Remote Access Made Easy

ProductHow it worksPricing
Solutions
Customer accessBMS ProjectsBureausBook a Demo

All your sites in one place

Easy, Secure Remote Access to Every Site

Say goodbye to juggling VPNs and login credentials. Overlay gives you centalised remote access to your BMS without a system overhaul*.

Book a DemoHow it works

*Supports whatever VPNs or mesh networks you already use. If you don't have any existing site connections we can provide IT infrastructure and advice, too.

Why BMS operators leave legacy tunnels

Copy-pasting credentials and looking up IP addresses by hand doesn't scale.

first image
second image

Before Overlay

  • Jury-rigged customer access solutions look amateurish and create risk
  • Remedials require on-site presence even though they could be done remotely, leaking margin
  • Lack of audit trail causes lack of compliance
Head-ends exposed on the public internet. Shared site credentials. Zero audit defense.

After Overlay

  • Log in once, access all sessions in one browser tab
  • Secure kiosk links and customer portals in seconds
  • Sell whitelabelled remote connection services to customers
Overlay blends convenience with enterprise-grade controls.

Unified command center

Unified Access for Customers and Staff

Give your staff and your customers secure access to any OT/BMS network—Trend, Tridium, Desigo, EcoStruxure, IQVision, and more. Everything is auditable and identity-driven.

  • Log in once to access all your remote connections
  • No more VPN sprawl, firewall battles, multiple shared accounts or IT dependencies
  • No need to expose head-ends to public internet traffic
  • Works with all major VPNs including mesh networks like Tailscale and Zerotier
  • Logs you into head-ends automatically (currently soon for Niagara 4)

Reduce Engineer Friction

Engineer Productivity

Overlay cuts the wasted hours caused by system switching and access chaos, helping project teams perform remedials and commissioning remotely, and bureau teams reclaim 10–30% of their day for proactive fixes.

  • Convenient remote commissioning without losing security
  • Works Out-Of-The-Box with Workbench, IQSET, Desigo CC, Ecostruxure, and anything else that's TCP-based
  • Request hosted VMs with IPSec tunnels for full compatibility with BACnet and other UDP-based protocols
  • Auditable contractor access without compromising security
  • Just-in-Time access is automatically locked to engineer's IP address and expires at session end

Whitelabelled products and services

New Revenue Streams

Launch a turnkey customer access portal in a few clicks. Earn revenue from digital services and products. We'll provide the infrastructure, the support, and sales collateral to get you started.

  • Whitelabelled customer access portals, hosted under your own domain (or theirs)
  • Cloud-host customer head-ends that can cope with the largest buildings
  • You earn high-margin recurring revenue
  • We provide customisable sales literature and brochures
  • Easy onboarding for your customers

Deep tech / security

Built for Multi-Vendor BMS Environments

Overlay isolates every session, enforces policy inheritance for every OEM, keeps a complete auditable history. No more credentials in emails or sites exposed to the internet.

Identity-based access

Browser and engineering sessions map to individuals, never to shared credentials.

Zero-trust segmentation

Micro-segment every building system so authenticated users only see their assigned scopes.

Session sandboxing

Ephemeral session hosts isolate activity. Nothing can move laterally across networks.

Continuous logging

Satisfy enterprise compliance requirements with full audit trails for every session and action taken.

Multi-vendor native

Overlay normalises Tridium, Siemens, Schneider, and legacy stacks without gateway swaps.

BMS workflow-driven

Built around common BMS workflows, with secure defaults. Designed to save time and prevent breaches.

Compatibility & Onboarding

Works with the connectivity you already have.

Overlay doesn’t require new hardware, site software, or a network redesign. It plugs into your existing VPNs, mesh networks, and remote desktop tools so you can keep your current architecture.

  • No site changes required
  • No new firewalls or ports to open
  • Onboarding typically takes hours, not weeks

🔧 How it works (for IT & engineering teams)

OpenVPN, IPSec, ZeroTier, WireGuard, RDP & more

Overlay plugs into the connectivity you already use. Give Overlay secure access to the same networks your engineers use today, and it provides audited, identity-based access without new tooling.

VPNs (OpenVPN / IPSec)

If you already use a corporate firewall or VPN (e.g. OpenVPN or IPSec), your sites will already be connected into a private network.

To onboard Overlay, you provide a VPN profile that allows an Overlay connector to join that network. The connector is placed into a subnet that can reach the IP addresses you want to access — for example, the hub network in a hub-and-spoke setup.

If you need stronger segregation, you can run multiple Overlay connectors, such as one per customer or network segment.

Mesh networks (WireGuard / ZeroTier)

If you already use a mesh network, onboarding is simple.

You provide the configuration needed for an Overlay connector to join the mesh — just like adding another site or device. Once connected, Overlay can reach any permitted devices on the mesh.

If you'd like to use a mesh network but don't already have one, we can supply an Overlay environment with a managed WireGuard instance pre-configured.

Remote desktop tools (RDP, VNC)

If you currently access sites using remote desktop software, Overlay can broker those connections for you.

The same applies to RDP or VNC: Overlay needs network access to the host (via VPN or mesh, as above), and the login details are entered once when the resource is created. After that, authorised users can connect with a single click.

For other remote or virtual desktop technologies, please contact us to discuss support.

Guided setup. Adapts to your network, fast.

Four-step rollout

Go live without replacing hardware or site software.

Follow the same path as bureaus modernising dozens of head-ends in a month without changing their tech stack.

Step 1

Book a Demo

Review your connection architecture and how Overlay can streamline site access.

Step 2

Connect Your Sites

Self-service or fully managed onboarding.

Step 3

Empower Your Team

Invite staff, contractors, and customers to access their sites.

Step 4

Unlock New Revenue

Launch portals and hosted head-ends in hours, not weeks.

Guide + partner

Overlay guides every rollout with empathy and authority.

We have lived through bureau firefights and IT security audits. From small pilots to large rollouts, we have both self-service onboarding facilities and the ability to automate deployments at scale.

  • Self-service for small portfolios, fully managed for large bureaus
  • Compliance templates for bureaus, FM teams, and OEM partners
  • Managed rollouts that don't consume ops resource

How we work

Discovery

Bureau review + proof-of-value inside 14 days.

Rollout

We embed with your bureau leads and IT while we onboard your portfolio.

Growth

Co-market new services with ready-made collateral.

Pricing

Simple pricing that scales with how you work.

Start with pay-as-you-go pricing for individual projects, or move to a enterprise environment with predictable costs, lower unit pricing, and enterprise-grade features as you scale.

Need specifics? Our team will tailor a plan for your portfolio and remote connection architecture.

Pricing details

Ready to move?

Solve remote connection pain in minutes, not years.

Book a DemoHow it works