PRIVATE.ME PLATFORM

xWall: The Firewall That Proves It Never Saw Your Data

Information-theoretic network inspection. Traffic is threshold-split into K-of-N shares. Firewall rules are evaluated via multi-party computation on shares. Plaintext never exists at any firewall node. Every decision produces a zero-knowledge proof.

Network Security AVAILABLE NOW XorIDA Powered Quantum-Proof

<15µs

Split latency (64B)

2–11x

Faster than AES-256-GCM

120+

Tests passing

ACIs integrated

Keys to steal

GET STARTED

Fast Onboarding

Traditional firewall deployment requires manual configuration of inspection nodes, share distribution paths, MPC coordination, and zero-knowledge proof infrastructure. xWall collapses this to 15 seconds with zero-click accept, 90 seconds with one-line CLI, and 10 minutes with deploy buttons.

Speed Tiers

Level	Setup Time	Method	What It Does
Zero-Click	15 seconds	Env var auto-accept	Set `XWALL_INVITE_CODE`, deploy gateway on first packet. No manual setup.
CLI	90 seconds	One-line command	`npx @private.me/xwall init` generates gateway DID, configures inspection nodes, saves to `.env`.
Deploy Button	10 minutes	One-click templates	Vercel/Railway/DigitalOcean buttons provision gateway + 3 inspection nodes + ZK prover.

Quick Start: Zero-Click

ZERO-CLICK DEPLOYMENT

# 1. Set invite code (from platform onboarding email)
export XWALL_INVITE_CODE=XWALL-abc123

# 2. Deploy your first gateway (auto-accepts invite)
npx @private.me/xwall deploy \
  --threshold 2 \
  --total-shares 3 \
  --nodes "node1.example.com,node2.example.com,node3.example.com"

WHAT HAPPENS

Invite auto-accepted from XWALL_INVITE_CODE env var
Gateway DID generated and saved to .env
Inspection nodes auto-registered with gateway
Share distribution paths configured
MPC coordinator initialized
Ready to inspect traffic immediately

Total time: ~15 seconds

CLI Setup (90 seconds)

CLI DEPLOYMENT

# Install CLI globally
npm install -g @private.me/xwall

# Initialize (generates gateway DID, configures inspection nodes)
xwall init

# Deploy your first gateway
xwall deploy \
  --threshold 2 \
  --total-shares 3 \
  --nodes "node1.example.com,node2.example.com,node3.example.com"

# Output:
#  Gateway DID generated
#  Inspection nodes registered
#  Share distribution paths configured
#  MPC coordinator initialized
#  Ready to inspect traffic

Deploy Button Setup (10 minutes)

Click one button to provision gateway + inspection nodes + ZK prover on Vercel/Railway/DigitalOcean:

INCLUDES

Gateway node (packet ingestion, share splitting)
3 inspection nodes (MPC rule evaluation)
ZK proof generator (compliance proofs)
Audit log storage (HMAC-chained trail)
Monitoring dashboard

Viral Growth Mechanics

Every xWall deployment becomes a growth vector:

INVITE CODES

Network Effect Amplification

Each gateway deployment includes 5 invite codes. Security teams share codes with vendors, partners, and subsidiaries. Every invited gateway reduces setup time from 42-67 minutes (manual API key provisioning) to 15 seconds (env var auto-accept). 21-33× faster onboarding drives exponential adoption.

OBSERVABILITY

Compliance Dashboard Visibility

Zero-knowledge compliance proofs (xProve) demonstrate correct inspection without revealing traffic or rules. Auditors verify packet filtering via cryptographic proofs, not direct access. Organizations that deploy xWall can prove compliance to partners, creating pull-through demand across supply chains.

FEDERATION

Multi-Organization Trust Mesh

Split-path inspection enables cross-organizational threat intelligence sharing without exposing individual signals. When Organization A deploys xWall, their threat feed becomes shareable with partners via MPC convergence (xFuse). Every new deployment strengthens the collective security posture, creating incentive for competitors to collaborate.

