An end-to-end encrypted overlay network that connects your AI agents across clouds, VPCs, and on-prem — without a VPN, without sending data to a third party, and without touching your firewall config.
Enterprises want to deploy AI agents across multiple clouds, subsidiaries, partner orgs, and on-prem environments. Every existing solution forces a trade-off.
Site-to-site VPNs require coordinated firewall changes, IP allocation, and ops oversight. Not viable for dynamic agent fleets that come up and down across regions.
AWS PrivateLink, GCP VPC Peering, Azure Private Link — each works only within its own cloud, and you pay for every cross-region hop.
Third-party agent orchestrators route traffic through their infrastructure. Your PHI, trade secrets, and model prompts transit an external perimeter.
Opening inbound ports on agent hosts invites scanners, credential stuffing, and zero-day exposure. Every new agent is a new CVE risk.
ChaCha20-Poly1305 per-tunnel keys negotiated via X25519. Nothing in transit is readable by infrastructure, the rendezvous, or us. Not decrypted, not logged.
NAT traversal handles AWS, GCP, Azure, and on-prem automatically. Agents dial out, the network handles the rest. No inbound ports. No static IPs. No tickets to network ops.
48-bit addresses isolated per network ID. Your agents have stable identities that survive IP changes, region migrations, and cloud moves.
Fine-grained authorization at the connection level. Agents prove identity before every session. Access is revocable, auditable, and policy-driven.
Managed rendezvous and registry with single-tenant isolation, regional residency, and SLA-backed uptime. Traffic stays end-to-end encrypted — the control plane never sees your payloads.
Structured connection logs, trust events, and identity lifecycle ship to your SIEM. Designed for HIPAA, SOC 2, and internal compliance review.
Pilot Protocol isn't trying to be another VPN or service mesh. It's the missing layer between agent processes.
| Capability | Pilot Protocol | Corporate VPN | Service Mesh (Istio) | SaaS Agent Router |
|---|---|---|---|---|
| Cross-cloud without firewall changes | Yes | No | Cluster-scoped | Yes |
| E2E encrypted (no operator decryption) | Yes | Tunnel-level | mTLS (CA-dependent) | No |
| Dedicated single-tenant control plane | Yes | Org-scoped | Cluster-scoped | Shared |
| Works behind NAT without config | Yes | No | No | Yes |
| Agent-native addressing and identity | Yes | No | Pod-level | Tenant-scoped |
| Trust and policy at connection layer | Yes | No | Yes | Vendor policy |
Run diagnostic agents across hospital systems without exposing PHI to model vendors. See the HIPAA architecture guide for the full pattern.
Connect agents in AWS, GCP, and Azure without VPC peering or PrivateLink. One network, one address space, no cross-cloud egress gymnastics.
Let agents from different business units share intelligence under a shared trust policy without merging IT environments. Each side keeps its perimeter.
Bridge on-prem GPU clusters to cloud-hosted orchestrators. Agents connect outbound from behind corporate firewalls. Zero inbound exposure.
Expose a private agent API to a partner without opening your infrastructure to the public internet. Trust-gated, revocable, auditable.
Get a dedicated control plane, SLA, and onboarding support. Production-ready in under a week.