Taurine

One device per site.
One control plane.

Axon is split into three things that never change: an edge dataplane that runs at every site, a private VPN that connects them, and a cloud control plane that operates the fleet. The edge enforces policy and classifies traffic locally; the cloud orchestrates and retrains. If the cloud is gone, the site keeps running.

  • Offline-first dataplane
  • mTLS over private VPN
  • Open vSwitch · OpenFlow 1.3
  • One-line installer
[Diagram: the cloud control plane (policy, Simba, model retraining; api.taurinetech.cloud) connects over the private Axon VPN (mTLS overlay, ed25519 device identity, never publicly addressable) to an offline-first Axon Agent (classify, shape) at each site (cpt-01, jhb-12, wisp-02), each in front of that site's LAN, APs and clients. Legend: control plane, private VPN, edge dataplane.]
Stack

What each layer does, in plain terms.

Layer 01

Edge dataplane

One Linux device per site at the WAN/LAN boundary. Open vSwitch handles forwarding and policy enforcement in-kernel. Lightweight AI models classify traffic on-device; no flow ever leaves the site unless the operator asks for it.

Layer 02

Private Axon VPN

Every enrolled Axon Agent joins the private Axon VPN on first boot. Devices are never publicly addressable; the control plane and edge talk over mTLS inside that overlay. Telemetry and policy travel the same channel.

Layer 03

Cloud control plane

Fleet-wide policy, multi-site dashboards, the Simba assistant, and model retraining all live in the cloud control plane. Sites operate independently if the cloud is unreachable and reconcile when connectivity returns.

Placement

Where the device sits, exactly.

The Axon Agent lives between your router and your LAN switch. By default it's a transparent L2 bridge: no IP renumbering, no DHCP changes, no DNS to hijack. Adds ≤1 ms of latency. If you'd rather not change the wire, point a SPAN port at it and run in observe-only mode.

In-line bridge
Enforces policy. Shapes and rate-limits. Logs every flow.
SPAN / mirror
Observation-only. Full telemetry, no enforcement.
[Diagram: Internet (upstream ISP) → router (existing CPE) → Axon Agent (classify, shape, log; transparent L2 bridge) → switch (LAN trunk) → AP-01 and AP-02, with the agent also linked to the control plane via the private VPN. No IP renumbering, ≤1 ms added latency, keeps running offline.]

Zero-touch enrollment

Generate a token. Paste one line. Done.

Enrollment is the most common failure point in fleet management. Axon collapses it to a single curl-pipe, and the device never has to be reachable from the public internet for it to work.

[Screenshot: Axon Device Enrollment, token modal with one-line installer (console.taurinetech.cloud / settings / device enrollment)]

  1. Generate an enrollment token

    Settings → Device Enrollment → Create Token. Tokens are single-use, scope-able to a site, and revocable.

  2. Paste the one-line installer

    A curl-piped install script provisions the agent (Debian/RPM packaged), verifies its ed25519 signature, and writes a device identity to the TPM if available.

  3. Device joins the private Axon VPN

    The agent uses the token to join the private Axon VPN, which handles NAT traversal for you, so devices come online without port forwards or static IPs.

  4. Classifier hot-loads, traffic flows

    Within seconds the on-device model is classifying flows. Policy can be applied immediately: globally, per-site, or per-device.
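
The token properties from step 1 (single-use, scope-able to a site, revocable), sketched as server-side logic. This is an added example, not Taurine's code: the class, method names and refusal strings are hypothetical, and keeping only a SHA-256 digest of each token is an assumption of the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TokenRecord:
    site: Optional[str]      # None means the token is not scoped to one site
    used: bool = False
    revoked: bool = False


class EnrollmentTokens:
    """Hypothetical server-side store; only SHA-256 digests of tokens are kept."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, site: Optional[str] = None) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits, shown to the operator once
        self._records[self._digest(token)] = TokenRecord(site=site)
        return token

    def revoke(self, token: str) -> bool:
        rec = self._records.get(self._digest(token))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def redeem(self, token: str, site: str) -> str:
        """Return 'ok' and consume the token, or the reason for refusal."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return "unknown"
        if rec.revoked:
            return "revoked"
        if rec.used:
            return "used"
        if rec.site is not None and rec.site != site:
            return "wrong-site"   # refused without consuming the token
        rec.used = True
        return "ok"
```

A token that leaks from a shell history or a ticket is worthless once it has been redeemed or revoked, and a database dump of this store yields digests rather than usable tokens.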