```
○─────────────────────────────────────────○
│                                         │
│   ┌──────────┐      ┌──────────┐        │
│   │ core-r01 │──────│ core-r02 │        │
│   └────┬─────┘      └────┬─────┘        │
│        │                 │              │
│   ┌────┴─────┐      ┌────┴─────┐        │
│   │  sw-01   │      │  sw-02   │        │
│   └────┬─────┘      └────┬─────┘        │
│        │    ┌─────────┐  │              │
│        └────┤  fw-01  ├──┘              │
│             └────┬────┘                 │
│                  │                      │
│             ┌────┴────┐                 │
│             │ edge-r01│                 │
│             └────┬────┘                 │
│                  │  ┌──────────────┐    │
│                  └──│   INTERNET   │    │
│                     └──────────────┘    │
│                                         │
│   ● 10.0.1.1       Estab   BGP 65001    │
│   ● 10.0.2.1       Estab   BGP 65002    │
│   ○ 192.168.1.254  Active  —            │
│                                         │
○─────────────────────────────────────────○
```
NetNerd connects directly to your routers, switches, and firewalls via SSH and lets any engineer manage infrastructure through natural language — no CLI expertise required.
Every router, every switch, every firewall still demands the same cryptic commands from 1994. The industry built faster hardware and left the human interface behind.
Network operations demand engineers who memorize thousands of vendor-specific CLI commands. That expertise costs $130K+ per year and takes years to build.
A single typo in a routing command can take down an entire site. Network changes are high-stakes, high-stress, and largely undocumented after the fact.
When something breaks at 2AM, finding the root cause means manually SSHing across dozens of devices, reading raw output, and hoping you spot the right line.
Add your routers, switches, and servers via SSH credentials or serial console cable. Deploy NetNerd in one Docker command on any machine in your network.
"What's wrong with this router?" "Map the full network topology." "I need to isolate the guest WiFi." NetNerd understands the intent, not just the syntax.
It SSHes into the actual device, pulls live data, reasons across your full topology, and either delivers findings or proposes a configuration plan — waiting for your approval before touching anything.
Watch how NetNerd diagnoses a live network, maps topology, and safely applies a configuration change — all in plain English.
BGP sessions, interface health, CPU and memory, routing tables, system logs — analysed in seconds with a plain-English summary.
Proposes config changes with exact commands, waits for your approval, applies, and saves — across Cisco, Juniper, Arista, and more.
CDP/LLDP discovery builds a persistent Knowledge Graph. A real-time visual map renders per-device-type icons with live status: green (up), amber (stale), red (down).
Before any change, NetNerd tells you exactly which devices and services would be affected. No surprises, no unplanned outages.
When a device is unreachable from outside, NetNerd BFS-searches the topology graph and tunnels through a physically adjacent device to reach it.
USB-to-serial console cable support for brand new devices with no IP or SSH configured. Day-one provisioning with zero prior setup.
Cisco IOS/IOS-XE/NX-OS/IOS-XR, Juniper JunOS, Arista EOS, Linux (Ubuntu/Debian), and VyOS — all managed from one interface.
Upload network diagrams, configs, or runbooks as PDF, DOCX, or text. NetNerd reads them and incorporates them directly into its reasoning.
First-time users describe their hardware and goals. NetNerd generates a personalized, step-by-step setup plan in plain English — no prior networking experience required.
Scans routers and Linux devices for Mirai, Kadnap, Cyclops Blink, and 30+ malware families. Detects C2 connections, backdoor ports, rogue cron jobs, and hidden root accounts.
Every command passes through a three-layer validator before reaching SSH. Blocks shell escapes, backtick execution, dangerous Linux commands, and invalid pipe usage. Cisco IOS pipes are context-aware — | include is allowed, shell injection is not.
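A sketch of the kind of layered check described above, as an added example (not NetNerd's own code): the three layers, the filter list and the denylist are assumptions chosen for illustration. On Cisco IOS it treats the first `|` as an output-filter separator and everything after the filter keyword as a regular expression, so `include 65001|65002` passes while a pipe into anything else is refused.

```python
import re

# Assumed layer 1: characters that enable substitution, chaining or redirection.
SHELL_META = re.compile(r"[`;&\n\r<>]|\$\(|\$\{")
# Assumed layer 2: output filters that Cisco IOS accepts after a pipe.
IOS_PIPE_FILTERS = {"include", "exclude", "begin", "section", "count"}
# Assumed layer 3: destructive Linux commands (illustrative, not exhaustive).
LINUX_DENY = re.compile(r"^\s*(sudo\s+)?(rm|mkfs\S*|dd|shutdown|reboot|halt|init)\b")


def validate(command: str, platform: str) -> tuple[bool, str]:
    """Return (allowed, reason). platform is 'ios' or 'linux' in this sketch."""
    # Layer 1: reject substitution, chaining and redirection outright.
    if SHELL_META.search(command):
        return False, "shell metacharacter"
    # Layer 2: pipes are judged per platform. Only the FIRST pipe is a
    # separator on IOS; later '|' characters belong to the filter's regex.
    head, pipe, tail = command.partition("|")
    if not head.strip():
        return False, "empty command"
    if pipe:
        if platform != "ios":
            return False, "pipe not allowed on this platform"
        words = tail.split()
        if not words or words[0] not in IOS_PIPE_FILTERS:
            return False, "pipe target is not an IOS output filter"
    # Layer 3: denylist for destructive commands on Linux hosts.
    if platform == "linux" and LINUX_DENY.search(head):
        return False, "dangerous command"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample commands, not taken from any real session.
    samples = [
        ("show ip bgp summary | include 65001|65002", "ios"),
        ("show version | sh", "ios"),
        ("show run `id`", "ios"),
        ("ip addr | grep eth0", "linux"),
        ("sudo rm -rf /var/log", "linux"),
        ("ip route show", "linux"),
    ]
    for cmd, plat in samples:
        print(f"{plat:5} {cmd!r:50} -> {validate(cmd, plat)}")
```

A denylist like layer 3 only catches what it names; recording every rejected command alongside the accepted ones is what lets a reviewer see what the validator missed.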
Every tool call, every command sent, every blocked attempt is recorded — who ran it, which device, what command, what result. Exportable as CSV. Satisfies SOC 2, PCI-DSS, and enterprise compliance requirements out of the box.
CSV Export · Compliance ready
Every user message is scanned for 12 known LLM hijack patterns before reaching the AI. Attempts to override instructions, change agent behaviour, or inject malicious device output are detected and blocked before they reach the model.
12 detection patterns
Actively scans routers and Linux devices for known malware: Mirai, Kadnap, Cyclops Blink, VPNFilter. Detects C2 connections, backdoor ports, malicious cron jobs, and hidden root accounts — all without installing anything on the device.
30+ malware families
PROMETHEUS_URL in .env to pull device metrics from your existing monitoring stack.
Managing a multi-site, multi-vendor network is exhausting. NetNerd dramatically accelerates diagnostics, enforces safe change management, and gives your whole team — not just senior engineers — the ability to operate the network confidently.
NetNerd lets your engineers manage more client environments with less overhead. Deploy one instance per client, or a shared instance with per-user device scoping. Audit logs give you the documentation your SLAs require.
New to networking or a seasoned tinkerer — NetNerd adapts. Complete beginners get a guided 5-step setup wizard that builds a personalized plan from your exact hardware. Advanced users get the full ops console with VyOS, Linux, Cisco, and more.
Forward Networks and NetBrain are the two dominant names in network intelligence. Both are genuinely powerful. Both also require enterprise sales cycles, dedicated professional services teams, and six-figure budgets just to get started. NetNerd gives you the same operational power — without any of that overhead.
| What matters | Forward Networks<br>$116M raised · Enterprise only | NetBrain<br>Blackstone-owned · 2,500+ enterprise clients | NetNerd<br>Built for real teams · Ships today |
|---|---|---|---|
| Time to value<br>How fast can you go from zero to running? | ✕ Professional services engagement required before deployment. Weeks to months before you see anything working. | ✕ Multi-week implementation. Jump servers and collector agents must be deployed across the network first. | ✓ docker compose up -d<br>Running in under 10 minutes. No vendor engagement. No professional services. No waiting.<br>Same day · Zero friction |
| Configuration execution<br>Can it actually make changes, or just watch? | ✕ Read-only. Forward Networks is a verification and analysis platform only — it cannot push any configuration changes to devices. | ◐ Can execute via runbooks, but every runbook must be hand-built by your engineers first. Execution is only as good as the scripts you write. | ✓ Describe what you want in plain English. NetNerd proposes the exact commands, you approve, it executes — across 20+ vendor platforms out of the box.<br>Propose → approve → execute |
| Topology & discovery<br>How does it learn your network? | ◐ SSH/SNMP collection builds a mathematical digital twin. Powerful formal verification (NQE) — but requires learning a proprietary query language to use it. | ◐ Agent-based collection across 2,500+ device types. Strong breadth, but agents add complexity and ongoing maintenance overhead. | ✓ CDP/LLDP live discovery builds a persistent Knowledge Graph automatically. Query your topology in plain English — no formal query language, no agents, no maintenance.<br>Conversational · No agents |
| Who it's built for<br>What size team can actually use this? | ✕ Built for Fortune 500, US DoD, and hyperscalers. The platform assumes a dedicated NetOps team and enterprise infrastructure to support it. | ✕ Targets large enterprise NOC teams. 2,500+ customers globally — all enterprise. Not designed for teams without a full operations department. | ✓ Built from the ground up for IT teams of 1–10 people, MSPs, and mid-market orgs. Fully self-serve — no vendor relationship required to get started.<br>5–500 devices · Any team size |
| Data & privacy<br>Where does your network data live? | ◐ On-premise options exist, but the platform has cloud-connected components. Sensitive network topology may transit vendor infrastructure. | ◐ On-premise deployment available but adds significant infrastructure complexity on top of an already complex agent architecture. | ✓ Fully self-hosted. Your network topology, credentials, and device data never leave your infrastructure. Air-gap and private cloud compatible.<br>100% on-premise · Air-gap ready |
| Cost<br>What's the real all-in cost? | ✕ Pricing not published. Enterprise contracts, multi-year agreements, plus professional services fees billed on top. Budget: six figures minimum. | ✕ Pricing not published. Enterprise licensing, implementation services, and ongoing support packages. Budget: six figures minimum. | ✓ A fraction of the cost. No professional services fees. No enterprise sales cycle. No per-device licensing tiers. Transparent pricing, available on request.<br>Significantly cheaper · No hidden fees |

Forward Networks and NetBrain are trademarks of their respective owners. All competitor information sourced from public documentation, company websites, and press releases. Forward Networks funding figure from public 2022 Series C announcement. NetBrain acquisition by Blackstone from public 2021 announcement.
Request a live demo or deploy from GitHub today.