
Faction Networks — Introduction and Overview

Faction Networks delivers true Zero Trust cybersecurity for networking, data, and connected devices, including the smart, legacy, and dumb devices found in Operational Technology (OT) and Internet of Things (IoT) environments. Every Faction Network is created, controlled, and accessible only by the Network Owner and the devices and users they personally invite and authenticate.

Faction Networks also provides the cryptographic identity, access control, and network isolation foundation needed to secure AI autonomous agents and agentic workflows — where traditional credential-based and cloud-based controls are wholly inadequate. This will be addressed in a broader solution after version 1 that goes beyond the scope of the current application.

Faction is built for professionals, small and mid-sized businesses, and organizations that need real security without the cost and complexity of enterprise solutions. We call it Zero Trust for the Rest of Us.

The Problem Faction Solves

Network security has evolved through two generations, each a genuine improvement but each with its own critical limitations. Faction is the third generation.

Generation 1: VPNs and Firewalls

VPNs and firewalls remain the most widely used security tools for small and mid-sized businesses. They were the right solution for their era, but they are architecturally vulnerable in today's threat environment:

  • They create a visible perimeter that attackers can scan, probe, and target.
  • They rely on credentials — usernames and passwords — that are routinely phished, stolen, or brute-forced.
  • A single compromised credential or misconfigured rule can expose an entire network.
  • They leave smart, legacy, and IoT devices completely unprotected — these devices cannot run VPN agents and sit exposed on the local network.
  • They have no mechanism to verify or control AI autonomous agents operating within or across networks.
  • They are widely exploited and responsible for some of the most catastrophic breaches of recent years.

Generation 2: ZTNA and SDN Solutions

Zero Trust Network Access (ZTNA) and Software Defined Network (SDN) solutions, including enterprise platforms like Zscaler, Fortinet, and Palo Alto Networks, were developed specifically to address the vulnerabilities of VPNs. They represent a significant and genuine security advance: eliminating perimeter-based trust, enforcing continuous authentication married to identity management and verification, and enabling fine-grained access control.

However, for the vast majority of businesses and organizations, they introduce a different set of problems:

  • They are expensive, typically priced for large enterprise budgets.
  • They are complex to deploy and require dedicated IT staff or managed service providers to configure and maintain.
  • They rely on centralized cloud control planes. Their servers, certificate authorities, and identity providers become high-value targets. A compromise of the vendor's infrastructure is a compromise of every customer on that platform.
  • Their centralized identity and access management systems share the same Cloud vulnerabilities.
  • They are software-only and cannot protect OT and IoT devices that cannot run agents or install software.
  • They create metadata exposure — cloud providers can observe connection patterns, timing, and topology even when payload content is encrypted.

Note

Tailscale and ZeroTier are lighter-weight peer-to-peer alternatives in this space. Both are easier to use than enterprise ZTNA, but still depend on cloud coordination servers for initial connections and key management, and neither provides hardware protection for OT/IoT devices.

Generation 3: Faction Networks

Faction fills the gap between these two generations, delivering the security architecture of true Zero Trust with the simplicity and cost profile that makes it accessible to any organization:

  • Eliminates the vulnerabilities of VPNs and firewalls, which are widely exploited and prone to catastrophic hacks.
  • Provides the flexibility and micro-segmentation of SDNs, but with none of their complexity and cost.
  • Secures the smart, dumb, and legacy devices that are critical to business operations but are left completely vulnerable by VPNs, SDNs, and firewalls alike.
  • Provides the cryptographic identity, key-based access control, and network isolation foundation required to govern AI autonomous agents — ensuring that human-in-the-loop control can be asserted and enforced at the network level, not just at the software policy level.

Most importantly, Faction is low cost, easy to deploy, and easy to manage by any individual, workgroup, or organization, without specialist IT support.

What Makes Faction Different

Each Faction principle and what it means for you:

  • Zero Trust by Default: Every device and user must be cryptographically verified before gaining any access. There are no implicit trusts, no shared passwords, and no anonymous connections possible.
  • Invisible by Default: Your Faction network cannot be discovered, scanned, or probed from the internet. There is no visible gateway or attack surface. Unauthorized parties cannot even attempt a connection.
  • Zero-Knowledge Infrastructure: Faction's infrastructure routes your encrypted traffic but holds no keys and has no access to your data, network content, or administrative control. Encryption keys and network identity are created and controlled exclusively by the Network Owner.
  • Owner-Controlled Keys: All encryption keys are generated on the Network Owner's device and never transmitted to or stored on Faction's infrastructure. Faction cannot access, read, or administer any Faction Network even if compelled to do so.
  • Out-of-Band Authentication: There are no usernames or passwords to phish or steal. Members join through a direct, personal, out-of-band process that cryptographically binds their identity to their device.
  • Hardware-Native OT/IoT Security: Faction Pods and Portals extend Zero Trust to physical locations and protect devices that cannot run software, including legacy equipment, IP cameras, industrial sensors, and IoT devices.
  • US-Made, Cyber-Assured Hardware: Faction hardware is manufactured in the USA, forensically inspected at the chip level, and continuously monitored for integrity after deployment.

Core Capabilities

Each capability and what it does:

  • Encrypted Private Network (VPC): Connects all your approved devices into one encrypted private network, at any location and on any connection. Powered by WireGuard.
  • Secure Direct File Transfer: Sends files of any size directly between devices. Files never touch Faction's infrastructure.
  • Encrypted Email (S/MIME): Signs and encrypts email using your existing email client (Apple Mail, Outlook, and any native email client). No new tools required.
  • Encrypted Data at Rest: Encrypts files stored at rest on endpoint computing devices (PCs, laptops, smartphones, etc.). In the future, this will be integrated with Google Drive, Dropbox, and other cloud services so that the cloud provider stores only encrypted data.
  • Cryptographic Micro-Segmentation: Groups give teams, departments, or projects their own encryption keys. Access is binary: you hold the key, or you have no access at all.
  • Faction Pods and Portals: Secure networking appliances that extend Zero Trust to physical locations and protect any connected device regardless of its capability.
  • Multi-Device, Multi-Platform: Connect phones, laptops, desktops, and servers across iOS, Android, macOS, Windows, and Linux from one place.
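The "you hold the key, or you have no access at all" rule of cryptographic micro-segmentation, together with the rekey-on-removal behaviour the glossary below calls Forward Secrecy (elsewhere often called post-compromise or future secrecy), can be shown with a small model. This is an added example, not Faction's code or implementation: a SHA-256 counter keystream with an HMAC-SHA256 tag stands in for AES-256-GCM, and the Group class, its epoch counter and the direct keyring updates are assumptions made for the illustration.

```python
"""Toy model of cryptographic micro-segmentation with rekey on member removal.

Added example, not Faction's implementation. Stand-ins (assumptions): a
SHA-256 counter keystream plus an HMAC-SHA256 tag replaces AES-256-GCM, and
the new group key is handed to the remaining members by a direct dict update
instead of an encrypted key-distribution message.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA-256(key || nonce || counter) blocks.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Group:
    """A segment whose only access control is possession of the current epoch key."""

    def __init__(self, name: str, members: Tuple[str, ...]):
        self.name = name
        self.epoch = 0
        self.members = set(members)
        self._epoch_key = os.urandom(32)
        # Each member's private keyring: epoch -> the group key they were given.
        self.keyrings: Dict[str, Dict[int, bytes]] = {m: {0: self._epoch_key} for m in members}

    def remove(self, member: str) -> None:
        """Rotate to a fresh key that only the remaining members receive."""
        self.members.discard(member)
        self.epoch += 1
        self._epoch_key = os.urandom(32)
        for m in self.members:
            self.keyrings[m][self.epoch] = self._epoch_key

    def post(self, author: str, message: bytes) -> Tuple[int, bytes]:
        """Encrypt under the current epoch key; raises KeyError if the author lacks it."""
        key = self.keyrings[author][self.epoch]
        return self.epoch, encrypt(key, message)

    def read(self, member: str, epoch: int, blob: bytes) -> Optional[bytes]:
        """Binary access: no key for that epoch means no plaintext."""
        key = self.keyrings.get(member, {}).get(epoch)
        if key is None:
            return None
        return decrypt(key, blob)
```

A removed member keeps the old epoch keys it already had, so earlier messages stay readable to it; only messages posted after the rotation are out of reach. That is exactly the property the glossary entry describes, and it is why the epoch number travels with each message.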

How Faction Compares

The table below shows how Faction's Virtual Private Circuit (VPC) product compares across the three generations of network security solutions:

Each row compares, in order: VPNs and Firewalls; ZTNA / SDN (Zscaler, Fortinet, Palo Alto, etc.); Peer-to-Peer Mesh (Tailscale, ZeroTier); Faction VPC.

Security Generation
  • VPNs and Firewalls: Generation 1, perimeter-based
  • ZTNA / SDN: Generation 2, Cloud Zero Trust
  • Peer-to-Peer Mesh: Generation 2 (lite), Partial Zero Trust
  • Faction VPC: Generation 3, Zero-Knowledge Infrastructure

Architecture
  • VPNs and Firewalls: Centralized gateway (single point of failure)
  • ZTNA / SDN: Cloud control plane (vendor is a target)
  • Peer-to-Peer Mesh: Cloud coordination server required
  • Faction VPC: Zero-knowledge meeting point (routes but cannot read traffic)

Network Visibility
  • VPNs and Firewalls: Exposed, scannable gateway
  • ZTNA / SDN: Cloud broker visible to attackers
  • Peer-to-Peer Mesh: Coordination server known and visible
  • Faction VPC: Invisible by default — no attack surface

Authentication
  • VPNs and Firewalls: Credentials (phishable)
  • ZTNA / SDN: Cloud IAM + 2FA (cloud CAs vulnerable)
  • Peer-to-Peer Mesh: Cloud SSO (vendor dependency)
  • Faction VPC: Out-of-band, no credentials, cryptographic key

Human Identity Verification
  • VPNs and Firewalls: None
  • ZTNA / SDN: Cloud IAM only (can be bypassed at scale)
  • Peer-to-Peer Mesh: Cloud SSO only
  • Faction VPC: Pre-v1: Tier 2 device biometric; Tier 3: iValt 5-Factor Authentication with continuous presence verification (planned, v1)

OT / IoT Devices
  • VPNs and Firewalls: Unprotected — no agent possible
  • ZTNA / SDN: Unprotected — software only
  • Peer-to-Peer Mesh: Unprotected — agent required
  • Faction VPC: Hardware Pods protect any device, any age

AI Agent Control
  • VPNs and Firewalls: None — no mechanism to verify or govern agents
  • ZTNA / SDN: Centralized IAM and cloud control plane vulnerable to compromise
  • Peer-to-Peer Mesh: None
  • Faction VPC: Cryptographic access control and human-in-the-loop enforcement via iValt (planned)

Data Encryption
  • VPNs and Firewalls: In-transit only
  • ZTNA / SDN: In-transit only
  • Peer-to-Peer Mesh: In-transit only
  • Faction VPC: In-transit and at rest

Cost and Complexity
  • VPNs and Firewalls: Low to moderate cost, moderate complexity
  • ZTNA / SDN: High cost, high complexity, heavy IT
  • Peer-to-Peer Mesh: Low to moderate cost, low to moderate complexity
  • Faction VPC: Low cost, minimal IT needed

Key Rotation
  • VPNs and Firewalls: None
  • ZTNA / SDN: Manual or policy-based
  • Peer-to-Peer Mesh: Manual (ZeroTier: none; Tailscale: manual)
  • Faction VPC: Automated, owner-controlled

Hardware Security
  • VPNs and Firewalls: None
  • ZTNA / SDN: None
  • Peer-to-Peer Mesh: None
  • Faction VPC: US-made, chip-level forensic verification

How Encryption Protects You

Faction uses four independent layers of encryption. Traffic between devices flows through Faction's F1 meeting point, which routes encrypted traffic but holds no keys and cannot read any content — in the same way that your internet traffic passes through many infrastructure nodes that cannot read your encrypted communications.

Each layer, its technology, and what it protects:

  • API Communication (RSA-4096 + AES-256-GCM + Ed25519): All traffic between your device and Faction's infrastructure.
  • Network Transport (WireGuard, ChaCha20-Poly1305): All traffic across your private network, routed through the F1 meeting point.
  • Peer-to-Peer, P2P (Mutual TLS 1.3 with X.509 certificates): Direct device-to-device sessions (file transfers).
  • Data at Rest (AES-256 encrypted SQLite + platform keychain): All data stored on your device and in cloud storage.

Note

Your private keys are generated on your device and never transmitted to Faction's infrastructure. There is no master key. Faction cannot unlock your data even if compelled to do so.

How Your Security and Privacy Is Protected

Faction's zero-knowledge architecture means that Faction's infrastructure is technically incapable of accessing your data, not just policy-prohibited from doing so. The table below shows what Faction's infrastructure can and cannot see:

For each data type, whether Faction can see it:

  • Contents of your files: No — files are transferred between devices and never stored on Faction's infrastructure.
  • Your private encryption keys: No — generated and stored only on your device, never transmitted.
  • Your seed phrase or backup passphrase: No — never transmitted to Faction under any circumstances.
  • Content of your encrypted emails: No — only you and your recipient hold the decryption keys.
  • Your local encrypted database: No — encrypted with keys only your device holds.
  • Your server backup contents: No — encrypted locally before upload; Faction's infrastructure holds only ciphertext.
  • Your network activity or connection metadata: No — zero-log architecture; no connection, timing, or topology data is recorded.

Each Faction network you belong to is cryptographically independent, with its own WireGuard interface, its own RSA key pair, its own certificate authority, and its own encrypted database. If you belong to multiple factions, a compromise of one faction's keys provides zero leverage against any other.

Authentication in Faction Networks

Faction implements a three-tier authentication model that scales from baseline cryptographic security to fully verified human identity:

Tier 1: Key / Certificate
  • Method: Cryptographic key or certificate possession
  • What it verifies: That the correct device holds the correct key. No human identity concept — purely cryptographic. The baseline for all Faction Networks.
  • Note: Even at Tier 1, joining requires personal, human-to-human out-of-band verification. The Network Owner personally authenticates each member. In small trusted groups this can be the strongest form of identity assurance possible.
  • Status: Current release

Tier 2: OS-Native Biometric
  • Method: Face ID, Touch ID, Windows Hello, or equivalent
  • What it verifies: That someone who can unlock this device is present. Prevents unauthorized use of an unlocked device.
  • Acknowledged limitation: PIN fallback and other OS bypass paths mean this verifies "someone who can unlock this device," not a specific verified human identity.
  • Status: Near-term roadmap, no extra charge

Tier 3: iValt Human Identity
  • Method: iValt 5-Factor Authentication with continuous presence verification
  • What it verifies: A cryptographically verified human identity, bound to the Faction key. No PIN fallback. AI-resistant liveness detection. Ensures the person controlling a device is the verified, authorized human — not another agent or a compromised credential.
  • Status: Planned for v1, premium licensed add-on

Note

The iValt integration proof-of-concept has been completed. Full integration is planned for the v1 release.

Faction Networks and Agentic AI Security

The rapid rise of AI autonomous agents — accelerated by the adoption of Model Context Protocol (MCP) — is creating an urgent new category of security challenge. AI agents now connect to applications, data, devices, and physical systems at machine speed, with capabilities that far exceed the speed and scale for which existing security controls were designed. The question is not just how to monitor what AI agents do, but how to ensure that when a human needs to assert control, that control is guaranteed to work.

Faction as the AI Security and Control Layer

Faction Networks is an overlay network — it sits on top of existing infrastructure without requiring changes to the underlying network. This is the same approach taken by enterprise AI security solutions. The fundamental difference is what controls the overlay. Cloud-managed solutions route traffic and enforce policy through a vendor-managed cloud control plane that is itself a target. Faction's overlay has no cloud control plane. The Network Owner holds all keys. Faction's infrastructure routes encrypted traffic but cannot read it, administer it, or be compelled to override it.

Faction provides three layered levels of AI security protection:

  1. Network isolation: every Faction Network is invisible and unreachable from the internet by default, and AI servers have no visibility into or route to protected resources.
  2. Cryptographic micro-segmentation: Groups containing AI instances, data, and authorized users enforce access by key possession, not cloud policy.
  3. The Authorization Purse: AI agents receive only ephemeral, scoped tokens authorizing specific actions, issued by the human Network Owner — never persistent access. Persistent access can be granted easily when needed, but always subject to this underlying control.

Human-in-the-Loop Control and the Cryptographic Kill Switch

AI agents, like human employees, must operate within defined boundaries of authority — with accountability to the humans responsible for their actions. Faction enables this at the cryptographic level. Each agent's authorization derives from and is traceable to a specific human sponsor. The agent acts only within the scope that sponsor has granted. Every action is attributable — there are no anonymous operations on a Faction Network.

When a human needs to revoke an agent's access, Faction's cryptographic kill switch takes effect immediately at the network layer — not through a cloud policy update that propagates with delay, but through cryptographic invalidation that takes effect before any further operation can proceed. The iValt integration (planned for v1) adds verified human identity to the authorization layer: ensuring that the person issuing or approving an agent's authorization is cryptographically verified as a specific, living human — not another agent, not a compromised credential. This can also be implemented with approval workflows that encompass multiple humans and steps when needed for particularly high risk actions.
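As an added illustration of the Authorization Purse token model and the kill switch described above (not Faction's code or protocol): tokens are short-lived, scoped to named actions, bound to a single agent, and traceable to a human sponsor; killing the agent makes every token it holds fail on the very next check, with no propagation delay. Assumptions made for the example: an HMAC-SHA256 tag under the owner's key stands in for an Ed25519 signature (so issuer and checker share that key here), revocation is enforced by this checker rather than at the network layer, and the claim names (jti, sponsor, agent, actions, iat, exp) and the AuthorizationPurse class are invented.

```python
"""Illustrative Authorization Purse: ephemeral, scoped, sponsor-issued agent
tokens with an immediate revocation (kill switch).

Added example, not Faction's code. Assumptions: HMAC-SHA256 under the owner's
key stands in for an Ed25519 signature (issuer and checker share the key
here); revocation is enforced by this checker rather than at the network
layer; claim names and the class itself are invented for the illustration.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Iterable, Optional, Set


class AuthorizationPurse:
    def __init__(self, owner_key: bytes, clock: Callable[[], float] = time.time):
        self._key = owner_key
        self._clock = clock            # injectable so expiry can be tested
        self._killed_agents: Set[str] = set()

    def _mac(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, sponsor: str, agent: str, actions: Iterable[str], ttl_seconds: int) -> str:
        """The owner issues a short-lived token: one agent, named actions, a human sponsor."""
        now = int(self._clock())
        claims = {
            "jti": secrets.token_hex(8),       # unique token id
            "sponsor": sponsor,                # the accountable human
            "agent": agent,
            "actions": sorted(set(actions)),   # explicit scope; nothing is implied
            "iat": now,
            "exp": now + ttl_seconds,          # ephemeral: no persistent access
        }
        payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        return payload.hex() + "." + self._mac(payload)

    def _claims(self, token: str) -> Optional[dict]:
        """Parse and authenticate a token; None if malformed or the tag does not verify."""
        try:
            payload_hex, mac = token.split(".", 1)
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None
        return json.loads(payload)

    def authorize(self, token: str, agent: str, action: str) -> str:
        """Return 'ok' or the first reason the request is denied."""
        claims = self._claims(token)
        if claims is None:
            return "bad-signature"
        if claims["agent"] in self._killed_agents:
            return "revoked"               # kill switch wins over everything else
        if self._clock() >= claims["exp"]:
            return "expired"
        if claims["agent"] != agent:
            return "wrong-agent"
        if action not in claims["actions"]:
            return "out-of-scope"
        return "ok"

    def sponsor_of(self, token: str) -> Optional[str]:
        """Attribution: which human is accountable for this token."""
        claims = self._claims(token)
        return None if claims is None else claims["sponsor"]

    def kill(self, agent: str) -> None:
        """Kill switch: every token this agent holds is refused from this instant."""
        self._killed_agents.add(agent)
```

The ordering of checks in authorize is deliberate: the revocation set is consulted before expiry or scope, so a killed agent is refused even with an otherwise valid, in-scope token, and every token carries the sponsor so that each denied or allowed action remains attributable.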

Deployment and Roadmap

For self-hosted AI engines, Faction's Cloud Connectors bring the AI server inside the Faction Network entirely — invisible to the internet, fully contained. For large cloud AI platforms, Faction controls what those systems can reach: protected resources sit inside the Faction Network, accessible to AI only through the Authorization Purse token model. Faction Pods and Portals extend the same protection to edge devices and OT/IoT systems that AI agents may interact with or control.

Note

Faction's AI security capabilities are forward-looking but architecturally straightforward — they extend the same cryptographic access control, network isolation, and human identity verification that underpin the current platform to the specific challenge of governing AI agents. For a full treatment of Faction's AI security architecture, use cases, and deployment scenarios, refer to the companion document: Faction Networks and Agentic AI Security (April 2026).

Glossary

  • AES-256-GCM: Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode. Used for encrypting data payloads.
  • BIP-39: A standard for generating human-readable seed phrases (word lists) from cryptographic entropy. Faction uses 24-word phrases.
  • CA (Certificate Authority): An entity that signs and issues digital certificates. In Faction, the network owner's device acts as the CA.
  • ChaCha20-Poly1305: The authenticated encryption algorithm used by WireGuard for VPN traffic.
  • CRDT: Conflict-free Replicated Data Type — a data structure that ensures consistency across devices that may be offline.
  • Ed25519: An elliptic-curve signature algorithm used by Faction for authentication and action key signing.
  • Faction Connector: A standalone Rust CLI daemon that allows headless Linux and macOS devices (servers, NAS, Raspberry Pi) to join a faction network.
  • Faction Pod: A dedicated hardware appliance that extends the faction network to a physical location over Wi-Fi and Ethernet.
  • Forward Secrecy: A security property where new encryption keys are generated after membership changes, so a removed member cannot decrypt future communications.
  • mTLS / Mutual TLS: TLS where both sides (client and server) authenticate each other with certificates, not just the server.
  • RSA-4096: A public-key cryptographic algorithm with a 4096-bit key, used for key exchange and encrypting action keys.
  • S/MIME: Secure/Multipurpose Internet Mail Extensions — a standard for email signing and encryption using X.509 certificates.
  • Shamir Secret Sharing: A cryptographic technique to split a secret into N shares where any M shares can reconstruct the original.
  • TOTP: Time-based One-Time Password — a 2FA method that generates a 6-digit code every 30 seconds.
  • WireGuard: A modern, high-performance VPN protocol. Faction uses WireGuard for all mesh VPN connectivity.
  • X.509: A standard for public key certificates. Faction issues X.509 device certificates signed by the faction owner's CA.
  • Zero-Knowledge: An architecture where the service provider has no ability to read user data, even if compelled.