Kygnos
Managed Security Infrastructure · Cloud to On-Premise

Kygnos · Advanced System Architecture

Technology Is Not A Moveable Feast

Most professional firms run a patchwork of services (a Linux server, cloud email, Windows desktops, backups on a drive someone remembers to plug in) or a cloud platform that bundles everything together and quietly shapes your decision-making. Integration is, in a manner of speaking, done with duct tape and solder, and your choices are constrained to what the bundle allows.

Kygnos believes that data is a first-order concern and therefore deserves first-order prioritisation: rather than being consumed by and relegated within a Byzantine system, data requires a dedicated, specialised system whose primary purpose is to safeguard it. Neither eclectic general-purpose systems nor SaaS were ever designed to do this. Our architecture is conceived from first principles, with the protection of data as its overriding purpose.

All of our systems are designed to be hermetic: self-contained, complete, declared, immutable IT estates — engineered from first principles, for clients who cannot afford to lose what they hold.

NIS Aligned · ISO 27001 Annex A · UK & EU Sovereign

[Illustration: draughtsman's board, a ground floor plan headed "Declared configuration" · Kygnos Limited · drg no. KYG-001 · rev 01 · scale 1:100]
“Organisations that do not focus on their technology base as core to their prosperity are no longer just naïve — they are failing to grasp the reality of today's world.”

— Dr Richard Horne, CEO · NCSC, CYBERUK Glasgow · April 2025

Taking It On Trust

The bundling together of different elements that is often seen in standard systems aggravates risk. Every element is in itself an attack surface, so the more elements you incorporate, the more attack surface you create. To this we can add that there is a certain arbitrariness in combining disparate elements — if for instance you choose a Linux server over Windows for security reasons, why then would you allow Windows workstations within the nexus?

Furthermore, incorporating different load-bearing elements in a system creates interfaces because composite parts need to be made to work together, and doing this creates interstices* which are more predisposed to vulnerability.

On top of this, disparate elements can involve disparate vendors, which also entails trusting more and more third parties with your data.

Overall, you have created a system that is variegated — complex and diverse — which by its nature is much harder to fully comprehend. In fact, wherever closed source software is employed, your system becomes by default unknowable. These kinds of setup engender complexity — harder to defend and to audit — and extraneity — impossible to defend and to audit.

* Interstices tend towards vulnerability. This is because they are essentially extemporaneous fixes rather than deliberate design — and extemporaneous fixes carry less stringency by their nature. They are frequently undocumented, have no native security posture, and are much harder to monitor. In a world of weakest links, interstices are flag waving exemplars.

Tectonic Shifts

We are actually still in the very early days of the Digital Age. The 1980s and 90s saw corporations devising in-house platforms, with huge technical overhead and so huge expense, and with varying degrees of success. The data however was generally ring-fenced.

Small wonder that as we moved into the 21st century, the cloud promised liberation. Vast swathes of technical overhead could be intermediated by a specialist third party, and companies could be liberated from running their own servers, and their own development teams. Software as a service was for many a very easy sign-off.

A Sea Change

In April of 2026, the French government issued a formal directive that sent shockwaves through the global technological community: they mandated the migration of all public services away from Microsoft and onto Linux.

This was in fact a drama that had been brewing for twenty-five years, signposted notably by the 2013 Snowden disclosures of NSA surveillance of European leaders and institutions, Chancellor Merkel's mobile phone among the targets. However, the 2018 US CLOUD Act brought things to a head. It compels any provider under US jurisdiction to produce data in its control in response to valid US legal process, wherever in the world that data is stored and whatever local law says. In June 2025, Anton Carniaux, Director of Public and Legal Affairs at Microsoft France, when asked under oath before the French Senate whether he could guarantee that French data would not be handed to US authorities, could only answer no.

Whilst France is not the first nation to have made its technology base a matter of geo-strategic importance, the significance of their action indicates a sea change. Silicon Valley Big Tech is deeply embedded worldwide, and moving away from it involves no inconsiderable risk and challenge. But far outweighing the logistics are the geopolitical and commercial stakes; the apex battlefield is now technology — notably AI, chip manufacture, systems and data sovereignty. The French here appear to be the trailblazers, although similar moves are afoot elsewhere. Germany's northernmost state, Schleswig-Holstein, has been engaged since 2024 in migrating some 30,000 government computers off Windows and Microsoft Office onto Linux and open-source equivalents — explicitly in the name of digital sovereignty and freedom from foreign technology dependencies. The state expects to save €15 million in licensing costs in 2026 alone. The City of Lyon has made similar moves, as has the Danish government in parts of its public sector.

“We can no longer accept that our data, our infrastructure and our strategic decisions depend on solutions whose rules, pricing, evolution and risks we do not control. The state can no longer simply acknowledge its dependence; it must break free.”

— David Amiel, Minister of Public Action and Accounts, France, April 2026

How Did We Get Here?

The question this all begs — and which might have puzzled an alien landing in Paris in say 2025 — is how sovereign nations and corporates came to hand over their critical data, infrastructure and strategic communications, lock, stock and barrel, to a handful of private American corporations, operating under US law, with US government access baked in by statute.

We would suggest that it is primarily a result of being in the early days of the digital revolution — these are effectively growing pains. In the early 2000s, migrating from the in-house model to third-party services seemed like the most obvious choice in the world. The overhead of local infrastructure was real, the convenience of third-party services was genuine, and the long-term implications at that point were not particularly visible. What we are witnessing now is really an epiphany: a growing recognition that the traditional goalposts of privacy and confidentiality across all sectors (government, corporate, R&D, defence, finance, healthcare, legal, professional services, infrastructure) have not moved, that vital and critical systems and data cannot be outsourced to peer-group competitors, and that, unlike thirty years ago, we have in our own hands the resources to manage these problems far more readily. Indeed, at a structural level, it is an abdication of economic autonomy for any state not to prioritise its home-grown technology sector.

Our System

We provide a wholly in-house IT solution. (Hardware costs are no longer prohibitive.)

Your data is managed on our system, with no third-party service intermediation: there is no intermediary in the data path to trust, subpoena or compromise. The Shinbashira system itself is designed for security*, and we can provide both empirical evidence and NIS validation of that.

We cover the entire gamut of your IT infrastructure and responsibilities: from server to client workstation, including local LLMs. We can also integrate mobile phones into the system. Thus we are a complete IT suite. We also manage the system. Our service is an ongoing custodianship of your IT estate — a single accountable engineer who knows your setup completely, much as a retained solicitor knows your affairs.

Your entire system is built from the ground up. It is constructed to your remit — around your workflows, organisational practices and procedures, and security requirements — which means deliberate design choices can be made with specific outcomes in view.

You are not locked in to the system. The system and your data are not enmeshed. Your data is yours and can be extracted from the system in a matter of hours.

We are a peer partner. We are not a multinational floating above sovereign law. We are bound by the same professional ethics, the same jurisdiction, the same obligations as you.

*Above kernel level.

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), enacted by Congress in March 2018 as part of that year's Consolidated Appropriations Act and signed by President Trump, compels any provider under US jurisdiction to preserve and produce data in its possession, custody or control in response to valid US legal process (a warrant, court order or subpoena), regardless of where the data is physically stored or what local law may say. A European data centre is, in itself, no protection. The provider's only statutory recourse is a motion to quash, available where the customer is not a US person and disclosure would create a material risk of violating the law of a "qualifying foreign government", meaning one that has concluded an executive agreement with the United States; the UK signed such an agreement in 2019 and it took effect in 2022. The Act was passed with bipartisan support. It effectively extended the reach of US law enforcement to every server operated by Microsoft, Google, Amazon, Apple and any other US-headquartered provider, globally (foreign-intelligence collection from the same providers rests on separate authorities, notably FISA Section 702).

[Illustration: the noble gases He, Ne, Ar, Kr and Xe stacked in a column with their electron shells (2; 2,8; 2,8,8; 2,8,18,8; 2,8,18,18,8), captioned "The noble gases · inert · stable · immutable"]

"The universe is written in the language of mathematics."

— Galileo Galilei, The Assayer, 1623

Core Immutability

Most operating systems — and by extension, collections of disparate operating systems — are in a state of constant change. Updates, patches, configuration drift, software added and removed, settings altered by users, vendors, or time. Flux is their natural condition.

Such operating systems are literally floating jetties, oscillating on the water. The parts are interconnected, but no single part is truly fixed. Anyone who has walked on a floating jetty knows that finding your feet and navigating it is rather haphazard. The same is true of a mutable operating system or a mutable ecosystem.

Our systems are immutable and stateless by design: the operating system is a read-only artefact, and the only state that survives a reboot is state that has been explicitly declared to persist. In metaphorical terms: the house is fixed, and the ornaments and furniture don't move about. This principle, controlling state absolutely, is axial to any meaningful security posture. If you think about it, it is obvious, perhaps tritely so: to defend something, one first needs to know and understand what one is defending. We can think like Sun Tzu, like Clausewitz, or like Kant; it matters not. As Kant might have said, you cannot defend something you know nothing of; and by extension, the better one knows something, the better one can defend it.

A truly static system is knowable. A mutable system is not.

Shinbashira makes several design choices, employs various best practices, and has its own logic (see our Shinbashira section), but immutability underpins the entire system. Immutability here is the product of mathematical certainty, the same certainty that allowed Mendeleev to predict elements that had not yet been discovered and that generates the Fibonacci pattern of a sunflower. NixOS, the operating system behind Shinbashira, is declarative and reproducible: every package, and the system as a whole, is the output of a pure function of its declared inputs, and each output lives under a store path named by a cryptographic hash of those inputs. Change one input and you get a new path, never a modified old one. What is declared completely can be known before it is observed.
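As an added illustration of what "declared completely" means in practice, here is a flake that declares a whole stateless workstation in the manner this section describes. This is example code, not Shinbashira's own configuration; the host name, user name, volume group, partition labels and the secrets path are assumptions.

```nix
# flake.nix: illustrative declaration of one machine (example, not Shinbashira's).
# Assumed: host "example-ws", user "alice", LVM volume group "vg0",
# partition labels "cryptlvm" and "boot", secrets kept under /persist.
{
  description = "Example declared, stateless workstation";

  # Pinned in flake.lock: the same lock file yields the same system closure
  # (the same /nix/store paths and hashes) on any build machine.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

  outputs = { self, nixpkgs }: {
    nixosConfigurations.example-ws = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        ({ config, pkgs, ... }: {
          networking.hostName = "example-ws";

          # Definition: accounts are exactly what is declared. With
          # mutableUsers = false, useradd/passwd on the live box do not
          # survive the next activation; the password hash lives in /persist.
          users.mutableUsers = false;
          users.users.alice = {
            isNormalUser = true;
            extraGroups = [ "wheel" ];
            hashedPasswordFile = "/persist/secrets/alice.hash"; # assumed path
          };

          # Encryption: one LUKS container unlocked in the initrd, carrying an
          # LVM volume group with the two persistent volumes (labels assumed).
          boot.initrd.luks.devices."cryptlvm".device =
            "/dev/disk/by-partlabel/cryptlvm";

          # Stateless root: "/" is a tmpfs discarded on every boot. Only the
          # read-only store (/nix) and an explicit /persist survive, so a file
          # an attacker drops anywhere else is gone at the next reboot.
          fileSystems."/" = {
            device = "none";
            fsType = "tmpfs";
            options = [ "defaults" "size=2G" "mode=755" ];
          };
          fileSystems."/nix" = {
            device = "/dev/vg0/nix";
            fsType = "ext4";
            neededForBoot = true;
          };
          fileSystems."/persist" = {
            device = "/dev/vg0/persist";
            fsType = "ext4";
            neededForBoot = true;
          };
          fileSystems."/boot" = {
            device = "/dev/disk/by-partlabel/boot"; # assumed: unencrypted ESP
            fsType = "vfat";
          };

          # Everything that must survive a reboot is named here; anything
          # not named is, by construction, not state.
          services.openssh.enable = true;
          services.openssh.settings.PasswordAuthentication = false;
          services.openssh.hostKeys = [{
            path = "/persist/ssh/ssh_host_ed25519_key";
            type = "ed25519";
          }];
          environment.etc."machine-id".source = "/persist/etc/machine-id";

          # Continuity: the bootloader keeps the last ten generations; any of
          # them can be selected at boot, which is the rollback path.
          boot.loader.systemd-boot.enable = true;
          boot.loader.systemd-boot.configurationLimit = 10;
          boot.loader.efi.canTouchEfiVariables = true;

          # Only root may talk to the Nix daemon, so unprivileged users cannot
          # build or add store paths outside this declaration.
          nix.settings.allowed-users = [ "root" ];
          nix.settings.trusted-users = [ "root" ];

          system.stateVersion = "24.05";
        })
      ];
    };
  };
}
```

With this file and its flake.lock in place, `nixos-rebuild switch --flake .#example-ws` builds the closure and makes it the current generation; `nixos-rebuild list-generations` shows what the bootloader retains, and `nixos-rebuild switch --rollback`, or simply picking an earlier entry in the boot menu, returns to any of them. Three caveats a practitioner will want stated: anything a service writes outside /persist vanishes at the next boot, so state you need (host keys, a database) must be declared to live there; bit-for-bit reproducibility holds for most nixpkgs packages but not yet all of them, whereas the guarantee that the store path names the exact inputs always holds; and the ESP is unencrypted, so integrity of the boot chain itself is a Secure Boot and TPM matter that this file does not address.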

“The global cybercrime industry currently costs an estimated $10.5 trillion annually (2025). It is projected to reach $12.2 trillion by 2031 — growing faster than any legitimate economy on earth.”

— Cybersecurity Ventures · Official Cybercrime Report 2025

To put this in perspective: at its current scale, cybercrime would rank as the world's third largest economy — behind only the United States and China. Ahead of Germany. Ahead of Japan. Ahead of every other nation on earth. Perhaps the most unsettling detail is that no business is immune. Hacking is in large part automated, and it is a scatter gun. Any target is a good target.

This reality is evident in the national statistics. In the UK alone, 43% of businesses experienced a cyber breach or attack in the last year. Among medium businesses the figure is 67%, and among large businesses, the firms most likely to hold valuable client data, it is 74%. Of those who identified a breach, roughly half went on to become victims of actual cyber crime.

Source: UK Cyber Security Breaches Survey 2025, DSIT / Home Office

The picture across Europe is no different.

"SMEs and mid-sized businesses remain the most targeted organisations, representing 34% of all ransomware attacks observed — precisely because they hold valuable data and lack the defences of larger enterprises."

ANSSI · Cyber Threat Overview 2024 · France

To this already daunting landscape, we must add the AI factor. Since 2024, AI has transformed the economics of cybercrime. AI-assisted attacks have increased by 72%, and phishing has surged 1,265% through the use of generative tools. Over 80% of phishing emails now deploy some form of AI — up 53.5% on the previous year. Deepfake incidents increased 680% year on year. What once required expert knowledge is now automated. What once took days now executes in minutes. What once targeted random victims is now personalised at scale. By late 2025, AI-generated phishing had become the top enterprise email threat — surpassing ransomware, insider risk, and traditional social engineering combined.

AI is completely redefining this landscape, by orders of magnitude.

To give you an idea of the extent of the peril, this page carries two live counters that run from the moment you started browsing:

Systems compromised worldwide (live): about 30,000 per day · Cybersecurity Ventures

Cyberattacks worldwide (live): about one every 39 seconds · a University of Maryland (Clark School, 2007) figure, widely repeated since

Sounding the alarm should not be confused with alarmism. The dangers are absolutely existential and pervasive, for all businesses. Here is a breakdown of the risks any business now runs.

The bill, item by item:

  • Direct remediation & forensics
  • Legal liability
  • Reputational damage
  • Operational disruption
  • Corporate damage
  • Regulatory penalty

Together these make up the total damages.

Security negligence can be punished without any breach ever occurring.

NIS legislation gives competent authorities (the ICO for digital service providers, sector regulators for operators of essential services) the power to demand information, conduct inspections and impose fines entirely independently of any breach. Think of it as the food standards inspector: they do not wait for a customer to fall ill before visiting the kitchen. They can arrive, audit your security posture, and fine you for what they find. Failure to demonstrate adequate, proportionate security measures can result in fines of up to £17 million in the UK. Under EU NIS2 the ceiling is €10 million or 2% of global annual turnover, whichever is higher, for essential entities, and €7 million or 1.4% for important entities. — ICO · NIS Regulations 2018 · EU NIS2 Directive

Shinbashira 心柱

One Central Pillar, Many Dependencies


Most security is a posteriori, initiated by symptoms. When problems are diagnosed, solutions are sought. They can be remedial — of the type 'take more walks, eat less fried food' — so: patch your systems, update your firewall. Or palliative — of the type 'take these pills regularly' — so: buy another monitoring tool, generate a compliance report at year-end.

Just as the doctor rarely advises or oversees fundamental change (moving location, changing profession, terminating a relationship, completely recalibrating your diet), the underlying security issues are not properly addressed. Instead of holistic repair, you tend to get a fix, a one-time patch.

Our platform, Shinbashira, is an entire infrastructure built from the ground up — prophylactic by design, addressing structural and operational weak points before they become vulnerabilities.

I. Isolation 隔離 · Kakuri

Sandboxed services, ephemeral processes, systemd hardening. A compromise in one service is contained by its sandbox rather than by procedure: the boundaries are architectural, not procedural.

II. Identification 完正 · Kansei

Cryptographic certainty. Package hashes, hardware binding, reproducible builds. We prove the system is exactly what it claims to be.

III. Encryption 秘密 · Himitsu

Full disk encryption, TLS everywhere, encrypted secrets at rest. Physical access to a powered-off machine yields nothing; the encryption protects data at rest, not a machine that is running and unlocked.

IV. Definition 形 · Katachi

The system is exactly what is declared. No drift. No hidden state. Changes that are not declared in code cannot be made to stick.

V. Precision ポカヨケ · Poka-yoke

Correctness enforced at build time. A configuration that breaks a declared security invariant fails to build, so it never reaches a machine; that is structurally stronger than a policy that merely discourages it. Security is logic, not documentation.

VI. Continuity 不死滅 · Fushimetsu

Atomic upgrades. Instant rollbacks. The system profile switches as a whole, so an upgrade is either applied or it is not; there is no half-applied state, and a previous known-good generation is always one reboot away.

VII. Audit 明確 · Meikaku

Complete change history, software bills of materials, signed logs. Every security property is demonstrable to a regulator, insurer, or opposing counsel.

VIII. Culture 生き甲斐 · Ikigai

Culture is powerful when it is experienced as pleasurable and meaningful. If our systems are experienced positively, good security habits become a natural state of affairs.
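As an added example of the Isolation pillar (illustrative code, not Shinbashira's own module; the service name `casefile-api`, the port, and the use of Python's `http.server` as a stand-in workload are assumptions), here is a NixOS module that confines one service with systemd's sandboxing directives and declares the network paths around it:

```nix
# sandboxed-service.nix: example NixOS module (not Shinbashira's own code).
# Assumed: a service called "casefile-api" serving files on port 8080;
# Python's http.server stands in for a real workload.
{ config, pkgs, ... }:
{
  # Isolation. The process gets a throwaway UID, a read-only view of the
  # whole OS, exactly one writable directory, no capabilities, no way to
  # gain privileges, a syscall allow-list and no network beyond loopback.
  # A bug in the workload cannot write to /etc, load a module or reach the LAN.
  systemd.services.casefile-api = {
    description = "Illustrative document API, sandboxed";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart =
        "${pkgs.python3}/bin/python3 -m http.server 8080 "
        + "--bind 127.0.0.1 --directory /var/lib/casefile-api";

      # Identity and filesystem view
      DynamicUser = true;               # transient UID/GID, nothing in /etc/passwd
      StateDirectory = "casefile-api";  # the only writable path: /var/lib/casefile-api
      ProtectSystem = "strict";         # the rest of the filesystem is read-only
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectProc = "invisible";        # other processes are not visible in /proc
      ProcSubset = "pid";
      UMask = "0077";

      # Kernel and privilege boundaries
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";       # no capabilities at all
      AmbientCapabilities = "";
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectKernelLogs = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = "@system-service ~@privileged ~@resources";

      # Network: IPv4/IPv6 sockets only, and only to and from localhost
      RestrictAddressFamilies = "AF_INET AF_INET6";
      IPAddressDeny = "any";
      IPAddressAllow = "localhost";
    };
  };

  # Declared network paths: the host firewall is on and nothing is opened,
  # so the API is reachable only from the machine itself (for example via a
  # reverse proxy or an SSH tunnel declared elsewhere).
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = [ ];

  # The store is mounted read-only, so the running OS cannot be edited in
  # place, even by root. This is the NixOS default, stated here explicitly.
  boot.readOnlyNixStore = true;
}
```

On the running machine, `systemd-analyze security casefile-api` scores the unit's exposure and lists every directive still left open, which is the quickest check that the declaration took effect. The sandbox bounds what the process can do to the machine; it does not decide who may read what the service serves. That is a separate declaration, and it is why the unit binds to loopback and the firewall opens nothing.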


NIS compliance is a consequence, not a goal

For a person who lives a healthy life, a medical check-up is a formality. For a pizza-eating couch potato, it is more likely to be diagnostic. Our system is designed to be secure, to be healthy, and NIS compliance is simply what happens when you get the engineering right.


ポカヨケ  Poka-yoke — mistake-proofing.

Shigeo Shingo, Toyota Production System, 1960s. The principle that systems should make errors impossible, not merely discouraged. A car part that only fits one way. A server configuration that cannot build if insecure. The wrong shape does not fit. The build fails. The misconfiguration never reaches a machine.
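The poka-yoke principle in NixOS terms, as an added example (not Shinbashira's own code; the checked service names and the policy thresholds are assumptions): a module that states security invariants as build-time assertions, so that a configuration violating any of them fails evaluation before anything is written to disk. It also serves Pillar V, Precision, above.

```nix
# invariants.nix: example NixOS module (not Shinbashira's own code).
# Assumed: policy says the services named in `checked` must run sandboxed.
{ config, lib, ... }:
let
  # Services facing users or the network, which must run with
  # NoNewPrivileges and a read-only OS view. Names not defined on this
  # system are skipped, so the list can be shared across machines.
  checked = lib.filter (n: builtins.hasAttr n config.systemd.services)
    [ "casefile-api" "nginx" ];   # assumed service names

  # serviceConfig values may be written as booleans or as strings.
  truthy = v: lib.elem v [ true "true" "yes" ];

  isHardened = name:
    let sc = (config.systemd.services.${name} or { }).serviceConfig or { };
    in truthy (sc.NoNewPrivileges or false)
       && (sc.ProtectSystem or "") == "strict";

  notHardened = lib.filter (n: !(isHardened n)) checked;
in
{
  # Each assertion is evaluated by nixos-rebuild; the first false one aborts
  # the build with its message, before any file is written.
  assertions = [
    {
      assertion = !config.users.mutableUsers;
      message = "users.mutableUsers must be false: accounts are declared, not created on the box.";
    }
    {
      # `->` is logical implication: the rule only bites when sshd is enabled.
      assertion = config.services.openssh.enable ->
        (config.services.openssh.settings.PasswordAuthentication == false
         && config.services.openssh.settings.PermitRootLogin == "no");
      message = "sshd must be key-only and must refuse root logins.";
    }
    {
      assertion = config.networking.firewall.enable;
      message = "The host firewall may not be disabled.";
    }
    {
      assertion = config.boot.initrd.luks.devices != { };
      message = "At least one LUKS volume must be declared: no disk encryption, no build.";
    }
    {
      assertion = notHardened == [ ];
      message = "Services missing NoNewPrivileges + ProtectSystem=strict: "
        + lib.concatStringsSep ", " notHardened;
    }
  ];
}
```

`nixos-rebuild dry-build` evaluates these assertions without touching the running system, so the check can run in CI on every change to the declaration. The caveat is the one the principle implies: the build refuses only what has been asserted, so this list is policy and has to be maintained like policy.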

Disaster Recovery

Standard Breach / Attack (An Illustration)

Conventional system · Fri 14:47 to Tue 19:23 · 4 days 4½ hours · 6,036 minutes

  Fri 14:47   All systems normal · ✓ working
  Fri 15:20   Email degraded, staff losing access · ⚠ unclear
  Fri 17:00   All systems down, client data inaccessible · ✕ offline
  Fri 19:30   Backups not working, no recovery path · ✕ offline
  Weekend     Forensics called in at £8k/day · ✕ offline
  Tue 19:23   System restored, but is it clean? · ? restored

  Meanwhile: ransomware executing · attacker inside, data exfiltrating · backups encrypted, no recovery path · evidence contaminated, ICO notified · status unclear, forensics ongoing

Shinbashira · Fri 14:47 to Fri 14:54 · 7 minutes

  14:47   All systems normal · ✓ working
  14:47   Ransomware executes, user dirs touched, OS untouched · ✕ hit
  14:49   Reboot to previous generation, declared state known in advance · ↺ rebooting
  14:51   OS restored, verified clean, attacker evicted, evidence intact · ✓ clean
  14:54   All systems operational, no forensic reconstruction of the OS required, no question marks · ✓ working

  Throughout: OS read-only, cannot be modified · declared state restored · no rootkit, no persistence in the OS · known state, auditable, certain · ✓ verified

The Debrief

In a standard ransomware attack, the attacker enters through a seam: a phishing email, a compromised credential, an unpatched vulnerability. Once inside, they move laterally through the estate, mapping what they find. They may be in no hurry; attackers can dwell undetected for months in a system before executing. When they do execute, they encrypt the file system, then the backups, then wait for the ransom demand to land.

The traditional response is forensic and slow. You shut down systems to prevent further damage. You call in specialists. You attempt to establish the scope of the breach, which systems were touched, what data was accessed. If your backups are intact — and as the timeline above shows, they often aren't — you begin restoration. The process takes days. The outcome is uncertain. Even when systems are restored, the question remains: is it clean?

Shinbashira's response is architectural before it is forensic. The operating system is read-only: the attacker cannot modify it, cannot install files in it, and cannot persist in it across a reboot. When ransomware executes it can touch user directories, but it cannot touch the OS. We detect the anomaly, reboot into the previous declared generation, and the operating system returns to a known-good state whose contents are fixed by its declaration. The attacker's foothold in the OS is gone and the evidence is intact. Whether the OS is clean has a definitive answer: yes, because it was never mutable in the first place. What the rollback does not do, and what the recovery procedure therefore still has to: the user data the ransomware encrypted is restored from versioned, offline backups, not from the OS generation; the entry point (a phished credential, an exposed service) is closed and the credential rotated, otherwise the attacker simply walks back in; and data already exfiltrated is not recalled, so the notification assessment is still made, on evidence that is at least intact. Persistence below the operating system, in firmware or the boot chain, lies outside this guarantee, as the Disclaimer below says.

Product & Pricing

What You Get

A modular, architected system.


What Sets Us Apart

Architect and builder in one.


What Is Yours

Your data, sovereign by default.


What It Costs

One project, actively maintained.


Regulatory Obligations

The Legal Hammer Arrives Autumn 2026.

UK NIS legislation is not a technical problem. It is a legal and insurance problem. We translate architecture into the evidence your auditor and insurer actually demand.

Essential Entities & Supply Chains

  • ✓ SMEs supplying UK critical sectors can be brought within scope, directly or through their customers' supply-chain obligations
  • ✓ NIS requires proportionate, demonstrable technical measures
  • ✓ "We have a firewall" is not evidence. A signed change history is.
  • ✓ SRA and FCA regulated firms face parallel obligations

NIS Evidence Pack · included with Shinbashira

  • Quarterly compliance attestation letter
  • Software Bill of Materials — SPDX/JSON
  • Vulnerability scan report, mapped to NVD
  • Director's certificate for cyber insurers
Request a sample evidence pack →

From Cowboy IT to Forensic Clean Room

Compliance requirement · How we deliver evidence

Annex A 8.9 (Configuration management) · Signed change history with a cryptographic log of every modification.
Annex A 8.8 (Management of technical vulnerabilities) · Live Software Bill of Materials; CVE alerts mapped to your exact binary hashes.
Annex A 8.20 and 8.22 (Networks security; Segregation of networks) · Zero-trust service isolation: applications cannot communicate outside declared paths.
Annex A 8.15 (Logging) · Immutable logs, EU-hosted, tamper-evident by design.

About

Marcus

Founder & Principal Engineer

I have had an active interest in security for twenty years. It began with rootkits — dealing with them, fighting the eternal recurrence of malware, and eventually becoming sufficiently alienated by the experience to convert to Linux permanently.

It continued when I experienced a WordPress hack on a major web hosting platform. Thereafter I ran my own private server and genned up on the attack surface of WordPress — from substrate (the server) to topsoil (plugins and themes) and everything in between. Once again I found myself changing gears — the problems were platform specific — and I moved to static websites.

The common thread in all of this was that the only way forward was open source software. In the last three years I have gone from being a consumer of open source software to a practitioner. Shinbashira is the result.

The time-honoured axiom is: life is what you make it. It then seems to me hardly less relevant or axiomatic to say: software is what you make it.

I am pragmatic — I hate things that don't work — and I have a minimalist streak. I love craft and design in all its forms: from cinema to French châteaux with opulent gardens, to the subtleties of wine-making, to music and art.

They often say that good design gets out of the way. That is pretty much the idea of Shinbashira: something secure and performant that allows you to get on with your job — be it managing clients as a solicitor or accountant, designing buildings as an architect, running cases as a barrister, managing a practice as a GP, handling transactions as a financial advisor, or simply running a business. The technology should be invisible.

Bournemouth · available across UK & EU · marcus@kygnos.cloud

Disclaimer

The security landscape is a permanent war of attrition. The best one can honestly say, on any given morning, is: we believe we are winning. No one in this industry can guarantee the complete absence of breach — and anyone who does is selling you something. Our own system has elements we do not presently fully control — the firmware layer, hardware supply chains, vulnerabilities below the operating system layer, not to mention the wildcard, human behaviour — which in technical terms is really operator error.

State-level actors have demonstrated the ability to compromise hardware at the point of manufacture — below any software defence. This is not a theoretical risk.

And while we remain extremely proactive in understanding emergent threats, AI is now generating attack vectors faster than any defender can fully anticipate.

Kygnos strives for the highest achievable standard of security. We cannot guarantee perfection. We can guarantee rigour, transparency, and that we will always tell you the truth about your position.

Insights

Plain-language analysis for regulated professionals

Articles and analysis are coming. In the meantime, follow us on LinkedIn for commentary on NIS, cyber insurance, and the realities of data security for professional firms.

Follow on LinkedIn

Contact

We Secure the Back Office of the European Economy.

Deep infrastructure expertise combined with forensic understanding of NIS, ISO 27001, SRA, and FCA obligations. Available immediately for new engagements.

Bournemouth, UK & EU  ·  marcus@kygnos.cloud

Book a Compliance Consultation

We respond within one business day. No sales calls without consent.