More Control, Same Architecture: Bring Your Own AI and Bring Your Own Cloud

Security-savvy buyers don't evaluate a pentesting platform only on what it finds. You evaluate whether you can govern how it operates: whose model is reasoning about your attack surface, whose infrastructure your source code and findings pass through, and who validates a result before it becomes a report. If you're a financial institution, healthcare organization, or other regulated enterprise, those aren't optional extras. They're the same due diligence lens you apply to every other vendor in your stack.

That's what enterprise-ready has always meant at Terra: an architecture built so the fundamentals don't bend, no matter how you need to configure the edges around it. 

Terra already supports multi-tenant SaaS, single-tenant, and fully on-premises/air-gapped deployment. Reports are compliance-ready and human-signed. Every finding undergoes a double-verification process, with human validation as needed, before it reaches you. That same architecture is why Terra holds SOC 2 Type II today, why its reports are accepted by auditors under ISO 27001, PCI-DSS, and HIPAA regimes, and why FedRAMP High environments are supported through on-premises deployment.

Two new capabilities extend that same principle further: Bring Your Own AI (BYOAI) and Bring Your Own Cloud (BYOC). These new configuration options are now available on Terra Platform™, which enterprises already trust, giving you direct control over two more variables.

Bring Your Own AI

BYOAI lets you connect your own LLM or model endpoint in place of Terra's default model provider. It's available across every deployment tier: standard SaaS, single-tenant, and on-premises.

If you already have a negotiated enterprise agreement with a model provider, with pricing and usage limits locked in, BYOAI means spend runs through your existing agreement rather than a new one, which lowers the total cost of your Terra engagement. It's as much a governance answer as a commercial one. The NIST AI Risk Management Framework asks organizations to govern the AI components in their supply chain, not just the systems those components touch, and regulated sectors often carry their own constraints on which model providers can process security-relevant data in the first place. 

Concentration in a handful of foundation model providers is its own risk category, too. If you can substitute models, you're not exposed to one provider's outage, policy change, or contract dispute the way you would be if you were locked into a single provider.

What doesn't change: Terra's harness. Swapping the model doesn't touch the layer that governs it. Terra's harness — the guardrails, tool permissions, and policy enforcement that constrain what any agent can do — sits outside the model itself and remains constant regardless of which model you connect to. The downstream validation gate is also untouched. A reported finding is a confirmed exploit, not raw model output, regardless of which model produced the reasoning behind it.

Bring Your Own Cloud

BYOC lets you run Terra Platform in a dedicated, single-tenant cloud environment that you provision and control, rather than Terra's shared, multi-tenant infrastructure. It's a defined middle tier: more isolation than shared SaaS, without the operational lift of a fully on-premises install.

You provision a separate account or subscription in AWS, and Terra deploys into it as an isolated, single-tenant instance. Source code analysis, agent orchestration, and finding validation all run inside your own boundary. 

This matters most if you have data residency requirements that rule out shared infrastructure outright, and if you're managing third-party risk formally: the 2023 Interagency Guidance on Third-Party Relationships from the Federal Reserve, FDIC, and OCC is explicit that a bank's use of a third party doesn't reduce its own responsibility for where sensitive processing happens. Running Terra inside infrastructure you already own makes that responsibility easier to demonstrate, not harder.

Two things worth stating plainly. Customer-managed encryption keys (CMEK/BYOK) are currently supported for AWS deployments; for Azure, GCP, or a cloud-agnostic architecture, the key management scope should be confirmed during evaluation rather than assumed. And BYOC shifts more operational responsibility to you than SaaS does: your team owns the update cadence for the deployed instance, closer to how on-premises systems work, without the overhead of managing physical hardware or a fully air-gapped network.

Same Architecture, More Configuration

The parts of Terra that make findings trusted by the world’s most sensitive enterprise remain the same with the release of these new capabilities. Hundreds of specialized AI agents generate signals, validating what’s truly exploitable before anything becomes a finding, all with a Human-ON-the-Loop for safety, judgment, and compliance. The report you get is built on a confirmed exploit, not a model's guess. 

Common Questions, Answered

  • "We already have an enterprise AI agreement we're required to use. Can I tap into that with your platform?" BYOAI connects directly to that endpoint across all deployment tiers, including standard SaaS, and reduces the total cost of your Terra engagement.
  • "Will I be able to use the Terra Platform if our data can't leave our own cloud environment?" BYOC deploys Terra as a single-tenant instance inside your AWS, Azure, or GCP account. Analysis, orchestration, and validation all run inside your boundary.
  • "Is this only available to on-prem or top-tier customers?" No. BYOAI works across every tier. BYOC is its own tier, available without a full on-premises engagement.
  • "What are we taking on by choosing these options?" With BYOC, your team owns the update cadence for your Terra Platform instance. With BYOAI, you own the model endpoint's availability and behavior. 

If you're interested in configuring BYOAI or BYOC for an upcoming engagement, contact your account team to review architecture documentation and deployment options for your environment.

If you’re interested in a demo of Terra Platform, click here

LabelContinuous is the new pentesting standard.Book a demo to see how you can operationalize
it for your organization with Terra.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Smooth sand dunes bathed in warm light against a dark background.
YouTubeLinkedIn
Terra
SOC 2 Type II CertifiedSOC 2 Type II Certified
Terra cross emblem