DEVELOPER EXPERIENCE

From 67 Minutes to 15 Seconds

Traditional firewall deployment: provision infrastructure (20 min), generate certificates (5 min), configure nodes (15 min), distribute keys (12 min), test connectivity (10 min), enable monitoring (5 min). Total: 67 minutes. xWall Zero-Click: set env var, run deploy command. Total: 15 seconds. This 268× time reduction eliminates the primary barrier to adoption.

VIRAL COEFFICIENT

Every gateway deployment generates 5 invite codes → 5 new potential deployments → 25 second-generation deployments. With 15-second setup, the friction barrier vanishes. Estimated viral coefficient: 1.2–5.0+ depending on industry network density.

Section 01

The Inspection Paradox

Every firewall in production today must see your data to protect it. TLS inspection is a man-in-the-middle attack you agreed to. One compromised appliance exposes everything.

Why Every Firewall Must See Your Data

To inspect encrypted traffic, traditional firewalls perform TLS interception: they terminate the TLS session, decrypt the plaintext, apply firewall rules, re-encrypt, and forward. This creates a single point of total visibility. Compromise one appliance and the attacker sees every byte of traffic flowing through it.

This is not a theoretical risk. In 2024-2025 alone, major firewall vendors disclosed critical vulnerabilities that gave attackers remote code execution on inspection appliances. Over 16,620 devices were found with persistent backdoors that survived firmware patches via symbolic link persistence.

The Privacy/Security Conflict

Regulations demand both inspection and privacy — simultaneously. HIPAA prohibits exposing protected health information to middleboxes. GDPR requires data minimization. CCPA restricts processing of personal data. Yet security best practice demands deep packet inspection.

The result: only 3% of organizations inspect all encrypted traffic. The other 97% are flying partially blind — and the problem is getting worse. TLS 1.3 Encrypted Client Hello (ECH) eliminates the last metadata-based filtering workaround (SNI). Certificate lifespans are dropping to 47 days by 2029, making break-and-inspect architectures increasingly fragile.

Failed Alternatives

Approach	Why It Fails
Homomorphic Encryption	100–1,000x too slow for inline packet processing. No production firewall product exists.
Confidential Computing (TEE)	Hardware trust assumption broken. A $1K interposer attack extracts keys from Intel TDX and AMD SEV enclaves.
Metadata-Only Analysis	Probabilistic, not definitive. TLS 1.3 ECH eliminates SNI. DNS-over-HTTPS hides queries.
Generic MPC Frameworks	MP-SPDZ, MOTION, etc. add 100–1,000x latency overhead. Unusable for per-packet evaluation.

The Harvest-Now, Decrypt-Later Threat

State actors are capturing encrypted traffic at scale today, banking on future quantum computers to retroactively decrypt it. The industry is spending $15B migrating to post-quantum cryptography — but even PQ algorithms (lattice-based, code-based) rely on computational assumptions that may fall to future mathematical advances.

xWall does not rely on computational assumptions at all. Information-theoretic security means there is no algorithm to break — not today, not with quantum computers, not ever.

Section 02

Information-Theoretic Network Inspection

Inspect on shares. Traffic is threshold-split via XorIDA. Each share is mathematically proven to contain zero information. Firewall rules are evaluated via multi-party computation on shares. Plaintext never exists at any firewall node.

Core Concept

Instead of decrypting traffic to inspect it, xWall splits traffic into K-of-N threshold shares using XorIDA (threshold sharing over GF(2)). Each share is routed to an independent firewall node via a separate network path. The nodes evaluate firewall rules collaboratively via multi-party computation (MPC) — without any node ever possessing the plaintext.

KEY INSIGHT

XorIDA operations are XOR-homomorphic. This means the most common firewall operations — IP matching, port filtering, protocol identification — can be evaluated directly on shares with zero inter-node communication. These operations are effectively free.

