v2.4 · Plexus engine Read-only by default Human-in-the-loop

Every device.
Every control.
Live.

Cogent is an agentic auditor for enterprise networks. It reads every switch, router and firewall in your fleet, scores them against CIS, NIST and your own policy — then writes the remediation diff and waits for your approval.

Read-only onboarding · nothing installed on your devices
7
network OSes supported
15 min
default sweep cadence
0
writes without approval
How it works

From read-only access to an approved fix — in four steps.

Cogent connects the way your engineers already do — SSH, NETCONF, gNMI, or your NMS — then runs an agentic loop that audits, explains, and proposes fixes you approve. It never writes without you.

STEP 01

Connect, read-only

Point Cogent at a jump host, RADIUS account, or your NMS. It discovers the fleet, enumerates interfaces, and inventories firmware — without touching running config.

142 devices · 7 vendors · 41 min
STEP 02

Audit against policy

Plexus agents reason over running and startup config — diffing against CIS, NIST 800-53, PCI-DSS, your golden templates, and any rule you can describe in prose.

1,284 controls evaluated
STEP 03

Triage, with evidence

Every finding ships with the exact offending lines, a plain-English explanation, blast-radius analysis, and a proposed remediation diff — ready for change-control.

38 open · 6 new today
STEP 04

Remediate on your terms

Approve the diff to push through your change window, hand it to NetBox or Ansible, or open a Jira ticket. Cogent watches the rollout and re-audits on commit.

avg MTTR · 6.2h
Sample assessment

A finding you can act on. Not a 400-page PDF.

Every finding is one structured object — severity, control, evidence, blast radius, and an auto-fix diff. Export to CSV, stream to your SIEM, or let the agent open the change ticket itself.

Critical

Active CVE with a public exploit. Patched or mitigated within a 24-hour SLA.

High

Policy drift from your golden template. The auto-fix is usually 1–3 lines of config.

Medium

CIS or framework deviation — often a banner, ACL, or hardening default.

cogent / assessments / demo-fleet sample data
Posture score
0 / 100
+4 vs 7d
Devices audited
142
of 142
Open findings
38
6 new · 12h
MTTR
6.2h
−1.4h vs 7d
Open findings · by severitydemo fleet · 142 devices
Crit
Stale SSHv1 fallback allows unauth RCE via crafted KEX
ip ssh version compatibility
dist-sw-03CVE-2024-20399 · 2h
High
Privilege 15 enable secret stored as type 7 (reversible)
enable password 7 0822455D0A16
core-sw-01CIS-3.4.2 · 5h
High
TLS 1.0 enabled on management interface
ip http tls-version TLSv1.0
acc-sw-31CIS-1.2.1 · 5h
Med
Default community string 'public' on SNMPv2c
snmp-server community public RO
acc-sw-13NIST-AC-7 · 5h
Med
MOTD banner missing required warning text
no banner motd configured
dist-sw-01STIG-V-220532 · 6h
Info
uRPF disabled on uplink trunk Te1/1/1
no ip verify unicast source
acc-sw-32BCP-38 · 6h
The platform

Built for fleets that don't sit still.

One audit surface across every vendor, one finding format across every framework — running continuously, not once a year.

Multi-vendor by default

Cisco IOS-XE, NX-OS, Juniper Junos, Arista EOS, Palo Alto PAN-OS, Fortinet FortiOS — same audit surface, one finding format.

7 NOS · CIS · NIST · PCI · STIG

Continuous, not annual

The fleet sweep runs every 15 minutes by default. Drift is caught at commit time — not at the next auditor's visit.

15-min default cadence

Agentic remediation

Plexus reads, reasons, and writes. It proposes a config diff per finding — with a rollback plan — and waits for approval before anything ships.

human-in-the-loop · default

Air-gap ready

Self-host on a single VM inside your management VRF. No phone-home, no SaaS dependency, no config uploaded to anything you don't own.

on-prem · self-hosted

Custom controls in prose

"No SNMPv2 north of the dist layer." Describe the rule once; Cogent compiles it into a check that runs against every relevant device, every sweep.

natural-language policy

Slots into your stack

Reads inventory from NetBox, writes changes through Ansible or Terraform, opens tickets in Jira and ServiceNow, streams findings to your SIEM.

NetBox · Ansible · Jira · SIEM
Works with your stack
NetBoxAnsibleTerraformJira ServiceNowSplunkElasticPanther SlackPagerDuty
Pricing

Per-device. Transparent. No seat tax.

Every plan includes unlimited users, unlimited frameworks, and read-only deployment. Prices are billed annually; monthly is +20%. Volume discounts start at 500 devices.

Team
$8/ device / month
For network security teams getting started with continuous audits.
  • Up to 250 devices
  • 15-minute fleet sweep
  • CIS, NIST 800-53, PCI-DSS
  • Slack + email alerting
  • 14-day finding history
Contact team
Self-hosted
Sovereign
Custom
For air-gapped fleets, defense, and regulated industries.
  • Unlimited devices
  • Fully on-prem · no phone-home
  • Hardened reference architecture
  • Dedicated solutions engineer
  • 99.95% support SLA
Contact team
FAQ

The questions network teams ask first.

Not unless you tell it to. The default deployment is read-only: NETCONF/gNMI <get>, or an SSH user limited to show commands. Agentic remediation is opt-in per device class, and every change waits for human approval before it's pushed.
Cisco IOS, IOS-XE, IOS-XR, NX-OS; Juniper Junos; Arista EOS; Palo Alto PAN-OS; Fortinet FortiOS; HPE/Aruba AOS-CX. Anything SSH-able with a structured grammar is on the roadmap — talk to us about your fleet.
Ansible, NetBox and your IaC tools push state; Cogent assesses it. We slot in next to them — reading what's actually running on the device, comparing it to policy and your golden templates, and producing the change that your existing tooling then ships.
Yes. The Sovereign tier is a single appliance image (OCI / OVF) that runs inside your management VRF. No outbound traffic, no telemetry, model weights bundled. We work with your security team through review and deployment.
Describe the rule in plain English in the policy editor — no SNMPv2 north of the dist layer, enable secret must be type 9. Cogent compiles it into a check, shows you sample devices it would and wouldn't fire on, and once approved the check runs on every sweep.
Typical first-value is under two hours. Day 1: stand up the appliance, point it at a jump host, let discovery enumerate the fleet. Day 2: review the first sweep with our SE. Most teams merge their first auto-fix inside a week.
Contact

Talk to a human in Montreal.

Sales, support, press, careers — one inbox, answered by the team that builds the product. We reply within one business day.

Book a demo

See your own fleet on the next sweep.

Twenty minutes with a network security engineer. Bring a sanitized config — we'll audit it live and show you your first finding before the call ends.