EnforceGate vX Early Access is open — request your invite.

Secure every web request.
On your own infrastructure.

EnforceGate vX is a self-hosted secure web gateway — URL filtering, network access control, SSL/TLS inspection and a captive portal. Enterprise-grade web security that runs inside your perimeter, deploys in minutes, and is priced by edition — not per seat or per Gbps.

EnforceGate vX
Status: Operational
Connectors: 5 / 5
Policy rules: 1,247
    # 1 · create a rule — it compiles & reloads automatically
    [root@xeg01] # eghost policy new 50-block-malware
    compiled /etc/enforcegate/rules.d/50-block-malware.policy
    engine reloaded — no restart, no dropped connections

    # 2 · dry-run a URL against the live policy
    [root@xeg01] # egctl show-policy-match "https://www.c2.com/"
    Verdict: deny
    Rule: block-malware
    Action: redirect to captive portal
    Reason: Known C2 / malware domain
    [root@xeg01] #
Deploys in minutes on Docker · VMware · KVM · Hyper-V
Signed & integrity-checked builds
Your data stays on-premises
🇨🇭 Engineered in Switzerland
the operator cli

An operator CLI you already know.

If you run Cisco IOS or Juniper Junos, EnforceGate vX feels like home — a real interactive CLI with operational, privileged and configuration modes, show verbs and staged commits. No web console required.

eghost cli — interactive control
    [root@xeg01] # eghost cli
    EnforceGate vX · interactive control — type ? for help
    xeg01> show policy list
    ID  NAME           ACTION  MATCH        HOSTS
    10  block-malware  deny    domain-list  1,284
    20  warn-social    warn    domain-list  46,901,233
    40  allow-corp     permit  uri-regex    —
    Total: 3 rules · 150,000,000 domain hosts loaded
    xeg01> enable
    xeg01# configure terminal
    xeg01(config)# edit policy warn-social
    xeg01(config)# commit
    ✓ validated · applied · snapshot saved
    xeg01(config)#
  • Cisco IOS & Juniper Junos, in one shell

    It works like the network gear you already run — the same command modes, inline ? help, and a safe staged workflow: you edit a change, commit it, and roll it back if needed. Know Cisco IOS or Juniper Junos? You're productive on day one.

  • Up to 150M rules — built for categories

    The engine loads up to ~150 million rules in memory and matches every request locally — large enough to run full URL-category filtering from your own lists, with no cloud lookup. Benchmarked in under 5 GiB with sub-microsecond decisions that stay flat as the rule set grows.

  • A scriptable toolbox

    Every verb is also a flat, scriptable command. Wrap them in your own shell scripts, cron jobs and CI — a sysadmin-friendly environment you can automate end to end, no SDK required.
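
One way to use the flat verbs in CI, as an added example that is not EnforceGate's own code: a verdict regression check around `egctl show-policy-match`. The output layout is taken from the terminal mock-up on this page; the intranet URL, the expectation table and the helper names are assumptions.

```python
import subprocess
import sys

def run_egctl(url):
    """Run the dry-run verb shown on this page; needs egctl on PATH."""
    result = subprocess.run(["egctl", "show-policy-match", url],
                            capture_output=True, text=True, check=True)
    return result.stdout

def parse_match(output):
    """Turn 'Verdict: deny' style lines into a dict with lower-cased keys."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def check_expectations(expectations, runner=run_egctl):
    """Return (url, expected, got, rule) for every verdict that differs."""
    failures = []
    for url, expected in expectations:
        match = parse_match(runner(url))
        got = match.get("verdict", "<no verdict>")
        if got != expected:
            failures.append((url, expected, got, match.get("rule")))
    return failures

# Constructed data: URLs that must keep their verdict across policy edits.
# The intranet URL and its 'permit' verdict are assumptions for illustration.
EXPECTED = [("https://www.c2.com/", "deny"),
            ("https://intranet.example/", "permit")]
HEALTHY = {
    "https://www.c2.com/": "Verdict: deny\nRule: block-malware\n"
                           "Action: redirect to captive portal\n"
                           "Reason: Known C2 / malware domain\n",
    "https://intranet.example/": "Verdict: permit\nRule: allow-corp\n",
}
# Same outputs after a constructed bad edit: the C2 host now falls through.
REGRESSED = {**HEALTHY,
             "https://www.c2.com/": "Verdict: permit\nRule: allow-corp\n"}

def demo():
    """Replay the regressed outputs; returns the mismatch a CI job fails on."""
    return check_expectations(EXPECTED, runner=REGRESSED.__getitem__)

if __name__ == "__main__":
    failures = demo()  # on a real node: check_expectations(EXPECTED)
    for failure in failures:
        print("MISMATCH url=%s expected=%s got=%s rule=%s" % failure)
    sys.exit(1 if failures else 0)
```

Run after every policy commit, a non-zero exit flags a known-bad destination that has stopped matching its deny rule.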

the platform

One gateway. Complete control of web traffic.

Every core capability below ships in every edition — no essential filtering, inspection or policy control locked behind a higher tier. Identity-aware access, the web console and operator SSO unlock with Pro and Enterprise.

URL filtering

Allow or deny HTTP and HTTPS by URI, hostname, SNI, user-agent and client IP (MAC on the local segment). Every request gets a per-URL verdict before it leaves your network.

$ egctl show-policy-match "https://…"

Network access control

Permit or deny by identity principal (users, groups), client posture, or network origin — matched on the same attributes as your URL policies.

$ eghost policy new 20-nac-eng

SSL/TLS inspection

Three modes — off, peek (SNI) and bump (full decryption) — so you choose how much HTTPS visibility each deployment needs. The inspection CA is generated in seconds by the interactive installer.

$ eghost restart enforcegate

Captive portal

Block, warn and AUP verdicts redirect the visitor to an in-product explanation page in English, French, German and Italian — with an optional, recorded "Proceed anyway".

$ eghost links

Plain-text policies

Edit .policy files with the editor of your choice, such as vi or nano — domain lists, regex, SNI and user-agent matching. The engine saves a snapshot before every reload, so you can roll back to a previous version with a single command.

$ eghost policy edit 90-denyurlshort

Git-backed policies

Policies and domain/URL lists are plain-text files kept under git. Every change is versioned and attributed — who changed what, when and why — so you can diff, audit and roll back to any point, with the built-in commands or the git you already know.

$ show policy log
solutions

Built for the jobs you actually have.

From acceptable-use enforcement to threat control and guest access — one engine, configured to your policy.

Compliance

Acceptable use & compliance

Enforce what your organisation may browse — block or warn by category, with an Acceptable Use page users acknowledge.

  • Domain-list & regex policies
  • Audited acknowledgement
  • Default-permit or default-deny
Threat control

Malware, phishing & C2 egress

Stop outbound connections to known-bad destinations before they leave your network, with optional HTTPS inspection.

  • Block phishing & C2 domains
  • SSL/TLS inspection (opt-in)
  • Daily-updated threats feed (add-on)
Access

Guest, kiosks & BYOD

Give unmanaged devices safe, filtered access with a self-service CA install page and per-origin policy — no agent required.

  • Self-service CA install page
  • Per-user / group / origin rules
  • Multilingual captive portal
how it works

From signed download to enforcing in three steps.

1. Verify & install

Download the cosign-signed bundle, verify it, and run the guided installer — it loads the images, starts the stack, and waits for the engine to be ready.

$ sudo ./install.sh

2. Point your clients

Send web traffic through the bundled Squid proxy on :3128. The connector forwards every request to the engine over the encrypted Defendr protocol.

$ eghost status

3. Write policies & enforce

Edit plain-text .policy rules in the editor of your choice. eghost policy compiles and reloads the engine live — no restart, no dropped connections.

$ eghost policy new 90-denyurlshort

[Diagram: Clients (HTTP/HTTPS) → Squid (:3128) → Connector (Defendr) → Engine (verdict) → Captive portal (block · warn · aup)]

And the policy behind it is a plain-text, human-readable file — inline comments, unquoted keys, no rigid syntax. Save it in rules.d/ and it compiles & reloads live.

rules.d/40-web-policy.policy
    # plain-text policy — comments and unquoted keys/values
    block-malware: {
      action: deny
      match-domain-list: lists/c2.txt    # one domain per line
      description: Known C2 / malware domains
    }

    warn-social: {
      action: warn                       # soft-block + AUP notice
      match-domain-list: lists/social.txt
      time-window: Mon-Fri 09:00-17:00   # office hours only
      description: Social media during work hours
    }

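
An added example, not code from Exosys or the product: a pre-commit lint for files in this layout. The grammar is inferred only from the sample above (the engine's own validation on commit remains authoritative), and the action set, the `HH:MM` time-window form and the function names are assumptions.

```python
import re

KNOWN_ACTIONS = {"deny", "warn", "permit"}  # assumption: actions shown on this page
DAY, HHMM = r"(Mon|Tue|Wed|Thu|Fri|Sat|Sun)", r"([01]\d|2[0-3]):[0-5]\d"
TIME_WINDOW = re.compile(rf"{DAY}-{DAY} {HHMM}-{HHMM}")

def parse_policy(text):
    """Parse 'name: { key: value ... }' blocks; return (rules, syntax findings)."""
    rules, findings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        # An inline comment starts with '#' at line start or after whitespace.
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        header = re.fullmatch(r"([\w-]+):\s*\{", line)
        if current is None:
            if header:
                current = header.group(1)
                rules[current] = {}
            else:
                findings.append(f"line {lineno}: expected 'name: {{'")
        elif line == "}":
            current = None
        elif header or not line.partition(":")[2].strip():
            findings.append(f"line {lineno}: bad entry in {current}: {line!r}")
        else:
            key, _, value = line.partition(":")
            rules[current][key.strip()] = value.strip()
    if current is not None:
        findings.append(f"{current}: block is never closed")
    return rules, findings

def lint(text, list_files):
    """Return findings that should block a commit; an empty list means pass."""
    rules, findings = parse_policy(text)
    for name, body in rules.items():
        if body.get("action") not in KNOWN_ACTIONS:
            findings.append(f"{name}: unknown or missing action {body.get('action')!r}")
        path = body.get("match-domain-list")
        if path is not None and path not in list_files:
            findings.append(f"{name}: list file {path} not found")
        window = body.get("time-window")
        if window is not None and not TIME_WINDOW.fullmatch(window):
            findings.append(f"{name}: malformed time-window {window!r}")
    return findings

# Constructed input: typo'd action, malformed time window, unclosed block.
BAD = """block-malware: {
  action: dney
  match-domain-list: lists/c2.txt
}
warn-social: {
  action: warn
  time-window: Mon-Fri 9-17
"""
```

`lint(BAD, {"lists/c2.txt"})` reports three findings; the typo'd action is the one that matters most, since a rule with an unrecognised action may stop denying the C2 list.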
why EnforceGate vX

The enterprise gateway, re-engineered for ownership.

Everything a secure web gateway should give you — without the cloud lock-in, the per-seat bill, or the expensive hardware. Built on proven open-source technologies and shipped as signed, verifiable images you can run and control.

Your data stays home

Traffic, policies and logs never leave your infrastructure. No backhaul through a vendor cloud, no data-residency headaches.

Predictable cost

A fraction of a cloud web gateway — priced by edition, not per seat, per Gbps, or per request. You know your spend at signing, with no renewal-time surprises.

Verifiable supply chain

Hardware-anchored signing, in-image integrity checks, and a read-only root filesystem. Trust you can verify, not take on faith.

Swiss engineering & support

Built in the Swiss Alps and supported by the engineers who write the code — with a reply within one business day.

how we compare

A secure web gateway you run — not a cloud you rent.

How EnforceGate vX stacks up against cloud secure-web-gateway services and on-prem proxy appliances — on the criteria that actually move the needle.

| | EnforceGate vX | Cloud SWG / proxy appliance |
| --- | --- | --- |
| Deployment | Self-hosted container or VM, live in minutes | Proprietary appliance, or forced cloud |
| Your data | Stays inside your network | Backhauled to the vendor cloud |
| Scale | ~150M rules in <5 GiB, sub-µs, all local | Cloud lookups, capped local lists |
| Management | Cisco / Junos-style CLI; plain-text, git-backed policies | GUI console and change tickets |
| Open source | Open, signed, adaptable — ships vi, git, bash | Sealed, unverifiable appliance |
| Pricing | Flat by edition — no usage metering | Per-seat plus bandwidth tiers |
| Upgrades | In-place, 1–2 min | Maintenance windows, manual patching |
| Lock-in | No cloud or data lock-in — runs on your infrastructure | Deep platform lock-in |

≈ 4× lower first-year cost — USD 299 with EnforceGate vX versus USD 1,200 for a comparable cloud secure web gateway or proxy appliance. Same control of your web traffic — and predictable cost: no throughput tiers, no per-seat creep, no renewal audits.

Comparison reflects typical cloud secure-web-gateway and on-prem proxy deployments; capabilities vary by vendor and tier.

proven at scale

150 million rules, matched in microseconds.

EnforceGate vX matches up to ~150 million rules entirely on-box — no cloud lookup — on a single commodity x86 server, with no purpose-built appliance and no hardware offload. The policy match itself takes about two-tenths of a microsecond and stays flat as the rule set triples — and measured end to end against a live engine, EnforceGate adds about 70 µs per decision (~68,000 per second per node).

Match time per request stays flat at about 0.23 microseconds as the policy scales from 50 to 150 million rules — on a commodity x86 CPU, no cloud lookup.
Lab-measured on a single core of a commodity x86 CPU. This is the rule-match step; the full end-to-end decision is ~70 µs — see the performance white paper.

Read the performance & scale white paper

editions

Three editions, sized to your deployment.

One core platform, three editions. Each bundles connector sessions sized to your deployment (10 / 25 / 50) — add optional 5-session packs as you grow, with no per-seat, per-Gbps or per-request metering. Lite is available today and free during Early Access; Pro and Enterprise follow in Q4 2026 and Q2 2027.

Lite
Available now
Pro
Available Q4 2026
Enterprise
Available Q2 2027
filtering & inspection
HTTP/HTTPS URL filtering
SSL/TLS inspection off · peek · bump off · peek · bump off · peek · bump
Captive portal EN · FR · DE · IT EN · FR · DE · IT EN · FR · DE · IT
Squid connector
access control
Network access control IP, Subnet User, Group, IP, Subnet User, Group, IP, Subnet
Identity integration None Active Directory Active Directory, RADIUS
policies & management
Plain-text policy engine
Zero-downtime reload & rollback
Interactive CLI Cisco / Junos-style Cisco / Junos-style Cisco / Junos-style
Command-line CLI Unix / shell-style Unix / shell-style Unix / shell-style
Learning mode & diagnostics
Web admin interface
Operator SSO / SAML
deployment & scale
Deployment Docker · VMware · Hyper-V · KVM Docker · VMware · Hyper-V · KVM Docker · VMware · Hyper-V · KVM
Hardware x86-64 x86-64 x86-64
High availability
Logging & SIEM export
security & supply chain
Signed & integrity-checked images
Read-only root filesystem
optional add-ons
Threats protection Add-on Add-on Add-on
connector capacity
Bundled connector sessions 10 25 50
Add-on connector packs Up to 1 (+5) Unlimited
support
Support tier Direct Direct · Extended optional Premium
pricing — limited-time launch offer
Launch price†1: Lite USD 299 / yr (standard USD 395 / yr) · Pro USD 680 / yr (standard USD 895 / yr) · Enterprise priced to the size of your environment
†1 Prices are per edition licence, per year, including the edition's bundled connector sessions. The struck figure is the standard list price; the highlighted figure is the limited-time launch rate. Optional connector packs add 5 sessions for USD 199 / pack / yr (standard USD 295); Extended support for Pro is USD 499 / yr (standard USD 1,499). Enterprise is priced per deployment — request a quote. Launch rates are limited-time and subject to change. The software is fully operational throughout the active subscription period; once the subscription expires, the product can no longer be used.
questions

Answers before you ask sales.

The things security and IT teams check before they trial a gateway.

How is EnforceGate vX licensed?
Three editions — Lite, Pro and Enterprise — on an annual subscription. Each bundles connector sessions sized to its deployment (10 / 25 / 50); add optional 5-session packs as you grow. There's no per-byte, per-user or per-endpoint metering, so you know your cost at signing. Lite is available today; Pro follows in Q4 2026 and Enterprise in Q2 2027. During Early Access, Lite is free to run in your network.
Where does our traffic and data go?
Nowhere external. EnforceGate runs entirely inside your perimeter as a container or virtual appliance — traffic, policies and logs stay on your infrastructure. There is no cloud backhaul and no vendor telemetry on inspected traffic.
How is EnforceGate vX managed?
Three ways, to match how your team works.

Scripted, system-administrator style — drive the engine non-interactively with the egctl utility and clear, self-describing verbs (show-version, show-policy-list, request-policy-reload), ideal for shell scripts, cron and CI.

Interactive, network-engineer style — a modal CLI that blends Cisco IOS and Juniper Junos: add, set, edit, remove, comment and annotate policies, validate them, and roll a change back, all without leaving the session. Staged edit → commit → rollback will feel familiar to anyone who runs Junos.

REST Client API (coming soon) — integrate EnforceGate with your own tooling and automation.

In every case the underlying policy configuration is backed by git, so every change is versioned, easy to back up, and simple to diff or audit.
How large does EnforceGate vX scale?
The engine loads and matches up to ~150 million rules entirely in memory, with every request evaluated locally — no cloud lookup. In our in-house benchmark, 150 million rules ran in under 5 GiB with common-case decisions in about 0.2 µs — and that decision time stayed flat as the rule set grew from 50M to 150M, so adding rules adds memory, not delay (see the performance white paper). You add capacity with connector sessions (10 / 25 / 50 per edition, plus 5-session packs) and scale out or run high availability by adding engines. Cost follows your deployment footprint — editions and connectors — not traffic or rule count, so growth stays predictable.
Can it filter by category?
Yes. A category is simply a domain or URL list a policy points at — adult content, gambling, hacking tools, social media, or any other grouping you define. Source the lists you want from public blocklists or community feeds, and community scripts fetch, convert and refresh them into the engine's local .policy lists. Matching stays on-box with no cloud category service and no per-request lookup, and the ~150-million-rule capacity is large enough to load full category sets. You decide which categories to enforce and how current they are — Exosys doesn't impose a fixed taxonomy.
Can I just build this on Squid myself?
Squid is part of what we ship — but turning a bare proxy into a managed web gateway is the hard part, and the open-source add-ons people used to reach for to do it are largely unmaintained today. EnforceGate is the maintained, supported layer on top: a verdict engine that matches up to ~150 million rules in memory, the interactive Cisco IOS / Juniper Junos-style CLI and scriptable command-line tooling, a category-list workflow, signed and integrity-checked images, and a Swiss engineer to call. You get a product that stays current — not a pile of cron jobs and abandoned plugins to maintain.
Is SSL/TLS inspection legal to enable?
Inspection ships disabled by default. peek reads only the SNI; bump performs full decryption and requires an explicit, audited acknowledgement before it will start. Whether decryption is lawful depends on your jurisdiction and the notice or consent you provide — you remain responsible for that determination. In bump mode you also distribute the inspection CA to client trust stores, and certificate-pinned applications — many banking and mobile apps, and some SaaS — can't be decrypted and need explicit bypass rules.
How long does deployment take?
Minutes. Download the signed Docker bundle, verify it, run the guided installer, and point your clients at the proxy. Prefer a VM? The turnkey virtual appliance ships as ready-to-import images in OVA, QCOW2, VHDX and VMDK formats for VMware, KVM and Hyper-V. Either way, the engine self-initialises its keys, certificates and a default policy on first boot.
How are upgrades performed?
Upgrades are in-place and seamless — typically 1–2 minutes end to end, with under a minute of service interruption while the new components start. Your configuration, license activation, policy history and audit log are preserved across upgrades, including yearly release transitions. On the virtual appliance the host operating system updates continuously as atomic, rollback-capable snapshots, so the OS underneath is always current — only the EnforceGate components are swapped at upgrade time. Docker deployments simply pull the new image versions.
Can it run air-gapped or offline?
Activation happens once per validity period — once a year. The engine validates its license against the Exosys Control Server when activated and then caches it, so the deployment runs for the rest of the year without ongoing connectivity to the server. For air-gapped or restricted networks, support can provide an offline-activation procedure.
What support is included?
Every licence includes Direct support — email and a support portal, triaged by an Exosys engineer who works on the product, not a community forum. Extended, a paid upgrade available on Pro, adds scheduled callbacks and priority engineering triage. Premium, included with Enterprise, adds a named engineering contact, special-release builds and rollout consultation.
free during early access

Test EnforceGate vX in your own network.

Join the Early Access waiting list. If you're selected, we'll email your invite and the verified download — no credit card, no sales call.
