Security & Trust Center

Security Posture, Not Security Theatre

AegisWire treats trust operations as production functionality, not a compliance checkbox. The post-quantum transport that protects every session is the moat — not a layer bolted onto an inherited stack. Every release is signed and reproducible with public verification. Certificate issuance, rotation, and revocation are automated and operating. Observability surfaces operational signals without exposing session, endpoint, or behaviour metadata. This page documents what exists and is operating — not what is planned.

Full CNSA 2.0 suite (US NSA) · UK NCSC-aligned — every customer, every packet

The moat

The transport is the trust boundary.

AWT_UNIFIED is AegisWire's purpose-built post-quantum transport. It is not a VPN service layered on inherited TLS defaults — it is a hybrid, harvest-now-decrypt-later-resistant protocol that runs the full CNSA 2.0 suite for every customer, on every packet, with no premium tier and no opt-out.

Tamper protection, replay resistance, DDoS-resistant connection setup, and automatic per-session breach containment (BLAKE3 STREAMHEAL) are properties of the protocol itself — they cannot be misconfigured away by an operator.

Post-quantum cryptography

The primitives behind every session

Hybrid key exchange
Quantum-safe + classical, combined
ML-KEM-1024X25519
Identity signatures
Post-quantum signed trust chains
ML-DSA-87
Record encryption
Authenticated, per-session keys
AES-256-GCM
Keyed hashing · STREAMHEAL
Integrity and rapid rekey
BLAKE3
Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance

What sets us apart

What Makes AegisWire Different

Purpose-Built Transport

Not a VPN service layered on inherited defaults. AWT_UNIFIED is purpose-built for enterprise security — post-quantum by construction, with tamper protection, DDoS resistance, and predictable behaviour.

Signed Trust Chains

Policy artefacts are signed from publication through enforcement. Unsigned policy is rejected at the gateway. Certificates carry an automated lifecycle with rotation and revocation. Not dashboard-only governance.

Privacy-Preserving by Default

Observability uses privacy-preserving monitoring; full traffic privacy protects headers from connection setup onward. This is the default operating mode, not an optional add-on.

Reproducible & Auditable

Reproducible builds, SBOM generation, signed releases, and signed update distribution operate in the current build and release pipeline.

Deployment Choice, No Lock-In

Managed SaaS, dedicated single-tenant, self-hosted sovereign, and regional gateway network run the same trust architecture. Gateways deploy to AWS or Vultr — a single customer can run both. Control boundaries differ; trust integrity does not.

Operational Integrity

Signed update paths, automated certificate management, a fail-closed kill switch, and audit-ready evidence packaging are production platform features, not afterthought processes.

Evidence over assertion

Engineering Discipline

Trust claims require engineering evidence. These practices are implemented in the current platform.

Signed Releases

Every release artefact is signed. Signature verification is enforced on the update path — an unverifiable artefact is never applied.

SBOM Generation

A software bill of materials is generated for each release. Dependency tracking is part of the build pipeline.

Reproducible Builds

The build process produces identical outputs from identical inputs. Third-party verification is structurally supported.

Automated Certificate Management

Certificates have managed creation, rotation, and revocation. Lifecycle operations do not require service interruption.

Centrally Managed Policies

Policy artefacts carry signatures from the management platform through gateway enforcement. Unsigned policy is rejected.

Secure Update Discipline

Updates follow signed distribution paths. Rollback and version pinning are operationally supported.

Production capability map

Shipping core — with honest edges.

AegisWire does not separate a marketing roadmap from a delivered product. Every capability below is implemented and operating today — and where a surface is still in development, we say so. Security, policy, operations, and deployment are released together.

