14 servers · 14 locations · 13 countries

The VPN built for the hostile internet.

Enterprise-grade VPN with AES-256 + REALITY transport. Hand-picked global nodes. VLESS + XTLS-Vision for near-line-rate throughput on any network.

No traffic logs · Kill-switch on every platform · Post-Quantum encrypted · 14-day refund window
  • 14 · Active servers
  • 14 · Global locations
  • 13 · Countries served
  • 99.98% · 90-day uptime
//01 Capabilities

What ships in the box.

No marketing fluff. These are the features wired into the production agents you connect to today.

01 / 07

True privacy

AES-256 wrapped in REALITY transport that disguises VPN traffic from deep packet inspection.

Censorship-grade obfuscation: handshakes look like legitimate TLS traffic to a non-VPN destination, so heuristic DPI fingerprints don't match. No protocol signature for filters to learn.

[ AES-256-GCM · REALITY · uTLS ]
02 / 07

Global servers

Hand-picked nodes across regions with smart selection that prefers low load and low latency.

Every node is provisioned and health-checked by our agent; the app's location list re-ranks in real time so the suggestion you see is the one you should actually use.

[ Hand-picked · health-checked · auto-ranked ]
03 / 07

Built for speed

VLESS + XTLS-Vision delivers near-line-rate throughput on any network.

Zero-copy splice on the data path means almost no CPU overhead — saturate your gigabit fiber, your 5G tether, or your office Wi-Fi without the usual VPN throttle.

[ VLESS · XTLS-Vision · zero-copy ]
04 / 07

Kill-switch on every platform

If the tunnel drops, the network drops — no plaintext leaks, no fallback to your ISP.

iOS uses on-demand NEVPNManager rules; Android relies on VpnService allow-listing. Both modes survive backgrounding and app kills.

[ iOS NEVPN · Android VpnService ]
05 / 07

Split-tunneling

Route only the apps you want — keep streaming on your local IP while your browser tunnels.

Pick allow/disallow lists per installed app. Useful for banking apps that block VPN traffic, or for keeping LAN devices reachable while connected.

[ Per-app routing · Allow & disallow ]
06 / 07

No traffic logs

We don't keep what we don't need. Nothing about who connected when, where to, or for how long.

Agent telemetry is metric-only (CPU, bandwidth, connection counts) — not session-attributable. Independent audits and a public warrant canary are on the 2026 roadmap.

[ Metric-only telemetry · No DNS logs ]
07 / 07

Post-Quantum Ready

ML-KEM-768 hybrid key exchange secures your tunnel against future quantum attacks, today.

Our engine negotiates ML-KEM-768 + X25519 hybrid key exchange on every connection (NIST FIPS 203). Even if a quantum computer is recording your traffic now to decrypt later, it gets nothing — the session key is quantum-resistant from the first packet.

[ ML-KEM-768 · X25519 hybrid · NIST FIPS 203 ]
//02 Global network

Real servers, in places that matter.

Every dot on the map is a location with at least one server online and accepting traffic right now. Hover any marker to see how many active nodes back it — the count comes straight from the agent telemetry our admin dashboard reads.

[ FEATURED LOCATIONS ] + 2 more locations
  • US · us-01 · Chicago · 1×
  • DE · de-01 · Frankfurt · 1×
  • GB · gb-01 · London · 1×
  • US · us-02 · Seattle · 1×
  • SG · sg-01 · Singapore · 1×
  • JP · jp-01 · Tokyo · 1×
  • HK · hk-01 · Hong Kong · 1×
  • ID · id-01 · Jakarta · 1×
  • MY · my-01 · Kuala Lumpur · 1×
  • IN · in-01 · Mumbai · 1×
  • FR · fr-01 · Paris · 1×
  • KR · kr-01 · Seoul · 1×
//03 Stack

Same protocol the censorship circumvention community trusts.

Generic VPN protocols — WireGuard, OpenVPN, IKEv2 — have identifiable handshake fingerprints. State-level DPI learns those signatures and drops them. We don't use them.

Instead the data path runs VLESS + XTLS-Vision over a REALITY transport that mirrors a real TLS handshake to a third-party server. To an observer there is no VPN — just a user visiting a perfectly ordinary HTTPS site.

