All your sites in one place

Easy, Secure Remote Access to Every Site

Eradicate remote access pain. Stop juggling VPNs and multiple credentials. No new hardware or site software required*.

*Supports whatever VPNs, mesh networks or TeamViewer you already use. If you don't have any existing site connections we can provide IT infrastructure and advice, too.

Why bureaus leave legacy tunnels

Copy-pasting credentials and looking up IP addresses by hand doesn't scale.


Before Overlay

  • 10-30% of bureau time spent juggling VPNs and emailed credentials
  • Jury-rigged customer access solutions look amateurish and create risk
  • Lack of audit trail causes lack of compliance

Cluttered remote desktops. Shared site credentials. Zero audit defense.

After Overlay

  • Log in once, access all sessions in one browser tab
  • Secure kiosk links and customer portals in seconds
  • Auditable session logs for contractors, customers, and staff

Overlay keeps bureaus billable while satisfying enterprise-grade controls.

Unified command center

One Pane of Glass for All Sites

Securely reach any OT/BMS network—Trend, Tridium, Desigo, EcoStruxure, IQVision, and more—through a consistent, audited, identity-driven access workflow.

  • Log in once to access all your remote connections
  • No more VPN sprawl, firewall battles, multiple TeamViewer accounts or IT dependencies
  • Works with all major VPNs including mesh networks like Tailscale and ZeroTier
  • Logs you into head-ends automatically (currently works on Niagara 4, support for Siemens/Schneider coming soon)

Reduce Engineer Friction

Engineer Productivity

Overlay cuts the wasted hours caused by system switching and access chaos, helping bureau teams reclaim 10–30% of their day for proactive work and first-time fixes.

  • Convenient remote commissioning without losing security
  • Works out of the box with Workbench, IQSET, Desigo CC, EcoStruxure, and anything else that's TCP-based
  • Request hosted VMs with IPSec tunnels for full compatibility with BACnet and other UDP-based protocols
  • Auditable contractor access without compromising security
  • Just-in-Time access is automatically locked to the engineer's IP address and expires at session end

Whitelabelled products and services

New Revenue Streams

Launch a turnkey customer access portal in a few clicks. Earn revenue from digital services and products. We'll provide the infrastructure, the support, and sales collateral to get you started.

  • Whitelabelled customer access portals, hosted under your own domain (or theirs)
  • Cloud-host customer head-ends that can cope with the largest buildings
  • You earn high-margin recurring revenue
  • We provide customisable sales literature and brochures
  • Easy onboarding for your customers

Deep tech / security

Built for Multi-Vendor BMS Environments

Overlay isolates every session, enforces policy inheritance for every OEM, and keeps a complete auditable history. No more credentials in emails or sites exposed to the internet.

Identity-based access

Browser and engineering sessions map to individuals, never to shared credentials.

Zero-trust segmentation

Micro-segment every building system so authenticated users only see their assigned scopes.

Session sandboxing

Ephemeral session hosts isolate activity. Nothing can move laterally across networks.

Continuous logging

Satisfy enterprise compliance requirements with full audit trails for every session and action taken.

Multi-vendor native

Overlay normalises Tridium, Siemens, Schneider, and legacy stacks without gateway swaps.

BMS workflow-driven

Built around common BMS workflows, with secure defaults. Designed to save time and prevent breaches.

Compatibility & Onboarding

Works with the connectivity you already have.

Overlay doesn’t require new hardware, site software, or a network redesign. It plugs into your existing VPNs, mesh networks, and remote desktop tools so you can keep your current architecture.

  • No site changes required
  • No new firewalls or ports to open
  • Onboarding typically takes hours, not weeks

🔧 How it works (for IT & engineering teams)

OpenVPN, IPSec, Tailscale, WireGuard, TeamViewer, RDP & more

Overlay plugs into the connectivity you already use. Give Overlay secure access to the same networks your engineers use today, and it provides audited, identity-based access without new tooling.

VPNs (OpenVPN / IPSec)

If you already use a corporate firewall or VPN (e.g. OpenVPN or IPSec), your sites will already be connected into a private network.

To onboard Overlay, you provide a VPN profile that allows an Overlay connector to join that network. The connector is placed into a subnet that can reach the IP addresses you want to access — for example, the hub network in a hub-and-spoke setup.

If you need stronger segregation, you can run multiple Overlay connectors, such as one per customer or network segment.

Mesh networks (Tailscale / WireGuard / ZeroTier)

If you already use a mesh network, onboarding is simple.

You provide the configuration needed for an Overlay connector to join the mesh — just like adding another site or device. Once connected, Overlay can reach any permitted devices on the mesh.

If you'd like to use a mesh network but don't already have one, we can supply an Overlay environment with a managed WireGuard instance pre-configured.

Remote desktop tools (TeamViewer, RDP, VNC)

If you currently access sites using remote desktop software, Overlay can broker those connections for you.

For TeamViewer, you provide the site IDs and credentials once at setup. Your engineers then sign into Overlay and, based on the roles and permissions you define, can launch in-browser sessions without handling credentials themselves.

The same applies to RDP or VNC: Overlay needs network access to the host (via VPN or mesh, as above), and the login details are entered once when the resource is created. After that, authorised users can connect with a single click.

For other remote or virtual desktop technologies, please contact us to discuss support.

Guided setup. Adapts to your network, fast.

Four-step rollout

Go live without replacing hardware or site software.

Follow the same path as bureaus modernising dozens of head-ends in a month without changing their tech stack.

Step 1

Book a Demo

Review your connection architecture and how Overlay can streamline site access.

Step 2

Connect Your Sites

Self-service or fully managed onboarding.

Step 3

Empower Your Team

Invite staff, contractors, and customers to access their sites.

Step 4

Unlock New Revenue

Launch portals and hosted head-ends in hours, not weeks.

Guide + partner

Overlay guides every rollout with empathy and authority.

We have lived through bureau firefights and IT security audits. From small pilots to large rollouts, we have both self-service onboarding facilities and the ability to automate deployments at scale.

  • Self-service for small portfolios, fully managed for large bureaus
  • Compliance templates for bureaus, FM teams, and OEM partners
  • Managed rollouts that don't consume ops resource

How we work

Discovery

Bureau review + proof-of-value inside 14 days.

Rollout

We embed with your bureau leads and IT while we onboard your portfolio.

Growth

Co-market new services with ready-made collateral.

Pricing

Plans to suit teams of any size.

Small teams benefit from a cost-effective self-service, pay-as-you-go option. For bureaus, we provide dedicated environments, a white-glove onboarding service, and our leading zero-trust ephemeral jump hosts for compliance with the strictest customers.

Need specifics? Our team will tailor a plan for your portfolio and remote connection architecture.

Instant quote

Ready to move?

Solve remote connection pain in weeks, not years.