Skip to main content

Documentation Index

Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Competitive Landscape

TrojAI deploys as a containerized Kubernetes package into customer Azure/AWS environments. Their entire sales pitch to defense primes and large enterprises is “your prompts and responses never leave your environment.” They hold SOC 2 Type II and Canadian Controlled Goods Program certification. No FedRAMP authorization yet. Customers include enterprises protecting 200+ AI systems. They integrate with JFrog Artifactory for model artifact governance and deploy via standard Helm into customer-managed K8s clusters. Lakera Guard offers three deployment modes: SaaS, self-hosted Kubernetes (Helm chart from Docker Hub with autoscaling, TLS, health probes, GPU acceleration), and full air-gapped (containers exported and loaded without internet). Dropbox runs Lakera as an internal Docker service — zero external calls. Their self-hosted docs are gated behind customer access, but the shape is: single container with an API endpoint, license key validation, and optional GPU for their detection models. CrowdStrike Falcon is cloud-native SaaS only — no on-prem backend. Government customers use Falcon on GovCloud (FedRAMP High authorized, March 2025). The sensor is lightweight and endpoint-local, but all detection logic, threat intel, and management happen in CrowdStrike’s cloud. This is a deliberate architectural choice: they argue cloud-native detection is superior. For true air-gap customers, CrowdStrike is not an option. Sysdig offers full on-prem deployment of their backend onto customer Kubernetes. A documented government deployment took three months with a dedicated task force. Their architecture: eBPF agents on nodes, NATS Streaming for internal messaging, Elasticsearch for storage, API/collector/worker pods. They support air-gapped environments with local rule delivery and offline vulnerability feeds. The operational burden is significant — Sysdig provides TAM-assisted installs.

Compliance Requirements

FedRAMP Moderate (now “Class C” under CR26)

  • 325 controls, 3PAO assessment required
  • Cost: 500K500K-1.5M initial, 200K200K-500K/year ongoing
  • Timeline: 12-18 months traditional; FedRAMP 20x pilot targeting 3-month Moderate authorizations by Q3-Q4 2026
  • FedRAMP 20x replaces narrative documentation with automated Key Security Indicators (KSIs) and compliance-as-code. Phase 2 (Moderate) pilot wrapped March 2026 with ~13 participants. Wide-scale adoption projected H2 2026
  • Startup reality: Beyond Identity’s public post-mortem says validate a 10x ROI before committing. $1M+ and 12+ months for a startup is real
  • Recommendation for Quint: Do not pursue FedRAMP directly pre-Series A. Instead, build the architecture that can be FedRAMP’d (BYOC in GovCloud, FIPS-validated crypto, audit logging) and let a defense prime sponsor the ATO post-funding

DoD IL5

  • FedRAMP High baseline + 9 additional DoD controls
  • Data must reside in US-controlled facilities; US citizens only
  • Physical and logical separation from non-government tenants
  • Personnel background checks (6-12 months for clearance eligibility)
  • Achievable via customer-managed GovCloud account (BYOC tier)

DoD IL6

  • Classified SECRET — 618 controls
  • SIPRNET connectivity required; commercial CSPs cannot host directly
  • Dedicated, isolated DoD facilities only
  • Google Distributed Cloud air-gapped has IL6 PA — this is the “true air-gap” reference architecture
  • Quint’s play: Tier 3 (true air-gap) runs on customer hardware in their SCIF. We provide the software bundle; they provide the infrastructure and cleared personnel

Air-Gap Deployment Patterns

The industry has converged on two toolchains for air-gapped Kubernetes delivery: Zarf (Defense Unicorns, open source): Packages images, Helm charts, manifests, and config into a single declarative tarball. Injects a Rust-based bootstrap registry, then uses mutating webhooks to rewrite all image paths to the internal registry. Boeing uses this in production. Auto-generates SBOMs. Single zarf deploy command on the air-gapped side. Replicated/KOTS: Commercial platform. Handles license files, air-gap bundles (.airgap format), admin console UI for config/updates, and support bundle collection from disconnected environments. 70 of the Fortune 100 manage apps via Replicated. Helm air-gap builds in seconds. Common pattern across both:
  1. Connected side: build bundle (images + charts + config), sign it, generate SBOM
  2. Transfer via portable media (USB, DVD, cross-domain solution)
  3. Air-gapped side: load into private registry (Harbor is the standard), deploy via Helm
  4. Updates: same transfer process on a cadence (weekly/monthly/quarterly)
  5. License: offline file, cryptographically signed, checked locally — no phone-home

