Post-quantum protection inside your own software
The exact AWT_UNIFIED transport that powers our enterprise VPN, packaged as a developer SDK. Embed AegisWire's mandatory-hybrid post-quantum transport directly into your application, API, mobile client, or device fleet. One credential, one connection — quantum-safe end to end. Not an optional hybrid bolted onto TLS: post-quantum by design, on every packet.
Stronger than a checkbox
Post-quantum by design — not a TLS add-on
Most "post-quantum" is an optional hybrid key exchange negotiated into TLS. AegisWire is post-quantum across the whole transport, on every connection, with no classical-only mode to disable.
Mandatory hybrid
Every session uses hybrid ML-KEM-1024 + X25519 key exchange. There is no classical-only mode to disable or negotiate down — protection is not optional.
Automatic breach containment
BLAKE3 STREAMHEAL re-keys continuously across each connection. If one session key is ever exposed, the damage cannot spread to past or future traffic.
Connection privacy
No server identity, client identity, or routing hint is exposed on the wire. ML-DSA-87 trust chains stay hidden from passive observers from the first packet.
What you inherit
A CNSA 2.0-aligned suite, drop-in
Your team writes no cryptography. The SDK ships the full AWT_UNIFIED suite — hybrid key exchange, post-quantum identity, authenticated record encryption, and continuous key healing — the same primitives that run in production across our platform. You inherit a proven foundation, not a prototype.
- Replay-protected, tamper-checked records
Every packet authenticated end to end.
- Fail-closed by default
A kill-switch holds traffic if the secure path is ever unavailable — it never silently falls back.
- Signed update distribution
Engine updates ship over a signed channel with a published supply chain.
Post-quantum cryptography
The primitives behind every session
Integration in four steps
From one credential to a quantum-safe channel
The SDK hides enrolment, key exchange, healing, and recovery. Your app sees a connection; the post-quantum work happens underneath.
Add the SDK + a key
Drop the SDK into your app and supply one staff-provisioned credential. No cryptography for your team to implement or get wrong.
Enrol, automatically
The SDK provisions a device identity on first run and registers it — no manual setup, and private keys never leave the device.
Connect, quantum-safe
A single call opens a post-quantum session to an AegisWire gateway. Healing and recovery run on their own.
Send and receive
Move bytes like any socket. Every packet is quantum-safe, tamper-checked, and replay-protected end to end.
Where it runs
One transport, every platform
The same engine runs across native, mobile, and server-side environments — one uniform security posture everywhere. Native clients on macOS, iOS, Linux, Windows, and Android all build on it.
- Native & systems apps
Desktop and embedded software in memory-safe Rust.
- Mobile
iOS today, using the same transport as our native clients.
- Backend & services
Server-side bindings for machine-to-machine and API traffic.
Client platforms
Where AegisWire runs
One post-quantum engine, every platform — the identical signed handshake and cryptographic posture on each.
Who builds on it
For software where post-quantum is becoming a requirement
If your data has to stay secret for years — or you ship software into regulated buyers — the SDK embeds the answer now, not in a retrofit later.
Programmes moving to post-quantum requirements need it embedded now, not retrofitted later.
Health, finance, legal, and IP — anything recorded today that is still sensitive in ten years.
Devices that ship today and live for 15–20 years need post-quantum protection baked in.
Automated, non-browser traffic between services and agents — a natural fit for an embedded SDK.
"Our connections are post-quantum secure" becomes a differentiator when you sell into the above.
Operational systems where a quantum-safe control channel is a procurement-level requirement.
Licensing
Packaged the way platforms buy
SDK access is staff-provisioned and metered to fit your traffic profile — not a public download. We size the package to your stack on the briefing call.
Token-metered
Pay for what you transport. Usage-based metering suits variable or bursty machine-to-machine workloads.
Monthly-call packages
Predictable monthly call allowances for steady production traffic — budget-friendly and easy to forecast.
Staff-provisioned access
Credentials are issued and scoped by our team, enforced in software. No anonymous self-serve keys floating in the wild.
Same trust fabric
The SDK plugs into the whole platform
Embedded sessions terminate on the same gateways, federation, and trust operations as our managed VPN. Nothing about the SDK is a side track.
Multi-region federation
Turnkey site-to-site links between gateways. Reach the same backends your VPN users do, across regions, with no per-link configuration.
Multi-vendor gateways
Run gateways on AWS and Vultr — or both for one customer. No cloud lock-in, with identical post-quantum posture on every vendor.
AI Sentinel
A separately licensed plugin: entity-graph and temporal anomaly detection plus device-posture admission, layered over the same sessions.
Production transport, packaged for your code
The SDK is built on the same post-quantum transport, gateways, and native clients that run in production — with a controls posture built to what SOC 2, ISO 27001, GDPR, and HIPAA-style reviews examine.
Talk to engineering
Request an architecture briefing
A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.