...
First, we never transmit passwords, cookies, oauth tokens, or anything else that would be considered identity data to our Cyber Crucible servers. That is true whether the server is customer-hosted, or Cyber Crucible hosted.
Second, we learned to conduct behavioral analysis of identity information, without actually processing identity information. That means that our analytics are not actually processing or exposing sensitive data such as actual passwords, session tokens, etc.