Master Security Framework: my Multi-Layer Security Framework for Modern Applications

05/18/2026

Summary

The Master Security Framework (MSF) is a comprehensive, multi-language, multi-layer security framework designed to protect modern applications at all levels of the technology stack. Implemented in Python and TypeScript, MSF offers more than 350 functions distributed across 28 modules, covering everything from authentication and encryption to web attack detection, network analysis, cloud security, artificial intelligence protection, adaptive honeypots, active defense and enterprise compliance. This article presents a detailed technical analysis of each module, function, design pattern and security mechanism implemented in the framework.

1. Introduction

1.1. The Problem

Modern applications face an increasingly sophisticated spectrum of threats. A single system can be targeted by attacks on multiple layers simultaneously: injection of prompts into language models, exploitation of web vulnerabilities (XSS, SQLi, SSRF), port scanning, DDoS attacks, cloud misconfigurations, compromised containers, vulnerable dependencies in the software supply chain, and regulatory compliance violations.

The traditional approach to security -- solving each problem with isolated tools -- creates silos of defense that leave gaps between layers. MSF was designed to solve this problem by offering a unified security platform that operates across all layers of the application.

1.2. What is the Master Security Framework

MSF is an open-source security framework implemented in two languages: Python and TypeScript. Each module exists in both languages with the same semantics, allowing multilingual teams to use the same set of security capabilities regardless of the technology stack.

The framework is structured around four pillars:

Prevention: Input validation, sanitization, encryption, configuration hardening
Detection: Analysis of attack patterns, statistical anomalies, malware signatures, suspicious behavior
Answer: Autonomous alerts, quarantine, containment, self-healing
Compliance: Automatic verification of LGPD, GDPR, HIPAA, PCI-DSS

1.3. Project Metrics

243 automated tests passing (77 Python + 166 TypeScript)
14 Python modules with over 180 functions
14 TypeScript modules with 170+ functions
OpenTelemetry telemetry integrated into all functions
Structured logging (pin in TypeScript, loguru in Python)
In-memory cache with automatic invalidation
Policy Engine for configurable security rules
Event Bus for asynchronous communication between modules

2. Framework Architecture

2.1. Infrastructure Layer (Core)

The MSF base is made up of six infrastructure components that are shared by all other modules:

Global Configuration: A centralized configuration object that stores security parameters, thresholds, allowed/blocked lists, and cryptographic keys. The configuration can be reloaded in real time from environment variables without restarting the application.

Policy Engine: A rule evaluation system that allows you to define security policies as structured statements. The engine supports logical operators, compound conditions, and enforcement actions (allow, deny, warn, log).

Event Bus: An asynchronous pub/sub system that allows modules to publish security events and other modules to subscribe to react. The event bus includes an event history and a dead letter queue for events that failed to process.

Metrics Registry: A metrics system that supports counters (for cumulative counts), gauges (for instantaneous values), and histograms (for distributions). All discovery functions automatically publish metrics.

Cache Manager: An LRU (Least Recently Used) cache with configurable TTL (Time-To-Live), used to store expensive validation results, IP block lists, session fingerprints, and revoked tokens.

OpenTelemetry: Complete integration with the OpenTelemetry standard, generating distributed tracing spans for each security operation. This allows colorrelate security events to request traces in microservices architectures.

Structured Logger: Structured logging in JSON format with pin (TypeScript) and loguru (Python), including automatic context such as trace ID, severity, module, and security metadata.

Exception Handling: A hierarchy of security exceptions (SecurityError, ValidationError, AuthenticationError, EncryptionError) that allows granular handling of security errors.

2.2. Protection Layer

Regarding infrastructure, MSF organizes its security modules into three functional layers:

Input Layer: Web, API, Auth -- protect application entry points Infrastructure Layer: Network, Cloud, File -- protects the underlying infrastructure Intelligent Layer: AI, Monitoring, Defensive, Honeypot -- protect with intelligence and adaptation

3. Authentication Module (Auth)

The authentication module is the most extensive in the framework, with 30 functions in Python and 7 in TypeScript. It covers the entire authentication lifecycle: token generation and validation, session management, attack detection, and advanced identity verification methods.

3.1. JWT (JSON Web Tokens)

MSF implements a complete JWT system that goes beyond simple generation and validation:

generate_jwt creates tokens with subject, custom claims, configurable expiration, and issuer. Supports HS256, HS384, HS512, RS256, ES256 algorithms.
validate_jwt checks signature, expiration, mandatory claims, and returns the decoded payload. The verify_exp parameter allows you to disable expiration checking for specific cases.
revoke_jwt adds the JTI (JWT ID) of the token to a revocation blacklist. This is essential to log out before the token's natural expiration.
rotate_jwt validates the old token and issues a new one with the same identity, allowing silent token rotation without interrupting the user session.
validate_refresh_token validates refresh tokens with verification of belonging to the specific user, preventing a stolen refresh token from being used by another user.

3.2. Session Management

The MSF session system includes protection against session hijacking:

secure_session creates a session linking user_id, IP, user agent, and device fingerprint. This allows you to detect suspicious changes in the session context.
validate_session checks if the session_id belongs to the user and if the current IP matches the IP registered when creating the session.
detect_session_hijack compares the current IP and user agent with historical session data. If the IP has moved to a different subnet or the user agent has changed significantly, the function returns true indicating possible hijacking.
detect_token_replay keeps a record of tokens already used. If a token is presented more than once, the function detects the replay attack.

3.3. Authentication Attack Detection

MSF detects three main types of attacks against authentication systems:

detect_credential_stuffing monitors login attempts from a single IP against multiple user accounts. If an IP tries many different usernames in a window of time, it is flagged as credential stuffing.
detect_bruteforce monitors login attempts against a single account. If the number of attempts exceeds the threshold in the time window, it is flagged as brute force.
detect_impossível_travel calculates the distance between two consecutive login locations and compares it with the elapsed time. If the speed required to travel between points exceeds reasonable physical limits (e.g. 900 km/h), the function detects impossible travel.
geo_velocity_check extends impossible travel detection to multiple locations, calculating geographic speed between all consecutive login points.

3.4. Adaptive and Risk-Based Authentication

adaptive_auth adjusts authentication requirements based on the context's risk score. A login from a familiar device in a familiar location may only require a password, while a login from a new device in a different country may require additional MFA.
behavioral_auth uses behavioral biometrics (typing pattern, mouse movement, browsing rhythm) to verify the user's identity against the registered behavioral baseline.
risk_based_auth calculates a composite risk score from multipleby factors: location, device, time, behavior, IP reputation, and returns an authentication decision with a confidence level.

