Routing in the dark.
Traditional networks build connections by default and rely on firewalls to carve down the danger. NullNet flips this logic: no network exists in advance. When a request is detected, a temporary network is created on demand based on strict policy guidelines. The attack surface is limited to a single, temporary connection that disappears in milliseconds when it is no longer needed or when an anomaly is detected.
A private network for every client.
Every client request spins up its own isolated network, on demand. The instant one behaves anomalously, that network — and only that one — is torn down. Everyone else keeps running, untouched.
Build first, secure later.
In a traditional network everything is wired together on day one. The attack surface starts as the entire network and shrinks only as far as your firewall rules manage to carve it down.
Every host that can reach another host is a path an attacker can reach too. Breach one node and the whole internal mesh is laid out in front of you. Always on, always routable.
No network exists.
There is no standing internal network waiting to be mapped. A path is created at the exact moment a service genuinely needs to communicate, then torn down the instant it doesn't.
No pre-built network
There is no standing internal network sitting idle, waiting to be attacked. Breach a node and you land in an unroutable void.
Just-in-time creation
A connection is built only at the exact moment a service genuinely needs to communicate. Never speculatively, never "just in case."
Immediate teardown
The path is destroyed the moment the conversation ends. The attack surface exists for milliseconds, then vanishes completely.
Three components. One ephemeral plane.
A central brain that holds the blueprint, an agent on every machine, and an edge that meets the outside world. The control path and the data path never share a wire.
The brain
Sees the whole picture. Holds the configurable topology of allowed services and decides, request by request, when a connection is permitted to exist.
The agent
Runs on each machine. Announces the active local services and pauses outbound requests so it can ask the server to build a path first.
The front door
The ingress edge for external traffic. Requests arrive here seeking a named service, and the proxy hands them to the plane to be routed.
Control plane
The server walks the whole chain a request will travel and sends setup commands. It never sits inline with your traffic.
Data plane
Private, dedicated tunnels run directly between the two communicating machines and bypass the server entirely.
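The control-plane behaviour described above, modelled as an added Python example; it is not NullNet's code or API. All names (`BLUEPRINT`, `ControlPlane`, the service names) are hypothetical, and reading "the whole chain" as a walk over allowed service-to-service edges is an assumption.

```python
import itertools

# Hypothetical blueprint: which service may call which (constructed sample).
BLUEPRINT = {"proxy": {"web"}, "web": {"api"}, "api": {"db"}}

class ControlPlane:
    """Toy model of the server: holds policy, never carries traffic."""
    def __init__(self, blueprint):
        self.blueprint = blueprint
        self.tunnels = {}              # tunnel id -> (src, dst); empty by default
        self._ids = itertools.count(1)

    def chain(self, src, dst):
        """Walk allowed edges from src to dst; None if policy has no route."""
        stack, seen = [(src, [src])], {src}
        while stack:
            node, path = stack.pop()
            if node == dst:
                return path
            for nxt in sorted(self.blueprint.get(node, ())):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append((nxt, path + [nxt]))
        return None

    def request_path(self, src, dst):
        """An agent paused an outbound request and asks for a path."""
        path = self.chain(src, dst)
        if path is None:
            return []                  # default deny: nothing is built
        ids = []
        for a, b in zip(path, path[1:]):
            tid = next(self._ids)
            self.tunnels[tid] = (a, b)  # stands in for a setup command per hop
            ids.append(tid)
        return ids

    def teardown(self, ids):
        """Conversation ended or anomaly flagged: remove only these tunnels."""
        for tid in ids:
            self.tunnels.pop(tid, None)

    def reachable(self, host):
        """What a process on `host` can route to right now."""
        return sorted(dst for src, dst in self.tunnels.values() if src == host)
```

Before any request, `reachable()` is empty for every host; tearing down one request's tunnels leaves the tunnels of other requests in place.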
Traditional networks vs. NullNet
Blueprints, not roads.
A static routing table paves the roads permanently, even when they're empty. NullNet keeps only the blueprint; the roads are paved milliseconds before data flows and destroyed immediately after.
There is no broad internal network to map. An attacker who compromises a machine finds themselves in an unroutable void. The only paths that exist are narrow, temporary, and dedicated exclusively to legitimate traffic.
Inspect every byte of the plane.
NullNet-ai / nullnet
The full ephemeral-networking stack of server, client, and proxy is open source. Run it, read it, break it, and build a network that simply isn't there when it doesn't need to be.
Make the network disappear.
Stop carving down an always-on attack surface. Start with one that never exists in the first place. NullNet is open source and ready to run.