Secure every web request.
On your own infrastructure.

Q: How is EnforceGate vX licensed?

Three editions — Lite, Pro and Enterprise — on an annual subscription. Each bundles connector sessions sized to its deployment (10 / 25 / 50); optional 5-session packs add capacity as you grow. No per-byte, per-user or per-endpoint metering, so you know your cost at signing. Lite is available now; Pro follows in Q4 2026 and Enterprise in Q2 2027.

Q: Where does our traffic and data go?

Nowhere external. EnforceGate runs inside your perimeter as a container or virtual appliance; traffic, policies and logs stay on your infrastructure with no cloud backhaul.

Q: Is SSL/TLS inspection legal to enable?

Inspection ships disabled by default. peek reads only the SNI; bump performs full decryption and requires an explicit, audited acknowledgement. Lawfulness depends on your jurisdiction and the notice or consent you provide.

Q: How are upgrades performed?

Upgrades are in-place and seamless — typically 1-2 minutes end to end, with under a minute of service interruption while the new components start. Configuration, license activation, policy history and audit log are preserved across upgrades, including yearly release transitions. On the virtual appliance the host OS updates continuously as atomic, rollback-capable snapshots, so it is always current; only the EnforceGate components are swapped. Docker deployments pull the new image versions.

Q: Can it run air-gapped or offline?

Activation happens once per validity period — once a year. The engine validates its license against the Exosys Control Server when activated and then caches it, so the deployment runs for the rest of the year without ongoing connectivity. For air-gapped or restricted networks, support can provide an offline-activation procedure.

Q: What support is included?

Every licence includes Direct support — email and a support portal, triaged by an Exosys engineer who works on the product. Pro can add Extended for scheduled callbacks and priority engineering triage. Enterprise includes Premium — a named engineering contact, special-release builds and rollout consultation.

EnforceGate vX is a self-hosted secure web gateway — URL filtering, network access control, SSL/TLS inspection and a captive portal. Enterprise-grade web security that runs inside your perimeter, deploys in minutes, and is priced by edition — not per seat or per Gbps.

Join Early Access

or talk to an engineer

EnforceGate vX

live

StatusOperational

Connectors5 / 5

Policy rules1,247

# 1 · create a rule — it installs & enforces automatically [root@xeg01] # eghost policy new 50-deny-c2 ● installed /etc/enforcegate/rules.d/50-deny-c2.policy ● policy reloaded # 2 · check it against live traffic [root@xeg01] # eghost policy test-uri "https://www.c2.com/" URI: https://www.c2.com/ Matched: yes Code: 300 (deny — redirect to portal) Rule name: block-c2 Reason: Block C2 malware traffic [root@xeg01] #

Deploys in minutes on Docker VMware KVM Hyper-V Signed & integrity-checked builds Your data stays on-premises 🇨🇭 Engineered in Switzerland

the platform

One gateway. Complete control of web traffic.

Every core capability below ships in every edition — no essential filtering, inspection or policy control locked behind a higher tier. Identity-aware access, the web console and operator SSO unlock with Pro and Enterprise.

URL filtering

Allow or deny HTTP and HTTPS by URI, hostname, SNI, user-agent and client IP/MAC. Every request gets a per-URL verdict before it leaves your network.

$ eghost policy test-uri "https://…"

Network access control

Permit or deny by identity principal (users, groups), client posture, or network origin — matched on the same attributes as your URL policies.

$ eghost policy new 20-nac-eng

SSL/TLS inspection

Three modes — off, peek (SNI) and bump (full decryption) — so you choose how much HTTPS visibility each deployment needs. The inspection CA is generated in seconds by the interactive installer.

$ eghost restart enforcegate

Captive portal

Block, warn and AUP verdicts redirect the visitor to an in-product explanation page in English, French, German and Italian — with an optional, recorded "Proceed anyway".

$ eghost links

Plain-text policies

Edit .policy files with the editor of your choice such as vi, or nano — domain lists, regex, SNI and user-agent matching. The engine saves a snapshot before every reload, so you can roll back to a previous version with a single command.

$ eghost policy edit 90-denyurlshort

Signed & verified

Every release is cosign-signed with a hardware-held key, its SHA-256 manifest re-checked at boot and by a running watcher, on a read-only root filesystem.

$ cosign verify-blob --key exosys-release.pub

solutions

Built for the jobs you actually have.

From acceptable-use enforcement to threat control and guest access — one engine, configured to your policy.

Compliance

Acceptable use & compliance

Enforce what your organisation may browse — block or warn by category, with an Acceptable Use page users acknowledge.