3.5. TOTP and Backup Codes

generate_totp generates Time-based One-Time Password codes following RFC 6238, with configurable digits and period.
validate_totp validates TOTP tokens with clock drift tolerance (drift parameter), compensating for desynchronization between the server and the user's device.
verify_backup_code verifies and consumes backup/recovery codes, removing them from the valid list after use to prevent reuse.

3.6. WebAuthn and Passkeys

passkey_auth validates FIDO2/WebAuthn authentications by checking the authenticator's cryptographic signature, authenticator data, and JSON client data.
webauthn_verify performs a full WebAuthn assertion check, including validating the origin, RP ID (Relying Party ID), and cryptographic signature against the registered public key.
phishing_resistant_auth checks whether an authentication method is resistant to phishing, requiring FIDO2 level 2 or higher with verified attestation.

3.7. Password Security

password_entropy calculates the Shannon entropy of a password, measuring its informational complexity in bits. Passwords with entropy below 40 bits are considered weak.
detect_weak_password combines entropy analysis with checking against lists of common passwords (rockyou, top 10000, etc.).
password_breach_check checks whether a password hash appears in a database of known breaches (Have I Been Pwned and similar).
secure_password_hash creates password hashes with cryptographic salt and key stretching (iterations), supporting algorithms such as PBKDF2, bcrypt, scrypt, and Argon2.
verify_password_hash compares a password against a stored hash using constant-time secure comparison.

3.8. Device and Browser Fingerprinting

device_fingerprint generates a unique device identifier from attributes such as user agent, screen resolution, timezone, languages, and platform.
browser_fingerprint uses advanced fingerprinting techniques based on rendering characteristics: 2D canvas hash, WebGL hash, audio context hash, and list of installed fonts.
biometric_validation compares biometric data (fingerprint, facial recognition, iris) against a stored template with configurable similarity threshold.

4. Cryptography Module (Crypto)

The encryption module implements modern symmetric, asymmetric, and post-quantum encryption algorithms, with a focus on authentication and integrity.

4.1. Authenticated Encryption

encrypt_data uses authenticated encryption with associated data (AEAD), supporting AES-256-GCM and ChaCha20-Poly1305. Associated data (AAD) allows you to link unencrypted metadata to ciphertext in an authenticated way.
decrypt_data performs authenticated decryption, checking the authentication tag before returning plaintext. If the tag does not match, decryption fails, preventing oracle padding and ciphertext manipulation attacks.
encrypt_file and decrypt_file extend authenticated encryption to files on disk, managing nonce, salt, and metadata securely.

4.2. Hybrid Cryptography

hybrid_encrypt combines asymmetric encryption (for key exchange) with symmetric encryption (for the payload). The symmetric key is randomly generated, used to encrypt the payload, and then encrypted with the recipient's public key.
hybrid_decrypt reverses the process: decrypts the symmetric key with the private key and then decrypts the payload.

4.3. Post-Quantic Cryptography

The MSF implements the post-quantum algorithms standardized by NIST:

pqc_encrypt and pqc_decrypt use ML-KEM (formerly Kyber) for quantum computer-resistant encryption.
kyber_key_exchange implements the Kyber key exchange protocol for post-quantum shared key establishment.
dilithium_sign uses ML-DSA (formerly Dilithium) for post-quantum digital signatures.
sphincs_sign uses SPHINCS+, a signature scheme based on hash functions, as a stateless post-quantum alternative.
falcon_sign uses Falcon, a lattice-based signature scheme with compact signatures.

4.4. HMAC and Signature Verification

generate_hmac produces a Hash-based Message Authentication Code using HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, or HMAC-SHA3-256.
verify_hmac compares the calculated HMAC with the expected HMAC using constant-time comparison.
verify_signature verifies digital signatures (Ed25519, ECDSA, RSA-PSS) against a message and public key.

4.5. Cryptographic Utilities

secure_random generates cryptographically secure bytes using os.urandom() (Python) or crypto.getRandomValues() (TypeScript).
secure_memory_erase overwrites memory regions containing sensitive data with zeros, preventing data from remaining in memory after use.
anti_timing_compare compares two sequences of bytes in constant time, iterating over all bytes regardless of where the first difference occurs, preventing timing attacks.

5. Web Module

The Web module is the most extensive in terms of attack detection, with 30 functions in Python and 35 in TypeScript. It covers all web vulnerability categories listed in the OWASP Top 10 and beyond.

5.1. Cross-Site Scripting (XSS)

detect_xss analyzes input for XSS patterns including: <script> tags, event handlers (onload, onclick, onerror), javascript: URIs, DOM XSS (innerHTML, document.write), and XSS via SVG/MathML. The function takes a set of regex patterns and calculates a confidence score based on the number of matching patterns. severity_threshold allows you to adjust the detection sensitivity.
sanitize_html removes disallowed tags and attributes from HTML, using an allowlist of safe tags (<p>, <br>, <strong>, <em>, etc.) and safe attributes (href, src, alt, title, etc.). Disallowed tags are removed completely, and dangerous attributes like on* are filtered out.
sanitize_svg sanitizes SVG by removing dangerous elements such as <script>, <foreignObject>, <animate>, and event attributes.
sanitize_markdown sanitizes markdown by removing embedded dangerous HTML while preserving native markdown formatting.
sanitize_css removes dangerous CSS properties like expression(), url(javascript:), behavior, and -moz-binding.
sanitize_js removes dangerous JavaScript patterns including eval(), Function(), setTimeout/setInterval with string, document.write, document.cookie, unsafe DOM manipulation, and code execution methods.

5.2. SQL and NoSQL Injection

detect_sqli detects SQL injection patterns including: UNION-based (UNION SELECT), blind (AND 1=1, OR '1'='1'), time-based (SLEEP(), WAITFOR DELAY), error-based, and stacked queries. The function also detects evasion techniques such as hex encoding, comments (--, /* */), and string concatenation.
detect_nósqli detects injection in NoSQL databases (mainly MongoDB) identifying dangerous operators in input: $gt, $gte, $lt, $lte, $ne, $in, $nin, $regex, $where, $exists.

