AirGapNet · Physical network isolation
Physical access control
Patent-pending · 2023

Closed by default. Open by intent.

AirGapNet AGN1

Service path controller

Default-closed access window

Closed default
Timed access
Customer feedback

When the line disappears.

Three pilot customers, in their own words. Names anonymised at their request; quotes translated from the original deployments.

Customer 01

Technology company

We brought AGN1 in to protect our R&D networks. It met our security requirements and added a layer the software controls couldn't — a physical break that doesn't depend on policy.

Theodor U.

IT Specialist · Technology company

Customer 02

Healthcare provider

AGN1 secures the segments where patient data lives. It gave us a way to demonstrate compliance under data-protection rules — auditors can see the relay state and the maintenance window, not just a config file.

Lukas W.

IT Security Officer · Healthcare provider

Customer 03

Financial services firm

We deployed AGN1 to protect our networks from potential threats — it exceeded our expectations. Physically separating segments improved our security materially. We can now show sensitive data is protected, not just configured to be.

Ewald R.

IT Manager · Financial services firm

The core idea

Keep the front open. Close the service door.

Customer path

Always available

Business traffic stays open.

Users, customers, employees, and production traffic keep moving.

Service path

Closed by default

Maintenance is an approved window.

Vendor, admin, update, and backup access becomes time-boxed.

Service paths open only for an approved window, then auto-close.

Why it matters

Every breach below started on a service path.

Not the firewall. A vendor VPN, an update channel, a remote-support session — paths the network leaves reachable by default. AirGapNet makes those paths physically absent.

U.S. avg breach cost · 2024

$4.88M

A physical break costs less than the first hour of most incident response. Source: IBM Cost of a Data Breach Report 2024

Real breach · 2021

Colonial Pipeline

$4.4M ransom

A single exposed VPN account let DarkSide ransomware halt the largest US fuel pipeline for six days.

Source: CISA AA21-131A

Real breach · 2017

Merck

$870M impact

NotPetya tore through always-connected production systems, halting manufacturing and disrupting global supply for weeks.

Source: Wired

Real breach · 2020

Universal Health Services

$67M impact

Ryuk ransomware forced 400 hospitals into paper workflows and delayed critical care across the United States.

Source: BleepingComputer

Real breach · 2021

Florida Water System

Near miss

An attacker used always-on remote support to raise sodium hydroxide in drinking water before an operator caught it.

Source: CISA AA21-042A

Use cases

Six paths. One break.

Internet isolation

Take a server off the public internet between active sessions. The line returns only for approved windows — backups, updates, vendor jobs.

  • SMB
  • Manufacturing

Server configuration windows

Open admin access to a server during a scheduled maintenance slot. The path closes automatically when the window ends.

  • All segments

Backup isolation

Backup targets stay disconnected from the production network and only open when the backup job runs. Ransomware cannot follow what is not connected.

  • All segments

Immutable backup vaults

Pair AGN1 with an air-gapped backup target so the vault is reachable only on explicit, time-limited writes. Combine with WORM storage for true immutability.

  • Finance
  • Healthcare
  • Regulated

PoE device control

Disconnect cameras, sensors, displays, or kiosks from the network when they aren't actively in use. Reduces the lateral-movement surface from edge devices.

  • Retail
  • Hospitality
  • Industrial

Vendor maintenance windows

External technicians get scoped access to one device during a defined window. No on-site escort, no entire-network exposure.

  • Manufacturing
  • Healthcare
  • MSP
FAQ

Buying questions.

AGN1 is a hardware switch installed inline on a single network path. By default the line is a physical break (an open circuit, so neither side is electrically reachable). You open the path for access during a defined window (manual, scheduled, or event-based) over an independent GSM control channel, and the line returns to a physical break when the window ends.
No — it's an additional layer. Firewalls, EDR, and segmentation are software-based and assume the path exists. AirGapNet changes whether the path physically exists. Use it in addition to your existing stack, not in place of it.
A managed switch, VPN, or jump host still keeps the line electrically connected, so you trust software to gate access. AGN1 makes the path physically absent by default. The attack surface during the closed state is zero, because there is no surface.
AirGapNet is currently in the US compliance process. We will publish the FCC ID and conformity statement on this page as soon as it is finalized. Until then, devices ship from European warehouses to early US pilots — talk to us about deployment timing.
No. AGN1 is a one-time hardware purchase. The independent control channel uses your own GSM SIM card and carrier plan (typically $5–$10 per month). AirGapNet Cloud, when available, will be a separate optional product.
From the founder
Firewalls, EDR, training — all in place, and the attacker still walked in through a path that should not have been open at all.

Markus Roth

Co-Founder
