The company

Built by someone who ran
the infrastructure first.

Nantevo was founded by an engineer with twenty years of experience operating DNS, network services, and security infrastructure at internet scale — for the Department of Defense, for the Adobe Marketing Cloud, and across two and a half years of continuous production operation serving real households. This isn't a product designed from the outside. Every architectural decision reflects a specific operational lesson learned under real conditions.

Oct '23
Production launch date — continuous operation since
2.5 yrs
Uninterrupted service across real households and devices
~25%
Of all DNS queries blocked when ad filtering is active
Zero
Downtime complaints from users — beyond known Cloudflare events
The founding story

Every piece of Nantevo comes
from something real.

The story starts in 2005, not 2024. A young engineer running DNS for the Department of Defense's procurement platform in FreeBSD jails, under a top-secret clearance that required FBI interviews of everyone who had ever known him. That infrastructure, those jails, that discipline around availability and security: the architecture that became Nantevo has roots two decades deep.

A decade later, the same engineer was running DNS for the Adobe Marketing Cloud — the analytics backbone for a significant share of the Fortune 500's web properties. Billions of queries per day across a global anycast network spanning more than two dozen data centers. Latency and availability were not engineering goals. They were business requirements. A slow DNS response meant a delayed page load for millions of users. A failure meant calls from executives.

It was at Adobe that the pattern that defines Nantevo first became visible: a security gap nobody had solved cleanly, a novel solution built in the gaps between meetings, and an industry recognizing it before the builder fully understood what he had made.

"A sales engineer from SaltStack pulled me aside at a meetup after I demoed HubbleStack. He wanted to, in his words, 'sell the shit out of it.' I wasn't ready. I didn't take the meeting."

HubbleStack was a security visibility platform built at Adobe — real-time file integrity monitoring, CIS benchmark compliance, and osquery fleet telemetry at enterprise scale. The CSO50 award recognized it as innovative thought leadership. Multiple engineers at SaltStack said directly that it saved the company. SaltStack was acquired by VMware for $51 million. The builder of HubbleStack received a good salary and no part of the acquisition. That is not a complaint. It is a fact that clarified something important about the next chapter.


October 2023

Not a proof of concept.
A production service.

In 2023, QueryGuard launched — not as a lab experiment or a demo environment, but as a real service deployed to real households. Friends and family who volunteered to generate real traffic across real devices: iPhones, iPads, MacBooks, Android phones, Windows laptops, Linux machines, FreeBSD workstations, home routers providing network-wide protection, and every major browser. Each household received a unique endpoint and ClientID — per-client authentication from day one — with dashboard access, customizable filtering rules, and protection telemetry.

The dashboard itself was built with the same care as the resolver: magic link login — no passwords, ever. Charts showing blocked threat categories, bandwidth saved by ad filtering, top detected threats, and even anonymous comparative rankings against other users. A real product experience for real users, built and maintained by one engineer from a van on the road.

"I've watched it block clever malware from reaching tenured IT professionals. I've watched it filter adult content hidden in App Store games on a child's iPad. I've watched it save enormous amounts of bandwidth while improving security — a combination that every network should have."

That service has run continuously since October 2023 — two and a half years without a service interruption. No user has ever filed a complaint about downtime beyond the known Cloudflare outage events that affected the entire cloud delivery layer. Among twenty years of operating public-facing internet services, this stands as one of the highest availability records achieved.

The van itself runs a Raspberry Pi that acts as a local DNS resolver — lightweight caching and first-line filtering, forwarding all queries upstream to the cloud endpoints. Optimistic caching makes the upstream round trip completely transparent to the user after the initial request. The van is both a test environment and a demonstration of the hybrid deployment model: local intelligence where low latency matters, cloud intelligence where deeper analysis is available.

During those same two years, a master's degree in cybersecurity was completed in four months through competency-based assessment — the capstone paper written on Protective DNS, using the production service as both the design template and the implementation proof. Formal credentials for two decades of informal expertise.

Real-world impact

What actually happened
when the service went live.

These are not hypothetical threat scenarios. They are observed outcomes from 2.5 years of production DNS telemetry across real households and devices.

