Exhale Security

Your remote sites
are exposed.
We fix that.

A managed security platform for unmanned OT sites — sewage pumping stations, substations, gas governors. Deployed from a central console. No on-site IT required.

Talk to us How a pilot works
Download technical overview (PDF)

The problem enterprise security
products were never designed to solve.

Sewage pumping stations. Electricity substations. Gas governors. Tens of thousands of them — unmanned, power-constrained, running legacy OT protocols with no authentication or encryption — now connected to IP networks. Enterprise firewalls don't fit in DIN-rail cabinets. They can't inspect a Modbus command. And they require on-site IT staff that doesn't exist.

The sites

No IT staff. No server room. No mains-reliable power. Cabinets designed for RTUs, not rack-mount equipment.

The protocols

Modbus, DNP3, IEC 60870-5-104 have no native security. A standard firewall is blind to the commands passing through it.

The deadline

DWI e-CAF: March 2028. Ofgem RIIO: April 2028. Gas networks: April 2026. These are licence conditions, not recommendations.

What we do

A hardened gateway at each site.
One console for all of them.

Your Site

PLC / RTU / SCADA

Isolated — never on the internet

Exhale Gateway

Outbound-only · Audit log · Fail-safe

Encrypted
post-quantum tunnel

Exhale Platform

Fleet management & health

OT protocol inspection

Compliance evidence engine

Private certificate authority

Authenticated
access only

Your Team

Security dashboard

CAF evidence reports

Fleet health & alerts

Isolate your OT assets

Every site gets an isolated network segment. OT equipment is never directly reachable from the internet — even if a credential is stolen.

Inspect OT protocol commands

Deep packet inspection at the application layer. Every command logged, every anomaly flagged — before it reaches your equipment.

Manage thousands of sites centrally

One console. Remote firmware updates, automated certificate rotation, health monitoring. Zero site visits after initial deployment.

Generate compliance evidence automatically

CAF-aligned evidence generated continuously. Network segmentation proof, access logs, audit trails. Ready before your regulator asks.

Under the hood

Security-first from the ground up.

The gateway runs on industrial hardware rated for -40°C to +60°C, DIN-rail mounted, with dual-SIM failover. All communications are outbound-only — no inbound ports, no inbound attack surface. The platform runs in UK-owned infrastructure, not public cloud.

Zero trust architecture Outbound-only connectivity Post-quantum encryption (ML-KEM-768) mTLS device authentication Automated certificate rotation UK sovereign hosting Hardware safety limits enforced at edge Operates autonomously during connectivity loss Designed to NCSC CAF 4.0 principles Designed to IEC 62443 principles

Working with us

How a pilot works.

We're actively taking on first water sector pilots in 2026. Here's what the process looks like. The risk sits with us. You evaluate.

01

A 30-minute conversation

Tell us about your estate — number of sites, current setup, timeline pressure. We'll tell you honestly whether we're a fit right now. No pitch deck.

02

We scope a 25-site pilot

We agree a fixed scope: 25 sites, your choice. We pre-provision every gateway before it ships — field engineers connect power and Ethernet, the gateway calls home and self-configures. Typically 15–30 minutes per site.

03

You see your CAF evidence

Within 8 weeks of deployment, we run a compliance evidence workshop with your team. You see exactly what the platform generates for your DWI or Ofgem assessment — before committing to anything.

04

You decide

If it works, we discuss full rollout on commercial terms. If it doesn't, you've invested a few hours of your team's time and learned something useful. We'd rather earn your confidence than lock you in.

Indicative pricing

Enough to put a number in your budget submission.

Gateway hardware

from £800

per site, one-time — includes provisioning

Managed platform

from £600

per site per year — security, fleet management, compliance evidence

Indicative. Volume pricing applies at scale. We'll send you a detailed budget estimate within 24 hours of a conversation — including total cost for your estate, phased rollout options, and a like-for-like comparison with alternatives.

For context: a FortiGate Rugged equivalent costs approximately £2,000/site/year — with no fleet management and no compliance evidence generation.

Who we are

Two founders. Thirty years
of building infrastructure systems.

Gareth Williams

Gareth Williams

Co-Founder & CEO

25 years in technology leadership. Co-founded YellowDog — the world's largest distributed computing platform, coordinating unreliable compute nodes across multiple providers for major hedge funds. The architecture directly transfers: coordinating thousands of unreliable edge gateways is the same problem. Previously VP Product at Arieso through its acquisition by JDSU (now Viavi Solutions).

S

Simon Ponsford

Co-Founder & CTO

30+ years in distributed systems and real-time infrastructure. Previously held SC and DV security clearance; has architected UK secure government projects including the Police National Computer. Founder of Tivarri, providing UK sovereign data centre facilities to banks, hedge funds, and energy sector operators. 30+ technology patents.

"We're a small team. That means when you talk to Exhale, you talk to the people who built it — not an account manager reading from a slide deck. We'll tell you what we can do, what we can't yet, and what we'd recommend."

Gareth Williams, Co-Founder

Get in touch

The shortest path
to a conversation.

Tell us about your estate. We'll be straight with you about whether we're the right fit, what a pilot looks like, and what it costs. No pressure, no pipeline.

Gareth Williams

Gareth Williams

Co-Founder & CEO

gareth@exhale.systems Download technical overview (PDF)

Exhale Systems Limited · Bristol, UK · Co. no. 16808856