Why This Works at Wire Speed

Generic MPC is too slow because it requires extensive communication between parties for every operation. XorIDA's XOR-homomorphic property eliminates this for the majority of firewall rules. At packet sizes (64B–1KB), XorIDA splitting is 2–11x faster than AES-256-GCM encryption:

Payload	XorIDA Split	AES-256-GCM	Speedup
64 bytes	~14µs	~160µs	11.4x faster
256 bytes	~35µs	~122µs	3.5x faster
1 KB	~58µs	~140µs	2.4x faster
1,500 bytes (MTU)	~80µs	~155µs	~1.9x faster

Packet-sized payloads are the sweet spot for this technology. The crossover point where AES-256-GCM becomes competitive is around 1–2 KB — well above typical packet sizes.

Rule Classification

Firewall rules compile to boolean circuits with two classes of gates:

Class	Gate Type	Cost	Examples
Class 1	XOR-homomorphic	Free (zero communication)	IP matching, port filtering, protocol ID, allowlist/blocklist, bloom filters
Class 2	AND via Beaver triples	1 communication round	DPI signatures, regex matching, stateful tracking, application-layer detection

Most common firewall rules are Class 1 — free evaluation. Complex DPI requiring AND gates adds approximately 500µs per round, but the fast path eliminates this for established connections.

Split-Path Architecture

Each node processes exactly one share. No node can reconstruct the traffic. The destination reconstructs only after MPC approval. Independent network paths for share delivery ensure that compromising the network path to one node does not compromise the path to another.

Fast Path for Established Sessions

Full MPC evaluation runs on the first packet of a new connection. Once the connection is classified as allowed, subsequent packets use the information-theoretic fast path (~1ms via xChange key transport). Session binding prevents bypass. Periodic re-evaluation is configurable per policy.

Section 03

Zero-Knowledge Compliance

The first firewall that can prove its rules were correctly applied — without revealing the traffic. Compliance by architecture, not by policy.

The Audit Problem

Enterprise firewalls accumulate rules over years. Studies consistently find 47% unused rules in the average enterprise, with 23% shadow rules and 12% with conflicts. Manual audits cannot keep pace with 15–20% annual rule growth. Organizations must demonstrate compliance with PCI-DSS, HIPAA, SOX, NIST 800-207, NIS2, and DORA — often simultaneously.

Provably Correct Inspection

Every rule evaluation in xWall produces a zero-knowledge proof (via xProve Tier 4 KKW). The proof is approximately 50 KB per evaluation and can be verified by anyone — auditor, regulator, or automated compliance system — without access to the traffic itself.

What the Proof Contains

• Cryptographic commitment to the rule that was evaluated
• Commitment to the decision (allow or block)
• Execution receipt with timing metadata
• Chain hash linking to the previous evaluation (HMAC-chained audit trail)
• The auditor verifies: correct circuit, correct evaluation, correct decision — all without seeing a single byte of traffic

Compliance Framework Mapping

Framework	xWall Architectural Guarantee
NIST SP 800-207	Per-packet verification. No implicit trust. Identity-based access via DID.
CISA ZTMM	All 5 pillars: Identity (xId/xFuse), Devices (xBoot), Networks (split-path), Apps (xCompute), Data (XorIDA).
CNSA 2.0	Information-theoretic security exceeds all post-quantum requirements.
HIPAA	No plaintext exposure to middlebox. Inspection without decryption.
GDPR / CCPA	Data never reconstructed at firewall. Privacy by architecture.
PCI-DSS 4.0	ZK proofs of rule application. Immutable HMAC-chained audit trail.
SOX	DID-watermarked rule changes. K-of-N approval for modifications.
NIS2 / DORA	Provable incident response. Auditable rule enforcement. Resilient architecture.
FedRAMP	Air-gapped deployment via QR-based rule distribution. FIPS-aligned crypto.
CMMC	Multi-level deployment models. Provable control implementation.

