Netcode Automation + Rez RCA

Network automation your engineers can trust.

Netcode turns live network state into controlled automation workflows: discover, model intent, plan bulk changes, validate safety, dry-run or canary, apply through gates, verify live state, roll back from Git, and monitor drift.

When live state does not match intent, Rez runs read-only RCA with device evidence.

Bulk change planning Git-backed rollback Dry-run / canary gates Governed secure shell Multi-vendor read adapters Drift detection Read-only RCA
Netcode Automation Console Ready for canary

Bulk Change CHG-2048

Deploy app segmentation across Region 3

Production writes: gated
12 sites96 devices3 vendors
Discover Intent Plan Validate Dry-run Canary Batch Apply Verify Drift
Git branch: change/region3-app-segmentation-2048 Risk: High - gated Canary: 6 devices Rollback: Git-backed
96devices affected
12sites in scope
384planned commands
7/7policy checks

Command preview

vlan 210
   name APP_SEGMENT
interface Port-Channel10
   switchport trunk allowed vlan add 210
ip prefix-list REGION3-APP permit 10.204.210.0/24

Rollback preview

interface Port-Channel10
   switchport trunk allowed vlan remove 210
no vlan 210
no ip prefix-list REGION3-APP permit 10.204.210.0/24
Expected after apply Application segment VLAN 210 is present, uplinks allow the VLAN, approved prefixes are advertised, firewall objects reference the segment, and verification confirms reachability only on approved paths.

Netcode Automation

From network intent to controlled execution.

Netcode is the automation workspace for network engineers. Start with live discovery and source-of-truth alignment. Define the intended outcome. Preview the exact network change. Validate safety. Dry-run or canary. Apply in controlled batches. Verify live state. Track drift over time.

01

Discover and model

Read live network state, normalize device facts, and align inventory with your source of truth before automation begins.

  • Device discovery
  • Source-of-truth sync
  • Vendor read adapters
  • Site and device grouping
02

Plan and validate

Turn intended outcomes into exact configuration changes, policy checks, risk summaries, and rollback plans.

  • Bulk change plans
  • Exact command preview
  • Policy gates
  • Blast-radius view
03

Apply and operate

Use canary, batch controls, approval gates, verification checks, drift watch, and Git-backed rollback.

  • Canary execution
  • Batch apply
  • Live verification
  • Git rollback

Bulk Network Automation

Plan one change. Apply safely across many devices.

Netcode is built for repeatable network changes across sites, regions, and device groups. Engineers define the outcome once, review the generated plan, canary the first batch, then promote safely.

1Select targetsRegion 3, Sites 101-112, 96 devices
2Define intentAdd app segment, trunk scope, route policy, firewall object
3Create Git branchchange/region3-app-segmentation-2048
4Generate plan384 commands, 384 rollback commands
5Validate safety7 checks passed, 4 policy warnings held
6CanaryApply to 6 mixed-role devices first
7Batch applyPromote batch 2 of 6, pause on failure
8Verify and driftVerify actual state, enable drift watch
Device Site Vendor Planned Change Validation Canary/Batch Verify
Access-SW-01Site 101EOSVLAN 210 + uplink trunkPassedCanaryVerified
Access-SW-02Site 101IOS-XEAccess VLAN + trunk scopePassedBatch 2Pending
Edge-FW-01Site 104FortiOSFirewall object + policy referenceWarningHeldNot applied
Core-RTR-02Site 108JunosPrefix export policyPassedBatch 3Pending
View bulk change workflow

Under the Hood / How Network Automation Works

The automation logic is simple: compare intended state to live state, then apply only what is proven safe.

Netcode does not blindly push templates. It follows a deterministic automation loop: read live state, model intended state, calculate the delta, validate policy, dry-run or canary, apply through gates, verify actual state, and keep rollback tied to Git.

Netcode automation is not template push. It is intent - plan - validation - controlled execution - verification - drift control.
Live State

Interfaces, VLANs, BGP neighbors, routes, ACLs, NTP, SNMP, firmware, interface state.

