Secbez Docs

Self-hosted Deployment

Self-hosted and air-gapped deployment modes for Secbez Enterprise.

Secbez Enterprise ships in two deployment shapes. Both run inside your infrastructure; the difference is what crosses your network boundary.

Self-hosted (Secbez-routed models)

The default Enterprise mode. The full Secbez stack — control plane, scan workers, graph engine, dashboard, storage — runs inside your VPC or data center. Reasoning calls are routed through Secbez's managed model providers under our enterprise data-retention agreements, so your team doesn't have to procure or operate model capacity.

  • Code stays in your infrastructure. It's read by the workers and parsed locally.
  • Reasoning calls go to Secbez-managed model endpoints. Inputs are redacted (secrets are masked before any AI call) and the providers we use are configured for zero-retention / short-retention as part of our agreements.
  • Findings, baselines, audit, and snapshots persist inside your boundary.

This is the path for teams that want self-hosting without operating a GPU fleet.

Fully air-gapped (BYO GPUs)

For customers who can't allow any outbound model calls, Secbez supports a fully air-gapped deployment.

  • Bring your own GPUs. Reasoning runs on open-source models inside your network. As part of the engagement, we recommend models that work well with our structured contracts and validate them against the Secbez evals harness for your environment.
  • Scans are triggered locally. Use the Secbez CLI or the local-upload path from your developer workstations or CI runners. There is no GitHub.com webhook in the air-gapped path; GitHub Enterprise Server is supported if you want PR-style integration.
  • No outbound traffic at runtime. The deployment is configured to block outbound network calls.
  • Updates ship as signed image bundles delivered out-of-band. Operators pull bundles into their internal registry and apply them on their own schedule.

Air-gapped deployments are scoped per engagement — including the upgrade workflow, license posture, and validation against your specific environment.

Choosing between the two

| Scenario | Mode |
| --- | --- |
| You want self-hosting but don't want to run GPUs | Self-hosted (Secbez models) |
| Compliance requires zero outbound model calls | Fully air-gapped |
| Your code can't leave your network at all | Fully air-gapped |
| You already have a GPU fleet and want to use it | Fully air-gapped |
| You want PR-style integration with hosted GitHub | Self-hosted (Secbez models) |
| You're on GitHub Enterprise Server inside your network | Either works |

What's negotiable

Almost everything operational. Install target, image registry, secrets management, network topology, observability integration, support cadence — all of it is part of the Enterprise engagement and can be tailored to your environment.

If you have a specific install constraint (regulated network, internal CA, mirrored registry, in-house compliance framework), bring it to the conversation. The default answer is yes, with details scoped together.

Getting started

Contact your account team to start a deployment engagement. We'll scope the deployment shape (self-hosted vs. air-gapped), confirm the model approach, and produce the bundle and onboarding plan with your operations team.
