CyborgDB’s threat model defines the types of adversaries assumed, the attacks protected against, and the attacks explicitly not addressed. It guides the design of our encryption, key management, and system architecture.
A well-scoped threat model is essential to evaluate whether CyborgDB’s security properties align with your risk profile. This page should be read alongside the Encryption section.

1. Adversary Model

The threat model assumes adversaries can be:

External Network Adversary

Can intercept, modify, or replay traffic between client and server.

Server-Side Adversary

Has full read access to server memory, storage, and code execution environment.

Insider Threat

A privileged operator or cloud provider administrator with direct infrastructure access.

Passive Data Analyst

Can analyze access patterns, ciphertexts, and index structures over time.

CyborgDB does not assume the client endpoint is compromised (see Out of Scope), nor does it defend against malicious users with valid credentials performing authorized actions.

2. Attack Surfaces

Vector databases present a uniquely dangerous attack surface because they centralize semantic intelligence from across an organization’s entire data ecosystem. Unlike traditional databases that contain data from a single application, vector databases aggregate embeddings from CRM systems, HR databases, financial records, email communications, and document repositories. Standard vector databases compound this risk by storing & using embeddings in plaintext format, making them immediately exploitable upon breach. Once an attacker gains access, they can directly extract dense vector representations and apply machine learning techniques to reconstruct the original sensitive content with high fidelity. This combination of centralized intelligence and plaintext storage transforms what should be isolated system breaches into organization-wide intelligence compromises. The following attack surfaces become particularly critical in this context:

Data at Rest

  • Disk-level theft of database files
  • Cloud snapshot compromise
  • Backup leakage

Data in Transit

  • Man-in-the-middle interception
  • Traffic replay or modification

Data in Use

  • Memory scraping from compromised server
  • Runtime introspection of index structures
  • Retrieval of embeddings or keys from process space

Index & Query Metadata

  • Frequency analysis of search tokens
  • Correlation between inserted embeddings and prior queries
  • Leakage via predictable index structures

3. Adversary Capabilities

Capability                | Example Sources
--------------------------|-----------------------------------------------
Full disk access          | Stolen storage volume, cloud snapshot
Full memory access        | Compromised hypervisor, malicious kernel module
Network interception      | BGP hijack, malicious ISP
Log & telemetry access    | Misconfigured logging, compromised SIEM
Code execution on server  | Supply chain attack, RCE in application stack

The Server-Side Adversary case — full memory, disk, and runtime access — is the primary driver for CyborgDB’s in-use encryption and forward-secure index design.

4. Attack Demonstration

Cyborg demonstrated the severity of vector database vulnerabilities at the Confidential Computing Summit (June 2025):
  • Target: Production-like vector DB with synthetic sensitive data (e.g., social security numbers, medical info)
  • Attack time: < 5 minutes from access to sensitive data recovery
  • Recovery rate: 99.38% successful reconstruction of original documents

Attack Flow

5. Mitigation Mapping

The table below maps specific adversary actions to CyborgDB controls:

Attack Vector            | Mitigation                                               | Residual Risk
-------------------------|----------------------------------------------------------|------------------------------------------------------------
Disk theft               | AES-256-GCM encryption at rest                           | Key theft from KMS would bypass
Memory scraping          | In-use encryption with ephemeral node keys               | Queries in progress may suggest active clusters
Index structure analysis | Forward privacy & per-insertion randomization            | Search pattern leakage still possible within active session
Embedding inversion      | Encrypted embeddings never stored/processed in plaintext | Compromised client could still expose
Network interception     | TLS + AEAD                                               | Endpoint compromise would still allow decryption
Query correlation        | Forward-secure cryptographic counters                    | Statistical attacks on large query volumes
Cross-system linking     | Per-record key derivation with unique IVs                | Metadata correlation if encryption keys compromised

These controls assume standard cryptographic primitives — AES-256, SHA-3, HMAC — remain unbroken and that all encryption keys remain secret. If either assumption fails, the corresponding protections may no longer hold.
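To make the "per-record key derivation with unique IVs" and AES-256-GCM rows concrete, here is an added illustration in Go; it is not CyborgDB's code, and the HKDF salt/info labels and the choice of binding the record ID as GCM associated data are assumptions of this example, not a description of the product's key schedule.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// deriveRecordKey derives a distinct AES-256 key per record: HKDF-SHA256 (RFC 5869) built from
// stdlib HMAC, extract then a single expand block, which suffices for 32 bytes of output.
func deriveRecordKey(masterKey []byte, recordID string) []byte {
	extract := hmac.New(sha256.New, []byte("example-salt")) // constructed salt for this demo
	extract.Write(masterKey)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append([]byte("record-key:"+recordID), 0x01)) // info binds the key to one record
	return expand.Sum(nil)
}

// recordAEAD builds an AES-256-GCM instance under the record's derived key.
func recordAEAD(masterKey []byte, recordID string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveRecordKey(masterKey, recordID))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealEmbedding encrypts a serialized embedding with a fresh random 96-bit nonce and binds
// the record ID as associated data, so a ciphertext copied to another record fails to open.
func sealEmbedding(masterKey []byte, recordID string, embedding []byte) (nonce, ct []byte, err error) {
	gcm, err := recordAEAD(masterKey, recordID)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, embedding, []byte(recordID)), nil
}

// openEmbedding is the inverse; it errors on a wrong key, nonce, record ID or tampering.
func openEmbedding(masterKey []byte, recordID string, nonce, ct []byte) ([]byte, error) {
	gcm, err := recordAEAD(masterKey, recordID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}
```

The residual risk in the table follows directly: once the master key is known, every record key is derivable and the cross-record unlinkability shown here disappears.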

Control Points in the Attack Chain

To learn more about how CyborgDB implements these protections, read our Encryption guide.

6. Out of Scope

CyborgDB does not protect against:
  • Client endpoint compromise: If the user’s device is compromised, plaintext data may be exposed during normal operation
  • Authorized insider misuse: Valid users performing authorized but malicious actions within their permissions
  • Social engineering: Attacks targeting users to reveal credentials or perform unauthorized actions
  • Physical access to client devices: Direct access to unlocked client machines
  • Key escrow attacks: Government or legal compulsion to provide decryption keys (mitigated by BYOK/HYOK)
Organizations should implement complementary controls (endpoint protection, user training, access controls) to address these out-of-scope threat vectors.