DNS security built for
how enterprises
actually operate.

Compliance alignment, SLA commitments, flexible deployment from cloud to air-gapped on-premise, and a design partner program for organizations that want to shape the roadmap alongside the team that built this.

Platform at a glance
Production sinceOctober 2023
Resolver availability99.97% · 2.5 years
Query response time<50ms global · <10ms on-premise
Endpoint agents requiredZero
Deployment modelsCloud · Hybrid · On-premise
NSA / CISA PDNSAligned
Patent statusPending
Design partnersNow accepting
Limited availability · Now open

The Nantevo Design
Partner Program.

A select group of enterprise security teams deploying Nantevo before general availability — in exchange for direct input on the product roadmap, priority support, and pricing that reflects the early stage of the partnership.

Full platform access across your production fleet
Dedicated deployment support — direct access to the engineering team
Quarterly roadmap sessions — your requirements shape what gets built next
Early access to new capabilities before general release
Preferred pricing locked at design partner rates for 24 months
Custom filtering rules, threat feeds, and RoCi sensitivity tuning
On-premise appliance deployment assistance if required
Who is the right fit

Security-conscious mid-market teams

100–2,500 devices. A dedicated security function or IT team that evaluates vendors seriously. Existing Apple MDM deployment is ideal but not required. Distributed workforce or BYOD environment where agent-based solutions have created friction.

Regulated industry operators

Financial services, healthcare, legal, or government contractors with DNS security as a compliance requirement. Organizations where on-premise deployment or data residency requirements make cloud-only solutions inadequate.

Technically sophisticated IT teams

Teams that want to understand the architecture, not just evaluate the dashboard. Engineers who will read the how-it-works documentation and have opinions about the authentication design. Partners, not just customers.

Design partner slots are limited. Priority given to organizations that can provide actionable feedback on deployment experience, compliance requirements, and integration needs.
Compliance & framework alignment

Built to meet the requirements
your procurement team will ask about.

Nantevo's architecture is designed to align with the security frameworks and regulatory requirements that govern enterprise DNS security purchasing decisions.

NSA & CISA Protective DNS Guidance

The NSA and CISA have published explicit guidance recommending Protective DNS as a foundational enterprise security control. Nantevo is built to the architectural requirements described in that guidance.

  • Per-client DNS filtering policy enforcement
  • Encrypted DNS transport — DNS-over-HTTPS (RFC 8484)
  • Threat intelligence feed integration with automated blocking
  • Per-client telemetry and incident logging
  • Support for remote and BYOD device coverage

NIST Zero Trust Architecture

NIST SP 800-207 establishes that zero trust requires verification of every request from every device — authenticated DNS is a core component of that architecture. Nantevo enforces per-client identity on every query.

  • Per-request client authentication — no implicit trust
  • Unique credential pair per enrolled device or device group
  • Instant revocation without device access or agent removal
  • Per-client policy — different rules for different trust levels
  • Full query metadata audit trail per authenticated client

DNS-over-HTTPS — RFC 8484

All DNS queries are transmitted over encrypted HTTPS. No plaintext DNS is sent by any enrolled device after profile installation. DNS query content is not visible to network observers, ISPs, or intermediate nodes.

  • TLS 1.3 encrypted DNS transport on all enrolled devices
  • System-wide DoH via MDM profile — covers all applications
  • Hardened bootstrap option — resolver IP pinned in profile
  • No plaintext DNS leakage after enrollment
  • Compatible with existing network monitoring tools

Configurable Logging & Retention

Enterprise compliance requirements vary significantly. Nantevo's logging policy captures full query telemetry by default, with configurable retention windows to meet your specific requirements — from short windows for privacy-sensitive environments to extended retention for compliance mandates.

  • Query metadata logged by default — client ID, response code, latency, threat classification
  • Full query telemetry logged by default — domain, timestamp, client ID, response code, latency, threat classification
  • Configurable retention window per organizational policy
  • On-premise deployment keeps all data within your network
  • No third-party data sharing — ever
Reliability & SLA

Production-proven uptime.
Not a promise — a record.

