Security as an engineering property
AegisWire is engineered for environments where security is a measurable property of the system, not a line in a procurement questionnaire. The platform is built to post-quantum standards, signs its own releases, and carries the evidence a regulated buyer expects from the first conversation.
What procurement can expect on day one
Every item below is available under NDA and bundled into the evaluation package.
One standard, every customer
Every AegisWire customer runs the same post-quantum cryptographic posture across every handshake, every packet, every deployment tier. No commercial-grade downgrade path, no per-tenant suite selection, no mid-session negotiation to a weaker cipher. Self-hosted, Managed, Hardware, and Enterprise deployments share one uniform cryptographic stance.
CNSA 2.0 — shipping today, mandated from 2027.
The US NSA's Commercial National Security Algorithm Suite 2.0 is the post-quantum cryptographic standard for new US national-security systems. The published NSA timeline calls for new systems to support CNSA 2.0 from 2027, use it exclusively for new commissioning from 2030, and move to full enforcement in 2031.
AegisWire runs the CNSA 2.0 posture for every customer, every handshake, every licence. A bank on Managed and a national-lab customer on Enterprise receive the same cryptographic posture as the strictest procurement tier. There is no weaker path for any customer class.
One implementation answers both regimes.
The UK National Cyber Security Centre publishes post-quantum cryptography migration guidance for UK government, UK MoD supply chain, and UK critical-infrastructure operators. NCSC guidance tracks NIST's post-quantum standardisation and aligns on the same parameter-set strengths used in CNSA 2.0.
The cryptographic posture AegisWire ships satisfies both the US CNSA 2.0 mandate and the UK NCSC post-quantum guidance — one cryptographic module, two regimes answered. NCSC Foundation Grade assurance submission is commissioned alongside UK MoD supply-chain engagements.
A replacement suite, already compiled.
A single-suite deployment inherits the cryptanalytic risk of that suite. AegisWire mitigates this by maintaining a pre-registered emergency replacement suite — compiled and continuously validated in the build pipeline, but never shipped in production binaries.
If a future cryptanalytic result ever required cutover, the replacement suite is drawn from a fundamentally different mathematical family from the deployed one. The cutover procedure, licence re-signing path, and client cut-off sequence are pre-documented for operators. The operational runbook is held as internal evidence and is available to security evaluators under NDA.
Security Architecture
The cryptographic and architectural foundations of AegisWire are purpose-built, not inherited from commodity VPN toolkits.
Hybrid Quantum-Resistant Key Exchange
Quantum-resistant hybrid key exchange protects every session against harvest-now-decrypt-later attacks. Both classical and quantum-resistant components must succeed for key agreement.
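As an added illustration of the combiner behind a hybrid exchange, the Go program below is example code written for this page, not AegisWire's implementation. It uses the standard library's X25519 for the classical component and a constructed 32-byte value standing in for the ML-KEM shared secret (no post-quantum library is assumed); the HKDF-SHA-384 routine, the `combineHybrid` function and its error behaviour are the example's own. The point shown is that the session key depends on both secrets, and that a missing or degenerate component aborts key agreement instead of falling back to the other one.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// hkdfSHA384 is a minimal HKDF (RFC 5869) over SHA-384, written out here so
// the example runs with the standard library alone.
func hkdfSHA384(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha512.New384, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, block []byte
	for i := byte(1); len(out) < n; i++ {
		exp := hmac.New(sha512.New384, prk)
		exp.Write(block)
		exp.Write(info)
		exp.Write([]byte{i})
		block = exp.Sum(nil)
		out = append(out, block...)
	}
	return out[:n]
}

var errKeyAgreement = errors.New("hybrid key agreement failed: session aborted")

// combineHybrid derives the session key from BOTH shared secrets. A missing or
// degenerate component fails the whole agreement, so no session can rest on the
// classical or the post-quantum part alone. The handshake transcript is the
// HKDF salt, binding the key to the public values that produced it. Both inputs
// are fixed-length in practice (32 bytes each for X25519 and ML-KEM), so plain
// concatenation is unambiguous.
func combineHybrid(classicalSS, pqSS, transcript []byte) ([]byte, error) {
	if len(classicalSS) == 0 || len(pqSS) == 0 {
		return nil, errKeyAgreement
	}
	// crypto/ecdh already rejects low-order X25519 points; this check keeps the
	// combiner safe if a different ECDH implementation is plugged in.
	if bytes.Equal(classicalSS, make([]byte, len(classicalSS))) {
		return nil, errKeyAgreement
	}
	ikm := append(append([]byte{}, classicalSS...), pqSS...)
	return hkdfSHA384(transcript, ikm, []byte("example hybrid session key v1"), 32), nil
}

// demoHybrid runs one exchange between two parties and reports whether they
// derive the same session key.
func demoHybrid() (bool, error) {
	curve := ecdh.X25519()
	alice, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	bob, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	aliceSS, err := alice.ECDH(bob.PublicKey())
	if err != nil {
		return false, err
	}
	bobSS, err := bob.ECDH(alice.PublicKey())
	if err != nil {
		return false, err
	}
	// CONSTRUCTED stand-in for the ML-KEM shared secret: in a real handshake one
	// side encapsulates to the other's ML-KEM public key and both obtain these
	// 32 bytes. Here they are simply shared for the demonstration.
	pqSS := make([]byte, 32)
	if _, err := rand.Read(pqSS); err != nil {
		return false, err
	}
	transcript := append(alice.PublicKey().Bytes(), bob.PublicKey().Bytes()...)
	ka, err := combineHybrid(aliceSS, pqSS, transcript)
	if err != nil {
		return false, err
	}
	kb, err := combineHybrid(bobSS, pqSS, transcript)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ka, kb), nil
}

func main() {
	ok, err := demoHybrid()
	fmt.Println("both sides derived the same key:", ok, err)
	_, err = combineHybrid([]byte("classical-only"), nil, []byte("transcript"))
	fmt.Println("missing post-quantum component:", err)
}
```

Swapping the constructed `pqSS` for a real ML-KEM decapsulation output is the only change needed to make the combiner genuine; the "both must succeed" property lives entirely in `combineHybrid`, which never has a code path that derives a key from one component.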
Encrypted Transport
All data in transit is protected by authenticated encryption. Nonce management, replay prevention, and DDoS resistance are built into the protocol.
Automatic Breach Containment
Automatic key refresh limits the impact of any single key compromise. Past and future traffic stay protected. Forward secrecy is structural, not optional.
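The following Go program is an added example, not AegisWire's code, of the epoch-rekey idea behind that paragraph: each refresh mixes a fresh X25519 exchange into a one-way key chain and overwrites the previous material in place. The `session` type, `refresh`, `runEpoch` and the initial secret are constructed for this illustration. The fresh ECDH input is what keeps later epochs safe if the current state leaks; the one-way HMAC step is what keeps earlier epochs safe.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// session holds the key material for one side of a tunnel. Only the current
// chain key and epoch key exist in memory; nothing older is retained.
type session struct {
	chainKey []byte // advances one-way every epoch
	epochKey []byte // protects traffic for the current epoch only
	epoch    uint64
}

func newSession(initialSecret []byte) *session {
	return &session{chainKey: append([]byte{}, initialSecret...)}
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// refresh mixes a fresh ECDH shared secret into the chain and derives the next
// epoch key. The previous chain key, epoch key and the raw ECDH output are
// overwritten before the new values are installed.
func (s *session) refresh(mine *ecdh.PrivateKey, peer *ecdh.PublicKey) error {
	ss, err := mine.ECDH(peer)
	if err != nil {
		return err
	}
	derive := func(label byte) []byte {
		m := hmac.New(sha512.New384, s.chainKey)
		m.Write(ss)
		m.Write([]byte{label})
		return m.Sum(nil)
	}
	nextChain := derive(1)
	nextEpoch := append([]byte{}, derive(2)[:32]...)
	zero(s.chainKey)
	zero(s.epochKey)
	zero(ss)
	s.chainKey, s.epochKey = nextChain, nextEpoch
	s.epoch++
	return nil
}

// runEpoch performs one automatic key refresh between two sessions: each side
// generates a fresh X25519 share, the public values are exchanged, and both
// sides refresh.
func runEpoch(a, b *session) error {
	curve := ecdh.X25519()
	ea, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	eb, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	if err := a.refresh(ea, eb.PublicKey()); err != nil {
		return err
	}
	return b.refresh(eb, ea.PublicKey())
}

func main() {
	// CONSTRUCTED initial secret; in practice this is the handshake output.
	initial := []byte("constructed-initial-secret-for-demo")
	a, b := newSession(initial), newSession(initial)
	for i := 0; i < 3; i++ {
		prev := a.epochKey
		if err := runEpoch(a, b); err != nil {
			panic(err)
		}
		fmt.Printf("epoch %d: keys match=%v previous key zeroised=%v\n",
			a.epoch, bytes.Equal(a.epochKey, b.epochKey), bytes.Equal(prev, make([]byte, len(prev))))
	}
}
```

Holding a reference to the old `epochKey` slice across a refresh, as `main` does, is a cheap way to check in a test that the zeroisation actually happened rather than the slice merely being replaced.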
Policy Enforcement
Policies are signed at the management platform and verified at every gateway. Unsigned or tampered policies are rejected. No policy drift, no unauthorized overrides.
Deterministic Wire Format
A canonical encoding gives deterministic serialisation: the same message always produces the same bytes. The wire format is compact, unambiguous, and supports byte-level verification of cryptographic operations.
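The two points above, signed policies verified at every gateway and a canonical wire encoding that can be checked byte for byte, are illustrated together in the following Go example. It is added here and is not AegisWire's code: the `Policy` fields, the length-prefixed encoding in `canonical`, and the choice of Ed25519 are assumptions of the example, and the sample policy is constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"sort"
)

// Policy is a hypothetical gateway policy document; the field names are
// invented for this example and are not AegisWire's schema.
type Policy struct {
	TenantID string
	Version  uint64
	Rules    map[string]string // rule name -> "allow" or "deny"
}

// canonical serialises a Policy to exactly one byte string: fixed field order,
// map keys sorted, every variable-length value length-prefixed. Go randomises
// map iteration order, so sorting is what makes the output deterministic, and
// the length prefixes make the encoding unambiguous.
func canonical(p Policy) []byte {
	var out []byte
	putStr := func(s string) {
		out = binary.BigEndian.AppendUint32(out, uint32(len(s)))
		out = append(out, s...)
	}
	putStr(p.TenantID)
	out = binary.BigEndian.AppendUint64(out, p.Version)
	keys := make([]string, 0, len(p.Rules))
	for k := range p.Rules {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	out = binary.BigEndian.AppendUint32(out, uint32(len(keys)))
	for _, k := range keys {
		putStr(k)
		putStr(p.Rules[k])
	}
	return out
}

// SignedPolicy is what the management platform distributes to gateways.
type SignedPolicy struct {
	Policy    Policy
	Signature []byte // Ed25519 over canonical(Policy); empty means unsigned
}

// generateKeys creates the management platform's signing key pair.
func generateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signPolicy(priv ed25519.PrivateKey, p Policy) SignedPolicy {
	return SignedPolicy{Policy: p, Signature: ed25519.Sign(priv, canonical(p))}
}

var errPolicyRejected = errors.New("policy rejected: missing or invalid signature")

// verifyAtGateway re-serialises the received policy and checks the signature
// with the management platform's public key. Unsigned or altered policies are
// rejected outright; there is no unsigned fallback.
func verifyAtGateway(pub ed25519.PublicKey, sp SignedPolicy) (Policy, error) {
	if len(sp.Signature) != ed25519.SignatureSize {
		return Policy{}, errPolicyRejected
	}
	if !ed25519.Verify(pub, canonical(sp.Policy), sp.Signature) {
		return Policy{}, errPolicyRejected
	}
	return sp.Policy, nil
}

func main() {
	pub, priv := generateKeys()
	// CONSTRUCTED sample policy, built twice with the map in different order.
	p := Policy{TenantID: "tenant-demo", Version: 7,
		Rules: map[string]string{"ssh-to-prod": "deny", "https-to-api": "allow"}}
	same := Policy{TenantID: "tenant-demo", Version: 7,
		Rules: map[string]string{"https-to-api": "allow", "ssh-to-prod": "deny"}}
	fmt.Println("canonical bytes identical:", bytes.Equal(canonical(p), canonical(same)))

	sp := signPolicy(priv, p)
	_, err := verifyAtGateway(pub, sp)
	fmt.Println("signed policy accepted:", err == nil)

	_, err = verifyAtGateway(pub, SignedPolicy{Policy: p})
	fmt.Println("unsigned policy:", err)

	sp.Policy.Rules["ssh-to-prod"] = "allow" // altered in transit
	_, err = verifyAtGateway(pub, sp)
	fmt.Println("tampered policy:", err)
}
```

Because the gateway signs and verifies the canonical bytes rather than whatever serialisation happened to arrive, a policy re-encoded by an intermediary still verifies, while any change to its content does not.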
Tenant Isolation
Each customer tenant operates with dedicated management platform resources, isolated database, and separate secrets. Cross-tenant data leakage is structurally prevented, not policy-gated.
Security Practices
What we do in practice, every day, as part of the engineering process.
Secure Development Lifecycle
Code review on every change. Static analysis with gosec and staticcheck in CI. Type-safe languages (Go, Rust) with strict compiler settings. No unsafe defaults in production paths.
Dependency Management
Automated dependency scanning. SBOM generation for every release. Pinned dependency versions. Known-vulnerability monitoring with automated alerts.
Fail-Closed Design
Authentication, authorisation, and policy enforcement fail closed. If a security check cannot complete, the request is denied. No silent fallback to permissive mode.
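An added Go example, not AegisWire's code, of the fail-closed rule applied to an authorisation check that depends on a policy store: the permissive variant is shown first as the anti-pattern, then the fail-closed variant. `PolicyStore`, `fakeStore` and the subjects and actions are constructed for the illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Decision is the outcome of an authorisation check. Deny is the zero value on
// purpose: anything left uninitialised or unhandled denies.
type Decision int

const (
	Deny Decision = iota
	Allow
)

// PolicyStore is a hypothetical dependency the gateway consults per request.
type PolicyStore interface {
	Lookup(ctx context.Context, subject, action string) (Decision, error)
}

// authorizeFailOpen is the anti-pattern: a lookup error is read as "nothing
// forbids this", so an outage of the policy store silently grants access.
func authorizeFailOpen(ctx context.Context, s PolicyStore, subject, action string) Decision {
	d, err := s.Lookup(ctx, subject, action)
	if err != nil {
		return Allow // BUG: permissive fallback when the check cannot complete
	}
	return d
}

// authorizeFailClosed grants access only on an explicit, error-free Allow.
// A store error, a timeout, or any unexpected decision value all deny, and the
// error is returned so the outage is visible in logs rather than hidden.
func authorizeFailClosed(ctx context.Context, s PolicyStore, subject, action string) (Decision, error) {
	d, err := s.Lookup(ctx, subject, action)
	if err != nil {
		return Deny, fmt.Errorf("policy check incomplete, denying %s/%s: %w", subject, action, err)
	}
	if d != Allow {
		return Deny, nil
	}
	return Allow, nil
}

// fakeStore is a constructed stand-in for the real store: it can fail outright,
// respond slowly, or answer from a fixed table.
type fakeStore struct {
	allow map[string]bool
	fail  error
	delay time.Duration
}

func (f fakeStore) Lookup(ctx context.Context, subject, action string) (Decision, error) {
	if f.fail != nil {
		return Deny, f.fail
	}
	select {
	case <-time.After(f.delay):
	case <-ctx.Done():
		return Deny, ctx.Err()
	}
	if f.allow[subject+":"+action] {
		return Allow, nil
	}
	return Deny, nil
}

func main() {
	healthy := fakeStore{allow: map[string]bool{"alice:connect": true}}
	down := fakeStore{fail: errors.New("policy store unavailable")}
	slow := fakeStore{allow: map[string]bool{"alice:connect": true}, delay: 500 * time.Millisecond}

	ctx := context.Background()
	fmt.Println("healthy store, fail-open  :", authorizeFailOpen(ctx, healthy, "alice", "connect") == Allow)
	fmt.Println("store down, fail-open     :", authorizeFailOpen(ctx, down, "bob", "connect") == Allow, "(granted during outage)")

	d, err := authorizeFailClosed(ctx, down, "bob", "connect")
	fmt.Println("store down, fail-closed   :", d == Allow, err)

	tctx, cancel := context.WithTimeout(ctx, 50*time.Millisecond)
	defer cancel()
	d, err = authorizeFailClosed(tctx, slow, "alice", "connect")
	fmt.Println("store slow, fail-closed   :", d == Allow, errors.Is(err, context.DeadlineExceeded))
}
```

The timeout case is the one most often missed: a check that never returns is as incomplete as one that errors, so the deadline has to be part of the check and expiry has to map to Deny.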
Least Privilege
Services run with minimum required permissions. IAM roles are scoped to specific operations. No shared credentials between components. Secrets are managed through dedicated secret stores.
Structured Logging & Audit
All security-relevant operations produce structured audit logs. Sensitive data is never logged. Logs include correlation identifiers for incident tracing. Audit trails are append-only.
Reproducible Builds
The build process produces identical outputs from identical inputs. Every release artifact is signed. Signature verification is part of the client update path.
Security & Compliance Posture
Engineering built against the cryptographic standards that will govern regulated procurement through 2031. Third-party certifications are commissioned alongside the customer engagements that scope them — not collected as marketing inventory.
CNSA 2.0 · NCSC · NIST PQ
Every session uses the post-quantum parameter sets specified by the US NSA CNSA 2.0 mandate, UK NCSC migration guidance, and the NIST post-quantum standards. Uniform across tenants, uniform across deployments. Zero downgrade path.
FIPS 140-3 engineering posture
The cryptographic module is engineered to FIPS 140-3 Level 2 / Level 3 design patterns — approved algorithms, boundary-enforced key lifecycle, tamper-evident build chain. Formal CMVP validation is scoped with national-security engagements.
Signed releases & evidence bundle
Every container image cryptographically signed. SBOM generated per release. Reproducible-build attestations published. Audit-evidence bundle ready for procurement on day one. Independently verifiable from source.
UK & EU GDPR by design
Privacy-preserving monitoring — no content inspection, no payload logging. DPA with UK IDTA and EU SCCs. Published sub-processor list. ITLOX LTD registered in England & Wales.
Responsible disclosure
Published vulnerability disclosure policy with safe harbour. Dedicated security@aegiswire.com contact. 48-hour acknowledgement commitment.
SOC 2 · ISO 27001 · CMVP · FedRAMP
Third-party attestations are scoped alongside the commercial engagement that requires them. The architecture is built to carry every one of SOC 2 Type II, ISO 27001, FIPS 140-3 CMVP, NIS2, HIPAA BAA, PCI DSS, FedRAMP, and NCSC Foundation Grade — the audit schedule is set by the contract.
Data Handling
How we protect, store, and manage your data throughout its lifecycle.
Encryption at Rest
All stored data is encrypted at rest using AES-256. Database volumes, backups, and object storage use server-side encryption with managed keys. Encryption is not optional.
Encryption in Transit
All API traffic uses modern TLS. Tunnel traffic uses the AegisWire encrypted transport with hybrid post-quantum key exchange. No unencrypted communication paths exist in the platform.
Tenant Data Isolation
Each tenant has a dedicated database. Cross-tenant queries are structurally impossible. Management platform resources are provisioned per-tenant with separate secrets and credentials.
What We Store
Subscription and billing data, metering events, audit logs, device enrollment records, and policy configurations. We do not store, inspect, or log tunnel traffic content.
Data Retention & Deletion
Audit logs are retained per your tier’s retention policy. Account deletion removes all associated data. GDPR data export endpoint is operational for data portability requests.
No Traffic Inspection
AegisWire never inspects, logs, or stores the content of tunnel traffic. We see metadata required for routing and metering only. Full traffic privacy is the default operating mode.
Deployment Options
Choose the trust boundary that matches your requirements. All deployment models run the same security architecture.
Managed Cloud
Fully managed by AegisWire. Dedicated per-tenant management platform provisioned automatically. We handle infrastructure, updates, and operational monitoring.
- Dedicated tenant database
- Automated provisioning
- Managed updates and patches
Self-Hosted
Deploy on your own infrastructure. Full control over data residency, network boundaries, and operational procedures. Same software, your trust boundary.
- Your infrastructure, your rules
- Data residency control
- Sovereign deployment support
Hardware Appliance
Pre-configured hardware with local PostgreSQL, full user management, and hardware-bound licensing. Connects to the platform via phone-home heartbeat.
- Air-gap capable operations
- Hardware-bound licensing
- Local data processing
Customer Security Reviews
We welcome customer security reviews as part of procurement due diligence. If you are evaluating AegisWire for a regulated environment, we will work with your security team to provide the information you need.
What we can provide
- Architecture documentation and security design overview
- Completed security questionnaires (CAIQ, SIG, or your own format)
- Data processing addendum and privacy documentation
- Technical discussion with the engineering team
To initiate a security review, contact us directly.
security@aegiswire.com