Securing air-gapped environments with Elastic on Google Distributed Cloud

- Air-gapped environments face a widening defensive gap and need AI-driven security tooling.
- Elastic Security provides protection against supply chain attacks and advanced threat detection.
- AI-driven security operations are possible without any connection to the public internet.

If you are not using AI to defend against AI, you will lose. But for organizations operating in air-gapped environments, the path to AI-driven defense can be blocked by the very isolation that protects them.
Today, we're announcing that Elastic Security is now the embedded security layer for Google Distributed Cloud (GDC) air-gapped environments, expanding our collaboration with Google Cloud. This brings Elastic's agentic security operations platform to government agencies, defense organizations, financial institutions, and telecommunications providers using GDC to run workloads completely disconnected from the public internet.
In this blog, we'll explain why air-gapped environments face a widening defensive gap, how AI-driven defense is possible without compromising isolation, and what Elastic Security delivers inside GDC to close it.
Securing air-gapped environments
Isolation does not always equal protection. Adversaries like nation-state actors, advanced threat groups, and financially motivated operators increasingly use AI to close the capability gap. Supply chain compromises have nearly quadrupled since 2020, and they are one of the primary vectors into disconnected environments.
Attacks can enter air-gapped enclaves through removable media, compromised supply chains, insider access, and tampered hardware. The pattern is clear: adversaries are retooling for speed, prioritizing immediate execution over prolonged stealth. The organizations with the most sensitive data cannot afford to be the ones with the least capable defenses.
Why Elastic Security on GDC changes the equation
Elastic Security on GDC air-gapped delivers a single platform that unifies SIEM, XDR, and native automation. Rather than bolting together separate tools, Elastic Security on GDC air-gapped enables prevention, detection, investigation, and response in one stack with AI embedded throughout.
Prevention at the depth attackers operate
Prevention is the fastest possible response. When breakout times are measured in seconds, post-compromise investigation is already too late.
Elastic Defend provides kernel-level visibility to prevent malware, ransomware, and memory threats before they execute. Advanced attackers operate below the surface where user-mode tools can't reach, so enforcement has to sit at the same depth they operate. When something does require investigation, live forensics and endpoint response actions are available directly from the platform, which is critical in remote, disconnected environments where external incident response support may not be an option.
This prevention-first approach is independently validated. Elastic was the only vendor to maintain a 100% protection rate in AV-Comparatives' 2025 Real-World and Malware Tests for the entire year and followed that with a strong showing in the 2025 EPR Test, stopping 50 out of 50 advanced attack scenarios with zero workflow delays. These results, combined with Elastic's unified licensing, earned recognition as a Leader in the IDC MarketScape for XDR.
Detection built on a search and analytics foundation
Detection without context is just noise. Most security stacks force analysts to manually correlate data across separate endpoint, network, identity, and cloud consoles. In an air-gapped enclave defending against a sophisticated intrusion, that fragmentation is a critical vulnerability.
Elastic is a data company with deep security DNA. Elasticsearch powers search and analytics at global scale, and Elastic Security is built directly on that foundation. We build systems that not only collect telemetry but reason about it.
Endpoint telemetry, network data, identity events, and cloud logs all flow into the same platform and are analyzed by the same engine. When an alert fires, the full narrative is already assembled: which users and hosts are involved, how activity maps to the MITRE ATT&CK framework, and what the attack chain looks like end to end. That depth of context is what gives our AI more precise results and our analysts fewer dead ends.
This is where AI changes defense, not just detection. Attack Discovery uses large language models to analyze alerts, understand the semantic relationships between them, and correlate disparate signals into discrete attack narratives. Elastic AI agents ground their responses with context from your environment's own data, so analysts can immediately ask follow-up questions, generate queries, and plan remediation. Both run continuously, triggering Elastic Workflows that hand findings to agents for enrichment and response, transforming triage from hours of manual correlation to minutes of focused investigation.
Automation where the data lives
In a connected environment, slow response is expensive. In an air-gapped environment, it can be catastrophic. When attackers are inside your most sensitive enclave, every minute of dwell time increases the blast radius.
The legacy answer has been standalone security orchestration, automation, and response (SOAR): a separate product with separate integrations that sits apart from your security data and adds latency at every step. Research shows the average SOC operates across 11 different security consoles. In a disconnected enclave, that architecture compounds every problem. Each integration is a potential failure point to maintain without vendor support. Data moving between tools risks violating sovereignty requirements. And the cost of operating and licensing separate automation tooling on top of your SIEM is overhead that delivers no additional security value.
Elastic Workflows builds automation natively into the platform, right where the data lives. Data never leaves the enclave for processing. There's no separate product to license, integrate, or maintain. Playbooks execute defined tasks with consistency and reliability. AI agents reason through complex investigations, verifying user behavior, cross-referencing threat intelligence, and bundling findings into cases.
In practice, this means that during a supply chain compromise, Elastic's agentic automation doesn't wait for an analyst to begin investigating. It has already pulled the process tree, cross-referenced threat intel, and scoped the incident. By the time the analyst gets a notification, the observe and orient phases are finished. They're starting with assembled context, not a blank screen.
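To make the preceding two sections concrete (the cross-source correlation and ATT&CK mapping described under "Detection built on a search and analytics foundation", and the automated process-tree, threat-intel and scoping work described just above), here is an added toy example. It is not Elastic's code and does not describe how Attack Discovery, Elastic Workflows or Elastic Defend are implemented; the events, hosts, users, hashes and IP address are all constructed, and the only real identifiers are the ATT&CK tactic IDs. It stitches endpoint, identity and network alerts for one user into a single timeline, rebuilds the process lineage behind each endpoint alert, matches hashes and destination addresses against an indicator list that lives inside the enclave (no network call), and reports which hosts were touched.

```python
"""Toy cross-source correlation with process-tree rebuild and offline IOC enrichment.

Added illustration, not Elastic's code. All telemetry below is constructed.
"""

# MITRE ATT&CK enterprise tactic IDs in kill-chain order (IDs and names are real).
TACTIC_ORDER = ["TA0001", "TA0002", "TA0003", "TA0004", "TA0005", "TA0006",
                "TA0007", "TA0008", "TA0009", "TA0011", "TA0010", "TA0040"]
TACTIC_NAME = {"TA0001": "Initial Access", "TA0002": "Execution",
               "TA0008": "Lateral Movement", "TA0011": "Command and Control"}

# Stand-in for threat intel carried into the enclave offline. Constructed values.
LOCAL_IOCS = {
    "sha256": {"11" * 32: "tampered vendor updater (constructed hash)"},
    "ip": {"10.9.8.7": "internal staging host flagged by hunt team (constructed)"},
}

# Constructed telemetry from three sources. 'tactic' is the ATT&CK tactic a
# hypothetical detection rule attached; None marks raw context, not an alert.
EVENTS = [
    {"src": "identity", "host": "ws-07", "user": "jdoe", "ts": 100, "tactic": "TA0001",
     "summary": "logon from removable-media transfer workstation"},
    {"src": "endpoint", "host": "ws-07", "user": "jdoe", "ts": 101, "tactic": None,
     "pid": 3000, "ppid": 1, "image": "explorer.exe", "sha256": "00" * 32},
    {"src": "endpoint", "host": "ws-07", "user": "jdoe", "ts": 102, "tactic": None,
     "pid": 4001, "ppid": 3000, "image": "vendor_update.exe", "sha256": "11" * 32},
    {"src": "endpoint", "host": "ws-07", "user": "jdoe", "ts": 103, "tactic": "TA0002",
     "pid": 4002, "ppid": 4001, "image": "powershell.exe", "sha256": "22" * 32,
     "summary": "encoded command spawned by updater"},
    {"src": "network", "host": "ws-07", "user": "jdoe", "ts": 104, "tactic": "TA0011",
     "pid": 4002, "dst_ip": "10.9.8.7", "summary": "periodic beacon to 10.9.8.7"},
    {"src": "network", "host": "ws-07", "user": "jdoe", "ts": 105, "tactic": "TA0008",
     "pid": 4002, "dst_ip": "10.9.8.7", "dst_host": "srv-12",
     "summary": "admin share access on srv-12"},
    {"src": "identity", "host": "srv-12", "user": "jdoe", "ts": 106, "tactic": "TA0008",
     "summary": "network logon with jdoe credentials"},
]


def ancestry(events, pid):
    """Walk ppid links upward from pid over endpoint events; return the chain root first."""
    procs = {e["pid"]: e for e in events if e["src"] == "endpoint"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against ppid loops
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def ioc_hits(events):
    """Match file hashes and destination IPs against the local list. No network call."""
    hits = {}
    for e in events:
        for field, kind in (("sha256", "sha256"), ("dst_ip", "ip")):
            value = e.get(field)
            if value in LOCAL_IOCS[kind]:
                hits[value] = LOCAL_IOCS[kind][value]
    return hits


def build_case(events, user):
    """Assemble one narrative for a user: timeline, process lineage, IOCs, host scope."""
    alerts = sorted((e for e in events if e["tactic"] and e["user"] == user),
                    key=lambda e: e["ts"])
    hosts, steps = set(), []
    for e in alerts:
        hosts.add(e["host"])
        if "dst_host" in e:
            hosts.add(e["dst_host"])
        step = f"{TACTIC_NAME[e['tactic']]} [{e['src']}] {e['host']}: {e['summary']}"
        if "pid" in e:
            lineage = " > ".join(p["image"] for p in ancestry(events, e["pid"]))
            step += f" | lineage: {lineage}"
        steps.append(step)
    # Furthest kill-chain stage reached, used to prioritise the case.
    furthest = max((e["tactic"] for e in alerts), key=TACTIC_ORDER.index, default=None)
    return {"user": user, "hosts": sorted(hosts), "steps": steps,
            "iocs": ioc_hits(events),
            "furthest_stage": TACTIC_NAME.get(furthest) if furthest else None}


if __name__ == "__main__":
    case = build_case(EVENTS, "jdoe")
    print("scope:", case["hosts"], "| furthest stage:", case["furthest_stage"])
    for s in case["steps"]:
        print(" -", s)
    for indicator, desc in case["iocs"].items():
        print("IOC", indicator[:16], "->", desc)
```

The point of the toy is the shape of the output: by the time a human looks at the case, the user, the two hosts, the lineage explorer.exe > vendor_update.exe > powershell.exe, and the two indicator matches are already on one screen. A real pipeline would draw the same fields from the endpoint, identity and network indices rather than a Python list, but the correlation logic an analyst otherwise performs by hand across consoles is the same.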
AI without connectivity requirements
A common objection in air-gapped and regulated environments is that AI-driven security requires connectivity to cloud-hosted models, which fundamentally conflicts with the reason for being air-gapped in the first place.
Elastic provides model sovereignty. You choose the brain of your SOC. GDC air-gapped brings Google's Gemini models on-premises, and Elastic's AI capabilities, including Attack Discovery and Elastic AI agents, use that local model directly. Whether you want frontier models or fully disconnected local models for classified missions, Elastic supports it. You adopt AI at your pace and your risk tolerance, not your vendor's.
GDC air-gapped customers get the same AI-powered capabilities that connected Elastic deployments use: automated triage, investigation assistance, attack pattern discovery, and agentic remediation. The isolation posture stays intact. The defensive capability doesn't suffer for it.
Elastic Security: Defending the world's most sensitive workloads
Elastic's partnership with GDC is the latest in a series of milestones aimed at securing highly sensitive workloads. In December 2025, Elastic [partnered with the Cybersecurity and Infrastructure Security Agency (CISA)](https://ir.elastic.co/news/news-details/2025/Elastic-Partnering-With-CISA-to-Help-Standardize-Cyber-Defense-Across-Federal-Civilian-Agencies/default.aspx) and ECS to deliver SIEM-as-a-Service across US Federal Civilian Executive Branch agencies, standardizing cybersecurity monitoring and significantly reducing costs tied to data access and retention. The through line is the same: the organizations with the most to protect are choosing Elastic to protect it.
* * *

_Every workstation and server in an air-gapped enclave handles sensitive data. Elastic Defend is included with no per-endpoint pricing, so coverage decisions are driven by risk, not license budgets. Get started with Elastic Security or learn more about Google Distributed Cloud air-gapped._
_The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all._
_In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use._
_Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch B.V. in the United States and other countries. All other company and product names are trademarks, logos or registered trademarks of their respective owners._