Deployment Models

SaaS, on-premise, and self-managed deployments—security, network architecture, and isolation.

Last updated May 2026

Deployment models

  • SaaS — Vendor-hosted control plane; customers deploy lure nodes or use shared edge per contract
  • On-premise — Full stack inside the customer data center; air-gap options for government
  • Self-managed — Customer operates control plane + lures on their cloud (AWS/Azure/GCP) with H1VE support boundaries defined in SLA

Deployment Architecture (diagram placeholder)

  1. Corporate / internet
  2. Perimeter firewall
  3. H1VE control plane zone
  4. Lure runtime zone (isolated VLAN)
  5. SIEM / SOAR egress

Diagram to insert: split view of SaaS (vendor control plane + customer lure subnet) vs on-prem (single boundary), with Traefik, Docker host, PostgreSQL, and SIEM egress arrows.

Security and network architecture

Segregate lure VLANs from production AD and databases. Egress from lures should pass through inspection—you want outbound C2 attempts visible, not routed blindly to production.
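
An added example (not H1VE code or configuration) that checks the segregation rule above against an ordered firewall rule list: lure subnets must have no path to production AD or database subnets, and remaining egress must pass through inspection. The subnets, the rule format and the action names are constructed assumptions.

```python
import ipaddress as ip

# Constructed sample addressing; none of these values come from the page.
LURE_NETS = [ip.ip_network("10.66.0.0/24")]
PROD_NETS = {"ad": ip.ip_network("10.10.0.0/24"),
             "db": ip.ip_network("10.20.5.0/24")}

# Hypothetical rule format: (source, destination, action), first match wins,
# implicit default deny. "inspect" = forwarded through the inspection point,
# "allow" = forwarded without inspection.
GOOD_RULES = [
    ("10.66.0.0/24", "10.10.0.0/24", "deny"),
    ("10.66.0.0/24", "10.20.5.0/24", "deny"),
    ("10.66.0.0/24", "0.0.0.0/0", "inspect"),
]
BAD_RULES = [
    ("10.66.0.0/24", "10.10.0.0/24", "deny"),
    ("10.66.0.0/24", "10.20.0.0/16", "allow"),  # broad range swallows the db subnet
    ("10.66.0.0/24", "0.0.0.0/0", "allow"),     # egress bypasses inspection
]

def audit(rules, lure_nets=LURE_NETS, prod_nets=PROD_NETS):
    """Return (rule_index, message) findings for an ordered rule list."""
    parsed = [(ip.ip_network(s), ip.ip_network(d), a) for s, d, a in rules]
    findings = []
    for lure in lure_nets:
        for i, (src, dst, action) in enumerate(parsed):
            if action == "deny" or not src.overlaps(lure):
                continue
            for name, prod in prod_nets.items():
                if not dst.overlaps(prod):
                    continue
                # Safe only if an earlier deny already matches every
                # lure-to-production packet this rule could forward.
                blocked = any(a == "deny" and lure.subnet_of(s) and prod.subnet_of(d)
                              for s, d, a in parsed[:i])
                if not blocked:
                    findings.append((i, f"{lure} can reach production '{name}'"))
            if action == "allow":
                findings.append((i, f"uninspected egress {lure} -> {dst}"))
    return findings

if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(label, audit(rules) or "no findings")
```

The check is deliberately conservative: a forwarding rule that overlaps a production subnet is reported unless an earlier deny covers the whole lure and production ranges, so rule order matters.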

Isolation model

Each lure runs in its own container, with Traefik label isolation and workspace-scoped API tokens. PostgreSQL holds telemetry; encrypt at rest per your compliance baseline. Rotate integration secrets on the same cadence as other security tooling.