IX Bond is built from the ground up on proven cryptographic primitives, zero-trust principles, and a cloud-managed model that keeps your data entirely under your control.
Built on WireGuard's modern, audited cryptographic stack
IX Bond leverages WireGuard's carefully chosen cryptographic primitives. Unlike legacy VPN protocols that offer dozens of cipher combinations (many of which are insecure), WireGuard uses a single, opinionated set of state-of-the-art algorithms. This eliminates cipher negotiation attacks and dramatically reduces the attack surface.
Symmetric encryption for all tunnel traffic: ChaCha20-Poly1305
Elliptic curve Diffie-Hellman: Curve25519 (ECDH)
Cryptographic hash function: BLAKE2s
Keyed hash for internal tables: SipHash24
All four primitives are modern, fast, and resistant to known attacks. ChaCha20-Poly1305 provides authenticated encryption that is immune to timing attacks and outperforms AES on devices without hardware acceleration. Curve25519 provides 128-bit security with compact 32-byte keys.
Automated key lifecycle with zero human intervention required
All private keys stored on disk are encrypted with AES-256-GCM. The encryption key is derived from hardware-bound secrets where available (TPM 2.0, Secure Enclave).
Node identity is established on first registration and pinned to the control server. Any key change triggers an alert and requires administrator approval.
WireGuard key pairs are automatically rotated every 30 days. Rotation is seamless with zero downtime — new keys are distributed and activated before the old keys expire.
Compromised keys can be revoked instantly through the control server. All peers remove the revoked key within seconds, and the node must re-authenticate to rejoin the mesh.
Every connection is verified. No implicit trust, ever.
IX Bond implements a genuine Zero Trust Network Access (ZTNA) model where trust is never assumed based on network location. Every connection between any two nodes requires cryptographic authentication, authorization against the current policy, and continuous verification throughout the session.
Every new connection requires a valid WireGuard handshake using the node's current key pair. There are no session tokens to steal or replay.
Access policies are defined using tags, not IP addresses. Tags are assigned to nodes and users, and ACL rules specify which tags can communicate. This decouples policy from network topology.
Nodes can be required to meet posture requirements before joining the mesh: OS version, disk encryption status, firewall enabled, antivirus running, and custom checks.
Device posture is checked continuously, not just at connection time. Nodes that fall out of compliance are automatically quarantined until posture is restored.
Cloud-managed means your data is protected by enterprise-grade encryption, access controls, and SOC 2 compliant infrastructure
One of the most impactful security decisions in IX Bond's architecture is the cloud-managed deployment model. When you use a SaaS VPN provider, your encryption keys, network topology, access policies, and metadata all live on their infrastructure. With IX Bond, everything stays on yours.
Secure connectivity without exposing internal networks
IX Bond uses STUN, UDP hole punching, UPnP, and NAT-PMP to establish direct peer-to-peer connections through NAT devices without opening inbound ports or exposing internal networks.
The kill switch prevents any traffic from leaking outside the WireGuard tunnel if the VPN connection drops unexpectedly. Configurable per-node with bypass rules for critical services.
When a direct P2P connection is not possible (e.g., symmetric NAT), traffic is relayed through encrypted DERP servers that you self-host. Relayed traffic remains end-to-end encrypted.
Built-in DNS resolution with optional threat filtering. Block known malware domains, phishing sites, and C2 servers at the mesh level without additional software.
Internal PKI with automatic issuance and rotation
IX Bond operates an internal Certificate Authority (CA) for securing communication between the control server and mesh nodes. This is separate from the WireGuard data plane encryption and provides an additional layer of authentication for the control plane.
Complete visibility into every action across your mesh
IX Bond provides comprehensive audit logging that records every significant action within your mesh network. Logs are structured, searchable, and designed for integration with your existing SIEM and monitoring tools.
Node registrations, key rotations, ACL changes, authentication attempts (successful and failed), administrative actions, and policy modifications are all logged with full context.
Configure webhooks to receive real-time notifications for security-relevant events. Send alerts to Slack, PagerDuty, Opsgenie, or any HTTP endpoint.
Audit logs are append-only with cryptographic chaining. Each log entry includes a hash of the previous entry, making tampering detectable. Export to immutable storage for compliance.
Export logs in JSON, CEF, or syslog format. Native integrations with Splunk, Elastic, Datadog, and any syslog-compatible collector.
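The hash-chained audit log described above can be checked independently once entries are exported. The following is an added example, not IX Bond's code or log format: the field names, the use of SHA-256 over canonical JSON, the all-zero genesis value, and the sample events are assumptions chosen for illustration.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed prev_hash value for the first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over canonical JSON of the whole entry, prev_hash included."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(log: list, event: str, actor: str) -> None:
    """Add an entry that commits to the hash of the entry before it."""
    prev = entry_hash(log[-1]) if log else GENESIS
    log.append({"seq": len(log), "event": event, "actor": actor, "prev_hash": prev})


def verify(log: list, anchored_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index where it breaks.

    An edit to entry k surfaces at k+1, whose prev_hash no longer matches.
    anchored_head is the last entry's hash as stored out of band; without it
    a rewritten final entry or a truncated log still verifies. A mismatch
    against the anchor is reported as index len(log).
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return i
        prev = entry_hash(entry)
    if anchored_head is not None and prev != anchored_head:
        return len(log)
    return None


def sample_log() -> list:
    """Constructed sample events, not real IX Bond output."""
    log = []
    append(log, "node.register", "node-a")
    append(log, "acl.change", "admin@example.com")
    append(log, "key.rotate", "node-a")
    append(log, "auth.failed", "node-b")
    return log
```

Chaining alone detects edits to any entry except the last; recording the head hash in immutable storage is what makes truncation and tail rewrites detectable.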
Meeting the standards that regulated industries require
Independent audit of security, availability, and confidentiality controls. Expected completion Q3 2026.
Cloud-managed model with DPA available. Data stays on your infrastructure in your chosen jurisdiction.
Architecture supports HIPAA requirements. Business Associate Agreement (BAA) available for healthcare organizations.
Compliant with U.S. Export Administration Regulations (EAR). Uses publicly available encryption algorithms.
Proactive security through testing, research, and responsible disclosure
We welcome and appreciate security researchers who report vulnerabilities to us responsibly. If you discover a security issue in IX Bond, please report it to security@ixbond.com. We ask that you:
We commit to acknowledging receipt within 24 hours, providing an initial assessment within 72 hours, and keeping you informed throughout the remediation process.
IX Bond maintains an invitation-only bug bounty program for experienced security researchers. The program covers the IX Bond control server, agent, API, and web dashboard. If you are interested in participating, please contact security@ixbond.com with your background and areas of expertise.
IX Bond undergoes annual third-party penetration testing conducted by an independent security firm. Tests cover the full stack: network layer, application layer, API security, authentication and authorization, cryptographic implementation, and privilege escalation. Remediation is tracked to completion, and re-testing confirms that all findings are resolved.
Found a security issue? We take every report seriously and will respond within 24 hours. Your contributions help keep IX Bond and its users safe.
security@ixbond.com