Air-gapped LLM with WaveNode

Air-Gapped LLM for Defence CTOs: Zero-Outbound WaveNode

Why security officers and CTOs at defence and critical-infrastructure operators pick WaveNode: a sealed LLM appliance with byte-level zero-outbound proof.

Security officers and CTOs running classified or critical-infrastructure workloads pick WaveNode because it is the only LLM appliance that ships a testable zero-outbound standard — no telemetry, no model pulls, no licence checks, no admin call-home — verifiable by their own egress monitoring on day one.

Most vendors sell 'air-gapped AI' as a deployment posture (private cloud, VPC isolation, GovCloud tenancy), but for a classified or NIS2/NERC-CIP operator the only definition that matters is byte-level: can your egress firewall and eBPF probes prove the appliance emits zero packets to anything you don't control? Almost no competitor will let you test that — because almost none will pass.

If you are the security officer or CTO of a defence contractor, a TSO, a naval programme, or a national agency, the question you bring to an LLM vendor is not 'where is the data processed' — it is 'can my own egress firewall and eBPF probes prove this box emits zero packets to anything I do not control?' That is the only definition of air-gapped that survives an accreditation review. WaveNode is built to pass exactly that test, in your rack, on day one, with your tooling.

Microsoft can deliver GPT-4 in an isolated classified cloud [4][5][6]. Scale AI can fine-tune Defense Llama for national security missions [7][8]. Both are real options if your threat model permits a vendor-operated control plane. They are not options if your accreditation forbids any outbound connection — including licence checks, telemetry, and managed updates. WaveNode is for the second case: sealed build, offline signed updates, customer-only identity, no vendor admin plane.

The problem

We cannot send prompts or embeddings to Azure OpenAI, Anthropic, or Scale Donovan — anything that leaves our enclave breaks the accreditation we spent two years getting.

WaveNode runs inference, embeddings, and RAG entirely inside the appliance; no prompt, document chunk, or token ever traverses its NIC except to the clients you authorise on your internal VLAN.

The 'on-prem' LLM vendors we evaluated still phone home for licence validation, telemetry, model auto-updates, or crash reporting — and our red team found packets to vendor IPs within an hour.

WaveNode ships with no licence server, no telemetry, no update poller, and no remote-admin tunnel; the firmware build is signed, reproducible, and provably free of outbound clients — verifiable with the egress capture you run on the upstream switch.

We have no defensible Day-2 story: how do we patch the OS, rotate model weights, and respond to CVEs on a box that lives behind an air gap?

Updates ship as signed, offline bundles on removable media; your engineers verify signatures, stage on a passive node, and roll forward or back within your existing change-control window — no internet, no vendor presence required.

We cannot show an auditor or our own Authorising Official a defensible attestation that the AI stack emits zero outbound traffic.

WaveNode ships with a signed Software Bill of Materials, an attested measured boot log, and an append-only audit journal; combined with your own NetFlow/eBPF capture, it produces the byte-level evidence ATO packages and NIS2 reviews ask for.

Generic 'private LLM' offerings do not address our actual threat model: weight exfiltration, supply-chain compromise of updates, model steganography in outputs, or prompt injection through ingested OT and SIEM logs.

WaveNode applies signed reproducible builds against supply-chain attack, output filtering and per-tenant weight isolation against exfiltration, and a hardened RAG ingester with content-type allow-lists against injection from OT/SIEM telemetry.

Why Air-gapped LLM with WaveNode fits

In production

A national TSO needed RAG over grid operations manuals, incident reports, and control-room procedures. NIS2 essential-entity status and OT-adjacent classification ruled out every hyperscaler and every vendor with a managed control plane.
WaveNode deployed inside the TSO perimeter running NEXUS. Egress monitoring on the upstream switch shows zero outbound packets from the appliance VLAN. Operators query procedures and incident history with citation tracking back to source documents.
A defence prime was evaluating LLM options for a programme handling NATO RESTRICTED material. The accreditation authority required documentary proof that no prompt, embedding, or model artefact could traverse the boundary, and rejected vendor-operated classified-cloud options because the control plane was out of customer scope.
WaveNode L appliances installed in the programme enclave; signed offline update procedure accepted into the change-control plan; SBOM and measured-boot attestation included in the ATO package. No vendor remote access, no telemetry endpoint, no licence server.
A naval engineering group operating disconnected from shore for weeks at a time required onboard document intelligence over technical manuals and mission reports without any expectation of connectivity.
Single WaveNode in a shipboard rack; model and content updates loaded from signed media during port calls; no degraded mode when offline because there is no online mode.

When this is the right call

Frequently asked

How do we verify that WaveNode actually emits zero outbound traffic?
Place the appliance on a dedicated VLAN behind your own firewall or TAP, then run full packet capture, NetFlow, or eBPF egress probes for as long as your accreditation requires. The appliance has no licence server, no telemetry endpoint, no update poller, no NTP-to-internet, and no remote-admin tunnel — so a clean capture is the expected baseline. We provide the SBOM and build manifest so your team can also audit the image statically.
How are model and firmware updates handled in a fully disconnected environment?
Updates are distributed as signed offline bundles on removable media. Your operators verify the signature inside the enclave, stage the update on a passive node, and promote it within your existing change-control window. Human approval is required before activation, matching the air-gap update pattern that buyers in this segment already use [2], and rollback to the prior signed image is supported.
How does WaveNode compare to Azure Government Top Secret GPT-4 or Scale's Defense Llama?
Those are credible options for organisations whose accreditation accepts a vendor-operated classified control plane — Microsoft's offering runs in classified clouds physically unconnected to the public internet [4][6], and Scale's Defense Llama is fine-tuned on military doctrine and policy [7][8]. WaveNode targets the stricter case: no vendor control plane at all, the appliance lives entirely inside customer scope, and there is nothing to attest beyond the box you bought.
Does WaveNode fit a NIS2 essential-entity or NERC-CIP environment?
Yes. NEXUS runs on WaveNode at ELES, Slovenia's national electricity TSO, which is exactly that profile. The sealed-build, no-outbound, customer-only-identity model maps cleanly onto NIS2 supply-chain and access-control obligations, and onto NERC-CIP electronic security perimeter requirements.
What identity and access control does the appliance use?
WaveNode integrates with your internal identity provider — Active Directory, Keycloak, or PKI/smart-card — over your internal network only. There is no Wavenetic-side admin account, no shared SSO tenant, and no vendor break-glass path. All authentication and authorisation events are written to an append-only audit journal that you can forward to your SIEM.
How long does deployment and accreditation typically take?
Physical install and integration with your identity provider, SIEM, and document sources is measured in days. The longer timeline is your accreditation cycle, not ours; because the appliance has no external dependencies and ships with SBOM and measured-boot attestation, the artefacts your AO or auditor needs are available at delivery rather than negotiated later.
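
The egress check described in the first answer above (capture on a dedicated VLAN, then look for anything the appliance sends outside the ranges you control) can be scripted over a flow export. This is an added example, not Wavenetic code; the appliance address, the authorised client ranges, the flow-record layout and the sample records are constructed assumptions.

```python
import csv, io, ipaddress
from collections import Counter

# Assumptions (hypothetical lab values): the appliance address and the
# internal client ranges the operator has authorised to talk to it.
APPLIANCE = ipaddress.ip_address("10.20.30.5")
AUTHORISED = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "10.20.40.0/24")]
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow export (not a real capture): ts,src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
2024-01-01T10:00:01Z,10.20.30.5,10.20.40.17,tcp,51544,1820
2024-01-01T10:00:05Z,10.20.40.17,10.20.30.5,tcp,443,640
2024-01-01T10:03:12Z,10.20.30.5,203.0.113.9,tcp,443,312
2024-01-01T10:04:00Z,10.20.30.5,198.51.100.53,udp,123,76
2024-01-01T10:05:30Z,10.20.30.5,224.0.0.251,udp,5353,120
2024-01-01T10:06:00Z,10.20.30.5,10.99.0.8,udp,53,64
"""

def classify(dst):
    """Return None if dst is an authorised client, else the reason it is not."""
    if any(dst in net for net in AUTHORISED):
        return None
    if dst.is_multicast:
        return "multicast"              # e.g. mDNS/SSDP chatter leaving the box
    if any(dst in net for net in RFC1918):
        return "internal-unauthorised"  # inside the enclave but not allow-listed
    return "external"

def audit(flow_csv):
    """Return (violations, bytes_by_reason) for flows sourced by the appliance."""
    violations, totals = [], Counter()
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue                    # skip blank or malformed records
        ts, src, dst, proto, dport, nbytes = row
        if ipaddress.ip_address(src) != APPLIANCE:
            continue                    # client-to-appliance traffic is not egress
        reason = classify(ipaddress.ip_address(dst))
        if reason:
            violations.append((ts, dst, f"{proto}/{dport}", reason))
            totals[reason] += int(nbytes)
    return violations, totals

if __name__ == "__main__":
    found, totals = audit(SAMPLE_FLOWS)
    for v in found:
        print(*v)
    print("PASS" if not found else f"FAIL: {len(found)} unauthorised flows", dict(totals))
```

A clean baseline is an empty violation list over the whole capture window; multicast and unlisted internal destinations are reported separately because they also count as packets to something outside the authorised set.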

The takeaway

The reader will be able to decide whether their environment requires a true zero-outbound appliance (vs. a sovereign-cloud LLM), what eight egress vectors to test against any vendor's 'air-gapped' claim, and whether WaveNode's sealed-build + offline-update model fits their change-control and audit regime.

Sources

  [2] AirgapAI Architecture Guide for Enterprise Architects
  [4] Microsoft deploys air-gapped AI for classified defense, intelligence customers — Nextgov/FCW
  [5] Microsoft CTO on isolated GPT-4 instance for U.S. government — Nextgov/FCW
  [6] Classified cloud physically unconnected to the public internet — Nextgov/FCW
  [7] Scale AI unveils Defense Llama for national security users — DefenseScoop
  [8] Defense Llama training on doctrine, IHL, and DoD policy — DefenseScoop