Engineering blog

Notes from the audit floor.

Short essays from the team on what we see building an agentic auditor: configuration drift, the breaches that start on a switch, and the design decisions behind Cogent.

Credentials

Type 7 is not encryption

Run enough first sweeps and you stop being surprised: somewhere in the fleet there's an enable password 7 0822455D0A16. Type 7 is a Vigenère cipher with a hardcoded key, published in the 90s. Any config file that leaks — a backup on a share, a TFTP directory, a pasted snippet in a ticket — leaks the password with it, reversible in microseconds by tools that fit in a tweet.

The dangerous part isn't the algorithm; it's the false sense of coverage. The line looks protected, so it passes casual review for years. Meanwhile config backups are the single most commonly exfiltrated artifact in network intrusions — attackers who land on one device immediately harvest configs to pivot, because credentials travel in them.

What good looks like: type 9 (scrypt) secrets everywhere, service password-encryption understood as cosmetic, and TACACS+/RADIUS so device-local credentials are a break-glass exception — audited every sweep, not every audit season.

Breach anatomy

What the IOS XE web UI incident taught us

In October 2023, CVE-2023-20198 turned an exposed web UI into privilege-15 accounts on tens of thousands of Cisco devices in days. Full compromise of the boxes that carry everything else. The industry takeaway was "patch faster" — ours is different.

The devices that were never compromised weren't the fastest-patched ones. They were the ones where ip http server was disabled, or the interface only answered inside a management VRF. A configuration decision made months earlier beat every incident-response process invented after.

Exposure is a config property. You can audit it before the CVE exists.

The generalization: most named network-device vulnerabilities in recent years — J-Web, GlobalProtect, SSL-VPN — were reachable only because a management or remote-access plane faced the wrong direction. That's checkable, continuously, on every device, with read-only access. It's the highest-leverage audit in the book, and it's why exposure checks run first in every Cogent sweep.

Config drift

Golden templates drift in weeks, not years

Every network team has a golden config. Ask when a device last fully matched it and the room goes quiet. Drift doesn't come from negligence — it comes from work: the emergency ACL during an incident, the debug settings that never got rolled back, the "temporary" NAT for a migration that finished two quarters ago, the new hire's slightly different SNMP stanza.

Each change is rational. The sum is a fleet where no two devices agree and nobody can say what's intentional. Then the annual audit samples twelve devices, files a PDF, and the drift keeps compounding for another year.

The fix is cadence, not discipline. Diffing running config against the template every fifteen minutes turns drift from an archaeology project into a same-day code review: here's the line, here's who'd know why, here's the diff to put it back — or promote it into the template, because half of drift is the template being wrong.

Design decisions

Why our agent is read-only by default

An agent that can reason over your fleet could also reconfigure it. We deliberately don't let it. Cogent deploys with show-level access — NETCONF/gNMI gets, or an SSH user that can't enter configure mode. The agent reads, reasons, and writes exactly one thing: a proposed diff, with a rollback plan, that waits for a human.

This isn't caution theater. Networks are the substrate everything else runs on; a wrong change doesn't degrade a service, it removes the floor. Agent mistakes and prompt-level manipulation are real failure modes, and the honest way to handle them is structural: the agent can't push what it can't reach.

The result is an asymmetry we like: full agentic leverage on analysis — reading thousands of configs, correlating advisories, drafting fixes — and human judgment exactly where the blast radius lives. Write access is opt-in per device class, gated by your change window, and revocable in one line. The agent earns trust the same way a new engineer does: by proposing good changes, for a long time.