TachyonicTachyonic

Runtimes

Bounded security-agent runtimes for dashboard and CLI use

Overview

A runtime is a single isolated execution of the Tachyonic scanner against your target. It carries an explicit target, policy, budget envelope, evidence capture, and audit trail.

You can operate runtimes from the dashboard at platform.tachyonic.co/runtimes or from the CLI under tachyonic runtime .... Both surfaces drive the same platform API.

Plans and limits

Runtime limits are enforced before infrastructure is created. If a request exceeds the plan, the API returns HTTP 402 with upgrade_required: true. Signed evidence downloads and reviewer links remain available only inside the plan's evidence retention window. After that window closes, artifact and share-link endpoints return HTTP 410.

PlanRuntime startsRegionsMinutesSpendModel tokensEvidence retentionReviewer link max
Free3/monthDefault pool only15$150,00072 hours72 hours
Pro50/monthDefault, aws-us-east-1, aws-eu-west-160$10300,00030 days14 days
TeamUnlimitedDefault, aws-us-east-1, aws-eu-west-1120$501,000,00090 days30 days
EnterpriseUnlimitedDefault, aws-us-east-1, aws-eu-west-1240$2505,000,000365 days30 days

Check the limits for your workspace:

curl -sS \
  -H "x-api-key: $TACHYONIC_PLATFORM_KEY" \
  https://api.tachyonic.sh/api/v1/entitlements | jq .

Free users should omit --region; the platform selects the default signed runtime pool. Paid regional runtimes are available through the API and dashboard. Verify each evidence bundle with tachyonic verify before relying on it in a review package.

Regions

Every runtime is pinned to one runtime pool at start.

  • Free: default runtime pool only.
  • Paid: default runtime pool plus aws-us-east-1 and aws-eu-west-1.

When you need a paid region from the CLI, pass --region:

tachyonic runtime start --target https://api.example.com --region aws-us-east-1

Budgets

Each runtime carries a budget that caps spend before it runs.

FieldWhat it limits
max_runtime_minutesWall-clock runtime duration.
max_model_tokensInference tokens routed through the platform metered endpoint.
max_spend_usdRuntime spend cap.

The platform applies the lower of your requested value and your plan limit. The runtime stops issuing inference requests when a hard cap is reached.

Approvals

Free and Pro plans require approval gates for:

  • destructive_action
  • credentialed_action
  • exploit_attempt
  • out_of_scope_access

Tools matching the runtime policy pause execution and create a pending approval. Approve or deny from the dashboard or with tachyonic runtime approve.

Team and Enterprise can run without required approval gates, but explicit policy gates still apply when present.

Egress controls

Every runtime pod runs alongside an egress-gateway sidecar that proxies outbound HTTP/HTTPS. A deny-default allowlist permits:

  1. The platform callback endpoint.
  2. The platform metered inference endpoint.
  3. Hosts listed in policy.network.allowlist.
  4. The host of your scan target.

Direct outbound is dropped at the cluster layer.

Lifecycle

StatusDescription
plannedBundle rendered; no infrastructure yet.
queuedAdmitted to the runner pool and awaiting scheduling.
runningThe scanner is executing attacks against your target.
waiting_approvalPaused on a gated action.
completedTerminal; artifacts and findings ingested.
failed_budget_exhaustedHit a runtime, token, or spend cap.
failedRunner error or operator denial.
cancelledStopped by operator.

Manifest

Reproducible runs use a runtime manifest:

objective: Pentest the MCP server for tool poisoning
target: https://mcp.example.com
region: aws-us-east-1
model: <alias>
policy: passive-only
budget:
  max_runtime_minutes: 30
  max_spend_usd: 5

Unknown keys are rejected. objective is the only required field. Free users should omit region unless the value is supplied by the entitlement API.

From the dashboard

  1. Sign in at platform.tachyonic.co.
  2. Go to Runtimes > New Runtime.
  3. Choose the target endpoint, runtime pool, model, and budget.
  4. Click Start Runtime for a live runtime or Create Plan for a dry run.

The runtime detail page shows state transitions, events, artifacts, findings, and the approval inbox.

From the CLI

Authenticate the same way as cloud scans:

tachyonic login

For CI or a headless shell:

tachyonic login --platform-api-key "$TACHYONIC_PLATFORM_KEY"

All commands accept --api-url or TACHYONIC_API_URL for non-default platforms.

Plan

Validate the manifest and render the runtime bundle without spending budget.

tachyonic runtime plan runtime.yml

Returns the runtime ID and status: planned.

Start

Two forms are supported.

Manifest:

tachyonic runtime start runtime.yml

Shorthand:

tachyonic runtime start --target https://api.example.com

Returns the runtime ID and status: queued.

Status

tachyonic runtime status <runtime_id>

Watch

Follow a runtime until it reaches a terminal state. Exits 0 on completed; exits non-zero on failure or cancellation.

tachyonic runtime watch <runtime_id>
tachyonic runtime watch <runtime_id> --timeout 1800 --interval 5

Events

tachyonic runtime events <runtime_id>
tachyonic runtime events <runtime_id> --follow
tachyonic runtime events <runtime_id> --limit 200

Logs

tachyonic runtime logs <runtime_id>
tachyonic runtime logs <runtime_id> --follow

Artifacts

List result artifacts with presigned URLs:

tachyonic runtime artifacts <runtime_id>

Output is a table of type, filename, bytes, and url. Fetch any URL directly with curl.

Signed evidence usually includes:

  • finding_bundle_v1: the runtime result bundle.
  • evidence_manifest_v1: the Ed25519 evidence manifest.

Download both and run:

tachyonic verify ./tachyonic-evidence/<runtime_id>

See Verifying Evidence.

Approve

Approve or deny a gated action surfaced by runtime status or runtime events.

tachyonic runtime approve <approval_id>
tachyonic runtime approve <approval_id> --deny
tachyonic runtime approve <approval_id> --deny --note "out of agreed scope"

Cancel

tachyonic runtime cancel <runtime_id>

Cancel is idempotent.

Share evidence

Create a reviewer link after a completed runtime:

curl -sS -X POST \
  -H "x-api-key: $TACHYONIC_PLATFORM_KEY" \
  -H "content-type: application/json" \
  -d '{"expires_in_hours":72}' \
  "https://api.tachyonic.sh/api/v1/runtimes/<runtime_id>/share" | jq .

See Share Evidence.

When things go wrong

SymptomLikely causeWhat to do
HTTP 402 on startRegion, duration, spend, or monthly start count exceeds your planRun GET /api/v1/entitlements or upgrade at Settings > Billing.
Runtime stuck in queuedRuntime pool capacity is starting or exhaustedWait and check runtime events.
Runtime completed with no findingsDetection thresholds are too strict for your target response shapeSee Detection tuning.
failed_budget_exhaustedRuntime hit a hard capRaise the cap within your plan limit or narrow attack scope.
Approval repeatedly deniedPolicy is too strictReview policy.approvals in your manifest.
egress_blocked in findingsAllowlist missing a required hostAdd it to policy.network.allowlist.

Next steps

Platform Guide

Using the Tachyonic dashboard for scan management, findings review, and team collaboration

CI/CD Integration

Run Tachyonic security scans in GitHub Actions, GitLab CI, and other CI/CD pipelines

On this page

OverviewPlans and limitsRegionsBudgetsApprovalsEgress controlsLifecycleManifestFrom the dashboardFrom the CLIPlanStartStatusWatchEventsLogsArtifactsApproveCancelShare evidenceWhen things go wrongNext steps