New:System Graph 2.0See System Graph 2.0
Secure enclave

Autonomous reliability for restricted environments.

Zof generates governed test intelligence, packages it into signed capsules, and executes through customer-controlled runners inside protected networks.

Book a secure deployment briefingView deployment architecture

No inbound access required

No external model calls from protected networks

Signed immutable test capsules

Customer-controlled execution with audit trails

The challenge

Why secure environments need a different model

Restricted networks were not built for tools that require inbound access, unmanaged model calls, or ungoverned automation.

  • -No direct internet access to protected applications
  • -Network segmentation and zero-trust boundaries
  • -Privileged access management and change control
  • -Data loss prevention and evidence handling rules
  • -Audit trails for every validation and remediation step
  • -No unmanaged external AI calls from inside the enclave
Architecture

The Zof secure enclave model

Intelligence and control operate where policy allows; execution stays inside the customer boundary behind a transfer gateway.

Intelligence Plane

Governed test intelligence

Runs in Zof Cloud, private cloud, or on-prem, where your policy permits planning and generation.

  • -Requirements and workflow analysis
  • -System Graph modeling and risk prioritization
  • -Test generation and capsule assembly
  • -Remediation planning where policy allows
  • -No execution of tests against protected apps from this plane

Control Plane

Customer-governed approvals

Your policies, signatures, and audit trails govern what may run in protected environments.

  • -Human approval and role-based controls
  • -Cryptographic signing and policy checks
  • -Capsule versioning and promotion
  • -Scheduling and evidence routing
  • -Complete audit trail for every action

Execution Plane

Inside your boundary

Runs entirely inside customer-controlled infrastructure. Sensitive data stays inside unless you approve egress.

  • -Local browser, API, and desktop validation
  • -Local screenshots, logs, and video capture
  • -Redaction and local evidence bundles
  • -Optional sanitized or metadata-only egress
  • -No dependency on external model calls at runtime

Secure enclave architecture

Intelligence and control operate outside the protected segment; execution and evidence stay inside via signed capsules and customer-controlled runners.

Approved planning zone

Intelligence Plane

Cloud, private cloud, or on-prem

Control Plane

Signed Test Capsule

Customer Transfer Boundary

Customer-controlled segment

Execution Plane

Enclave Gateway

Edge Runner

Target Applications

Local Evidence Store

Optional Sanitized Egress

Enclave patterns

Enclave-style execution architectures

Segmented infrastructure where planning may occur in an approved zone while execution and evidence remain in a customer-controlled boundary.

Secure enclave execution

Segmented execution with signed capsule transfer.

Approved planning zoneProtected segmentIntelligenceControlGatewayRunnerAppsEvidence
Execution boundary

Customer-controlled execution boundary

You define where runners live, what they may touch, and how artifacts leave the segment.

  • -Execution plane stays inside your perimeter
  • -Sensitive runtime data not required in external SaaS
  • -Optional metadata-only summaries for central dashboards
  • -Per-environment evidence and retention policies
  • -Runner allowlists and identity for audit
  • -Integrates with existing segmentation and zero-trust models
Signed capsules

Signed test capsules

Immutable, versioned, and approved packages, not ad hoc scripts. Constrained manifests define exactly what may run.

Test capsule lifecycle

From governed generation to signed, approved execution, every step is versioned and auditable.

AnalyzeGenerateAssembleApproveSignExecute
Enclave gateway

Enclave gateway

Verifies signatures, enforces policy, stages capsules, logs every action, and triggers the edge runner, without opening inbound access.

PAM credential flow

Credentials are brokered at execution time, no long-lived secrets stored in Zof Cloud.

Runner requests sessionGateway enforces policyPAM brokers credentialTime-bound access grantedAudit event recorded
Edge runner

Local edge runner

Customer-deployed execution that runs tests locally, captures evidence, applies redaction, and produces reports inside the protected network.

Edge runner execution flow

Signed capsules move through gateway policy to local execution and evidence capture.

Enclave GatewayEdge RunnerTarget ApplicationsLocal Evidence Store
Segmentation

Segmented infrastructure support

Place gateways and runners per VLAN, DMZ, OT zone, or business unit with policies matched to risk.

  • -Per-segment capsule promotion rules
  • -Conservative pilots in highest-risk zones first
  • -DMZ and internal-only application coverage
  • -Manufacturing and branch networks via edge runners
  • -SOC and admin tooling in isolated segments
  • -Expand after security architecture sign-off
Telemetry

Controlled telemetry egress

Telemetry and evidence leave only through paths you approve, with redaction applied first.

Telemetry flow

Runner capture through optional controlled egress.

RunnerLocal storeRedactionApproved egress
Evidence controls

Evidence and egress controls

You choose how evidence leaves the execution plane, if it leaves at all.

Evidence flow modes

Choose how validation evidence leaves the execution plane.

Local only

All screenshots, logs, videos, and reports remain inside your environment. No outbound transfer.

Sanitized egress

Approved fields and artifacts pass through redaction policies before leaving the execution plane.

Metadata only

Share pass/fail summaries and non-sensitive metadata for central dashboards, no raw application data.

Approvals

Enterprise approval workflows

Human authorization gates capsule promotion and governed remediation before production impact.

Remediation approval workflow

Governed path from detection to verified fix.

DetectProposeApproveApplyVerifyAudit
Regulated environments

Regulated environment examples

Representative patterns for financial services, healthcare administration, and public-sector segmentation—not customer endorsements.

