XoT Technology Overview
Introduction
XoT Technology enables precise policy-driven control of network communication. Instead of giving users and devices access to whole networks, and encrypted tunnels are created between authenticated users and the specific assets they are authorized to use.
This system is built around the following components:
- The XoT-Lock that when placed in front of an asset, from a single device to multiple subnets, can control access to it. Its primary job is to enforce the access rules defined by administrators, ensuring only authorized traffic can reach what is connected to its protected interface.
- An XoT Client can initiate secure connections. While this is often the desktop software used by an end-user, any XoT-Lock can also function as a client, enabling secure machine-to-machine communication.
- The XoT Management System (XMS) is where administrators define access policies, manage users and assets, and monitor the system. Policies determine precisely who can access what, where they can access it from, when they are allowed, and how they can connect.
- The XoT-Bridge allows access to devices that would not otherwise be accessible due to networking or firewall constraints.
The following sections will explore each of these components, and some others, in greater detail, explaining their specific roles and capabilities within the XoT ecosystem.
XoT-Lock
The XoT-Lock protects assets, from a single device or to several subnets across multiple VLANs. By placing a XoT-Lock in front of an asset, administrators can enforce access policies defined in the XMS.
XoT Clients (desktop clients or other XoT-Locks) which have policy access then establish encrypted tunnels to the XoT-Lock, ensuring that only authorized traffic reaches the protected asset.
XoT-S1
The XoT-S1 is a compact hardware platform designed specifically for running XoT software. It comes pre-installed and can be deployed within minutes: connect power and network, enroll it into your XMS, and it is ready to be used.

Specifications:
- Dimensions: 92x98x30 mm.
- Weight: 120 g.
- 2x 10/100/1000 MB Ethernet ports, auto-sensing.
- 1x USB-C, only for power source. 5 W normal load / 10 W max load.
- 1x USB-A, for peripherals, deactivated by default.
- Mounting: DIN-rail brackets.
- Network latency: min 3.19, avg 6.27, max 42.8 ms.
- Cold boot time: less than 50 s.
- Hot reboot time: less than 33 s.
- Firmware upgrade time: less than 2:30 min.
- Recommended environment temperature: 0 – 50 *C.
Other Hardware Platforms
The XoT-Lock software can also be installed on any 64-bit x86 system, be it bare metal or virtual machines, providing flexibility for different deployment environments.
XoT Clients
An XoT Client can authenticate and establish an encrypted connection to an XoT-Lock. XoT Clients are available in several forms to suit different use cases.

Desktop Client
The XoT-Desktop Client is the graphical application designed for end-users. It provides a simple interface where users can see which devices and services they are authorized to access and establishes secure tunnels automatically based on XMS policies. The desktop client is available for Windows, macOS, and Linux.

Hardware Tokens and Passkeys
For strong authentication, the XoT-Desktop Client supports hardware tokens and passkeys. These provide secure storage of certificates and private keys, and are recommended best practice.
Supported tokens include:
- Yubico YubiKey
- Thales ID-series smart cards
- Other devices supporting certificate-based authentication
Local key files can also be used, but hardware tokens are preferred for higher security.
Headless Client
For servers and automated environments, the client can run in headless mode without a graphical interface. This provides the same secure connectivity and policy enforcement as the desktop version, making it suitable for background services and machine-to-machine communication.
XoT-Lock Client
Every XoT-Lock includes a built-in client capability. This allows it, while still performing its normal functions, to establish a connection to other locks. This dual role is essential for enabling advanced scenarios such as secure network segmentation or providing access for devices that cannot run client software themselves.

XMS
The XoT Management System, usually referred to as XMS, serves as the central command and control panel for the XoT Technology infrastructure. It is the tool used by administrators to configure, manage, monitor, and secure the XoT Technology. The XMS distributes configuration and policy updates, receives telemetry, and provides visibility into system health and activity.
Administrators can:
- Manage users and permissions
- Define and edit assets (devices and networks)
- Create and manage access policies
- Monitor system health and status
- View logs and audit trails
Access Policies
Creating and managing access policies is designed to be intuitive and accessible even for users without technical experience. Policies are configured by following specifying the following:
- Who: User groups or devices allowed access
- What: Target devices or device groups
- Where: Geographical or logical location of assets
- When: Time-based access (one-time or recurring)
- How: Network filters such as protocols, ports, or firewall rules
This approach allows administrators to define precise, fine-grained access without requiring deep technical expertise.
Communication
All XoT components communicate with the XMS using the MQTT protocol. This channel is used for:
- Delivering configuration and policy updates to clients and locks
- Receiving telemetry and status updates
When a XoT Client comes online:
- It connects to the XMS.
- The XMS issues an access ticket (time-limited credential).
- The client uses the ticket to connect to XoT-Locks.
Connections between clients and locks (or bridges) are established using WireGuard tunnels with mutual authentication. Authentication is repeated every 30 seconds to ensure tunnel integrity.
Connections may be terminated due to:
- Ticket expiration or revocation
- Failed authentication
- Expired certificates
- Client deactivation
Note: As long as tickets remain valid, established tunnels continue to function even if the XMS is temporarily unavailable.
XoT-Bridge
A XoT-Bridge enables communication when clients and locks are on separate networks and cannot reach each other directly.
The bridge works by relaying encrypted traffic without decryption, allowing secure access across firewalls or NAT boundaries.
In the default mode of an XoT-Bridge, both clients and locks call in to the Bridge (sometimes referred to as rendezvous mode). For traditional network configurations, the XoT-Bridge can be configured to initiate the connection to XoT-Locks, though these usually requires more extensive firewall configuration.
Since the XoT-Bridge is simply a configuration of the XoT software, it can run on the same platforms as a XoT-Lock.
XoT-WebAccess
XoT-WebAccess provides a browser-based client for situations where installing software is not possible, for example: contractors, bring-your-own-device scenarios, or restricted workstations.

Use Cases
- Temporary or third-party access
- Secure remote operations in isolated environments
- Jump-host deployments to prevent direct system access
How It Works
- The user logs in via a web browser.
- A virtual desktop session is created.
- The session runs the XoT-Desktop Client, applying the user’s policies.
- Built-in tools (browser, SSH, RDP, etc.) are available for work.
- When the user logs out, the session is destroyed, leaving no data behind.
Xertified’s official XoT-WebAccess VM supports SSH, HTTP(S), RDP, and Telnet. Additional services can be added as needed.