February 12, 2026 -
"The industry and critical infrastructure are planning to move towards compartmentalisation, which is often associated with specialised CPU architectures, such as CHERI and Morello. However, hardware-led approaches can take years to reach mass deployment.
Herein, Microservice Store provides an alternative path, delivering compartmentalisation on today’s devices, on any architecture, without waiting for a hardware upgrade. By packaging functionality as isolated, authenticated Microservices and enforcing boundaries through the Embedded Microservice Runtime, teams can accelerate device security now, while remaining compatible with hardware-enhanced compartmentalisation when it becomes available."
Architecture-Agnostic Isolation, Enforced by the Embedded Microservice Runtime
Compartmentalisation is a modern security approach where software is divided into small, well-bounded modules, and each module can access only the memory and resources it is explicitly permitted to use. This reduces blast radius, improves reliability, and makes it significantly harder for a single bug or exploit to compromise the whole device.
"embedded Microservice Runtime", by Microservice Store, brings compartmentalisation to embedded systems through embedded Microservices, enforced by an integrated Embedded hypervisor inside the embedded Microservice Runtime. The result is practical isolation on real devices, including highly constrained microcontrollers, without requiring a specific new CPU architecture.
Traditional embedded firmware often behaves like a single, tightly coupled application. A fault in one library, driver, or third-party component can corrupt memory elsewhere, trigger unpredictable behaviour, or expose sensitive data. Compartmentalisation addresses this by:
separating functionality into independent compartments
restricting each compartment to its own address space and authorised interfaces
containing faults, so the rest of the device remains operational
This is increasingly aligned with how security expectations are evolving across the industry and critical infrastructure.
In our model, each compartment is an independent Microservice image, built and packaged as a standalone unit. This enables:
different toolchains per compartment
different programming languages per compartment
independent deployment, update, and rollback per compartment
clearer ownership and maintenance boundaries across teams and suppliers
This is design-time compartmentalisation, you architect the system as compartments from the start, rather than trying to retrofit boundaries into a single binary.
2. Runtime Enforcement via an integrated Embedded Hypervisor
The Embedded Microservice Runtime includes an integrated embedded (Micro) Hypervisor that enforces isolation between Microservices in a CPU-Architecture-Agnostic way. Microservices run as microcontainers with controlled access to memory and system services, so a failure or policy violation in one compartment is contained.
3. Authenticated compartments
Each Microservice compartment is authenticated as a first-class software unit. This means you can build systems where every compartment has a verifiable identity, version, and integrity, and only approved compartments can be installed and executed.
Compartmentalisation is often associated with newer hardware security architectures. Some provide strong run-time enforcement features in silicon, for example, approaches associated with industry initiatives such as the CHERI or Morello.
Microservice Store’s approach is deliberately platform-agnostic:
You can deploy the same Microservice-based compartment model, whether with or without specialised hardware enforcement. In this way, you can share the same Microservices between architectures without any architecture dependency. embedded Microservice Runtime handles and hides the architectural details behind and guarantees the compartmentalisation.
When advanced hardware enforcement is available, the same Microservice packaging and lifecycle model can leverage it.
This means you get a consistent developer and operations model across platforms, rather than fragmenting your software supply chain per CPU family.
(Practically, this allows you to build once around Microservices, then benefit from stronger enforcement on platforms that support it, without changing your fundamental application structure.)
A key benefit of Microservice-based compartmentalisation is that it naturally supports lifecycle automation at the same granularity as isolation. Each compartment can be:
installed independently
upgraded independently
rollback-protected
tracked by identity, version, and integrity
managed across provisioning, factory reset, and decommissioning workflows
In other words, compartmentalisation is not just a security primitive; it becomes the foundation for operating embedded systems like maintainable platforms, fully integrated with compliance support, such as EU CRA or UK PSTI, where it automates SBOM and Vulnerability Reporting at the module level.
Microservice Store delivers compartmentalisation through Microservices, enforced by an integrated embedded hypervisor in the Embedded Microservice Runtime. It is platform-agnostic, individually deployable on constrained devices, and designed to provide compartment-level security and lifecycle automation across the entire device supply chain.