Case study

A full superyacht IT stack, built from scratch

As primary technical lead, we designed and built the complete onboard IT platform for a privately owned sailing yacht, bringing the identity security and network segmentation normally seen in corporate headquarters to sea. We have supported the platform ever since.

At a glance

  • Vessel: SY Shagala Bagala (privately owned sailing yacht)
  • Role: Primary technical lead, full IT stack
  • Scope: Network, WiFi, connectivity, security, M365
  • Status: Built from scratch · ongoing support

A network built from the ground up

We designed and built the complete onboard network, with a segmented VLAN architecture separating guest, crew, navigation and IoT / camera traffic. The whole platform runs on a full UniFi ecosystem of gateway, switches and access points, engineered for the hull and its operation.

  • Segmented VLANs: guest, crew, navigation, IoT / cameras
  • Full UniFi gateway, switching and wireless
  • Documented, scalable, built for the vessel

Coverage from cabin to masthead

Interior and deck WiFi was engineered for complete coverage, including an exterior access point mounted on the mast to extend connectivity across the full deck, with strong signal wherever owner, guests and crew actually are.

  • Full interior and deck coverage
  • Exterior mast access point for full-deck WiFi
  • Tuned for dense marina RF environments

Identity security from the corporate world

WiFi is protected by certificate-based EAP-TLS authentication, backed by an on-board RADIUS / AD / NPS / ADCS stack. This is the identity model used to protect corporate headquarters, rarely seen on a yacht, and it ensures only trusted, known devices can ever connect.

  • Certificate-based EAP-TLS WiFi authentication
  • On-board RADIUS / Active Directory / NPS / ADCS
  • No shared passwords; only trusted devices admitted

Isolated navigation

Radar and bridge electronics are segmented onto a dedicated navigation VLAN, so navigation traffic never competes or interferes with the rest of the network, and cameras and IoT devices sit on their own contained segment.

  • Radar and bridge electronics on an isolated VLAN
  • Navigation kept strictly separate from guest and crew traffic
  • Cameras and IoT on their own contained segment

Resilient connectivity & email security

Starlink provides primary connectivity with automatic failover and outage diagnostics for uninterrupted internet. On the cloud side, we secured the yacht's Microsoft 365 tenant, and successfully responded to a business email compromise (BEC) attack, containing it and hardening the tenant against recurrence.

  • Starlink with automatic failover and outage diagnostics
  • Microsoft 365 email security and hardening
  • Successful response to a business email compromise (BEC) attack

The outcome

  • Corporate-grade reliability, security and privacy aboard a sailing yacht
  • A network only trusted devices can join, with each segment contained
  • Uninterrupted connectivity underway, with graceful failover
  • A Microsoft 365 tenant hardened and proven against a real-world attack
  • Supported after handover, with issues resolved quickly when they arise

Out of respect for owner privacy, this case study is deliberately free of sensitive detail. The vessel name can be anonymised on request.