5.3. Server-Side Request Forgery (SSRF)

detect_ssrf checks URLs against a list of allowed domains and blocked IPs. The function detects SSRF bypass techniques including: redirects to localhost, use of DNS rebinding, URLs with encoding (%00, %0d%0a), and access to cloud metadata endpoints (169.254.169.254, metadata.google.internal).

5.4. Remote Code Execution (RCE) and Command Injection

detect_rce identifies remote code execution patterns including calls to eval(), exec(), system(), passthru(), popen(), backticks, and pipe operators.
detect_command_injection detects OS command injection using shell operators: ;, |, ||, &&, backticks, $(), and redirects (>, >>).

5.5. File Inclusion and Path Traversal

detect_lfi detects Local File Inclusion by identifying sequences of path traversal (../, ..\), encoded traversal (%2e%2e%2f), and dangerous protocols (php://filter, php://input, data://, expect://).
detect_rfi detects Remote File Inclusion when external URLs are passed as include/require parameters.
detect_path_traversal checks if a path resolves within an allowed base_path, detecting absolute and relative traversal.

5.6. Template Injection

detect_template_injection detects Server-Side Template Injection (SSTI) for Jinja2 ({{ 7*7 }}, {% for %}), EJS (<%= %>), Handlebars ({{#each}}), Pug, Twig, Mustache, and a generic mode that detects common template syntax.

5.7. Deserialization andOpen Redirect

detect_deserialization_attack identifica insecure deserialization verificando classes permitidas e padrões de gadgets conhecidos (Java serialization, Python pickle, PHP unserialize, YAML deserialization).
detect_open_redirect verifica se uma URL de redirecionamento aponta para um host na lista de permitidos, prevenindo redirecionamentos para domínios maliciosos.

5.8. CSRF, CORS and CSP protection

csrf_protect and validate_csrf check request CSRF tokens against session tokens using safe comparison.
validate_cors validates CORS requests by checking Origin, Methods, and Headers against allowed lists.
generate_csp gera headers Content-Security-Policy a partir de configuração de diretivas (script-src, style-src, img-src, connect-src, frame-ancestors, etc.).
validate_csp validates an existing CSP header against a defined security policy.
secure_headers gera um conjunto completo de headers de segurança: Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, e Content-Security-Policy.

5.9. Safe Cookies and Clickjacking

secure_cookie generates Set-Cookie headers with Secure, HttpOnly, SameSite (Strict or Lax), domain scope, path, and max-age flags.
detect_clickjacking checks for the presence of X-Frame-Options headers and CSP frame-ancestors to detect clickjacking vulnerability.
validate_origin and validate_referer validate Origin and Referer headers against expected domains.

5.10. Webhooks

webhook_signature generates HMAC signatures for webhook payloads, including timestamp for replay prevention.
webhook_replay_protection checks the webhook signature and timestamp, rejecting requests outside the configured time window.

6. API Module

The API module protects API endpoints against a wide range of attacks and abuse.

6.1. Input Validation and Sanitization

validate_json_schema valida dados contra definicoes JSON Schema com modo estrito opcional que rejeita campós extras não definidos no schema.
validate_input valida input de API contra regras de tipo (string, number, boolean, array, object), tamanho minimo/máximo, pattern regex, enum de valores permitidos, e profundidade maxima de nesting (default: 5 níveis).
sanitize_json sanitiza dados JSON removendo tipos não permitidos e truncando strings que excedem o tamanho máximo configurado (default: 10.000 caracteres).

6.2. Rate Limiting

api_rate_limit implementa rate limiting usando sliding window algorithm, mantendo um registro de timestamps de requisições por cliente e endpoint. When the number of requests in the window exceeds the limit, the request is rejected.
adaptive_rate_limit dynamically adjusts rate limits based on client behavior. Customers with a clean record receive more generous limits, while customers with suspicious patterns receive more restrictive limits.

6.3. API Abuse Detection

detect_api_abuse analisa padrões de requisições para detectar: scraping (requisições sequenciais a muitos recursos), enumeration (tentativas de IDs sequenciais), fuzzing (requisições com payloads malformados variados), e automação maliciosa (alta frequência com padrões regulares).
detect_shadow_api identifica endpoints não documentados que estão recebendo tráfego, comparando os endpoints acessados contra a lista de APIs documentadas.

6.4. Broken Object Level Authorization (BOLA/IDOR)

detect_bola verifica se o usuário tem autorização para acessar o recurso solicitado, comparando o resource_id com o ownership_map que mapeia recursos a seus proprietários. If the user is not the owner and does not have delegated permissions, the function returns true.

6.5. Broken Authentication and Mass Assignment

detect_broken_auth verifica a presença e validade do token de autenticação, os scopes requeridos pelo endpoint, e a correspondência entre o token e o usuário solicitado.
detect_mass_assignment verifica se o input da API contém campós que não estão no modelo (model_fields) ou que estão na lista de campós somente leitura (readonly_fields), prevenindo que atacantes modifiquem campós protegidos como is_admin, role, ou balance.

6.6. GraphQL Security

graphql_depth_limit analyzes the depth of GraphQL queries, rejecting queries that exceed the configured limit (default: 10 levels). This prevents attacks thatrecursive ries that can cause denial of service.
graphql_cost_analysis calculates the computational cost of a GraphQL query based on the complexity of each field (configurable via complexity_map) and the nesting level. Queries with a cost above the limit (default: 1000) are rejected.
graphql_abuse_detection analyzes multiple queries in a time window to detect query flooding, introspection abuse (queries that exploit the schema to map the API), and repetitive abuse patterns.

6.7. gRPC and WebSocket Security

grpc_security_validation validates the security of gRPC requests by checking metadata, mandatory headers, and TLS information (cipher suite, protocol, peer certificate).
secure_websocket configures secure WebSocket connections with origin validation and allowed subprotocols.
websocket_origin_validation and websocket_flood_protection protect against malicious WebSocket connections and connection flooding.

6.8. API Key Management

api_key_rotation generates new API keys with secure hash (SHA3-256), identifiable prefix, and configurable expiration date.
api_key_validation validates API keys against a registry of known keys, checking scopes, expiration, and individual rate limits.

7. Artificial Intelligence (AI) Module

The AI module is one of MSF's most innovative, offering complete protection for applications that use large language models (LLMs).

