Air-gapped endpoint security & orchestration

Unify. Protect.
Automate. ApexAI.

A next-generation endpoint security platform that runs fully air-gapped — no cloud, no internet required. One lightweight agent across Windows, Linux and macOS, with autonomous red-teaming and Apex Vantage, an on-prem AI assistant that finds the attack paths and fixes the findings without a single byte leaving your network.

Configuration & Posture
Autonomous Red-Teaming
Apex Vantage AI Fixes
OS parity · Win · Linux · mac
443 single outbound port
1 agent · zero inbound rules
1 + 5 Vantage agents
Air-gap capable AI

How it works

One agent. One outbound channel.
Total control of the edge.

Apex collapses endpoint management and security into a single lightweight agent that holds an encrypted, outbound-only connection to a central control plane. No inbound firewall rules, no client certs, no bearer secrets on the wire — it survives TLS-inspecting proxies and even runs air-gapped. Everything an operator sees, every job an agent runs, is cryptographically signed and fully audited.

Your fleet

Every device across your estate — Windows, Linux and macOS — runs one lightweight agent that installs and updates itself, ready to manage and protect from the moment it comes online.

self-provisioning · self-upgrading
HTTPS :443 ⟂ WSSEd25519 proof-of-possession · signed jobs

Control plane

The secure command centre for your estate — where policies are set, work is orchestrated across every device, and every action is signed and recorded.

policies · orchestration · full audit trail

Capabilities across the platform

Everything you need to see, secure and steer the edge.

Fleet & inventory

Real-time device facts, software, patches and posture collected through signed, allow-listed jobs — Cyber-Essentials-aligned checks across every OS, with soft-delete & 60-day retention.

Config-as-code

Declarative desired state with continuous drift detection and remediation. Target device groups with additive, per-device overrides.

Exploitability-first triage

Offline OSV match surfaces CVEs, then EPSS + CISA KEV enrichment ranks them by real-world exploitability — KEV-listed first, not raw CVE counts.

Network discovery

Passive-by-default sensor maps topology, neighbours, connections and exposed services. Flags rogue / unmanaged assets and feeds the attack graph.

Graduated remediation

Approval-gated patch & reboot inside maintenance windows with auto-verify — plus risk-threshold autonomy that auto-approves only below a per-kind posture-score gate.

Audit & AI assurance

Every state change logged with actor, target and outcome — plus an AI assurance log capturing every Vantage tool call, proposal and delegation for full traceability.

Headline · AutoRedTeam

Autonomous red-teaming that thinks like an attacker — safely.

Apex continuously reasons over the data it already holds — inventory, software, matched CVEs and network topology — to discover and rank the realistic attack paths an adversary could chain through your estate. It blends CVSS, EPSS and CISA KEV into an exploit-realism score, then Vantage's red-team specialist narrates the kill-chain in plain English, citing the exact devices and CVEs.

  • Zero live traffic against your hosts — analysis, never exploitation
  • Operator / admin visibility only
  • Reproducible & auditor-defensible
apexai.global / #/w/prism · Prism
3 CRITICAL PATHS · exploit realism .92
web-edge-01 app-svr-12 file-svr-03 DC-PRIMARY ★
#1 → DC-PRIMARY0.92web-edge-01 ▸ app-svr-12 ▸ file-svr-03 ▸ DC-PRIMARY · KEV entry
#2 → file-svr-030.71vpn-gw-02 ▸ wks-17 ▸ file-svr-03
#3 → db-090.64printer-04 ▸ app-svr-12 ▸ db-09

Headline · Apex Vantage · Multi-agent

One assistant. A team of specialists that fix findings with you.

Apex Vantage is multi-agent. A supervisor triages your question and delegates to the right domain specialist — each with its own tools to help you remediate. Findings are computed deterministically, never invented by the model; every tool call, proposal and delegation lands in the assurance log; and a human confirms every write.

Aurora · Persona workspaces

Five workspaces. One vantage point.

Aurora reshapes the console around the person using it. Each role lands in a workspace tuned to their job — the KPIs they track, the queue they work, the Vantage briefing they need. One switch, and the same live data reframes for the executive, the operator or the auditor.

Horizon

Executive

Fleet posture, open criticals, weakest-device watchlist.

Bridge

IT manager

Devices online, remediation queue, pending approvals, stale agents.

Flightdeck

SOC operator

KEV-listed & critical CVEs, exploitability-ordered triage queue.

Prism

Threat hunter

Attack paths, entry points, exploit-realism ranking.

Ledger

Governance

AI actions audited, proposals awaiting approval, policy assurance.

Self-provisioning installers

Pre-stamped Windows MSI, Linux .deb/.rpm and macOS .pkg — no manual enrolment. Identity is written on first run and the token cleared.

Self-upgrade & auto-rollback

Operator-pushed, SHA-256-verified upgrade jobs apply via a detached updater — with a watchdog that rolls back automatically if the new agent fails to reconnect.

Safe device lifecycle

Soft-delete with 60-day retention and restore, plus agent self-uninstall on decommission — nothing purged in haste, everything auditable.

See the attack paths.
Close them with a team of AI specialists.

Cross-platform endpoint security, autonomous red-teaming and multi-agent Apex Vantage — over one outbound channel.

Get a demo

hello@apexai.global