Hardware data diodes (Waterfall, Owl, Fox) have been the default for critical infrastructure OT security for 25 years. Paramant is different. This page explains when to use which, honestly.
Last updated: April 2026 · All claims verified against vendor documentation and IEC 62443 / NERC-CIP / ANSSI guidance
Let's start with what the established vendors do better than Paramant can, because an honest comparison starts there.
A hardware data diode is a fibre optic circuit where the transmit end has an emitter and the receive end has a sensor, with no electrical path in the reverse direction. The one-way property is physics, not software configuration. No firmware update, no compromised CPU, no malware can make data flow backward.
Paramant is software. Even with post-quantum encryption, burn-on-read, and RAM-only storage, the underlying network supports bidirectional traffic. A compromised Paramant relay cannot decrypt files (architecturally impossible), but in theory it could be used for signalling attacks through metadata or timing. A hardware diode makes this class of attack physically impossible.
Owl Talon Torrent reaches 100 Gbps sustained throughput on a single appliance. Waterfall's top-end gateways similarly support very high bandwidth. For continuous SCADA data replication in power generation, refining, and large manufacturing, this matters.
Paramant per-relay throughput is currently measured in tens to hundreds of megabits per second, constrained by the web relay architecture. For individual file transfers and periodic sensor data push, this is fine. For continuous high-bandwidth historian replication, it is not the right tool.
ANSSI (French national cybersecurity agency) mandates hardware-enforced unidirectional security for critical infrastructure. NERC-CIP provides explicit compliance exemptions for organizations using unidirectional gateways. ISA/IEC 62443-3-3 recommends them by name.
These frameworks were written when hardware diodes were the only option. Software-based solutions like Paramant are addressed under different control categories (encryption, zone segmentation) and may require additional documentation to demonstrate equivalence to auditors.
Waterfall has 25 years of deployments in nuclear, power generation, rail, and defence. Owl has extensive government and defence adoption with Common Criteria evaluations. For risk-averse buyers in highly regulated verticals, this matters.
Paramant is newer. No publicly available nuclear facility deployments. No Common Criteria evaluation. For organizations that need 25-year track records, Paramant is currently not the right choice.
Software has constraints hardware doesn't. It also has flexibility hardware can't match. Here is what Paramant brings that hardware diodes do not.
Hardware data diodes are inherently one-way. That is their core security property but also their biggest operational limitation. Paramant supports genuine bidirectional file transfer with end-to-end cryptographic integrity guarantees. For OT/IT handoffs that include firmware updates, configuration pushes, or receipt confirmations, this removes the need for complex "return channel" workarounds that most diode deployments require.
Hardware data diodes protect against network-level attacks but depend on classical cryptography for identity, integrity, and authentication of the data crossing them. Most current deployments use RSA or classical ECDSA for these functions.
Paramant uses ML-KEM-768 and ML-DSA-65 (NIST FIPS 203/204, Level 3) for all authenticated transfers. This protects archived data from future quantum decryption, which matters because OT configurations and firmware have lifetimes measured in decades.
A single hardware data diode pair from established vendors costs €15k to €200k depending on throughput and certification. Deployment requires fibre cabling, rack space, specialist installation, and typically specialist services. Lead times are weeks to months.
Paramant Community Edition is free for non-commercial use under BUSL-1.1, and runs on an €80 Raspberry Pi for commercial test deployments. Deploy in 60 seconds with install-pi.sh. This does not make it equivalent to a certified hardware diode for nuclear applications, but it does make it suitable for the thousands of OT environments that can't justify diode pricing.
Hardware data diodes are proprietary. Evaluation depends on vendor certifications (Common Criteria, ANSSI qualification, etc.) that are expensive to obtain and update. Customers generally cannot inspect the implementation themselves.
Paramant is open source under BUSL-1.1. Any auditor can read every line. Any security researcher can test assumptions. Any customer can verify that the deployed binary matches the published source.
Hardware data diodes typically log locally or to a SIEM. There is no external audit trail that third parties can verify. If the diode's logging component is compromised, no external observer would know.
Every Paramant transfer is logged in a public Merkle-tree Certificate Transparency log. External auditors, compliance officers, and any curious party can verify that transfers happened without being able to see what was transferred.
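The audit trail described above, as an added illustration that is not Paramant's own code or log format: it builds an RFC 6962/9162-style Merkle tree over constructed transfer-metadata records, produces an inclusion proof for one transfer, and verifies it against the tree root the way an external auditor would, seeing only hashes and never the file. The record layout, the sample route names and the handling of the signed tree head are assumptions; verifying the signature over the tree head is out of scope here.

```python
import hashlib

# Constructed RFC 6962/9162-style Merkle log model; not Paramant's real format or API.
def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()        # 0x00 = leaf
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # 0x01 = node

def merkle_root(leaves: list[bytes]) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two < n
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list[bytes], index: int) -> list[bytes]:
    """Audit path: sibling hashes from leaves[index] up to the root."""
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf: bytes, index: int, size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """RFC 9162 s2.1.3.2: the auditor needs only a leaf hash and the signed root."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn != 0:  # climb past levels where we were a full subtree
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root

def sample_log() -> list[bytes]:  # five constructed records: route, digest, time; never the file
    return [leaf_hash(f"historian-01>vendor-a sha256={i:064x} ts=2026-04-0{i + 1}".encode())
            for i in range(5)]

def audit_transfer(leaves: list[bytes], index: int) -> bool:
    root = merkle_root(leaves)  # what a signed tree head (STH) would commit to
    return verify_inclusion(leaves[index], index, len(leaves),
                            inclusion_proof(leaves, index), root)
```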
| Capability | Paramant | Waterfall | Owl | Fox DataDiode |
|---|---|---|---|---|
| Architecture | Software relay | Hardware diode | Hardware diode | Hardware diode |
| One-way physical guarantee | No (bidirectional by design) | Yes, fibre optic | Yes, optical | Yes, optical |
| Maximum throughput | ~100 Mbps per relay | Gbps-class | Up to 100 Gbps | Gbps-class |
| Post-quantum cryptography | ML-KEM-768 in production | Classical only | Classical only | Classical only |
| Bidirectional file transfer | End-to-end encrypted | Requires pair of diodes | Bidirectional Owl Talon option | Not by design |
| Firmware/config push to devices | Signed with ML-DSA-65 | Via return diode | Via bidirectional model | Not standard |
| Deployment time | Minutes (Raspberry Pi) | Weeks (cabling + install) | Weeks | Weeks |
| Entry price | €0 (self-host BUSL) | €20k-100k+ | €15k-200k+ | €15k+ |
| Source code auditable | BUSL-1.1 public | Proprietary | Proprietary | Proprietary |
| Common Criteria certified | Not certified | Yes (multiple products) | Yes (selected products) | Yes |
| ANSSI qualification | Not qualified | Qualified | Not confirmed | Dutch MIVD |
| Public CT log / external audit trail | Merkle tree, signed STH | Internal logs | Internal logs | Internal logs |
| Self-hostable | Docker, Raspberry Pi | Vendor appliance only | Vendor appliance only | Vendor appliance only |
Sources: vendor product pages (waterfall-security.com, owlcyberdefense.com, fox-it.com), Common Criteria product listings, ANSSI product qualification register, IEC 62443-3-3 reference.
| Your situation | Best choice | Why |
|---|---|---|
| Nuclear power plant, Tier 1 compliance | Hardware diode (Waterfall/Owl) | Regulatory track record and Common Criteria needed |
| 100 Gbps continuous historian replication | Hardware diode | Bandwidth requirement exceeds Paramant's current capacity |
| Classified government OT network | Hardware diode | ANSSI / BSI / national certifications required |
| Mid-size manufacturer sending daily configs to vendors | Paramant | Cost-effective, post-quantum, auditable |
| Water utility sensor telemetry to cloud | Paramant | Small files, periodic, needs audit trail |
| Wind farm firmware distribution | Paramant | ML-DSA-65 signed firmware, burn-on-read |
| OEM delivering updates to deployed OT fleet | Paramant | Bidirectional, fleet management capable |
| Post-quantum requirement anywhere | Paramant | Only provider with ML-KEM-768 in production |
| Budget-constrained pilot / Raspberry Pi edge | Paramant | Free Community Edition, runs on €80 hardware |
| Hybrid: hardware diode + encrypted file relay downstream | Both | Diode at DMZ boundary + Paramant for encrypted application layer |
Many mature OT environments use hardware diodes at the critical-infrastructure boundary and need a secondary, cryptographically strong transport for data that has already crossed the diode. This is where Paramant fits well: post-quantum encrypted, burn-on-read delivery of files that are consumed by analytics, monitoring, or vendor systems. The hardware diode enforces one-way physics; Paramant enforces cryptographic confidentiality and integrity from that point forward.
If your regulatory framework explicitly requires hardware-enforced unidirectional transfer (ANSSI-qualified French critical infrastructure, NERC-CIP compliance with specific diode exemptions, nuclear safety cases), Paramant does not replace the diode. It complements it, or serves different use cases.
Many OT environments today use firewalls, VPNs, or plain SFTP for data transfer because hardware diodes are too expensive or too rigid. These alternatives have weaker security properties than Paramant: no post-quantum encryption, persistent rather than burn-on-read storage, mutable logs, and reliance on the operator for confidentiality.
For these scenarios, Paramant is a significant security upgrade at a fraction of the cost of hardware diodes.
Different tools for different tiers. Hardware diodes for the absolute top tier of critical infrastructure. Paramant for the broad middle tier where post-quantum encryption, burn-on-read, and auditability matter more than a physical one-way guarantee. Firewalls and VPNs on their own for neither, because they are no longer adequate for sensitive OT data.
If you are currently using SFTP, VPN tunnels, or HTTPS POST for OT data transfer because hardware diodes are too expensive, Paramant is a meaningful upgrade. If you are using hardware diodes and they work, keep them.
Install on a Raspberry Pi or Linux VM. Free for up to 5 devices under BUSL-1.1 Community Edition. Enterprise pricing available for dedicated relays and SLA.