Security controls built for trust, proof, and scale.
We are building privacy-first DNS, enterprise proxy, converged HSM, Vault, and Ledger platforms with one standard: transparent engineering, reproducible delivery, and operational evidence that stands up in regulated environments.
Transparency
Architecture notes, threat models, and change logs are shared with partners before material deployment decisions.
Verifiability
Signed artifacts, reproducible build guidance, and open policy definitions support independent verification.
Co-design
We work directly with operators and compliance leaders so controls reflect your environment rather than a generic checklist.
Platform
Controls engineered for auditability by design.
Each product is developed with shared primitives: deterministic builds, hardware-backed trust anchors, and operator-ready documentation.
Lab testing
CA
Enterprise certificate authority with ACME automation
A policy-driven certificate authority for enterprise provisioning, renewal, and revocation workflows with full ACME protocol support.
- ACME endpoints for automated certificate issuance and renewal
- Policy-based issuance controls with role and environment scoping
- Auditable certificate lifecycle events from request to revocation
Lab testing
DNS
Authoritative + recursive DNS with secure transport endpoints
Rust DNS service supporting authoritative internal zones, recursive resolution fallback, secure DNS transports, and live config reload.
- Authoritative zone serving with SOA/NS/A/AAAA/TXT/SRV record support
- Recursive forwarding using configured resolvers or built-in root hints
- UDP/TCP, DoT, DoH (HTTP/2), DoQ, and DoH3 listener support
Lab testing
Proxy
Multi-protocol edge proxy for HTTP, HTTPS, and SOCKS5
Rust proxy service with per-mode listener controls, optional HTTPS auth, domain blacklist filtering, response caching, and config reload.
- Run HTTP, HTTPS, and SOCKS5 listeners concurrently with independent ports
- Optional HTTPS basic/bearer authentication and TLS cert/key configuration
- Cache responses in memory (Moka) or Redis with blacklist-aware routing
Lab testing
HSM
gRPC cryptography service with partition-aware access control
Rust gRPC service exposing RSA, ECDSA, hash, PQC, symmetric, and curve operations with partition credential validation.
- Service modules for RSA, ECDSA, SHA-2/SHA-3/SM3, AES, Curve25519/448, ML-DSA, and ML-KEM
- JSON-based partition id/secret validation hooks for request gating
- Protobuf/prost service boundaries with reusable middleware and partition crates
Lab testing
Vault
Offline-first secret management with controlled synchronization
Vault manages passwords, passkeys, SSH keys, and secure records locally by default, with synchronization enabled only through explicit policy and approval.
- Unified keybag for passwords, passkeys, SSH keys, cards, and secure notes
- Local-first cryptography with policy-gated synchronization controls
- Client-side approvals and tamper-evident history for accountable workflows
Lab testing
Ledger
Raft-replicated append service with checkpoint anchoring
Rust ledger service with HTTP append API, Raft consensus over UDP, persistent log state, and checkpoint/anchor workflows.
- Leader-aware append endpoint with redirect responses for follower nodes
- Raft worker + UDP transport for replicated append commands
- Checkpoint records containing cluster id, committed index, and global hash
Why we build this way
Architecture, compliance, and operations in one conversation.
Confidence before scale
Integration reviews, tabletop simulations, and open security notes are part of the build cycle from the beginning.
Intentional surface area
We prioritize fewer, stronger controls. Each product defaults to least privilege and produces direct audit evidence.
Uncompromised privacy
Data remains in the environment you designate. When signal collection is required, it is limited, attributable, and tightly controlled.
Get involved
Ready to review the blueprint?
Briefings cover architecture drafts, certification timelines, and validation workflows. Bring operations, compliance, and assurance teams; we design for rigorous review.