Domain-list & regex policies
Audited acknowledgement
Default-permit or default-deny

Threat control

Malware, phishing & C2 egress

Stop outbound connections to known-bad destinations before they leave your network, with optional HTTPS inspection.

Block phishing & C2 domains
SSL/TLS inspection (opt-in)
Threats-protection add-on feed

Access

Guest, kiosks & BYOD

Give unmanaged devices safe, filtered access with a self-service CA install page and per-origin policy — no agent required.

Self-service CA install page
Per users / groups / origin rules
Multilingual captive portal

how it works

From signed download to enforcing in three steps.

Verify & install

Download the cosign-signed bundle, verify it, and run the guided installer — it loads the images, starts the stack, and waits for the engine to go healthy.

$ sudo ./install.sh

Point your clients

Send web traffic through the bundled Squid proxy on :3128. The connector forwards every request to the engine over the encrypted Defendr protocol.

$ eghost status

Write policies & enforce

Edit plain-text .policy rules in the editor of your choice. eghost policy compiles and reloads the engine live — no restart, no dropped connections.

$ eghost policy new 90-denyurlshort

ClientsHTTP/HTTPS

→

Squid:3128

→

ConnectorDefendr

→

Engineverdict

→

Captive portalblock · warn · aup

why EnforceGate vX

The enterprise gateway, re-engineered for ownership.

Everything a secure web gateway should give you — without the cloud lock-in, the per-seat bill, or the expensive hardware. Built on proven open-source technologies and shipped as signed, verifiable images you can run and control.

Your data stays home

Traffic, policies and logs never leave your infrastructure. No backhaul through a vendor cloud, no data-residency headaches.

Predictable licensing

Priced by active connector session, not per seat or per Gbps. Cost scales with your ecosystem — a fraction of legacy platforms.

Verifiable supply chain

Hardware-anchored signing, in-image integrity checks, and a read-only root filesystem. Trust you can verify, not take on faith.

Swiss engineering & support

Built in the Swiss Alps and supported by the engineers who write the code — with a reply within one business day.

how we compare

The capability of a legacy NGFW. Without the legacy baggage.

How EnforceGate vX stacks up against incumbent enterprise NGFW and cloud secure-web-gateway platforms — on the criteria that actually move the needle.

	EnforceGate vX	Legacy NGFW / cloud SWG
Deployment	Self-hosted container or VM, live in minutes	Proprietary appliance or forced cloud
Where your traffic goes	Stays inside your network	Backhauled through the vendor's cloud
Pricing model	By edition + bundled connector sessions — no usage metering	Per user/seat plus bandwidth tiers
Renewal	No metering — renew on the same edition & connector count	Throughput audits and subscription renewals
First-year cost	From USD 299 first year	From USD 3,600 first year
Policy authoring	Plain-text `.policy` files — any editor, git-friendly	Proprietary console and change tickets
Automation & control	CLI-first — `eghost` · `egctl` · `egpolicy`	GUI-first, with a partial API
Openness	Built on open source; TLS, scripts & portal adaptable	Opaque, closed stack
Supply chain	Hardware-signed & integrity-checked at boot	Unverifiable binaries
Upgrades	In-place in 1–2 min; continuously-updated appliance OS	Maintenance windows and manual OS patching
Vendor lock-in	None — you run and control it	Deep platform lock-in

≈ 12× lower

first-year cost — USD 299 with EnforceGate vX versus ~~USD 3,600~~ for a typical enterprise NGFW / cloud secure-web-gateway. Same control of your web traffic, a fraction of the spend.

Comparison reflects typical enterprise NGFW / cloud secure-web-gateway deployments; capabilities vary by vendor and tier.

editions

Three editions, sized to your deployment.

One core platform, three editions. Each bundles connector sessions for your deployment size — add 5-session packs as you grow, with no per-seat, per-Gbps or per-request metering. Lite is available today; Pro and Enterprise follow in Q4 2026 and Q2 2027.