[ AES-256-GCM ][ VLESS ][ XTLS-VISION ][ REALITY ][ uTLS ][ ML-KEM-768 (PQC) ]
[ PROTOCOL STACK ] ↓ exit
  • L7 · Application: Your traffic — browser, app, game
  • L5 · Tunnel: VLESS · XTLS-Vision (zero-copy splice)
  • L4.5 · Post-Quantum KEM (quantum-resistant): ML-KEM-768 + X25519 hybrid — NIST FIPS 203
  • L4 · Crypto: AES-256-GCM authenticated encryption
  • L3 · Transport: REALITY · uTLS fingerprint mirroring
  • L1 · Internet: Looks like ordinary TLS to a 3rd-party host
//04 Post-Quantum Security

Encrypted against computers that don't exist yet.

Quantum computers capable of breaking RSA and elliptic-curve cryptography are expected within the decade. Every session on SecureFox is protected now.

Harvest-now, decrypt-later

Nation-state adversaries record encrypted VPN traffic today, storing it until a quantum computer can break the session keys. With classical VPNs, everything you've ever sent is potentially decryptable in the future.

SecureFox uses ML-KEM-768 + X25519 hybrid key exchange — standardised by NIST in August 2024. Session keys cannot be derived even with a future quantum computer.

[ NIST FIPS 203 ][ Hybrid KEM ][ Forward Secrecy ]
  • 2024 · NIST finalises ML-KEM-768 (FIPS 203)
  • 2025 · SecureFox ships PQC hybrid KEM in production engine
  • 2027+ · "Q-Day" — quantum decryption of classical ciphers becomes viable

[ CRYPTOGRAPHIC STACK ] FIPS-compliant

ML-KEM-768 · Key Encapsulation · NIST FIPS 203

Module Lattice-based. Quantum-resistant key exchange replacing classical Diffie-Hellman.

X25519 · Classical KEM (hybrid) · RFC 7748

Combined with ML-KEM-768 so the session is safe even if either algorithm is broken.

AES-256-GCM · Symmetric cipher · NIST FIPS 197

Authenticated encryption. Quantum-safe at 256-bit key length against Grover's attack.

BLAKE3 · Key derivation · BLAKE3 spec

Context-bound KDF. Faster than HKDF with equivalent security guarantees.

Enabled by default in the app settings
//04 Pricing

One subscription. Every device you own.

Billing is handled by the App Store and Google Play — we never see your card. Cancel from your device subscription settings at any time.

[ BASIC ]

Basic

$5.99 / month
  • 3 · devices
  • Unmetered · bandwidth
  • Line-rate · speed
  • Tier 1 · server tier access
  • Cancel anytime · cancellation
[ POPULAR ] Best value

Premium

$12.99 / month
  • 5 · devices
  • Unmetered · bandwidth
  • Line-rate · speed
  • Tier 2 · server tier access
  • Cancel anytime · cancellation
[ PREMIUM YEARLY ]

Premium Yearly

$89.99 / year
≈ $7.50 / month
  • 5 · devices
  • Unmetered · bandwidth
  • Line-rate · speed
  • Tier 2 · server tier access
  • Cancel anytime · cancellation
[ LIFETIME ]

Lifetime

$249.00 one-time
  • 10 · devices
  • Unmetered · bandwidth
  • Line-rate · speed
  • Tier 3 · server tier access
  • Never expires · cancellation
//05 FAQ

Answers, in plain English.

We ship VLESS + XTLS-Vision over REALITY transport — a stack designed for environments where ordinary VPN protocols (WireGuard, OpenVPN, IKEv2) get fingerprinted and blocked. On a clean network you still get near-line-rate speeds; on a censored network the tunnel survives.

No session logs and no DNS logs. The node agent reports aggregate metrics — CPU, bandwidth, connection counts — that aren't attributable to any user session. We're working toward an independent audit and a public warrant canary in 2026.

iOS 14+ and Android 8+ today, via the cross-platform Flutter client. Desktop (macOS, Windows, Linux) is on the roadmap for late 2026.

All subscriptions go through Apple App Store or Google Play in-app purchases — managed by your device subscription settings. We never see your card. Web checkout via Stripe/Coingate is reserved for crypto and gift codes.

The REALITY transport is specifically built for these environments. We can't guarantee 100% uptime against a state-level adversary, but you should expect significantly better resilience than commodity protocols.

Yes — capped at 5 GB / month and 10 Mbps on Tier-1 servers. It's enough for browsing, light streaming, and trying the product before committing.

Refunds are handled by the store you bought through (App Store / Google Play). Both stores allow refund requests within a regional grace window — typically 14 days in the EU and 48 hours in the US.

[ READY TO CONNECT ]

Fast, private, everywhere.

Install the app, open it, tap connect. Free tier gets you 5 GB and Tier-1 servers — upgrade when you're ready.