CC6.6 · D5 · f1
- evidence/boundary-policy.md — Apex Fintech system boundary and network security policy defining DMZ architecture, WAF/API Gateway requirements, mTLS, and VPN access controls
- evidence/network-topology.md — Network architecture document describing VPC layout, traffic flows, and the admin API configuration
- evidence/penetration-test-findings.json — Q3 2025 external penetration test results from CyberShield Assessments with 2 medium and 3 low findings
- evidence/api-gateway-access-logs.csv — 30 days of API Gateway and admin API access logs showing traffic distribution and source IPs

| ID | Type | Severity | Finding |
|---|---|---|---|
| F-001 | gap | medium | Admin API bypasses defined system boundary controls The boundary policy (APXF-SEC-POL-009 Section 3.2) states 'No production service shall be directly accessible from the public internet without traversing the WAF and API Gateway.' The admin API endpoi... |
| F-002 | gap | low | Penetration test staleness for Q4 observation period The most recent penetration test was conducted July 14-25, 2025 (Q3). The policy requires quarterly penetration testing. The pentest report notes 'next assessment: Q4 2025 — Scheduled for October 2025... |
| F-003 | gap | medium | No centralized mTLS certificate inventory or validation evidence The boundary policy (Section 3.3) requires mTLS for all service-to-service communication with 90-day certificate rotation via HashiCorp Vault. The network topology document confirms mTLS is configured... |
| F-004 | gap | low | Materiality of traffic bypassing API Gateway boundary Access logs show 0.3% of total production traffic (~12,500 requests/day) bypasses the API Gateway boundary by hitting the admin API directly. While all admin API traffic originates from the VPN CIDR r... |

| Model | Provider | Score | Recall | Prec. | F1 | Gaps | Reported |
|---|---|---|---|---|---|---|---|
| Sonnet 4.6 | Anthropic | 55% | 75% | 43% | 55% | 3/4 | 7 |
| Opus 4.7 | Anthropic | 33% | 50% | 25% | 33% | 2/4 | 8 |
| GPT-5.5 | OpenAI | 15% | 25% | 11% | 15% | 1/4 | 9 |
| GPT-4.1 | OpenAI | 20% | 25% | 17% | 20% | 1/4 | 6 |
| Haiku 4.5 | Anthropic | 27% | 75% | 17% | 27% | 3/4 | 18 |
| GPT-4o | OpenAI | 20% | 25% | 17% | 20% | 1/4 | 6 |