The Containment Era is here. Secure AI workloads before they breach.
Govern the blast radius.
Before the breach.
Lab-tested, partner-validated containment deployments for AI workloads. Each architecture ships with an insertion pattern, AI-aware SmartGroup model, and baseline policy pack. Security teams deploy from day one, with no application-team compliance required.
Lab-validated architectures available
New architecture every Wednesday
Per VCA deployment, billed as Workloads
Without containment architecture, every AI workload is an ungoverned blast radius.
Pick the path that matches where you are.
Every Validated Containment Architecture deploys on Aviatrix Enterprise — including the Controller, CoPilot, and Distributed Cloud Firewall. Start with a free trial or deploy directly from GitHub if you already run Enterprise today.
Enterprise is free — every VCA included on day one
Subscribe to Aviatrix Enterprise on AWS or Azure Marketplace, finish provisioning in under 15 minutes, and deploy any live architecture within the trial window.
30-day free trial · No contract · Full platform included
Deploy any live VCA from GitHub
Click into any live architecture below to find the blueprint for your environment — Terraform, Helm, or policy YAML. Each detail page has the full deployment guide.
Blueprint available on every live VCA · No additional license required
Validated Containment Architectures
Contain AWS Bedrock AgentCore
Zero-trust egress for Bedrock AgentCore agents at the network layer. AI-aware SmartGroups map Bedrock workloads dynamically; default-deny MCP egress means each agent declares its allowed destinations as policy-as-code.
Contain Azure AI Foundry Agents
Containment for Azure AI Foundry deployments. AI-aware SmartGroups target ai_agent resource types directly; east-west segmentation prevents agent-to-agent lateral movement and every flow is logged for compliance.
Contain Enterprise MCP (Obot)
Policy-as-code containment for Obot-based MCP infrastructure. FirewallPolicy CRDs let each MCP server declare its network scope; a compromised server cannot exfiltrate through ungoverned paths.
Contain Enterprise GitHub Pipelines
URL-path scoping for CI/CD and coding-agent workloads. Differentiate github.com/acme-corp/* from github.com/*. Blocks runtime package installs from npm, PyPI, and Docker Hub.
Contain Enterprise AI Chat
Production containment for enterprise AI chat. Managed WebGroups govern which LLM providers are reachable; AI workload URL categories block file-sharing and unauthorized providers by default.
Containment Plugin for Microsoft Agent Control Specification
Compile your .guardrails.yaml into Aviatrix DCF rules via the open-source acs-to-dcf shim. No Terraform blueprint — policy plugin, not a deployable architecture.
Contain Google Vertex AI Agents
Network containment for Vertex AI agent deployments on GCP. AI-aware SmartGroups keyed to Vertex AI agent identities via Cloud Asset Inventory. Completes the hyperscaler containment set.
Contain Enterprise NemoClaw
Network containment for NemoClaw-powered agentic environments. AI-aware SmartGroups segment by team, environment, or tag. Instance metadata endpoint is blocked by default.
Start the trial.
Deploy your first VCA this afternoon.
Subscribe to Aviatrix Enterprise on AWS or Azure Marketplace, finish provisioning in under 15 minutes, then deploy any Wave 1 architecture from GitHub.
Controller 8.1+ · 1 managed network per deployment · No developer compliance required