The Byos µGateway

A Secure Endpoint Edge

A hardened security stack on a simple plug-and-play USB device, the Byos µGateway (pronounced “micro-gateway”) provides protection from OSI layers 1 to 5 through hardware-enforced isolation.

Each µGateway isolates the connected endpoint onto its own micro-segment of one, protecting it from compromised networks and from other endpoints on the network.

Portable & Lightweight.

The Byos µGateway fits in the palm of your hand and can be transported anywhere.

It is powered solely by its male USB-C connector, with no need for a power outlet or battery to work.

The µGateway also does not impact or restrict connection speeds.

The Apple© iPad® and MacBook® Pro are trademarks of Apple Inc. The Microsoft© Surface Pro® is a trademark of Microsoft Corp.

Works with any device.

The µGateway is technology agnostic and can be used with any connected device regardless of its operating system, model or age.

It doesn’t require any software or drivers and connects to your device via USB-C.

The solution is plug-and-play and doesn’t require any previous security knowledge, making it easy to use.

Powerful. Secure.

The Byos µGateway is built on proprietary hardware, and runs a customized operating system.

The hardware board offers several security features to prevent tampering, protecting your information:

  • Encrypted eMMC

  • Secure Boot

  • Signed Binaries

  • Crypto Coprocessor

  • Tamper Resistant Enclosure

  • No JTAG Connector

The Byos µGateway is built in North America, with a certified supply chain of components.

Robust Endpoint Protection

Hardware-enforced isolation created by the Byos µGateway hardware device puts the user in a protected environment isolated from the local network. Because the µGateway is a “security stack on a stick,” all security service processing occurs on its hardware with no protection dependencies in the cloud.


The specific security services running on the µGateway include:


Byos runs a bi-directional firewall, offering incoming and outgoing access control by country and by protocol, and restricting specific domain names, IP addresses and ports.


The user’s Wi-Fi connection is prevented from being intercepted, cloned, bypassed or hijacked.


The µGateway maintains direct and confidential communications with the network gateway without allowing the poisoning of routing tables.

Private DNS

The µGateway runs an in-device encrypted DNS server to prevent DNS hijacking and preserve the confidentiality of the user’s browsing data.


The µGateway detects changes in packet routing to the Internet and takes the necessary actions to prevent any data leakage.

Traffic Volume

The µGateway detects exponential changes in network traffic volume often triggered by hidden malware running on the user’s device.


The µGateway runs an internal security service to detect directed threats and block fingerprinting, enumeration, DoS and exploit attacks.

Tracking and

The µGateway blocks ads and tracking transparently on the network level without requiring additional software on the host or in the browser.

Are you a Security Researcher?

Are you interested in testing the security of the µGateway? Purchase a µGateway and participate in our Bug Bounty Program.

Threat Management

The µGateway performs continuous analysis on the connected Wi-Fi network, alerting IT of threats immediately and, if required, cutting network access autonomously when the network environment becomes hostile.

Any attack attempts against the µGateway will be detected by the in-device threat management, and live alerts will be sent to the user and IT through the Management Console. The µGateway also autonomously blocks attacks without the need for interference from the user or the IT department, and can decide in real time whether the user should be disconnected from the network as a fail-safe.

Are you looking for better protection over remote endpoints?

Get Started with our Business Starter 5-Pack to see how easy deployment, usage, and provisioning are with the Byos Endpoint Micro-Segmentation Solution. Start small with a pilot deployment of 5 µGateways and access to the Management Console, see the value, and then deploy more µGateways from there.

OSI Model Protections

OSI 1 - Physical

  • Wired connection to host

  • Hardware security layers

  • Rogue AP protection


OSI 2 - Data Link

  • Wi-Fi identity checks

  • ARP-poisoning protection

  • Gateway integrity checks

OSI 3 - Network

  • Restrictive firewall

  • Route alteration detection

  • Network identity checks

OSI 4 - Transport

  • In-device encrypted DNS

  • Malware containment

  • Multi-factor traffic control

OSI 5 - Session

  • Bandwidth spike checks

  • In-device VPN tunneling

  • Multi-factor Network Access Control

Deployment and Implementation

With streamlined provisioning for all categories of endpoint devices, Byos enables zero-trust migration and implementation through simple plug-and-play security. There is no need to physically install software or agents on users’ devices. The solution is easy to use and requires no previous end user security knowledge, and provides automatic device enrollment and integration into enterprise security programs and infrastructure.

User Privacy

The µGateway does not perform Deep Packet Inspection. The µGateway maintains TLS encryption as the traffic passes through it: the Internet connection is transparent to the endpoint and the egress traffic is clean, which allows it to communicate as the endpoint normally would. Because there is no software running on the endpoint, the user’s privacy is maintained.


VPN Connections

For organizations with an existing VPN infrastructure, user VPN connections can be tunneled through the µGateway. The Management Console gives the administrators the ability to see if the user is connected to a VPN and visibility into the VPN’s session information. The µGateway detects potentially malicious activity related to the VPN connections including changes in public/local IP address of the VPN Gateway or a dropped VPN connection without action from the user.


Technical Specifications

  • Dimensions: 1.76 x 1.38 x 0.57 inches (4.48 x 3.49 x 1.45 cm)

  • Type of Device: Plug-and-Play USB Ethernet Gateway

  • Power Consumption: Under 5W

  • Port Requirements: USB 3.0 / USB Type-C

  • OS Requirements: Any OS compatible with USB-OTG

  • Special Driver Requirements: None

  • Enclosure: 2 mm Plastic

  • Manufactured in: Canada/USA

  • Certified Supply Chain of Hardware components: Yes

  • Certified Chain of Custody of Software: Yes

  • Software Updates: Automatic, Over-the-air

Get Started with Byos

Order the Byos Business Starter 5-pack now.