Guides
ChangelogStatus PageAPI ExplorerAPI ReferenceCLI ReferenceBlogIMPACT 2025

Infrastructure Security

Overview

Monte Carlo follows AWS Well-Architected and CIS Benchmark guidelines to ensure a secure foundation for enterprise-grade data + AI observability. Customer environments are logically isolated from, and all data—both in transit and at rest—is encrypted.

Core Infrastructure Components

Compute and Serverless Design

Monte Carlo uses AWS Lambda to process and orchestrate data securely. Each Lambda function executes in an isolated, short-lived container with strictly scoped IAM permissions. Because these compute environments are temporary and immutable, there are no persistent servers to patch or compromise, significantly reducing operational exposure.

Networking and Traffic Protection

All communication passes through AWS API Gateway, which enforces encryption, rate limits, and request throttling to prevent abuse.

Private VPC endpoints protect internal communication, while network segmentation separates production, staging, and development environments. Combined with AWS WAF protections, this architecture prevents unauthorized access and mitigates denial-of-service risks.

Ports, Protocols, and Egress Control

Because the platform runs on managed AWS services rather than customer-exposed hosts, there is no traditional inbound port surface to manage: all external communication terminates at AWS API Gateway and is transmitted exclusively over HTTPS/TLS. Internal and outbound service-to-service traffic is constrained by IAM policy, security groups, and private VPC endpoints, which limit the services, protocols, and destinations that are reachable.

Logical Segmentation and Tenant Isolation

Production, staging, and development environments are separated at the network layer, and customer environments are logically isolated from one another. Isolation is enforced using cloud-native controls—separate VPCs and subnets, security groups, and IAM boundaries—that serve the same role as traditional VLAN and DMZ segmentation in a data-center network.

Production customer data is not used in development or staging environments. Lower environments are provisioned without production customer data, and source customer data remains within the customer's production environment.

Identity and Access Management

Access to Monte Carlo’s infrastructure is tightly controlled using AWS IAM. Permissions are granted according to the principle of least privilege, with multi-factor authentication, short-lived credentials, and federated SSO protecting administrative accounts.

All privileged activity is logged, ensuring full auditability.

Infrastructure Hardening and Patch Management

Monte Carlo continuously identifies and remediates infrastructure vulnerabilities through automated scanning, configuration validation, and Infrastructure-as-Code reviews.

Critical issues are prioritized and all issues are tracked to remediation and verified post-fix. Independent penetration tests and third-party assessments confirm the platform’s security posture and alignment with modern cloud security standards.

Because Monte Carlo’s compute is serverless (AWS Lambda) and built on managed AWS services, there are no long-lived host operating systems in the customer data path to patch; the underlying runtime is patched continuously by AWS under the shared responsibility model. Application and dependency vulnerabilities are identified through continuous automated scanning and remediated on a risk-prioritized basis, with critical findings expedited.

Infrastructure hardening follows the CIS Benchmark and AWS Well-Architected security baselines. Compliance with these baselines is monitored continuously through automated configuration scanning, drift detection, and Infrastructure-as-Code review, so misconfigurations are caught and corrected on an ongoing basis rather than only at point-in-time audits.

Change Management

All changes to applications and infrastructure follow a formal change-management process. Significant changes are documented with their purpose, specification, impact and dependencies, and deployment plan, and are risk-assessed for business and security impact before implementation.

Changes are tested in staging environments that are segregated from production prior to release, and a formal review-and-approval step is required. Segregation of duties is enforced so that no single individual can develop, test, and deploy a change without independent approval. Source-code changes are restricted to authorized contributors, reviewed by someone other than the author, and version-controlled, with transfers between environments occurring over secure encrypted channels.

Emergency changes are expedited when necessary but undergo retrospective review. Patch management follows this same change-management process.

Monitoring and Infrastructure Defense

Security telemetry from across the platform is collected and correlated using internal tooling.

Centralized logging and SIEM integration provide a unified view of system activity, while immutable logs support audit and forensic analysis.

Monte Carlo’s 24/7 on-call security and engineering teams respond to alerts and incidents following established containment and recovery procedures.

Availability and Capacity Monitoring

Alongside security telemetry, Monte Carlo monitors service availability and capacity. Platform health, throughput, and resource utilization are tracked continuously, with automated alerting and 24/7 on-call coverage so that availability and capacity issues are detected and addressed before they affect customer-facing services.

Business Continuity and Disaster Recovery

Monte Carlo’s business continuity and disaster recovery program is aligned to its ISO 27001 and SOC 2 control frameworks, and BC/DR procedures are exercised and tested as part of those annual certification audits.

Compliance

Monte Carlo’s infrastructure controls adhere to frameworks and regulations such as SOC 2 Type II, ISO 27001, GDPR, and CCPA.

We operate under the AWS Shared Responsibility Model, in which AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud and Monte Carlo is responsible for all of the necessary security configuration and management tasks made available to us.

Visit our Trust Center for more information on compliance attestations or to view the Monte Carlo Shared Responsibility Matrix.