Horizon Zero-Trust
Horizon exposes individual services on field-deployed devices to the public internet, with zero-trust policies, IP and geography controls, and a full audit trail on every request. No VPN client, no open ports, no firewall rules to maintain.
No client software
External operators, contractors, and vendors reach your device services via standard HTTPS. Nothing to install, no keys to distribute, no onboarding call required.
No exposed network
Each service endpoint gets its own unguessable address. The rest of the device, the factory network, and every other deployment stay invisible to the outside world.
No firewall tickets
Policies, IP rules, and expiring routes are configured in a web console. IT teams stop being the bottleneck for every new vendor integration.
Access policy
Every exposed service is one of three things: public, project members only, or an explicit allow list of named users. Change the posture without redeploying anything.
IP controls
Scope a circuit to a partner's office CIDR, deny a noisy ASN, or combine the two. Global rules apply to every circuit, per-circuit rules override them.
Geolocation
Drop traffic from countries you do not operate in. Set it once globally, or per-circuit when a service has a known reach.
Scanner defence
Known scanner user-agents and malicious crawlers are rejected before they reach your device. The pattern database is maintained centrally and updated automatically.
Sessions
Authenticated sessions use HMAC-SHA256 signed cookies, scoped to the circuit a user is accessing. A session for one service never carries over to another.
Route expiry
Set an expiry date when you create a circuit. A commissioning link for a contractor, a one-off demo, a temporary vendor loop: all removed automatically when the date passes.
Access levels
Three access policies cover the full range of field-device scenarios, from a public status page to a restricted vendor endpoint. Policies are per-circuit, so a single device can host services with very different reach.
Open to anyone on the internet, subject to IP, geography, and scanner rules. Useful for status pages, marketing dashboards, or documentation.
Anyone authenticated against the project can reach the service. Good for internal tools and shared operator consoles without a per-user allow list.
Only named users can reach the circuit. Combined with IP and route-expiry rules, this is the safest posture for vendor integrations and temporary access.
Observability
Every request that reaches a circuit is captured: source IP, country, path, status, outcome, and latency. The dashboard surfaces traffic by geography, filters by user or action, and lets you answer who-did-what questions without piping logs to a separate tool.
Source IP, country, path, HTTP status, and whether the request was allowed or blocked. Every outcome is a searchable row.
Geographic maps and time-series charts. See which countries are hitting which services, and spot a scan pattern before it becomes an incident.
A durable record of who reached what, when, from where. The data you need when a customer or auditor asks for evidence.
Control panel
Horizon ships with a web console for day-to-day operations. Create circuits, change access policies, manage IP rules, and set expiry dates without filing an infrastructure ticket. Routes are alive and monitored as soon as they are saved.
Create, rename, configure, and retire circuits in one place. Every change is attributed, every rule is reversible.
Heartbeat checks on every tunnel. Drops and latency spikes surface as alerts before a customer notices.
TLS termination is handled at the ingress with modern cipher suites. You bring the certificate, Horizon presents it securely.
Full datasheet for Horizon Zero-Trust. Public ingress for services on field-deployed devices.
| Specification | Detail |
|---|---|
| Public ingress | {guid}.horizon.mutexer.com |
| Protocol | HTTP, HTTPS |
| TLS termination | Modern cipher suites |
| Access policies | Public, project members, restricted users |
| IP filtering | Allow and block lists, CIDR notation |
| Geoblocking | Country-level allow and block |
| Scanner filtering | User-agent and pattern-based |
| Sessions | HMAC-SHA256 signed cookies, per circuit |
| Audit logging | Every request, with country and outcome |
| Analytics | Geographic, per-user, per-action, date range |
| Route expiry | Per circuit, fixed expiry date |
| External client | None required, standard HTTPS |
| Device runtime | mutexer agent |
| Supported devices | Any Linux-capable (x86, ARM) |
Expose a service in minutes, with access policies and an audit trail from the first request. Included with every mutexer project.