Transport & Crypto

  • Hybrid post-quantum key agreement
  • Tamper-proof, replay-resistant transport
  • Automatic breach containment per session
  • Full traffic privacy and header protection
  • DDoS-resistant connection setup
  • Multi-application support over one session
  • Seamless roaming across networks

Policy & Trust

  • Signed policy distribution end-to-end
  • Gateway-enforced default-deny posture
  • Automated certificate management
  • Device-to-user binding at enrolment
  • Credential revocation through trust chain
  • Privacy-preserving monitoring by default
  • Multi-path authentication families

Operations & Evidence

  • Reproducible builds per release
  • Software bill of materials (SBOM)
  • Signed release & update distribution
  • Multi-region site-to-site federation
  • Multi-vendor gateways (AWS + Vultr)
  • Enterprise admin with RBAC
  • Multi-tenant operator console

Delivery Surfaces

  • Managed SaaS deployment
  • Dedicated single-tenant deployment
  • Self-hosted / sovereign deployment
  • Hardware appliance for edge enforcement
  • Native clients: macOS, iOS, Linux
  • Developer SDK (token / call packages)
  • Full and split-tunnel VPN with kill switch

Client availability

Where clients run today

Clients macOS iOS Linux Windows Android

Native clients on macOS, iOS, Linux, Windows, and Android — the same post-quantum engine on every platform.

AI Sentinel

Licensed Add-On

Detection as a licensed plugin

AI Sentinel is a separately licensed plugin: entity-graph and temporal detectors plus device-posture admission. It layers on the same signed trust chain — posture attestations are device-key-sealed and bound into the handshake, evaluated fail-closed at the gateway. Available under its own subscription, not bundled into the base transport.

Every shipping item above is available to evaluate under NDA. Architecture documentation, the threat model, and signed audit evidence are bundled into the evaluation package on request.

Audit-ready by construction

Audit & Compliance Readiness

The goal is reducing friction between engineering reality and audit expectations. AegisWire produces evidence as part of normal operations, not as a separate compliance exercise — built to the controls a SOC 2, ISO 27001, GDPR, or HIPAA-style review examines.

Runtime platform controls

  • Policy enforced at the gateway — unsigned artefacts are rejected
  • Certificate rotation operates without service interruption
  • Full traffic privacy active at connection setup, not only after the connection is established
  • Fail-closed kill switch: traffic never leaks outside the tunnel on a stale or revoked session
  • Privacy-preserving monitoring: no content inspection in operational defaults

Governance and evidence workflows

  • Signed releases with cryptographic artefact verification paths
  • SBOM generated per release and tracked through the build pipeline
  • Reproducible builds: identical inputs produce identical outputs, third-party verifiable
  • Signed update distribution with rollback and version pinning
  • Structured evidence packaging for internal audit and security review cycles

For your security team

What Security Evaluators Can Review

The following documentation and evidence is available to security teams, technical buyers, and procurement evaluators on request. Every item listed is produced and maintained.

Transport & Cryptographic Architecture
  • Detailed transport, handshake, key-establishment, and breach-containment design documentation is available to security evaluators under NDA
Release & Build Integrity
  • Signed release artefacts with cryptographic verification paths
  • SBOM output per release with dependency tracking
  • Reproducible build process documentation and third-party verification approach
Policy & Trust Architecture
  • Policy pipeline from management platform through gateway enforcement
  • Automated certificate management model: issuance, rotation, and revocation
  • Device enrolment binding and trust-chain verification flows
Deployment Architecture
  • Deployment model specifications for all four delivery modes
  • Isolation and control-boundary documentation per deployment type
  • Self-hosted, sovereign, and multi-vendor gateway (AWS + Vultr) architecture details
Security & Compliance Posture
  • Built to the controls a SOC 2, ISO 27001, GDPR / UK GDPR, and HIPAA-style review examines — engineered to CNSA 2.0, UK NCSC, and NIST post-quantum standards
  • Third-party attestations (SOC 2, ISO 27001, HIPAA BAA, PCI DSS, FedRAMP) are scoped alongside the commercial engagement that requires them Commissioned on customer scope
  • Evidence bundle shipped today: SBOM, reproducible builds, signed releases, audit-evidence package — procurement-ready on day one

Talk to engineering

Request an architecture briefing

A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.

Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance