Autonomous reliability for restricted environments.
Zof generates governed test intelligence, packages it into signed capsules, and executes through customer-controlled runners inside protected networks.
No inbound access required
No external model calls from protected networks
Signed immutable test capsules
Customer-controlled execution with audit trails
Why secure environments need a different model
Restricted networks were not built for tools that require inbound access, unmanaged model calls, or ungoverned automation.
- -No direct internet access to protected applications
- -Network segmentation and zero-trust boundaries
- -Privileged access management and change control
- -Data loss prevention and evidence handling rules
- -Audit trails for every validation and remediation step
- -No unmanaged external AI calls from inside the enclave
The Zof secure enclave model
Intelligence and control operate where policy allows; execution stays inside the customer boundary behind a transfer gateway.
Intelligence Plane
Governed test intelligence
Runs in Zof Cloud, private cloud, or on-prem, where your policy permits planning and generation.
- -Requirements and workflow analysis
- -System Graph modeling and risk prioritization
- -Test generation and capsule assembly
- -Remediation planning where policy allows
- -No execution of tests against protected apps from this plane
Control Plane
Customer-governed approvals
Your policies, signatures, and audit trails govern what may run in protected environments.
- -Human approval and role-based controls
- -Cryptographic signing and policy checks
- -Capsule versioning and promotion
- -Scheduling and evidence routing
- -Complete audit trail for every action
Execution Plane
Inside your boundary
Runs entirely inside customer-controlled infrastructure. Sensitive data stays inside unless you approve egress.
- -Local browser, API, and desktop validation
- -Local screenshots, logs, and video capture
- -Redaction and local evidence bundles
- -Optional sanitized or metadata-only egress
- -No dependency on external model calls at runtime
Secure enclave architecture
Intelligence and control operate outside the protected segment; execution and evidence stay inside via signed capsules and customer-controlled runners.
Approved planning zone
Intelligence Plane
Cloud, private cloud, or on-prem
Control Plane
Signed Test Capsule
Customer Transfer Boundary
Customer-controlled segment
Execution Plane
Enclave Gateway
Edge Runner
Target Applications
Local Evidence Store
Optional Sanitized Egress
Approved planning zone
Intelligence Plane
Cloud, private cloud, or on-prem
Control Plane
Signed Test Capsule
Customer Transfer Boundary
Customer-controlled segment
Execution Plane
Enclave Gateway
Edge Runner
Target Applications
Local Evidence Store
Optional Sanitized Egress
Signed test capsules
Immutable, versioned, and approved packages, not ad hoc scripts. Constrained manifests define exactly what may run.
Test capsule lifecycle
From governed generation to signed, approved execution, every step is versioned and auditable.
Enclave gateway
Verifies signatures, enforces policy, stages capsules, logs every action, and triggers the edge runner, without opening inbound access.
PAM credential flow
Credentials are brokered at execution time, no long-lived secrets stored in Zof Cloud.
Local edge runner
Customer-deployed execution that runs tests locally, captures evidence, applies redaction, and produces reports inside the protected network.
Edge runner execution flow
Signed capsules move through gateway policy to local execution and evidence capture.
Evidence and egress controls
You choose how evidence leaves the execution plane, if it leaves at all.
Evidence flow modes
Choose how validation evidence leaves the execution plane.
Local only
All screenshots, logs, videos, and reports remain inside your environment. No outbound transfer.
Sanitized egress
Approved fields and artifacts pass through redaction policies before leaving the execution plane.
Metadata only
Share pass/fail summaries and non-sensitive metadata for central dashboards, no raw application data.
Fit your operating model
From standard cloud to air-gapped on-prem, same governed capsule model, different placement of each plane.
| Deployment model | Where AI planning runs | Where execution runs | Internet requirement | Data egress model | Ideal use case | Sales motion | Pricing |
|---|---|---|---|---|---|---|---|
| Zof Cloud | Zof Cloud | Zof-managed or customer runners | Standard outbound | Customer-configured | Cloud-native teams, lower-friction pilots | Self-serve to enterprise | Published tiers + enterprise |
| Zof Private Cloud | Dedicated private cloud | Customer-controlled runners | Policy-controlled outbound | Local-first; optional approved egress | Regulated industries, residency requirements | Enterprise sales | Custom, contact sales |
| Zof Hybrid Enclave | Cloud or private cloud | Enclave gateway + edge runners | Not required in protected segment | Local-only default; optional sanitized | Banks, insurance, internal-only apps | Secure deployment briefing | Custom, contact sales |
| Zof On-Prem Control Plane | Customer data center | Customer-managed runners | Optional / air-gapped supported | Local-only typical | No internet, strict residency, internal governance | Architecture review required | Custom, contact sales |
| Zof Local Edge Runner | Paired control plane | Branch, factory, edge site | Not required for execution | Local evidence; optional sync | Distributed sites, segmented networks | Add-on to enterprise deployment | Custom, contact sales |
Secure deployment pricing depends on model, footprint, and implementation scope. View enterprise deployment pricing
Designed for security review
Controls your security and risk teams expect, without claiming certifications we have not earned.
- SSO/SAML/OIDC and role-based access control
- Signed runners and execution allowlists
- Audit trails for capsules, runs, and approvals
- PAM-compatible credential brokering at execution time
- Configurable redaction and retention policies
- Human approval before governed remediation
- Evidence modes: local-only, sanitized, or metadata-only
- Designed to support bank-controlled execution models
Secure Deployment Review Checklist
Use this checklist with your security, risk, and infrastructure teams. Designed to support, not replace, your internal review process.
Architecture review
Document placement of intelligence, control, and execution planes relative to network segments.
Data flow review
Map what data is created, stored, and transmitted, including evidence and optional egress paths.
Runner signing
Verify runner binaries, signing keys, and allowlists for execution hosts.
PAM model
Confirm integration approach for privileged credentials at execution time.
DLP and redaction
Define field masking, screenshot policies, and retention for local evidence.
Audit trails
Validate logging for capsule promotion, runs, approvals, and administrative actions.
RBAC and SSO
Align Zof roles with corporate identity and least-privilege access.
Deployment model selection
Choose cloud, private cloud, hybrid enclave, on-prem, or edge based on segmentation needs.
Evidence storage
Define where artifacts live, how long they are retained, and who may access them.
Egress controls
Select local-only, sanitized, or metadata-only modes per environment.
Support access model
Document when Zof personnel may access systems and under what approval workflow.
Pilot and rollout plan
Define conservative pilot scope, success criteria, and production expansion gates.
Download the checklist
Share with security and procurement stakeholders before your architecture review.
View secure deployment checklistSecure deployment questions
Answers for security, infrastructure, and procurement reviewers.
Discuss secure deployment with Zof
Review segmentation, capsule governance, and runner placement with teams who support regulated enterprises.
