The VPN that defends itself.
AegisWire replaces the VPN appliance attackers keep exploiting with access that fights back — AI threat defense that detects and contains attacks in real time, self-healing keys that bound any breach to a single session, and mandatory post-quantum encryption on every packet. Self-hosted or managed.
What you're defending against
Three exposures conventional VPNs leave open
Encrypted traffic harvested for later, a single stolen key, a provider that can read what crosses it — conventional VPNs leave at least one of these open. AegisWire closes each one at the protocol level.
Harvest now, decrypt later
Adversaries are copying your encrypted traffic today — to break it the day a quantum computer arrives.
Every packet is sealed with hybrid ML-KEM-1024 — with no weaker mode to fall back to, so traffic captured today stays unreadable.
One stolen key, the whole network
On most networks, one stolen key unlocks long-lived sessions and lets an intruder move sideways far beyond the connection it came from.
Each stream carries its own key that rotates as it runs — a stolen key opens one short window, not the rest of the network.
A private network you don't control
With most providers your private traffic still runs through someone else's infrastructure, where it can be inspected, logged, or compelled.
AegisWire performs no traffic inspection by design — run it self-hosted, sovereign, or managed, with the keys and data plane under your control.
One core. Three products.
Built once, at the protocol level
The same handshake, the same ML-DSA-87 signed trust chain, the same self-healing keys — whether it's your workforce, your network edges, or your own software. Three products, one transport underneath.
Your workforce, every region, one encrypted fabric
Zero-config token enrolment, a unique signed identity per device, and policy-aware regional gateways — with quantum-safe site-to-site links between your own edges. The session survives Wi-Fi, cellular and wired hand-offs without dropping.
- Full & split tunnel, secure DNS, always-on kill switch
- Centrally-signed policy, default-deny, enforced at every gateway
- Turnkey quantum-safe site-to-site federation across regions
- Seamless roaming & controlled failover, no dropped sessions
A transport that defends itself
Not generic network-detection bolted onto mirrored logs — a security AI co-designed inside the protocol. Entity-graph and temporal detectors, threat-intelligence, device posture, and adversarial-input signals fuse into one deterministic action ladder, with posture admission control at the door.
- Behavioural, anomaly, sequence & entity-graph detection
- Deterministic action ladder: Observe → contain → Emergency
- Device-posture admission — compromised endpoints never get in
- Bound to the same signed trust chain — verdicts can't be forged
Put it inside your own software
The exact same post-quantum transport, packaged to embed. One credential opens a quantum-safe channel in your app, API, mobile client, or device fleet — enrolment, key exchange, and self-healing handled underneath. Not optional hybrid bolted onto TLS: post-quantum by design, on every packet.
- One credential, one connection — quantum-safe end to end
- Native apps, mobile, IoT fleets, backend machine-to-machine
- Token-metered & monthly-call packages, staff-provisioned
Post-quantum cryptography
The primitives behind every session
Engineered in, not bolted on
Built into the protocol. Not bolted on.
These are properties of a from-scratch transport — the things a repackaged tunnel or a logs-watching AI can never retrofit. This is the moat.
Mandatory hybrid — no downgrade
ML-KEM-1024 + X25519 on every session, for every customer. There is no classical-only path to negotiate down to, and no per-tenant suite to misconfigure.
ML-DSA-87 signed trust chain
Device, capsule, grant, and policy are each post-quantum signed. Nothing is admitted, routed, or enforced on an unsigned object — the whole chain verifies end to end.
Self-healing keys
The tunnel continuously re-keys with fresh post-quantum material. A stolen session key is useful for a brief window before the connection heals — the breach can't reach past, future, or neighbouring traffic.
A replacement suite, pre-compiled
If an algorithm is ever weakened, the whole fleet migrates to an emergency suite from a different mathematical family — make-before-break, no flag day, no forced retrofit.
AI defense at the door
Device posture is checked before admission and behaviour is scored continuously after — an action ladder that can contain a session in real time, co-designed with the transport, not watching it from outside.
Can't be weaponised
Connection setup demands proof of origin before the gateway commits resources, replies are amplification-capped, and packet shapes are bucketed — no reflector abuse, no traffic fingerprinting. Identity keys and logs are encrypted at rest, fail-closed.
How it works
One signed path from device to session
Every connection follows the same governed sequence, on every platform, for every customer. No step can be skipped, and nothing is admitted on an unsigned object.
Enrol
One token enrols the device. The control plane issues a unique, post-quantum-signed identity bound to the user and to policy — not a shared key. Connectivity requires verified enrolment, not just valid credentials.
Grant & policy
The device receives an ML-DSA-87 signed grant and centrally-signed, default-deny policy. Routing, split-tunnel, DNS behaviour, and gateway selection all reflect administrative intent, distributed from one control plane.
Admit
At the gateway the handshake runs mandatory hybrid ML-KEM-1024 + X25519 — with no classical-only path to negotiate down. Where Sentinel AI is licensed, device-posture admission gates the session before any resources are committed.
