What airgapped actually means (and what vendors mean when they say it)
Vendors say airgapped to mean anything from a private cloud tenant to true zero-egress operation. The differences that matter: where analysis happens, whether licensing phones home, how updates arrive, and what breaks without connectivity. Five test questions separate marketing airgap from architectural airgap.
Sit through enough vendor briefings and you will hear “we support airgapped deployments” applied to architectures that require internet access weekly. The term has been stretched to cover everything from a dedicated cloud tenant to genuine zero-egress operation, and for buyers in defense, banking, and critical infrastructure, the difference is not semantic: it decides whether the tool can legally run at all.
Here is the actual spectrum, and how to locate any product on it.
The spectrum
SaaS with private branding. Your data, their cloud, perhaps a dedicated tenant. Whatever the adjectives, code or artifacts leave your network for analysis. For genuinely restricted environments this is disqualified at the architecture diagram.
On-premises with an umbilical. The software installs in your datacenter but assumes connectivity: license checks against vendor servers, telemetry, cloud-fetched rule updates, activation flows. Sever the internet and it degrades or dies within some grace period. This is the most common thing “airgapped” turns out to mean in practice, and the degradation clauses hide in appendices.
Offline-capable. The product can run disconnected as a supported mode, though it was designed connected-first. Workable, but the offline path is the less-tested path, and features quietly assume the happy case. Ask what specifically differs offline; the honest answer is rarely “nothing” here.
Offline-first. Disconnection is the design center, not a mode. Installation from media, licensing with no callbacks ever, updates as signed artifacts you carry across the boundary, full functionality with zero egress, forever. There is no degraded state because there is no connected state to degrade from. This is what airgapped environments actually require, and it is rare, because it constrains the vendor’s entire architecture.
Five questions that sort vendors quickly
- “Where does analysis execute?” If any code, artifact, or finding transits vendor infrastructure, the conversation is over for restricted networks. No follow-up needed.
- “What happens to licensing after 12 months with zero connectivity?” The honest answers are “nothing” or a specific expiry mechanism you can plan around. Watch for grace periods measured in days.
- “How does vulnerability and rule content arrive, and how do we verify it?” The right shape is a signed bundle, verified cryptographically on import, with every report recording which bundle version it used. That last detail turns offline data into an audit advantage rather than a staleness worry.
- “What telemetry exists, and can it be disabled or is it absent?” “Disabled” means the transmit path exists and awaits a config regression. “Absent” means it was never built. Different answers.
- “Will results be identical to a connected deployment?” The trap question. If the connected version consults cloud services during analysis, the offline version is a different, lesser product wearing the same name. Deterministic, self-contained analysis is what makes the answer “identical” possible.
Why architecture beats configuration
The recurring failure with retrofitted-offline products is not malice; it is entropy. Every feature added by a vendor whose test environments have internet quietly assumes internet, and each release erodes the offline path a little more. Products built offline-first cannot regress this way, because their own development gates would fail: the zero-egress property is the architecture, not a flag.
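A development gate of this kind can be sketched in Python, as an added example rather than any vendor's own code: it denies DNS lookups and network connects while an analysis runs and records every attempt, so a phone-home that swallows its own errors still fails the gate. The names zero_egress, run_gated, analyze_offline and analyze_with_telemetry, the host telemetry.vendor.example and the sample input are all constructed for illustration.

```python
import contextlib
import socket

class EgressAttempt(AssertionError):
    """Code under the gate tried to resolve a name or open a network socket."""

@contextlib.contextmanager
def zero_egress():
    """Deny DNS lookups and non-AF_UNIX connects; yield the list of attempts."""
    attempts = []
    saved = (socket.socket.connect, socket.socket.connect_ex, socket.getaddrinfo)

    def deny(kind, target):
        attempts.append((kind, target))  # recorded even if the caller swallows the error
        raise EgressAttempt(f"{kind} {target!r}")

    def guard(real):
        def wrapper(sock, address):
            if sock.family == getattr(socket, "AF_UNIX", None):
                return real(sock, address)  # local IPC is not egress
            deny("connect", address)
        return wrapper

    socket.socket.connect = guard(saved[0])
    socket.socket.connect_ex = guard(saved[1])
    socket.getaddrinfo = lambda host, *a, **kw: deny("resolve", host)
    try:
        yield attempts
    finally:
        socket.socket.connect, socket.socket.connect_ex, socket.getaddrinfo = saved

def run_gated(analysis, source):
    """Run analysis(source) with egress denied; return (result, attempts)."""
    with zero_egress() as attempts:
        return analysis(source), list(attempts)

# Constructed stand-ins for a product's analysis entry points (hypothetical names).
def analyze_offline(source):
    return [n for n, line in enumerate(source.splitlines(), 1) if "eval(" in line]

def analyze_with_telemetry(source):
    findings = analyze_offline(source)
    try:  # "best effort" phone-home that hides its own failures
        socket.create_connection(("telemetry.vendor.example", 443), timeout=1).close()
    except Exception:
        pass
    return findings

SAMPLE = "x = 1\ny = eval(user_input)\nprint(y)\n"  # constructed input
```

The gate should assert that the attempts list is empty, not merely that no exception escaped. It only sees sockets opened through Python's socket module, so a network-less sandbox around the whole test run remains the outer check.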
This is also why the question matters beyond truly airgapped sites. Every restricted-network property (no telemetry, verifiable updates, no silent behavioral drift) is a supply-chain-security property in disguise. The tool that cannot leak your code because no egress path exists is making a stronger promise than any data-processing addendum, and it makes that promise to connected customers too.
If a vendor’s “airgapped” survives all five questions, you have found the rare genuine article. It is a short list. We are on it, verifiably: the first command our platform teaches you is the one that proves the network is not required.