Air-gapped deployment
no internet, no compromise

For organisations where connecting any system to the internet is not an option — defence networks, critical OT environments, BBN3 government infrastructure, or highly regulated financial systems — Gatekeeper runs fully air-gapped on your own hardware with zero external dependencies.

No cloud services at runtime
Local database, no telemetry
Offline CVE feed import
Internal TLS-only comms

Core capabilities

What air-gapped Gatekeeper delivers

Zero internet dependency

Every component of Gatekeeper runs on your own hardware. No external calls are made at runtime. Supabase runs as a self-hosted instance on your infrastructure. No telemetry, no cloud services, no callbacks.

Local data residency

All asset data, incident logs, compliance evidence, credentials, syslog entries, and SIEM events are stored exclusively on your local database instance. Data never transits an external network.

Internal agent communication

Remote node agents communicate with the Gatekeeper platform server over your internal network using the Supabase Realtime protocol. No external relay server is involved in the data path.

Offline CVE feeds

NVD and CISA KEV vulnerability feeds are imported as periodic offline bundles. CVE-to-asset correlation runs entirely within your environment. No live external lookups are required.

Encrypted at rest & in transit

All data is encrypted at rest on the local Supabase instance. Internal TLS (TLS 1.3) is used for all platform-to-agent communication, even within the air-gapped network.

Full audit trail on-prem

Every user action, configuration change, and system event is logged in the local activity log. Syslog entries from network devices are ingested and retained locally. No logs leave the perimeter.

Infrastructure requirements

What you need to get started

Application server

Linux host (Ubuntu 22.04+ or RHEL 9+), 4 vCPU, 8 GB RAM minimum

Database

Self-hosted Supabase (PostgreSQL 15+), 50 GB+ storage depending on inventory size

Agent hosts

Windows 10+ or Linux; Python 3.9+; network access to scanned subnets

TLS certificates

Internal CA or self-signed certificates for internal HTTPS (TLS 1.3)

CVE feed updates

Periodic offline bundle import via USB, SFTP, or internal file share

DNS

Internal DNS resolution only; no external DNS queries required at runtime

Target environments

Who deploys air-gapped Gatekeeper

Defence & intelligence

Networks processing classified information that must never connect to civilian internet infrastructure.

Critical infrastructure

OT/ICS environments, power grids, water management systems requiring complete network isolation.

BBN3 government

Dutch government systems classified at the highest BIO level (BBN3) that prohibit cloud connectivity.

Regulated financial

Financial institutions subject to DORA or internal policies prohibiting third-party cloud data processing.

Full feature parity

No capabilities removed for air-gapped environments

Air-gapped Gatekeeper includes every module available in the cloud-hosted version: network discovery, CMDB, IPAM, ITSM, SIEM, SOAR, MDM, compliance, AD integration, switch connector, FortiGate integration, sites & racks, and the AI assistant. The AI assistant uses a locally hosted model when running in full air-gap mode.