The post-quantum transport underneath every connection
AWT_UNIFIED is AegisWire’s own post-quantum transport — not a TLS bolt-on. Every packet is sealed with a hybrid ML-KEM-1024 + X25519 handshake, authenticated by ML-DSA-87 identity, encrypted with AES-256-GCM, and protected against tampering, replay, and amplification. Sessions survive network changes without dropping, and if a single session key is ever exposed, the breach is automatically contained — it cannot spread sideways or persist over time.
The cryptographic moat
Quantum-resistant by construction, not configuration
There is no “classic mode” to forget to turn off. The full post-quantum suite runs for every customer, on every session, by default — a hybrid construction that stays secure even if either the classical or the quantum-safe half is later broken.
The transport core is written in memory-safe Rust and behaves identically in test and production. The same primitives protect your traffic today and hold the line as quantum computing matures — defeating harvest-now, decrypt-later collection from day one.
Post-quantum cryptography
The primitives behind every session
Built for the real network
Always-on connectivity
Connections that ride out hostile networks without a manual reconnect — and carry every application over one sealed session.
Resilient connections
Built for unreliable networks. Connections recover from packet loss, latency, and congestion automatically — with multi-lane striping that pushes throughput far past single-flow limits.
Multi-application support
Run many applications over a single sealed connection. Each application stream is independently keyed and protected — one tunnel, no per-app key sprawl.
Seamless roaming
Switch between Wi-Fi, cellular, and wired networks without dropping your session. The connection ID survives the network change — no reconnection, no re-handshake.
Integrity, not just secrecy
Tamper protection
Encryption keeps traffic private; these controls keep it honest — rejecting forged, replayed, and amplified packets before they touch a resource.
Replay attack prevention
Every packet is authenticated and checked for freshness. Duplicate, delayed, or replayed packets are rejected before processing — not logged and accepted.
Predictable security
The transport behaves identically in testing and production. No hidden modes, no debug fallbacks, no undocumented behaviour — what you audit is what runs.
DDoS & amplification resistance
Connection establishment requires proof of origin before any server resource is committed, so the gateway can never be turned into an amplification weapon. This is implemented and enforced in every deployment mode, not an optional hardening step.
Visibility without surveillance
Privacy by design
Operational telemetry for your security team — without ever inspecting or logging the content of your traffic.
-
Traffic privacy from packet zero
Metadata is protected during connection setup, not just after the session is established. We provide operational monitoring without exposing who communicates with whom.
-
Breach containment
If a session key is ever compromised, the damage is automatically contained. It cannot spread to other sessions or persist over time — past and future traffic stay sealed.
-
Quantum-resistant by default
Hybrid encryption protects sessions against both current threats and future quantum capability — with no “classic mode” that can silently weaken a connection.
-
Privacy-preserving monitoring
Full operational visibility for your security team without inspecting or logging traffic content. Built for organisations where privacy is a regulatory requirement, not a preference.
Security controls
Three guarantees, plainly
What the transport promises
Quantum-resistant
A hybrid handshake combining proven classical key exchange with next-generation quantum-safe key exchange. An attacker must break both to read a session — today and as quantum computers mature.
Aligned to the CNSA 2.0 suite that regulated buyers now require.
Breach containment
Session keys rotate continuously. If any one key is compromised, exposure is bounded to that single session — it cannot reach past or future traffic, and it cannot move laterally to other sessions.
Compromise of one session is not compromise of the connection.
Privacy by default
No content inspection. No traffic logging. Privacy-preserving monitoring is the production default, not an add-on. Your security team gets full operational visibility without surveillance.
Built for organisations where privacy is a regulatory requirement.
Enforced at the edge
Trust & policy enforcement
Policy is set centrally and enforced at every gateway — multi-vendor, signed, and rotated without dropping a single session.
One transport, every endpoint
Where the transport runs
The same post-quantum engine carries native clients on macOS, iOS, Linux, Windows, and Android — one transport core on every platform.
Client platforms
Where AegisWire runs
One post-quantum engine, every platform — the identical signed handshake and cryptographic posture on each.
Build on it · extend it
Embed and extend the transport
Put AWT_UNIFIED inside your own application, and layer behavioural defence on top — without touching the cryptographic core.
Developer SDK
Embed the post-quantum transport directly in your app. Provisioned by our staff and sold as token-metered or monthly-call packages — you get the moat without rebuilding the cryptography.
Explore the SDKAI Sentinel
Licensed Add-OnA separately licensed plugin that adds entity-graph and temporal threat detection plus device-posture admission — turning the privacy-preserving telemetry into active, content-blind defence.
See AI DefenseImplemented & enforced
Security properties in operation
Every property below is implemented and enforced across all deployment modes — not a roadmap item.
Quantum-resistant encryption
Hybrid ML-KEM-1024 + X25519 key exchange under AES-256-GCM. Both current and future quantum threats are addressed simultaneously.
Automatic breach containment
Session keys rotate automatically. A compromised key limits exposure to that session only and cannot affect past or future traffic.
Replay attack prevention
Every packet is validated for authenticity and freshness. Duplicate and out-of-order packets are rejected without processing.
DDoS & amplification resistance
Proof-of-origin required before resource commitment. Unauthenticated traffic is rejected before any resource is allocated.
Predictable security
Identical behaviour in testing and production. No hidden modes, no undocumented behaviour, no configuration surprises.
Seamless roaming
Sessions survive network changes — mobile handoff, Wi-Fi/cellular transition — without reconnection or session teardown.
Traffic privacy
Full traffic privacy from the start of the connection. Metadata is protected during connection setup, not just after the session is established.
Signed update distribution
Update manifests are cryptographically signed and verified before any artifact is applied — a tampered update is refused, fail-closed.
Talk to engineering
Request an architecture briefing
A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.