Knox.
Internal AI platform
Internal · Proposal v1

One app for everything
our techs need to know.
Built like a vault.

Knox unifies the dozen tools our technicians juggle every day into a single place to look, think, and document — powered by AI that runs inside our own walls.

10+ · Tools unified
1 · App to open
0 · Client data leaves our network
~6wk · To first usable version

What we're solving

Knowledge lives everywhere, and that's the problem.

Our techs don't lack skill. They lack a single place to find what they already know. The cost shows up everywhere: repeated questions, missed renewals, slow tickets, and patterns across clients we never notice until they become problems.

01 · Knowledge is fragmented
OneNote, Passportal, ConnectWise, tribal knowledge — answers exist, but finding them costs more than answering from scratch.
02 · No unified client view
Tenant type, MFA setup, license mix, security posture — every ticket starts with ten minutes of "wait, what kind of environment is this?"
03 · We're reactive, not proactive
Client problems become our problems when the phone rings. The signals were there earlier — we just had no system to read them.
04 · Recurring obligations slip
Cert renewals, license renewals, scheduled reviews — the calendar lives in someone's head until it doesn't, and then it's an emergency.
05 · We solve the same problem repeatedly
The same Outlook bug hits eight clients in a month. No one connects them. The fix gets re-derived eight times.
06 · Documentation is a chore
We've always meant to be better at it. The honest fix isn't more discipline — it's making documenting easier than not documenting.

The centerpiece

Knox is the one app our techs open first.

Type a client name. See everything that matters about them. Ask Knox a question and it pulls the answer from whichever system actually has it. Resolve a ticket and Knox offers to write the documentation for you.

Mockup of the client view (knoxplatform.dev / clients / acme-corp):

Snapshot · Acme Corp
Hybrid AD · Entra Connect
MFA: Authenticator (number match)
M365 Business Premium × 47
Patched 2 days ago

Risk score: 62 ↑ 8
3 ThreatLocker elevations
Sign-in risk +12% wk/wk
No Huntress incidents

Coming due: 2 items
SSL cert · 14 days
Quarterly access review · overdue
Backup verified

Search results:
OneNote · Intune Autopilot: Acme-specific deployment notes, updated 23d ago
Knox KB · Acme: Autopilot enrollment process (migrated) v3, 2 mo ago
ConnectWise · Ticket #48211: Autopilot hash collection issue (resolved), 6 wks ago

Unified search

One box. Every system. Semantic search that understands what you mean, not just what you typed.

Document this

Resolve a ticket, click once, get a draft KB article. Edit, publish back to the right place.

Find the gap

Knox flags tickets that resolved without matching documentation — every gap becomes a queue item.

Snapshot view

Tenant type, MFA, license mix, recent activity, risk trend, what's coming due. At a glance.

How it's built

A platform, not a product.

Knox is what techs see. Underneath is a layered platform that makes new capabilities cheap to add. Each layer has one job. The Privacy Boundary is non-negotiable: nothing identifying crosses it without being tokenized first.

Knox (what our techs use): Unified client view · Semantic search · Doc-Assist · Tier-1 Assist · Snapshot · Recurring Obligations
Executive views (what leadership reads): Monthly trends report · Risk dashboard · Repeat-issue digest · KPI dashboards
Intelligence layer (where the AI lives): Categorize · Cluster · Score · Correlate · Narrate · Embeddings store
Privacy Boundary (the vault; nothing passes raw): Tokenize identifiers · Filter secrets · Local key · Audit log · Local-model routing
Data layer (where the truth already lives): BrightGauge · N-central · ConnectWise · OneNote · MSP Process · ThreatLocker · Huntress · DNSFilter · ESET · M365 Graph · GlassHive · QuickBooks

Why it's called Knox

Client data stays inside our walls.

Concerns about AI seeing client data aren't a constraint to work around — they're the architectural foundation. Knox is built so that nothing identifying ever leaves our network, and the most sensitive analysis never leaves our hardware.

Acme Corp (real data stays local) → CLIENT_07 (tokenized at the boundary) → Insight (de-tokenized on return)

Tokenization

Client names, hostnames, emails, IPs — all replaced with stable anonymous tokens before any external AI call. The mapping never leaves our key store.
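As an added illustration (not part of the proposal's design or any Knox code), the tokenize/detokenize round trip the Privacy Boundary describes, in Python: stable per-identifier tokens, a mapping that never leaves the local store, secrets dropped rather than tokenized, and an audit record of exactly what crossed the boundary. The Boundary class, its regexes, the client list and the stub external model are all assumptions made for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Identifier classes the boundary tokenizes; e-mails and IPs go first so the looser host pattern never sees them.
PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("HOST", re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")),
]
# Secrets are never tokenized (a stable token would still reveal reuse); they are dropped outright.
SECRET = re.compile(r"(?i)(password|passwd|secret|token)\s*[:=]\s*\S+")
@dataclass
class Boundary:
    clients: list[str]  # known client names (assumed to come from the data layer)
    forward: dict[str, str] = field(default_factory=dict)  # raw -> token; lives only in the local key store
    reverse: dict[str, str] = field(default_factory=dict)  # token -> raw
    audit: list[dict] = field(default_factory=list)

    def _token(self, kind: str, raw: str) -> str:
        # Stable: the same raw value always yields the same token, so clustering and
        # trending across calls still work on the tokenized text.
        if raw not in self.forward:
            n = sum(t.startswith(kind + "_") for t in self.reverse) + 1
            self.forward[raw] = f"{kind}_{n:02d}"
            self.reverse[self.forward[raw]] = raw
        return self.forward[raw]
    def tokenize(self, text: str) -> str:
        text = SECRET.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)
        for name in sorted(self.clients, key=len, reverse=True):  # longest names first
            text = re.sub(re.escape(name), lambda m, n=name: self._token("CLIENT", n), text, flags=re.IGNORECASE)
        for kind, pat in PATTERNS:
            text = pat.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text
    def detokenize(self, text: str) -> str:
        return re.sub(r"\b(?:CLIENT|EMAIL|IP|HOST)_\d+\b", lambda m: self.reverse.get(m.group(0), m.group(0)), text)

    def ask(self, prompt: str, model, who: str) -> str:
        sent = self.tokenize(prompt)  # only tokenized text crosses the boundary
        received = model(sent)
        self.audit.append({"who": who, "sent": sent, "received": received})  # what went out, what came back
        return self.detokenize(received)  # the tech sees real names again
def fake_external_model(text: str) -> str:
    # Stand-in for the external no-train LLM: it only ever sees tokens.
    host, client = re.search(r"HOST_\d+", text)[0], re.search(r"CLIENT_\d+", text)[0]
    return f"Check Entra Connect on {host} for {client}."

# Constructed sample ticket text, not real client data.
PROMPT = ("Acme Corp ticket: dc01.acme.local cannot sync; admin@acme.example reports "
          "10.0.0.5 unreachable. Temp password=Hunter2! was set.")
```

The regexes are deliberately minimal; a production boundary would also need the client list, hostname conventions and secret formats of the real data sources.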

On-prem inference

Sensitive workloads — security incidents, anything touching credentials or PII — run on a 4-GPU local AI server. Never leaves the building. Ever.

Mesh-only access

Knox has no public DNS, no internet-facing ports. Every connection — technicians, dashboards, anything — runs through our private Netbird mesh. From the office, from home, from a client site: same private network.

Passportal stays separate

Knox has no live connection to Passportal. Credentials never enter the AI pipeline. Documentation may be exported once as a seed for Knox's own KB; after that, all new docs land in Knox.

No-train contracts

External AI services run on contractual no-training tiers. Documented vendor agreements, not handshake assurances.

Full audit log

Every AI call is logged: what was sent, what came back, who triggered it. Reviewable, reportable, defensible.

Analytical power preserved

Stable tokens mean Knox can still cluster, score, and trend across clients — privacy doesn't cost us insight.

How we get there

Phase by phase. Each phase ships standalone value.

The platform is modular by design. Phase 0 lays the foundation. Phase 1 puts Knox in techs' hands. Every phase after adds capability without breaking what came before. Nothing requires a big-bang launch.

Phase 0: Foundation (~2 weeks)
Platform spine. Privacy Boundary stood up. Data ingestion from BrightGauge, N-central, OneNote. Embeddings store ready.
Phase 1: Knox MVP, demo-able (~4–5 weeks)
Knox v1 in techs' hands: unified client view, semantic search across everything. Monthly trends report. Repeat-issue detection. KB-gap surfacing.
Phase 2: Doc-Assist · Risk · Obligations (~5–6 weeks)
"Document this" AI workflow. Multi-source client risk scoring (Huntress + ThreatLocker + DNSFilter + Defender + MSP Process). Recurring Obligations: cert/license renewals.
Phase 3: Workflow assists (parallel)
Tier-1 Assist conversational mode. Followup Enforcer for ticket notes & timesheets. MSP Process verified-caller context wired in.
Phase 4: Financial overlay (TBD)
QuickBooks integration: profitability per client overlaid on risk score. Red AND unprofitable is a different decision than red AND high-margin.
Phase 5: Marketing module (TBD)
GlassHive integration. Ticket-trend content generation. Win/loss analysis. Same platform, separate module.

What it's built on

Standard tools. No vendor lock.

Boring, well-supported, internally hostable. Python everywhere so two engineers can work on any part without context-switching. Nothing exotic; nothing we can't replace.

Backend: Python · FastAPI
Where the AI ecosystem lives. Async-native, type-checked, fast where it matters.
Database: Postgres · pgvector
Relational data and vector embeddings in one place. Mature, free, runs anywhere.
Background work: arq · Redis
Ingestion, batch categorization, embedding generation. Simpler than Celery at our scale.
Local AI serving: vLLM
Best-in-class throughput for self-hosted LLMs. Its own LXC with GPU passthrough.
Host platform: Proxmox VE
Workloads as containers and VMs. Snapshots before every deploy. One-click rollback.
Network access: Netbird mesh
Private WireGuard mesh. Same access from office, home, or client site. No public ports.
Auth: OIDC · Entra
Single sign-on through our existing M365. No separate user database to maintain.
Frontend: React (likely)
Knox's interactive client view earns a real SPA. Decision finalized in the first design pass.

Other languages permitted for one-off tools and experiments. The platform standardizes.