Managed SCADA connectivity
The secure line into the field.
Your VTScada makes one outbound connection to us. Alarms and remote access flow over it. Nothing reaches back into your control network.
Your SCADA reaches out to us. Nothing reaches back in.
Remote sites, alarms at 2am, and no clean way in.
You run wells and facilities that are hours from anyone. An alarm has to reach a person in the middle of the night. An operator needs to see the HMI from town. Today the options are all bad.
Put VTScada on the internet so it can be reached. Every IT and IS person you have says no, and they are right.
Stand up a VPN, change the firewall, and get IT on a three-way call every time someone new needs access.
Send someone to site to read a screen or clear an alarm. Hours of windshield time for a two-minute look.
There is a better line into the field.
One outbound connection. Zero inbound ports.
A small connector on your side dials out to Tethyr and forms an encrypted tunnel. Your firewall opens nothing. Alarm callouts and remote access ride that one line. The direction is the whole point: your SCADA reaches out to us, and nothing reaches back in.
Four steps, one direction.
- 01connector: outbound only
The connector dials out
Install one package on the VTScada box or a small separate host. It only dials out. Your IT opens no ports.
- 02wireguard: encrypted, outbound
The tunnel forms
The connector builds a WireGuard-encrypted tunnel to Tethyr over an ordinary outbound connection. Nothing listens for inbound traffic on your side.
- 03callouts: validated, forwarded
Callouts flow
An alarm condition places a callout through Twilio. Tethyr validates the request cryptographically and forwards only genuine callbacks over the tunnel. Nothing spoofed gets through.
- 04access: brokered, mfa
Access flows
An operator signs in and launches VTScada in a browser. The session is brokered over the tunnel with MFA on every login. The browser is never on your network.
One dashboard for the whole fleet.
Connector health, callouts, and access in one place. This is the product direction, shown with the real brand. It is a vision of the build, not a claim that it has shipped.
Fleet status
12 / 12
37
3
cnrl-battery-04
10.20.4.11
tourmaline-ci-2
10.20.9.30
westbrick-sat-7
10.20.7.12
Bringing the site online
- +Account and tenant created
- +Connector command generated
- +Connector dialed out, tunnel formedonline now
- VTScada reachable through tunnel
- Independent alarm fallback confirmedrequired to go live
Launch a session
- Launch
Battery 04 HMI
overview, trends, alarms
- Launch
Compressor CI-2
runtime, suction, discharge
- Launch
Sat 7 Wellheads
12 wells, statuses
session brokered over the tunnel. the browser is never on the control network.
Two streams. Buy one or both.
Alarm callouts that just work.
Your alarm callouts reach a person, reliably, without exposing anything. Requests are validated cryptographically and forwarded over the tunnel. Nothing spoofed reaches your SCADA.
- Cryptographically validated
- No inbound ports
- Reliable delivery to a human
Launch VTScada from anywhere.
Operators open a branded portal and launch the HMI in a browser, brokered securely over the tunnel. MFA on every login. The browser never touches your control network.
- Runs in the browser, no install
- MFA on every login
- Access control you delegate
The security story is the architecture.
This is the answer for your IT and IS team. Stated as fact, not fear.
Outbound-only, zero inbound ports
Your side opens nothing to the internet. The connector dials out. There is no inbound port to scan, probe, or exploit.
WireGuard-encrypted tunnel
Traffic rides a modern, audited encryption layer end to end. We do not deploy raw crypto, we manage a proven one.
Tenant isolation
Every customer is isolated at multiple independent layers. One site's traffic can never reach another site's SCADA.
MFA on every login
Multi-factor is required for remote access, on every tier. Access is authenticated before a session is ever brokered.
Credentials stay protected
Customer secrets are stored encrypted and access is audited. They never sit in plain text and never travel further than they must.
Audited by design
Security-relevant actions are logged to an append-only record. SOC 2 controls are in place and on the roadmap to audit.
Built by Exact Automation.
Tethyr is built by the team that already configures your VTScada. This is not a security startup guessing at oil and gas. It is the integrator you already trust, productizing the secure-connectivity work we do by hand today.
- Deep VTScada and SCADA integration experience
- Built for oil and gas operators across the Western Canadian basin
- Support from people who understand a control room, not a call center
The questions they will ask.
Do we have to open any ports?+
No. The connector only dials out. There is no inbound port on your side, nothing to expose, nothing to scan.
Is our SCADA on the internet?+
No. VTScada stays on your control network. It is reached only through the outbound tunnel, and only for the streams you enable.
Is the connection encrypted?+
Yes. The tunnel is WireGuard-encrypted end to end. Remote access requires MFA on every login.
Where do our credentials live?+
Customer secrets are stored encrypted with audited access. They are never held in plain text.
Can one customer reach another customer's SCADA?+
No. Tenant isolation is enforced at independent layers, from routing to the tunnel to the VTScada side. The system fails closed.
Is Tethyr the system of record for alarms?+
No. Tethyr is secure transport. Every site keeps an independent alarm fallback that does not run through Tethyr. We confirm it before you go live.
See the secure line into the field.
Book a short demo. We will show you the outbound-only model, the callouts flow, and remote access in a browser, using your kind of setup.
hello@tethyr.network