Intelligent Infrastructure Security

Own your fleet.

Deploy C1 Capsules on every host in every datacenter — full visibility, autonomous control, and continuous proof. One dashboard. Zero blind spots.

Deploy your C1 Capsules See how they work

Built on standards your team already uses

  • OIDC
  • WebAuthn
  • SOC 2
  • ISO 27001
  • CIS
  • OpenTelemetry
  • Apache Doris
  • WireGuard

The Problem

Seven tools. No single source of truth.

The average security team runs seven disconnected tools. Your SIEM sees logs it can't act on. Your PAM grants access it can't audit. Your compliance scanner runs quarterly. None of them talk to each other — and you pay for all of them.

Before Control One

SIEM sees logs, can't remediate
PAM tool no posture context
Compliance scanner quarterly, not continuous
EDR alerts with zero auto-fix
Threat intel feeds never reach firewalls
Audit logger a fourth separate dashboard
vs

With Control One

One C1 Capsule

Per server. Every capability, unified.

  • Full SIEM + auto-remediation
  • PAM with session replay
  • Continuous compliance engine
  • Threat intel → firewall, automatically
  • Tamper-evident audit trail

The Platform

One C1 Capsule per host. Total command.

Every server gets a dedicated C1 Capsule — an intelligent agent that sees, controls, and proves everything on that host. One dashboard. Real-time. No manual toil.

◈ Industry-first

Full Visibility

See every connection. Score every risk.

C1 Capsules give you IP intelligence no SIEM matches — time-windowed analysis that scores every inbound connection by country, port pattern, bytes transferred, and behaviour across any time window you define.

  • Time-windowed IP analysis — "Show IPs from RU connecting 2am–7am"
  • Suspicious scoring per IP per window with visual heatmaps
  • Activities performed, ports accessed, bytes transferred — full context
  • Policy: "If IP from country X, 2am–7am, block >1 GB transfers"
  • Country-based and time-based rate limiting
// C1 Capsule rule: auto-remediate on policy breach allow port 22/tcp where labels.role == "bastion" deny port 3306/tcp on public_ip alert severity=high if log ~ /failed login/ > 5/min remediate action=block_ip ttl=1h

Total Control

Autonomous enforcement. Zero standing access.

C1 Capsules execute your policies without waiting for a human. JIT access requests flow through approval, every privileged session is recorded end-to-end, and threat intel feeds go straight to the firewall in seconds.

  • Just-in-time PAM — no standing root, ever
  • Bastion SSH proxy with mTLS tunnel direct to the capsule
  • Session replay — full transcript, searchable, exportable
  • Auto-remediation + circuit breakers on policy breach
  • Threat intel → ufw / firewalld / nftables / netsh, automatically
  • Step-up MFA (TOTP + WebAuthn) for highest-risk actions

Audit-Ready

SOC 2 in weeks. Evidence generated continuously.

Every C1 Capsule generates tamper-evident audit trails mapped to SOC 2 CC controls and ISO 27001. One click produces your evidence pack. No more spreadsheets, no more last-minute scrambles, no more $100K consultant fees.

  • Continuous compliance — not a quarterly snapshot
  • Pre-built CIS, SOC 2, and ISO 27001 control packs
  • What-if simulator replays a draft rule against 30 days of history
  • Behavioural baselines surface drift before it becomes a finding
  • One-click evidence export — hand auditors exactly what they need

How it works

From zero to full fleet control in 30 minutes.

  1. 1

    Bootstrap the control plane

    Deploy via Docker, Kubernetes, or the offline bundle. Bring your own Postgres + Redis or use the embedded stack. On-prem, cloud, air-gapped — your choice.

  2. 2

    Enrol hosts — C1 Capsules deploy

    One-line installer for Ubuntu, Debian, RHEL, Rocky, Alma, Alpine, and Windows. Bulk-enrol over SSH. Provision new hosts via KVM, VMware, AWS, or Azure — each one gets a dedicated C1 Capsule on first boot.

  3. 3

    Set posture, ship rules

    Pick a policy pack or author your own rules. Promote, simulate, roll out — every C1 Capsule sees the change in seconds via SSE. Rollout circuit breakers halt bad deploys automatically.

  4. 4

    Prove it to auditors

    Schedule CSV reports, hand over session recordings, point at the audit trail. Export your SOC 2 evidence pack in one click. Done in an afternoon, not three months.

Security & trust

Built like infrastructure security teams expect

Zero standing privilege

Every privileged session is JIT and time-bound. SSH certs are signed by a tenant CA and expire in minutes.

