Threat-modeled with STRIDE. The prototype constrains risk now and lays a path to a hardware root of trust.
| Today (prototype) | Roadmap (Pico 2 W) |
|---|---|
| Console-only account scope; deploy over serial. | Signed + attested boot; encrypted boot option. |
| Profiles on microSD; operator confirmation gates. | Signed profile bundles; OTP-sealed keys. |
| Scroll-back log for audit (plaintext). | Encrypted logs; tamper-evident export. |
| Basic error handling + retries. | Dispatcher with device-specific guards + checks. |
Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation are addressed via console scoping, profile signing, operator accountability, encrypted logs, bounded retries, and PIN-gated use (planned).
FortressFlash does not require the production network. It operates on the console path only and is suitable for isolated staging benches.
Vendor note: tested on FortiGate 60E; console captured on PA-200. No vendor affiliation.