7.1. Prompt Injection and Jailbreak Protection

detect_prompt_injection analyzes prompts for injection patterns such as "ignore previous instructions", "forget all rules", "system:", "you are now", "disregard all previous", "override system instructions", "bypass security", "act as if you are", "pretend you are", "from now on you are", "developer mode:", and markup patterns that attempt to simulate system instructions. The function uses more than 20 regex patterns and calculates a confidence score based on the number of matches and the length of the prompt.
detect_jailbreak detects jailbreak attempts specifically aimed at bypassing LLM security restrictions, including: DAN mode, "do anything now", "disable safety", "unrestricted mode", "without any restrictions", "ignore your safety guidelines", "you don't have to follow your rules", "roleplay as unrestricted", "hypothetical scenario where you can", "in this alternate universe", and "for educational purposes only" patterns used as justification for bypass.

7.2. Sensitive Data Protection

detect_sensitive_leak scans text for sensitive data including: SSN/CPF, credit card numbers (with Luhn checksum validation), emails, phone numbers, API keys (AWS, GCP, GitHub, Stripe standards), passwords, JWT tokens, private keys (PEM headers), and cryptocurrency wallet addresses.
detect_prompt_leak detects attempts to extract the LLM system prompt by comparing the contents of the user prompt with the system prompt using text similarity. If the user is trying to reproduce or infer parts of the system prompt, the function flags it.
detect_data_exfiltration analyzes the LLM output for sensitive data that may have been inadvertently included in the response.

7.3. Sanitization

sanitize_prompt removes blocked patterns from user prompt and enforces length limit.
sanitize_llm_output removes scripts, event handlers, and sensitive data from the LLM output, applying truncation if necessary.
ai_memory_sanitizer sanitizes AI memory entries based on retention policy, removing sensitive data and expired entries.

7.4. Model and Agent Abuse Detection

detect_model_abuse analyzes request patterns to detect model abuse: excessive repetition (same prompt sent multiple times), high request rate (above 30/minute), and abnormal complexity (very deep or long queries). The abuse score is calculated as a weighted combination of pattern matching, repetition, rate, and complexity.
detect_agent_abuse monitors the behavior of AI agents by checking whether the actions performed are within the defined policies (allowed actions, call limits, access restrictions).

7.5. LLM Firewall and Policy Engine

llm_firewall evaluates input against a set of LLM firewall rules with configurable actions (block, warn, log). Each rule specifies a pattern, a condition, and an action.
ai_policy_engine evaluatesboth the LLM prompt and output against a set of security policies, including: prohibition on generating malicious code, prohibition on revealing personal information, requirement of sources for factual claims, and domain-specific restrictions.

7.6. RAG and Hallucination

rag_source_validation validates the credibility of sources used in RAG (Retrieval-Augmented Generation) systems, checking whether the source domains are on the trusted list and applying validation rules such as checking date, author, and reputation.
hallucination_risk assesses the risk of hallucination in the LLM output by analyzing: low confidence scores, unverified statements, factual inconsistencies, and language patterns indicative of uncertainty.

7.7. Guardrails and Tool Call Validation

ai_output_guard applies guardrails and redaction rules to LLM output, removing prohibited content and redacting sensitive data.
tool_call_validation validates tool calls (function calling) by checking whether the tool is on the allowed list and whether the arguments correspond to the expected schema.
multi_agent_isolation validates isolation and communication policies between multiple AI agents, preventing one agent from compromising another.

7.8. Monitoring

ai_token_monitor monitors the use of LLM tokens against defined limits (per request, per minute, per day, per cost), generating alerts when limits are approached or exceeded.
ai_behavior_monitor monitors AI behavior for deviations from the established baseline, detecting changes in response patterns, increased errors, or unexpected behavior.

8. Network Module

The network module provides network-level threat detection, covering everything from port scanning to command-and-control communication.

8.1. Scan Detection

detect_port_scan analyzes connections from a source IP to detect port scans. The function counts unique ports accessed, calculates the connection rate (connections per second), and analyzes TCP flag patterns (SYN flood, SYN-RST patterns). Detected scan types include: SYN scan, FIN scan, XMAS scan, NULL scan, and UDP scan. The configurable threshold allows you to adjust the sensitivity (default: 20 single ports in 60 seconds).
detect_dns_tunneling analyzes DNS queries to detect tunneling, calculating the Shannon entropy of subdomains (data encoded in DNS queries has high entropy), measuring the average size of subdomains, and counting the frequency of queries for a specific domain.

8.2. Traffic Anomaly Detection

detect_traffic_anomaly compares current traffic metrics (bytes per second, packets per second, connections per second, protocol distribution) against a historical baseline using static z-score. Deviations above the threshold (default: 2.0 standard deviations) are flagged as anomalies.
detect_ddos detects Distributed Denial of Service attacks by analyzing spikes in bytes/packets per second against the baseline, with configurable threshold and time window.

8.3. Proxy, VPN and Tor Detection

detect_proxy checks HTTP headers indicative of proxy (X-Forwarded-For, Via, X-Real-IP, Forwarded) and analyzes behavioral patterns of proxy connections.
detect_vpn checks the source IP against a database of known VPN provider IPs.
detect_tor checks whether the IP belongs to the Tor network by comparing against lists of nodes and exit nodes from the Tor network.

8.4. IP and Domain Validation

validate_ip validates IPv4 addresses against allowed ranges and blocks using CIDR matching. Supports CIDR notation (e.g. 192.168.1.0/24) and individual ranges.
validate_domain validates domains by checking the TLD against an allowed list (e.g. just .com, .org, .br) and the full domain against a blocked list.

8.5. Spoofing Detection and ARP Poisoning

detect_spoofing analyzes packet data against expected sources and network topology to detect IP spoofing, checking whether the source IP is consistent with the expected route.
detect_arp_poisoning compares the current ARP table against expected IP-to-MAC mappings, detecting when a MAC address responds to multiple IPs or when a mapping changes unexpectedly.

8.6. TLS Fingerprinting

tls_fingerprint generates a TLS fingerprint from the handshake (cipher suites, extensions, elliptical curves, dot formats) and compares againstto a database of known fingerprints to identify the client.
ja3_fingerprint generates a TLS-specific JA3 hash ClientHello, which is an industry standard for identifying TLS clients based on negotiation parameters.

8.7. Beaconing and C2 Detection

beaconing_detection detects beaconing behavior (periodic communication with command-and-control) by analyzing the regularity of the intervals between connections. Connections with very regular intervals (low jitter) and high interval correlation are indicative of beaconing.
command_and_control_detection analyzes traffic patterns against known indicators of C2: communication with DGA (Domain Generation Algorithm) domains, traffic on non-standard ports, beaconing patterns, and use of tunneling protocols (DNS, ICMP, HTTP).