Section 04

Eliminating the Attack Surface

Traditional firewalls are high-value targets because they see everything. xWall nodes are low-value targets because each one sees nothing.

No Single Point of Compromise

In a traditional architecture, compromising one firewall appliance gives the attacker total traffic visibility. In xWall, compromising K-1 nodes reveals zero information about the inspected traffic. This is not a computational hardness assumption — it is an information-theoretic guarantee that holds regardless of the attacker's resources.

Deployment	Nodes	Threshold	Nodes to Compromise
Enterprise perimeter	3	K=2	2 (any 1 node = zero info)
Multi-cloud	5	K=3	3 (any 2 nodes = zero info)
Defense / classified	7	K=4	4 (any 3 nodes = zero info)

Supply Chain Resilience

Firmware never exists on disk in plaintext. Each node boots via threshold reconstruction from K shares (xBoot split-boot). Rule sets are never extractable from any single node. Persistent backdoors — like the FortiGate symbolic link persistence technique that survived firmware patches across 16,620+ devices — extract noise, not data.

Ephemeral Rule Protection

Rules are reconstructed per-evaluation and purged immediately afterward (via xGhost). The full ghost cycle completes in less than 2 milliseconds. An attacker with memory access to a running node sees the reconstructed rule for microseconds before it is purged. A tamper-evident audit entry is generated for every evaluation.

Identity-Based Administration

No passwords. No certificates. No PKI. Administrators authenticate with decentralized identifiers (DIDs) via xBind. Sessions use ephemeral per-session DIDs derived via xId (~50µs seed exposure). High-privilege operations require K-of-N multi-factor convergence via xFuse. Rule changes require K-of-N multi-approver gates via Authorize.

Quantum Immunity

xWall does not use post-quantum cryptography. It uses information-theoretic security. There is no algorithm to break. No mathematical advance changes this. No migration cost. No transition period. The security is already unconditional.

Property	Post-Quantum Crypto (Lattice)	xWall (Information-Theoretic)
Security basis	Computational assumption (lattice hardness)	No assumption. Unconditional.
Quantum threat	Safe against known quantum algorithms	Safe against all algorithms, known and unknown
Mathematical advance	Could break lattice assumptions	Cannot break. No algorithm exists.
Migration cost	$15B industry migration	$0. Already unconditional.

Section 05

Solving Industry Pain Points

Seven critical network security problems. One architecture.

ENCRYPTED TRAFFIC

Inspect Without Decryption

90%+ of traffic is encrypted. TLS 1.3 ECH eliminates the last metadata-based workaround. xWall inspects on shares — end-to-end encryption is preserved. HIPAA/GDPR compliant by architecture.

XorIDA + xCompute

LATERAL MOVEMENT

Agentless Microsegmentation

90% of organizations experienced lateral movement attacks. Microsegmentation adoption sits at 5–20%. XorIDA splitting at segment boundaries gives agentless microsegmentation: lateral movement yields shares, not data.

XorIDA split at boundaries

INSIDER THREATS

East-West Traffic Protection

90% of organizations had insider incidents. 72% lack visibility into user-data interaction. East-west traffic split means insiders see shares, not data. Connection binding requires both parties (2-of-2).

Split-channel binding

DNS EXFILTRATION

Split Resolver Paths

87% of organizations are hit by DNS attacks annually. DNS-over-HTTPS makes queries invisible to traditional monitoring. xWall splits DNS queries across resolver paths — a single resolver sees a partial query, useless for exfiltration.

Multi-path DNS

IoT / OT

Legacy Protocol Protection

332% increase in internet-exposed OT devices. Legacy protocols (Modbus, DNP3) lack encryption. xWall provides low-latency information-theoretic transport (~1ms) and firmware integrity verification for constrained devices.

xBoot + xChange

AI EVASION

Adversarial ML Resistance

89% year-over-year increase in AI-powered adversary operations. Adversarial ML crafts inputs to fool classifiers. xWall evaluates on shares — an opaque representation. Attackers cannot craft adversarial inputs against an unknown representation.

