DOSSIER / 01 — INFRASTRUCTURE

Zero client.
Closed network.
True zero trust.

Edzell delivers the operational model of a classified government network across enterprises. No local data. No exposed endpoints. No implicit trust — anywhere on the wire.

Local attack surface: 0
Session attestation: 100%
Crypto module class: FIPS 140-3
edzell-fabric / session.attest
$ edzell auth --device thinclient-A19
[ok] hardware root verified — TPM 2.0
[ok] attestation chain valid (4 nodes)
$ edzell session open --policy strict
[ok] ephemeral keys provisioned
[warn] peripheral USB-3 disabled by policy
[ok] compute streamed from enclave us-cls-2
$ edzell egress check
[ok] data plane sealed — 0 bytes at rest
session ready
LATENCY: 11ms
ENCLAVE: us-cls-2
TRUST: 0.00
FIPS 140-3 · NIST SP 800-207 · CMMC LEVEL 3 · FedRAMP HIGH · ITAR READY · NATO RESTRICTED · ISO 27001 · SOC 2 TYPE II
// 02 · The doctrine

Four absolutes

01

Zero Client

Endpoints hold no data, no apps, no state. A compromised laptop yields a paperweight, not a breach.

02

Closed Network

Private fabric with no path to the open internet. Egress is policy-defined and cryptographically gated.

03

Continuous Attestation

Every device, user, and packet is re-verified at line rate. Trust is a measurement, not an assumption.

04

Sealed Enclaves

Compute runs inside hardware-rooted enclaves. Operators cannot see customer state — by design.

// 03 · Architecture

The fabric, end to end

SCHEMATIC / EDZ-FABRIC v3
[Schematic labels: USER, EDZELL FABRIC, ENCLAVE; THIN, ATTEST, POLICY, ROUTE, ENCL]
L1 · Hardened Thin Endpoint
TPM-rooted boot. No local storage. Display + input only.

L2 · Edge Attestation Gateway
Mutual TLS with hardware identity. Drops anything unverified.

L3 · Closed Transport Fabric
Private overlay with deterministic routing. No internet adjacency.

L4 · Sealed Compute Enclave
Confidential VMs. Operator-blind. Memory encrypted at use.

L5 · Policy & Audit Plane
Tamper-evident logs. Real-time policy as code.
// 04 · What you get

Capabilities

Cryptographic Identity

Every device, user, and workload carries a hardware-rooted identity. No passwords, no shared secrets.

Microsegmented Wire

Per-session paths. Lateral movement is mathematically denied, not policy-suggested.

Confidential Compute

AMD SEV-SNP and Intel TDX enclaves. Data is encrypted at rest, in transit, and in use.

Out-of-Band Control

Management plane on its own physical channel. Compromise of data ≠ compromise of policy.

Active Deception

Honeyed paths and decoy enclaves convert reconnaissance into intelligence.

Operator Blindness

Edzell staff cannot read customer workloads. Verified by remote attestation, not promised in a PDF.

// 06 · Compliance

Built to be audited, not just trusted.

Edzell architecture maps to the strictest civilian and defense standards. Every claim on this page has a control behind it and a test that proves it.

FIPS 140-3
NIST SP 800-207
NIST 800-53 HIGH
CMMC L3
FedRAMP HIGH
ISO/IEC 27001
SOC 2 TYPE II
ITAR
EAR
// 07 · ENGAGE

Brief us on the adversary you cannot accept.

Engagement begins with a sealed briefing under NDA. We do not publish customers, deployments, or pricing.

FORM / EDZ-INTAKE · SECURE

Channel encrypted · Response within 48h