Security Posture, Not Security Theatre
AegisWire treats trust operations as production functionality, not a compliance checkbox. The post-quantum transport that protects every session is the moat — not a layer bolted onto an inherited stack. Every release is signed and reproducible with public verification. Certificate issuance, rotation, and revocation are automated and operating. Observability surfaces operational signals without exposing session, endpoint, or behaviour metadata. This page documents what exists and is operating — not what is planned.
The moat
The transport is the trust boundary.
AWT_UNIFIED is AegisWire's purpose-built post-quantum transport. It is not a VPN service layered on inherited TLS defaults — it is a hybrid, harvest-now-decrypt-later-resistant protocol that runs the full CNSA 2.0 suite for every customer, on every packet, with no premium tier and no opt-out.
Tamper protection, replay resistance, DDoS-resistant connection setup, and automatic per-session breach containment (BLAKE3 STREAMHEAL) are properties of the protocol itself — they cannot be misconfigured away by an operator.
Post-quantum cryptography
The primitives behind every session
What sets us apart
What Makes AegisWire Different
Purpose-Built Transport
Not a VPN service layered on inherited defaults. AWT_UNIFIED is purpose-built for enterprise security — post-quantum by construction, with tamper protection, DDoS resistance, and predictable behaviour.
Signed Trust Chains
Policy artefacts are signed from publication through enforcement. Unsigned policy is rejected at the gateway. Certificates carry an automated lifecycle with rotation and revocation. Not dashboard-only governance.
Privacy-Preserving by Default
Observability uses privacy-preserving monitoring; full traffic privacy protects headers from connection setup onward. This is the default operating mode, not an optional add-on.
Reproducible & Auditable
Reproducible builds, SBOM generation, signed releases, and signed update distribution operate in the current build and release pipeline.
Deployment Choice, No Lock-In
Managed SaaS, dedicated single-tenant, self-hosted sovereign, and regional gateway network run the same trust architecture. Gateways deploy to AWS or Vultr — a single customer can run both. Control boundaries differ; trust integrity does not.
Operational Integrity
Signed update paths, automated certificate management, a fail-closed kill switch, and audit-ready evidence packaging are production platform features, not afterthought processes.
Evidence over assertion
Engineering Discipline
Trust claims require engineering evidence. These practices are implemented in the current platform.
Signed Releases
Every release artefact is signed. Signature verification is enforced on the update path — an unverifiable artefact is never applied.
SBOM Generation
A software bill of materials is generated for each release. Dependency tracking is part of the build pipeline.
Reproducible Builds
The build process produces identical outputs from identical inputs. Third-party verification is structurally supported.
Automated Certificate Management
Certificates have managed creation, rotation, and revocation. Lifecycle operations do not require service interruption.
Centrally Managed Policies
Policy artefacts carry signatures from the management platform through gateway enforcement. Unsigned policy is rejected.
Secure Update Discipline
Updates follow signed distribution paths. Rollback and version pinning are operationally supported.
Production capability map
Shipping core — with honest edges.
AegisWire does not separate a marketing roadmap from a delivered product. Every capability below is implemented and operating today — and where a surface is still in development, we say so. Security, policy, operations, and deployment are released together.
Transport & Crypto
- Hybrid post-quantum key agreement
- Tamper-proof, replay-resistant transport
- Automatic breach containment per session
- Full traffic privacy and header protection
- DDoS-resistant connection setup
- Multi-application support over one session
- Seamless roaming across networks
Policy & Trust
- Signed policy distribution end-to-end
- Gateway-enforced default-deny posture
- Automated certificate management
- Device-to-user binding at enrolment
- Credential revocation through trust chain
- Privacy-preserving monitoring by default
- Multi-path authentication families
Operations & Evidence
- Reproducible builds per release
- Software bill of materials (SBOM)
- Signed release & update distribution
- Multi-region site-to-site federation
- Multi-vendor gateways (AWS + Vultr)
- Enterprise admin with RBAC
- Multi-tenant operator console
Delivery Surfaces
- Managed SaaS deployment
- Dedicated single-tenant deployment
- Self-hosted / sovereign deployment
- Hardware appliance for edge enforcement
- Native clients: macOS, iOS, Linux
- Developer SDK (token / call packages)
- Full and split-tunnel VPN with kill switch
Client availability
Where clients run today
Native clients on macOS, iOS, Linux, Windows, and Android — the same post-quantum engine on every platform.
AI Sentinel
Licensed Add-OnDetection as a licensed plugin
AI Sentinel is a separately licensed plugin: entity-graph and temporal detectors plus device-posture admission. It layers on the same signed trust chain — posture attestations are device-key-sealed and bound into the handshake, evaluated fail-closed at the gateway. Available under its own subscription, not bundled into the base transport.
Every shipping item above is available to evaluate under NDA. Architecture documentation, the threat model, and signed audit evidence are bundled into the evaluation package on request.
Audit-ready by construction
Audit & Compliance Readiness
The goal is reducing friction between engineering reality and audit expectations. AegisWire produces evidence as part of normal operations, not as a separate compliance exercise — built to the controls a SOC 2, ISO 27001, GDPR, or HIPAA-style review examines.
Runtime platform controls
- Policy enforced at the gateway — unsigned artefacts are rejected
- Certificate rotation operates without service interruption
- Full traffic privacy active at connection setup, not only after the connection is established
- Fail-closed kill switch: traffic never leaks outside the tunnel on a stale or revoked session
- Privacy-preserving monitoring: no content inspection in operational defaults
Governance and evidence workflows
- Signed releases with cryptographic artefact verification paths
- SBOM generated per release and tracked through the build pipeline
- Reproducible builds: identical inputs produce identical outputs, third-party verifiable
- Signed update distribution with rollback and version pinning
- Structured evidence packaging for internal audit and security review cycles
For your security team
What Security Evaluators Can Review
The following documentation and evidence is available to security teams, technical buyers, and procurement evaluators on request. Every item listed is produced and maintained.
- Detailed transport, handshake, key-establishment, and breach-containment design documentation is available to security evaluators under NDA
- Signed release artefacts with cryptographic verification paths
- SBOM output per release with dependency tracking
- Reproducible build process documentation and third-party verification approach
- Policy pipeline from management platform through gateway enforcement
- Automated certificate management model: issuance, rotation, and revocation
- Device enrolment binding and trust-chain verification flows
- Deployment model specifications for all four delivery modes
- Isolation and control-boundary documentation per deployment type
- Self-hosted, sovereign, and multi-vendor gateway (AWS + Vultr) architecture details
- Built to the controls a SOC 2, ISO 27001, GDPR / UK GDPR, and HIPAA-style review examines — engineered to CNSA 2.0, UK NCSC, and NIST post-quantum standards
- Third-party attestations (SOC 2, ISO 27001, HIPAA BAA, PCI DSS, FedRAMP) are scoped alongside the commercial engagement that requires them Commissioned on customer scope
- Evidence bundle shipped today: SBOM, reproducible builds, signed releases, audit-evidence package — procurement-ready on day one
Talk to engineering
Request an architecture briefing
A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.