PrismGuardPrismGuard

PrismGuard Whitepaper

Last updated: 2026-07-02

1. Summary

PrismGuard is a privacy-first VPN and Solana-aware Shield service built around transport resilience rather than a single protocol promise. The current product state is:

This document intentionally avoids claims that are not in the current implementation.

2. Plans

TierPriceAccessDataSpeedShield
Free0One free server: Frankfurt, Germany (de-fra-free); account required10 GB/monthUp to 5 Mbit/sNo
Premium5 USDC/mo · 14 USDC/3mo · 27 USDC/6mo · 50 USDC/12mo — or 300 ₽/mo · 800 ₽/3mo · 1500 ₽/6mo · 2500 ₽/12mo by Russian bank cardFull server fleet500 GB/monthFull speedYes

On-chain payment is USDC or SOL; other crypto is handled by the NOWPayments processor; Telegram Stars covers in-chat payment; FreeKassa handles Russian bank-card payment in rubles. Crypto prices are USD/USDC-denominated with SOL quotes converted at checkout.

3. Account and Payment Architecture

Sign-in requires no KYC. On the web account and in the Android app, supported sign-in methods are:

Solana wallet sign-in (Sign-In With Solana) is available only in the separate PrismGuard build for the Solana Seeker phone; it is not part of the public web account or the general Android app sign-in flow.

The backend at api.prismguard.xyz (PostgreSQL) tracks accounts, entitlements, and payments. A completed payment through any rail — Solana on-chain USDC/SOL, NOWPayments, Telegram Stars, or FreeKassa — activates the plan entitlement, and the backend provisions a VPN credential (Reality/VLESS) to the account.

Private keys and seed phrases are never collected.

Support is available via Telegram: @PrismGuardSupportbot.

4. Server Fleet

The fleet currently comprises 11 nodes:

Premium unlocks the full fleet; the Free tier is limited to the Frankfurt server. The current server list is delivered to the app at runtime.

5. Active Transports

The app exposes seven selectable transports. Auto is not a protocol — it is the default mode, which runs PRISM Camo with automatic fallback and rotates servers when a path stalls.

Product labelTransport idPurpose
PRISM CamocamoSSH-camouflaged carrier; bypasses the per-IP :443 policer on flagged servers.
PRISM MirrorrealityTCP Reality with mux — looks like an ordinary HTTPS connection.
PRISM Boltprism-boltNative post-quantum encrypted TCP carrier (ML-KEM-768 + ML-DSA-65).
PRISM AirxhttpSplit HTTP over Reality for hard DPI networks.
PRISM Shadowshadow-tlsShadowTLS-style TLS camouflage over TCP.
PRISM TunnelslipstreamLast-resort DNS tunnel (QUIC-over-DNS). Slow — suited to messaging and light browsing — but survives strict white-list networks where nothing else connects.
PRISM Fusionreality-boltReality TLS outer + post-quantum inner channel.

On strict Russian white-list networks, PRISM Tunnel is the survival path — it keeps working where ordinary transports are blocked.

5.1 Auto-mode helpers

Auto's fallback chain can additionally use internal transports that are not exposed as manual picks: PRISM Shell (hardened SSH carrier with post-quantum key exchange), PRISM Flux (obfuscated QUIC), and PRISM Veil (anti-fingerprint TLS, not yet deployed fleet-wide). They exist to keep Auto connected, not as standalone products.

5.2 Post-quantum key exchange

PRISM Bolt is the native post-quantum transport: ML-KEM-768 key exchange with ML-DSA-65 signatures. The TLS-based PRISM transports use a hybrid X25519 + ML-KEM-768 handshake. PRISM Fusion carries the post-quantum channel inside a believable Reality TLS cover.

5.3 Ownership

PrismGuard owns the PRISM transport profiles and their implementations. PRISM Bolt and PRISM Camo are built natively from scratch; the other PRISM transports are project-owned profiles and implementations on top of established camouflage foundations, with PrismGuard's post-quantum integration layered across them.

PrismGuard did not invent Reality, ShadowTLS, or the underlying TLS/QUIC/DNS standards. The claim is narrower and honest: PrismGuard owns the PRISM profiles, the post-quantum integration, and the implementations built over those foundations.

6. ShadowPath

ShadowPath is a multi-server PRISM routing layer. It can maintain or prepare paths across multiple PrismGuard servers for failover and aggregation: when one route degrades, ShadowPath moves traffic to another PRISM server path. It is transport-agnostic — it works across the fleet and the active transport set.

7. Storm

Storm is the bad-network optimization layer for high loss, weak signal, jitter, and path churn. It is resilience and throughput-stability work for poor mobile networks, not a speed multiplier. In practice that means handling lossy LTE and weak-signal conditions, repair/recovery behavior, fewer stalls under bad networks, and keeping browsing and media stable.

8. Shield

Shield is Premium-only.

Its protection is DNS-level blocking: while the VPN is connected, Shield blocks DNS lookups to known malicious crypto and phishing domains for any app on the device. The blocklist refreshes hourly from live scam feeds.

Shield limitations:

9. Public API Surface

Representative v1 endpoints from the backend at api.prismguard.xyz:

A paid entitlement provisions a VPN credential (Reality/VLESS) to the authenticated account; the app fetches its server list and configuration at runtime.

10. Security and Privacy Posture

PrismGuard supports Google, Telegram, and email+password sign-in with no KYC. The separate Solana Seeker build additionally supports wallet-based sign-in, needing no email. The backend keeps payment records and entitlement state to operate the product; it does not collect private keys, seed phrases, or KYC documents for ordinary access.

Operational metadata may be processed for entitlement, service health, abuse prevention, support, accounting, and legal obligations.