
LightNet

A Trusted, Verifiable, and Encrypted Sub-Network — Carved Within an Untrusted One

LightNet is a kernel-resident network security product. It decides which applications may communicate — on the basis of their cryptographic identities rather than their network addresses — and transparently encrypts and authenticates the traffic between permitted applications, without modifying the applications or the network between them. Deployed across cooperating hosts, it carves a trusted sub-network within whatever larger network those hosts inhabit, including the public Internet.

How it works
Figure: LightNet architecture. Two protected hosts each run a LightNet Node and communicate over a mutually authenticated, encrypted channel inside the carved sub-network; each host is backed by a Key Server with a certified HSM, and an unprotected host is refused at the boundary.

Status — In development · foundation for the Agent Security Operating Layer (ASOL)

What LightNet provides

Service 1

BCEI-based network access control

Enforces access on each application’s behaviorally constrained execution identity — bound to its executable, dependencies, and runtime, not to an address or port. Every socket operation is decided in the kernel before traffic leaves the host.

Service 2

Transparent in-kernel traffic protection

Mutually authenticates two permitted applications and applies authenticated encryption on the existing socket path. Applications see plaintext; the network sees ciphertext; no app links a crypto library or handles a key.

Effect

A carved-out sub-network

Membership scoped to the cryptographic identities of participating applications. Trusted, verifiable, and encrypted — carved, not constructed: routing and infrastructure are unchanged.

LightNet’s app-to-app authentication is built directly on LineageCrypt: each endpoint authenticates with the private key its application cryptographically owns, so LightNet authenticates the applications themselves — not the hosts they run on or the credentials they carry.

Problems LightNet solves

Lateral movement after compromise: an attacker reaches a host from which no lateral conversation inside the sub-network is possible.
Identity and trust for AI agents: an agent's identity is bound to its model, tools, configuration, and live execution context.
ICS, OT and legacy systems: per-application identity and encryption for controllers, with no application or topology changes.
Microservice communication: per-application cryptographic identity and access control without service-mesh sidecars or mTLS plumbing.

Why LightNet matters in the AI era

AI-assisted attacks have compressed two timelines: discovery-to-exploitation, and initial-access-to-lateral-movement. QDocSE addresses the first by making exfiltrated data valueless ciphertext. LightNet addresses the second — it removes the post-compromise terrain on which AI-assisted attackers operate. The defense holds whether the attacker is a human operator, an automated script, or an AI agent at machine speed.

The Agent Security Operating Layer (ASOL)

LightNet is the foundation for ASOL: the substrate on which AI agents are given verifiable cryptographic identities, contained against lateral movement, and prevented from leaking plaintext state or escalating privilege in multi-agent systems. LightNet is also designed to be cryptographically future-proof, supporting post-quantum algorithms as those standards mature.

What deployment looks like

LightNet deploys as two components: a kernel-resident node on each protected host (application binaries and network configuration unchanged), and a key server backed by an HSM — operable as a BicDroid service, a customer-managed appliance, or a hybrid. Policy is expressed in terms of protected application identities and distributed over a secure channel, taking effect without restarting applications or interrupting active connections.

The BicDroid family

Each product enforces its guarantee without depending on perimeter trust, host integrity, or the correct behaviour of the software it protects. Deploy one, or combine them for the complete cryptographic lifecycle.

Talk to BicDroid

Carve a trusted network through an untrusted one.

LightNet does not secure the network — it removes the post-compromise terrain attackers depend on.