The platform

One agent. One outbound channel.
Total control of the edge.

ApexAI collapses endpoint management and security into a single lightweight agent that holds an encrypted, outbound-only connection to a central control plane — no inbound firewall rules, no client certs, no secrets on the wire. It survives TLS-inspecting proxies and runs fully air-gapped.

Architecture

Outbound-only by design.

Every device runs one agent that reaches out over a single HTTPS/WSS channel. Nothing listens for inbound connections, so there is no attack surface to expose — and the whole system can operate with no internet at all.

Your fleet

Every device across your estate — Windows, Linux and macOS — runs one lightweight agent that installs and updates itself.

self-provisioning · self-upgrading
HTTPS :443 ⟂ WSSEd25519 proof-of-possession · signed jobs

Control plane

The secure command centre for your estate — where policies are set, work is orchestrated across every device, and every action is signed and recorded.

policies · orchestration · full audit trail

Security-first by architecture

Security you don't have to bolt on.

Trust is enforced in the design, not in configuration. Identity, authorisation and isolation are structural — so entire classes of attack simply aren't possible.

App-layer identity

Every agent proves itself with an Ed25519 key it holds locally — never a transport client certificate and never a shared bearer secret on the wire.

Single-use enrolment

Devices enrol with a single-use, hashed token. Identity is written on first run and the token is cleared — nothing reusable is left behind.

Signed & verified jobs

Every job the platform issues is cryptographically signed and verified on the device before it runs. Operators can't push unsigned work.

Strict data isolation

Isolation is enforced in the data layer itself, not in application code — so data can never cross a boundary it shouldn't.

Zero inbound surface

One outbound channel on port 443, no listening ports, no inbound firewall rules. Proxy-safe and air-gap capable.

Everything audited

Every state change is logged with actor, target and outcome — and every AI action is captured in a separate assurance log for full traceability.

Capabilities

Everything you need to see, secure and steer the edge.

Fleet & inventory

Real-time device facts, software, patches and posture collected through signed, allow-listed jobs — Cyber-Essentials-aligned checks across every OS, with soft-delete & 60-day retention.

Config-as-code

Declarative desired state with continuous drift detection and remediation. Target device groups with additive, per-device overrides.

Exploitability-first triage

Offline OSV match surfaces CVEs, then EPSS + CISA KEV enrichment ranks them by real-world exploitability — KEV-listed first, not raw CVE counts.

Network discovery

Passive-by-default sensor maps topology, neighbours, connections and exposed services. Flags rogue / unmanaged assets and feeds the attack graph.

Graduated remediation

Approval-gated patch & reboot inside maintenance windows with auto-verify — plus risk-threshold autonomy that auto-approves only below a per-kind posture-score gate.

Audit & AI assurance

Every state change logged with actor, target and outcome — plus an AI assurance log capturing every Vantage tool call, proposal and delegation for full traceability.

Operations

Built to run itself.

Self-provisioning installers

Pre-stamped Windows MSI, Linux .deb/.rpm and macOS .pkg — no manual enrolment. Identity is written on first run and the token cleared.

Self-upgrade & auto-rollback

Operator-pushed, SHA-256-verified upgrade jobs apply via a detached updater — with a watchdog that rolls back automatically if the new agent fails to reconnect.

Safe device lifecycle

Soft-delete with 60-day retention and restore, plus agent self-uninstall on decommission — nothing purged in haste, everything auditable.

See the platform on your estate.

One agent, one outbound channel, and a team of AI specialists — air-gapped end to end.

Get a demo