AI · Software · Security — Amsterdam

We build the AI, software and networks other companies rent.

Kaperbrief is an engineering studio that ships custom AI agents, private on-prem models, secure software and hardened networks — the kind you own outright. We build with the sharpest tools available, Claude among them, but what we deliver runs on your infrastructure and answers to no one else's cloud.

  • AI agents
  • Local & private LLMs
  • Red-team audits
  • Defensive hardening
  • Mesh & UDP-punch networking
  • Encrypted remote access
  • Custom software

Not a reseller. We write the code.

We've built production remote-desktop stacks, LAN security auditors, network scanners with live CVE detection, DNS-and-reverse-proxy orchestration, and build-hardening toolchains — in Rust, PHP and Python. That same bench builds your project.

100%
Code we can hand you — no black boxes
On-prem
Deploy on your hardware, or ours
E2E
Encrypted by default, keys stay yours
EU
Amsterdam-based, GDPR-native

Why Kaperbrief

Why teams choose us

Privacy & ownership

Everything we build can run on hardware you control. No mandatory clouds, no third parties reading your data, no vendor lock-in. When we're done you hold the source, the servers and the keys — literally.

Full-stack range

One studio from model to metal: AI, applications, infrastructure and security. Offensive and defensive under one roof means the people who harden your systems are the people who know how to break them.

AI-accelerated, human-owned

We build with AI — Claude included — to design, review and ship faster: more capability per euro, and code that's tested, documented and maintainable. The leverage is ours; the result, and the freedom to run it anywhere you like, is entirely yours.

What we do

Six lines of work, one standard of care.

Most engagements combine a few. Full detail and pricing on the services page.

AI agents & automation

Claude-powered agents and automations that do real work — reading, deciding, drafting and acting across your existing tools, with guardrails and a human in the loop where it matters.

€4,500 – €60,000+ Detail

Private & local AI

Your own AI, running on your own hardware. On-prem or air-gapped inference, retrieval over your private documents, and fine-tuned open-weight models — so nothing sensitive ever leaves the building.

€3,500 – €50,000+ Detail

Custom software & web

Applications, internal tools, APIs and websites built from scratch — fast, accessible and free of the template look and the template baggage. In Rust, PHP, Python or whatever the job actually calls for.

€2,500 – €40,000+ Detail

Offensive security & red team

We find the holes before someone else does. Authorised network scanning, penetration testing and adversary simulation across your apps, networks and devices — reported in plain language, with fixes you can act on.

€1,800 – €25,000+ Detail

Defensive security & hardening

The other side of the coin: locking systems down, watching for intrusion, and making a breach survivable. LAN auditing that catches cleartext credentials, hardening, monitoring and incident-readiness.

€1,500 – €20,000+ Detail

Secure networking & remote access

Private networks that just work. Mesh overlays and UDP hole-punching to connect machines behind NAT with no open ports, encrypted remote desktop and file transfer, and clean HTTPS routing for every service you host.

€1,500 – €30,000+ Detail

Signature capability

AI that works for you, not the other way around

We design Claude-powered agents that actually do the job: read the inbox, draft the reply, update the system, file the ticket — with guardrails, human checkpoints and a full audit trail. When your data can't leave the building, we run open-weight models on your own GPUs instead, with retrieval over your documents. Either way, no per-seat SaaS tax and no training on your secrets.

See AI services
  • Multi-step agents with tool use and real integrations
  • Private RAG over your documents, contracts and wikis
  • On-prem / air-gapped inference on your hardware
  • Evaluation, guardrails and fallbacks so it's safe to trust

Signature capability

Your own private network, stitched together securely

We've written the hard parts ourselves: mesh overlays, UDP hole-punching to connect machines behind NAT with no open ports, encrypted remote desktop, and DNS-plus-reverse-proxy routing that gives every service a clean HTTPS name. The result is a private LAN spanning offices, homes and cloud — reachable from anywhere, invisible to everyone else.

See networking services
  • Mesh / overlay networking across sites and clouds
  • UDP hole-punching — no port-forwarding, no exposed surface
  • End-to-end encrypted remote access and file transfer
  • Self-hosted alternatives to VPN and remote-desktop SaaS

Selected work

Things we've actually built.

A few tools from our own workshop. The point isn't the tools — it's that the same hands, and the same standards, build yours.

Self-hosted remote-access platform

Reach any machine behind NAT, from anywhere, without exposing a single port.

An AnyDesk-style alternative you host yourself: encrypted screen, input, audio and file transfer, connect-by-ID, no per-seat fees.

  • Rust
  • Noise E2E
  • UDP relay
  • zstd

LAN credential-exposure auditor

Find the devices quietly leaking passwords in the clear on a flat corporate network.

A passive sniffer that flags cleartext HTTP, FTP, POP3, IMAP, SMTP and camera credentials by device — so insecure kit gets fixed before an attacker finds it.

  • Rust
  • AF_PACKET / Npcap
  • static musl

Report-only network & CVE audit

Inventory a network and its cameras and surface known-exploitable devices — without touching them.

An authorised recon tool with tiered active testing and full audit logging; catches exposed RTSP cameras and known-vulnerable firmware.

  • Rust
  • passive fingerprinting
  • CVE matching

Multi-domain DNS + reverse-proxy

Give a dozen self-hosted services clean HTTPS names on a single box.

One small binary points several subdomains at one server with automatic TLS and host routing — infrastructure that stays boring to operate for years.

  • Rust
  • Caddy
  • dynamic DNS
  • one TOML file

More in the workshop, from mesh VPNs to red-team tooling. Browse all projects

Process

How we work

Short loops, working software early, and honest reporting throughout.

  1. Scoping call

    A free, no-obligation conversation. We map what you actually need, what it should cost, and whether we're the right fit — in plain language.

  2. Fixed proposal

    A written proposal with scope, price range and timeline. You know what the low end buys and what the high end buys before anything starts.

  3. Build in the open

    Short iterations with working software early and honest progress reports. You see the real thing grow — not slideware.

  4. Handover & care

    You get the code, the servers, the docs and the training. Stay on a maintenance retainer or walk away self-sufficient — your call.

Tell us what you're trying to build, automate or secure.

The scoping call is free, and you leave with an honest read on cost and feasibility — whether or not you hire us.

Get in touch