Full GitOps Kubernetes stack with zero-trust access, secrets management, SSO, and full observability — deployed on your hardware or cloud.
We deploy the same zero-trust infrastructure stack that powers every 47Network product — on your hardware, your cloud, or your colocation. GitOps with Argo CD, Pomerium access proxy, Keycloak 47ID SSO, HashiCorp Vault for secrets, Kyverno policy enforcement, and Prometheus + Loki observability. You get full ownership from day one: every config is in Git, every secret is managed, and your team receives full runbooks and hands-on training.
App-of-Apps pattern. Every resource defined in Git. Automated sync, self-healing, and drift detection.
Identity-aware access to every internal service. No VPN required. Works with any OIDC provider.
Centralized identity: users, groups, MFA, passkeys, and per-application RBAC. LDAP/AD sync available.
Dynamic secrets, PKI, database credential rotation, and KV engine. No more hardcoded secrets.
Full-stack observability: metrics, logs, and alerts. Grafana dashboards delivered per service.
Admission control, pod security standards, and default-deny namespace isolation, so a compromised pod cannot move laterally by default.
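As an added illustration of the two cards above (this is example configuration, not 47Network's own manifests): an Argo CD Application that syncs a `policies/` directory from Git with pruning and self-heal enabled, and one of the Kyverno ClusterPolicies it would sync. The policy enforces the restricted Pod Security Standard at admission and generates a default-deny NetworkPolicy in every new namespace. The repository URL, namespace names and policy names are assumptions chosen for the example.

```yaml
# Argo CD Application: the Git directory "policies" is the source of truth.
# prune removes cluster resources deleted from Git; selfHeal reverts manual
# changes to the live state (this is the drift detection and self-healing).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: cluster-policies
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://git.example.com/platform/cluster-config.git  # assumed repo
    targetRevision: main
    path: policies
  destination:
    server: https://kubernetes.default.svc
    namespace: kyverno
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
---
# One of the policies under policies/ in that repo.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-security  # assumed name
spec:
  validationFailureAction: Enforce  # reject, do not merely audit
  background: true
  rules:
    # Admission control: every Pod (and, via Kyverno auto-generation, every
    # Deployment/StatefulSet/Job that creates Pods) must meet the restricted
    # Pod Security Standard.
    - name: restricted-pod-security
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        podSecurity:
          level: restricted
          version: latest
    # Namespace isolation: when a namespace is created, generate a NetworkPolicy
    # that selects all pods and denies all ingress and egress. Teams then add
    # explicit allow policies for the traffic they need.
    - name: default-deny-networkpolicy
      match:
        any:
          - resources:
              kinds:
                - Namespace
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
                - kyverno
                - argocd
      generate:
        apiVersion: networking.k8s.io/v1
        kind: NetworkPolicy
        name: default-deny
        namespace: "{{request.object.metadata.name}}"
        synchronize: true  # re-create the policy if someone deletes it
        data:
          spec:
            podSelector: {}
            policyTypes:
              - Ingress
              - Egress
```

Two checks worth doing after applying this: deploy a pod that runs as root and confirm the API server rejects it with the Kyverno message, and create a throwaway namespace and confirm `kubectl get networkpolicy -n <ns>` shows `default-deny`. Kyverno only creates the NetworkPolicy object; enforcement is the CNI's job, so on a cluster whose CNI does not implement NetworkPolicy the object exists and blocks nothing.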
We audit your existing infrastructure, document all services, and identify security gaps and integration points.
We design the full stack in a detailed architecture document and scope the work into a fixed-price SOW.
We deploy to your environment with all controls active. Every component is tested and validated.
Full runbooks, architecture diagrams, and hands-on team training. You own everything from day one.
Yes — AWS, GCP, Azure, Hetzner, OVH, or bare metal. We're cloud-agnostic by design. We have the most experience on bare metal and Hetzner, but the stack works identically anywhere Kubernetes runs.
A standard zero-trust stack (Argo CD + Pomerium + Keycloak + Vault + observability) typically takes 3–6 weeks depending on complexity, number of existing services to onboard, and team availability for knowledge transfer.
We integrate with what you have. If you already run Keycloak, we configure Pomerium to use it. If you have Vault, we harden and extend it. We don't rip and replace for its own sake.
The engagement includes 30 days of post-handover support. Ongoing maintenance contracts are available at Standard, Priority, and Enterprise SLA tiers — see our Legal Hub for details.
No implicit trust based on network location. Every request — whether from inside your network or outside — is authenticated, authorised against policy, and logged before access is granted. A compromised machine inside your perimeter cannot access other internal services just by being on the same network. Trust is granted per-request, not per-session or per-network.
Keycloak (47ID) for identity and SSO, HashiCorp Vault for secrets management, Istio for service mesh and mTLS between services, Kyverno for Kubernetes policy enforcement, and 47Sentry (eBPF/XDP) for perimeter monitoring. All open-source, all self-hostable. We don't build on SaaS identity providers that hold your identity data.
For a 20–50 person company starting from a conventional network perimeter model: typically 6–10 weeks for the initial engagement covering identity, secrets, and service authentication. This is not a full-org transformation — it's the foundational layer that makes everything else work. Subsequent phases (policy enforcement, full mTLS rollout, audit pipeline) are scoped separately once the foundation is running.
Minimally. The main visible change is that secrets come from Vault rather than environment variables or config files, and service-to-service calls go through the service mesh. We handle both as part of the migration with tooling that makes the transition transparent where possible. The training component of the engagement covers the new patterns so your team can work within the new model confidently.
Yes. The stack works on-premise, on any cloud provider, and in hybrid configurations. Keycloak and Vault are cloud-agnostic. Istio runs on any Kubernetes distribution. We've deployed on bare metal, AWS, GCP, Hetzner, and OVHcloud. The design principle is that nothing in the zero-trust stack should be cloud-provider-specific — you should be able to move providers without redesigning security.
Real engagements with measurable outcomes — from fintech to e-commerce.
GitOps-managed zero-trust infrastructure — Keycloak SSO, Vault secrets, Istio mesh, Kyverno policy enforcement — for a financial data processor with strict compliance requirements.
Unified 5 internal tools under a single 47ID identity layer — warehouse, orders, analytics, admin panel, support. GDPR audit logs, full MFA coverage, secrets migrated from env vars to Vault.
Tell us about your current setup — cloud provider, team size, existing identity stack. We'll scope a zero-trust engagement and respond within 24 hours.
Technical guides on the infrastructure and processes behind zero-trust engagements.
The principles behind every zero-trust Studio engagement — identity-first networking, least-privilege access, and the three things most SMEs get wrong when they start.
WireGuard is the backbone of many zero-trust site interconnects. This guide covers key generation, routing configuration, persistent keepalives, and multi-site mesh setup.
Key-only auth, algorithm hardening, fail2ban, and Teleport for centralised SSH access — the baseline we apply in every zero-trust infrastructure engagement.
TLS termination with OCSP stapling, per-endpoint rate limiting zones, JSON structured logging, and security headers — the Nginx config pattern in every Studio deployment.
XDP packet filtering, kernel-level network policy enforcement, and runtime syscall auditing — the eBPF layer that runs beneath every 47Network zero-trust deployment.
Self-hosted control plane, zero-trust ACLs, subnet routing, and MagicDNS — the Headscale setup used in 47Network fintech and zero-trust engagements.
DNS-01 wildcard certificates, automatic renewal, OCSP stapling, Nginx TLS hardening, and Prometheus expiry alerting — TLS automation for every 47Network deployment.
WebAuthn registration flows, resident keys, cross-device passkeys — how phishing-resistant authentication fits into a zero-trust perimeter.
Headscale on the management server, ACLs enforcing least-privilege access — the control-plane-sovereign VPN layer used in zero-trust engagements where all privileged access must stay off the public internet.