Skip to main content
All systems normal
·142.9M packets classified, last 24h·11 sites online·500+ GB processed today·98.84% uptime, 7d·0 CVEs · current branch·142.9M packets classified, last 24h·11 sites online·500+ GB processed today·98.84% uptime, 7d·0 CVEs · current branch
Taurine
Home/Architecture

One device per site.
One control plane.

Each site runs a single Linux device that classifies traffic and enforces policy on its own. A private VPN links every site to a cloud that operates the fleet. If the cloud goes dark, the sites keep running.

Book a demo See the enrollment flow
  • Offline-first dataplane
  • mTLS over private VPN
  • Open vSwitch · OpenFlow 1.3
  • One-line installer
CLOUD CONTROL PLANEpolicy · simba · model retrainingapi.taurinetech.cloudPRIVATE AXON VPNed25519 device identityAXON AGENTclassify · shapeLAN · APs · clientssite · cpt-01AXON AGENTclassify · shapeLAN · APs · clientssite · jhb-12AXON AGENTclassify · shapeLAN · APs · clientssite · wisp-02
control plane
private VPN
edge dataplane

What each layer does, in plain terms.

Edge dataplane

Sits at the WAN/LAN boundary of each site. Open vSwitch handles forwarding and policy enforcement in-kernel. Lightweight AI models classify traffic on-device; no flow ever leaves the site unless the operator asks for it.

Private Axon VPN

Every enrolled Axon Agent joins the private Axon VPN on first boot. Devices are never publicly addressable; the control plane and edge talk over mTLS inside that overlay. Telemetry and policy travel the same channel.

Cloud control plane

Fleet-wide policy, multi-site dashboards, the Simba assistant, and model retraining live here. When a site reconnects after an outage, it reconciles on its own.

Where the device sits, exactly.

The Axon Agent lives between your router and your LAN switch. By default it's a transparent L2 bridge: no IP renumbering, no DHCP changes, no DNS to hijack. Adds ≤1 ms of latency. If you'd rather not change the wire, point a SPAN port at it.

In-line bridge
Enforces policy, shapes, and rate-limits.
SPAN / mirror
Observation mode only OR full API integration with existing switches.
INTERNETupstream ISPROUTERexisting CPEAXON AGENTclassify · shapetransparent L2 bridgeSWITCHLAN trunkAP-01AP-02no IP renumbering · no DHCP changes · ≤1 ms added latency
Zero-touch enrollment

Generate a token. Paste one line. Done.

Enrollment is the most common failure point in fleet management. Axon collapses it to a single curl-pipe.

Talk to engineering
console.taurinetech.cloud / settings / device enrollment
live
Axon Device Enrollment, token modal with one-line installer
  1. 01

    Generate an enrollment token

    Settings → Device Enrollment → Create Token. Tokens are single-use, scope-able to a site, and revocable.

  2. 02

    Paste the one-line installer

    A curl-piped install script provisions the agent (Debian/RPM packaged), verifies its ed25519 signature, and writes a device identity to the TPM if available.

  3. 03

    Device joins the private Axon VPN

    The VPN handles NAT traversal for you, so devices come online without port forwards or static IPs.

  4. 04

    Classifier hot-loads, traffic flows

    Within seconds the on-device model is classifying flows. Policy can be applied immediately: globally, per-site, or per-device.