  • -Core banking and payment processing segments
  • -Healthcare administrative systems with PHI boundaries
  • -Identity and trust platforms in DMZ architectures
  • -Manufacturing OT-adjacent validation at the edge
  • -Security operations tooling in SOC VLANs
  • -See deployment hub scenarios for anonymized models
Deployment modes

Fit your operating model

From standard cloud to air-gapped on-prem, same governed capsule model, different placement of each plane.

Deployment modelWhere AI planning runsWhere execution runsInternet requirementData egress modelIdeal use caseSales motionPricing
Zof CloudZof CloudZof-managed or customer runnersStandard outboundCustomer-configuredCloud-native teams, lower-friction pilotsSelf-serve to enterprisePublished tiers + enterprise
Zof Private CloudDedicated private cloudCustomer-controlled runnersPolicy-controlled outboundLocal-first; optional approved egressRegulated industries, residency requirementsEnterprise salesCustom, contact sales
Zof Hybrid EnclaveCloud or private cloudEnclave gateway + edge runnersNot required in protected segmentLocal-only default; optional sanitizedBanks, insurance, internal-only appsSecure deployment briefingCustom, contact sales
Zof On-Prem Control PlaneCustomer data centerCustomer-managed runnersOptional / air-gapped supportedLocal-only typicalNo internet, strict residency, internal governanceArchitecture review requiredCustom, contact sales
Zof Local Edge RunnerPaired control planeBranch, factory, edge siteNot required for executionLocal evidence; optional syncDistributed sites, segmented networksAdd-on to enterprise deploymentCustom, contact sales
Customer VPC / VNetCloud or private cloudCustomer VPC runnersOutbound-only typicalLocal-first; policy-controlledEnterprise SaaS in your cloud accountArchitecture reviewCustom, contact sales
Private Kubernetes executionCustomer-approved control planeCustomer-managed cluster agentsPolicy-controlledNamespace-scoped evidencePlatform teams with existing K8s estatesArchitecture reviewCustom, contact sales
Endpoint agentsPaired control planeDesktop / VDI / legacy UIOutbound registration typicalLocal capture; optional sanitizedERP, Citrix, internal desktop appsEnterprise deploymentCustom, contact sales

Secure deployment pricing depends on model, footprint, and implementation scope. View enterprise deployment pricing

Security controls

Designed for security review

Controls your security and risk teams expect, without claiming certifications we have not earned.

  • SSO/SAML/OIDC and role-based access control
  • Signed runners and execution allowlists
  • Audit trails for capsules, runs, and approvals
  • PAM-compatible credential brokering at execution time
  • Configurable redaction and retention policies
  • Human approval before governed remediation
  • Evidence modes: local-only, sanitized, or metadata-only
  • Designed to support bank-controlled execution models
Security review

Secure Deployment Review Checklist

Use this checklist with your security, risk, and infrastructure teams. Designed to support, not replace, your internal review process.

  • Architecture review

    Document placement of intelligence, control, and execution planes relative to network segments.

  • Data flow review

    Map what data is created, stored, and transmitted, including evidence and optional egress paths.

  • Runner signing

    Verify runner binaries, signing keys, and allowlists for execution hosts.

  • PAM model

    Confirm integration approach for privileged credentials at execution time.

  • DLP and redaction

    Define field masking, screenshot policies, and retention for local evidence.

  • Audit trails

    Validate logging for capsule promotion, runs, approvals, and administrative actions.

  • RBAC and SSO

    Align Zof roles with corporate identity and least-privilege access.

  • Deployment model selection

    Choose cloud, private cloud, hybrid enclave, on-prem, or edge based on segmentation needs.

  • Evidence storage

    Define where artifacts live, how long they are retained, and who may access them.

  • Egress controls

    Select local-only, sanitized, or metadata-only modes per environment.

  • Support access model

    Document when Zof personnel may access systems and under what approval workflow.

  • Pilot and rollout plan

    Define conservative pilot scope, success criteria, and production expansion gates.

Download the checklist

Share with security and procurement stakeholders before your architecture review.

View secure deployment checklist
FAQ

Secure deployment questions

Answers for security, infrastructure, and procurement reviewers.

No. Zof does not require inbound connections to your protected network. Customer-deployed edge runners execute signed capsules locally. Connectivity, if any, is outbound and policy-controlled.
Next step

Discuss secure deployment with Zof

Review segmentation, capsule governance, and runner placement with teams who support regulated enterprises.

Book a secure deployment briefingContact sales
01The operational surface

One surface for posture, operations, and what needs attention next.

The Zof home is not a marketing dashboard. It is the operational surface engineering, QA, and SRE teams use every day, quality posture, in-flight runs, coverage by module, and the actions a leader should look at next.

OPERATIONAL KPIs

  • Runs
  • Coverage
  • Risk

Live across every environment you ship to.

WORK SPINE

  • Specs
  • Tests
  • Schedules

From specification to scheduled regression.

GUARDRAILS

  • RBAC
  • SSO
  • audit

Every action attributable to a named human.

STAGING · LIVE/home
Zof AI home command center showing 12 runs at 94% pass, 3 open critical issues, 84% coverage, four module traceability bars, the specification pipeline, upcoming schedules, and recommended next actions with an active-runs sidebar.
Home view · Checkout Service · Staging · captured live from the product.
  • 01 · RUNS · 24H

    94% pass

    12 runs across staging

  • 02 · COVERAGE

    84%

    Across four modules

  • 03 · ACTIVE RUNS

    3 running

    Live on this branch

  • 04 · NEXT ACTIONS

    Recommended

    Triage gaps, new spec

Zof AI Secure Enclave Deployment, Customer-Controlled Testing for Restricted Environments