8.8. Lateral Movement and Network Analysis

lateral_movement_detection detects lateral movement by analyzing access patterns between hosts on the network: accesses to hosts that the user does not normally access, use of remote administration protocols (RDP, SSH, WMI) for unusual hosts, and propagation of access in a graph pattern.
network_entropy_analysis analyzes the entropy of network packets to detect encrypted or scrambled traffic (high entropy indicates random or encrypted data).
traffic_behavior_analysis analyzes traffic behavior against baselines established in a time window, detecting changes in the communication pattern.
protocol_anomaly_detection detects anomalies in protocols by comparing protocol data against expected specification (required fields, valid values, message sequence).

9. Cloud Module

The cloud module protects cloud infrastructures on AWS, GCP, and Azure, covering containers, Kubernetes, storage, IAM, IaC, and supply chain.

9.1. Container Security

validate_dockerfile validates Dockerfiles against security best practices: don't use latest tag, don't run as root, include HEALTHCHECK, don't include hardcoded secrets, use minimal base images (alpine, distroless), and don't expose unnecessary ports.
detect_container_escape detects potential container escape vectors by checking: privileged mode, dangerous capabilities (SYS_ADMIN, SYS_PTRACE, NET_ADMIN), sensitive hostPath mounting (/, /etc, /proc, /sys), lack of seccomp/AppArmor profiles, and host namespace sharing.
runtime_container_protection analyzes container events at runtime against threat rules and performs automatic actions (block, alert, isolate, terminate, log).
container_image_scan scans container image layers for known vulnerabilities (CVEs) and checks image signatures (Cosign, Notary).

9.2. Kubernetes Security

validate_k8s_rbac validates Kubernetes RBAC configurations against principles of least privilege: detecting ClusterRoles with wildcard (*), ServiceAccounts with excessive permissions, bindings that grant access to secrets, and roles that allow exec in pods.
validate_kubernetes_manifest validates Kubernetes manifests against pod security policies and network policies: detect pods running as root, without resource limits, with hostNetwork/hostPID/hostIPC, without readOnlyRootFilesystem, and without securityContext.
runtime_k8s_anomaly detects anomalous behavior in Kubernetes runtime events: creation of pods in unusual namespaces, changes to RBAC, access to non-standard secrets, and communication between pods that normally do not communicate.

9.3. Storage and IAM

detect_public_bucket detects publicly accessible cloud storage buckets by checking: bucket policies with Primary: "*", public ACLs, public access blocking disabled, and website configurations that expose the bucket.
validate_s3_permissions validates S3 bucket permissions against security requirements: checking that there are no public write permissions, that encryption is enabled, that versioning is active, and that logging is configured.
validate_iam_policy validates IAM policies against lists of allowed and denied actions, detecting over-permission: actions with wildcard (s3:*, *), access to resources of all services, and absence of restriction conditions.

9.4. Infrastructure as Code

validate_terraform validates Terraform plans against security policies: detect resources with encryption disabled, security groups with open entry rules (0.0.0.0/0), public buckets, unbacked databases, and resources without identifying tags.
detect_cloud_misconfig detects cloud infrastructure misconfigurations by comparing the current configuration against a security baseline per provider (AWS, GCP, Azure).

9.5. Secrets and Supply Chain

validate_secrets_manager validates secrets manager configuration: automatic rotation enabled, encryption at rest with KMS, restrictive access policies, and access logging enabled.
supply_chain_validation validates software dependencies against trusted sources and vulnerability databases, detecting packages from unverified sources, versions with known CVEs, and dependencies with restrictive licenses.
sbom_generator generates Software Bill of Materials in SPDX or CycloneDX formats, listing all components with name, version, type, licenses, and hash.
dependency_audit audits dependencies against vulnerability database with severity filter.
detect_typósquatting detects typósquatting attacks by comparing package names against known packages using string similarity (Levenshtein, char swap, hyphenation).

9.6. Score and Identity

cloud_security_score calculates an overall cloud security score based on CIS benchmarks and configurable weights by category (IAM, storage, network, logging, encryption).
workload_identity_validation validates workload identity configuration (IRSA on AWS, Workload Identity on GKE, Managed Identity on Azure).
confidential_computing_validation validates confidential computing attestation for TEEs (Intel SGX/TDX, AMD SEV-SNP, AWS Nitro Enclaves, Azure CVM).

10. Monitoring Module

The monitoring module offers advanced detection, correlation, and incident response capabilities.

10.1. Tamper-Proof Logging

secure_log creates secure log entries with cryptographic integrity using hash chain: each entry includes the hash of the previous entry, making it impossible to change past entries without invalidating the entire chain.
tamperproof_logs checks the integrity of a chain of logs by validating that each hash correctly points to the previous entry.

10.2. Statistical Scoring

anomaly_score calculates an anomaly score using statistical z-score: for each metric, calculates how many standard deviations the current value is from the historical average. Individual scores are combined with configurable weights to produce a composite score.
threat_score calculates a threat score composed of security and threat intelligence events, weighting by severity, criticality of the target, and confidence in the intelligence source.
risk_score calculates a risk score for a specific user based on recent events, current context, and history (previous risk average, number of incidents, days since last incident).

10.3. Correlation and Alerts

correlate_events correlates security events within a time window using user-defined correlation rules. For example: "if there are 3 failed login events from the same IP followed by a success event, correlate as possible brute force".
realtime_alert evaluates events against alert rules and generates real-time alerts with configurable notifications (email, Slack, PagerDuty, webhook).
adaptive_alerting implements adaptive alerts with alert fatigue prevention: if the number of alerts per hour exceeds a baseline, the system groups similar alerts and reduces the notification frequency.

10.4. Attack Analysis

attack_path_analysis analyzes potential attack paths through the network based on security events and network topology, identifying sequences of actions that an attacker could use to reach a critical target.
threat_graph builds a threat knowledge graph from events, entities (users, hosts, applications), and relationships (accessed, compromised, communicated with).
attack_chain_mapping maps security events to the MITER ATT&CK framework (techniques and tactics) and to the Cyber Kill Chain (reconnaissance, weaponization, delivery, exploitation, installation, C2, actions on objectives).

