Zero Trust AI for Real Production

Open Source + Self-Hosted + Air-Gapped + Audit Trails + No Install + No Inbound Ports + Human Approval = No Regrets

Drop a single binary. No ports, no dependencies, no phone-home. The AI thinks out loud. You pull the trigger.

No Internet Required: Vendored Deps. No Phone-Home. No Inbound Ports
TLS 1.3 + mTLS: In-Flight & At Rest. Credentials Never Touch Disk
Every Action Requires Human Approval
Encrypted Audit Trail: Git-Backed. On-Host. Independent of the Platform
Passkey-Only: No Passwords Stored Anywhere
DropOps Operator
$ ./dropops-operator -k op1_api_key
Device registered. Waiting for authorization...
Authorized. Starting operator...
Sentinel bidirectional security active
Local-First Audit Architecture enabled
Standing by for approved requests from DropOps agent.
Open Source: DropOps is now public on GitHub. Self-host in three commands. BUSL-1.1 — free for personal use and internal non-commercial self-hosting.
github.com/dropops-ai/dropops
How It Works

From message to execution — with you in control

Every command flows through a secure, human-gated pipeline. The AI reasons and proposes; you approve; the Operator executes on your infrastructure.

1. You send a message

Natural language or use /run <command> to bypass AI entirely and execute directly.

2. Primary AI proposes a command

The reasoning model interprets your intent and produces a candidate command to run on your infrastructure.

3. SLM Ensemble votes

An ensemble of models votes on the validity of the proposed command. You see the votes in real time — only a verified command moves forward.

4. You approve or deny

Every state-changing operation requires your explicit approval. No autonomous execution. AI proposes — you decide.

5. Sentinel pre-execution check

58 MITRE ATT&CK-mapped threat detectors analyze the command before it runs. Dangerous patterns are blocked even if the AI was manipulated by prompt injection.

6. Operator executes

The Operator runs the approved command on your infrastructure. Raw output is captured locally and never leaves your machine unscreened.

7. Sentinel scrubs the output

Raw output stored locally. Sentinel scrubs credentials, tokens, and PII — replacing them with placeholders like [AWS_KEY], [JWT], [PII] — before any data reaches the AI.

8. AI analyzes & responds

The AI reasons about scrubbed output, plans next steps, and presents results. Full audit trail retained locally via LFAA.

Advisory Mode — No Operator bound? The AI works without one: web search, documentation lookup, and best-practices guidance.
Iterative — After step 6, the AI plans the next action and the loop continues until the investigation is resolved.
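
Steps 4 and 5 as a deny-by-default gate, in an added Go example that is not DropOps's own code. The three detectors, their regular expressions, and the `Gate` and `Decision` names are assumptions chosen for illustration; the ATT&CK technique IDs are real.

```go
package main

import (
	"fmt"
	"regexp"
)

// detector ties a command pattern to the ATT&CK technique it signals.
type detector struct {
	technique string
	re        *regexp.Regexp
}

// Illustrative detectors only (assumptions, not DropOps's Sentinel rules).
var detectors = []detector{
	{"T1485", regexp.MustCompile(`\brm\s+-[A-Za-z]*[rR][A-Za-z]*\s+/(\s|\*|$)`)}, // recursive delete of /
	{"T1070.003", regexp.MustCompile(`\bhistory\s+-c\b`)},                        // clear shell history
	{"T1548.001", regexp.MustCompile(`\bchmod\s+(u\+s|[4-7][0-7]{3})\b`)},        // set the setuid bit
}

// Decision is the outcome of the gate for one proposed command.
type Decision struct {
	Execute   bool
	Reason    string
	Technique string // set only when a detector fired
}

// Gate denies by default: a command runs only if a human approved it AND no
// detector matched. The check never consults the model that proposed the command.
func Gate(cmd string, humanApproved bool) Decision {
	if !humanApproved {
		return Decision{Reason: "no human approval"}
	}
	for _, d := range detectors {
		if d.re.MatchString(cmd) {
			return Decision{Reason: "blocked by pre-execution check", Technique: d.technique}
		}
	}
	return Decision{Execute: true, Reason: "approved and clean"}
}

func main() {
	// Constructed proposals, as if produced by the model and approved by the user.
	for _, c := range []string{"systemctl status nginx", "rm -rf /tmp/build", "rm -rf /", "history -c"} {
		fmt.Printf("%-26q -> %+v\n", c, Gate(c, true))
	}
	fmt.Printf("%+v\n", Gate("systemctl restart nginx", false))
}
```

Because the detectors run on the command text itself, an approved command is still stopped when it matches, which is the property the page relies on for prompt-injected proposals.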
Self-Hosted

Three commands. Your infrastructure. No cloud.

Docker and docker compose are the only prerequisites. The platform builds itself, generates its own TLS certificates, and walks you through LLM provider selection on first run.

Quick Start
# Clone and enter the repo
$ git clone https://github.com/dropops-ai/dropops.git && cd dropops
# Configure LLM provider + compile Operator binary
$ ./dropops platform setup
? Select LLM provider: ollama / openai / gemini / azure / vllm / custom
# Build containers + start platform
$ ./dropops platform rebuild
TLS certificates generated
Platform running at https://localhost
Open browser and register your passkey

Any LLM — local or cloud

Ollama, vLLM, OpenAI, Azure OpenAI, Google Gemini, or any OpenAI-compatible endpoint. Swap providers by editing one environment variable — no code changes.

Single binary platform store

The same Operator binary runs in --listen mode as the platform's own persistence layer — SQLite document store, KV store with TTL, and WebSocket pub/sub broker. No Redis. No Postgres. No external message broker.

Optional: Web Search

Enable the search_web AI tool for documentation and best-practices lookups during investigations. Powered by Vertex AI Search — one API key, opt-in only.

Full CLI management

./dropops platform rebuild, ./dropops operator drop, ./dropops security certs, ./dropops test — everything managed through a single entry point.

Security Architecture

Built paranoid. Stays paranoid.

Every other AI ops tool asks you to trust it with your infrastructure. DropOps assumes it shouldn't be trusted — and builds the controls accordingly.

Human Intent Is the Security Layer

Nothing executes without a human explicitly saying so. That's not a policy or a setting — it's the architecture. An outsider cannot drive the Operator because there is no path to execution that bypasses human approval. Intent is the gate.

Fully Self-Contained

The Operator is a compiled Go binary — drop it on any Linux system and run it. No install, no runtime, no dependencies. It uses port 443 outbound only, so it works behind almost any existing firewall without new rules. No root required — it runs as the user who launched it, nothing more.

Your Data Stays in Your Infrastructure

The platform stores data on your Docker host. The Operator keeps an encrypted audit trail on every system it touches. Two independent records, both entirely within your own infrastructure.

The AI Asks. You Decide.

The primary model proposes a command. A committee of specialized models votes on its validity. A dedicated verifier makes the final call. Only then do you see it — and nothing runs until you approve. Three layers of AI scrutiny before a single human decision.

Sentinel: Two-Way Firewall

58 MITRE ATT&CK-mapped detectors block bad commands going in — reverse shells, privilege escalation, data destruction. 27 scrubbers strip credentials, tokens, and PII coming out. The AI never sees your secrets. Even if it tries.
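
The outbound half (step 7 of the pipeline and the scrubbers described here) as an added Go example that is not DropOps's own code. The four patterns, the `Scrub` function and the sample output are assumptions constructed for illustration; only the placeholder names come from the page.

```go
package main

import (
	"fmt"
	"regexp"
)

// scrubber pairs a pattern with the placeholder that replaces each match.
type scrubber struct {
	placeholder string
	re          *regexp.Regexp
}

// Illustrative patterns only (assumptions, not DropOps's Sentinel rules).
// Specific token formats run before the generic PII patterns.
var scrubbers = []scrubber{
	{"[AWS_KEY]", regexp.MustCompile(`\b(?:AKIA|ASIA)[0-9A-Z]{16}\b`)},
	{"[JWT]", regexp.MustCompile(`\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)},
	{"[PII]", regexp.MustCompile(`\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b`)}, // e-mail
	{"[PII]", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},                              // SSN shape
}

// Scrub returns the redacted text plus a hit count per placeholder, so the
// audit record can state what was removed without storing the values.
func Scrub(raw string) (string, map[string]int) {
	hits := map[string]int{}
	out := raw
	for _, s := range scrubbers {
		out = s.re.ReplaceAllStringFunc(out, func(string) string {
			hits[s.placeholder]++
			return s.placeholder
		})
	}
	return out, hits
}

// Constructed sample output; every secret below is fake.
const sampleOutput = `host db01.internal 10.0.4.17 /etc/app/config.yml
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl
contact: jane.doe@example.com ssn 000-12-3456`

func main() {
	clean, hits := Scrub(sampleOutput)
	fmt.Println(clean)
	fmt.Println(hits)
}
```

The hostname, IP address and file path on the first sample line pass through unchanged, matching the page's statement that operational data is intentionally preserved.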

Crypto All the Way Down

Three independent auth layers on every Operator: API key, pinned CA certificate, per-operator mTLS client cert. AES-256-GCM at rest. TLS 1.3 only in transit. Git-backed audit ledger with cryptographic commit hashes. If verification fails, the binary kills itself — exit code 7, no retry.

Compliance & Regulatory

Built for regulated environments

7 out of 7 pillars: EXCEEDS. NSA Zero Trust Implementation Guidelines — Discovery Phase, Phase One, and Phase Two ZIG (January 2026). Self-evaluated; not independently audited.

Government & Defense

Designed for federal environments with Zero Trust alignment to NSA ZIG. Veteran-owned small business (VOSB) eligible for set-aside contracts and GSA Schedule consideration.

  • NSA ZIG Phase 1 & 2 alignment
  • MITRE ATT&CK mapped detectors
  • FedRAMP architecture aligned
  • CMMC architecture aligned
  • Air-gapped deployment supported
  • Complete data residency on your infrastructure

Healthcare (HIPAA)

PHI remains entirely on your infrastructure through Local-First Audit Architecture. Raw command output never leaves the Operator. Business Associate Agreement available.

  • PHI detection & scrubbing (SSN, credit cards, emails, phone numbers)
  • Local-First data retention — no external transmission
  • AES-256-GCM encryption at rest (HKDF-SHA256 key derivation)
  • Tamper-evident audit trails with cryptographic commit hashes
  • BAA available

Enterprise

Deploy across thousands of devices with a single Device Link token. Integrate with existing SIEM, PAM, and identity infrastructure. Multi-operator binding for cross-system operations.

  • Device Link deployment (up to 10,000 devices)
  • SIEM integration (JSON/CSV/SSE)
  • Industry-aligned DLP patterns
  • mTLS with private CA
  • Team management & shared Operators
  • Advisory mode for guidance without Operator binding

NSA Zero Trust Implementation Guidelines Alignment

ZIG Pillar | Status | DropOps Implementation
1. User | EXCEEDS | Passkey-only authentication (FIDO2/WebAuthn) — no passwords exist anywhere in the platform. The private key never leaves the user's device; only the public key is stored server-side. No password database to breach, no credential stuffing, no phishing surface. Authentication is local-only: the platform generates a cryptographic challenge, the device signs it, the signature is verified — entirely self-contained with zero dependency on any external identity provider. Human-in-the-loop enforced for every operation, JIT access with 1-hour TTL, session context binding detects anomalous shifts.
2. Device | EXCEEDS | On first authentication, a unique device fingerprint is generated from machine ID, CPU, hostname, and OS — permanently bound to that Operator slot. Every subsequent command request and result is authenticated using the Operator's API key, which exists only in process memory and is gone the moment the process dies. Every connection uses mTLS with platform CA certificate pinned in the binary at compile time — the Operator refuses connections from anything not signed by that exact CA. Device Link provisioning: single-use for one-off deploys or multi-use (up to 10,000) for mass rollouts, each token time-bounded and consumed on first use. CRL-based certificate revocation, deny-by-default.
3. Application & Workload | EXCEEDS | Fully open source (BSL-1.1) — the entire platform runs in Docker with no external dependencies; source is auditable by anyone. The Operator is a plain OS process: no installer, no service registration, no residual footprint. Kill the PID and it's gone — credentials, certs, and keys were only ever in memory. Sentinel pre-execution threat detection (58 MITRE ATT&CK-mapped patterns) blocks dangerous workloads before any process is spawned. Zero standing privileges — the workload starts with nothing and cannot grant itself more.
4. Data | EXCEEDS | Sentinel operates at both ends of every command: pre-execution blocks 58 MITRE ATT&CK-mapped threat patterns before a process is spawned; post-execution applies 27 scrubbing patterns to strip credentials, tokens, PII, and connection strings before any data reaches the AI — the platform never sees your raw output. LFAA (Local-First Audit Architecture) stores three independent vaults on the Operator host: a Raw Vault (unmodified output, never transmitted), a Scrubbed Vault (Sentinel-processed, AI-readable on demand), and an encrypted Audit Vault (append-only session timeline of every message, command, and file mutation — AES-256-GCM). A separate audit trail exists server-side in the platform console covering authentication events, session lifecycle, and operator activity. The two records cross-validate each other. Operational data (IPs, hostnames, file paths) is intentionally preserved — scrubbing it would make the AI useless for actual troubleshooting.
5. Network & Environment | EXCEEDS | Zero inbound connectivity on Operators, outbound TLS 1.3 only, mTLS with private CA, network segmentation via docker-compose internal networks, fully self-hosted with zero external dependencies, air-gap capable — no internet required at runtime.
6. Automation & Orchestration | EXCEEDS | Fully autonomous AI execution is architecturally impossible — human approval is enforced at the platform level, not a policy toggle. The AI cannot dispatch a single state-changing command without explicit user consent. Zero Standing Privileges, 48 intent-scoped policies, 1-hour TTL, Sentinel automated threat blocking. Orchestration is human-driven by design, not by configuration.
7. Visibility & Analytics | EXCEEDS | Two independent, cross-validating audit records: platform-side console (authentication events, session lifecycle, operator registrations, binding events) and on-host LFAA (every command executed, every file mutated, every user and AI message — encrypted, append-only, survives platform outages). Full session history is accessible directly from the Operator via the UI audit page — no cloud dependency required. MITRE ATT&CK technique IDs on all Sentinel threat signals, 58 pre-execution + 27 post-execution detectors, SIEM-ready exports (JSON/CSV/SSE), real-time streaming.

Open source. Self-hosted. Zero cloud.

Clone the repo, run three commands, and you're live. Fully air-gapped. No external dependencies. Full human control from day one.