Platform Overview

One Post-Quantum Platform, End to End

Post-quantum transport, VPN services, policy management, gateway infrastructure, and identity operations work as one integrated system — not separate products bolted together. Security outcomes fail at the boundaries between layers. AegisWire keeps encryption, policy, trust, and operations aligned under a single signed trust model, centrally managed configuration, and privacy-preserving monitoring.

Full CNSA 2.0 suite (US NSA) · UK NCSC-aligned — every customer, every packet

Post-quantum cryptography

The primitives behind every session

Hybrid key exchange
Quantum-safe + classical, combined
ML-KEM-1024X25519
Identity signatures
Post-quantum signed trust chains
ML-DSA-87
Record encryption
Authenticated, per-session keys
AES-256-GCM
Keyed hashing · STREAMHEAL
Integrity and rapid rekey
BLAKE3
Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance

Secure access

Hybrid post-quantum encrypted sessions with tamper-proof framing, seamless roaming between networks, full traffic privacy, and DDoS-resistant gateway infrastructure. Purpose-built transport — not a repackaged commodity tunnel.

Learn more about security

Policy & enforcement

Signed policy distribution from the management platform to every gateway, automated certificate issuance with rotation and revocation, device-enrollment binding, and a default-deny posture verified per session. Authored centrally, enforced at the edge — no drift, no stale cache.

Enterprise VPN details

Platform capabilities

Everything the platform actually does

One integrated system — post-quantum transport, self-healing sessions, multi-region federation, defensive AI, and an embeddable SDK, all under a single signed trust model.

Client platforms

Run the same trust model everywhere

Native clients on macOS, iOS, Linux, Windows, and Android, all driven by the same post-quantum engine. Every client speaks the identical signed handshake, so your trust model never forks per operating system.

macOS
iOS
Linux
Windows
Android

Platform components

Six components, one trust model

Every component below is implemented and running in production. They share a single signed trust chain — not loosely coupled subsystems.

Secure Access

  • Hybrid post-quantum encrypted sessions
  • Multiple applications over one connection
  • Seamless roaming across networks
  • Tamper-proof, DDoS-resistant framing
  • Multi-lane striping for high throughput
  • Predictable, auditable behaviour

Enterprise VPN

  • Full and split tunnel with secure DNS
  • Fail-closed OS-level kill switch
  • Policy-driven routing decisions
  • User and device enrollment binding
  • Managed credential refresh and revocation
  • Desktop, mobile, and headless clients

Management Platform

  • Tenant, user, and device lifecycle
  • Signed, centrally managed policy distribution
  • Automated certificate management
  • Gateway directory and network management
  • Role-aware administrative workflows
  • Multi-tenant, isolated operations

Gateway Infrastructure

  • Regional gateway pool architecture
  • Multi-vendor: AWS and Vultr, no lock-in
  • Policy-aware gateway selection
  • Privacy-preserving monitoring
  • Controlled draining and failover
  • Capacity-aware scaling

Trust & Evidence

  • Verified policy and posture artifacts
  • Certificate rotation and revocation
  • Reproducible builds and SBOMs
  • Signed update distribution, KMS-backed
  • Audit-ready evidence packaging
  • Release manifests verifiable end to end

Administration

  • Enterprise admin console
  • Role-based access control
  • Multi-tenant operations
  • Privacy-preserving audit logging
  • Deployment-aware controls
  • Fleet lifecycle management

Extend the platform

Build on it, link it, and defend it

The same post-quantum core powers an embeddable SDK, turnkey multi-region site links, and an optional AI defense plugin — each governed by the one trust model, not bolted on at the edges.

Developer SDK

Embed post-quantum transport directly in your own applications. Token-metered and monthly-call packages, staff-provisioned, with the same signed enrollment and trust chain as every AegisWire client.

Explore the SDK

Site-to-Site

Turnkey multi-region federation. Quantum-safe links between your gateways with no manual key exchange — trust is provisioned, delivered, and verified automatically across AWS and Vultr regions.

See site-to-site
Licensed Add-On

AI Sentinel

A separately licensed plugin: entity-graph and temporal anomaly detectors plus device-posture admission control, fused into the gateway’s per-session decision. Threat detection and breach containment governed by your policy.

Licensed plugin
Explore AI defense

Reference architecture

How AegisWire actually fits in your environment

A high-level map of where each layer runs and what crosses which boundary. Every box below is a production-shipping layer. Full architecture documentation and threat model are shared under NDA.

YOUR USERS & DEVICES macOS Linux iOS Win / Android AEGISWIRE CLIENT Fail-closed kill switch Secure DNS resolution Policy-driven routing Seamless roaming POST-QUANTUM tamper-proof · private GLOBAL GATEWAY NETWORK · AWS + VULTR EU Regional pool AMERICAS Regional pool APAC Regional pool MENA · AFRICA Regional pool GATEWAY ENFORCEMENT Policy verification per session Default-deny posture Privacy-preserving monitoring SIGNED POLICY verified at every gateway MANAGEMENT PLATFORM POLICY & TRUST Signed policy distribution IDENTITY & CERTS Automated cert management ADMIN CONSOLE Users · devices · fleet TRUST & EVIDENCE SBOM · signed releases Audit evidence bundle DEPLOYED AS Managed SaaS · Dedicated Single-Tenant · Self-Hosted · Hardware Appliance — identical security posture, your control boundary
One trust model

Every layer — client, gateway, management — shares the same signed trust chain. No trust transitions between subsystems.

Policy → enforcement continuity

Policy authored in the management platform is verified cryptographically at every gateway — no drift, no silent override, no stale cache.

Evidence everywhere

Every release ships with an SBOM, reproducible build attestation, signed update manifest, and audit-evidence bundle. Procurement and security-review ready from day one.

Why this architecture is unusual

The boundaries are where products fail

Most products combine a tunnel, an admin console, and some policy logic. AegisWire is shaped so those pieces reinforce each other rather than operating as loosely connected subsystems.

Trust failures typically appear at the boundaries: between enrollment and connection, between policy and gateway action, between release operations and runtime trust, and between architecture claims and operational evidence. AegisWire keeps those boundaries explicit, signed, and governed — not left as integration problems.

Session ↔ Trust Boundary

Session establishment and trust chain verification happen together. Connectivity does not precede trust validation.

Policy ↔ Gateway Alignment

Gateway selection and enforcement reflect published policy at runtime — not stale config or client-local state.

Release ↔ Runtime Integrity

Signed releases, KMS-backed update manifests, SBOMs, and reproducible builds mean the thing that runs can be compared against the thing that was reviewed.

Platform outcomes

What the integration buys you

No hidden trust transitions between layers
Policy integrity from publication through enforcement
Audit and architecture review supported by evidence
Regulated operating models supported by deployment choice
Multi-vendor gateways — AWS and Vultr, no lock-in
A concrete modernization path for legacy VPN replacement
Built to the controls these audits examine Commissioned on customer scope

Architecture, change-control, least-privilege, and auditability aligned to SOC 2, ISO 27001, GDPR, and HIPAA-style review. Formal certification is commissioned on customer scope.

Trust Center

Talk to engineering

Request an architecture briefing

A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.

Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance