Autonomous reliability for restricted environments.
Zof generates governed test intelligence, packages it into signed capsules, and executes through customer-controlled runners inside protected networks.
No inbound access required
No external model calls from protected networks
Signed immutable test capsules
Customer-controlled execution with audit trails
Why secure environments need a different model
Restricted networks were not built for tools that require inbound access, unmanaged model calls, or ungoverned automation.
- -No direct internet access to protected applications
- -Network segmentation and zero-trust boundaries
- -Privileged access management and change control
- -Data loss prevention and evidence handling rules
- -Audit trails for every validation and remediation step
- -No unmanaged external AI calls from inside the enclave
The Zof secure enclave model
Intelligence and control operate where policy allows; execution stays inside the customer boundary behind a transfer gateway.
Intelligence Plane
Governed test intelligence
Runs in Zof Cloud, private cloud, or on-prem, where your policy permits planning and generation.
- -Requirements and workflow analysis
- -System Graph modeling and risk prioritization
- -Test generation and capsule assembly
- -Remediation planning where policy allows
- -No execution of tests against protected apps from this plane
Control Plane
Customer-governed approvals
Your policies, signatures, and audit trails govern what may run in protected environments.
- -Human approval and role-based controls
- -Cryptographic signing and policy checks
- -Capsule versioning and promotion
- -Scheduling and evidence routing
- -Complete audit trail for every action
Execution Plane
Inside your boundary
Runs entirely inside customer-controlled infrastructure. Sensitive data stays inside unless you approve egress.
- -Local browser, API, and desktop validation
- -Local screenshots, logs, and video capture
- -Redaction and local evidence bundles
- -Optional sanitized or metadata-only egress
- -No dependency on external model calls at runtime
Secure enclave architecture
Intelligence and control operate outside the protected segment; execution and evidence stay inside via signed capsules and customer-controlled runners.
Approved planning zone
Intelligence Plane
Cloud, private cloud, or on-prem
Control Plane
Signed Test Capsule
Customer Transfer Boundary
Customer-controlled segment
Execution Plane
Enclave Gateway
Edge Runner
Target Applications
Local Evidence Store
Optional Sanitized Egress
Approved planning zone
Intelligence Plane
Cloud, private cloud, or on-prem
Control Plane
Signed Test Capsule
Customer Transfer Boundary
Customer-controlled segment
Execution Plane
Enclave Gateway
Edge Runner
Target Applications
Local Evidence Store
Optional Sanitized Egress
Enclave-style execution architectures
Segmented infrastructure where planning may occur in an approved zone while execution and evidence remain in a customer-controlled boundary.
Secure enclave execution
Segmented execution with signed capsule transfer.
Customer-controlled execution boundary
You define where runners live, what they may touch, and how artifacts leave the segment.
- -Execution plane stays inside your perimeter
- -Sensitive runtime data not required in external SaaS
- -Optional metadata-only summaries for central dashboards
- -Per-environment evidence and retention policies
- -Runner allowlists and identity for audit
- -Integrates with existing segmentation and zero-trust models
Signed test capsules
Immutable, versioned, and approved packages, not ad hoc scripts. Constrained manifests define exactly what may run.
Test capsule lifecycle
From governed generation to signed, approved execution, every step is versioned and auditable.
Enclave gateway
Verifies signatures, enforces policy, stages capsules, logs every action, and triggers the edge runner, without opening inbound access.
PAM credential flow
Credentials are brokered at execution time, no long-lived secrets stored in Zof Cloud.
Local edge runner
Customer-deployed execution that runs tests locally, captures evidence, applies redaction, and produces reports inside the protected network.
Edge runner execution flow
Signed capsules move through gateway policy to local execution and evidence capture.
Segmented infrastructure support
Place gateways and runners per VLAN, DMZ, OT zone, or business unit with policies matched to risk.
- -Per-segment capsule promotion rules
- -Conservative pilots in highest-risk zones first
- -DMZ and internal-only application coverage
- -Manufacturing and branch networks via edge runners
- -SOC and admin tooling in isolated segments
- -Expand after security architecture sign-off
Controlled telemetry egress
Telemetry and evidence leave only through paths you approve, with redaction applied first.
Telemetry flow
Runner capture through optional controlled egress.
Evidence and egress controls
You choose how evidence leaves the execution plane, if it leaves at all.
Evidence flow modes
Choose how validation evidence leaves the execution plane.
Local only
All screenshots, logs, videos, and reports remain inside your environment. No outbound transfer.
Sanitized egress
Approved fields and artifacts pass through redaction policies before leaving the execution plane.
Metadata only
Share pass/fail summaries and non-sensitive metadata for central dashboards, no raw application data.
Enterprise approval workflows
Human authorization gates capsule promotion and governed remediation before production impact.
Remediation approval workflow
Governed path from detection to verified fix.
Regulated environment examples
Representative patterns for financial services, healthcare administration, and public-sector segmentation—not customer endorsements.
- -Core banking and payment processing segments
- -Healthcare administrative systems with PHI boundaries
- -Identity and trust platforms in DMZ architectures
- -Manufacturing OT-adjacent validation at the edge
- -Security operations tooling in SOC VLANs
- -See deployment hub scenarios for anonymized models
Fit your operating model
From standard cloud to air-gapped on-prem, same governed capsule model, different placement of each plane.
| Deployment model | Where AI planning runs | Where execution runs | Internet requirement | Data egress model | Ideal use case | Sales motion | Pricing |
|---|---|---|---|---|---|---|---|
| Zof Cloud | Zof Cloud | Zof-managed or customer runners | Standard outbound | Customer-configured | Cloud-native teams, lower-friction pilots | Self-serve to enterprise | Published tiers + enterprise |
| Zof Private Cloud | Dedicated private cloud | Customer-controlled runners | Policy-controlled outbound | Local-first; optional approved egress | Regulated industries, residency requirements | Enterprise sales | Custom, contact sales |
| Zof Hybrid Enclave | Cloud or private cloud | Enclave gateway + edge runners | Not required in protected segment | Local-only default; optional sanitized | Banks, insurance, internal-only apps | Secure deployment briefing | Custom, contact sales |
| Zof On-Prem Control Plane | Customer data center | Customer-managed runners | Optional / air-gapped supported | Local-only typical | No internet, strict residency, internal governance | Architecture review required | Custom, contact sales |
| Zof Local Edge Runner | Paired control plane | Branch, factory, edge site | Not required for execution | Local evidence; optional sync | Distributed sites, segmented networks | Add-on to enterprise deployment | Custom, contact sales |
| Customer VPC / VNet | Cloud or private cloud | Customer VPC runners | Outbound-only typical | Local-first; policy-controlled | Enterprise SaaS in your cloud account | Architecture review | Custom, contact sales |
| Private Kubernetes execution | Customer-approved control plane | Customer-managed cluster agents | Policy-controlled | Namespace-scoped evidence | Platform teams with existing K8s estates | Architecture review | Custom, contact sales |
| Endpoint agents | Paired control plane | Desktop / VDI / legacy UI | Outbound registration typical | Local capture; optional sanitized | ERP, Citrix, internal desktop apps | Enterprise deployment | Custom, contact sales |
Secure deployment pricing depends on model, footprint, and implementation scope. View enterprise deployment pricing
Designed for security review
Controls your security and risk teams expect, without claiming certifications we have not earned.
- SSO/SAML/OIDC and role-based access control
- Signed runners and execution allowlists
- Audit trails for capsules, runs, and approvals
- PAM-compatible credential brokering at execution time
- Configurable redaction and retention policies
- Human approval before governed remediation
- Evidence modes: local-only, sanitized, or metadata-only
- Designed to support bank-controlled execution models
Secure Deployment Review Checklist
Use this checklist with your security, risk, and infrastructure teams. Designed to support, not replace, your internal review process.
Architecture review
Document placement of intelligence, control, and execution planes relative to network segments.
Data flow review
Map what data is created, stored, and transmitted, including evidence and optional egress paths.
Runner signing
Verify runner binaries, signing keys, and allowlists for execution hosts.
PAM model
Confirm integration approach for privileged credentials at execution time.
DLP and redaction
Define field masking, screenshot policies, and retention for local evidence.
Audit trails
Validate logging for capsule promotion, runs, approvals, and administrative actions.
RBAC and SSO
Align Zof roles with corporate identity and least-privilege access.
Deployment model selection
Choose cloud, private cloud, hybrid enclave, on-prem, or edge based on segmentation needs.
Evidence storage
Define where artifacts live, how long they are retained, and who may access them.
Egress controls
Select local-only, sanitized, or metadata-only modes per environment.
Support access model
Document when Zof personnel may access systems and under what approval workflow.
Pilot and rollout plan
Define conservative pilot scope, success criteria, and production expansion gates.
Download the checklist
Share with security and procurement stakeholders before your architecture review.
View secure deployment checklistSecure deployment questions
Answers for security, infrastructure, and procurement reviewers.
Discuss secure deployment with Zof
Review segmentation, capsule governance, and runner placement with teams who support regulated enterprises.
