For Panther, the threat model includes attackers entirely external to the organization running Panther, as well as attackers within the organization that do not have access to Panther. Panther is designed be secure against malicious actors attempting to abuse or sidestep the system as long as those threats do not have access to the Panther UI or admin access to the AWS account where Panther is deployed. Any attacker that does have this access has the capability to sidestep, break, disable, or abuse the Panther deployment. In particular, any attacker that has the ability to edit or create arbitrary policies/rules should be considered to have full access to any and all data processed by Panther.