Local‑first, by architecture.
Filtering decisions happen on the device on your network. The dashboard runs on the device. There is no vendor cloud control plane sitting between you and your own protection.
Take your home network back.
Most home networks have quietly become someone else's territory. The router phones home to a vendor cloud. The “protection” is a subscription that watches the same traffic it claims to protect. The data drifts off the property.
WOMBATS Shield is a calm, sovereign appliance that runs on your network, not in someone else's cloud. Filtering, parental controls, ad, tracker and adult-content blocking, and (if you want it) private storage, media, backups and travel Wi‑Fi. Buy it once. Own it. Keep it for years.
What we mean by “sovereign networking”.
Buy once. Own it.
Network protection should not be rented. Shield is a piece of hardware. You pay for it once. There is no monthly fee, no feature unlock, no “professional tier” behind a paywall.
Sovereign, your data stays on your side of the door.
We don't ship your traffic to a vendor cloud for inspection. We don't collect query logs, browsing history, or behavioural profiles back to us.
Long‑lived, by design.
If WOMBATS as a company disappears, your Shield keeps working. There is no required activation server, no cloud login that can lapse, no subscription that can stop. Filter lists are public.
Calm, not hacker.
No green-on-black dashboards. No fearmongering. No countdown timers. A calm appliance that takes care of the network and lets you forget it's there.
Honest about boundaries.
We'll tell you where Shield protects, where it deliberately stops, and what we're still working on. Hedging less, claiming less, meaning more.
Built on trusted open technology, then carefully hardened.
We'd rather tell you what's in Shield than pretend we wrote it all from scratch. Shield runs on Raspberry Pi 5 silicon (2 GB on Core and Edge, 4 GB on Vault) with a Debian 12 base. The DNS-layer filtering engine is AdGuard Home, but every default that conflicted with our privacy or security goals has been disabled, restricted or redesigned. nftables enforces network policy on the device. Software bundles are signed and verified before they're applied. The encrypted partitions are unlocked at boot through a hardware-assisted key path on a real ATECC secure element, bound to the device. On Shield Vault, the storage SSD adds a user passphrase and a recovery key alongside the auto-unlock, three independent ways in.
The full architectural story is on the security page.
Who Shield is for.
Households, privacy-first professionals, small offices, sovereignty-conscious buyers, prosumers, and travellers, Shield fits more lives than you might think. We tell each story properly on the use-cases page, with the desks, lounge rooms and hotel-rooms that go with each.
See who Shield is forIf we disappear, your Shield keeps working.
Shield does not require an activation server, a cloud login, or a subscription to keep filtering. The filter lists it uses are public and continue updating without us. The dashboard is on the device, on your network. The hardware is real, repairable Raspberry Pi 5 silicon. The only thing you lose if WOMBATS as a company goes away is us, not your network.