Dev Blog
Engineering and marketing notes on Arbiter.
NIS2 in Ireland: From Compliance Burden to Cyber Resilience with Arbiter
Prepare for NIS2 with Arbiter: automatic device discovery, wired and wireless network access control, managed PKI and a live asset register for compliance and cyber resilience.
NAC for MSPs: Onboard Customers in a Day, Not a Quarter
Traditional NAC was built for a single large enterprise, not for a provider running fifty customers from one console. Arbiter is built the other way around: a new customer authenticated, segmented and visible in a day, with no per-site infrastructure, full security on every tier and EU residency as standard.
Arbiter Asset Discovery
You cannot secure what you cannot see. Arbiter Asset Discovery is a continuously updated inventory of every device on your network, enriched with operating system, vendor and Intune MDM compliance, with unknown and unmanaged devices surfaced. It is the visibility-first entry point to full 802.1X network access control.
How We Built Cloud-Based Certificate Enrolment for Intune-Managed Devices
Most 802.1X deployments are slowed down by the need to install and maintain additional infrastructure such as NDES, AD CS, on-premises connectors and Windows servers. Arbiter issues device certificates directly from each tenant's cloud PKI, allowing Intune-managed laptops to auto-enrol without any on-premises infrastructure or Active Directory domain. You can take a fresh tenant from zero to a working certificate on an Intune-managed laptop in under 30 minutes. Here's how.
NIS2 and Your Network: Where Arbiter Fits
NIS2 in Ireland is moving from a distant EU directive to a near-term obligation. The supply-chain rules pull in thousands of SMEs who were never the direct target. Arbiter is not a compliance product, but it carries a specific, load-bearing slice of the technical outcomes NIS2 expects: access control, asset visibility, encrypted authentication and an audit trail you can hand over.
Don't break the chain: offline 802.1X on a SaaS NAC
Cloud NAC has an obvious failure mode: if you lose the WAN, auth stops. MAB can be cached but 802.1X can't, as it's a live cryptographic handshake, not a replayable permit based on MAC address. So we built a real EAP-TLS server into the Edge. Here's the design.
Breaking Arbiter: scaling EAP-TLS in a multi-tenant cloud NAC
Round three tested Arbiter under sustained mixed 802.1X and RADIUS load across ten tenants in parallel over real WAN. 332,128 authentications, 100% expected policy-decision accuracy, zero auth-path drops. Four scaling limits surfaced; three were removed during the run, the fourth was characterised and queued for the next architectural change.
Breaking Arbiter, round two: ten tenants, four hours and the control plane that buckled
Round one (last week) was one tenant on the wheel: 10,000 auths/min, clean. Round two: ten tenants in parallel at 1,000 auths/min each, MAB-only, four hours straight. The auth path held perfectly. The control plane did not. Here is the honest account of what gave way, why and what we changed.
Cloud NAC performance test: 10,000 RADIUS auths/min on production hardware
We ramped a single Arbiter tenant from 1,000 to 10,000 RADIUS authentications per minute on the production VM pair, then sat at 2,000/min for four hours. Everything held. Arbiter's target customer is SMEs and the MSPs supporting them: a 2,000-endpoint tenant's worst minute lands around 500/min, so 10,000/min is roughly 20x deliberate overshoot. Here's what we measured.
Why we dropped public UDP RADIUS and went pure RadSec
Early on, Arbiter exposed a public UDP RADIUS endpoint on the internet, the same shape every other cloud NAC still ships. We turned it off. Every tenant now reaches the cloud through a RadSec tunnel from an Edge appliance, with no plain UDP exposed at all. This is why we made the call.