Built for teams that refuse to compromise on security

A unified agent with full-stack Virtual Wire networking (L3–L7) that replaces your VPN and endpoint monitoring stack — no gateway appliances required.

Virtual Wire — Layer 2 to Layer 7

Traditional VPNs and tunnels operate at a single network layer and funnel traffic through a central gateway. ORBTR's Virtual Wire spans the full stack — from Ethernet framing (L2) through transport (L4) to application-layer policy (L7) — all managed directly by the agent and control plane. No gateway appliances, no concentrators, no bottlenecks.

  • L2 bridging — extend VLANs and broadcast domains across sites [roadmap]
  • L3 routing — encrypted mesh overlay with per-tenant VRFs
  • L4 transport — per-flow policy with segment-aware forwarding
  • L7 application — DNS policy, identity-aware access, deep inspection [roadmap]
  • Zero gateway dependency — direct peer-to-peer, no single chokepoint
  • Virtual networks with DHCP, IPAM, and multi-network routing
virtual wire — layer coverage
Virtual Wire Stack
 
L7 Application: DNS policy · identity-aware access
L6 Presentation: deep inspection [roadmap]
L5 Session: Noise sessions · NodeID binding
L4 Transport: per-flow policy · segment routing
L3 Network: VL1 overlay · VRF/tenant isolation
L2 Data Link: VLAN bridging · broadcast extension [roadmap]
 
Traditional VPN: L3 only · gateway-dependent
ORBTR: L3–L7 · gatewayless · agent-native

Encrypted Mesh Overlay

ORBTR creates a peer-to-peer encrypted network between all your devices using the VL1 overlay protocol. UDP hole punching establishes direct connections; relay nodes provide fallback when NAT traversal fails.

  • Noise-encrypted sessions with Ed25519 key binding
  • Automatic hole punching — no port forwarding
  • Relay fallback with short-lived, audited tickets
  • Ledger-as-Directory (LAD) for peer discovery
  • Transport failover: VL1 → QUIC → WebSocket
  • mDNS/NetBIOS proxy for cross-mesh service discovery
mesh status
$ orbtrctl mesh status
Overlay: connected
Protocol: VL1/UDP + Noise
Peers: 12 direct, 2 relayed
Latency: p50=3ms p99=18ms (typical)
LAD Snapshot: fresh (age 12s)
Anchor: node-eu-01 (verified)

Zero-Trust by Design

Every connection, every policy update, and every script execution is cryptographically verified. ORBTR implements a three-tier key hierarchy with dual-validity signing and epoch-based anti-rollback.

  • Platform Root + Tenant Root key hierarchy (Ed25519)
  • Dual-signed Root Descriptors (TR ∧ PR)
  • Epoch-based anti-rollback on all state
  • Agent-side rate limiting detects key compromise
  • Device keys never leave the OS keychain (DPAPI/Keychain/TPM)
  • HSM-backed tenant keys for Enterprise compliance
key hierarchy
Key Hierarchy
├─ Platform Root (PR) · HSM-backed
│  ├─ Signs: TR certs, RD, updates, SM
│  └─ Emergency policy override
├─ Tenant Root (TR) · exportable
│  ├─ Signs: RD, policies, jobs
│  └─ Co-signs Root Descriptor
└─ Agent Key · local only
   └─ Signs: heartbeats, mesh, DDNS

Fleet-Wide Device Control

Manage every device from a single control plane. Enforce policies, run remote jobs, push updates, and monitor health — whether you have 10 devices or 10,000.

  • Cross-platform agent — macOS, Linux, Windows
  • Hardware, OS, network, software, and security inventory
  • Device tags, groups, and smart group rules
  • Patch management with compliance tracking and schedules
  • Cryptographically verified updates with staged rollouts and auto-rollback
  • Fleet map — geographic device distribution by region
device inventory
$ orbtrctl status
Device: dev_k8s_node_07
Tenant: acme-prod
Agent: v2.4.1 (up to date)
Mesh: connected · 14 peers
Policy: epoch 47 ✓ verified
Groups: production, us-east, k8s-nodes
Tags: env:prod, role:worker, tier:1

Jobs & ScriptPacks

Run verified scripts, collect logs, push files, and manage packages remotely. Every execution is hash-verified, targets specific groups or tags, and streams output in real time.

  • Script library with TR-signed manifests
  • Target by group, tag expression, or individual device
  • Multiple execution contexts — SYSTEM, USER, ELEVATED
  • Tray consent prompts for sensitive operations
  • Real-time stdout/stderr streaming
  • Retry logic and cancellation support
job execution
$ orbtrctl job run --script audit-compliance \
    --target "group:production"
Verifying script hash...
Dispatching to 47 devices...
Progress: ████████████████████ 47/47
Results: 45 passed · 2 pending

Threat Detection & Response

Every agent runs a built-in detection stack — monitoring file integrity, scanning for malware patterns, matching CVEs against your software inventory, and collecting security events. No separate EDR or vulnerability scanner required.

  • File Integrity Monitoring (FIM) with fingerprint-based change detection
  • Sigma rule engine for generic threat detection
  • YARA pattern scanning for malware signatures
  • ETW event collection on Windows (process, file, registry)
  • Rootkit detection and kernel integrity checks
  • CVE vulnerability scanning — 5 sources queried concurrently (NVD, OSV, GitHub Advisories, CIRCL, OpenCVE)
  • Per-device CVSS risk scoring with finding dismissal and audit trail
  • Distributed fleet scanning — hash-ring scheduling across 24h windows
threat detection
$ orbtrctl vuln scan --device dev_k8s_node_07
Scanning software inventory... (142 packages)
Normalizing CPE mappings... done
Querying 5 sources... NVD · OSV · GitHub · CIRCL · OpenCVE
 
Findings: 3 critical · 7 high · 12 medium · 4 low
Max CVSS: 9.8 (CVE-2024-3094 · xz-utils)
Fix available: 18 of 26
 
FIM · Sigma · YARA · ETW · CVE · all engines active

Intelligent DNS & DDNS

A built-in policy-driven DNS resolution engine with mesh-assisted fallback. Block threats, route queries per domain, and maintain device addressability with signed DDNS updates.

  • Block, override, forward, rewrite, and sinkhole modes
  • Per-domain upstream routing (UDP/TCP/DoH/DoT)
  • Mesh-assisted resolution when upstreams unreachable
  • URL-based blocklists with auto-refresh
  • DNS zone and record management (A/AAAA/CNAME/SRV)
  • Force SafeSearch and DNS sinkhole for threat mitigation
  • Dynamic DNS with health checks, failover, and email alerting
dns policy
# agent.yaml — dns section
dns:
  mode: enforced
  mesh_assist: true
  safe_search: true
  blocklists:
    - source: ads.txt
      action: nxdomain
      refresh: 86400

Policy Engine & Network Firewall

Define security posture at every scope level — from tenant-wide defaults down to individual devices. Policies propagate through the mesh even when the control plane is unreachable.

  • Scope hierarchy: Tenant → Network → Group → Device
  • Signed policy bundles with epoch-based anti-rollback
  • Mesh gossip propagation — works offline
  • Network firewall with address groups, port groups, and schedules
  • FQDN rules with DNS resolver integration
  • Zero-trust policies — identity-aware, posture-based, time-bounded
  • Routing policies — overlay routes, edge endpoint egress, force tunneling
policy scope hierarchy
Scope Resolution (most specific wins)
 
T · Tenant: baseline defaults
N · Network: per-network overrides
G · Group: role-based policy
D · Device: individual exceptions
 
Deep merge · signed bundles · anti-rollback
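The scope resolution above, worked through as an added example (not ORBTR's policy engine): bundles from Tenant, Network, Group and Device are deep-merged in that order, so nested sections combine and, where two scopes set the same key, the more specific one wins. The policy schema and the sample bundles are constructed for this illustration.

```go
package main

// Policy is a nested map, the shape a signed policy bundle decodes to after verification.
type Policy = map[string]any

// DeepMerge overlays `over` onto `base`: where both hold a nested map the maps
// merge recursively; any other value at the more specific scope replaces the
// less specific one. Inputs are never mutated.
func DeepMerge(base, over Policy) Policy {
	out := make(Policy, len(base))
	for k, v := range base {
		out[k] = v
	}
	for k, v := range over {
		if bm, ok := out[k].(Policy); ok {
			if om, ok := v.(Policy); ok {
				out[k] = DeepMerge(bm, om)
				continue
			}
		}
		out[k] = v
	}
	return out
}

// Resolve applies the Tenant → Network → Group → Device hierarchy; later scopes win.
func Resolve(scopes ...Policy) Policy {
	out := Policy{}
	for _, s := range scopes {
		out = DeepMerge(out, s)
	}
	return out
}

// Constructed sample bundles (assumed schema, not ORBTR's real one).
var (
	Tenant  = Policy{"dns": Policy{"mode": "enforced", "safe_search": true}, "firewall": Policy{"default": "deny"}}
	Network = Policy{"dns": Policy{"upstream": "doh://resolver.example"}}
	Group   = Policy{"firewall": Policy{"allow_ports": []int{22, 443}}}
	Device  = Policy{"dns": Policy{"safe_search": false}} // device-level exception
)
```

Resolving the four sample bundles keeps the tenant's `mode: enforced` and the network's upstream while the device exception turns `safe_search` off for that one device only.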

Edge Endpoints

Any enrolled agent can be promoted to serve mesh infrastructure roles — relay, anchor, DNS authority, DHCP bridge, or egress gateway. Run your own infrastructure on your own hardware with no separate appliance.

  • Anchor — serve LAD snapshots for peer discovery
  • Relay — packet forwarding when direct P2P fails
  • DNS Authority — authoritative DNS for your mesh zones
  • DHCP Bridge — bridge non-mesh LAN devices onto the overlay
  • Print Management — discover, approve, and deploy printers via mesh
  • Enterprise: VRF/VLAN egress, QoS, SNMP discovery
edge endpoint roles
Config-driven role activation
 
anchor: LAD snapshots · peer directory
relay: packet forwarding · NAT traversal
dns: authoritative zones · health checks
dhcp: LAN bridge · lease management
egress: VRF/NAT/VLAN · QoS shaping
print: SNMP discovery · mesh delivery
 
State: disabled → starting → active → draining → stopped

Data Sovereignty & Business Continuity

ORBTR is built for organisations that can't afford to depend on a third-party control plane. Export your Tenant Root key, run an emergency controller on your own hardware, and operate fully standalone when needed.

  • Emergency controller — standalone operation when control plane is unreachable
  • Tenant Root key export for cryptographic independence
  • Compliance-segmented PR keys (HIPAA, FedRAMP, PCI, IRAP)
  • Mesh-internal C2 failover via edge endpoint promotion
  • Data residency controls and regional key isolation
  • Offline policy enforcement with signed cache fallback
sovereignty mode
Sovereignty Configuration
 
TR Export: available
PR Domain: hipaa (us-east)
Controller: standby (edge-01)
Policy: cached epoch 47
MeshDB: synced (12s ago)
 
Failover: automatic · ready

One platform, every capability

Real-Time Telemetry

System metrics, health status, and security events streamed with backpressure controls and privacy-first field redaction.

Remote Access

WebRTC remote desktop, shell, and tunnel sessions with approval-based consent and optional session transcripts.

Alerts & Notifications

In-app notifications for IPS alerts, agent events, policy updates, and security signals. Email alerting for DDNS health checks.

Staged Rollouts

Percentage-based and ring-based deployment waves with auto-rollback on failure thresholds. Stable, beta, and custom update channels.

Identity & Access

SSO (SAML/OIDC), directory sync (AD/LDAP), RBAC, composed groups, and user-identity-aware policy enforcement.

Audit Logging

Immutable audit trail for every action, authentication event, and policy change. 7-day to unlimited retention with SIEM export.

Vulnerability Scanning

Multi-source CVE detection across NVD, OSV, GitHub Advisories, CIRCL, and OpenCVE — with CVSS risk scoring, deduplication, finding dismissal, and distributed fleet-wide scanning.

CLI & Tray

orbtrctl for automation and diagnostics. System tray app for status, DNS, jobs, mesh overview, and management actions.

Sovereignty

Emergency controller, TR key export, compliance-segmented cryptography, and mesh-internal C2 failover for full data sovereignty.

Features by tier

Every plan includes unlimited users. Higher tiers inherit all features from lower tiers.

Starter · Free

Mesh SD-WAN (L3), zero-trust enrollment, basic policy, DNS stub resolver, device inventory, groups, tags, fleet map, security center, audit logging (7 days), CLI, auto-updates, and in-app notifications. 9 devices free forever.

Pro · $16/device

Everything in Starter plus Virtual Wire (L3–L7), virtual networks with DHCP, network firewall, full policy with mesh propagation, ScriptPacks, remote access, Edge Endpoints, print management, SSO, smart groups, staged rollouts, DDNS monitoring, RBAC, patch management, and 90-day audit retention.

Enterprise · Custom

Everything in Pro plus unlimited Edge Endpoints with VRF/VLAN/QoS, sovereignty controls with emergency controller, distributed telemetry, HSM-backed keys, compliance-segmented cryptography (HIPAA/FedRAMP/PCI/IRAP), session transcripts, deep inspection (eBPF/WFP), and unlimited audit retention with SIEM export.

See it in action

Every account starts with a 30-day Pro trial. Deploy the agent on your first device in under two minutes.