The Byos Secure Endpoint Edge


A hardened security stack on a simple plug-and-play USB device, the Byos Secure Endpoint Edge provides protection from OSI layers 1 to 5 through hardware-enforced isolation.

Each Secure Endpoint Edge isolates the connected endpoint onto its own micro-segment of one, which protects it from compromised networks and other endpoints on the network.

Get started with the Byos Secure Endpoint Edge Overview


Portable & Lightweight.

The Byos Secure Endpoint Edge fits in the palm of your hand and can be transported anywhere.

It is powered solely by its male USB-C connector, with no need for a power outlet or battery to work.

The Secure Endpoint Edge also does not impact or restrict connection speeds.


The Apple© MacBook® Pro are trademarks of Apple Inc. 

Works with any device.

The Secure Endpoint Edge is technology agnostic and can be used with any connected device regardless of its operating system, model or age.

It doesn’t require any software or drivers and connects to your device via USB-C.

The solution is plug-and-play and doesn’t require any previous security knowledge, making it easy to use.

Powerful. Secure.

The Byos Secure Endpoint Edge is built on proprietary hardware, and runs a customized operating system.

The hardware board offers several security features to prevent tampering, protecting your information:

  • Encrypted eMMC

  • Secure Boot

  • Signed Binaries

  • Crypto Coprocessor

  • Tamper Resistant Enclosure

  • No JTAG Connector

The Byos Secure Endpoint Edge is built in North America, with a certified supply chain of components.


Robust Endpoint Protection

Hardware-enforced isolation created by the Byos Secure Endpoint Edge hardware device puts the user in a protected environment isolated from the local network. Because the Secure Endpoint Edge is a “security stack on a stick,” all security service processing occurs on its hardware with no protection dependencies in the cloud.


The specific security services running on the Secure Endpoint Edge include:


Byos runs a bi-directional firewall, offering incoming and outgoing access control through country-based and protocol-based traffic rules and restrictions on specific domain names, IP addresses and ports.


The user’s Wi-Fi connection is prevented from being intercepted, cloned, bypassed or hijacked.


The Secure Endpoint Edge maintains direct and confidential communications with the network gateway without allowing the poisoning of routing tables.

Private DNS

The Secure Endpoint Edge runs an in-device encrypted DNS server to prevent DNS hijacking and preserve the confidentiality of the user’s browsing data.


The Secure Endpoint Edge detects changes in packet routing to the Internet and takes the necessary actions to prevent any data leakage.

Traffic Volume

The Secure Endpoint Edge detects exponential changes in network traffic volume often triggered by hidden malware running on the user’s device.


The Secure Endpoint Edge runs an internal security service to detect directed threats and block fingerprinting, enumeration, DoS and exploit attacks.

Tracking and

The Secure Endpoint Edge blocks ads and tracking transparently on the network level without requiring additional software on the host or in the browser.

Are you a Security Researcher?

Are you interested in testing the security of the Secure Endpoint Edge? Purchase a Secure Endpoint Edge and participate in our Bug Bounty Program.

Threat Management

The Secure Endpoint Edge performs continuous analysis on the connected Wi-Fi network, alerting IT of threats immediately and, if required, cutting network access autonomously when the network environment becomes hostile.

Any attack attempts against the Secure Endpoint Edge will be detected by the in-device threat management, and live alerts will be sent to the user and IT through the Management Console. The Secure Endpoint Edge also autonomously blocks attacks without the need for interference from the user or the IT department, and can decide in real time whether the user should be disconnected from the network as a fail-safe.


Are you looking for better protection over remote endpoints?

Get started with our Business Starter 5-Pack to see how easy deployment, usage, and provisioning are with the Byos Endpoint Micro-Segmentation Solution. Start small with a pilot deployment of 5 Secure Endpoint Edge devices and access to the Management Console, see the value, and then deploy more Secure Endpoint Edge devices from there.

OSI Model Protections

OSI 1 - Physical

  • Wired connection to host

  • Hardware security layers

  • Rogue AP protection


OSI 2 - Data Link

  • Wi-Fi identity checks

  • ARP-poisoning protection

  • Gateway integrity checks

OSI 3 - Network

  • Restrictive firewall

  • Route alteration detection

  • Network identity checks

OSI 4 - Transport

  • In-device encrypted DNS

  • Malware containment

  • Multi-factor traffic control

OSI 5 - Session

  • Bandwidth spike checks

  • In-device VPN tunneling

  • Multi-factor Network Access Control

Deployment and Implementation

With streamlined provisioning for all categories of endpoint devices, Byos enables zero-trust migration and implementation through simple plug-and-play security. There is no need to physically install software or agents on users’ devices. The solution is easy to use and requires no previous end user security knowledge, and provides automatic device enrollment and integration into enterprise security programs and infrastructure.


User Privacy

The Secure Endpoint Edge does not perform Deep Packet Inspection. The Secure Endpoint Edge maintains TLS encryption as the traffic passes through it – the Internet connection is transparent to the endpoint and the egress traffic is clean, which allows it to communicate as the endpoint normally would. Because there is no software running on the endpoint, the user’s privacy is maintained.


VPN Connections

For organizations with an existing VPN infrastructure, user VPN connections can be tunneled through the Secure Endpoint Edge. The Management Console gives the administrators the ability to see if the user is connected to a VPN and visibility into the VPN’s session information. The Secure Endpoint Edge detects potentially malicious activity related to the VPN connections including changes in public/local IP address of the VPN Gateway or a dropped VPN connection without action from the user.


Technical Specifications

  • Dimensions: 1.76 x 1.38 x 0.57 inches (4.48 x 3.49 x 1.45 cm)

  • Type of Device: Plug-and-Play USB Ethernet Gateway

  • Power Consumption: Under 5W

  • Port Requirements: USB 3.0 / USB Type-C

  • OS Requirements: Any OS compatible with USB-OTG

  • Special Driver Requirements: None

  • Enclosure: 2 mm Plastic

  • Manufactured in: Canada/USA

  • Certified Supply Chain of Hardware components: Yes

  • Certified Chain of Custody of Software: Yes

  • Software Updates: Automatic, Over-the-air

Get Started with Byos


Request a demo to see how Byos would work in your environment