Currency

	Lite Available now	Pro Available Q4 2026	Enterprise Available Q2 2027
filtering & inspection
HTTP/HTTPS URL filtering	✓	✓	✓
SSL/TLS inspection	off · peek · bump	off · peek · bump	off · peek · bump
Captive portal	EN · FR · DE · IT	EN · FR · DE · IT	EN · FR · DE · IT
Squid connector	✓	✓	✓
access control
Network access control	IP, Subnet	User, Group, IP, Subnet	User, Group, IP, Subnet
Identity integration	None	Active Directory	Active Directory, RADIUS
policies & management
Plain-text policy engine	✓	✓	✓
Zero-downtime reload & rollback	✓	✓	✓
Operator CLIs	eghost · egctl · egpolicy	eghost · egctl · egpolicy	eghost · egctl · egpolicy
Learning mode & diagnostics	✓	✓	✓
Web admin interface	✕	✓	✓
Operator SSO / SAML	✕	✕	✓
deployment & scale
Deployment	Docker · VMware · Hyper-V · KVM	Docker · VMware · Hyper-V · KVM	Docker · VMware · Hyper-V · KVM
Hardware	x86-64	x86-64	x86-64
Throughput	10 Gbps+^†1	10 Gbps+^†1	10 Gbps+^†1
security & supply chain
Signed & integrity-checked images	✓	✓	✓
Read-only root filesystem	✓	✓	✓
optional add-ons
Threats protection	Add-on	Add-on	Add-on
connector capacity
Bundled connector sessions	10	25	50
Add-on connector packs	—	Up to 1 (+5)	Unlimited
support
Support tier	Direct	Direct · Extended optional	Premium
pricing — limited-time launch offer
Launch price^†2	~~USD 799 / yr~~ USD 299 / yr	~~USD 3,999 / yr~~ USD 1,499 / yr
^†1 Throughput depends on hardware specifications, hypervisor configuration, network topology, and the active SSL-inspection mode. Actual performance varies by installation.
^†2 Prices are per edition licence, per year, including the edition's bundled connector sessions. The struck figure is the standard list price; the highlighted figure is the limited-time launch rate. Optional connector packs add 5 sessions for USD 199 / pack / yr (standard USD 499); Extended support for Pro is USD 499 / yr (standard USD 1,499). Enterprise is priced per deployment — request a quote. Launch rates are limited-time and subject to change. The software is fully operational throughout the active subscription period; once the subscription expires, the product can no longer be used.

questions

Answers before you ask sales.

The things security and IT teams check before they trial a gateway.

How is EnforceGate vX licensed?

Three editions — Lite, Pro and Enterprise — on an annual subscription. Each bundles connector sessions sized to its deployment (10 / 25 / 50); add optional 5-session packs as you grow. There's no per-byte, per-user or per-endpoint metering, so you know your cost at signing. Lite is available today; Pro follows in Q4 2026 and Enterprise in Q2 2027. During Early Access, Lite is free to run in your network.

Where does our traffic and data go?

Nowhere external. EnforceGate runs entirely inside your perimeter as a container or virtual appliance — traffic, policies and logs stay on your infrastructure. There is no cloud backhaul and no vendor telemetry on inspected traffic.

Is SSL/TLS inspection legal to enable?

Inspection ships disabled by default. peek reads only the SNI; bump performs full decryption and requires an explicit, audited acknowledgement before it will start. Whether decryption is lawful depends on your jurisdiction and the notice or consent you provide — you remain responsible for that determination.

How long does deployment take?

Minutes. Download the signed Docker bundle, verify it, run the guided installer, and point your clients at the proxy. Prefer a VM? The turnkey virtual appliance ships as ready-to-import images in OVA, QCOW2, VHDX and VMDK formats for VMware, KVM and Hyper-V. Either way, the engine self-initialises its keys, certificates and a default policy on first boot.

How are upgrades performed?

Upgrades are in-place and seamless — typically 1–2 minutes end to end, with under a minute of service interruption while the new components start. Your configuration, license activation, policy history and audit log are preserved across upgrades, including yearly release transitions. On the virtual appliance the host operating system updates continuously as atomic, rollback-capable snapshots, so the OS underneath is always current — only the EnforceGate components are swapped at upgrade time. Docker deployments simply pull the new image versions.

Can it run air-gapped or offline?

Activation happens once per validity period — once a year. The engine validates its license against the Exosys Control Server when activated and then caches it, so the deployment runs for the rest of the year without ongoing connectivity to the server. For air-gapped or restricted networks, support can provide an offline-activation procedure.

What support is included?

Every licence includes Direct support — email and a support portal, triaged by an Exosys engineer who works on the product, not a community forum. Extended, a paid upgrade available on Pro, adds scheduled callbacks and priority engineering triage. Premium, included with Enterprise, adds a named engineering contact, special-release builds and rollout consultation.

free during early access

Test EnforceGate vX in your own network.

Join the Early Access waiting list. If you're selected, we'll email your invite and the verified download — no credit card, no sales call.

Please accept the Privacy Policy to continue.

Something went wrong — please try again.

No spam. Unsubscribe anytime.

✓

You're on the list.

If you're selected, we'll email with your invite and download.

Secure every web request.On your own infrastructure.