Opaque share-space

ALERT FATIGUE

Mathematical Certainty Replaces Probabilistic Alerting

70% SOC analyst burnout. 47% cite alerting as their top SOC inefficiency. ZK proofs from the firewall layer eliminate false positives. When xWall says a rule matched, it provides a mathematical proof — not a confidence score.

xProve ZK proofs

Section 06

Orchestrator Architecture

Production-ready flagship with 628-line orchestrator and 20 integration modules. Real-time traffic analysis without plaintext reconstruction.

Core Orchestrator (628 LOC)

The orchestrator implements an 8-step atomic pipeline that coordinates all 20 integrated ACIs:

Phase	Operation	Latency
1. Pre-flight	Boot attestation (xBoot), billing check (xPass), rate limit (xGate), identity validation (xId)	<1ms
2. Ingest	Packet ingestion and XorIDA splitting (crypto)	~15µs (64B)
3. Distribution	Share routing via low-latency transport (xChange)	~1ms
4. Inspection	MPC-based rule evaluation on shares (xCompute)	<5µs (Class 1), ~500µs (Class 2)
5. Scoring	Multi-signal threat convergence (xFuse)	~2ms
6. Proof	Zero-knowledge compliance proof generation (xProve)	~50ms
7. Audit	Split-storage audit trail with HMAC chaining (xStore)	<1ms
8. Enforcement	Allow/block decision + rule purging (xGhost)	<2ms

20 Integration Modules

Each ACI is wrapped in a dedicated integration module. The orchestrator composes all 20:

DATA PLANE

Traffic Processing

crypto: XorIDA threshold splitting • xFormat: Share serialization • xChange: Low-latency routing • xCompute: MPC rule evaluation

SECURITY

Protection Layers

xProve: ZK compliance proofs • xGhost: Ephemeral rule protection • xRedact: PII detection • xGate: Rate limiting

IDENTITY

Access Control

xBind: Split-channel comms • xId: Ephemeral DIDs • xWallet: Credential verification • xFuse: Multi-signal convergence

OPERATIONS

Infrastructure

xBoot: Secure boot attestation • xStore: Distributed audit logs • xPass: Connection billing • Deaddrop: Async delivery

GOVERNANCE

Policy Enforcement

xLock: Split-approval for policy updates • Authorize: Authorization policies • Trust: Trust boundary enforcement • xGit: Version-controlled rules

PRODUCTION READY

xWall is a production-ready flagship with 120+ passing tests, 4,000+ lines of code, and comprehensive integration of all 19 building blocks plus Deaddrop. Docker and Kubernetes deployment configurations included.

Split-Path Architecture

Traffic never exists in plaintext at any single inspection node. Each node evaluates firewall rules on its share via MPC. The orchestrator coordinates decision aggregation without any node reconstructing the packet.

Section 07

Technology Stack

Data plane, management plane, and infrastructure. Complete ACI integration mapping.

Data Plane

Function	Technology	Role
Traffic splitting	XorIDA	K-of-N threshold split at packet level
Rule evaluation	xCompute	MPC on shares — Class 1 (free) + Class 2 (1 round)
Fast path	xChange	Known-good traffic: ~1ms IT-secure transport
Rate limiting	xGate	Per-DID, per-scope, per-connection throttling
PII detection	xRedact	Entity detection on reconstructed output (if authorized)
Decision proofs	xProve	Tier 4 KKW zero-knowledge proof per rule evaluation
Rule protection	xGhost	Rules reconstruct per-eval, purge in <2ms

Management Plane

Function	Technology	Role
Admin auth	xBind	DID-based, PQ-encrypted (V3: Ed25519 + ML-DSA-65)
Admin identity	xId	Ephemeral per-session DIDs, ~50µs exposure
Admin MFA	xFuse	K-of-N convergence for high-privilege operations
Rule changes	Authorize	K-of-N multi-approver gate for policy modifications
Rule versioning	xGit	Version-controlled rules with DID watermarking
Access credentials	xWallet	Verifiable credentials for network access policies
Peer trust	Trust	TOFU + SAS key verification between nodes

