A box at headquarters protects headquarters. It does nothing for the twenty branches that dial the internet on their own, and nothing for the people working from home. This solution delivers the inspection from a cloud service instead: a lightweight edge at each branch, zero-trust access for remote staff, one policy written once and pushed everywhere — designed on open-brand product categories, sized by sites and users, with the crossover point where a plain firewall is cheaper stated out loud.
Four problems that appear the moment a company has more than a couple of sites:
Security functions live in a cloud service between your sites and the internet; the branch keeps only what it needs to get there safely:
Architecture drawn by AtlasCommTech following carrier-grade network-security design practice. Diagram labels are kept in English for engineering clarity.
How this differs from our Enterprise Internet Edge Security solution — read this first. That page describes one company, one building, one internet exit: a firewall pair in your rack, zones, NAT, intrusion prevention, logs. Hardware you own and control, and for a single site it is the correct and cheaper answer. This page exists for the shape of company that model cannot cover: many branches plus staff who are not in any building. Put a box in every branch and you own that box's licence, its firmware, its configuration drift and its 2 a.m. failure — multiplied by however many sites you signed. Here the inspection moves to a cloud service, the branch keeps a small edge that just gets there safely, remote laptops join the same policy, and the rule set exists in one place. Same functions, different delivery model. The honest crossover is discussed in the limits section, because for a handful of branches, boxes still win.
Why us: our founder spent 13 years inside the Huawei partner ecosystem delivering carrier networks — the environment where a policy change has to land on hundreds of sites correctly, the first time, because there is no second window. That is the discipline we bring to a thirty-branch rollout.
The solution is sized to your requirements and budget first — the same architecture can be delivered on several vendors' product lines. We help you choose by supply availability in your destination country, budget and your team's operating habits.
Six capabilities — the point of all six is that the number of branches stops being the thing that decides how much work security is:
Cloud-delivered security is sized by users and sites, not by a throughput number on a datasheet — here is how the tiers differ:
| Scale tier | Typical organisation | What the design includes |
|---|---|---|
| ~5 branches | Small chain · regional office group · a few project sites | The crossover tier, and we treat it as one: light edge per branch with a single broadband link, cloud inspection for internet traffic, encrypted tunnels back to headquarters, remote access for a small user group. At this size we always price the box alternative alongside — and if it wins, we say so. |
| ~20 branches | Retail chain · bank branch network · school or clinic group | Where the model starts paying for itself: zero-touch onboarding as standard, dual link per branch (broadband plus cellular backup), local breakout for cloud applications under policy, one policy set with per-site exceptions, central logging with retention, zero-trust access for the whole mobile workforce. |
| 50+ branches & remote workforce | National chain · government branch network · distributed enterprise | Operations-first design: policy grouped by site role rather than by site, staged rollout with a pilot group before the fleet, redundant service connections per region, application-aware path selection tuned per branch class, endpoint posture tied into the access decision, and a change process that assumes people leave and documents must survive them. |
The solution is built from these product and service categories — the brand is chosen with you at design stage. Exact models depend on your site count, bandwidth, enabled functions and destination country — so we spec models after your requirements list, not before.
| Role | What it does |
|---|---|
| Branch edge devices | The small router or firewall-router at each site: builds the encrypted tunnel, selects the link per application, keeps a local rule set when the tunnel is down. Sized by branch bandwidth and user count, not by the biggest branch you have. |
| Cloud-delivered security service | Firewalling, intrusion prevention, web gateway and cloud-application control, subscribed per user per year. This is a service line in your budget forever, not a purchase — we say that plainly before you sign. |
| Unified controller / management platform | Where the single policy is written and from where it is pushed; also where onboarding, per-site exceptions and change history live. The component that makes fifty sites one job instead of fifty. |
| Zero-trust access gateway & client | Publishes internal applications per person instead of exposing the LAN, checks user and device each session, and replaces the full-tunnel VPN that everyone quietly disables. |
| Endpoint agent (posture & response) | Feeds device health into the access decision and handles what the network cannot see. Whether it is bundled with the service or bought separately depends on the brand — we spell out which, for your shortlist. |
| Branch links (broadband + cellular backup) | Not a box we sell, but the thing your branch availability actually depends on. Buy from local carriers; we specify what the design needs and how the backup should behave. |
Send us your requirements list — site count, users per site, links per branch, which applications must never stop — and the model list follows. That order keeps the design honest.
An engineer replies with an architecture outline, a policy structure and the equipment-category list — including whether boxes would serve you better at your size. Send us your requirements list; the model list follows.