Three Tiers for Quint

Tier 1: BYOC (Customer-Managed AWS Account)

Model: Snowflake Openflow / Databricks pattern. Customer provides an AWS account. Quint provides a Terraform module + CloudFormation stack. Data plane runs in customer VPC. Control plane (license validation, update checks) calls back to Quint. What stays the same: SNS, SQS, ECS Fargate, RDS Postgres, ElastiCache Redis — all AWS-managed services, just in the customer’s account. What changes:
ComponentCurrent (Quint SaaS)BYOC
AWS accountQuint-owned (471112754669)Customer-owned
TerraformInternalPublished module, versioned
SecretsQuint Secrets ManagerCustomer Secrets Manager
AuthSupabase JWTSupabase JWT OR customer IdP via OIDC
DashboardVercel (cloud.quintai.dev)ECS service in customer account
UpdatesCI/CD pushTerraform module version bump, terraform apply
LicenseDeploy token from Quint APIDeploy token + license file with org/endpoint cap
TelemetryImplicit (our infra)Optional OpenTelemetry collector, customer controls export
Phone-home: License validation only (POST to license.quintai.dev with machine fingerprint + endpoint count). No event data leaves customer account. Engineering effort: 4-6 weeks. Mostly extracting Terraform into a publishable module, parameterizing account-specific values, adding OIDC auth support, and packaging the dashboard as an ECS service.

Tier 2: On-Prem Connected

Model: Customer’s data center or private cloud. Kubernetes cluster (customer-managed). Outbound HTTPS for updates and license checks only. No AWS managed services. Architecture diff from SaaS:
ComponentCurrent (AWS)On-Prem Replacement
ECS FargateManaged containersK8s Deployments (Helm chart)
SNS + SQSManaged pub/sub + queueRedis Streams (already have Redis) or NATS JetStream
RDS PostgresManaged databaseSelf-hosted Postgres (Bitnami Helm chart or operator)
ElastiCache RedisManaged cacheSelf-hosted Redis (Bitnami Helm chart)
Supabase AuthManaged authOry Kratos (open source, self-hosted, OIDC/SAML)
S3Object storageMinIO
Secrets ManagerManaged secretsKubernetes Secrets + sealed-secrets or Vault
ALBLoad balancerIngress controller (nginx/traefik)
ACMTLS certscert-manager + customer CA or Let’s Encrypt
Message bus decision: Redis Streams over RabbitMQ or NATS. Quint already depends on Redis for token caching and org ID resolution. Redis Streams gives us pub/sub + consumer groups with zero new dependencies. Fan-out (currently SNS -> 3 SQS queues) becomes 3 Redis consumer groups on one stream. Throughput ceiling is ~100K msg/s on a single node, which is 100x our current volume. Auth replacement: Ory Kratos for identity (email/password, OIDC, SAML) + Ory Oathkeeper as the auth proxy. Same JWT-based flow the API already expects. Kratos is Apache 2.0 licensed, battle-tested, and runs as a single Go binary. Keycloak is the alternative but it is a Java monolith — heavier operationally. Update mechanism: Quint publishes a signed Helm chart bundle to a customer-accessible registry (or HTTPS endpoint). Customer’s K8s cluster pulls on a schedule. Chart versions are signed with cosign. Customer can pin versions and control rollout. Engineering effort: 8-12 weeks. The hard parts are: abstracting the message bus (SNS/SQS -> Redis Streams), Helm chart for the full stack, replacing Supabase auth with Ory, and integration testing the full stack on K8s (not ECS).

Tier 3: True Air-Gap

Model: No outbound network. Customer’s SCIF, classified network, or isolated data center. Updates via portable media on a defined cadence. Same as Tier 2, plus:
ConcernSolution
Container deliveryZarf bundle OR Replicated air-gap bundle
Private registryHarbor (deployed as part of the bundle)
License validationOffline license file, Ed25519-signed by Quint, verified locally
UpdatesSigned bundle transferred via approved media; zarf deploy or helm upgrade
TelemetryLocal OpenTelemetry Collector -> local Prometheus/Grafana. Zero egress
Time syncCustomer NTP (SCIF networks have internal NTP). Critical for cert validation and log correlation
SBOMShipped with every bundle. Required for IL5+ ATO packages
License file format: 
{
  "org_id": "uuid",
  "org_name": "Lockheed Martin - Aeronautics",
  "max_endpoints": 500,
  "features": ["proxy", "esf", "dashboard"],
  "issued_at": "2026-05-03T00:00:00Z",
  "expires_at": "2027-05-03T00:00:00Z",
  "signature": "Ed25519-base64"
}
Daemon checks this file at startup. No network call. Quint’s signing key is baked into the binary. Customer cannot forge a valid license without the private key. Update cadence: Quarterly for air-gap (matches typical SCIF change-control windows). Monthly for connected on-prem. Continuous for BYOC. Engineering effort: 4-6 weeks on top of Tier 2. Mostly packaging (Zarf bundle creation, offline license validator, Harbor bootstrap, SBOM generation pipeline). The application code is identical to Tier 2.