10.5. Behavioral Analysis and UEBA

behavioral_analysis analyzes user behavior against established baselines: typical login times, common locations, volume of events per hour, and typical action types.
ueba_analysis performsUser and Entity Behavior Analytics comparing user behavior against the peer group (group of users with a similar profile), detecting statistical deviations.
detect_account_takeover detects account takeover attempts based on behavioral indicators: unknown device login, unusual location, atypical time, password change followed by data transfer, and access to non-standard resources.

10.6. Autonomous Response and Forensics

autonomous_response performs autonomous incident response based on threat severity and response rules: block IP, disable account, isolate host, revoke tokens, and escalate to security team.
forensic_snapshot creates a forensic snapshot of the system state with chain of custody of evidence, including cryptographic hash of all collected artifacts.
incident_timeline builds a chronological incident timeline from security events, ordering by timestamp and grouping by attack phase.
autonomous_triage performs autonomous triage of alerts using triage rules and enrichment data (threat intel, user context, false positive history).

11. Active Defense Module (Defensive)

The defensive module implements active defense mechanisms that protect the framework and application runtime itself.

11.1. Anti-Debugging and Anti-Tampering

runtime_self_protection enables self-protection mechanisms at runtime: periodic integrity checks, debugging detection, and continuous monitoring of the process state.
anti_debugging_detection detects active debugging attempts by checking: ptrace status (if the process is being traced), debugger signals in the environment (environment variables, debug files), and runtime anomalies (unexpected pauses indicate breakpoints).
anti_tampering checks binary integrity by comparing cryptographic hashes (SHA-256, SHA3-256) against expected values. If the hash has changed, the binary has been modified.
memory_integrity_check checks the integrity of memory regions by comparing the current state against the expected state and checking signatures of critical regions.
process_integrity_check verifica a integridade do processo incluindo: módulos carregados (detectando DLLs não autorizadas), cadeia de processos país (detectando se o processo foi iniciado por um pai inesperado), e permissões do processo.

11.2. Binary and Boot Validation

code_signing_validation validates a binary's code signing certificate against a store of trusted certificates and checks that the certificate has not been revoked.
binary_integrity_validation validates the integrity of a binary per section (.text, .data, .rsrc, .reloc) by calculating individual hashes for each section and comparing against expected hashes.
secure_boot_validation validates the secure boot chain by checking the TPM (Trusted Platform Module) measurements and the values of the PCRs (Platform Configuration Registers) that record each boot stage.
secure_update_validation validates update packages by checking: package cryptographic signature, content integrity, version (preventing downgrade attacks), and distribution channel.

11.3. Advanced Detection Techniques

anti_hook_detection detects function hooks in memory by checking: IAT hooking (modifying the Import Address Table), inline hooking (modifying the first instructions of a function), and SSDT hooking (modifying the System Service Descriptor Table in the kernel).
anti_injection_detection detects code injection in process memory space by checking: modules loaded without signature, libraries loaded from suspicious paths, and signatures of known injection techniques (process hollowing, DLL injection, reflective DLL loading).
anti_rootkit_detection detects rootkit indicators by analyzing: system calls that return inconsistent results, unsigned kernel modules, and hidden processes (processes that appear in the kernel process list but not in the operating system list).
anti_vm_detection detects execution in a virtual environment by checking: hardware information indicative of the VM (BIOS manufacturer, processor model, MAC address), timing checks (instructions that execute slower in VMs), and VM artifacts (files, services, drivers specific to VMware, VirtualBox, Hyper-V).
anti_emulation_detectiondetects emulation environments by checking: availability of APIs that emulators often do not implement, timing of operations (emulators are slower), and environment checks (number of processes, disk space, RAM memory).

11.4. Moving Target e Self-Healing

moving_target_runtime implements moving target defense by rotating service endpoints, randomizing memory layout, and varying response times to make vulnerability exploitation more difficult.
dynamic_attack_surface dynamically adjusts the attack surface based on the threat level: at low level, all endpoints are available; at medium level, non-essential endpoints are disabled; at high level, only critical endpoints remain active.
runtime_policy_engine evaluates and applies security policies at runtime with configurable enforcement mode (audit, warn, enforce).
self_healing_security automatically detects and recovers from security incidents: if a service is compromised, the system can restart the service, restore the original configuration, and notify staff.
adaptive_threat_response performs adaptive response to threats based on threat characteristics and predefined response playbooks.
autonomous_containment contains autonomously active threats using containment rules and network topology: isolate compromised hosts, block C2 communication, and segment the network to limit propagation.

12. Modulo de Honeypot

The honeypot module implements deception techniques to attract, detect, and analyze attackers.

12.1. Fake Services

fake_admin_panel deploys a realistic fake admin panel with login routes, dashboard, user management, and system settings. All interactions are logged for analysis.
fake_database creates a fake database with realistic schema (user, order, payment tables) and example records that look legitimate but are completely fictitious.
fake_api deploys a fake REST API with realistic endpoints (/api/users, /api/orders, /api/payments) that return convincing but fictitious payloads.
fake_filesystem creates a fake file system with plausible directory structure (/etc, /var/log, /home/user, /opt/app) and files with realistic content.
fake_ssh_service deploys a fake SSH service that accepts connections, displays a realistic banner, and logs all authentication attempts and executed commands.
fake_rdp_service deploys a fake RDP service to detect and track remote desktop attacks.
fake_kubernetes_cluster deploys a fake Kubernetes cluster API to attract container-focused attackers by responding to queries for pods, services, deployments, and secrets.
fake_s3_bucket creates a fake S3 bucket with realistic objects (documents, configurations, backups) and access policies that look legitimate.
fake_login_page deploys a convincing login page with customizable branding to capture credential submission attempts.
fake_debug_panel deploys a fake debug/development panel that appears to expose internal system information (environment variables, database settings, logs).

12.2. Honeytokens and Deception

fake_secrets generates and manages fake secrets (API keys, database tokens, SSH credentials) that alert when used outside of authorized contexts.
honeytoken_generation generates trackable tokens of different types (URLs, API keys, credentials, files) that trigger alerts when accessed.
honeycredential_detection checks submitted credentials against the database of known honeytokens, detecting when an attacker is using fake credentials.
deceptive_routes records deceptive routes that look like legitimate API endpoints but trigger alerts when accessed.
decoy_endpoints generates a list of decoy API endpoints that mimic real service endpoints.
deceptive_responses generates contextually appropriate deceptive responses based on the request and the attacker's profile, keeping the attacker engaged while gathering information.

