Security as an engineering property
AegisWire is engineered for environments where security is a measurable property of the system, not a line in a procurement questionnaire. Every session runs the full post-quantum suite, every release is signed, and the evidence a regulated buyer expects is ready from the first conversation.
Evidence at a glance
What procurement can expect on day one
Every item below is available under NDA and bundled into the evaluation package.
The system behind the posture
Trust is what the transport guarantees
The evidence pack documents the process. The named primitives below are the product — the AWT_UNIFIED post-quantum transport that every client, every gateway, and every site-to-site link runs without exception.
Post-quantum cryptography
The primitives behind every session
Client platforms
Same posture, every endpoint
macOS, iOS, Linux, Windows, and Android all ship the full post-quantum client — the same engine on every platform.
Operational guarantees
Engineered to fail closed
AI Sentinel
A separately licensed defence plugin layered on the transport: entity-graph and temporal detectors plus device-posture admission control, fusing live session signals into per-tenant, fully isolated threat decisions. Licensed independently of the core platform — never trained across tenants.
Explore AI DefenseDeveloper SDK
Embed the same post-quantum transport directly in your application. Sold as token-metered and monthly-call packages, staff-provisioned per engagement — the cryptographic posture an SDK build inherits is identical to the managed clients.
View the SDKPost-quantum posture
One standard, every customer
Every AegisWire customer runs the same post-quantum cryptographic posture across every handshake, every packet, every deployment tier. No commercial-grade downgrade path, no per-tenant suite selection, no mid-session negotiation to a weaker cipher. Self-hosted, Managed, Hardware, and Enterprise deployments share one uniform cryptographic stance.
CNSA 2.0 — in force today, mandated from 2027.
The US NSA's Commercial National Security Algorithm Suite 2.0 is the post-quantum cryptographic standard for new US national-security systems. The published NSA timeline calls for new systems to support CNSA 2.0 from 2027, use it exclusively for new commissioning from 2030, and move to full enforcement in 2031.
AegisWire runs the CNSA 2.0 posture for every customer, every handshake, every licence. A bank on Managed and a national-lab customer on Enterprise receive the same cryptographic posture as the strictest procurement tier. There is no weaker path for any customer class.
One implementation answers both regimes.
The UK National Cyber Security Centre publishes post-quantum cryptography migration guidance for UK government, UK MoD supply chain, and UK critical-infrastructure operators. NCSC guidance tracks NIST's post-quantum standardisation and aligns on the same parameter-set strengths used in CNSA 2.0.
The cryptographic posture AegisWire live satisfies both the US CNSA 2.0 mandate and the UK NCSC post-quantum guidance — one cryptographic module, two regimes answered. NCSC Foundation Grade assurance submission is commissioned alongside UK MoD supply-chain engagements.
A replacement suite, already compiled.
A single-suite deployment inherits the cryptanalytic risk of that suite. AegisWire mitigates this by maintaining a pre-registered emergency replacement suite — compiled and continuously validated in the build pipeline, but never shipped in production binaries.
If a future cryptanalytic result ever required cutover, the replacement suite is drawn from a fundamentally different mathematical family from the deployed one. The cutover procedure, licence re-signing path, and client cut-off sequence are pre-documented for operators. The operational runbook is held as internal evidence and is available to security evaluators under NDA.
Security architecture
Purpose-built, not inherited
The cryptographic and architectural foundations of AegisWire are built from the protocol up — not assembled from commodity VPN toolkits.
No Downgrade Path
The hybrid key exchange named above protects every session against harvest-now-decrypt-later attacks. Both the classical and quantum-safe components must succeed — there is no negotiation to a weaker cipher, on any tier.
Authenticated Transport
All data in transit is sealed with authenticated encryption. Nonce management, replay prevention, and DDoS resistance are built into the protocol — not bolted on at the edge.
Automatic Breach Containment
STREAMHEAL rekeying limits the impact of any single key compromise. Past and future traffic stay protected. Forward secrecy is structural, not optional.
Signed Policy Enforcement
Policies are signed at the management platform and verified at every gateway. Unsigned or tampered policies are rejected. No policy drift, no unauthorized overrides.
Deterministic Wire Format
Canonical encoding for deterministic serialisation. The wire format is compact, unambiguous, and supports byte-level verification for every cryptographic operation.
Tenant Isolation
Each customer tenant operates with dedicated management platform resources, an isolated database, and separate secrets. Cross-tenant data leakage is structurally prevented, not policy-gated.
Security practices
What we do every day
Engineering discipline that holds up under audit — built into the process, not retrofitted for review.
Secure Development Lifecycle
Code review on every change. Static analysis with gosec and staticcheck in CI. Type-safe languages (Go, Rust) with strict compiler settings. No unsafe defaults in production paths.