Intended State

Approved NTP servers, VLAN standards, interface roles, routing peers, ACL rules.

Delta Plan

Devices affected, commands to add, commands to remove, rollback commands, risk summary.

Git Branch + Policy Gate

Each change is isolated, reviewed, checked, and blocked before execution if unsafe.

Dry-run / Canary

Candidate config, device syntax check, first-batch canary, and no-commit validation where supported.

Verify Actual State

NTP peers active, VLAN present, BGP session established, route installed, ACL ordered correctly.

Git Rollback + Drift Watch

Rollback to previous approved intent, validate reverse plan, apply through the same gates, and monitor drift.

Product Modules

Everything needed to move from scripts to governed NetDevOps.

Change Workspace

One guided workspace for intent, plan, validation, dry-run, apply, verify, rollback, and drift.

Bulk Change Planner

Select device groups by site, role, vendor, tag, or source-of-truth query. Plan one change across many devices.

Command Preview

Show exact generated commands and rollback commands before anything touches a device.

Git Workflow

Create review branches, commit generated artifacts, review diffs, merge approved intent, and roll back by reverting Git state.

Policy Gates

Block unsafe changes before apply using device groups, command patterns, maintenance windows, approvals, and rollback requirements.

Canary and Batch Apply

Apply to a small canary first, verify, then promote in controlled batches with automatic stop conditions.

Drift Watch

Continuously compare intended state to live state and create remediation plans when drift appears.

Secure Shell

Open governed SSH sessions with command guardrails, transcripts, change attachment, and runner-side credentials.

Automation Packs

Start with NTP standardization, VLAN rollout, interface standardization, BGP neighbor updates, ACL changes, firmware pre-checks, and branch onboarding.

Netcode Secure Shell

Governed device access, built into the automation workflow.

Network engineers still need a real CLI. Netcode Secure Shell gives them one with controls traditional SSH workflows do not provide: runner-side credentials, command guardrails, transcripts, change attachment, and a path from ad-hoc investigation into governed automation.

Credentials stay local

Device credentials resolve on the customer-side runner, not in the browser and not in the control plane.

Commands are governed

Read-only commands can run immediately. Config lines are staged into Netcode plans instead of becoming invisible one-off changes.

Every session is useful later

Transcripts can attach to a change, RCA, drift investigation, rollback, or approval record.

Netcode Secure Shell Governed SSH

Session attached to CHG-2048

Core-RTR-02 ยท Region 3

Runner customer-side Mode read allowed / config staged Transcript recording Policy credential + AAA guard active
Core-RTR-02# show bgp ipv4 unicast 10.204.210.0/24
BGP routing table entry for 10.204.210.0/24
  Paths: 2 available, best #1
  Community: region3-app-segment

Core-RTR-02# configure terminal
[guard] config mode detected
[staged] attach this command to CHG-2048 plan before apply
Safe handoff Create or attach a Netcode change with exact commands, rollback, validation, canary, and approval gates.

NetDevOps Governance

Every change has a branch. Every rollback has a known previous state.

Netcode uses Git as the system of record for network intent and generated artifacts. Engineers can review plans before apply, promote approved changes, and roll back by reverting to the last known good intent.

  • A change branch isolates every network change.
  • The plan shows exact intended delta.
  • Policy checks run before apply.
  • Canary result is committed back to the branch.
  • Merge means approved intent.
  • Drift watch compares live state to approved intent.
main change/region3-app-segmentation-2048 intent.yaml plan.md commands.txt rollback.txt validation.md canary-result.md verify.md

Git Rollback Panel

Rollback CHG-2048

Previous approved state
main@8f31a2
Current branch
change/region3-app-segmentation-2048
Rollback action
revert app segment, route policy, and firewall object references
Rollback commands
384 generated
Validation
Passed
Status
ready for rollback canary

Rez RCA

Troubleshooting that starts with live evidence, not guesses.

