Inside Alchemy's enterprise-grade security infrastructure

Author: Alchemy

Last updated: February 10, 2026

When enterprises evaluate blockchain infrastructure providers, security is paramount to the decision-making process. Whether you're a financial services firm exploring blockchain integration, a Fortune 500 company building digital asset capabilities, or a web3-native company growing to enterprise scale, security is critical to the success of your business and a non-negotiable responsibility to customers.

At Alchemy, we understand these requirements deeply. Our security team is built from practitioners who've operated in the world's most demanding environments: large banks, regulated financial institutions, major cloud providers, federal agencies, and leading security firms. We've designed our security program to meet the standards enterprise compliance teams require while delivering the performance and reliability that blockchain applications demand.

Here’s a detailed look at exactly how we approach the security challenges that matter most.

Our security foundation

Alchemy's security organization brings together three core capabilities that are essential for enterprise-grade infrastructure:

  • Financial services risk management expertise from teams that have worked with regulated institutions and their auditors
  • Enterprise-scale operations experience securing high-availability infrastructure that processes billions of requests
  • Comprehensive threat defense capabilities covering detection, response, and continuous improvement

This combination allows us to deliver infrastructure security that meets enterprise compliance requirements while supporting the performance needs of modern blockchain applications.

Why enterprise organizations choose Alchemy

Enterprise-grade security isn't about any single tool or certification. It's about having experienced people, proven processes, and battle-tested systems working together.

We meet your compliance requirements:

  • SOC 2 Type II certified
  • Public Trust Center with documentation your auditors need
  • Controls designed for enterprise security reviews
  • Evidence and audit trails ready for examination

We deliver the performance web3 demands:

Security requirement: doing it yourself vs. with Alchemy

Security Certifications: Can you show partners, investors, or compliance teams that your infra meets real security standards?

  • Doing it yourself: No formal certifications. Hard to get through enterprise security reviews.
  • With Alchemy: SOC 2 Type II certified with a public Trust Center at trust.alchemy.com making it easier to clear enterprise requirements.

API Key & Access Security: How well protected are your keys, and can you control who can hit your endpoints?

  • Doing it yourself: You have to build all the protections yourself: allowlists, monitoring, alerts, everything.
  • With Alchemy: Built-in protections: IP/domain allowlists, per-app keys, traffic insights, and abuse detection.

Operational Security: How locked-down and well-managed is the actual infrastructure running your blockchain connections?

  • Doing it yourself: Full responsibility lands on your team: patches, upgrades, network hardening.
  • With Alchemy: Professionally managed security with regular testing and clear policies to meet industry requirements.

Uptime & Reliability: Will your app actually stay online during traffic spikes or market chaos?

  • Doing it yourself: Depends entirely on your engineering muscle; outages are very likely.
  • With Alchemy: Proven 99.99% uptime with global redundancy and automatic failover across multiple cloud providers.

Performance Under Load: When traffic surges, does the system keep up or fall over?

  • Doing it yourself: You'll need expensive overbuilds to survive spikes.
  • With Alchemy: Designed for huge bursts (NFT drops, trading volatility, gaming traffic) without degradation.

Supporting Multiple Chains: How hard is it to launch on more chains as you scale?

  • Doing it yourself: Every new chain = another infra project and more overhead.
  • With Alchemy: One platform that supports 80+ networks with consistent performance.

Auditability & Compliance: Can you easily provide the logs, controls, and evidence auditors or partners need?

  • Doing it yourself: Heavy lift: you have to create everything yourself.
  • With Alchemy: Ready-to-use audit documentation, logs, and controls that speed up reviews.

Incident Response: When something breaks, who's fixing it and how fast?

  • Doing it yourself: Entirely your team's problem, including middle-of-the-night firefights.
  • With Alchemy: Dedicated infrastructure team with battle-tested playbooks and fast response times 24x7x365.

Real scenarios we handle

Critical third-party infrastructure provider goes down

The challenge: When Cloudflare experienced outages in October 2025, many services went down. Organizations built on single-provider architectures had no recourse—when their provider went down, they went down with it.

Why this matters: We architect for multi-provider resilience from the ground up. Our infrastructure spans multiple cloud providers with automatic failover, so your service stays online even when major dependencies experience issues.

Application-level DDoS attack

The threat: Attackers attempted to flood our free tier with bogus sign-ups in a real application-level DDoS event.

