Traditional VPNs route every packet through a single provider that sees the contents. Cognielo encrypts the data at rest, encrypts the lookups in flight with rotating DNS keys per session, and shares peer-to-peer without an operator in the middle. The VPN model assumes you trust one company. The Cognielo model assumes you trust nobody, including us.
VPNs solve a real problem — they shield your IP from a watching network. But they only shield one dimension of your data exposure. Cognielo's substrate-locality covenant covers all five.
| | Traditional VPN (NordVPN, ExpressVPN, ProtonVPN, Surfshark, Mullvad, etc.) | Cognielo |
|---|---|---|
| Hides destination from your ISP | ✓ Yes — but the VPN provider then sees it | ✓ Yes — and nobody after the local resolver sees it either |
| Hides destination from the resolver | ✗ No — the VPN's DNS sees every hostname tied to your account | ✓ Yes — rotating per-session AES-GCM-SIV lookup tokens |
| Encrypts data at rest on your device | ✗ Out of scope — VPN is network-layer only | ✓ Per-app AES-256-GCM under per-kit HKDF keys (eKAP) |
| Operator can decrypt your data | ✗ Yes, by design — they're the tunnel | ✓ No — operator-blind by construction. We can't read you. |
| Cross-session unlinkability | ✗ No — your VPN account ties every session together | ✓ Yes — fresh resolver key per launch + per kit + per 900s |
| Cross-app unlinkability | ✗ No — same tunnel for every app | ✓ Yes — each kit derives its own resolver key |
| Cross-device unlinkability | ✗ No — your VPN account follows your devices | ✓ Yes — substrate root key never leaves the device |
| Sharing without an operator | ✗ Out of scope | ✓ Operator-blind WebRTC P2P (Claim 1.14) |
| Forward secrecy on lookups | ✗ No — VPN logs (if any) capture history | ✓ Yes — keys live in volatile memory only |
| Subscription fee model | $5–$15/mo recurring, sometimes with kill-switch failures | Bundled into your existing Cognielo subscription. No per-VPN fee. |
| Trust model | "Trust the VPN provider's no-log claim" | "Don't trust anyone — proof in the cryptography" |
A VPN encrypts the channel between you and the VPN. We encrypt the lookup itself, with a key that rotates every session, every kit, every device. Even if a network observer captures every byte you send, they get opaque tokens that don't decrypt anywhere except inside your phone.
Your phone holds a substrate root key in the Secure Enclave. On each app launch (or kit switch, or every 900 seconds, or network change), Cognielo derives a fresh per-session resolver key via HKDF, scoped to the kit you're in. Every hostname your kit looks up is encrypted under that key into a 16-byte token. A tiny Rust resolver daemon on the same phone (no network) decrypts the token, looks up the real hostname against a public resolver pool, and returns the IP. The network never sees the hostname. The resolver never sees you. Two queries from two kits, or two sessions, or two devices, are cryptographically unlinkable.
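The per-session derivation described above, as an added sketch that is not Cognielo's code: HKDF-SHA256 (RFC 5869) from a root key to a resolver key bound to kit, launch and 900-second epoch. The info layout, the label `resolver-key-v1`, the kit names, the use of a per-launch nonce as the HKDF salt and the exportable root key are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

ROTATION_SECONDS = 900  # rotation interval stated on the page


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def resolver_key(root_key: bytes, kit_id: str, session_nonce: bytes, now: int) -> bytes:
    """Derive a 32-byte resolver key bound to kit, session and 900 s epoch."""
    epoch = now // ROTATION_SECONDS
    kit = kit_id.encode()
    # Assumed info layout: label, length-prefixed kit id, epoch counter.
    # The length prefix keeps distinct (kit, epoch) pairs from encoding alike.
    info = b"resolver-key-v1" + struct.pack(">H", len(kit)) + kit + struct.pack(">Q", epoch)
    return hkdf_sha256(root_key, salt=session_nonce, info=info)


if __name__ == "__main__":
    root = bytes(range(32))                          # constructed stand-in root key
    launch_a, launch_b = b"\x01" * 16, b"\x02" * 16  # constructed per-launch nonces
    t0 = 1_800_000_000                               # constructed time, start of an epoch
    base = resolver_key(root, "kit-notes", launch_a, t0)
    # Within one epoch the key is stable; any changed input yields a new key.
    print("same epoch :", base == resolver_key(root, "kit-notes", launch_a, t0 + 899))
    print("next epoch :", base == resolver_key(root, "kit-notes", launch_a, t0 + 900))
    print("other kit  :", base == resolver_key(root, "kit-mail", launch_a, t0))
    print("new launch :", base == resolver_key(root, "kit-notes", launch_b, t0))
```

Unlinkability between the derived keys rests on the root key staying secret and on the launch nonce being fresh and unpredictable; with a reused nonce, two launches in the same epoch derive the same key.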
If you need to appear to be in another country (geo-fenced streaming, work-from-abroad), a VPN does a job Cognielo doesn't try to do. Cognielo is about not being seen at all, not about looking like you're somewhere else. Different problems. If your only goal was masking your IP for Netflix region selection, keep your VPN. If your goal was protecting what you do online from being aggregated and sold, switch.
A NordVPN family plan is $14.99/mo. A Cognielo Pro Everything subscription — covering all 20 kits, with rotating DNS keys, per-kit HKDF encryption, operator-blind P2P sharing, and the Coach AI — is $29.99/mo. You're already paying for half a VPN. Pay $15 more and replace 19 other subscriptions too.
The rotating-DNS-keys methodology is captured in the May/June 2026 follow-on filing of U.S. Provisional Patent Application No. 64/041,821. The implementation recipe (the AES-GCM-SIV nonce-binding, the HKDF info-binding) is published in the architecture pages — the cryptographic claim is the differentiator, not a hidden trick.