The Platform

One Platform. Two Appliances. Complete Control.

Merideon is a two-appliance AI agent security platform. The Security Office governs. The Edge Router enforces. Together they form a closed loop that no agent, compromised or otherwise, can circumvent. Multiple Edge Routers can connect to a single Security Office, spanning subnets, sites, and environments.

Architecture

Two Appliances. One Closed Loop.

Each appliance owns a distinct layer of your security infrastructure. Together they form a closed loop: govern, enforce, detect, respond.

[Architecture diagram: the Internet (external traffic and AI API calls) connects to the Edge Router (nftables, BIND9 RPZ, nfqueue TLS/SNI, DHCP (Kea), native IPAM, HAProxy LB, multi-WAN failover, Andrew AI for natural-language ops, fail-closed enforcement), which fronts the internal LAN(s) of AI agents, containers, VMs, and services. The Security Office (agent registry and badges, behavioral interviews, policy authoring, deployment pipeline) governs agents, pushes policy to the Edge Router, and receives events from it. A second Edge Router (Site B / Segment B) connects to the same Security Office with independent enforcement. A unified audit trail records every action on both appliances, immutable, attributed, and timestamped. Legend: governance and policy flow, network traffic path, audit trail.]
Enforcement Layer: Edge Router

Sits between your agents and the network. Enforces DNS policies at the kernel level, inspects TLS ClientHello for SNI-based blocking, manages DHCP and native IPAM, and runs Andrew AI for natural language network operations. Fail-closed: if enforcement crashes, new agent connections are blocked by the kernel.
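The TLS ClientHello inspection described above, as an added example that is not Merideon's code: a parser that pulls the server_name (SNI) out of the first TLS record of a flow and applies a suffix blocklist to it, the way an nfqueue enforcement hook would. It assumes the hook is handed the TCP payload of the first client packet on a TLS port, the blocklist is a constructed sample, and the `drop_when_no_sni` switch (an assumption, not a documented setting) decides what to do with payloads that carry no parsable SNI, since a fail-closed deployment may want those dropped too.

```python
"""Extract SNI from a TLS ClientHello and decide accept/drop against a blocklist.
Added example; not Merideon's code. Blocklist entries below are constructed."""
import struct

BLOCKED_SUFFIXES = {"api.example-llm.test", "exfil.test"}  # constructed sample


def extract_sni(payload: bytes):
    """Return the lower-cased SNI hostname from a raw TLS record holding a ClientHello,
    or None when the payload is not a complete ClientHello with a server_name extension.
    Every length field is bounds-checked so a truncated or malformed record never
    yields a guessed name."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(payload) < 5 or payload[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    if len(payload) < 5 + rec_len:
        return None  # truncated record
    hs = payload[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32  # client_version + random
    if len(body) < pos + 1:
        return None
    sid_len = body[pos]
    pos += 1 + sid_len  # session_id
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len  # cipher_suites
    if len(body) < pos + 1:
        return None
    cm_len = body[pos]
    pos += 1 + cm_len  # compression_methods
    if len(body) < pos + 2:
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if len(body) < end:
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0 or len(edata) < 5:  # 0 = server_name
            continue
        # ServerNameList: list_len(2), then entries of name_type(1) len(2) name
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(2 + list_len, len(edata)):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            name = edata[p:p + nlen]
            p += nlen
            if ntype == 0 and len(name) == nlen:  # 0 = host_name
                try:
                    return name.decode("ascii").lower().rstrip(".")
                except UnicodeDecodeError:
                    return None
    return None


def verdict(payload: bytes, blocked=BLOCKED_SUFFIXES, drop_when_no_sni=False):
    """Policy decision for one flow: 'drop' if the SNI or any parent domain of it is
    blocked, otherwise 'accept'. Flows with no parsable SNI are accepted unless the
    deployment chooses to fail closed on them (assumed switch)."""
    sni = extract_sni(payload)
    if sni is None:
        return "drop" if drop_when_no_sni else "accept"
    labels = sni.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocked:
            return "drop"
    return "accept"


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension (test input)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)          # version + random
            + b"\x00"                         # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                     # one compression method (null)
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for host in ("agent.internal.test", "sub.exfil.test"):
        print(host, "->", verdict(build_client_hello(host)))
```

The parser deliberately returns None rather than a partial name on any short or inconsistent length field; in an nfqueue hook that None should be treated as "no SNI available" and routed to the fail-closed decision, not silently accepted.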

Governance Layer: Security Office

The authoritative registry for every AI agent. Manages the full agent lifecycle: registration, approval, credentialing, behavioral interviews, policy authoring, and automated deployment. Policies authored here are pushed live to connected Edge Routers in seconds.

Integration

How the Appliances Work Together

Each appliance is powerful standalone. Together they form a closed security loop, from governance decision to kernel-level enforcement in seconds.

Security Office → Edge Router: Policy Push

When an admin authors or updates a policy in the Security Office and pushes it, the policy travels directly to the Edge Router. BIND9 RPZ rules and nftables sets update in under 2 seconds. Badge revocations propagate immediately: a revoked agent's network access is cut off at the kernel level within seconds.

Edge Router → Security Office: Network Events

Every DNS policy violation, traffic block, new host detection, and DHCP event is surfaced in the Security Office in real time. The SO sees everything the edge sees, across all connected Edge Routers. One governance view, multiple enforcement points.

Multi-Router Topology

Multiple Edge Routers can connect to a single Security Office. Enforce the same agent policies across subnets, network segments, or geographically distributed sites, governed from one place. Each Edge Router enforces independently, so an outage at one site doesn't affect enforcement at others.

Fail-Closed Enforcement

If the Edge Router's enforcement engine crashes or is restarted, the kernel continues to block new agent connections until enforcement is fully restored. No gap. No window. Established connections continue; new unauthorized connections cannot be established.
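The policy-push and fail-closed behaviour described in the two sections above, as one added example that is not Merideon's code: a small renderer that turns an agent registry into an nftables ruleset whose forward chain has a drop default policy and admits new connections only from a named set, plus the transactional set update a policy push would send, the single-element delete a badge revocation would send, and an evaluator that mirrors the chain's rule order. The table, set and interface names, the one-IPv4-per-agent registry and the sample agents are all assumptions; the point it shows is that once the base ruleset is loaded, the enforcement process only ever edits the set, so its death leaves the kernel dropping everything not already authorized while conntrack keeps established flows alive.

```python
"""Fail-closed agent egress policy as an nftables ruleset rendered from an agent
registry, plus the push and revocation updates. Added example; not Merideon's code.
Table, set and interface names and the registry entries are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Agent:
    name: str
    ip: str            # assumption: one IPv4 per agent, as assigned by DHCP/IPAM
    badge_active: bool


# Constructed registry for the example
REGISTRY = [
    Agent("builder-bot", "10.20.0.11", True),
    Agent("scraper-bot", "10.20.0.12", True),
    Agent("retired-bot", "10.20.0.13", False),   # badge revoked
]

TABLE = "agentguard"        # assumed names
SET = "authorized_agents"
LAN_IF = "lan0"


def authorized_ips(registry):
    """Only agents holding an active badge may open new connections."""
    return sorted(a.ip for a in registry if a.badge_active)


def render_ruleset(registry):
    """Base ruleset loaded once at boot. The chain's default policy is drop, so a new
    connection is forwarded only if its source is in the set. After boot the set is
    the only object the enforcement process touches, so if that process dies the
    kernel keeps dropping anything not already authorized."""
    ips = authorized_ips(registry)
    set_body = ["        type ipv4_addr"]
    if ips:  # nft rejects an empty 'elements = { }' clause, so omit it when empty
        set_body.append("        elements = { " + ", ".join(ips) + " }")
    return "\n".join([
        f"table inet {TABLE} {{",
        f"    set {SET} {{",
        *set_body,
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept   # flows already allowed keep running",
        "        ct state invalid drop",
        f'        iifname "{LAN_IF}" ct state new ip saddr @{SET} accept',
        "    }",
        "}",
    ])


def render_push(registry):
    """Full policy push: replace the set contents in one 'nft -f' transaction, so
    there is never a moment where the set is half updated."""
    ips = authorized_ips(registry)
    lines = [f"flush set inet {TABLE} {SET}"]
    if ips:
        lines.append(f"add element inet {TABLE} {SET} {{ {', '.join(ips)} }}")
    return "\n".join(lines)


def render_revocation(agent):
    """Badge revocation: remove the agent from the set. Its new connections then fall
    through to the chain's drop policy; no rule has to change."""
    return f"delete element inet {TABLE} {SET} {{ {agent.ip} }}"


def evaluate(authorized, ct_state, saddr, iif=LAN_IF):
    """Mirror the forward chain's rule order for one packet. The enforcement process is
    deliberately not an input: whether it is running does not change the verdict."""
    if ct_state in ("established", "related"):
        return "accept"
    if ct_state == "invalid":
        return "drop"
    if iif == LAN_IF and ct_state == "new" and saddr in authorized:
        return "accept"
    return "drop"  # chain default policy


if __name__ == "__main__":
    print(render_ruleset(REGISTRY))
    print(render_push(REGISTRY))
    print(render_revocation(REGISTRY[1]))
```

The rendered text is meant to be applied with `nft -f`, which loads a file as a single transaction; the base ruleset once at boot, the push and revocation snippets on each change. Because the accept rule keys on set membership rather than on a per-agent rule, a revocation is one element delete and takes effect on the next new connection from that address.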

Shared Audit Philosophy

Both appliances maintain immutable audit logs: every action, attributed to an actor, with timestamp and outcome. Security reviews can trace a complete chain of events, from agent registration and badge issuance through policy push to network enforcement event.

Andrew AI

The AI That Runs the Edge

Andrew lives in the Edge Router. He monitors the network, responds to natural language commands, enforces policies from the Security Office, and takes autonomous action, always with your explicit approval before changing anything.

Approval-gated writes
Real-time state awareness
Immutable audit trail
Policy enforcement
Deployment

On-Premises. Your Infrastructure. Your Control.

Merideon runs entirely on your hardware. No cloud dependency, no data leaving your network.

Docker Compose

Both appliances ship as OVF/OVA packages for VMware or as APT packages for bare-metal Ubuntu 24.04, and can be deployed on any Linux host with Docker installed.

TLS Everywhere

Both appliances serve exclusively over HTTPS. Self-signed certs are provided out of the box. Replace them with your CA certs for production; the paths are fully configurable.

Persistent Data

All data persists on Docker named volumes. Survives container restarts, rebuilds, and updates. PostgreSQL for the Security Office, SQLite for the Edge Router.

Minimum Hardware Requirements

Appliance        CPU               RAM              Disk              NICs
Security Office  2 vCPU            4 GB             40 GB             1
Edge Router      4 vCPU (8 prod)   8 GB (16 prod)   40 GB (80 prod)   1+ (LAN-facing required)

Values in parentheses are the recommended production sizing.

Ready to deploy Merideon?

Two appliances. Your infrastructure. Your control. Governing agents from day one.