Workflows

How Merideon Works in Practice

Real workflows from day-to-day operations — onboarding agents, pushing policies, managing your network, and responding to events in real time.

Workflow 1

Onboarding a New AI Agent

From first registration to active, credentialed, policy-governed network participant — in minutes.

1. Agent submits registration
   Agent operator submits identity — name, model, version, team, declared capabilities. Enters Pending queue.
2. Security Office reviews
   Admin reviews identity and capabilities in the Pending Approvals queue. Approve or reject with a single action.
3. Badge issued automatically
   On approval, a cryptographically signed badge is generated. Agent presents badge at governed resources.
4. Policy applied at the edge
   Agent's policies push to the AI Router. Andrew applies them to nftables. Agent is now governed at the network edge.
5. Ongoing governance
   Interviews assess behavior, alerts flag anomalies, policies can be updated anytime. Revoke the badge instantly if needed.
Typical time from registration to active: under 5 minutes
Security Office · Pending Approvals
DataSync Agent v2.1 · ETL Pipeline · claude-haiku · submitted 3m ago · Status: Pending
Declared capabilities: Read NAS files, Write to database, HTTP outbound
✓ Badge issued — MRD-0025
Policy pushed to Andrew Router · Agent active
Security Office → AI Router · Policy Push
Block external SSH: DROP TCP ANY→LAN :22 (ON)
Rate-limit agent API: 100 req/min per agent badge (ON)
Allowlist MRD-0001: Full access · Andrew badge (ON)
Restrict MRD-0003 to read-only: AnalyticsBot quarantine mode (OFF)
✓ 3 rules applied to nftables · 1.4s · Audit logged
Workflow 2

Pushing a Policy Update

Author security policies in the Security Office and enforce them at the network edge in under 2 seconds — no CLI, no SSH, no config files.

1. Open Policies in Security Office
   Toggle rules on/off, set rate limits, define allowlists and blocklists for agents or agent groups.
2. Click "Push to Andrew"
   The SO sends the policy set to Andrew on the AI Router over the secure internal channel.
3. Andrew applies rules to nftables
   Rules are written to nftables and reloaded. Enforcement is live. Every rule application is logged.
4. Confirmation in both appliances
   The SO shows push confirmation. Andrew Events feed shows the policy application event. Audit logs on both ends.
Workflow 3

Responding to a Security Alert

An agent triggers an alert. Here's how the platform handles it — from detection to resolution.

! Alert fires automatically
   SO continuous monitoring detects AnalyticsBot attempting to reach an unauthorized endpoint. Critical alert created.
1. Admin reviews the alert
   Alert appears in SO Dashboard (red badge count), Alerts view, and Andrew Events feed. Full context visible.
2. Ask Andrew for diagnostics
   Open Andrew Chat: "Show me AnalyticsBot traffic for the last hour." Andrew pulls live network data and presents it.
3. Push quarantine policy or revoke badge
   Option A: restrict the agent's network access via policy push. Option B: revoke the badge entirely — instant block at edge.
4. Resolve and log
   Mark the alert resolved. Everything — detection, diagnosis, action, resolution — is in the immutable audit log.
🚨 Critical Alert · 2m ago
Unauthorized endpoint access attempt
Agent AnalyticsBot (MRD-0003) attempted to reach api.external-service.com:443 — outside declared capabilities.
Andrew Chat · Diagnostic
Andrew: AnalyticsBot made 14 outbound attempts to api.external-service.com in the last hour. All were blocked by the existing firewall policy. No data exfiltration occurred. First attempt at 19:31 UTC — 37 minutes after badge was issued.
✓ Quarantine policy pushed · Badge suspended · Alert resolved
Workflow 4

Adding a New Network Service

A new application gets deployed. Here's how Merideon handles it — tracking the IP, cataloguing the service, adding DNS, and optionally load balancing it.

1. Container starts on network
   Docker Sync (IPAM) detects the new container, creates an IP record automatically with hostname and detected ports.
2. Service appears in Web Links
   IPAM detects the web port and auto-adds it to the service directory. Categorize, rename, add description.
3. DNS record created
   Add a DNS A record in IPAM — applied immediately to the AI Router's Unbound resolver. Service is now name-resolvable.
4. Optionally: add to load balancer
   Create a pool in the AI Router's Load Balancer, add the service as a member, create a VIP. HAProxy is configured instantly.
IPAM · Docker Sync Result
New container detected
app-api-gateway · .172:8080
IP record created · Added to Web Links
IPAM · DNS Management
✓ Applied
AI Router · Load Balancer
VIP: api-gateway · .200.15:8080
pool-api-gateway → app-api-gateway:8080
HAProxy reloaded · Member health: UP

Ready to see it in your environment?

Deploy Merideon and run your first workflow the same day.