Rez is the read-only RCA layer for network operations. It collects live SSH/API evidence, compares expected vs actual state, identifies failed conditions, and gives engineers the next safe action.

Ask an operational question

Investigate reachability, VLANs, BGP, routes, ACLs, firewall policy, interface health, and drift.

Collect live evidence

Rez gathers read-only facts from routers, switches, firewalls, wireless controllers, and network APIs.

Find the failed condition

Rez shows the likely cause, failed checks, supporting evidence, confidence, and recommended next action.

Rez RCA Investigation Read-only

Incident

Site 204 application segment unreachable

Finding

VLAN 210 exists on Access-SW-01, but the uplink toward Core-RTR-02 does not allow VLAN 210.

Commandshow interfaces trunk
ExpectedVLAN 210 allowed on uplink
ActualVLAN 210 missing
Next safe action Create Netcode remediation plan to add VLAN 210 to affected uplink trunks.

Closed Loop Operations

Automate, verify, investigate, remediate.

Bulk VLAN rollout across Sites 201-212. Verification fails on 4 devices. Rez identifies uplink trunk inconsistency. Netcode creates a remediation plan for affected devices only. Rollback remains available from Git.

01

Netcode automates

Define intent, plan changes, validate, canary, apply, and verify.

02

Drift is detected

Live state no longer matches approved intent.

03

Rez investigates

Read-only RCA identifies the failed condition and supporting evidence.

04

Netcode remediates

Rez finding becomes a safe Netcode remediation plan.

05

Rollback remains available

If remediation fails, rollback is generated from the previous approved intent.

Use Cases

Built for teams moving from manual changes to controlled automation.

Multi-site enterprise networks

Standardize NTP, SNMP, VLANs, interfaces, routing, and ACLs across many sites without pushing blind templates.

MSP and NOC teams

Run repeatable changes across customer environments, verify live state, and investigate failures without escalating every issue.

NetDevOps teams

Bring Git, review branches, policy gates, canary apply, and rollback workflows to network engineers without forcing them to become software developers.

Compliance-sensitive networks

Use approval gates, controlled execution, live verification, and change history for regulated environments.

Security

Built for skeptical network teams.

Netcode and Rez are designed for controlled enterprise adoption. Start with read-only discovery and RCA. Add automation gates when your team is ready. Keep credentials inside your environment with a customer-side runner.

Netcode Automation Safety

  • Production writes can be locked by policy
  • Exact command preview before apply
  • Git-backed rollback
  • Canary and batch controls
  • Approval gates
  • Governed secure shell with recorded sessions
  • Full change history
  • Emergency override controls

Rez RCA Safety

  • Read-only SSH/API checks
  • Command allowlist
  • No config writes
  • Fail-closed behavior
  • Evidence-backed findings
  • No model training on customer network data

Local / Community

For testing workflows and learning automation concepts.

Starter

For one team, one workspace, and starter automation packs.

Customer-side runner

For live device access while credentials remain inside the customer network.

Enterprise / MSP

For SSO, RBAC, private deployment, multi-workspace operations, and integration support.

Pricing

Start small. Automate one workflow. Expand when it works.

Community

Free

For learning, local examples, and testing the automation model.

  • Local examples
  • Sample inventory
  • Starter workflows
  • Community templates
Download Community

Automation Pilot

Scoped

For teams validating Netcode against a real workflow.

  • Source-of-truth alignment
  • Bulk workflow design
  • Validation gates
  • Canary execution
  • Drift and RCA handoff
  • Pilot success report
Book automation pilot

Team / MSP

Contact

For production teams and service providers.

  • Multi-workspace
  • SSO/RBAC
  • Customer-side runner
  • Git and ticketing integrations
  • Automation and RCA packs
  • Support
Contact us

Get Started

Ready to automate one real network workflow?

Start with a focused workflow such as NTP standardization, VLAN rollout, interface standardization, BGP neighbor updates, or ACL cleanup. Netcode plans it, validates it, gates it, applies it safely, verifies live state, and keeps rollback tied to Git.