Compliance alignment, SLA commitments, flexible deployment from cloud to air-gapped on-premise, and a design partner program for organizations that want to shape the roadmap alongside the team that built this.
A select group of enterprise security teams deploying Nantevo before general availability — in exchange for direct input on the product roadmap, priority support, and pricing that reflects the early stage of the partnership.
100–2,500 devices. A dedicated security function or IT team that evaluates vendors seriously. Existing Apple MDM deployment is ideal but not required. Distributed workforce or BYOD environment where agent-based solutions have created friction.
Financial services, healthcare, legal, or government contractors with DNS security as a compliance requirement. Organizations where on-premise deployment or data residency requirements make cloud-only solutions inadequate.
Teams that want to understand the architecture, not just evaluate the dashboard. Engineers who will read the how-it-works documentation and have opinions about the authentication design. Partners, not just customers.
Nantevo's architecture is designed to align with the security frameworks and regulatory requirements that govern enterprise DNS security purchasing decisions.
The NSA and CISA have published explicit guidance recommending Protective DNS as a foundational enterprise security control. Nantevo is built to the architectural requirements described in that guidance.
NIST SP 800-207 establishes that zero trust requires verification of every request from every device — authenticated DNS is a core component of that architecture. Nantevo enforces per-client identity on every query.
All DNS queries are transmitted over encrypted HTTPS. No plaintext DNS is sent by any enrolled device after profile installation. DNS query content is not visible to network observers, ISPs, or intermediate nodes.
Enterprise compliance requirements vary significantly. Nantevo's logging policy captures full query telemetry by default, with configurable retention windows to meet your specific requirements — from short windows for privacy-sensitive environments to extended retention for compliance mandates.
Two and a half years of continuous production operation across geographically distributed infrastructure. These numbers reflect live telemetry from the same platform your organization will run on.
Enterprise SLA terms are established per design partner agreement and will be formalized into standard contracts as the platform reaches general availability. The 99.97% availability record across 2.5 years of production operation is the commitment baseline — not an aspirational target. Organizations with specific availability requirements are encouraged to discuss them directly during the enterprise inquiry process.
Three deployment models covering every enterprise architecture — from cloud-native distributed teams to regulated data centers with strict data residency requirements. The same authentication architecture and RoCi intelligence operate across all three.
Globally distributed resolver nodes, proxied through redundant CDN infrastructure. MDM profile push for zero-touch Apple fleet enrollment. Fastest path to full fleet protection — operational within hours of decision.
Your DoH endpoint lives on your own subdomain. Local forwarder in your DC handles internal domains. External queries route upstream to Nantevo resolvers. Unified RoCi telemetry across both paths.
Complete resolver stack deployed as a virtual appliance in your data center or private cloud. DNS queries never leave your network. Only anonymized RoCi threat signals stream outbound. Sub-10ms response times on-network. CDN outages: irrelevant.
Nantevo's on-premise deployment model and configurable logging policy make it particularly well-suited for industries where data residency, audit requirements, and compliance posture drive security purchasing decisions.
Banks, investment firms, and fintech companies operating under SOC 2, PCI DSS, or financial regulatory frameworks. On-premise deployment keeps DNS resolution within the compliance boundary. Per-client telemetry provides the audit trail regulators require. RoCi's C2 and exfiltration detection addresses the threat categories most relevant to financial data theft.
SOC 2 · PCI DSS · GLBA alignedHospitals, health systems, and healthcare technology companies under HIPAA. DNS security is a required safeguard under HIPAA's technical safeguard provisions. On-premise deployment ensures PHI-adjacent DNS traffic stays within the covered entity's infrastructure. Configurable retention supports HIPAA audit requirements.
HIPAA aligned · PHI boundaryFederal agencies, defense contractors, and government technology suppliers for whom CISA's Protective DNS guidance is a direct operational mandate rather than a best practice recommendation. On-premise deployment supports air-gap requirements. The authentication architecture aligns with Zero Trust mandates under EO 14028.
CISA PDNS · EO 14028 · FedRAMP roadmapSoftware companies and technology platforms with distributed engineering teams, BYOD-heavy environments, and contractor populations that make agent-based solutions operationally impractical. MDM-native zero-touch enrollment covers managed fleets. Authenticated DoH provides coverage for unmanaged and contractor devices without IT ownership of the endpoint.
SOC 2 · BYOD coverage · Zero-touchLaw firms, consulting firms, and professional services organizations handling privileged client data. DNS-layer protection for client confidentiality — blocking data exfiltration channels before they can be established. On-premise deployment for firms with strict data handling obligations. Per-client visibility that doesn't aggregate attorney-client traffic.
Confidentiality · Exfiltration preventionUniversities, school districts, and EdTech platforms with COPPA, FERPA, and CIPA compliance requirements. Network-wide DNS filtering protects student devices across unmanaged networks — including bring-your-own-device policies that are standard in higher education. Content filtering at the DNS layer satisfies CIPA requirements for filtering without installing software on student devices.
COPPA · FERPA · CIPA alignedThe questions security and compliance teams ask during vendor assessment — answered directly.
Default configuration logs full query telemetry: timestamp, authenticated client ID, queried domain, response code, resolution latency, and threat classification. The queried domain is essential — it powers blocked domain event lists, RoCi DGA analysis, and incident forensics. Source IP addresses are not retained. Retention windows are policy-configurable. No data is shared with third parties. On-premise deployment keeps all query data within your boundary.
Each enrolled client receives a unique high-entropy endpoint subdomain (25 characters, a-z0-9, ~129 bits entropy) and a unique ClientID (25 characters, same alphabet). Both are required for every query. Unauthenticated requests receive no response — not an error, simply silence. This prevents fingerprinting or enumeration of the resolver infrastructure. Credentials are generated using Python's secrets module against the OS CSPRNG.
Nantevo's resolver infrastructure is built entirely on open source components — FreeBSD, established DNS resolver software, and well-audited open source libraries. No proprietary black-box components in the critical query path. Security-conscious enterprise teams that want to audit the stack are encouraged to do so — that's a feature of the architecture, not a limitation.
RoCi operates exclusively on the telemetry log stream — after query responses have already been delivered to devices. No AI inference is in the synchronous query path. This is an architectural constraint, not a limitation: DNS resolution latency is non-negotiable, and inference latency is not. RoCi's detections update the synchronous threat feed, which operates as a fast lookup with no AI overhead.
Nantevo takes security research seriously. If you have identified a potential vulnerability in the Nantevo platform, resolver infrastructure, authentication architecture, or any associated system, we want to hear from you.
We commit to acknowledging receipt within 24 hours, providing a timeline for investigation within 72 hours, and coordinating disclosure responsibly with the researcher before any public communication.
We do not pursue legal action against good-faith security researchers who follow responsible disclosure practices. We will credit researchers publicly unless they prefer to remain anonymous.
Enterprise design partners who require third-party penetration testing of the Nantevo platform as part of their vendor assessment process should contact the enterprise team to coordinate scope, timing, and rules of engagement.
Every enterprise inquiry is handled personally by the team that built the platform. No BDR handoff, no sales sequence — a direct conversation with people who can answer technical questions, discuss deployment requirements, and understand your compliance context.
Initial response within one business day. A 45-minute technical conversation covering your environment, deployment requirements, and compliance context. A live demo tailored to your fleet configuration. A clear proposal within a week of the conversation.
Reach us directly at [email protected]. Include your organization size, device fleet composition, and any specific compliance or deployment requirements. We'll respond with the right context for a productive first conversation.
No sales sequences. Direct response from the engineering and product team.
Live demo — your devices, your environment, your questions answered by the people who built it.