Resources

Read up, and get answers.

Everything you need to understand Apex Vantage and make the case for sovereign, air-gapped security in your organisation.

White paper

Digital sovereignty in security & AI

Sovereignty has moved from policy debate to procurement requirement. This paper looks at what it really means for security and AI, the dependencies most tools quietly introduce, and what keeping your estate within your own borders looks like in practice.

Read the white paper

More white papers

Go deeper.

FAQ

Common questions.

Can Apex Vantage really run fully air-gapped?

Yes. The agent, the control plane and the AI all run on your own infrastructure. There is no cloud dependency and no telemetry leaving your network — Apex Vantage can operate on a network with no internet access at all.

How does Apex Vantage support data sovereignty and residency?

Everything — data, control plane and AI models — runs on infrastructure you own and govern, so your data and the AI that reasons over it never leave your network or your jurisdiction. That makes it straightforward to satisfy data-residency rules and resilience regimes such as GDPR, NIS2, DORA, SecNumCloud and BSI IT-Grundschutz, with a complete local audit trail as evidence.

Which operating systems are supported?

Windows, Linux and macOS, through one lightweight agent with full parity across all three. Self-provisioning installers are available for each (MSI, .deb/.rpm and .pkg).

What does the AI (Apex) actually do — and where does it run?

Apex is a multi-agent assistant that triages your questions and delegates to domain specialists (red-team, vulnerability, inventory, patch, compliance). Findings are computed deterministically, never invented by the model, and every model runs on-prem so no data leaves your network. A human confirms anything that changes a device.

How does it connect without opening inbound ports?

Each agent holds a single encrypted, outbound-only connection over HTTPS/WSS on port 443. Nothing listens for inbound connections, there are no inbound firewall rules, and it survives TLS-inspecting proxies.

Is the autonomous red-teaming safe to run in production?

Yes — it is strictly read-only analysis. It reasons over data you already hold to describe plausible attack paths; it never executes attacker tooling and never sends a job across an edge against a live device.

How is it deployed and kept up to date?

Devices enrol automatically with pre-stamped installers. Upgrades are operator-pushed, SHA-256-verified and applied by a detached updater, with a watchdog that rolls back automatically if a new agent fails to reconnect.

Still have questions?

Book a walkthrough and we'll answer them against your own environment.

Get a demo