Two and a half years of continuous production operation across geographically distributed infrastructure. These numbers reflect live telemetry from the same platform your organization will run on.

99.97%
Resolver availability — trailing 2.5 years production
VERIFIED · status.nantevo.com
<50ms
Typical global query response — <10ms achievable on-premise
PRODUCTION TELEMETRY · P50
Zero
User-reported service interruptions beyond known CDN events
2.5 YEARS · ZERO COMPLAINTS
Resolver availability99.97%
Proxy authentication layer100.0%
RoCi threat intelligence99.94%
Per-client telemetry pipeline99.89%

Enterprise SLA terms are established per design partner agreement and will be formalized into standard contracts as the platform reaches general availability. The 99.97% availability record across 2.5 years of production operation is the commitment baseline — not an aspirational target. Organizations with specific availability requirements are encouraged to discuss them directly during the enterprise inquiry process.

Deployment models

Your infrastructure.
Your requirements. Your choice.

Three deployment models covering every enterprise architecture — from cloud-native distributed teams to regulated data centers with strict data residency requirements. The same authentication architecture and RoCi intelligence operate across all three.

Model 01 — Cloud

Nantevo-hosted resolvers

Globally distributed resolver nodes, proxied through redundant CDN infrastructure. MDM profile push for zero-touch Apple fleet enrollment. Fastest path to full fleet protection — operational within hours of decision.

endpoint: {entropy}.nantevo.com
deployment: MDM profile push
queries: processed on Nantevo infra
best for: distributed teams, cloud-native
Model 02 — Hybrid

Your subdomain, our intelligence

Your DoH endpoint lives on your own subdomain. Local forwarder in your DC handles internal domains. External queries route upstream to Nantevo resolvers. Unified RoCi telemetry across both paths.

endpoint: dns.yourdomain.com
internal: local resolver
external: Nantevo upstream
best for: hybrid DC, mixed infrastructure
Model 03 — On-Premise

Air-gapped resolver

Complete resolver stack deployed as a virtual appliance in your data center or private cloud. DNS queries never leave your network. Only anonymized RoCi threat signals stream outbound. Sub-10ms response times on-network. CDN outages: irrelevant.

appliance: jail · container · OVA
queries: never leave your DC
roci: signals only, no query data
best for: regulated, high-security, DC
Regulated industries

Where the architecture matters most.

Nantevo's on-premise deployment model and configurable logging policy make it particularly well-suited for industries where data residency, audit requirements, and compliance posture drive security purchasing decisions.

Financial services

Banks, investment firms, and fintech companies operating under SOC 2, PCI DSS, or financial regulatory frameworks. On-premise deployment keeps DNS resolution within the compliance boundary. Per-client telemetry provides the audit trail regulators require. RoCi's C2 and exfiltration detection addresses the threat categories most relevant to financial data theft.

SOC 2 · PCI DSS · GLBA aligned

Healthcare

Hospitals, health systems, and healthcare technology companies under HIPAA. DNS security is a required safeguard under HIPAA's technical safeguard provisions. On-premise deployment ensures PHI-adjacent DNS traffic stays within the covered entity's infrastructure. Configurable retention supports HIPAA audit requirements.

HIPAA aligned · PHI boundary

Government & defense

Federal agencies, defense contractors, and government technology suppliers for whom CISA's Protective DNS guidance is a direct operational mandate rather than a best practice recommendation. On-premise deployment supports air-gap requirements. The authentication architecture aligns with Zero Trust mandates under EO 14028.

CISA PDNS · EO 14028 · FedRAMP roadmap

Technology & SaaS

Software companies and technology platforms with distributed engineering teams, BYOD-heavy environments, and contractor populations that make agent-based solutions operationally impractical. MDM-native zero-touch enrollment covers managed fleets. Authenticated DoH provides coverage for unmanaged and contractor devices without IT ownership of the endpoint.

SOC 2 · BYOD coverage · Zero-touch

Legal & professional services

Law firms, consulting firms, and professional services organizations handling privileged client data. DNS-layer protection for client confidentiality — blocking data exfiltration channels before they can be established. On-premise deployment for firms with strict data handling obligations. Per-client visibility that doesn't aggregate attorney-client traffic.

Confidentiality · Exfiltration prevention

Education

Universities, school districts, and EdTech platforms with COPPA, FERPA, and CIPA compliance requirements. Network-wide DNS filtering protects student devices across unmanaged networks — including bring-your-own-device policies that are standard in higher education. Content filtering at the DNS layer satisfies CIPA requirements for filtering without installing software on student devices.

COPPA · FERPA · CIPA aligned
Security posture

What enterprise security teams
need to know about Nantevo.

The questions security and compliance teams ask during vendor assessment — answered directly.

Data handling

Query metadata logged. Query content — your choice.

Default configuration logs full query telemetry: timestamp, authenticated client ID, queried domain, response code, resolution latency, and threat classification. The queried domain is essential — it powers blocked domain event lists, RoCi DGA analysis, and incident forensics. Source IP addresses are not retained. Retention windows are policy-configurable. No data is shared with third parties. On-premise deployment keeps all query data within your boundary.

Authentication architecture

128-bit entropy per credential. Two required. Silent drop on failure.

Each enrolled client receives a unique high-entropy endpoint subdomain (25 characters, a-z0-9, ~129 bits entropy) and a unique ClientID (25 characters, same alphabet). Both are required for every query. Unauthenticated requests receive no response — not an error, simply silence. This prevents fingerprinting or enumeration of the resolver infrastructure. Credentials are generated using Python's secrets module against the OS CSPRNG.

Supply chain

Open source stack. Auditable components. No black boxes.

Nantevo's resolver infrastructure is built entirely on open source components — FreeBSD, established DNS resolver software, and well-audited open source libraries. No proprietary black-box components in the critical query path. Security-conscious enterprise teams that want to audit the stack are encouraged to do so — that's a feature of the architecture, not a limitation.

RoCi & AI

AI analysis is asynchronous. It never touches a live query.

RoCi operates exclusively on the telemetry log stream — after query responses have already been delivered to devices. No AI inference is in the synchronous query path. This is an architectural constraint, not a limitation: DNS resolution latency is non-negotiable, and inference latency is not. RoCi's detections update the synchronous threat feed, which operates as a fast lookup with no AI overhead.

Responsible disclosure

Nantevo takes security research seriously. If you have identified a potential vulnerability in the Nantevo platform, resolver infrastructure, authentication architecture, or any associated system, we want to hear from you.

We commit to acknowledging receipt within 24 hours, providing a timeline for investigation within 72 hours, and coordinating disclosure responsibly with the researcher before any public communication.

We do not pursue legal action against good-faith security researchers who follow responsible disclosure practices. We will credit researchers publicly unless they prefer to remain anonymous.

[email protected]
PGP key available on request
Expected response: <24 hours
Penetration testing

Enterprise design partners who require third-party penetration testing of the Nantevo platform as part of their vendor assessment process should contact the enterprise team to coordinate scope, timing, and rules of engagement.

Enterprise inquiry

Start the conversation.

Every enterprise inquiry is handled personally by the team that built the platform. No BDR handoff, no sales sequence — a direct conversation with people who can answer technical questions, discuss deployment requirements, and understand your compliance context.

What to expect

Initial response within one business day. A 45-minute technical conversation covering your environment, deployment requirements, and compliance context. A live demo tailored to your fleet configuration. A clear proposal within a week of the conversation.

Prefer email?

Reach us directly at [email protected]. Include your organization size, device fleet composition, and any specific compliance or deployment requirements. We'll respond with the right context for a productive first conversation.

Enterprise inquiry

No sales sequences. Direct response from the engineering and product team.

See Nantevo protect a fleet
in under 60 seconds.

Live demo — your devices, your environment, your questions answered by the people who built it.