Secure Transport · AWT_UNIFIED

The post-quantum transport underneath every connection

AWT_UNIFIED is AegisWire’s own post-quantum transport — not a TLS bolt-on. Every packet is sealed with a hybrid ML-KEM-1024 + X25519 handshake, authenticated by ML-DSA-87 identity, encrypted with AES-256-GCM, and protected against tampering, replay, and amplification. Sessions survive network changes without dropping, and if a single session key is ever exposed, the breach is automatically contained — it cannot spread sideways or persist over time.

Full CNSA 2.0 suite (US NSA) · UK NCSC-aligned — every customer, every packet

The cryptographic moat

Quantum-resistant by construction, not configuration

There is no “classic mode” to forget to turn off. The full post-quantum suite runs for every customer, on every session, by default — a hybrid construction that stays secure even if either the classical or the quantum-safe half is later broken.

The transport core is written in memory-safe Rust and behaves identically in test and production. The same primitives protect your traffic today and hold the line as quantum computing matures — defeating harvest-now, decrypt-later collection from day one.

Post-quantum cryptography

The primitives behind every session

Hybrid key exchange
Quantum-safe + classical, combined
ML-KEM-1024X25519
Identity signatures
Post-quantum signed trust chains
ML-DSA-87
Record encryption
Authenticated, per-session keys
AES-256-GCM
Keyed hashing · STREAMHEAL
Integrity and rapid rekey
BLAKE3
Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance

Built for the real network

Always-on connectivity

Connections that ride out hostile networks without a manual reconnect — and carry every application over one sealed session.

Resilient connections

Built for unreliable networks. Connections recover from packet loss, latency, and congestion automatically — with multi-lane striping that pushes throughput far past single-flow limits.

Multi-application support

Run many applications over a single sealed connection. Each application stream is independently keyed and protected — one tunnel, no per-app key sprawl.

Seamless roaming

Switch between Wi-Fi, cellular, and wired networks without dropping your session. The connection ID survives the network change — no reconnection, no re-handshake.

Integrity, not just secrecy

Tamper protection

Encryption keeps traffic private; these controls keep it honest — rejecting forged, replayed, and amplified packets before they touch a resource.

Replay attack prevention

Every packet is authenticated and checked for freshness. Duplicate, delayed, or replayed packets are rejected before processing — not logged and accepted.

Predictable security

The transport behaves identically in testing and production. No hidden modes, no debug fallbacks, no undocumented behaviour — what you audit is what runs.

DDoS & amplification resistance

Connection establishment requires proof of origin before any server resource is committed, so the gateway can never be turned into an amplification weapon. This is implemented and enforced in every deployment mode, not an optional hardening step.

Visibility without surveillance

Privacy by design

Operational telemetry for your security team — without ever inspecting or logging the content of your traffic.

  • Traffic privacy from packet zero

    Metadata is protected during connection setup, not just after the session is established. We provide operational monitoring without exposing who communicates with whom.

  • Breach containment

    If a session key is ever compromised, the damage is automatically contained. It cannot spread to other sessions or persist over time — past and future traffic stay sealed.

  • Quantum-resistant by default

    Hybrid encryption protects sessions against both current threats and future quantum capability — with no “classic mode” that can silently weaken a connection.

  • Privacy-preserving monitoring

    Full operational visibility for your security team without inspecting or logging traffic content. Built for organisations where privacy is a regulatory requirement, not a preference.

Security controls

Key exchange Hybrid PQ, always on
Record encryption AES-256-GCM, per session
Applications Multi-app, independently keyed
Tampering Rejected automatically
Privacy No content inspection
Breach containment Per-session, automatic

Three guarantees, plainly

What the transport promises

Quantum-resistant

A hybrid handshake combining proven classical key exchange with next-generation quantum-safe key exchange. An attacker must break both to read a session — today and as quantum computers mature.

Aligned to the CNSA 2.0 suite that regulated buyers now require.

Breach containment

Session keys rotate continuously. If any one key is compromised, exposure is bounded to that single session — it cannot reach past or future traffic, and it cannot move laterally to other sessions.

Compromise of one session is not compromise of the connection.

Privacy by default

No content inspection. No traffic logging. Privacy-preserving monitoring is the production default, not an add-on. Your security team gets full operational visibility without surveillance.

Built for organisations where privacy is a regulatory requirement.

Enforced at the edge

Trust & policy enforcement

Policy is set centrally and enforced at every gateway — multi-vendor, signed, and rotated without dropping a single session.

Centrally managed policy, enforced automatically at every gateway
Signed update distribution — verified before any artifact is applied
Automated certificate rotation and revocation without service interruption
Device enrollment binding with post-quantum trust-chain verification
Fail-closed kill-switch — traffic never leaks if the tunnel cannot be secured
Gateways run on AWS and Vultr — multi-vendor by construction, no lock-in

One transport, every endpoint

Where the transport runs

The same post-quantum engine carries native clients on macOS, iOS, Linux, Windows, and Android — one transport core on every platform.

Client platforms

Where AegisWire runs

One post-quantum engine, every platform — the identical signed handshake and cryptographic posture on each.

macOS
Linux
iOS
Windows
Android

Build on it · extend it

Embed and extend the transport

Put AWT_UNIFIED inside your own application, and layer behavioural defence on top — without touching the cryptographic core.

Developer SDK

Embed the post-quantum transport directly in your app. Provisioned by our staff and sold as token-metered or monthly-call packages — you get the moat without rebuilding the cryptography.

Explore the SDK

AI Sentinel

Licensed Add-On

A separately licensed plugin that adds entity-graph and temporal threat detection plus device-posture admission — turning the privacy-preserving telemetry into active, content-blind defence.

See AI Defense

Implemented & enforced

Security properties in operation

Every property below is implemented and enforced across all deployment modes — not a roadmap item.

Quantum-resistant encryption

Hybrid ML-KEM-1024 + X25519 key exchange under AES-256-GCM. Both current and future quantum threats are addressed simultaneously.

Automatic breach containment

Session keys rotate automatically. A compromised key limits exposure to that session only and cannot affect past or future traffic.

Replay attack prevention

Every packet is validated for authenticity and freshness. Duplicate and out-of-order packets are rejected without processing.

DDoS & amplification resistance

Proof-of-origin required before resource commitment. Unauthenticated traffic is rejected before any resource is allocated.

Predictable security

Identical behaviour in testing and production. No hidden modes, no undocumented behaviour, no configuration surprises.

Seamless roaming

Sessions survive network changes — mobile handoff, Wi-Fi/cellular transition — without reconnection or session teardown.

Traffic privacy

Full traffic privacy from the start of the connection. Metadata is protected during connection setup, not just after the session is established.

Signed update distribution

Update manifests are cryptographically signed and verified before any artifact is applied — a tampered update is refused, fail-closed.

Controls posture built to the standards these audits examine: Commissioned on customer scope SOC 2 · ISO 27001 · GDPR · HIPAA-style

Talk to engineering

Request an architecture briefing

A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.

Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance