuning.
failed_budget_exhaustedHit max_model_tokensRaise the cap or narrow attack scope.
Approval repeatedly deniedPolicy too strictReview policy.approvals in your manifest.
egress_blocked in findingsAllowlist missing a required hostAdd it to policy.network.allowlist.

Next steps

Platform Guide

Using the Tachyonic dashboard for scan management, findings review, and team collaboration

CI/CD Integration

Run Tachyonic security scans in GitHub Actions, GitLab CI, and other CI/CD pipelines

On this page

OverviewRegionsBudgetsApprovalsEgress controlsLifecycleManifestFrom the dashboardFrom the CLIPlanStartStatusWatchEventsLogsArtifactsApproveWhen things go wrongNext steps