12.3. Analysis and Adaptation

adaptive_honeypot dynamically adjusts the honeypot configuration based on observed traffic and threat level: if the attacker is exploiting web vulnerabilities, the honeypot increases the surface of web services; if it's scanning doors, it opens more fake doors.
attacker_behavior_tracking tracks and analyzes attacker behavior patterns within the honeypot session: commands executed, files accessed, credentials attempted, and time spent on each service.
adaptive_deception dynamically adjusts deception tactics based on the attacker profile (script kiddie, automated attacker, APT) and effectiveness metrics (how long the attacker stayed, how many actions he performed).
moving_target_defense implements moving target defense in the context of honeypots, rotating service configurations (ports, banners, responses) to make fingerprinting the environment more difficult.

13. File Module (File)

The file module protects against file-borne threats: malicious uploads, documents with macros, PDFs with JavaScript, polyglot files, zip bombs, and malware.

13.1. Upload Validation

secure_upload validates and processes file uploads securely on multiple layers: checks extension against allowlist, validates MIME type via magic bytes, checks maximum size, and scans content for malware.
validate_extension checks if the file extension is in the list of allowed extensions.
validate_mime validates the MIME type of the file using magic byte detection (file format signatures in the first bytes), preventing extension spoofing (e.g. a .jpg file which is actually an executable).

13.2. Threat Detection in Files

detect_polyglot_file detects if a file contains multiple file format signatures, indicating a polyglot file attack (a file that is valid in two or more formats simultaneously, such as a GIF that is also valid JavaScript).
detect_zip_bomb detects zip bombs by analyzing the compression ratio and the declared uncompressed size. A ratio above 100:1 or uncompressed size above 1GB is flagged as a potential zip bomb.
detect_office_macro detects VBA macros in Office documents (Word .doc/.docx, Excel .xls/.xlsx, PowerPoint .ppt/.pptx) that can execute malicious code when opening the document.
detect_pdf_javascript detects JavaScript embedded in PDF files that can perform malicious actions such as downloading malware or phishing.
detect_executable_payload detects executable payloads embedded in non-executable files (e.g. a PDF that contains a Windows executable PE header).
detect_embedded_script detects scripts embedded in files: JavaScript in PDF, VBScript in Office documents, PowerShell in text files, and Python scripts in data files.

13.3. Malware Scanning

malware_scan scans files for malware using signature matching (comparison against known malware signatures) and YARA rules (advanced pattern matching with complex conditions).
yara_scan scans files using YARA rules with namespace support for organizing rules by category (malware, exploit, suspicious, etc.).
heuristic_scan performs heuristic analysis to detect suspicious behavior in files that do not match known signatures but have characteristics indicative of malware (obfuscation, anti-debug, packing).

13.4. Advanced Analysis

entropy_analysis calculates the Shannon entropy of block file data to detect encryption or compression. Files with entropy above 7.5 bits per byte are considered highly random (indicative of encryption or packing).
detect_steganography detects steganography in image files using multiple techniques: LSB (Least Significant Bit) analysis, appended data detection, block entropy analysis, and color histogram analysis.
detect_obfuscation detects obfuscated content in files using multiple techniques: base64 string detection, hex encoding, string concatenation, high entropy in specific sections, and obfuscated control flow patterns.

13.5. Sanitization and Quarantine

sanitize_filename sanitizes filenames by removing dangerous characters (/, \, .., :, *, ?, ", <, >, |) and path traversal sequences.
quarantine_file moves malicious files to a quarantine directory with metadata tracking (quarantine reason, timestamp, file hash, uploader).
sandbox_execute executes files in a sandboxed environment for behavioral analysis, monitoring: system calls, network access, file modification, and creation of child processes.
secure_tempfile creates secure temporary files with restricted permissions (only read/write by owner) and optional self-deletion on close.
immutable_storage_check checks the integrity of files on immutable storage by comparing the current hash against the expected hash.

14. Enterprise Module

The enterprise module checks compliance with data protection and information security regulations.

14.1. Regulatory Compliance

lgpd_check verifies compliance with the General Data Protection Law (LGPD, Law 13,709/2018) of Brazil: consent of the holder, appointment of DPO (Data Officer), rights of holders (access, correction, deletion, portability), registration of processing operations, impact report on personal data protection, and notification of incidents to ANPD.
gdpr_check checks compliance with the General Data Protection Regulation (GDPR, Regulation EU 2016/679): legal basis for processing, appointment of DPO, data minimization, purpose limitation, accuracy, storage limitation, integrity and confidentiality, right to be forgotten, data portability, and notification of breaches within 72 hours.
hipaa_check verifies compliance with the US Health Insurance Portability and Accountability Act (HIPAA): PHI (Protected Health Information) encryption at rest and in transit, access controls (unique user identification, emergency access, automatic logoff), audit controls (audit logs, integrity controls), and PHI data integrity.
pci_check checks compliance with the Payment Card Industry Data Security Standard (PCI-DSS): encryption of card data in transit and at rest, network segmentation (separation of the card environment), access control (need-to-know, unique IDs, MFA), network and systems monitoring, and regular security testing.

14.2. Reports and Dashboard

compliance_report generates a comprehensive compliance report from multiple check results, including: executive summary, identified gaps, remediation recommendations, compliance timeline, and score by category.
realtime_security_dashboard generates a real-time security dashboard displaying: security metrics (detected threats, blocks, false positives), active alerts, historical trends, and overall risk score.

14.3. Audit and Policy

audit_trail generates an immutable audit trail from security events, user actions, and data changes, including: who did what, when, from where, and what the impact was.
policy_as_code evaluates and applies security policies defined as code, allowing versioning, review, and automatic testing of security policies.

14.4. Multi-Tenant and Multi-Region

tenant_isolation checks and applies tenant isolation in a multi-tenant environment: data separation, network isolation, cross-tenant access control, and prevention of information leakage between tenants.
multi_region_security evaluates multi-region security posture and data residency compliance: verification that data from specific regions remains in the region, consistent encryption between regions, and compliance with local regulations in each region.

15. Integrations Module

The integrations module provides adapters for popular frameworks and platforms.

15.1. Python Web Frameworks

fastapi_security_dependency creates a security dependency for FastAPI with OAuth2, JWT validation, rate limiting, and input protection.
django_security_middleware creates security middleware for Django with CSP, CSRF, security headers, and input protection.
flask_security_extension creates a security extension for Flask with security wrappers, request protection, and input validation.
celery_security_monitor creates security monitor for Celery tasks with argument validation, rate limiting per task, and audit logging.
sqlalchemy_query_protection applies protection to SQLAlchemy queries with row-level security, permission filtering, and query injection prevention.

