Post-quantum Zero Trust access

The VPN that defends itself.

AegisWire replaces the VPN appliance attackers keep exploiting with access that fights back — AI threat defense that detects and contains attacks in real time, self-healing keys that bound any breach to a single session, and mandatory post-quantum encryption on every packet. Self-hosted or managed.

Full CNSA 2.0 suite (US NSA) · UK NCSC-aligned — every customer, every packet
Mandatory CNSA 2.0 — no downgrade path AI threat defense at the protocol layer Licensed Add-On Self-healing keys contain every breach Zero traffic inspection, by design Self-host, sovereign, or fully managed
Clients macOS iOS Linux Windows Android

What you're defending against

Three exposures conventional VPNs leave open

Encrypted traffic harvested for later, a single stolen key, a provider that can read what crosses it — conventional VPNs leave at least one of these open. AegisWire closes each one at the protocol level.

Harvest now, decrypt later

Adversaries are copying your encrypted traffic today — to break it the day a quantum computer arrives.

Every packet is sealed with hybrid ML-KEM-1024 — with no weaker mode to fall back to, so traffic captured today stays unreadable.

One stolen key, the whole network

On most networks, one stolen key unlocks long-lived sessions and lets an intruder move sideways far beyond the connection it came from.

Each stream carries its own key that rotates as it runs — a stolen key opens one short window, not the rest of the network.

A private network you don't control

With most providers your private traffic still runs through someone else's infrastructure, where it can be inspected, logged, or compelled.

AegisWire performs no traffic inspection by design — run it self-hosted, sovereign, or managed, with the keys and data plane under your control.

The quantum decryption timeline
2024
NIST finalises PQC standards
2026 · today
AegisWire ships PQ for every customer
2027
New US NSS must support CNSA 2.0
2030
Classical-only deployment prohibited
2031–2035
Traffic captured in 2026 at risk

One core. Three products.

Built once, at the protocol level

The same handshake, the same ML-DSA-87 signed trust chain, the same self-healing keys — whether it's your workforce, your network edges, or your own software. Three products, one transport underneath.

ML-KEM-1024X25519ML-DSA-87AES-256-GCMBLAKE3 · STREAMHEAL
Product 01 · Enterprise VPN

Your workforce, every region, one encrypted fabric

Zero-config token enrolment, a unique signed identity per device, and policy-aware regional gateways — with quantum-safe site-to-site links between your own edges. The session survives Wi-Fi, cellular and wired hand-offs without dropping.

  • Full & split tunnel, secure DNS, always-on kill switch
  • Centrally-signed policy, default-deny, enforced at every gateway
  • Turnkey quantum-safe site-to-site federation across regions
  • Seamless roaming & controlled failover, no dropped sessions
Explore the Enterprise VPN
MANAGEMENT CLIENT EU POOL US POOL APAC POOL PQ HYBRID ENCRYPTED TUNNEL · EVERY SESSION · EVERY REGION
Behavioural Anomaly Sequence Entity graph Risk score Containment
Product 02 · Sentinel AI Licensed Add-On

A transport that defends itself

Not generic network-detection bolted onto mirrored logs — a security AI co-designed inside the protocol. Entity-graph and temporal detectors, threat-intelligence, device posture, and adversarial-input signals fuse into one deterministic action ladder, with posture admission control at the door.

  • Behavioural, anomaly, sequence & entity-graph detection
  • Deterministic action ladder: Observe → contain → Emergency
  • Device-posture admission — compromised endpoints never get in
  • Bound to the same signed trust chain — verdicts can't be forged
Explore Sentinel AI
Product 03 · Developer SDK

Put it inside your own software

The exact same post-quantum transport, packaged to embed. One credential opens a quantum-safe channel in your app, API, mobile client, or device fleet — enrolment, key exchange, and self-healing handled underneath. Not optional hybrid bolted onto TLS: post-quantum by design, on every packet.

  • One credential, one connection — quantum-safe end to end
  • Native apps, mobile, IoT fleets, backend machine-to-machine
  • Token-metered & monthly-call packages, staff-provisioned
Explore the SDK

Post-quantum cryptography

The primitives behind every session

Hybrid key exchange
Quantum-safe + classical, combined
ML-KEM-1024X25519
Identity signatures
Post-quantum signed trust chains
ML-DSA-87
Record encryption
Authenticated, per-session keys
AES-256-GCM
Keyed hashing · STREAMHEAL
Integrity and rapid rekey
BLAKE3
Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance

Engineered in, not bolted on

Built into the protocol. Not bolted on.

These are properties of a from-scratch transport — the things a repackaged tunnel or a logs-watching AI can never retrofit. This is the moat.

Mandatory hybrid — no downgrade

ML-KEM-1024 + X25519 on every session, for every customer. There is no classical-only path to negotiate down to, and no per-tenant suite to misconfigure.

ML-DSA-87 signed trust chain

Device, capsule, grant, and policy are each post-quantum signed. Nothing is admitted, routed, or enforced on an unsigned object — the whole chain verifies end to end.

