Resources
Read up, and get answers.
Everything you need to understand ApexAI and make the case for air-gapped security in your organisation.
Why air-gapped capability matters
Cloud-tethered security tools quietly assume connectivity — and quietly leak telemetry. This paper looks at why that's a growing liability, who can't accept it, and what genuinely air-gapped security and AI look like in practice.
Read the white paperMore white papers
Go deeper.
Exploitability, not CVE counts
Why raw CVE counts are a vanity metric — and how EPSS, CISA KEV and attack-path context let teams fix the small fraction of vulnerabilities that attackers actually reach for.
Read the white paper → White paperYour AI security tool is exfiltrating your estate
Cloud AI copilots quietly send the most sensitive description of your environment to systems you can't audit. Why that's a liability — and what on-prem AI does differently.
Read the white paper → White paperOne agent, zero inbound
How outbound-only architecture, app-layer cryptographic identity and signed jobs remove whole classes of attack that agent-based tools usually introduce.
Read the white paper → White paperAutonomous red-teaming without the blast radius
Continuous attack-path discovery that reasons over data you already hold — strictly read-only, never live exploitation — so it's safe even in fragile OT and CNI estates.
Read the white paper →FAQ
Common questions.
Can ApexAI really run fully air-gapped?
Yes. The agent, the control plane and the AI all run on your own infrastructure. There is no cloud dependency and no telemetry leaving your network — ApexAI can operate on a network with no internet access at all.
Which operating systems are supported?
Windows, Linux and macOS, through one lightweight agent with full parity across all three. Self-provisioning installers are available for each (MSI, .deb/.rpm and .pkg).
What does the AI (Apex Vantage) actually do — and where does it run?
Apex Vantage is a multi-agent assistant that triages your questions and delegates to domain specialists (red-team, vulnerability, inventory, patch, compliance). Findings are computed deterministically, never invented by the model, and every model runs on-prem so no data leaves your network. A human confirms anything that changes a device.
How does it connect without opening inbound ports?
Each agent holds a single encrypted, outbound-only connection over HTTPS/WSS on port 443. Nothing listens for inbound connections, there are no inbound firewall rules, and it survives TLS-inspecting proxies.
Is the autonomous red-teaming safe to run in production?
Yes — it is strictly read-only analysis. It reasons over data you already hold to describe plausible attack paths; it never executes attacker tooling and never sends a job across an edge against a live device.
How is it deployed and kept up to date?
Devices enrol automatically with pre-stamped installers. Upgrades are operator-pushed, SHA-256-verified and applied by a detached updater, with a watchdog that rolls back automatically if a new agent fails to reconnect.
Still have questions?
Book a walkthrough and we'll answer them against your own environment.
Get a demo