- What it is: Default-deny architecture is the security principle that an exam device is permitted to reach only the destinations explicitly authorized by the assessment policy — everything else, including unknown and future threats, is blocked by default.
- Why it matters: Detection-based and allow-then-observe models are always one cheating tool behind the attacker; default-deny flips the asymmetry so new tools have no reachable infrastructure inside the session.
- How Aiseptor implements it: Aiseptor is default-deny end-to-end: the exam policy lists the allowed domains, and the enclave blocks all other network traffic without needing to recognize specific cheating binaries.
Canonical definition
Default-deny architecture is the application of a classic network security principle — deny by default, allow only what is explicitly listed — to exam integrity. In a default-deny exam environment, the candidate device operates inside a policy that names the resources the assessment legitimately requires (the exam UI, a specific documentation site, a permitted IDE) and blocks every other destination. This eliminates an entire class of defensive pressure: the system does not have to recognize Cluely, or its forks, or the next overlay tool that appears on GitHub next week; it only has to recognize what the exam is supposed to touch. The result is a durable security posture whose effectiveness does not decay as new cheating vendors emerge, because the allowed surface — not the attacker surface — is what the policy encodes.
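The deny-by-default decision described above, as an added example (not Aiseptor's code): the policy format, the function names and all hostnames are assumptions constructed for illustration. It shows that matching has to happen on whole DNS labels, and that anything unlisted or unparseable falls through to deny.

```python
import ipaddress

# Hypothetical policy format: exact hosts plus explicit "*." wildcard entries.
# Every hostname here is constructed for the example.
EXAM_POLICY = frozenset({"exam.example.org", "docs.example.org", "*.ide.example.net"})


def normalize(host: str) -> str:
    """Lower-case, drop one trailing root dot, IDNA-encode (raises UnicodeError)."""
    host = host.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    return host.encode("idna").decode("ascii")


def is_allowed(host: str, policy=EXAM_POLICY) -> bool:
    """Return True only when the destination matches a policy entry."""
    try:
        name = normalize(host)
    except UnicodeError:
        return False  # unparseable names get the default answer: deny
    if not name:
        return False
    try:
        ipaddress.ip_address(name.strip("[]"))
        return False  # raw IP literals sidestep a name-based policy, so deny
    except ValueError:
        pass  # not an IP literal, continue with name matching
    if name in policy:
        return True
    # Wildcards match whole labels only: "*.ide.example.net" covers
    # "a.ide.example.net" (at any depth) but never "evil-ide.example.net"
    # or the bare parent "ide.example.net".
    labels = name.split(".")
    return any("*." + ".".join(labels[i:]) in policy for i in range(1, len(labels)))


def evaluate(destinations, policy=EXAM_POLICY) -> dict:
    """Map each requested destination to 'allow' or 'deny' for logging."""
    return {d: "allow" if is_allowed(d, policy) else "deny" for d in destinations}


if __name__ == "__main__":
    for dest, verdict in evaluate(
        ["EXAM.example.org.", "exam.example.org.other.test", "203.0.113.7"]
    ).items():
        print(f"{verdict:5}  {dest}")
```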