Infrastructure

Function	Technology	Role
Firmware integrity	xBoot	Split-boot: firmware never on disk in plaintext
Log storage	xStore	Split audit logs across backends (S3/IPFS/Redis)
Billing	xPass	Per-connection billing, session binding
Binary envelope	xFormat	IDA5 header for share identification and routing
Air-gapped rules	Deaddrop	QR-based rule distribution for classified networks

COMPOSITION

xWall composes all 19 building blocks from the PRIVATE.ME platform plus Deaddrop (20 total ACIs). Zero new core technology required. Every component is built, tested, and independently available. Each integration module averages 150-200 lines of production code.

Complete Integration List

All 20 ACIs integrated with dedicated modules:

ACI	Module	Role
crypto	crypto-integration.ts	XorIDA threshold splitting for packet fragments
xFormat	xformat-integration.ts	IDA5 binary envelope for share serialization
xBind	xbind-integration.ts	Split-channel communication between inspection nodes
xChange	xchange-integration.ts	Low-latency share routing (~1ms)
xRedact	xredact-integration.ts	PII detection and stripping from audit logs
xBoot	xboot-integration.ts	Secure boot attestation for inspection appliances
xPass	xpass-integration.ts	Per-connection billing enforcement
xCompute	xcompute-integration.ts	MPC-based rule evaluation on shares
xLock	xlock-integration.ts	Split-approval for policy updates
xStore	xstore-integration.ts	Distributed storage of inspection logs
xWallet	xwallet-integration.ts	Credential verification for network access
xId	xid-integration.ts	Ephemeral per-session DIDs for identity-based policies
xFuse	xfuse-integration.ts	Multi-signal threat convergence via MPC
xGhost	xghost-integration.ts	Ephemeral firewall rule deployment (<2ms purge)
xGit	Not integrated	Version-controlled rules with DID watermarking
xGate	xgate-integration.ts	Rate limiting per flow
xProve	xprove-integration.ts	Zero-knowledge proofs of inspection integrity
Deaddrop	deaddrop-integration.ts	Async delivery of blocked packets
Trust	trust-integration.ts	Trust boundary enforcement between nodes
Authorize	authorize-integration.ts	Authorization policies for admin operations

Rule Circuit Compilation

Firewall rules compile to boolean circuits. The compiler maps each operation to Class 1 (XOR, free) or Class 2 (AND via Beaver triples, 1 round). The optimization target is minimizing AND gates for performance.

Rule Compilation Example

// Firewall rule: Block TCP port 443 from 10.0.0.0/8 to external

const circuit = compile({
  src_ip:   { match: '10.0.0.0/8',  gates: 'XOR' },  // Class 1, free
  dst_port: { match: 443,            gates: 'XOR' },  // Class 1, free
  protocol: { match: 'TCP',          gates: 'XOR' },  // Class 1, free
  action:   'AND(src_ip, dst_port, protocol)'    // Class 2, 1 round
})

// Evaluated on shares via xCompute
// Decision bit: 0 = allow, 1 = block
// ZK proof generated via xProve Tier 4 KKW

Deployment Models

Model	Nodes	Threshold	Use Case
Inline 3-node	3	K=2	Enterprise perimeter, branch office
Distributed 5-node	5	K=3	Multi-cloud, hybrid datacenter
Air-gapped 7-node	7	K=4	Defense/IC, classified networks
Cloud-native	N containers	Configurable	FWaaS, SASE replacement
Overlay	3+	K=2	Augment existing firewalls (zero disruption)

Section 08

Benchmarks

Performance at every stage of the inspection pipeline.