Our response:

  • Declared an incident and brought in our on-call response team
  • Throttled and blocked abusive regions and networks
  • Separated legitimate users from fraudulent accounts in real time
  • Identified and removed all accounts tied to malicious IPs

The result: Customers stayed online, and the attack turned into a test we passed—not an outage.

Nation-state actor targeting your infrastructure

The threat: Recently, we were targeted by a DPRK-linked campaign during the ClickFix/ClickFake operation. At least 15 fake LinkedIn accounts impersonating Alchemy employees were identified as part of a coordinated attack on multiple fronts.

Our response: Our security team gained access to an active command-and-control (C2) server, downloaded the malware, and thoroughly analyzed it—turning an attempted compromise into actionable intelligence. Upon reverse engineering the malware, our analysis revealed non-public, previously unknown state-sponsored C2 domains, TTPs, and IOCs.

Why this matters: Our capabilities allow us to create our own custom threat intelligence without solely relying on known indicators. We don't just defend—we develop intelligence that keeps us ahead of evolving threats.

Laptop with deploy keys gets stolen

Hypothetical scenario: A laptop containing deployment credentials is lost or stolen—a risk every organization needs to be prepared for.

Our controls in place:

  • Who can deploy: Only tightly scoped roles can access deploy keys; access is logged, reviewed, and easy to revoke.
  • What's on laptops: We lock down what can live on endpoints and monitor for sensitive data with DLP.

How we would respond:

  • EDR lets us instantly network-isolate the device to perform forensics
  • MDM lets us remote lock and wipe it
  • We can revoke sessions and rotate keys tied to that user
  • Laptops are encrypted
  • Zero trust controls ensure device posture and network requirements

The difference: With Alchemy, you get this by default—hardened devices, controlled access, and a practiced incident response. With most DIY or legacy setups, you're often guessing who has what keys on which laptop.

GitHub account phishing attempt

Our defense:

  • First layer: Continuous employee education and monitoring for suspicious logins. This is our biggest line of defense.
  • Second layer: SSO enabled for all GitHub accounts through Okta, meaning our SSO infrastructure would need to be compromised for Alchemy-specific GitHub accounts to be phished—adding a critical layer of protection.

Review our security program

We invite enterprise security and compliance teams to review our security program in detail:

Visit our Trust Center and review our security controls and compliance documentation.

Get in touch with us about specific security requirements, compliance needs, regulatory considerations, or technical architecture.

Frequently asked questions

What security certifications does Alchemy hold?

Alchemy is SOC 2 Type II certified, with a Public Trust Center providing documentation, controls, evidence, and audit trails designed for enterprise security reviews.

How does Alchemy achieve high uptime for blockchain applications?

We deliver 99.99% uptime during peak market conditions through global infrastructure with automatic failover across multiple cloud providers, ensuring service continuity even when major dependencies experience issues.

What access controls does Alchemy implement?

We use Single Sign-On (SSO) through Okta with Role-Based Access Control (RBAC), ensuring tightly scoped access that is logged, reviewed, and easily revoked.

How did Alchemy respond to the recent nation-state actor targeting?

During a DPRK-linked ClickFix/ClickFake campaign, Alchemy's security team gained access to an active command-and-control server, downloaded and reverse-engineered the malware, and uncovered previously unknown state-sponsored C2 domains, TTPs, and IOCs.

What protections does Alchemy have against laptop theft or loss?

We use encrypted laptops with endpoint detection and response (EDR) for instant network isolation, mobile device management (MDM) for remote lock and wipe, zero trust controls, and tightly scoped deploy key access that can be instantly revoked.

How does Alchemy handle DDoS attacks?

In a real application-level DDoS attack on the free tier, Alchemy's team declared an incident, throttled and blocked abusive regions and networks, separated legitimate users from fraudulent accounts in real time, and removed all malicious accounts, keeping customers online throughout.

What makes Alchemy's security team qualified for enterprise requirements?

Alchemy's security team consists of practitioners with experience from large banks, regulated financial institutions, major cloud providers, federal agencies, and leading security firms, combining financial services risk management, enterprise-scale operations, and comprehensive threat defense capabilities.

How does Alchemy protect against GitHub phishing attempts?

Alchemy requires SSO for all GitHub accounts through Okta, meaning the SSO infrastructure would need to be compromised for GitHub accounts to be phished, plus continuous employee education and suspicious login monitoring as the primary defense layer.