Self-healing keys

The tunnel continuously re-keys with fresh post-quantum material. A stolen session key is useful for a brief window before the connection heals — the breach can't reach past, future, or neighbouring traffic.

A replacement suite, pre-compiled

If an algorithm is ever weakened, the whole fleet migrates to an emergency suite from a different mathematical family — make-before-break, no flag day, no forced retrofit.

AI defense at the door

Device posture is checked before admission and behaviour is scored continuously after — an action ladder that can contain a session in real time, co-designed with the transport, not watching it from outside.

Can't be weaponised

Connection setup demands proof of origin before the gateway commits resources, replies are amplification-capped, and packet shapes are bucketed — no reflector abuse, no traffic fingerprinting. Identity keys and logs are encrypted at rest, fail-closed.

How it works

One signed path from device to session

Every connection follows the same governed sequence, on every platform, for every customer. No step can be skipped, and nothing is admitted on an unsigned object.

01

Enrol

One token enrols the device. The control plane issues a unique, post-quantum-signed identity bound to the user and to policy — not a shared key. Connectivity requires verified enrolment, not just valid credentials.

02

Grant & policy

The device receives an ML-DSA-87 signed grant and centrally-signed, default-deny policy. Routing, split-tunnel, DNS behaviour, and gateway selection all reflect administrative intent, distributed from one control plane.

03

Admit

At the gateway the handshake runs mandatory hybrid ML-KEM-1024 + X25519 — with no classical-only path to negotiate down. Where Sentinel AI is licensed, device-posture admission gates the session before any resources are committed.

04

Run & heal

Each stream carries its own key that rotates continuously as it runs. A stolen session key opens one short window — not past, future, or neighbouring traffic — and the session survives Wi-Fi, cellular, and wired hand-offs without dropping.

How AegisWire compares

The differences a security review actually turns on

Bolting post-quantum key exchange onto a legacy tunnel is not the same as building the platform around it. The difference is depth and integration: mandatory, signed, self-healing, AI-defended, embeddable, and yours to run. Reflects publicly documented capabilities as of 2026; validate against current vendor documentation during evaluation.

Capability
AegisWire
Post-quantum platform
Open VPN protocol
WireGuard / OpenVPN
Legacy enterprise VPN
Appliance + client
Cloud ZTNA / SASE
Multi-tenant cloud
Mandatory post-quantum (ML-KEM-1024) on every session
No classical-only downgrade path
ML-DSA-87 signed trust chain — device, grant & policy
Self-healing per-stream keys — automatic breach containment
AI posture admission & behavioural detection designed inside the transport (not bolt-on NDR)
Privacy by design — no broker-side traffic or content inspection
Embeddable post-quantum transport SDK for your own apps
Self-hosted / sovereign — multi-cloud, no lock-in
Full Partial / vendor-dependent Not available

For regulated procurement

Mapped to the standards your reviewers name

The cryptographic posture is fixed for every customer and every packet. The audit frameworks are addressed by building to the controls each one examines — with formal attestations scoped alongside the engagement that requires them.

Cryptographic standards

  • CNSA 2.0 (US NSA) — the full Commercial National Security Algorithm Suite runs for every customer, every handshake; mandated for new US national-security systems from 2027. No weaker path for any customer class.
  • UK NCSC — aligned with UK NCSC post-quantum guidance, met by the same single implementation that satisfies CNSA 2.0.
  • NIST PQC — built on the NIST-finalised post-quantum standards: ML-KEM-1024 and ML-DSA-87.

Audit & data-protection frameworks

  • SOC 2 — engineering practices structured against the Trust Service Criteria; the evidence bundle that feeds a Type II audit is produced and maintained today.
  • ISO 27001 — ISMS documentation written to drop into the audit scope; certification engagement scoped alongside the contract that triggers it.
  • GDPR & UK GDPR — operated by ITLOX LTD (England & Wales) and ITLOX, Inc. (Delaware); DPA and SCCs / IDTA on request. Self-hosted and regional-gateway deployments give full data-residency control.
  • HIPAA — negotiated BAA and a formal security risk assessment bundled with healthcare engagements.

Deploy on your terms

Same security posture. Your control boundary.

Managed SaaS, dedicated single-tenant, self-hosted, or hardware appliance — on multi-vendor gateways (AWS & Vultr), no lock-in. Every model runs identical encryption, policy, and trust controls. You choose the boundary that fits residency, isolation, and compliance.

Compare deployment models

Managed SaaS

Managed operations, fastest adoption

Dedicated Cloud

Single-tenant isolation, custom rollout

Self-Hosted

Full infrastructure control, sovereign

Hardware Appliance

Customer-controlled edge

Client platforms

Every device your workforce actually uses

Native clients on macOS, iOS, Linux, Windows, and Android — the same post-quantum engine and identical signed handshake on every one. No weaker mobile build, no feature-reduced port.

Talk to engineering

See it running — not in slides

Request an architecture briefing. We walk through the live platform — transport, AI defense, and deployment options — mapped to your environment and procurement requirements.

Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance