No ThreatStrike cloud
Legion runs entirely on your machine. There is no ThreatStrike backend that receives your task data. No usage analytics, no telemetry, no crash reporters, no feature flags, no phone-home signals of any kind come from the running app.
The only time Legion contacts a ThreatStrike server is during license activation and periodic re-validation. Those requests contain your license key and a hashed device identifier only. No task data, credentials, targets, findings, or anything from your work is included.
Local data storage
Everything you do inside Legion stays on your machine. Task data, including hosts, services, credentials, vulnerabilities, web paths, screenshots, and reports, is stored locally in ~/.strikedeck/. We never receive copies of any of it.
If you uninstall Legion, that folder stays on your machine. You can delete it manually if you want to remove your data completely.
Credential vault
Credentials you save inside Legion are written to your operating system's keychain. On macOS that's Keychain Services. On Linux it's the Secret Service API. Either way, the credentials are encrypted at rest by the OS and ThreatStrike never receives them.
Tool forms that accept credentials have a one-click vault picker so you don't have to copy and paste from a text file. The AI Operator can also use saved credentials to log into accounts automatically using Playwright, without the credentials appearing in plain text in the command history.
AI providers
Legion supports four AI engine options. You choose one in Settings.
- Claude — Via the Anthropic API or a Claude Code CLI subscription. Governed by Anthropic's usage policy.
- OpenAI — Via an OpenAI API key. Governed by OpenAI's terms of use.
- Google Gemini — Via a Google AI Studio API key. Governed by Google's Generative AI terms.
- Local LLM — Any OpenAI-compatible endpoint you run locally: Ollama, LM Studio, vLLM, llama.cpp. When you use a local model, nothing leaves your device through Legion.
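The "nothing leaves your device" guarantee for the Local LLM option holds only if the configured endpoint really is on this machine; a base URL that merely looks local (a DNS name, or a box elsewhere on the LAN) still sends task data off the device. The following check, an added example that is not Legion's own code, classifies an OpenAI-compatible base URL by where its traffic will go; the sample URLs, the port numbers (typical defaults, not Legion settings) and the `classify_endpoint`/`audit` names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample endpoints (illustrative only, not read from Legion's settings).
SAMPLE_ENDPOINTS = {
    "ollama": "http://localhost:11434/v1",
    "lm_studio": "http://127.0.0.1:1234/v1",
    "ipv6_loopback": "http://[::1]:8000/v1",
    "lan_box": "http://192.168.1.50:8000/v1",
    "looks_local_but_isnt": "https://local-llm.example.com/v1",
}

def classify_endpoint(url: str) -> str:
    """Classify an OpenAI-compatible base URL by where requests will go.
    Returns one of:
      "device"  - loopback host: requests stay on this machine
      "lan"     - private or link-local address: leaves the device, stays off the internet
      "remote"  - anything else (public IP or DNS name): treat it like a cloud provider
      "invalid" - the URL could not be parsed
    Only the URL is inspected; no DNS lookup is done, so a hostname is never
    assumed local unless it is the literal name 'localhost'.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    except ValueError:
        return "invalid"
    if parts.scheme not in ("http", "https") or not host:
        return "invalid"
    if host == "localhost":
        return "device"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "remote"  # a DNS name: cannot prove it resolves to this device
    if addr.is_loopback:
        return "device"
    if addr.is_private or addr.is_link_local:
        return "lan"
    return "remote"

def audit(endpoints: dict) -> dict:
    """Map each configured endpoint name to its classification."""
    return {name: classify_endpoint(url) for name, url in endpoints.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ENDPOINTS).items():
        print(f"{name:24s} {verdict}")
```

Only a "device" verdict keeps prompts and task data on the machine; "lan" and "remote" endpoints should be treated with the same care as a hosted provider.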
AI output is not guaranteed to be accurate. The agent can misidentify findings, miss vulnerabilities, suggest commands that fail, or generate report text that's wrong. Always verify AI-generated findings before including them in a deliverable.
You are responsible for any fees your chosen AI provider charges. ThreatStrike has no visibility into your API usage or billing.