One Post-Quantum Platform, End to End
Post-quantum transport, VPN services, policy management, gateway infrastructure, and identity operations work as one integrated system — not separate products bolted together. Security outcomes fail at the boundaries between layers. AegisWire keeps encryption, policy, trust, and operations aligned under a single signed trust model, centrally managed configuration, and privacy-preserving monitoring.
Post-quantum cryptography
The primitives behind every session
Secure access
Hybrid post-quantum encrypted sessions with tamper-proof framing, seamless roaming between networks, full traffic privacy, and DDoS-resistant gateway infrastructure. Purpose-built transport — not a repackaged commodity tunnel.
Learn more about securityPolicy & enforcement
Signed policy distribution from the management platform to every gateway, automated certificate issuance with rotation and revocation, device-enrollment binding, and a default-deny posture verified per session. Authored centrally, enforced at the edge — no drift, no stale cache.
Enterprise VPN detailsPlatform capabilities
Everything the platform actually does
One integrated system — post-quantum transport, self-healing sessions, multi-region federation, defensive AI, and an embeddable SDK, all under a single signed trust model.
Post-quantum transport
Hybrid ML-KEM-1024 + X25519 key exchange, ML-DSA-87 identity, AES-256-GCM — CNSA 2.0-aligned, on every session.
Self-healing sessions
Per-stream STREAMHEAL keys rebind a session across network changes and recover from loss without a renegotiation — seamless roaming, automatic breach containment.
Site-to-site federation
Turnkey gateway-to-gateway links across regions — one customer can span jurisdictions with the same post-quantum handshake between sites.
Sentinel AI defense
A separately-licensed defensive-AI plane — entity-graph + temporal detectors fuse telemetry into one risk fabric and take bounded, auditable action.
Multi-vendor gateways
Gateways on AWS and Vultr — no vendor lock-in, with managed, dedicated, self-hosted, and hardware-appliance deployment boundaries.
Device-posture admission
Device-signed posture attestation, bound to the handshake — invalid, expired, or revoked posture is denied at admission, fail-closed.
Signed update distribution
Client and gateway updates ship as cryptographically-signed manifests with mandatory verification — no unsigned code reaches a fleet.
Embeddable SDK
Drop the same post-quantum transport into your own apps — token-metered and monthly-call packages, the identical engine the clients run.
Fail-closed kill-switch
If the tunnel drops, traffic stops — no silent fallback to the open internet. Leak protection enforced at the OS firewall on every client.
Client platforms
Run the same trust model everywhere
Native clients on macOS, iOS, Linux, Windows, and Android, all driven by the same post-quantum engine. Every client speaks the identical signed handshake, so your trust model never forks per operating system.
Platform components
Six components, one trust model
Every component below is implemented and running in production. They share a single signed trust chain — not loosely coupled subsystems.
Secure Access
- Hybrid post-quantum encrypted sessions
- Multiple applications over one connection
- Seamless roaming across networks
- Tamper-proof, DDoS-resistant framing
- Multi-lane striping for high throughput
- Predictable, auditable behaviour
Enterprise VPN
- Full and split tunnel with secure DNS
- Fail-closed OS-level kill switch
- Policy-driven routing decisions
- User and device enrollment binding
- Managed credential refresh and revocation
- Desktop, mobile, and headless clients
Management Platform
- Tenant, user, and device lifecycle
- Signed, centrally managed policy distribution
- Automated certificate management
- Gateway directory and network management
- Role-aware administrative workflows
- Multi-tenant, isolated operations
Gateway Infrastructure
- Regional gateway pool architecture
- Multi-vendor: AWS and Vultr, no lock-in
- Policy-aware gateway selection
- Privacy-preserving monitoring
- Controlled draining and failover
- Capacity-aware scaling
Trust & Evidence
- Verified policy and posture artifacts
- Certificate rotation and revocation
- Reproducible builds and SBOMs
- Signed update distribution, KMS-backed
- Audit-ready evidence packaging
- Release manifests verifiable end to end
Administration
- Enterprise admin console
- Role-based access control
- Multi-tenant operations
- Privacy-preserving audit logging
- Deployment-aware controls
- Fleet lifecycle management
Extend the platform
Build on it, link it, and defend it
The same post-quantum core powers an embeddable SDK, turnkey multi-region site links, and an optional AI defense plugin — each governed by the one trust model, not bolted on at the edges.
Developer SDK
Embed post-quantum transport directly in your own applications. Token-metered and monthly-call packages, staff-provisioned, with the same signed enrollment and trust chain as every AegisWire client.
Explore the SDKSite-to-Site
Turnkey multi-region federation. Quantum-safe links between your gateways with no manual key exchange — trust is provisioned, delivered, and verified automatically across AWS and Vultr regions.
See site-to-siteAI Sentinel
A separately licensed plugin: entity-graph and temporal anomaly detectors plus device-posture admission control, fused into the gateway’s per-session decision. Threat detection and breach containment governed by your policy.
Reference architecture
How AegisWire actually fits in your environment
A high-level map of where each layer runs and what crosses which boundary. Every box below is a production-shipping layer. Full architecture documentation and threat model are shared under NDA.
Every layer — client, gateway, management — shares the same signed trust chain. No trust transitions between subsystems.
Policy authored in the management platform is verified cryptographically at every gateway — no drift, no silent override, no stale cache.
Every release ships with an SBOM, reproducible build attestation, signed update manifest, and audit-evidence bundle. Procurement and security-review ready from day one.
Why this architecture is unusual
The boundaries are where products fail
Most products combine a tunnel, an admin console, and some policy logic. AegisWire is shaped so those pieces reinforce each other rather than operating as loosely connected subsystems.
Trust failures typically appear at the boundaries: between enrollment and connection, between policy and gateway action, between release operations and runtime trust, and between architecture claims and operational evidence. AegisWire keeps those boundaries explicit, signed, and governed — not left as integration problems.
Session ↔ Trust Boundary
Session establishment and trust chain verification happen together. Connectivity does not precede trust validation.
Policy ↔ Gateway Alignment
Gateway selection and enforcement reflect published policy at runtime — not stale config or client-local state.
Release ↔ Runtime Integrity
Signed releases, KMS-backed update manifests, SBOMs, and reproducible builds mean the thing that runs can be compared against the thing that was reviewed.
Platform outcomes
What the integration buys you
Architecture, change-control, least-privilege, and auditability aligned to SOC 2, ISO 27001, GDPR, and HIPAA-style review. Formal certification is commissioned on customer scope.
Talk to engineering
Request an architecture briefing
A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.