Run & heal
Each stream carries its own key that rotates continuously as it runs. A stolen session key opens one short window — not past, future, or neighbouring traffic — and the session survives Wi-Fi, cellular, and wired hand-offs without dropping.
How AegisWire compares
The differences a security review actually turns on
Bolting post-quantum key exchange onto a legacy tunnel is not the same as building the platform around it. The difference is depth and integration: mandatory, signed, self-healing, AI-defended, embeddable, and yours to run. Reflects publicly documented capabilities as of 2026; validate against current vendor documentation during evaluation.
| Capability |
AegisWire
Post-quantum platform
|
Open VPN protocol
WireGuard / OpenVPN
|
Legacy enterprise VPN
Appliance + client
|
Cloud ZTNA / SASE
Multi-tenant cloud
|
|---|---|---|---|---|
| Mandatory post-quantum (ML-KEM-1024) on every session | ||||
| No classical-only downgrade path | ||||
| ML-DSA-87 signed trust chain — device, grant & policy | ||||
| Self-healing per-stream keys — automatic breach containment | ||||
| AI posture admission & behavioural detection designed inside the transport (not bolt-on NDR) | ||||
| Privacy by design — no broker-side traffic or content inspection | ||||
| Embeddable post-quantum transport SDK for your own apps | ||||
| Self-hosted / sovereign — multi-cloud, no lock-in |
For regulated procurement
Mapped to the standards your reviewers name
The cryptographic posture is fixed for every customer and every packet. The audit frameworks are addressed by building to the controls each one examines — with formal attestations scoped alongside the engagement that requires them.
Cryptographic standards
- CNSA 2.0 (US NSA) — the full Commercial National Security Algorithm Suite runs for every customer, every handshake; mandated for new US national-security systems from 2027. No weaker path for any customer class.
- UK NCSC — aligned with UK NCSC post-quantum guidance, met by the same single implementation that satisfies CNSA 2.0.
- NIST PQC — built on the NIST-finalised post-quantum standards: ML-KEM-1024 and ML-DSA-87.
Audit & data-protection frameworks
- SOC 2 — engineering practices structured against the Trust Service Criteria; the evidence bundle that feeds a Type II audit is produced and maintained today.
- ISO 27001 — ISMS documentation written to drop into the audit scope; certification engagement scoped alongside the contract that triggers it.
- GDPR & UK GDPR — operated by ITLOX LTD (England & Wales) and ITLOX, Inc. (Delaware); DPA and SCCs / IDTA on request. Self-hosted and regional-gateway deployments give full data-residency control.
- HIPAA — negotiated BAA and a formal security risk assessment bundled with healthcare engagements.
Deploy on your terms
Same security posture. Your control boundary.
Managed SaaS, dedicated single-tenant, self-hosted, or hardware appliance — on multi-vendor gateways (AWS & Vultr), no lock-in. Every model runs identical encryption, policy, and trust controls. You choose the boundary that fits residency, isolation, and compliance.
Compare deployment modelsManaged SaaS
Managed operations, fastest adoption
Dedicated Cloud
Single-tenant isolation, custom rollout
Self-Hosted
Full infrastructure control, sovereign
Hardware Appliance
Customer-controlled edge
Client platforms
Every device your workforce actually uses
Native clients on macOS, iOS, Linux, Windows, and Android — the same post-quantum engine and identical signed handshake on every one. No weaker mobile build, no feature-reduced port.
Who uses AegisWire
Built for organisations where a breach is a headline
Where security, privacy, and compliance are not optional — and "we'll be quantum-safe later" is not an acceptable answer.
Financial Services
Banks, insurers, and fintechs protecting transactions, client data, and inter-branch connectivity.
Healthcare & Life Sciences
Hospitals, research institutions, and pharma meeting HIPAA, GDPR, and data-sovereignty requirements.
Government & Defence
Agencies requiring sovereign deployment, air-gap capability, and classified network isolation.
Critical Infrastructure
Energy, utilities, and transport operators securing OT/IT convergence and SCADA networks.
Global Enterprise
Multi-nationals needing regional gateway presence, policy consistency, and data-residency control.
Your Industry
If your organisation handles sensitive data, we should talk. Request an architecture review.
Proof for the security review
Read the architecture, not the brochure
Two technical whitepapers for CISOs, security architects, and procurement — the cryptographic transport, and the zero-trust access model built on it.
Post-Quantum Secure Transport
Architecture, trust model, and evidence bundle — how AegisWire protects traffic, and why it survives "harvest now, decrypt later."
Read the whitepaperThe Post-Quantum Enterprise VPN
Zero-trust access, signed policy, default-deny enforcement, and the governance model a regulated security-review committee will examine.
Read the whitepaperTalk to engineering
See it running — not in slides
Request an architecture briefing. We walk through the live platform — transport, AI defense, and deployment options — mapped to your environment and procurement requirements.