Control Zero Self-Hosted
The full platform, inside your network.
Same product as Cloud, your infrastructure. Gateway, policy engine, audit store, dashboard, admin CLI. Nothing leaves your VPC. Available to regulated, air-gapped, and sovereign-cloud teams in private preview.
// 001
What We Solve
Four categories of AI risk that security teams face today. Control Zero Self-Managed addresses each one with a dedicated capability.
AI Coding Tools
AI Coding Tool DLP
MCP-level controls govern what tools AI coding assistants can invoke and what data they can access. Policy enforcement happens before any tool call executes, preventing source code, credentials, and proprietary logic from leaving your network.
Chat Applications
Chat Application DLP
An SSL-inspecting proxy sits between your users and browser-based AI chat services. It detects, blocks, or masks sensitive content before it reaches external AI providers. Configure DLP rules per domain with detect, block, or mask modes.
API Traffic
API-Level DLP
A transparent gateway proxy intercepts all LLM API traffic. PII detection and masking, model blocking, cost caps, and tool call interception happen inline with zero application code changes. Change your base URL and enforcement begins.
Discovery
Shadow AI Discovery
Coming soonEndpoint and network agents discover unauthorized AI tools, exposed API credentials, and hidden model traffic across your fleet. Continuous scanning with dashboard visibility. No manual audits required.
// 002
How Deployment Works
Docker Compose is the only deployment method. Standard requirements: Docker 24+, 4 GB RAM, 2 CPU cores, 10 GB disk. Full control over networking, storage, and access policies.
01
Pull Images
Authenticate with the Control Zero container registry and pull the latest images. All images are signed and verified. Works on any Linux host with Docker 24+.
02
Configure
Set your license key, network bindings, and policy configuration in the compose environment file. Optional: TLS certificates, log destinations, proxy settings.
03
Deploy
Run docker compose up. Preflight health checks verify the environment automatically. All services start, connect, and report status. No outbound internet required after initial pull.
Air-gap tarball and Kubernetes Helm chart also available. Hybrid (cloud control plane + self-hosted data plane) is planned for a future release.
Deployment Architecture
// 003
Key Capabilities
Licensing
License Management
Seat-based, time-limited licenses with offline validation. No phone-home requirement. Grace period and read-only mode prevent disruption during renewal.
Monitoring
Health Checks
Preflight checks verify the environment before installation. Postflight checks confirm all services are operational. Run manually or integrate with your monitoring.
Diagnostics
Support Bundles
Generate diagnostic packages with automatic secret redaction. Includes service logs, container state, system info, and health check results.
Observability
Metrics and Logging
Prometheus metrics endpoint with seven metric families. Structured JSON logs with correlation IDs. Configurable log levels. Compatible with Splunk, Elasticsearch, Grafana, and Datadog.
Security
Anti-Tampering
Policy bundles are cryptographically signed and verified on every load. Configuration integrity monitoring detects unauthorized changes. Binary checksums verified on startup.
Network
SSL Proxy
Chat DLP for browser-based AI services. Deploy a CA certificate to endpoints and configure detect, block, or mask modes per domain. Scoped inspection, no blanket interception.
DLP
Multi-Locale PII Detection
Bidirectional DLP with 59 patterns across US, Korean, Japanese, and European locales. Check digit validation for high precision. Detect, mask, or block PII in both requests and responses.
Rate Limiting
Configurable Rate Limits
Per-user, per-organization, and per-provider rate limits. Standard headers (X-RateLimit-Remaining). All limits configurable at runtime without restart.
i18n
Multi-Language Dashboard
Dashboard available in English and Korean, with an extensible locale system. Adding a new language requires only a single translation file.
Coding Tools
Coding Assistant Hooks
One-command hooks for Claude Code, Gemini CLI, and Codex CLI. Every tool call is evaluated against your policy before it executes. Full local audit log, fleet enrollment, and centralized policy sync.
Browser DLP
Browser Extension for AI Chat DLP
Coming soonChrome and Edge MV3 extension enforces DLP rules on Claude.ai, ChatGPT, Gemini, and Perplexity. Deploy via MDM. Fail-closed on cold boot. Compliance acknowledgment gate for regulated environments.
// 004
Compliance
Every governance decision is recorded, queryable, and exportable. Built for environments where audit readiness is a requirement, not a feature request.
Audit
Immutable Audit Trails
Every policy evaluation is logged with timestamp, agent identity, action, resource, decision, and the policy that matched. Audit records are append-only.
Privacy
PII Detection and Masking
Bidirectional DLP scans both requests and responses for PII across multiple locales. 59 patterns with check digit validation. Configure detect, mask, or block modes per policy.
Transparency
Full Decision Logging
Every allow and deny decision includes the complete evaluation context: which policy matched, why it matched, and what action was taken. No silent decisions.
Integration
Export Capabilities
Export audit data in JSON or CSV format for integration with your existing compliance and reporting workflows. Filter by date range, agent, action, or decision.
Ready to evaluate Self-Hosted?
Tell us about your use case, scale, and timeline. We ship a preview package, a private documentation portal, and a direct line to the team during early access.