Dependency Management
Automated dependency scanning. SBOM generation for every release. Pinned dependency versions. Known-vulnerability monitoring with automated alerts.
Fail-Closed Design
Authentication, authorisation, and policy enforcement fail closed. If a security check cannot complete, the request is denied. No silent fallback to permissive mode.
Least Privilege
Services run with minimum required permissions. IAM roles are scoped to specific operations. No shared credentials between components. Secrets are managed through dedicated secret stores.
Structured Logging & Audit
All security-relevant operations produce structured audit logs. Sensitive data is never logged. Logs include correlation identifiers for incident tracing. Audit trails are append-only.
Reproducible Builds
The build process produces identical outputs from identical inputs. Every release artifact is signed, and signature verification is part of the client update path.
Security & compliance posture
Built to the controls these audits examine
Engineered against the cryptographic standards that will govern regulated procurement through 2031. Third-party certifications are commissioned alongside the customer engagements that scope them — not collected as marketing inventory.
CNSA 2.0 · NCSC · NIST PQ
Every session uses the post-quantum parameter sets specified by the US NSA CNSA 2.0 mandate, UK NCSC migration guidance, and the NIST post-quantum standards. Uniform across tenants, uniform across deployments. Zero downgrade path.
FIPS 140-3 engineering posture
The cryptographic module is engineered to FIPS 140-3 Level 2 / Level 3 design patterns — approved algorithms, boundary-enforced key lifecycle, tamper-evident build chain. Formal CMVP validation is scoped with national-security engagements.
Signed releases & evidence bundle
Every container image cryptographically signed. SBOM generated per release. Reproducible-build attestations published. Audit-evidence bundle ready for procurement on day one. Independently verifiable from source.
UK & EU GDPR by design
Privacy-preserving monitoring — no content inspection, no payload logging. DPA with UK IDTA and EU SCCs. Published sub-processor list. ITLOX LTD registered in England & Wales.
Responsible disclosure
Published vulnerability disclosure policy with safe harbour. Dedicated security@aegiswire.com contact. 48-hour acknowledgement commitment.
SOC 2 · ISO 27001 · CMVP · FedRAMP
Third-party attestations are scoped alongside the commercial engagement that requires them. The architecture is built to carry every one of SOC 2 Type II, ISO 27001, FIPS 140-3 CMVP, NIS2, HIPAA BAA, PCI DSS, FedRAMP, and NCSC Foundation Grade — the audit schedule is set by the contract.
Data handling
Privacy is the default mode
How we protect, store, and manage your data throughout its lifecycle — and what we deliberately never touch.
Encryption at Rest
All stored data is encrypted at rest using AES-256. Database volumes, backups, and object storage use server-side encryption with managed keys. Encryption is not optional.
Encryption in Transit
All API traffic uses modern TLS. Tunnel traffic uses the AegisWire post-quantum transport with hybrid key exchange. No unencrypted communication paths exist in the platform.
Tenant Data Isolation
Each tenant has a dedicated database. Cross-tenant queries are structurally impossible. Management platform resources are provisioned per-tenant with separate secrets and credentials.
What We Store
Subscription and billing data, metering events, audit logs, device enrollment records, and policy configurations. We do not store, inspect, or log tunnel traffic content.
Data Retention & Deletion
Audit logs are retained per your tier’s retention policy. Account deletion removes all associated data. The GDPR data-export endpoint is operational for data-portability requests.
No Traffic Inspection
AegisWire never inspects, logs, or stores the content of tunnel traffic. We see only the metadata required for routing and metering. Full traffic privacy is the default operating mode.
Deployment options
Pick your trust boundary
Choose the deployment model that matches your requirements. Every one runs the identical security architecture — the cryptographic posture never changes with the boundary.
Managed Cloud
Fully managed by AegisWire. Dedicated per-tenant management platform provisioned automatically. We handle infrastructure, updates, and operational monitoring.
- Dedicated tenant database
- Automated provisioning
- Managed updates and patches
Self-Hosted
Deploy on your own infrastructure. Full control over data residency, network boundaries, and operational procedures. Same software, your trust boundary.
- Your infrastructure, your rules
- Data residency control
- Sovereign deployment support
Hardware Appliance
Pre-configured hardware with local PostgreSQL, full user management, and hardware-bound licensing. Connects to the platform via phone-home heartbeat.
- Air-gap capable operations
- Hardware-bound licensing
- Local data processing
Customer security reviews
Bring your security team
We welcome customer security reviews as part of procurement due diligence. If you are evaluating AegisWire for a regulated environment, we will work with your security team to provide the information you need.
What we can provide
- Architecture documentation and security design overview
- Completed security questionnaires (CAIQ, SIG, or your own format)
- Data processing addendum and privacy documentation
- Technical discussion with the engineering team
To initiate a security review, contact us directly.
security@aegiswire.com