Configuration management, modernized

Tens of Thousands of Nodes on a Single Server.

You set the check-in cadence.

The Distributed State Enforcement Engine built for fleet scale and operational simplicity.

A true self-healing network: every agent corrects its own drift on every check-in — one second apart, by default. Measured live on one 8 vCPU / 32 GB server: ~7,450 nodes at the one-second default, ~30,000 as you relax the cadence — see how we measured it.

Free for up to 100 nodes. No credit card. No time limit.

Releasing soon: Vigo is in alpha and closing in on its first stable release. Expect breaking changes between releases until then — we're looking for testing partners with meaningful fleets across diverse architectures.

Measured on a single server

An 8 vCPU server with 32 GB of RAM. The check-in cadence sets the ceiling — here's what it held, measured live, not extrapolated.

Vigo measured capacity and footprint on a single 8 vCPU / 32 GB server, across check-in cadences.
| Measured on the test rig | Vigo |
| --- | --- |
| Nodes at a 1-second cadence | ~7,450 |
| Nodes at a 30–60-second cadence | ~30,000 |
| RAM per connected node | ~220 KB |
| Agent binary | ~8 MiB |
| Binding limit | CPU at 1 s, memory at slow cadence |

Measured live on an 8 vCPU / 32 GB server. At a one-second cadence the server is CPU-bound (~7,450 nodes); relax the cadence and it becomes memory-bound in the tens of thousands (~30,000 at 30–60 s). Capacity scales ~linearly with cores and RAM.

Capacity

Tens of thousands / server

On a single 8 vCPU / 32 GB server, measured live — ~7,450 envoys at the one-second default, ~30,000 as you relax the cadence. You set the trade-off; capacity scales linearly with cores and RAM. No compile masters, no worker pools, no database clusters.

Speed

Microseconds, not milliseconds

The hot path is a ~53 µs ED25519 signature verify (benchmarked) against an in-memory index — the rest is sub-microsecond. No catalog compilation, no Ruby interpretation, zero database queries on the check-in path.

Simplicity

YAML. Not a DSL.

No custom language to learn. No compiler. No Ruby, no Python, no JVM on managed nodes. A sysadmin unfamiliar with Vigo can read a config file and understand what it does. One format, one directory, one publish command.

Cost

100 nodes free. Forever.

No enterprise-only features. No gated add-ons. Every feature works at every tier.

Architecture

Vigo architecture — agents pull desired state from the server over gRPC/mTLS, converge locally, and report results

Server up and running with one copy-paste

mkdir -p /srv/vigo
docker run --rm -v /srv/vigo:/srv/vigo us-west1-docker.pkg.dev/project-69f2499e-5082-48f0-b19/vigo/vigo:latest --seed-only
cd /srv/vigo
docker compose up -d

That's it. TLS certificates, database, secrets, and example configs are auto-generated on first start. Open https://localhost:8443 to see the dashboard.

Agents enrolled in 30 seconds

curl -sSfk https://server:8443/bootstrap | sudo sh

Downloads the 8 MiB agent binary. Generates TLS certificates. Enrolls with the server. Installs the system service. Verifies connectivity.

Works on Linux, macOS, FreeBSD, OpenBSD, NetBSD, and illumos.
Windows: irm https://server:8443/bootstrap?os=windows | iex
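
The -k flag in the one-liner above turns off TLS certificate verification, so the script handed to a root shell is fetched without authenticating the server. An added example (not Vigo's own tooling) that downloads the script over a verified connection and checks its digest before running it. The CA file and the expected SHA-256 are assumptions: values you copy from the server out of band, with the served script assumed to be byte-identical on every fetch.

```shell
#!/bin/sh
# Added example, not part of Vigo. Fetch, verify, then run, instead of
# piping an unverified download straight into a root shell.
# Usage (placeholder values):
#   bootstrap_verified https://server:8443/bootstrap /path/to/server-ca.pem <expected-sha256>

# Print the SHA-256 hex digest of a file (GNU coreutils or BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_SHA256
# Returns 0 on an exact digest match, 1 on mismatch, 2 if FILE is missing.
verify_script() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# bootstrap_verified URL CA_FILE EXPECTED_SHA256
bootstrap_verified() {
    tmp=$(mktemp) || return 1
    # --cacert validates the server against the CA copied out of band,
    # replacing -k. The script lands in a file so it can be checked whole.
    curl -sSf --cacert "$2" -o "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    if verify_script "$tmp" "$3"; then
        sudo sh "$tmp"
        rc=$?
    else
        echo "bootstrap script digest mismatch; not executing" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```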

See everything at a glance

Vigo dashboard showing fleet convergence, security posture, compliance status, and risk scoring
Standards compliance: Vigo compliance dashboard with framework coverage for HIPAA, SOC 2, PCI DSS, and NIST
Security posture: Vigo security page with CVE impact analysis, vulnerability scanning, and threat detection
Risk quantification: Vigo risk posture page with fleet risk scoring, contributing factors, and trend analysis
Documentation + AI assistant: Vigo documentation browser with the Ask Claude AI assistant drawer answering a question about database disaster recovery with scenario-based guidance
Peer-to-peer distribution: Vigo swarm page showing peer-to-peer content distribution with seeding allowlist, file roster, SHA256 chunks, and per-file distribution status across envoys
CVE impact analysis: Vigo CVE impact detail drawer grouping 7 affected packages by CVE, with Trivy / Debsecan / Lynis / rkhunter / ClamAV / AIDE scanner columns and Ask AI remediation buttons
Fleet inventory: Vigo envoys page with 5 managed nodes, per-host agent version, root-fs usage, reachability and convergence counters, plus fleet-wide totals and drift-rate header cards
AI-drafted remediation: Vigo security page with the Ask Claude drawer open, showing an AI-drafted remediation strategy for a gRPC CVE including the exact .vgo configcrate to publish with upgrade order and version constraints

One config. Every platform.

69 resource types — 68 built-in (16 of them SSH-based network-device executors for Cisco, Arista, and Juniper) plus a user-supplied custom executor. Write type: service and the agent dispatches to the correct backend. No platform-specific configs required.

Supported platforms with their init system and package manager. Vigo ships 69 resource types — 68 built-in (16 SSH-based network-device executors) plus a custom executor.
| Platform | Init System | Package Manager | Executors |
| --- | --- | --- | --- |
| Linux | systemd | apt, dnf, yum, zypper, pacman, apk | Cross-platform |
| macOS | launchd | Homebrew | Cross-platform |
| FreeBSD | rc.d | pkg | Cross-platform |
| OpenBSD | rcctl | pkg_add | Cross-platform |
| NetBSD | rc.d | pkgin | Cross-platform |
| illumos | SMF | IPS | Cross-platform |
| Windows | Windows Service | Chocolatey, winget, Scoop | Cross-platform |
| Network Devices | | | 16 SSH-based (Cisco, Arista, Juniper) |

Remote access from the browser

SSH terminals and RDP desktops in your browser. No VPN. No bastion host. No port forwarding. Through the same mTLS tunnel the agent already uses.

SSH

Full terminal via xterm.js. Ephemeral keys generated per session. No permanent SSH credentials stored on the server.

RDP

Graphical desktop via Guacamole. Fit-to-window or 1:1 scaling. Clipboard sync, file transfer, on-screen keyboard.

Shadow / Assist

See and control a user's live desktop session. Observe what they see in real time, or take the wheel to help. User consent prompts built in. Linux (x11vnc) and Windows (TightVNC).

Zero infrastructure

No jump boxes, no VPN concentrators, no SSH bastion. The agent tunnels through its existing gRPC connection. One fewer attack surface.

22 compliance frameworks. Enforced, not just reported.

Vigo maps configcrate resources to regulatory controls and tells you exactly what it enforces, what it monitors, and what requires external validation. No overclaims.

HIPAA

Access controls, audit logging, encryption, session management

SOC 2

Change management, access provisioning, monitoring, availability

PCI DSS v4.0

Firewall, hardening, access control, integrity monitoring

NIST 800-53

AC, AU, CM, IA, SC control families

CIS Benchmarks

Ubuntu, RHEL, Windows Server — 260+ controls

ISO 27001

Asset management, cryptography, operations security

Also: SOX, FINRA, MiFID II, GDPR, NERC CIP, HITRUST, IEC 62443, FDA 21 CFR Part 11, Cyber Essentials Plus, CCSS, UKGC, Nevada GCB, MGA, NY DFS 23 NYCRR 500.

Observe before you enforce

Run Vigo alongside your existing configuration management. See exactly what it would change — without changing anything.

Per-node or fleet-wide

Enable observe mode globally in server.yaml or per-node in config. Agents report drift without applying changes.

Safe migration path

Enroll nodes managed by your existing configuration management. See what Vigo would do. Cut over when you're confident.

Configcrate retraction

Mark a configcrate state: absent and Vigo reverses what it applied — files, packages, services, commands — on the next check-in. Declarative, version-controlled, server-side.

Distribute anything. Peer-to-peer.

Underneath every agent runs Swarm, an envoy-only mTLS peer-to-peer network with no server in the data path. Six content subsystems ride on it, all rooted in per-user puddle identity: Filecast pushes files from administrators to the fleet, Longdrawer and Lockbox sync per-user directories across your own machines (plaintext and encrypted), Gitback mirrors personal git repos, Curator is a content-addressed artifact registry, and Poolq is an ordered append-only log for the fleet.

Filecast

Administrator-pushed file distribution. Seed a payload from the CLI or the admin UI and every targeted envoy pulls it peer-to-peer. Rarest-first chunk scheduling, adaptive bandwidth, real-time progress tracking with per-chunk source visualization.

Longdrawer

Drop a file in ~/longdrawer/ on any machine. It appears on every other machine where you have an account. Delete it and it disappears everywhere. LAN-only, fully peer-to-peer, no server involvement, no config, no commands.

Lockbox

Encrypted sibling of Longdrawer. Files in ~/lockbox/ are ciphertext at rest on every envoy, encrypted to each peer's public key. Unlock with vigo swarm puddle unlock to decrypt locally. Pick this for anything you want to stay unreadable on a stolen machine.

Gitback

Personal git mirroring with no third-party host. Run vigo swarm gitback project init in any repo and every push fans out as a bundle to your other envoys over mTLS. If your workstation dies, git clone gitback://<your-name>/<repo> from another machine pulls the full history back. No external git service, no code leaving your network.

Curator

Content-addressed peer-to-peer artifact registry. Publish binaries and container images once and every envoy resolves them by hash and pulls them off the swarm — no registry server, no central store in the data path.

Poolq

An ordered, append-only log and queue for the fleet. Records and events stream across envoys peer-to-peer in a consistent order, with no broker in the data path.

Server goes down? Agents keep working.

Agents cache signed policy bundles in LMDB. When the server is unreachable, convergence continues using the last-known policy. Results queue locally and drain automatically when connectivity returns. No other state enforcement engine offers this level of offline resilience.

Try it now

Free for up to 100 nodes.* No credit card. All features included.

* Free tier is provided AS IS with no support obligation. See Commercial Terms.