Malware blocked from IT professionals

Tenured IT professionals — people who know better than most — had devices attempting to reach known malware infrastructure. DNS-layer blocking stopped the connection before any payload could be delivered, without any action required from the user. The attack happened. The resolution didn't.

blocked at DNS layer · zero user action required

Adult content hidden in App Store games

A child's iPad, running an App Store game with an age-appropriate rating, attempted to resolve adult content domains embedded in the app's ad network. The domains never resolved. The app continued to function. The content never appeared. This is the protection that parental controls on the device cannot provide — it operates above the app layer.

blocked before content loaded · app unaffected

25% of all queries blocked by ad filtering

Across the production fleet, ad filtering blocks approximately one in four DNS queries — removing ad infrastructure, tracking domains, and surveillance networks before they can load. Ads are frequently the delivery vehicle for malvertising campaigns, and Global Cyber Alliance research found DNS-layer filtering could prevent roughly a third of data breaches.

~25% query reduction · production fleet average
Production device coverage

Every device in the
household. Proven.

Device coverage wasn't designed in a lab and claimed on a spec sheet. It was proven across 2.5 years of real households using real devices. Every category below has been operational in production since October 2023.

iPhone iPad MacBook Android Windows Linux FreeBSD Home routers Chrome Firefox Brave Edge Safari

Router-level deployment provides network-wide protection for every device on the network — including smart TVs, IoT devices, and anything else that makes DNS queries.

Van deployment — hybrid architecture
DeviceRPI local resolver
local cache hit → <1ms
lightweight first-line filtering

Cache misscloud endpoint upstream
authenticated DoH to nantevo.com
full RoCi analysis + deep filtering
response cached locally

optimistic caching
upstream latency transparent
after initial resolution

result: local speed + cloud intelligence

This hybrid model is not a workaround — it is the production architecture for the on-premise deployment tier. Local caching for speed. Cloud intelligence for depth. The upstream latency becomes invisible after the first resolution cycle.


The architecture decision

DNS is the most impactful layer.
Everything else is downstream.

After twenty years of building and operating public-facing internet services, one observation stands above the others: DNS sits at the foundation of every internet interaction a device makes. Every HTTP request, every API call, every application connection begins with a DNS lookup. No other layer in the OSI model provides as broad and consistent a vantage point for security intervention.

An endpoint agent can only see what happens on the device it runs on. A firewall can only see traffic that flows through it. A SIEM sees what other tools choose to send it. DNS sees everything — on every device, through every application, across every network connection — before any of it happens. A threat that is blocked at DNS resolution is a threat that never had the opportunity to deliver a payload, establish a connection, or exfiltrate data.

The incumbent solutions understood this. What they got wrong was the deployment model. Agents create the operational overhead they're supposed to eliminate. Kernel extensions introduce the attack surface they're supposed to prevent. Complex enrollment workflows mean the devices most in need of protection — unmanaged, BYOD, contractor — are the ones least likely to have it.

The authenticated DoH architecture wasn't designed from theory. It came from someone who has managed agent rollouts across enterprise fleets, debugged kernel extension conflicts at 3am, and watched BYOD coverage gaps get exploited in production. The transport-layer credential approach solves the operational problem by removing the operational burden entirely.

"I compulsively built useful things for two decades. Every one of those things generated value for someone else's company. Nantevo is the one that generates it for mine."

Track record

Twenty years of building
things that mattered.

The professional history that informs Nantevo's architecture, operational discipline, and product decisions.

2005 — Department of Defense

DNS and network infrastructure for DoD eMall

Server infrastructure and DNS services for the DoD's procurement platform — government employee PII and purchasing data under top-secret clearance. DNS running in FreeBSD jails. The same isolation architecture that underpins Nantevo's virtual appliance deployment model two decades later.

Top-secret clearance · FreeBSD jails · DNS operations
2012 — Adobe Marketing Cloud

DNS at Fortune 500 scale — billions of queries per day

DNS and network services for the Adobe Marketing Cloud. Global anycast network, 24+ data centers, billions of queries per day serving analytics for a significant share of the Fortune 500's web properties. Latency and availability were business requirements measured in revenue impact per millisecond.

Anycast · Global infrastructure · Fortune 500 scale
2016 — SaltStack / Adobe

HubbleStack — CSO50 award winner

Real-time FIM, CIS benchmark visibility, and osquery fleet telemetry integrated into SaltStack at enterprise scale. CSO50 award for innovative thought leadership. Multiple SaltStack engineers credit it with saving the company before their $51M VMware acquisition.

CSO50 award · $51M acquisition context · Novel security tooling
2019 — Open source

BastilleBSD — global deployment

Created the leading FreeBSD jail manager. Deployed in enterprise telecoms across Europe and embedded in Zenith set-top boxes in hotels globally. The container isolation architecture directly informs Nantevo's virtual appliance deployment model.

