Security FAQ

Straight answers for security teams

The questions enterprise security reviewers, procurement, and technical evaluators raise most often — answered directly, with no hedging. The transport is post-quantum on every packet for every customer. Certifications are scoped alongside the commercial engagements that require them; the architecture is built to carry every control those audits examine.

Full CNSA 2.0 suite (US NSA) · UK NCSC-aligned — every customer, every packet
Commissioned on customer scope

The first question, answered

“Are you actually post-quantum, or is that marketing?”

It is the wire format, not a slide. The AWT_UNIFIED transport runs a hybrid key exchange — a quantum-safe KEM combined with classical elliptic-curve — on every session, alongside post-quantum identity signatures and authenticated record encryption. There is no “classic mode” toggle and no per-customer downgrade: the same suite protects every packet for every tenant.

The posture aligns to the US NSA CNSA 2.0 suite in full and to UK NCSC post-quantum guidance. That answers the harvest-now-decrypt-later question for regulated buyers in one line: traffic captured today is not decryptable by a future quantum adversary.

Post-quantum cryptography

The primitives behind every session

Hybrid key exchange
Quantum-safe + classical, combined
ML-KEM-1024X25519
Identity signatures
Post-quantum signed trust chains
ML-DSA-87
Record encryption
Authenticated, per-session keys
AES-256-GCM
Keyed hashing · STREAMHEAL
Integrity and rapid rekey
BLAKE3
Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance

Procurement & assurance

Certifications, controls, and how we operate

SOC 2

Commissioned on customer scope

Our engineering practices — logical access control, change management, continuous monitoring, encryption, incident response — are structured against the SOC 2 Trust Service Criteria. The evidence bundle that would feed a Type II audit is produced and maintained today, and git history is treated as an append-only change log (no rewrites of pushed commits).

The formal SOC 2 engagement is scoped alongside the commercial contract that requires it, rather than carried on the marketing site as a generic certificate. If your procurement requires SOC 2 Type II at signing, raise it in the commercial conversation and we will scope the auditor work alongside the engagement.

ISO 27001

Commissioned on customer scope

Information security management practices are documented and followed internally: access control policy, secure development lifecycle, incident response, asset management, supplier risk, and cryptographic controls.

The ISO 27001 certification engagement is scoped alongside the customer contract that triggers it — the ISMS documentation is already written to drop into the audit scope.

HIPAA

Commissioned on customer scope

AegisWire ships the technical controls healthcare operators require: quantum-resistant encryption in transit and at rest, per-tenant isolation, comprehensive tamper-evident audit logging, and role-based access control. Tunnel traffic content is never stored, inspected, or logged.

HIPAA has no formal certification — it is a statutory framework enforced through Business Associate Agreements. A negotiated BAA and a formal HIPAA security risk assessment are bundled with healthcare engagements.

GDPR & UK GDPR

AegisWire is operated by ITLOX LTD (England & Wales) and ITLOX, Inc. (Delaware, USA), so EU/UK data protection is a first-class design constraint, not a bolt-on. We provide a Data Processing Addendum and Standard Contractual Clauses / IDTA on request, and self-hosted and regional-gateway deployments give you full data-residency control.

Because the gateway sees routing metadata only — never tunnel content — the data-minimisation and purpose-limitation principles are enforced by the architecture itself, not by policy promises alone.

How do you test security?

Continuous

Security testing is continuous and adversarial, run by the same cryptographic engineering team that builds the platform — the people attacking it are the people who know exactly where it could break.

Static analysis — gosec and staticcheck run in CI on every commit. The build fails on findings.
Dependency scanning — automated monitoring of known vulnerabilities across the dependency tree.
Internal adversarial testing — continuous attack-driven testing against authentication, authorisation, API boundaries, and the transport protocol itself.
Memory-safe languages — Go and Rust with strict compiler settings eliminate entire classes of memory-safety and type-confusion vulnerabilities.
Signed, reproducible release distribution — every client and gateway update is cryptographically signed; clients verify the signature before applying it.

Independent penetration testing follows the same model as our formal certifications: commissioned on customer scope, alongside the enterprise engagement that requires it.

What data do you store?

Documented
Subscription and billing data — organisation details, plan tier, payment metadata.
Metering events — connection counts, data-transfer volumes, device enrollments. Used for billing and capacity planning.
Audit logs — security-relevant operations: authentication events, policy changes, administrative actions.
Device enrollment records — device identity, certificate bindings, enrollment status.
Policy configurations — network policies, access rules, gateway assignments.

We do not store, inspect, or log tunnel traffic content. The gateway sees routing metadata only — the payload is end-to-end encrypted under per-session post-quantum keys it never holds.

Can you offer self-hosted deployment?

Yes. AegisWire supports multiple deployment models, all running the same post-quantum security architecture — and gateways are multi-vendor, so you are never locked to a single cloud:

Managed cloud — we operate the infrastructure, updates, and operations. Per-tenant isolation with a dedicated management plane.
Self-hosted — deploy gateways on your own cloud or on-premise infrastructure for full data-residency control.
Multi-vendor gateways — run gateways across providers such as AWS and Vultr, in one tenant, with no vendor lock-in. Provider secrets are handled per-vendor with least privilege.
Hardware appliance — pre-configured hardware with local PostgreSQL and hardware-bound licensing. Suitable for edge and sovereign deployments.

What happens when something fails?

The platform fails closed. If trust cannot be established or a session goes stale, traffic is blocked — never silently sent in the clear.

Fail-closed kill switch — if the tunnel drops or trust is lost, the client blocks egress rather than leaking traffic outside the encrypted path.
Per-session breach containment — keys are scoped per session and rapidly rekeyed, so a single compromised session cannot unwind past or future traffic.
Signed configuration and policy distribution — clients only apply VPN configuration and policy that carries a valid signature.

Do you offer behavioural threat detection?

Licensed plugin Licensed Add-On

AI Sentinel is a separately licensed add-on that layers anomaly detection on top of the transport — entity-graph and temporal detectors plus device-posture admission, so a session can be required to prove the endpoint’s security posture before it is admitted.

It runs in monitor-first mode and is tenant-isolated: models do not train across tenants. Sentinel is optional — the core post-quantum transport and fail-closed posture stand on their own without it.

Do you support customer security reviews?

Yes. We welcome security reviews as part of procurement evaluation. We can provide:

  • Architecture documentation and a security-design overview
  • Completed security questionnaires (CAIQ, SIG, or your format)
  • Data processing addendum and privacy documentation
  • Direct technical discussion with the engineering team

Contact security@aegiswire.com to begin a review.

How do you handle vulnerabilities?

Policy published

We maintain a published Vulnerability Disclosure Policy with safe-harbour provisions for good-faith security researchers.

48-hour acknowledgement on all reports to security@aegiswire.com
5 business-day triage with severity assessment and an initial response
Safe harbour for researchers who follow the disclosure policy
Ongoing communication with the reporter throughout remediation

Talk to engineering

Request an architecture briefing

A technical walkthrough of the transport, trust model, and deployment options — mapped to your environment and procurement requirements.

Implements US NSA CNSA 2.0 in full · aligned with UK NCSC post-quantum guidance