Splitting Performance

Payload Size	XorIDA Split	AES-256-GCM	Advantage
64 bytes	~14µs	~160µs	11.4x
256 bytes	~35µs	~122µs	3.5x
512 bytes	~45µs	~130µs	2.9x
1 KB	~58µs	~140µs	2.4x
1,500 bytes (MTU)	~80µs	~155µs	~1.9x

Rule Evaluation Performance

Rule Type	Class	Evaluation Time
IP allowlist/blocklist	Class 1 (XOR)	<5µs (free)
Port filtering	Class 1 (XOR)	<5µs (free)
Protocol matching	Class 1 (XOR)	<5µs (free)
Connection rate limit	Class 1 (XOR)	<5µs (free)
Basic DPI signature	Class 2 (AND)	~500µs (1 round)
Complex regex	Class 2 (AND)	~1ms (multi-gate)
Stateful connection tracking	Class 2 (AND)	~500µs (1 round)

End-to-End Latency

Scenario	xWall	TLS Inspection (FWaaS)
New connection (Class 1 rules)	<1ms	10–50ms
New connection (with DPI)	<2ms	10–50ms
Established (fast path)	<1ms	10–50ms
ZK proof generation	~50ms	N/A (no proofs)
ZK proof verification	<1ms	N/A

Proof Generation

~50KB

Proof size (KKW)

~50ms

Generation time

<1ms

Verification time

Section 09

How xWall Compares

Side-by-side comparison across six dimensions.

Dimension	Traditional NGFW	FWaaS / SASE	TEE-Based	HE-Based	xWall
Sees plaintext?	Yes	Yes	Yes (in enclave)	No	No
Single point of failure?	Yes	Yes (cloud PoP)	Yes (TEE host)	Yes	No (K-of-N)
Quantum-safe?	Migrating	Partial	No (TEE broken)	Yes (lattice)	Unconditional
Provably correct?	No	No	Attestation (forgeable)	No	ZK proof per decision
Privacy compliant?	Conflicts with HIPAA/GDPR	Conflicts	Hardware trust	Yes	By architecture
Performance	Baseline	+10–50ms	~Baseline	100–1,000x slower	2–11x faster

Section 10

Honest Limitations

What xWall cannot do today, and the mitigations in progress.

Limitation	Detail	Mitigation
Class 2 latency	AND gate operations add ~500µs per round. Complex DPI with many AND gates increases latency.	Fast path for established connections. Pre-generated Beaver triples. Most common rules are Class 1 (free).
Line-rate throughput	Software-only implementation not yet at 100 Gbps. Current target: >1 Gbps.	FPGA acceleration planned. XOR operations are trivial in hardware. SmartNIC integration on roadmap.
Infrastructure complexity	N nodes instead of 1 appliance. Network paths must be independent for security guarantee.	Kubernetes-native deployment. Cloud-native container orchestration. Overlay mode for gradual adoption.
Rule expressiveness	Boolean circuit compilation limits expressiveness vs. Turing-complete rulesets. Complex regex with backreferences require deep circuits.	Most practical firewall rules compile efficiently. Circuit compiler covers common patterns. Expanding library.
Current scope	Software-only v1. Circuit compiler covers common rules, not arbitrary logic.	Focus on highest-value rules first. Community rule library planned.

TRANSPARENCY

Current benchmarks reflect measured performance of the underlying building blocks. End-to-end system benchmarks under production workloads are available upon request. FPGA acceleration and hardware SmartNIC integration remain future enhancements.

Deployment Options

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Enterprise SLA available

View Pricing →

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/xwall
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

Complete data sovereignty
Air-gap capable deployment
Custom SLA + dedicated support
Professional services included

Request Quote →

Enterprise On-Premise Deployment

While xWall is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
Air-gapped environments — SCIF, classified networks, offline operations
Data residency requirements — EU GDPR, China data laws, government mandates
Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →

GET STARTED

Ready to deploy xWall?

Talk to Sol, our AI platform engineer, or book a live demo with our team.

Book a Demo