Assume Breach. Assume Capture.
In contested environments, perimeter defense is obsolete. Adversaries possess advanced traffic analysis, physical access to hardware, and quantum data-harvesting capabilities.
WildHorse Enterprise is built on a Paranoid-Mode Architecture. We assume the physical network is hostile, the host operating system is compromised, and the physical disk will be captured.
WildHorse Enterprise natively extends into secure software development and AI-assisted engineering workflows. This includes WildHorse Code: Parametric AI Assist, a secure, dependency-aware coding environment that enables AI-assisted software development within the same compartmentalized, zero-trust architecture.
WildHorse Enterprise combines:
FIPS-compliant zero-trust networking (ZTNA/VPN) for secure mesh environments
Compartmentalized MicroAppVMs on immutable base architecture with persona-based isolation (e.g., untrusted, work, confidential)
Integrated AI-driven red teaming for continuous penetration testing
Endpoint protection, hardware firewalls (peripherals), software firewalls with deep packet inspection
Moving Target Defense and ephemeral identity systems
Optional OS demotion into a secure immutable VM
A parametric, AI-assisted coding environment (WildHorse Code) for secure, dependency-aware software development
WildHorse is designed as a compartmentalized architecture, where core security components—including AI—operate in isolated environments.
U.S. and allied defense and intelligence organizations
Critical infrastructure operators
Security-focused enterprises and SMBs
Teams operating in high-risk or adversarial environments
Defense software factories, DevSecOps teams, and organizations developing AI-assisted or mission-critical software systems
WildHorse installs alongside an existing Enterprise Linux system and restructures it into a compartmentalized, zero-trust environment:
The host system is network-isolated by default using a firewall kill switch
Networking is handled through secured system compartments (e.g., sys-net, sys-usb)
Administrators deploy a Central Control system to manage users, policies, and environments
Users are provisioned with:
Persona-based MicroAppVMs
Ephemeral identities and credentials
Network-bound disk encryption access
Workloads run in isolated compartments, communicating only through controlled, encrypted channels.
All updates, access, and operations are cryptographically signed and verified.
AI-Assisted Development Integration:
Developers operate within isolated MicroAppVMs using WildHorse Code. AI models are accessed securely via CNSA 2.0 ZTNA, with only minimal, dependency-scoped context exposed. All AI-generated code is validated, dependency-checked, and cryptographically signed before integration into the system.
WildHorse is designed to enable a ‘clean-room’ computing model intended to maintain system integrity even under compromise scenarios:
Compromised hosts can be demoted and isolated as virtual machines
Workloads are contained in independent compartments, preventing lateral movement
AI continuously tests system defenses from within a controlled environment
Moving Target Defense removes persistent attack surfaces
Administrators maintain full auditability and control, aligned with DISA STIG requirements
The result is a system that assumes breach—and remains secure anyway.
WildHorse extends this model to software engineering itself. With WildHorse Code, organizations can safely leverage AI-assisted development without exposing sensitive code or introducing uncontrolled dependencies—ensuring that even AI-generated systems remain deterministic, auditable, and mission-ready.
This work addresses emerging post-quantum cybersecurity threats and contributes to the protection of critical digital infrastructure, an area of recognized strategic importance.
Core Capabilities
Post-Quantum Cryptographic Mesh (CNSA 2.0).
Designed to defeat "Harvest Now, Decrypt Later" attacks. WildHorse is built upon a proprietary, memory-safe cryptographic engine—currently in advanced prototyping—designed to enforce post-quantum key establishment (ML-KEM) and modern authenticated encryption (AES-256-GCM) at the tactical edge.
Legacy algorithms are entirely banned from the core.
Low Probability of Intercept (LPI).
Camouflaged to hide from adversary traffic analysis.
WildHorse shapes tactical traffic using UDP obfuscation, dynamic encapsulation, and automated "Chaff" (decoy packet) injection. Your VPN tunnel looks like background noise.
The "Hollow Host" & Firewalls.
Upon boot, WildHorse strips the host machine of its IP addresses and disables physical peripherals.
Workloads run in highly isolated MicroVMs protected by Rust-based hardware firewalls. Even if a virtual machine is compromised, the host kernel remains strictly isolated via hardware-enforced virtualization boundaries.
Moving Target Defense (MTD).
Our proprietary "Double Roll" mechanism enforces cryptographic amnesia. Upon session termination, data-at-rest volumes undergo deterministic key rotation and physical storage obfuscation.
Users, machine identities, and storage locations constantly shift, leaving adversaries with zero forensic trace of access patterns or historical data structures.
Our MTD maintains auditability and DISA STIG compliance.
Continuous Automated Red-Teaming (CART).
Defenses must be actively tested to be trusted. WildHorse Enterprise natively integrates WildHorse AI — an autonomous, multi-agent penetration testing framework.
Operating safely within our cryptographically sealed mesh, it relentlessly maps, tests, and validates your internal Access Control Lists (ACLs) and zero-trust policies, with or without human oversight.
[Under Development]
WildHorse AI: Your Built-In Autonomous Red Team
To continuously validate and stress-test our post-quantum defenses under realistic adversarial conditions, WildHorse Enterprise includes a native, autonomous multi-agent red-teaming system. The platform also provides a modular harness for organizations to deploy their own proprietary AI models for ongoing adversarial security validation.
Elite Offensive Power, Safely Contained
WildHorse AI is engineered to think and act like a sophisticated human adversary, with key advantages:
Based on Peer-Reviewed Research: WildHorse AI integrates and adapts multi-agent autonomous red-teaming research developed by Stanford Trinity, including the ARTEMIS framework, and extends it for deployment in high-assurance, hardware-attested environments.
In an independent 2025 evaluation (arXiv:2512.09882), ARTEMIS was tested head-to-head against 10 professional penetration testers on a live enterprise network of ~8,000 hosts. It placed 2nd overall, discovered 9 valid vulnerabilities with an 82% valid submission rate, and outperformed 9 out of 10 human participants.
"Assumed Breach" Specialist: Operating from inside your ZTNA mesh, our multi-agent AI simulates a compromised device. It replaces static scanners with intelligent, multi-step exploitation chains, relentlessly testing your Access Control Lists (ACLs) and validating your zero-trust policies 24/7.
Bring Your Own Agent (BYOA): While WildHorse includes our powerful native red-teaming AI, we do not lock you into our models. Our architecture is built as an entirely modular harness. DoD and intelligence organizations can seamlessly inject their own proprietary, highly classified multi-agent systems or offensive cyber models into the mesh to safely evaluate their capabilities in a live environment.
Air-Gapped & Secure by Design: Unlike commercial AI tools that leak sensitive network data to public APIs, the WildHorse AI harness is designed to operate entirely within your CNSA 2.0 ZTNA perimeter, interfacing with locally or cloud-hosted models inside classified (IL5/IL6) environments.
Secure Containment by Design: All red-teaming agents — whether native to WildHorse AI or user-supplied — are executed within dedicated, hardware-attested MicroAppVM compartments.
These compartments are built from minimal, hardened OS templates aligned with DISA STIG and FIPS requirements, enforcing strict mandatory access controls and maintaining a deliberately reduced attack surface.
This architecture is designed to enforce a tightly constrained blast radius, keeping even highly capable offensive agents isolated from the host system and other compartments.
The result is strong practical isolation suitable for contested, tactical-edge, and high-assurance (IL5/IL6) environments, while remaining fully compatible with existing DISA STIG and FIPS-aligned infrastructure.
Compartmented Architecture:
The Lead-Mare & The Herd
WildHorse Enterprise abandons the vulnerable, monolithic operating system model. Instead, it deploys as an immutable, high-assurance supervisor that dynamically manages highly restricted, isolated workloads. We operate on the principle of Strict Blast Radius Containment.
The Lead-Mare (The Immutable Supervisor):
The central nervous system of the platform. Operating under strict, Seccomp-enforced system-call filtering, the Lead-Mare acts as the cryptographic gateway. It natively hosts the Zero Trust Network Access (ZTNA) control plane, hardware-level eBPF killswitches, ephemeral identity generation, and an advanced Deep Packet Inspection (DPI) firewall. It controls the hardware, but executes no user applications.
The Herd-Members (Hardware-Attested Compartments):
Mission-critical applications are stripped of standard OS privileges and executed inside fully isolated MicroVMs or strictly bound rootless namespaces.
Out-of-the-Box Workloads: Includes an eBPF Intrusion Detection System (IDS), Secure Git with CNSA 2.0 commit signing, automated SBOM supply-chain validation, Low-Latency 4K RDP, our "Twin-Engine" Hardened PostgreSQL databases, and WildHorse AI (our autonomous, hardware-caged penetration tester).
Peripheral Firewalls: Workloads do not get direct access to hardware. We place Rust-based micro-firewalls between the MicroVM and the host's GPU, Audio, and Input devices to structurally enforce memory safety and physically mitigate hypervisor escapes.
Lateral Movement Prevented: Herd-Members possess no standard network stack. They communicate exclusively via encrypted internal memory buses (VSOCK) or cryptographic tunnels. Even if a workload is fully compromised by a zero-day exploit, the adversary is trapped in a blind, network-less vacuum.
Strategic Use Case: Secure Agentic AI Evaluation
As AI evolves from passive chat models to autonomous agents, traditional container-based evaluation harnesses are no longer safe. Agentic red-teaming requires executing potentially malicious tool-use in a secure sandbox.
OneCor10 is currently prototyping the WildHorse AI Evaluation Harness. By integrating industry-standard evaluation frameworks (such as UK AISI Inspect or other proprietary tools) with our hardware-attested MicroAppVMs, we provide a hardware-attested "Blast Radius Containment Sandbox." This entire system operates within a private, CNSA 2.0-compliant, peer-to-peer mesh network, giving teams the security of a logically air-gapped environment.
Evaluators can safely test untrusted, unaligned frontier AI agents in classified (IL5/IL6) Multi-Persona environments. Even if an AI agent executes a zero-day breakout payload, it is trapped inside a network-less, eBPF-shielded micro-environment—fully protecting the host infrastructure and preventing model exfiltration via our Moving Target Defense (MTD) rolling vaults.
This same military-grade harness is used to safely contain our own native red-teaming agent, WildHorse AI.
High-Assurance Software Engineering for the Tactical Edge.
Standard AI coding assistants introduce significant Operational Security (OPSEC) risks within defense and enterprise environments. Sensitive source code is often transmitted to external APIs, and large-scale code generation can produce inconsistent or incomplete dependency handling across complex systems.
WildHorse Code applies the rigor of aerospace and parametric CAD engineering to software development. It introduces a deterministic, dependency-aware development model designed specifically for AI-assisted workflows.
Instead of exposing entire repositories to a Large Language Model (LLM), WildHorse Code constructs a structured Parametric Model Tree—a dependency graph where code elements are explicitly linked through parent-child relationships, enabling controlled and predictable change propagation.
Deterministic Dependency Tracking
Code structures are explicitly linked within a structured dependency graph. When an AI agent modifies a function or module, all downstream impacts are precisely identified and surfaced, reducing the risk of inconsistent or incomplete updates.
Contextual Data Minimization
Eliminates reliance on large context windows. Only the minimal set of relevant code and dependency constraints is provided to the AI, improving accuracy while reducing exposure of sensitive logic.
Secure AI Execution Path
Developer endpoints interact exclusively with air-gapped, on-premises, or authorized cloud-hosted LLM environments. All inference traffic is routed through the WildHorse CNSA 2.0 ZTNA mesh, cryptographically enforcing data localization and preventing external data leakage.
Cryptographic Chain of Custody
Fully integrated with the WildHorse Secure Git Herd-Member. All AI-assisted modifications are validated, SBOM-scanned, and committed with enforced CNSA 2.0 cryptographic signing.
WildHorse Code enables software teams to leverage AI-assisted development at scale, while maintaining the deterministic control, traceability, and security required for mission-critical systems.
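The downstream-impact tracking and context minimization described above can be illustrated with a walk over reverse dependency edges. This Go example is added here and is not WildHorse Code; the Graph type, its methods and the sample symbol names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// Graph is a hypothetical dependency graph of code symbols (not WildHorse's own).
// uses maps a symbol to what it depends on; usedBy holds the reverse edges.
type Graph struct{ uses, usedBy map[string][]string }

// NewGraph builds the graph from {from, to} pairs, read as "from depends on to".
func NewGraph(edges [][2]string) *Graph {
	g := &Graph{map[string][]string{}, map[string][]string{}}
	for _, e := range edges {
		g.uses[e[0]] = append(g.uses[e[0]], e[1])
		g.usedBy[e[1]] = append(g.usedBy[e[1]], e[0])
	}
	return g
}

// Downstream lists every symbol transitively affected by a change: breadth-first
// over reverse edges, with the seen set stopping dependency cycles from looping.
func (g *Graph) Downstream(changed string) []string {
	seen, queue := map[string]bool{changed: true}, []string{changed}
	for i := 0; i < len(queue); i++ {
		for _, d := range g.usedBy[queue[i]] {
			if !seen[d] {
				seen[d] = true
				queue = append(queue, d)
			}
		}
	}
	out := queue[1:] // drop the changed symbol itself
	sort.Strings(out)
	return out
}

// MinimalContext is what an edit exposes to the model: the target, its direct
// dependencies and its direct dependents, never the whole repository.
func (g *Graph) MinimalContext(target string) []string {
	seen, out := map[string]bool{target: true}, []string{target}
	for _, list := range [][]string{g.uses[target], g.usedBy[target]} {
		for _, s := range list {
			if !seen[s] {
				seen[s] = true
				out = append(out, s)
			}
		}
	}
	sort.Strings(out)
	return out
}

// sample is constructed data; store.LoadKey and config.Path form a cycle.
var sample = NewGraph([][2]string{
	{"api.Login", "auth.VerifyToken"}, {"api.Refresh", "auth.VerifyToken"},
	{"auth.VerifyToken", "store.LoadKey"}, {"cli.Main", "api.Login"},
	{"store.LoadKey", "config.Path"}, {"config.Path", "store.LoadKey"},
})

func main() {
	fmt.Println("downstream of store.LoadKey:", sample.Downstream("store.LoadKey"))
	fmt.Println("context for store.LoadKey:  ", sample.MinimalContext("store.LoadKey"))
}
```

A change to `store.LoadKey` surfaces five affected symbols for review, while the model is shown only three.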
Engineered for the Nation's Most Critical Missions:
WildHorse Enterprise was purpose-built from the ground up to strictly adhere to DISA STIG (Defense Information Systems Agency Security Technical Implementation Guide) and FIPS (Federal Information Processing Standards).
But baseline compliance is not enough for contested environments. We engineered our architecture to natively enforce CNSA 2.0 (Commercial National Security Algorithm Suite), directly addressing the stringent post-quantum mandates required by high-assurance environments—including those seen across defense, intelligence, and national security contexts.
By solving the post-quantum threat at the tactical edge, we are able to deliver that exact same military-grade survivability to secure modern Enterprises, critical infrastructure, and highly targeted SMBs against advanced persistent threats (APTs) and sophisticated adversaries.
Engineered to meet the rigorous constraints of contested environments:
Safe Autonomous Red-Teaming: Conduct continuous, AI-driven penetration testing and vulnerability mapping without violating DISA STIG compliance or risking host-kernel compromises.
Network-Bound Disk Encryption (NBDE): Pre-boot cryptographic unlocking via CNSA 2.0 compliant tunnels.
Hollow Host: The underlying host system is hollowed out and restricted, minimizing the physical attack surface.
Host OS Demotion: For additional security, an advanced option allows the main OS to be fully demoted into an immutable, virtualized environment.
Multi-Persona Isolation: Strict, hardware-enforced partitioned workflows for role-based access control.
Disposable Ephemeral MicroAppVMs: Task-specific, high-integrity isolation with full DISA STIG compliance.
Air-Gapped Survivability: Maintains local integrity and cryptographic verification even in offline or high-jamming environments.
CNSA 2.0 compliant Ecosystem: Establishes an end-to-end encryption environment for Email, Cloud Storage, Central Control, and Data-at-Rest.
Secure Application Delivery: Run Windows Applications via MicroAppVMs (e.g., Microsoft Office 365), on a hardened Linux foundation.
Mr. Nicolaas J. Janse van Rensburg
Founder | R&D Designer | Chief Technology Officer
LinkedIn: www.linkedin.com/in/nj-jvrensburg
The work behind WildHorse Enterprise is grounded in ongoing research and development in secure systems architecture, virtualization, and applied cryptography, with a focus on post-quantum resilience and zero-trust computing models.
"Just as the builders in Nehemiah carried swords while they worked, we must ensure our security tools are always at hand—balancing constant vigilance with uninterrupted productivity as we secure every step of our digital journey."
— N.J. Janse van Rensburg
Our Foundation
"But now, whoever has a purse should take it, and likewise a bag; and whoever has no sword should sell his cloak and buy one." — Luke 22:36
About OneCor10
OneCor10 is a defense-tech startup built unapologetically on Christian principles. We engineer the most advanced post-quantum zero-trust architecture for the tactical edge, but we recognize that human effort alone is not enough. Wisdom comes from above, and we operate under the truth of 1 Corinthians 3:7: "So then neither is he that planteth any thing, neither he that watereth; but God that giveth the increase."
OneCor10 was founded with a singular mission: to rethink network security from the silicon up. In an era where quantum computing threatens legacy encryption and hardware at the tactical edge is routinely compromised, standard VPNs and operating systems are no longer sufficient.
Currently bootstrapping as a lean, research-driven startup focused on developing advanced security architectures for high-risk and critical computing environments, OneCor10 is pioneering a 'Clean-Room' approach to tactical computing.
WildHorse Enterprise is currently in an Invite-Only development and prototyping phase. To maintain operational security and strict blast-radius containment, our architecture is being engineered exclusively in controlled environments and is not publicly available for open download. Following our DIU submission and successful early prototyping, we are currently reviewing applications for early-access pilot partners among forward-leaning DoW and IC components.
100% of our resources are dedicated to backend systems architecture, cryptographic engine development, and advanced virtualization. We are committed to bringing true, hardware-attested "paranoid-mode" computing to the DoW, Intelligence Community, and critical enterprise sectors.
Current Development Status & Roadmap
Note: To maintain strict Operational Security (OPSEC), this roadmap provides only a high-level overview of core platform capabilities. Granular architectural schematics, zero-IP routing implementations, and advanced technical documentation are reserved exclusively for authorized evaluations and classified briefings under NDA. Therefore, the following status is abridged:
Phase 1: Core Architecture & Cryptographic Mesh (Status: Active Prototype / Code Complete)
Pure Go FIPS 140-3 Foundation: Complete. The cryptographic engine natively utilizes Go's `crypto/fips140` module.
CNSA 2.0 Post-Quantum Cryptography: Complete. Legacy WireGuard algorithms (Curve25519/ChaCha20) have been eradicated. The mesh operates exclusively on a True Hybrid SAKE protocol combining ML-KEM-1024 (Quantum Resistant) with ECDH P-384 (Classical Fallback) and AES-256-GCM.
The Lead-Mare (Supervisor): Complete. The immutable orchestration engine successfully manages MicroVM and Rootless Namespace isolation.
Hardware Firewalls: Complete. Peripheral isolation is implemented, physically separating workloads from the host kernel.
Moving Target Defense (MTD): Complete. The "Double Roll" encrypted vault rotation and ephemeral identity generation are active.
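The hybrid construction named in the CNSA 2.0 item above and under Post-Quantum Cryptographic Mesh (ML-KEM-1024 combined with ECDH P-384 to key AES-256-GCM) can be illustrated with Go's standard library, version 1.24 or later. This is an added example and not the WildHorse SAKE protocol, whose design the page does not describe; the Offer type, the HKDF-SHA384 combiner, its label and all function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha512"
	"errors"
	"fmt"
)

// Offer is the initiator's wire message (type and field names are hypothetical).
type Offer struct{ KEMCiphertext, ECPublic []byte }

// derive mixes both shared secrets with HKDF-SHA384, salted with a hash of the offer.
func derive(kemSS []byte, priv *ecdh.PrivateKey, peer *ecdh.PublicKey, o Offer) ([]byte, error) {
	ecSS, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	ikm := append(append([]byte{}, kemSS...), ecSS...)
	salt := sha512.Sum384(append(append([]byte{}, o.KEMCiphertext...), o.ECPublic...))
	// The label is this example's own; 32 bytes of output is an AES-256 key.
	return hkdf.Key(sha512.New384, ikm, salt[:], "example-hybrid-v1", 32)
}

// Initiate encapsulates to the responder's ML-KEM-1024 key and adds an ephemeral P-384 share.
func Initiate(ek *mlkem.EncapsulationKey1024, peer *ecdh.PublicKey) (Offer, []byte, error) {
	eph, err := ecdh.P384().GenerateKey(rand.Reader)
	if err != nil {
		return Offer{}, nil, err
	}
	kemSS, ct := ek.Encapsulate()
	o := Offer{ct, eph.PublicKey().Bytes()}
	key, err := derive(kemSS, eph, peer, o)
	return o, key, err
}

// Accept validates both parts of a received offer, then recomputes the session key.
func Accept(dk *mlkem.DecapsulationKey1024, ec *ecdh.PrivateKey, o Offer) ([]byte, error) {
	kemSS, errK := dk.Decapsulate(o.KEMCiphertext)    // wrong-length ciphertext is an error
	pub, errE := ecdh.P384().NewPublicKey(o.ECPublic) // rejects invalid points
	if err := errors.Join(errK, errE); err != nil {
		return nil, err
	}
	return derive(kemSS, ec, pub, o)
}

// NewResponderKeys generates the responder's ML-KEM-1024 and P-384 key pairs.
func NewResponderKeys() (*mlkem.DecapsulationKey1024, *ecdh.PrivateKey, error) {
	dk, errK := mlkem.GenerateKey1024()
	ec, errE := ecdh.P384().GenerateKey(rand.Reader)
	return dk, ec, errors.Join(errK, errE)
}

func main() {
	dk, ec, err := NewResponderKeys()
	if err != nil {
		panic(err)
	}
	offer, kI, errI := Initiate(dk.EncapsulationKey(), ec.PublicKey())
	kR, errR := Accept(dk, ec, offer)
	fmt.Println("keys match:", errI == nil && errR == nil && bytes.Equal(kI, kR))
}
```

Because ML-KEM uses implicit rejection, a modified ciphertext of the right length yields a different key rather than a decapsulation error, so tampering shows up as an AES-GCM authentication failure on the first protected message.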
Phase 2: Hardening & Compliance Remediation (Status: In Progress)
Codebase Auditing: Active remediation of legacy anti-patterns.
Network Bound Disk Encryption (NBDE): Refining the pre-boot vTPM attestation and Phase-2 LUKS payload injection.
Immutable UKI Factory: Finalizing the STIG-compliant OS kickstart and Dracut module generation.
WildHorse Code (Parametric AI Assist): Environment setup and design of the Parametric Core (e.g., AST parser and database, and parent/child call graph).
Phase 3: Autonomous Defense & DevSecOps (Status: Active R&D)
WildHorse AI (CART): Development of the hardware-caged multi-agent penetration testing harness. Currently integrating the required eBPF ring-buffer telemetry to feed the models.
WildHorse Code (Parametric AI Assist): Prototyping the deterministic dependency graph and secure CNSA 2.0 LLM routing to allow safe, air-gapped AI code generation.
Phase 4: Formal Certification (Future)
NVLAP Laboratory Submission: Formal validation of the cryptographic modules and system architecture against FIPS 140-3 Level 2 and DISA STIG compliance matrices.