Skip to main content
MemCyber

AI Policy

How we use LLMs — and where we don’t.

AI is a productivity tool in the MemCyber workflow, not a substitute for the researcher. This policy documents exactly where large language models fit into an engagement, and the guardrails that protect client code and findings.

Where we use LLMs

  • Draft triage notes
    Rough first-pass notes during testing — always human-reviewed before any finding is recorded.
  • Report writeup drafts
    Structural drafts and grammar polish on the human-authored finding body. Final wording is reviewed and signed off by the researcher.
  • Literature review
    Surface public CVEs, audit contest writeups, or academic papers relevant to the target stack.
  • Test-case enumeration
    Brainstorm edge cases and attack variations the researcher then validates manually.

Where we don’t

  • Client source code is never uploaded to third-party LLM APIs
    All reasoning over client code happens locally or in an air-gapped environment. No snippets go to public endpoints.
  • No AI-generated findings
    Every finding in a MemCyber report is human-authored, human-reproduced, and backed by a working PoC. We will not ship output a model wrote unsupervised.
  • No LLM inference in the critical path
    Severity scoring, exploit validation, and sign-off are done by the researcher. Models assist; they do not decide.
  • No customer data in model training
    We use API tiers that contractually exclude inputs from training (e.g., enterprise plans). We will not use free tiers that may log for training with engagement data.

Data handling

  • Prompt and response logs
    Retained by the model vendor under their standard SOC 2 / ISO 27001 terms. We use enterprise / zero-retention tiers where available.
  • Client-specific chat history
    Never retained on our side beyond the engagement. Wiped at close.
  • Embedding indices
    Built and stored locally on the engagement workstation, encrypted at rest, destroyed at close.

This policy is reviewed every quarter and updated as our tooling evolves. Last reviewed: April 2026.

Procurement has an AI questionnaire?

Send it. We answer RFP AI sections in one business day.

Request Assessment