Is Excalibur FedRAMP authorized?

FedRAMP is structurally inapplicable to Excalibur because it deploys entirely inside your existing ATO boundary with zero data egress, the same authorization pattern Splunk, ServiceNow, and CrowdStrike use on classified networks. There is no cloud service to authorize, so there is no FedRAMP delay and no gutted GovCloud variant. The product you demo is the product you deploy.

Can Excalibur run on air-gapped classified networks?

Yes. Excalibur by CyberAGI is built for air-gapped deployment on a dedicated NVIDIA DGX Spark. No phone-home, no telemetry, no license verification callbacks, no OTA updates. Threat intelligence syncs from NVD and EPSS are user-controlled and inbound only.

Does Excalibur help with CMMC compliance?

Yes. The Govern module auto-maps findings to CMMC L1 (FCI) and CMMC L2 (110 NIST 800-171 controls for CUI), generates audit-ready evidence packs, and produces a pre-audit checklist in days instead of quarters. PCI-DSS is auto-mapped as well.

How does Excalibur pricing compare to cloud AI for defense contractors?

Excalibur is a flat hardware cost: $10,000 for the NVIDIA DGX Spark (one-time) plus $5,000/month, with unlimited usage. There is no token meter, no per-seat billing, and no surprise invoice, which matters on DoD fixed-price contracts where metered cloud-AI costs eat margin you cannot recover.

How fast can a defense contractor deploy Excalibur?

Defense customers go from purchase order to running platform in the same week, because deployment is hardware delivery inside your existing authorization boundary rather than a cloud procurement cycle. Full operational maturity, including CMMC pre-audit readiness, lands within 90 days.

US Military Contractors · DIB

Sovereign AI. Inside your wire.

Cloud AI runs a meter you cannot afford. FedRAMP versions of commercial tools ship gutted. Every phone-home is American IP walking out the door. Excalibur was built for the wire.

Built for DIB security leads, ITAR program managers, and CMMC compliance owners

03 · The math todaySee platform →

Zero Data Egress. Period.

What the cloud-AI vendors structurally cannot offer.

Data egress allowed

Zero

NIST 800-171 controls (CMMC L2)

110

Deployment model

Inside your ATO

Proprietary private models·No offshore codebase·Cleared for ATO procurement

Your reality

Three constraints that disqualify almost every AI security vendor.

One company burned $500M on Claude in 30 days. Your fixed-price contract has no margin for that.

Uber torched its entire 2026 AI coding budget in four months. Microsoft pulled Claude Code licenses after seats hit $2,000 per engineer per month. Cloud AI is metered, not licensed, and the meter never stops. Every agentic loop is another invoice. On a DoD fixed-price contract, every token your team burns is margin you cannot get back.

The FedRAMP version of your vendor's tool is not the version they demoed. Most buyers find out after the contract is signed.

Commercial roadmaps ship faster than FedRAMP can re-authorize them, so the features in the sales deck rarely cross the boundary. The integrations you saw working, the AI capabilities that closed the deal, the dashboards on the brochure: quietly dropped from the GovCloud SKU. 90% of buyers find out after signing. You pay full price for a gutted product, the vendor keeps collecting, and the defense industrial base subsidizes a roadmap it never gets to use.

Your classified networks are air-gapped. Every phone-home is American IP walking out the door.

Cloud connectivity, license verification, telemetry pings, OTA updates. Every one of them is a covert export channel for the schematics, source code, and threat data you are cleared to protect. And the security budget is the first line every CFO trims. Vendors know it. They quote five SKUs for what one tool should do, bundle modules you will never deploy, and bill per seat on a team that cannot grow. You pay more, ship less, and lose IP on the way out.

The shift

Built for your constraints. Your entire security team in one platform.

Excalibur is the software that runs your whole security operation. Offensive, defensive, and compliance, all in one platform, with no compromise between them. The DGX Spark supercomputer is just where it lives, inside your datacenter and inside your ATO, with no token meter, no GovCloud SKU, and no phone-home. Every constraint other vendors call a deal-breaker is the requirement we shipped against.

What changes

Three outcomes that protect the mission.

Unlimited AI on hardware you own. The meter never runs.

Every model, every agent, every fine-tune runs on a DGX Spark in your datacenter. Hardware you own, not tokens you rent. Use it 24/7. No metered billing. No per-seat overage. No surprise invoice at quarter close.

Same flat cost whether you run one query or a million. Your AI line item becomes a fixed number on the contract, not a black-box pass-through eating the margin you bid the work at.

