Recent Breaches
Breaches
View All →

Control Blueprints

FIRE controls the path. VAULT protects the asset.

Six buyer-led Blueprints. Each one names its lead layer, the primary modules that deliver it, and the supporting modules that round it out.

6
Blueprints
9
Modules
3
Lead types

What a Blueprint is

A pattern. A lead layer. A defined set of modules.

FIRE-led

Controls the path. Disconnects, isolates and severs the route the attack would take.

VAULT-led

Protects the asset. Holds the data, identity and evidence behind verifiable controls.

FIRE + VAULT

Path and asset together. Used where access must be controlled and what it touches must be locked.

Blueprints in play

See the modules compose a Blueprint.

Deal nine modules into a path. Firebreak lands on the gate and the route severs. Click any card to pause.

How to read this
The cards are modules. The line is the path between the user and the asset. Each Blueprint chooses which modules sit on the path and which support it.
Untrusted
Internet, email
Firebreak · Isolate
Corporate IT
Endpoints, file shares
Clean Recovery
Backups, snapshots
Untrusted
Internet, email
Firebreak · Isolate
Corporate IT
Endpoints, file shares
Open
Clean Recovery
Backups, snapshots

RW·Break the attack path, contain systems, preserve clean recovery.

Module deck
Re
Relay
Ex
Execute
Un
Unlink
Va
Validate
Ar
Archive
Lo
Lock
Tr
Transfer
Fire — path controlProtect — asset protection

The six Blueprints

Pick a Blueprint to see the modules in detail.

Filter by lead layer, module or sector to narrow the patterns that fit your environment.

Showing 6 of 6 Blueprints
CP-01FIRE-led

Stop Kill-Chain Ransomware

Stop ransomware moving, spreading or reaching the crown jewels.

Primary modules
FirebreakIsolateExecute
Supporting
UnlinkLock
Financial servicesHealthcarePublic sectorDefence
View Blueprint
CP-02FIRE-led

Contain Active Breaches

When prevention fails, containment must be physical, immediate and provable.

Primary modules
FirebreakIsolateExecute
Supporting
ArchiveLock
Financial servicesEnergyPublic sectorDefence
View Blueprint
CP-03FIRE + VAULT

Control Third-Party Access

Give third parties access without giving them a permanent doorway.

Primary modules
ValidateRelayLock
Supporting
TransferArchiveExecute
Financial servicesHealthcareEnergyPublic sector
View Blueprint
CP-04FIRE-led

Enforce Physical Segmentation

Segmentation should not just be logical. It should be physically enforceable.

Primary modules
FirebreakIsolateUnlink
Supporting
LockRelay
DefenceCritical infrastructurePublic sectorManufacturing
View Blueprint
CP-05FIRE + VAULT

Protect Critical Infrastructure

Keep critical systems available, controlled and disconnected from unnecessary exposure.

Primary modules
FirebreakIsolateRelayExecute
Supporting
TransferArchiveLock
EnergyCritical infrastructureDefenceManufacturing
View Blueprint
CP-06VAULT-led

Prove Compliance Through Control

Compliance becomes stronger when control can be demonstrated, not just documented.

Primary modules
ValidateLockArchive
Supporting
TransferRelayExecuteFirebreak
Financial servicesHealthcarePublic sectorCritical infrastructure
View Blueprint

The nine modules

Every Blueprint is built from these.

FirebreakFIRE

Physically opens or closes connection paths to prevent unauthorised access and stop attack progression.

IsolateFIRE

Separates systems and networks into controlled zones to reduce lateral movement and enforce trust boundaries.

RelayFIRE

Allows connectivity only when needed, for a defined purpose, under controlled conditions and for a limited time.

ExecuteFIRE

Initiates control actions when a policy, approval, schedule, incident state or supervisory override requires action.

ValidateVAULT

Checks whether a request, command or approval should proceed before access, action or transfer is allowed.

ArchiveVAULT

Preserves critical files and records for recovery, retention, compliance, continuity and evidential integrity.

UnlinkVAULT

Removes persistent connections, live dependencies and inherited trust relationships that keep sensitive assets exposed.

LockVAULT

Restricts access through identity, authority, policy, permission and operational controls.

TransferVAULT

Controls how sensitive assets move into, out of or between protected environments through approved paths.

Mark Fermor
David Bailey
Kenny Phipps
Online Now
Concierge

Compose Control for your environment

Talk to our team about combining these Blueprints around your estate.

Takes about 2 minutes. No account needed.

Free2 minsNo sign-up

    Firevault

    Firevault is Offline Secure Storage. Hardware you own, physically disconnected by default, with KYC-verified access. Ransomware-proof by design, not by patch.

    © 2026 Firevault Limited. Disconnect to Protect®