Architecture Diff Summary

Current SaaS Stack              Self-Hosted Stack (Tier 2/3)
=====================           ============================
ECS Fargate                 ->  K8s Deployments (Helm)
SNS + SQS (3 queues)        ->  Redis Streams (3 consumer groups)
RDS Postgres                ->  Self-hosted Postgres
ElastiCache Redis           ->  Self-hosted Redis
Supabase Auth               ->  Ory Kratos + Oathkeeper
S3                          ->  MinIO
Secrets Manager             ->  K8s Secrets + Sealed Secrets
ALB + ACM                   ->  Ingress Controller + cert-manager
CloudWatch                  ->  OpenTelemetry + Prometheus + Grafana
GitHub Actions deploy       ->  Helm chart release + Zarf bundle
The edge daemon (proxy + ESF) requires zero changes — it already runs on customer hardware with no cloud dependencies at runtime. It just needs a license file path instead of a deploy token API call for Tier 3.

Pricing Model

Industry standard for self-hosted security: 3-5x SaaS pricing.
TierModelIndicative Pricing
SaaSPer-endpoint/month$15-25/endpoint/month
BYOCAnnual platform fee + per-endpoint50Kbase+50K base + 30-40/endpoint/month
On-Prem ConnectedAnnual platform fee$100K-250K/year for up to 500 endpoints
Air-GapAnnual platform fee + support$200K-500K/year, includes quarterly update bundles + TAM support hours
Defense primes expect annual contracts with SOWs, not monthly billing. Goldman/JPM expect enterprise agreements with volume discounts.

First Target Market

Defense primes first. Reasoning:
  1. Budget: Defense has allocated AI security budget lines (DoD AI Strategy, CDAO mandates). Finance is interested but procurement cycles are longer and more committee-driven.
  2. Pain: Defense primes are deploying AI agents on classified networks right now with zero observability tooling. They know they need this.
  3. Moat alignment: Quint’s proxy+ESF architecture is the only approach that works at IL5/IL6. CrowdStrike can’t serve them (cloud-only). TrojAI is the closest competitor but lacks the OS-level truth layer (Tier 2 in Quint’s architecture).
  4. Channel: Defense Unicorns (Zarf creators) are the warm intro. They already work with Boeing, Raytheon, USAF. Package Quint as a Zarf bundle and it slots into their existing delivery pipeline.
  5. Revenue per deal: 200K500K/yearvs.200K-500K/year vs. 50K for a mid-market SaaS deal. Fewer deals needed to hit milestones.
Sequence: Lockheed Martin (Aeronautics or Space, both heavy AI adopters) -> Raytheon (RTX) -> Boeing -> then pivot to Goldman/JPM once the defense reference customers are signed.

Engineering Roadmap

PhaseScopeEffortPrerequisite
Phase 0Abstract message bus interface (SNS/SQS vs Redis Streams)2 weeksNone
Phase 1BYOC Terraform module + license file4-6 weeksPhase 0
Phase 2Helm chart + Ory auth + full K8s stack8-12 weeksPhase 0
Phase 3Zarf bundle + offline license + Harbor bootstrap4-6 weeksPhase 2
Phase 4FedRAMP 20x prep (audit logging, FIPS crypto, SBOM)4-6 weeksPhase 2
Pre-Series A recommendation: Ship Phase 0 + Phase 1 (BYOC) in 6-8 weeks. This unlocks defense prime POCs without requiring the full on-prem stack. Phase 2+3 are post-funding work ($500K-1M engineering investment), timed to first design partner contract. Phase 0 is the critical path — once the message bus is abstracted behind an interface, every service works identically on AWS managed services or self-hosted Redis Streams. Do this first regardless of timeline.