AirGapNet: Physical network isolation
Industries · MSP & SMB

Per-customer physical isolation from your NOC.

One MSP credential should not reach every customer site, all the time. AirGapNet turns customer access into scheduled or on-demand windows you control from a single console — physical, not policy.

MSP supply-chain incident, SolarWinds 2020

18,000

A trojanized software update flowed through an always-open trust channel into US Treasury, Pentagon, and 18,000 organizations. The path was 'managed', but it was reachable all the time.

Source: CISA AA20-352A

Attack surfaces

Four paths that almost never need to be reachable.

Shared MSP RMM tunnels

Your RMM agent keeps a reachable path to every customer endpoint, all day. Compromise of one MSP credential cascades into every protected environment.

Customer site VPN concentrators

Site-to-site VPNs that aggregate into the MSP NOC become a single point of failure. The route exists 100% of the time; the work happens 1% of the time.

Backup destinations per customer

Customer backups land on a target reachable from the production line — the same path attackers use to encrypt the originals along with the backups.

After-hours admin access

Admin tunnels that operators leave open overnight are the most-targeted entry point for credential-stuffing and password-spray campaigns.

How it maps

Real scenarios. Concrete fix.

01. Customer requests a scheduled maintenance window every Tuesday 02:00–04:00.

AGN1 at the customer site opens the admin path only during that window. The NOC sees the window in the audit log; outside it, the path does not exist.

02. Customer's RMM credential is rotated after a vendor compromise alert.

Because the customer's access path is closed by default, the rotation happens during the next scheduled window. No 24/7 exposure while the rotation propagates.

03. Customer wants to demonstrate physical isolation to their compliance auditor.

AGN1 audit log shows exact window open/close timestamps. Auditor verifies the path physically did not exist outside windows — not a policy assertion, a hardware fact.

Recommended setup

AGN2 on the rack. AGN1 per machine.

AGN1

Per customer site — on the MSP-managed admin path

Typical · 1 per site

AGN1

Per customer — between production and backup target

Typical · 1 per customer

AGN2

MSP NOC — managing fleet of customer-side AGN1 units (Cloud-ready)

Typical · 1 rack

What changes

After rollout, four things stop being possible.

AirGapNet is a hardware switch, not a policy. The change is measurable from the network side, not just in process documents.

  • Per-customer physical break replaces shared always-on VPN

  • One compromised MSP credential reaches one customer, not all

  • Customer-facing audit reports include hardware-level isolation proof

  • Backup paths exist only during the backup window

Resell or roll out

Make physical isolation a feature of every plan.

We work with MSPs and VARs on bulk pricing, branded one-pagers, and pilot-with-customer programs. The first customer pilot ships in two weeks.