App-layer identity
Every agent proves itself with an Ed25519 key it holds locally — never a transport client certificate and never a shared bearer secret on the wire.
Sovereign endpoint security & AI
Apex Vantage collapses endpoint management and security into a single lightweight agent that holds an encrypted, outbound-only connection to a central control plane — no inbound firewall rules, no client certs, no secrets on the wire. It survives TLS-inspecting proxies, runs fully air-gapped, and keeps your data, your AI and your control entirely within your own sovereign boundary.
Architecture
Every device runs one agent that reaches out over a single HTTPS/WSS channel. Nothing listens for inbound connections, so there is no attack surface to expose — and the whole system can operate with no internet at all.
Every device you manage — Windows, Linux and macOS — runs one lightweight agent that installs and updates itself.
The secure command centre for your estate — where policies are set, work is orchestrated across every device, and every action is signed and recorded.
Security-first by architecture
Trust is enforced in the design, not in configuration. Identity, authorisation and isolation are structural — so entire classes of attack simply aren't possible.
Every agent proves itself with an Ed25519 key it holds locally — never a transport client certificate and never a shared bearer secret on the wire.
Devices enrol with a single-use, hashed token. Identity is written on first run and the token is cleared — nothing reusable is left behind.
Every job the platform issues is cryptographically signed and verified on the device before it runs. Operators can't push unsigned work.
Isolation is enforced in the data layer itself, not in application code — so data can never cross a boundary it shouldn't.
One outbound channel on port 443, no listening ports, no inbound firewall rules. Proxy-safe and air-gap capable.
Every state change is logged with actor, target and outcome — and every AI action is captured in a separate assurance log for full traceability.
Sovereign by design
Sovereignty isn't a setting you switch on — it's the consequence of an architecture where nothing has to leave your control. Apex Vantage keeps four kinds of sovereignty intact by default.
Your inventory, posture, findings and logs never leave your network. No telemetry, no exfiltration, no third party quietly holding a map of your estate.
Apex runs its models on your own infrastructure. You get an AI that reasons over your environment without ever sending it to a foreign, hosted model.
No dependency on a vendor cloud that can go down, be cut off, or be compelled to hand over data. It runs fully air-gapped and keeps working with no internet at all.
Provable data residency and control, so you can satisfy data-sovereignty rules and resilience regimes like GDPR, NIS2, DORA, SecNumCloud and BSI IT-Grundschutz.
Capabilities
Real-time device facts, software, patches and posture collected through signed, allow-listed jobs — Cyber-Essentials-aligned checks across every OS, with soft-delete & 60-day retention.
Declarative desired state with continuous drift detection and remediation. Target device groups with additive, per-device overrides.
Offline OSV match surfaces CVEs, then EPSS + CISA KEV enrichment ranks them by real-world exploitability — KEV-listed first, not raw CVE counts.
Passive-by-default sensor maps topology, neighbours, connections and exposed services. Flags rogue / unmanaged assets and feeds the attack graph.
Approval-gated patch & reboot inside maintenance windows with auto-verify — plus risk-threshold autonomy that auto-approves only below a per-kind posture-score gate.
Every state change logged with actor, target and outcome — plus an AI assurance log capturing every Apex tool call, proposal and delegation for full traceability.
Operations
Pre-stamped Windows MSI, Linux .deb/.rpm and macOS .pkg — no manual enrolment. Identity is written on first run and the token cleared.
Operator-pushed, SHA-256-verified upgrade jobs apply via a detached updater — with a watchdog that rolls back automatically if the new agent fails to reconnect.
Soft-delete with 60-day retention and restore, plus agent self-uninstall on decommission — nothing purged in haste, everything auditable.
One agent, one outbound channel, and a team of AI specialists — sovereign and air-gapped, end to end.
Get a demo