App-layer identity
Every agent proves itself with an Ed25519 key it holds locally — never a transport client certificate and never a shared bearer secret on the wire.
The platform
ApexAI collapses endpoint management and security into a single lightweight agent that holds an encrypted, outbound-only connection to a central control plane — no inbound firewall rules, no client certs, no secrets on the wire. It survives TLS-inspecting proxies and runs fully air-gapped.
Architecture
Every device runs one agent that reaches out over a single HTTPS/WSS channel. Nothing listens for inbound connections, so there is no attack surface to expose — and the whole system can operate with no internet at all.
Every device across your estate — Windows, Linux and macOS — runs one lightweight agent that installs and updates itself.
The secure command centre for your estate — where policies are set, work is orchestrated across every device, and every action is signed and recorded.
Security-first by architecture
Trust is enforced in the design, not in configuration. Identity, authorisation and isolation are structural — so entire classes of attack simply aren't possible.
Every agent proves itself with an Ed25519 key it holds locally — never a transport client certificate and never a shared bearer secret on the wire.
Devices enrol with a single-use, hashed token. Identity is written on first run and the token is cleared — nothing reusable is left behind.
Every job the platform issues is cryptographically signed and verified on the device before it runs. Operators can't push unsigned work.
Isolation is enforced in the data layer itself, not in application code — so data can never cross a boundary it shouldn't.
One outbound channel on port 443, no listening ports, no inbound firewall rules. Proxy-safe and air-gap capable.
Every state change is logged with actor, target and outcome — and every AI action is captured in a separate assurance log for full traceability.
Capabilities
Real-time device facts, software, patches and posture collected through signed, allow-listed jobs — Cyber-Essentials-aligned checks across every OS, with soft-delete & 60-day retention.
Declarative desired state with continuous drift detection and remediation. Target device groups with additive, per-device overrides.
Offline OSV match surfaces CVEs, then EPSS + CISA KEV enrichment ranks them by real-world exploitability — KEV-listed first, not raw CVE counts.
Passive-by-default sensor maps topology, neighbours, connections and exposed services. Flags rogue / unmanaged assets and feeds the attack graph.
Approval-gated patch & reboot inside maintenance windows with auto-verify — plus risk-threshold autonomy that auto-approves only below a per-kind posture-score gate.
Every state change logged with actor, target and outcome — plus an AI assurance log capturing every Vantage tool call, proposal and delegation for full traceability.
Operations
Pre-stamped Windows MSI, Linux .deb/.rpm and macOS .pkg — no manual enrolment. Identity is written on first run and the token cleared.
Operator-pushed, SHA-256-verified upgrade jobs apply via a detached updater — with a watchdog that rolls back automatically if the new agent fails to reconnect.
Soft-delete with 60-day retention and restore, plus agent self-uninstall on decommission — nothing purged in haste, everything auditable.
One agent, one outbound channel, and a team of AI specialists — air-gapped end to end.
Get a demo