EU telecoms · Hotel infrastructure · Global deployment
2023 — WGU · Cybersecurity

MS Cybersecurity — four months, competency-based

Master's degree completed in four months through competency demonstration. BS capstone on HubbleStack. MS capstone on Protective DNS architecture using the production QueryGuard platform as the design and implementation subject. Formal credentials for twenty years of operational expertise.

MS Cybersecurity · Competency-based · Production capstone
October 2023 — Present

Nantevo — 2.5 years in production, zero downtime

Launched October 2023 with real households across all major device categories. 2.5 years of continuous operation. Per-client authentication, dashboard access, customizable filtering, and protection telemetry from day one. Zero user-reported downtime beyond known Cloudflare events.

Production · Patent pending · 2.5 years · Zero downtime
Open source

A decade of building in public.

Open source contribution is where the architectural thinking behind Nantevo was developed, tested, and validated by the communities that use it.

HubbleStack

Creator

Security visibility platform for SaltStack environments. Real-time FIM, CIS benchmark compliance, osquery fleet telemetry at enterprise scale. Integrated into SaltStack's commercial offering. CSO50 award winner.

$51M VMware acquisition context · Enterprise adoption · CSO50

BastilleBSD

Creator

The leading FreeBSD jail manager. Lightweight container isolation for FreeBSD hosts. Adopted by EU telecoms and deployed in Zenith hotel infrastructure globally. Now maintained by a trusted contributor team.

EU telecoms · Hotel set-top boxes · Global deployment

Rocinante

Creator

Lightweight configuration management for FreeBSD hosts using BastilleBSD templates. The "workhorse" tool for automating infrastructure configuration — named deliberately for the van that carried this work across the country.

FreeBSD · Configuration management · Open source

SaltStack

Contributor

Extensive contributions including the integration work connecting HubbleStack's security telemetry to the broader SaltStack ecosystem at Adobe Marketing Cloud scale.

Enterprise automation · Security integration

FreeBSD

Contributor

Ongoing contributions rooted in twenty years of running FreeBSD in production — from DoD infrastructure in 2005 through the current Nantevo resolver deployment.

20+ years production use · Operating system

Nantevo

Founder

The platform that closes the loop — from twenty years of open source contribution and operational experience to a production security company. Built on the same stack, the same principles, the same discipline.

Patent pending · Production · Bay Area, CA
Operating principles

How we think
about this work.

These aren't mission statements drafted in a planning session. They are the actual operating beliefs that produced the architecture, the product decisions, and the way Nantevo shows up in every customer conversation.

"Treat everyone you meet like God in drag."
— Ram Dass

This is not a business philosophy. It predates Nantevo by years. It is the lens through which every customer conversation, every support interaction, and every product decision gets made. Competence and kindness are not in tension. They are the combination that builds something worth trusting.

01

Operational honesty

The bootstrap DNS lookup exists. The Cloudflare dependency exists. The current node footprint is the starting point, not the end state. Honest limitations build more trust than claimed perfection — and they lead to better architectural decisions.

02

Latency is sacred

DNS is in the critical path of every internet connection. Adding latency is a tax on every user and every transaction. RoCi never touches a live query. Every synchronous operation is a lookup, never an inference. This is non-negotiable.

03

Build for the operator

Security products are designed for the buyer and inflicted on the IT team. Zero-touch MDM enrollment, proxy-layer revocation, and TTL-aware maintenance windows exist because this engineer has been that IT team dealing with the Friday 6pm emergency.

04

Earn the enterprise label

2.5 years of production uptime. A documented maintenance process. A patent-pending authentication architecture. The willingness to tell a customer when something is a known limitation. These are what earn it — not a logo on a slide deck.

Get in touch

We want to hear from you.

Whether you're a security team evaluating DNS protection options, an investor interested in the space, a potential design partner, or an engineer with questions about the architecture — reach out directly. Early conversations are taken seriously and responded to personally.

General inquiries
Product questions, partnership inquiries, press
Enterprise & sales
Deployment discussions, design partner program, demos
Security disclosure
Responsible disclosure — we take these seriously and respond promptly
Investor relations
Funding conversations, strategic partnership discussions
Current status
PlatformOperational since Oct 2023
Uptime record99.97% · 2.5 years
StageEarly access
Design partnersNow accepting
Patent statusPending
LocationBay Area, CA

See it working.

A live demo covers the full architecture — authentication, MDM enrollment, per-client telemetry, and a RoCi detection scenario. Under 60 minutes. No obligation.