Encrypted at rest

AES-256-GCM on every credential, API key, and SSH CA private key. Operator never sees plaintext after save.

Step-up MFA

TOTP and WebAuthn (FIDO2) for the highest-risk actions: rotate CA, approve change-window override, delete tenant.

Tamper-evident audit

Append-only audit log with actor, target, action, and metadata. Mapped to SOC 2 CC and ISO 27001 controls.

WireGuard mesh

Optional encrypted overlay between control plane and C1 Capsules. Bastion never traverses the public internet.

Open formats

tlog session recordings, OpenTelemetry traces, OIDC auth, standard SSH certs. No proprietary lock-in.

Air-gap ready

Self-contained install bundle. Offline threat-feed mirroring. No phone-home telemetry without consent.

RBAC & multi-tenant

Role-based access at the page, route, and action level. Tenants are isolated from the database up.

Who it's for

Different teams, one control plane

For the CISO

One number on the board: how compliant are we, right now? Evidence packs that hand auditors what they want without engineering time. SOC 2 in weeks, not quarters.

For the SRE / DevOps lead

A single tool that knows about every host, every cluster, every rule. Visual rule builder for newcomers; YAML and API for automation pipelines. Open standards, no vendor lock-in.

For the sysadmin

Bulk-enrol existing fleets over SSH. Distro-aware installer that respects your init system. Every host firewall — ufw, firewalld, iptables, Windows — speaks one API.

Pricing

Pick a tier. Switch any time.

Prices display in your local currency based on your location.

Enterprise

For regulated estates

$250 / host / month

  • Everything in Business, plus:
  • Air-gapped deployment
  • BYO Postgres / Redis / Doris
  • WireGuard mesh + bastion proxy
  • FedRAMP / IRAP scoping
  • Named TAM, 24×7 SLA
  • Custom integrations
Talk to sales
Most Popular

Business

For growing security teams

$12 / host / month

  • Unlimited hosts
  • Full PAM with session replay
  • Auto-remediation + circuit breakers
  • Multi-tenant + RBAC
  • SOC 2 evidence pack
  • Email + chat support, 1-hour SLA
Book demo

Starter

For teams under 20 hosts

$0 · self-hosted

  • Up to 50 hosts
  • Compliance + posture
  • Threat intel feeds
  • Single tenant
  • Email support
Get started free

FAQ

Questions we get asked a lot

How does this compare to CrowdStrike, Palo Alto, or Okta?

Control One deploys C1 Capsules — dedicated intelligent agents per host. Unlike point solutions, each capsule gives you complete visibility, autonomous control, and tamper-evident proof in one dashboard. Our time-windowed IP intelligence is a differentiator no other SIEM currently matches.

What's the implementation timeline?

Most teams deploy their first C1 Capsules in under 30 minutes. Bootstrap the control plane, enrol your first hosts, and start seeing live capsule data immediately. Full fleet enrolment depends on your infrastructure size.

Do I need to replace my existing SIEM?

No. C1 Capsules work alongside your existing SIEM. The Apache Doris backbone handles millions of events per day, and you can forward events to Splunk, Loki, or Elastic when you need a unified pane across teams.

How do you handle air-gapped environments?

One tarball, no outbound calls. The offline bundle ships every capsule binary, migration, and threat-feed mirror you need. The included docker-compose runs Postgres, Redis, the control plane, and the operator console with zero internet egress.

What's your security posture?

Zero standing privilege, AES-256-GCM encryption at rest, step-up MFA for high-risk actions, tamper-evident audit logs, and WireGuard mesh for encrypted capsule communication. We practice what we preach.

Can I try before I buy?

Yes. The Starter tier is free for up to 50 hosts. Book a demo and we'll spin up a sandbox with your data to show you exactly how C1 Capsules solve your biggest headaches.

What happens if I exceed my host count?

On the Business tier, you have unlimited hosts. On the Starter tier, you can upgrade at any time. We'll notify you before you hit limits — no surprise overages.

Do you offer government or compliance-specific versions?

Yes. The Enterprise tier includes FedRAMP / IRAP scoping, air-gapped deployment, and custom integrations for regulated environments. Talk to sales for a scoping call.

Deploy C1 Capsules

See your C1 Capsules in action in 30 minutes

We'll spin up a sandbox with your data, deploy C1 Capsules across your fleet, and show you exactly how they solve your biggest security headaches.

No credit card required. No commitment. Just clarity.