PumaMesh keeps encryption, access control, and evidence in the same path that moves data. Teams can protect sensitive files, decide who can use them, and prove what happened from one platform.
That gives buyers one security story for partner exchange, regulated transfer, modern software delivery, and AI payload handling instead of separate products glued together.
PumaMesh keeps protection in the workflow itself: encrypt sensitive data, decide who can use it, and keep evidence ready for review without moving those jobs into separate products.
Encrypt
Protect data in motion and at rest
wolfSSL-based encryption stays in the transfer path and on protected files, so teams get strong protection without asking every application team to rebuild its workflow.
Control
Turn file context into access decisions
Classification, identity, and policy decide who can see data, where it can move, and when a transfer should stop before it leaves the source.
Prove
Keep evidence ready the moment someone asks
Audit trails, operator actions, and governed movement records are created as the work happens, making reviews and compliance conversations easier to support.
The same loop runs whether the payload is a file, model weight, report, or partner exchange. Label, authorize, encrypt, transport, enforce, and audit.
1 · Label
Auto-classify on creation or ingest
120+ sensitive-data patterns across 7 taxonomies detect PII, PHI, CUI, and government markings. Findings convert to ABAC attributes and bind to the object via Ed25519 signatures.
2 · Authorize
PDP evaluates every share request
RBAC (22 permissions) composes with ABAC (up to 10,000 attributes per file). DLP policies — auto-classify, quarantine, deny-transfer — evaluate before any bytes leave the node.
3 · Encrypt
Node- and agent-scoped keys bound to the transfer path
The current implementation uses node- and agent-scoped key material rather than a unique key per file. Key management stays inside the fabric, and the cryptographic stack currently uses wolfSSL 5.9.1.
4 · Transport
Post-quantum encrypted, relay never decrypts
Post-quantum in flight end to end; the stateless router forwards ciphertext without ever decrypting. Signed manifest and attribute envelope travel alongside.
5 · Enforce
Recipient PEP re-evaluates before delivery
The recipient validates the TLS peer, manifest signature, and BLAKE3 hash, then re-evaluates ABAC against local user attributes fresh within 300 seconds. Continuous authorization — not a one-time gate.
6 · Audit
Tamper-evident chain on every step
Every action emits an AuditEvent with sequence number and BLAKE3-chained previous checksum. Forwarded to syslog/SIEM. The chain detects tampering including reorder and delete.
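A minimal verifier for the kind of sequence-numbered, hash-chained audit log described in step 6, as an added example that is not PumaMesh code. The event fields, the genesis value and the `expected_head` anchor are assumptions, and BLAKE2b from Python's standard library stands in for BLAKE3.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-checksum value for the first event


def checksum(seq, prev, action):
    # Stand-in hash: BLAKE2b from the standard library, not BLAKE3.
    body = json.dumps({"seq": seq, "prev": prev, "action": action}, sort_keys=True)
    return hashlib.blake2b(body.encode(), digest_size=32).hexdigest()


def append(chain, action):
    """Append an event whose checksum covers its sequence number and predecessor."""
    prev = chain[-1]["checksum"] if chain else GENESIS
    seq = len(chain) + 1
    chain.append({"seq": seq, "prev": prev, "action": action,
                  "checksum": checksum(seq, prev, action)})


def verify(chain, expected_head=None):
    """Return a list of (position, problem) findings; an empty list means intact."""
    findings = []
    prev, want_seq = GENESIS, 1
    for pos, ev in enumerate(chain):
        if ev["seq"] != want_seq:
            findings.append((pos, "sequence gap or reorder"))
        if ev["prev"] != prev:
            findings.append((pos, "previous checksum mismatch"))
        if ev["checksum"] != checksum(ev["seq"], ev["prev"], ev["action"]):
            findings.append((pos, "event content altered"))
        prev, want_seq = ev["checksum"], ev["seq"] + 1
    # Tail truncation leaves a self-consistent chain; only a head checksum
    # stored elsewhere (for example one already sent to the SIEM) catches it.
    if expected_head is not None and prev != expected_head:
        findings.append((len(chain), "head checksum differs from external copy"))
    return findings


def build_sample():
    # Constructed sample events, not real product output.
    chain = []
    for action in ("classify report.pdf", "authorize share", "encrypt", "deliver"):
        append(chain, action)
    return chain
```

Deleting or swapping interior events breaks both the sequence and the previous-checksum link, while dropping the newest events is only visible when the verifier compares against a head value held outside the log.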
The site should not ask buyers to trust acronyms alone. PumaMesh maps control coverage to the data-sharing behavior the product actually enforces.
All 110 CMMC controls for data sharing met by the product. NIST SP 800-171 Rev 2 and Rev 3 anchor requirements satisfied. The organizational practices that remain customer-side (training, IR procedures, personnel, physical, SSP authoring) sit outside the product surface by design.
21 of 24 SP 800-172 enhanced requirements addressed in-product. Remaining gaps are organizational: SOC, CIRT, and annual penetration testing — not product deficiencies.
All 7 tenets enforced with at least one enforcement mechanism each. Continuous authorization via 15-minute LDAP staleness with fail-closed revocation.
Data pillar (4.3–4.7) substantially covered. User, Device, Application, Network, and Visibility pillars covered. Automation partial.
Identity and Data pillars at Advanced (toward Optimal). Devices and Networks at Advanced. Applications at Initial-to-Advanced.
PumaMesh currently uses wolfSSL 5.9.1 in the cryptographic stack. The security page now reflects the deployed runtime and keying model directly.
Post-quantum encryption (ML-KEM-1024) and post-quantum signatures deployed. CNSA 2.0 compliant for National Security System use — the highest-strength post-quantum parameter set in production.
80+ NIST SP 800-53 Rev 5 controls mapped with direct code evidence. 7 partially met. FedRAMP-aligned control coverage supports federal deployment readiness.
Future "CMMC 3.0" anchor requirements already satisfied in the movement and evidence path include CUI flow enforcement (03.01.03) and information retention (03.14.08). Cryptographic posture should be described against the deployed wolfSSL-based implementation.
Protection in PumaMesh is not one feature. It is three layers that run at the same time — every transfer, every file, every action.
Protect in Motion
Transfer and policy share one control plane
Crypto and policy stay in the path. Fast movement never skips the protections that regulated environments require.
Protect the Object
File context stays attached to the decision
Classification, attributes, findings, and version history decide what can move, where it can go, and who can see it.
Protect the Operator
Everything is observable and auditable
When teams move sensitive data, proof matters. Audit and posture views show what happened and the state of the system when it did.
Trust anchors, issuing authorities, key lifecycle state, and cryptographic hygiene are visible and operable directly in the product. Security teams reason about crypto posture inside the same fabric that moves the data.
Certificates and Keys
Manage trust anchors and key state centrally
Certificate inventory, issuing authority, and key state are visible in-product — not implied by a vendor brief.
Crypto Posture
See cryptographic hygiene and modernization work
Inventory and risk views let security teams reason about crypto posture inside the same fabric that moves the data.
Audit
Operator-grade evidence for every action
Filtered audit views support investigation, review, and compliance reporting — no separate monitoring workflow required.
ABAC turns protection into rules. The same attributes that gate visibility, search, and movement also map findings to the compliance frameworks auditors already use.
Policy
Enforce visibility and movement through attributes
ABAC turns protection into rules. The same attributes gate visibility, search, and movement — no separate policy language to learn.
Posture
Security tied to the data itself
Risk score, findings, classification distribution, and compliance views show the security state of what is being moved.
Framework Alignment
Controls mapped to frameworks customers already use
Talk to auditors in their language — CMMC 2.0, FedRAMP-aligned controls, NIST SP 800-207 Zero Trust, NIST AI RMF, EU AI Act — while every control stays visible in the product.
Finding Detail
Severity, category, and framework mapping per finding
Each finding ties to severity, category, and the frameworks that govern it — before operators decide to move or quarantine.