The Common Operational Data Layer. Quantum-ready. Zero trust.
Catalyst is the CODL — the foundational data layer of CODA™. Contested environments have connectivity, but the network itself is hostile. Adversaries reroute traffic, hijack BGP, issue fraudulent certificates, and record encrypted data for future quantum decryption. Catalyst delivers zero trust when you cannot trust the network.
The Operating Reality
The Russia-Ukraine conflict proved that internet access survives sustained military operations — but the network becomes a weapon. These threats compound when coalition partners share data across contested infrastructure.
Traffic Rerouting
After occupying Kherson, Russian forces rerouted local internet through Rostelecom for passive surveillance of all unencrypted traffic.
BGP Hijacking
Rostelecom conducted BGP hijacks affecting thousands of routes, silently redirecting traffic through Russian infrastructure without detection.
Fraudulent Certificates
Russia created its own TLS Certificate Authority, enabling machine-in-the-middle interception of HTTPS traffic across occupied regions.
Satellite Destruction
Russian GRU operators wiped Viasat KA-SAT modems across Europe on invasion day, disabling satellite communications for Ukrainian military units.
Deep Packet Inspection
Myanmar's military deployed Chinese-manufactured DPI equipment at ISP peering points for real-time interception of all traffic.
Harvest Now, Decrypt Later
Adversaries record today's encrypted traffic for future quantum decryption. In contested environments where traffic is already intercepted, this is the expected operating model.
How Catalyst Solves This
The Common Operational Data Layer — a decentralized service mesh that connects organizations into a unified data-sharing fabric — without centralized infrastructure, without trusting the network, and with protection against both current and quantum-era threats.
Post-Quantum Encryption on Every Link
Every byte travels inside a QUIC tunnel whose key exchange uses X25519MLKEM768, a hybrid that combines classical X25519 with post-quantum ML-KEM-768. It is always present, not optional. Applications that add mTLS get a second, independent encryption layer with different CAs and key material.
Zero Trust Without a Center
Each node generates its own Root CA on first boot. Trust is established through out-of-band certificate exchange — no central CA server needed. Certificate-bound tokens (RFC 8705), SPIFFE identity on every service, and 1-hour certificate lifetimes eliminate the need for revocation infrastructure.
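The certificate-bound token check described above, sketched as an added example (not Catalyst's own code): a verifier accepts a token only if its RFC 8705 `cnf` / `x5t#S256` thumbprint matches the certificate the peer actually presented, and only if that certificate respects the 1-hour lifetime. The function names, the sample SPIFFE ID and the byte strings standing in for DER certificates are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

MAX_CERT_LIFETIME_S = 3600  # the 1-hour certificate lifetime stated above


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: unpadded base64url of SHA-256 over the DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_bound_token(claims, peer_cert_der, not_before, not_after, now):
    """Return (accepted, reason) for a token presented over a mutually
    authenticated connection. Hypothetical helper: not_before/not_after are
    assumed to come from the already chain-validated peer certificate."""
    bound = (claims.get("cnf") or {}).get("x5t#S256")
    if not isinstance(bound, str):
        return False, "token carries no certificate binding"
    actual = x5t_s256(peer_cert_der)
    # Constant-time comparison of the claimed and computed thumbprints.
    if not hmac.compare_digest(bound.encode(), actual.encode()):
        return False, "token is bound to a different certificate"
    if not (not_before <= now < not_after):
        return False, "certificate outside its validity window"
    if not_after - not_before > MAX_CERT_LIFETIME_S:
        return False, "certificate lifetime exceeds the 1-hour policy"
    if now >= claims.get("exp", 0):
        return False, "token expired"
    return True, "ok"


# Constructed sample data: stand-in byte strings, not real certificates.
CERT_A = b"constructed-DER-bytes-for-service-A"
CERT_B = b"constructed-DER-bytes-for-service-B"
T0 = 1_700_000_000
TOKEN = {"sub": "spiffe://example.org/service-a", "exp": T0 + 1800,
         "cnf": {"x5t#S256": x5t_s256(CERT_A)}}

if __name__ == "__main__":
    print(check_bound_token(TOKEN, CERT_A, T0, T0 + 3600, T0 + 60))   # legitimate holder
    print(check_bound_token(TOKEN, CERT_B, T0, T0 + 3600, T0 + 60))   # token replayed over another cert
    print(check_bound_token(TOKEN, CERT_A, T0, T0 + 86400, T0 + 60))  # long-lived cert
```

A token copied off the wire is rejected unless the presenter also holds the private key of the bound certificate, and the short lifetime bounds how long a stolen key stays usable.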
BGP-Style Routing
Modeled after the protocol that routes the internet, Catalyst nodes discover each other through direct peering. Routes propagate organically. When connectivity is lost, each node continues operating with its last-known state.
Multi-Party Coordination by Design
When two organizations decide to share data, they exchange Root CA certificates out of band and mint tokens defining access. No shared infrastructure, no common identity provider, no VPN tunnel to a joint operations center. Each organization maintains full sovereignty.
Compliance Posture
Catalyst satisfies two converging compliance mandates — post-quantum cryptography and zero trust — in a single deployment.
Post-Quantum Key Exchange
FIPS 203 (ML-KEM) — deployed and confirmed working in Envoy 1.33+ with BoringSSL's ML-KEM implementation. Not a roadmap item.
Zero Trust Architecture
Aligned with DoD Zero Trust Strategy, NIST SP 800-207, and CISA ZTMM v2.0. Designed for DDIL environments where centralized models like DISA Thunderdome fail.
CNSA 2.0 Timeline
On track for the NSA mandate requiring post-quantum algorithms in all National Security Systems by 2030. PQ certificate signatures (ML-DSA) architecture-ready.
DDIL Operations
Native support for denied, disrupted, intermittent, and limited connectivity environments. Aligned with Army T-ICAM requirements for zero trust at the tactical edge.
Deployment Model
Catalyst's default deployment runs on Orbis-managed commercial cloud infrastructure — but its decentralized architecture means it can run on any infrastructure your mission requires.
Default: Managed Commercial Cloud
Out-of-the-box, Catalyst runs on Orbis-managed commercial cloud infrastructure — providing global reach, DDoS resilience, and zero-trust network controls with no client infrastructure required to get started.
On-Premises Deployment
Catalyst nodes can be deployed on client-managed hardware — bare metal, VM, or container — in any facility. No dependency on external services once deployed. Fully air-gappable for classified and sensitive compartmented environments.
Sovereign & Private Cloud
Deploy on AWS GovCloud, Azure Government, C2S, or any sovereign cloud of choice. Catalyst has no hard dependency on a specific cloud provider — it runs wherever Envoy and Linux run.
Tactical Edge & DDIL
Catalyst nodes operate autonomously without persistent connectivity — designed for denied, disrupted, intermittent, and limited (DDIL) environments at the tactical edge where centralized architectures fail.
Post-quantum. Zero trust. Decentralized. Deployed today.
For organizations that operate where the network is hostile, the infrastructure is unreliable, and the adversary is already listening.