Boot AI. Touch nothing.
Lictor Isolation OS is a USB stick you boot into a clean, isolated workspace. You get Claude, ChatGPT and Gemini with your own accounts, full power, and zero access to your company network. A VPS running AI, but local. Pull the stick out and there’s no trace.
Free during beta. The image is in final boot-testing. Invites roll out as it stabilises, newest hardware first. No card, no spam: we email you when your build is ready.
The boundary is physical, not a policy you hope holds.
Two zones, one stick. The AI lives in the red zone and can reach the public model APIs. Your real network lives in the black zone and is simply unreachable, dropped at the kernel, by construction.
Reaches the model
The browser talks to api.anthropic.com, ChatGPT and Gemini. Files live only in ~/projects, one folder per project. Ephemeral, wiped each boot.
Unreachable
Your LAN, domain, prod, and the host machine’s own disk (10.x, 192.168.x, your gateway): every path is blocked. Nothing here can reach, change, or delete your business.
Plug in. Power on. Done.
Plug in. Power on.
Boot the stick into a hardened, ephemeral OS, kept separate from the machine’s disk, the domain, and the company LAN. No install on the host.
Your AI, your accounts.
The top-3 clients open in a locked browser: Claude, ChatGPT, Gemini. Sign in with your own accounts; no new subscriptions, nothing to configure.
Reaches the model. Not you.
The workspace talks to the AI providers and nothing else. Your network stays invisible. It’s an air-gap by construction, not a setting you can forget.
Questions
Is it really isolated, or just “configured” to be?
Really isolated. At boot the OS drops every route to a private network (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, link-local and CGNAT) at the firewall, while allowing the public model APIs. We proved the exact same red/black boundary in our open-source container red-zone first. The AI reached api.anthropic.com and every internal address was blocked.
Which AI clients are included?
The top three at launch (Claude, ChatGPT and Gemini) open in a locked, full-screen browser. You sign in with your own accounts; Isolation OS never sees your credentials or sells you a subscription. More vendors follow.
Where do my files go?
Only into ~/projects, one folder per project, inside the red zone. The host machine’s disk is untouched. The profile is ephemeral by default, so you boot fresh every time, with an optional encrypted data partition on the roadmap.
What does it cost?
Free during the beta. When it reaches v1 there’ll be a paid, signed download, but beta members keep early access and get the friendliest pricing. No card to join the list.
Who is this for?
Anyone who wants to use powerful AI without giving it a path to their real systems: regulated businesses (clinics, law firms, fintech) that legally can’t let data wander, dev and security teams piloting AI safely, and founders who simply don’t want an agent one prompt away from prod.
Built by Raffa, a 20-year cybersecurity engineer. Isolation OS is the second pillar of the Lictor suite. It runs the same Core engine behind our security tooling and external scanner, now pointed at the one risk no one else covers: your own AI, reaching your own network.