
Jeffrey Gong

Founder, Gong

In 1994 I started an ISP in Phoenix called Internet Access. The domain was neta.com. We still have it.

The whole company ran on a single Sun SPARC 20. That machine handled RADIUS authentication for dial-up modems, Apache for web hosting, DNS, Sendmail — and later Qmail when Sendmail's security problems became impossible to ignore. Every classical Unix service, one box, real customers depending on it.

As the business grew we acquired GetNet, a competing Phoenix ISP, through a debtor-in-possession purchase when they went under. GetNet had real brand recognition in the Valley — a lot of people in Phoenix remember them. We took on their customers, their domain, and their reputation. If you were online in Phoenix in the nineties, there is a reasonable chance your connection ran through one of our machines.

Running that ISP meant watching the protocols of the internet up close, from the inside. SMTP had no concept of authentication. DNS had no concept of authenticity. The early internet was designed by people building a network — people focused on routing packets from point A to point B reliably. Nobody modeled bad actors. The assumption was that everyone on the network was a researcher or a colleague.

That assumption was wrong in 1994. It is catastrophically wrong now.

The ISP experience planted a question I've been working on ever since: what would the internet look like if it had been designed with cryptographic identity at the foundation, rather than bolted on afterward?


In 2009 I wrote The Getnet Plan — a white paper arguing that fiber optic cable should be treated as public infrastructure, like roads and water, with passive Coarse Wavelength Division Multiplexing allowing multiple ISPs to share a single strand of fiber to each home. The municipality owns the pipe. Providers compete on the wavelengths.

The ISP monopoly problem and the internet security problem are the same problem at different layers. Concentrated control over infrastructure means no competition, no accountability, and no incentive to fix structural weaknesses. The answer in both cases is the same: open, auditable infrastructure with no single point of control.

Chattanooga built something close to what I described. Google Fiber confirmed the monopoly was vulnerable. The incumbents fought it exactly as predicted.


Through 2016 and 2017 I was deep in OpenStack — building private cloud infrastructure on recycled data center hardware, writing about deploying production-grade infrastructure on a GhettoStack budget and what cloud-native actually means. The theme is consistent: infrastructure that should be open and composable, controlled by no one, accessible to anyone with the skill to operate it.


Gong is the convergence of those threads.

The internet shipped without identity. Thirty years of patching — SSL, DNSSEC, DKIM, OAuth, FIDO2 — and we still don't have a layer where you can say: this action was authorized by this specific human, verified by hardware they physically possess, with a cryptographic audit trail that cannot be forged or deleted.

AI agents make this urgent. An AI agent that can send email, commit code, approve transactions, or call APIs is operating with the authority of the person who deployed it — but with no mechanism to verify that authority, audit its use, or revoke it surgically when something goes wrong. The current state is the same structural problem as early SMTP: a protocol built for a world without adversaries, deployed into a world full of them.

Gong splits a user's master cryptographic key across their personal hardware — iPhone Secure Enclave, a custom nRF54 token — using Shamir Secret Sharing. Any two devices reconstruct the key. The nRF54 token never transmits its key share; it receives the iPhone's share, combines them internally, signs the request, and returns only the signature. The firmware on the token can only be updated by the same ceremony that authenticates the user. The manufacturer cannot push malicious firmware to an enrolled token.

Every agent action, every SSH session, every API call signed through Gong traces cryptographically to a human being who authorized it with hardware they physically held. That is the layer the internet never shipped with. We are shipping it now.
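The two-share reconstruction described above, sketched as an added example (not Gong's code): a threshold-2 Shamir split where the token combines shares internally and returns only a signature. The field prime, the three-share count, the `Token` class, and HMAC-SHA256 as a stand-in for the signing scheme are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

P = 2**521 - 1  # Mersenne prime; field is larger than any 256-bit key (assumed choice)


def split(secret: int, n: int) -> list[tuple[int, int]]:
    """Threshold 2: each share is a point on the line f(x) = secret + a*x mod P."""
    if not 0 <= secret < P:
        raise ValueError("secret out of field range")
    a = secrets.randbelow(P)  # uniform slope, so one share alone reveals nothing
    return [(x, (secret + a * x) % P) for x in range(1, n + 1)]


def combine(s1: tuple[int, int], s2: tuple[int, int]) -> int:
    """Lagrange interpolation at x = 0 from two distinct shares."""
    (x1, y1), (x2, y2) = s1, s2
    if x1 % P == x2 % P:
        raise ValueError("need two distinct shares")
    return (y1 * x2 - y2 * x1) * pow((x2 - x1) % P, -1, P) % P


def derive_key(value: int) -> bytes:
    """Hash the field element to a fixed-size key (also covers bad shares)."""
    return hashlib.sha256(value.to_bytes(66, "big")).digest()


class Token:
    """Hypothetical token: stores one share and exposes no way to read it back."""

    def __init__(self, share: tuple[int, int]):
        self._share = share

    def sign(self, phone_share: tuple[int, int], message: bytes) -> bytes:
        # The master key exists only inside this call; only the tag leaves.
        key = derive_key(combine(self._share, phone_share))
        return hmac.new(key, message, hashlib.sha256).digest()


if __name__ == "__main__":
    master = secrets.randbits(256)           # constructed master key
    phone, token_share, spare = split(master, 3)
    sig = Token(token_share).sign(phone, b"constructed request: ssh login")
    print(sig.hex())
```

A real deployment would use an asymmetric signature so verifiers never hold the key; HMAC is used here only to keep the example within the standard library.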


Thirty years ago, employers hired programmers because they didn't want to operate a compiler. Today they hire us because they don't want to supervise an LLM.

The work pattern is cyborg. Human and AI tightly fused — every line understood and owned, AI accelerating rather than replacing comprehension. On critical sections — cryptography, security boundaries, core data paths — the code is written by hand. The audit trail is clean.

Available for contract work. End employers only.
$200/hr C2C · $225/hr short-term · $1,600/day

AI tooling and Anthropic subscription costs are on me — not your budget.

jeffreyacegong@gmail.com