Defence & Government

Sovereign Infrastructure for National Security Workloads

Defence and government organisations cannot use public cloud for their most sensitive systems. DSEC OS provides hosting on hardware you physically control, with mandatory security enforcement at every layer and full supply chain transparency.

Pre-release — in-house production tested

No Cloud. No Third Parties. No Exceptions.

For defence and government workloads, the cloud provider itself is part of the threat model. Their employees, their infrastructure, their jurisdiction — each introduces risk that cannot be mitigated by configuration alone.

DSEC OS is deployed on hardware you own, in facilities you control, under your jurisdiction. The platform operates entirely self-contained. Air-gapped deployment is supported for environments that require complete network isolation from the public internet.

  • On-premises deployment — your hardware, your facilities
  • Air-gapped deployment for the most sensitive environments
  • No phone-home, no telemetry, no external dependencies
  • Full supply chain visibility — built on auditable open-source components
  • Jurisdiction determined by physical hardware placement

  • 0 Cloud Dependencies
  • 0 External Telemetry
  • 100% Open-Source Stack
  • Your Jurisdiction

Mandatory Access Controls at Every Layer

DSEC OS does not offer a "permissive mode." Security controls are mandatory and enforced at the kernel level. Every container workload is confined by SELinux type enforcement policies, AppArmor profiles, and eBPF-based network policy — regardless of what the container image itself is configured to do.

The platform is built on Rocky Linux 9.x with CIS Level 2 benchmarks applied. Kernel parameters are tuned for security, unnecessary services are stripped, and cryptographic policies are enforced system-wide.

  • SELinux enforcing mode — always on, not configurable to permissive
  • CIS Level 2 benchmarks applied and verified — 97.4/100 score
  • Rootless container runtime eliminates root-based escape vectors
  • eBPF network monitoring with per-process traffic control
  • LUKS2 full-disk encryption for all persistent storage
  • Immutable, append-only audit journal

  • Management Interface: HARDENED
  • API + Auth Gateway: HARDENED
  • Container Orchestration: HARDENED
  • Rootless Runtime + Namespaces: HARDENED
  • SELinux + AppArmor + eBPF: ENFORCING
  • Rocky Linux 9.x (CIS L2): HARDENED

Complete Forensic Trail, Tamper-Evident by Design

Government and defence environments require that every action is attributable and every event is recorded. DSEC OS maintains an immutable, append-only audit journal that cannot be silently modified or deleted — not even by administrators.

The audit system captures privilege use, access control decisions, container lifecycle events, configuration changes, and network policy enforcement — providing the complete forensic trail required for security investigations and compliance reporting.

  • Append-only storage — logs cannot be retroactively modified
  • Every administrative action attributed to a specific user and role
  • Configuration changes recorded with before/after state differentials
  • Network policy enforcement events logged at process-level granularity
  • Exportable audit data for integration with SIEM and reporting systems

AUDIT LOG — CLASSIFIED WORKLOAD
[06:00:01] VERIFY platform.integrity check passed
[06:00:02] ENFORCE selinux policy reload complete
[08:14:31] AUTH user:op-admin role:operator
[08:14:32] ALLOW container.start secure-comms
[08:14:33] DENY network.egress 0.0.0.0/0
[08:14:33] ENFORCE air-gap policy: external blocked
[08:15:00] ALLOW network.internal 10.0.1.0/24

Infrastructure That Meets the Highest Standards

If your organisation requires sovereign, air-gap-capable hosting infrastructure with mandatory security enforcement, we'd like to hear from you. We work with a small number of clients and give each engagement the attention it deserves.