ControlNetwork control you can physically verify.
Firevault Control gives you nine purpose-built modules across two layers. The Fire layer decides which paths exist. The Vault layer decides what those paths are allowed to touch. Every decision is enforced in hardware you can see, hear and physically verify.
-
FirebreakBreaks the external connection path
-
IsolateSeparates IT from the crown jewels
-
ArchivePreserves the asset for clean recovery
Why we built this
Software alone was never going to be enough.
Most security tools watch the network and hope to react in time. Control changes the network itself, so the bad outcome cannot happen in the first place.
An attacker who is in, gets to walk around
One compromised laptop is rarely the goal. It is the way in. Without a physical break in the path, the next system is only a hop away.
The off switch sits on the wires it is meant to cut
If the kill command travels the same network as the threat, the attacker is already standing next to the off switch. We move that switch off the network entirely.
Pulling cables works. It just does not scale
Every team that has handled a real incident knows the feeling. Control gives you the same outcome on demand, from anywhere, with a clean audit trail.
- Physical control over what is connected to what
- Nine modules, split across the FIRE and VAULT layers
- Composed into Blueprints around the outcome you need
- Anchored in hardware your auditor can hold
- Changes what is possible on the wire, not just what is allowed
- At home in OT, IT and AI environments
- Another dashboard full of alerts
- A replacement for your SIEM, EDR, XDR or SOC
- Software only, or cloud only
- A backup or a recovery product
- A policy document or a compliance checklist
- Another agent to deploy on another endpoint
Physics, not promises.
The nine modules
FIRE decides the path. VAULT looks after what sits on the end of it.
Each module does one job, and does it well. Pick the ones your environment needs and we will compose them into a Blueprint that fits.
Firebreak
FIREPhysically opens or closes connection paths to prevent unauthorised access and stop attack progression.
Isolate
FIRESeparates systems and networks into controlled zones to reduce lateral movement and enforce trust boundaries.
Relay
FIREAllows connectivity only when needed, for a defined purpose, under controlled conditions and for a limited time.
Execute
FIREInitiates control actions when a policy, approval, schedule, incident state or supervisory override requires action.
Validate
VAULTChecks whether a request, command or approval should proceed before access, action or transfer is allowed.
Archive
VAULTPreserves critical files and records for recovery, retention, compliance, continuity and evidential integrity.
Unlink
VAULTRemoves persistent connections, live dependencies and inherited trust relationships that keep sensitive assets exposed.
Lock
VAULTRestricts access through identity, authority, policy, permission and operational controls.
Transfer
VAULTControls how sensitive assets move into, out of or between protected environments through approved paths.
Blueprints in play
See the modules click together.
We deal the nine modules along a real path between a user and an asset. Firebreak lands on the gate, the route is severed, and the outcome speaks for itself. Click any card to pause.
3P·Open access only when required, close on completion.
The physical-break module · Firebreak
Firebreak makes the break physical.
- Physical Layer 1 break — when a module disconnects, the segment is unreachable, not just filtered.
- Out-of-band command path over dedicated management Ethernet, cellular SMS or authenticated API.
- Per-zone independence — isolate one circuit, one tenant, one segment, without touching the rest.
What Every Blueprint Includes
Four pillars under every Control Blueprint
Whatever the outcome, every Blueprint rests on the same physical foundation.
Out-of-band command path
Commands arrive over dedicated management Ethernet, cellular SMS, or an authenticated API. They never traverse the production network they control.
Learn morePer-zone independence
Each zone is switched independently. Isolate one circuit, one tenant, one SCADA segment, without touching the rest.
Learn moreAuditable, evidential log
Every action is logged locally and to SysLog. Verifiable records for NIS2, DORA, insurer scrutiny and internal audit.
Learn moreControl vs the alternatives
Detect-and-respond and manual shutdown are the two positions most teams pick between. Control is the third.
| Posture | Detect & respond | Manual shutdown | Control |
|---|---|---|---|
| Time to contain | Minutes to hours | Minutes, manual | Milliseconds, scheduled or on-demand |
| Reversible without site visit | Yes | No | Yes |
| Auditable physical action | No | Ad hoc | Yes |
| Depends on uncompromised software | Yes | No | No, hardware path |
| Scope of action | Alerts, blocks, isolates a host | Whole segment, all or nothing | Per-zone, per-module, per-blueprint |
| Out-of-band command path | No | No | Yes |
| Maps to NIS2 / DORA isolation | Indirect | Indirect | Yes |
Use Cases
Every sector reaches into the same six Blueprints.
Who Control Is For
From OT segments to national infrastructure
Control is built for operators who need physical certainty over what is reachable, when, and by whom.
Related Solutions
Take control. Before something else decides for you.
Tell us about your environment and we will walk you through how Control fits, where Firebreak sits, and what good looks like for your team.