Our default posture: agents run in your Azure subscription, tailnet-segmented, with zero retention of client data at VCG. Here's how it works.
Agents deploy into the client's Azure tenant. VCG has operator access during the engagement. Access can be revoked at any time without disrupting the agent.
Agents talk to client infrastructure over tailnet-isolated networks. No shared runtime with other clients. Compromise surface is one-agent-at-a-time, not fleet-wide.
VCG runtime infrastructure holds zero persistent client data. Logs are client-side. Memory is client-side. We see what we need to see, when we need to see it — nothing sticks.
Each agent has a named identity in the client tenant. Every action is attributable.
API keys and credentials live in the client's Key Vault. VCG never mirrors them.
All agent action logs are written to the client's log sink. VCG keeps no copy.
When the engagement ends, VCG access is revoked. The agent keeps running — for you.
Email Anton directly. Encrypt if you want — a PGP key is available on request. We triage within one business day.
[email protected]