Chapter 01
The supplier ran 12 CNC machines and 3 robot cells with always-on vendor support tunnels into the OT subnet. The maintenance contract specified per-machine support, but the network reality was a single shared VPN reaching everything.
Automotive Tier-1 supplier · 3 sites in Central Europe
Always-on vendor VPN reached the entire OT subnet between maintenance windows.
−98%
Vendor exposure window
12 of 12
Audited paths closed
5 days
Time to deploy first site
What happened
Outcome.
Chapter 02
AirGapNet's AGN1 units were placed in front of each machine, with one AGN2 on the rack between the OT trunk and the vendor network. Vendor sessions now open only on a Tuesday-Friday 04:00–06:00 schedule per machine; outside that, the path is physically broken.
Chapter 03
The audit findings around 'vendor account scoped at the network level' closed out in the next quarterly review. The OT team's biggest behavioral change: vendors now schedule maintenance instead of debugging in real time over an always-open line.
Disclaimer · Composite pilot case based on conversations with prospective pilot customers across automotive and metals manufacturing in 2024–2025. Specific numbers represent typical scope, not a single deployment.
See if your pattern matches
Most pilots look like one of these three.