What you saw is what ships. Same week, not next year.

One product. One codebase. One feature set. No GovCloud SKU. No gutted FedRAMP variant. Because Excalibur deploys inside your ATO with zero egress, FedRAMP is structurally inapplicable, and the procurement death march disappears with it.

Defense customers go from purchase order to running platform in the same week. The roadmap in the demo is the roadmap you run on day one, the same roadmap every other Excalibur customer is running today.

Your network stays sealed. Your IP stays American.

Built to defend American critical infrastructure and the defense industrial base. Hardware-only delivery. No phone-home. No telemetry. No license check. One platform replaces the five-vendor stack: ASM, pentest, threat modeling, compliance, and intel all in the box.

Your schematics, source, threat data, and prompts stay inside your federated network. One purchase order, one box, one boundary. The IP the program office trusts you to protect is protected by architecture, not by a vendor's promise.

What you will actually run

The modules built for the DIB constraint set.

Air-gapped sovereign deployment. Proprietary private models. No offshore codebase. These are the modules built specifically for the DIB constraint set; the full 9-stage lifecycle (Discover, Model, Validate, Correlate, Prioritize, Remediate, Govern, Predict, Learn) lives on the Excalibur page.

Govern · CMMC L1 + L2, NIST 800-171, PCI-DSS

Auto-generates control questions, fills them from lifecycle data, produces audit-ready reports. Findings auto-map to controls. No manual spreadsheet reconciliation.

Validate · Agentic pentesting, internal/external

Customer-controlled scope. Atomic Red Team tests, MITRE ATT&CK simulations, API testing. Human-verified before any action.

Air-gapped threat intel sync

Pre-loaded CVE corpus, nuclei templates, TTP playbooks at delivery. User-controlled inbound sync from NVD, EPSS. Nothing flows out, ever.

Discover · External attack surface

Continuous EASM mapping for your perimeter. Native scanner, no third-party cloud dependency, no asset data leaving your environment.

Correlate · Cross-tool intelligence

Direct integrations for Wiz, CrowdStrike, Qualys, Defender, Tenable. Pulls data in, deduplicates, presents unified intelligence. One-way ingestion, never egress.

Model · AI threat modeling

STRIDE, ATT&CK, kill-chain modeling against your architecture. Maps to your CUI flows, classification boundaries, and ITAR perimeters.

Predict · Attack-path forecasting

Forward-looking risk against the systems you actually own. 30-day horizon at 89% confidence. Where the adversary will land, before they do.

Posture · Executive reporting

Translate technical risk into program-office language. CUI flow, CMMC readiness, ITAR exposure. One dashboard for the people signing the contract.

The leverage

What the AI-security category sells as standalone products, we ship as core architecture.

Sold by others as

Built into Excalibur as

Cloud AI tokens (OpenAI / Anthropic Enterprise)

Metered, no ceiling

→

Flat hardware cost · use 24/7

Lakera / HiddenLayer LLM protection

$50K-$200K+/yr

→

Base architecture by default

Standalone CMMC consulting

$80K-$250K engagement

→

Govern module · 90 days to ready

BreachLock / NetSPI continuous pentest

$100K+/yr

→

Validate module

Mandiant ASM + TI

$75K-$1.1M/yr

→

Discover + Correlate + Predict

The DIB procurement window

The first sub to put sovereign AI on a fixed hardware cost rewrites the flow-down.

Every prime is auditing AI cost and IP exposure across their tier-one and tier-two subs right now. Every sub running a GPT-wrapped tool on a fixed-price contract is one quarterly invoice away from a margin call, and every phone-home is American IP walking out the door. The sub who stands up air-gapped sovereign AI with a known hardware cost before the next DCMA touchpoint becomes the reference architecture every other contractor in the program gets benchmarked against. The flow-down language is being written. The question is whether you set the precedent or chase it.

✓First sub to ship sovereign AI on a fixed hardware cost rewrites the flow-down

✓Primes are auditing AI cost and IP exposure across tier-one and tier-two subs right now

✓Cloud-AI token billing has no ceiling. Your fixed-price contract margin does

✓ATO inheritance compounds across program offices once one sub is authorized

✓DCMA and DCSA touchpoints are the trigger event, not the deadline

✓Air-gapped sovereign AI deploys in the same week. Full operational maturity in 90 days

Sovereign AI for the mission.

See the platform that ships into environments where cloud AI cannot go. Then we talk about deployment inside your authorization boundary.

Try Excalibur Brief for DIB primes→

Built for your constraints. Your entire security team in one platform.