15.2. TypeScript Web Frameworks

expressSecurityMiddleware creates security middleware for Express.js with input protection, rate limiting, CORS, CSRF, and security headers.
fastifySecurityMiddleware creates security middleware for Fastify with validation hooks, rate limiting, and payload protection.
nestjsSecurityModule creates security module for NestJS with authentication guards, validation interceptors, and authorization decorators.
nextjsSecurityHeaders configures security headers for Next.js (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy).

15.3. Edge and Runtime

cloudflareEdgeProtection configures edge protection on Cloudflare with WAF rules, rate limiting, bot management, and custom security workers.
denoSecurityPlugin creates security plugin for Deno with permissions control (read, write, net, env, run) and sandboxing.
bunSecurityPlugin creates security plugin for Bun with security optimization and access control to system APIs.
browserRuntimeProtection configures browser runtime protection with CSP, iframe sandbox, and API restrictions.
serviceWorkerSecurity configures Service Workers security with restricted scope, limited permissions, and origin validation.
wasmSecurityRuntime creates security runtime for WebAssembly with memory limits (initial, maximum, shared) and syscalls restrictions.

15.4. Pipeline and Engine

async_threat_pipeline creates an asynchronous threat detection pipeline with configurable processors (validation, detection, scoring, alerts) and output channels (log, metrics, webhook).
yara_realtime_engine creates a real-time YARA scanning engine with file watch (directory monitoring) and continuous rule matching.
ai_threat_classifier creates an AI threat classifier using a trained model and confidence threshold for automated decisions.
secure_cli_runtime creates a secure CLI runtime with input sanitization, argument validation, and execution timeouts.
python_runtime_guard creates a Python runtime guard with import whitelisting (only allowed modules can be imported) and sandboxing (filesystem, network, and system access restrictions).

16. Telemetry and Observability

MSF integrates observability into all its operations, following the three pillars of observability: logs, metrics, and traces.

16.1. Structured Logs

All modules use structured logging in JSON format. Each log entry includes:

timestamp: ISO 8601 date and time
level: severity (debug, info, warning, error, critical)
module: name of the module that generated the log
traceId: OpenTelemetry trace ID for correlation
context: operation-specific metadata (e.g. detected, confidence, severity, matches)

16.2. Metrics

Metrics Registry supports three types of metrics:

Counters: cumulative values that only increment. Examples: jwt_validations, xss_detections, sqli_detections, port_scan_detections, ddos_detections, malware_scans.
Gauges: instantaneous values that can increase or decrease. Examples: active_sessions, cache_hit_ratio.
Histograms: distributions of values. Examples: anomaly_scores, threat_scores, detection_latency_ms.

Each metric can include labels (tags) for additional dimensionality, such as module, severity, detected, cloud_provider.

16.3. Distributed Tracing

Each security role creates an OpenTelemetry span with:

Operation name (ex: msf.web.detect_xss)
Attributes: input parameters, result, duration
Events: significant milestones during execution
Status: ok or error with description

Spans are exported to OpenTelemetry-compatible backends (Jaeger, Zipkin, AWS X-Ray, Google Cloud Trace, Azure Application Insights).

16.4. Event Bus

Event Bus allows asynchronous communication between modules:

Publication: any module can publish events with type, severity, message, and metadata.
Subscription: modules can subscribe to specific types of events and perform actions when events are published.
History: the event bus maintains a history of the last N events for consultation.
Dead Letter Queue: events that fail to process are moved to a dead letter queue for later reprocessing.

17. Design Patterns and Engineering Principles

17.1. Patterns Used

Singleton: for infrastructure components (PolicyEngine, MetricsRegistry, EventBus, CacheManager).
Factory: for creating standardized result objects (DetectionResult, ValidationResult, ScanResult).
Strategy: for interchangeable detection algorithms (different detection patterns for XSS, SQLi, etc.).
Observer:to the Event Bus, where modules watch for events published by other modules.
Chain of Responsibility: for validation pipelines where each step can pass or reject the input.
Decorator: to add security features to existing functions (logging, metrics, tracing).

17.2. Security Principles

Defense in Depth: multiple layers of protection so that if one fails, others continue to operate.
Least Privilege: each function and module operates with the minimum necessary permissions.
Fail Secure: in case of an internal error, the functions return results that deny access (fail closed).
Safe Comparison: all secret comparisons use constant-time comparison to prevent timing attacks.
Input Sanitization: all input is treated as unreliable and sanitized before processing.
Security Logging: all security operations are logged for auditing and incident detection.

18. Conclusion

The Master Security Framework represents a comprehensive, unified approach to modern application security. With more than 350 functions distributed across 28 modules, MSF covers the entire spectrum of threats that applications face today: from traditional web attacks (XSS, SQLi, SSRF) to emerging threats (prompt injection in LLMs, supply chain attacks, container escapes).

Dual implementation in Python and TypeScript allows multilingual teams to utilize the same set of security capabilities, while integration with OpenTelemetry, structured logging, and event bus ensures that all security operations are observable and auditable.

The active defense modules (anti-debugging, anti-tampering, self-healing) and adaptive honeypots add layers of proactive protection that go beyond reactive detection, while the enterprise compliance module automates LGPD, GDPR, HIPAA, and PCI-DSS scanning.

The framework is open-source, extensible via Policy Engine and Event Bus and designed to evolve with the threat landscape. Each function is automatically tested (243 tests passing), documented with docstrings and JSDoc, and instrumented with telemetry for production operation.

References

OWASP Top 10: https://owasp.org/www-project-top-ten/
MITER ATT&CK Framework: https://attack.mitre.org/
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
NIST Post-Quantum Cryptography: https://csrc.nist.gov/projects/post-quantum-cryptography
RFC 6238 - TOTP: https://datatracker.ietf.org/doc/html/rfc6238
RFC 7519 - JWT: https://datatracker.ietf.org/doc/html/rfc7519
CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
LGPD (Law 13,709/2018): https://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/l13709.htm
GDPR (EU Regulation 2016/679): https://eur-lex.europa.eu/eli/reg/2016/679/oj
HIPAA: https://www.hhs.gov/hipaa/index.html
PCI-DSS: https://www.pcisecuritystandards.org/