DEV Community: Sruthik I

This Month in Networking - May 2026

Sruthik I — Mon, 08 Jun 2026 00:47:20 +0000

Quiet Defaults, DNSSEC Cracks, and Agents in the Data Plane

I read the AWS Nitro V6 TCP timeout change twice before I believed it.

Default went from 432,000 seconds to 350 seconds. Five days to six minutes. On the newest instance family. Quietly, in release notes most people won't read until something breaks.

That sort of set the tone for May. No flagship launch to anchor the month around. What there was a lot of: defaults moving in places vendor press releases don't celebrate. Post-quantum crypto pushing into campus boot chains. Every cloud vendor shipping some flavor of agentic-networking pattern. The .de TLD briefly breaking because of DNSSEC. None of it announced loudly. All of it the kind of thing that breaks production at 2am if you weren't paying attention.

What Moved This Month

Three things, fast.

Post-quantum crypto left the VPN tunnel. Cisco's full-stack PQC for campus and branch is the next chapter after April's PQ IPsec story — boot, firmware signing, supply chain attestation, and transport-layer crypto all moving together. If your campus has mixed-vintage gear (which is basically everyone), this is multi-year partial coverage with no clean switchover.

Agentic networking became a real category. Cloudflare's Town Lake / Skipper writeup and Claude Managed Agents, Palo Alto's Portkey-based unified AI Gateway, and AWS's Bedrock AgentCore connectivity patterns all dropped this month. The right question stopped being "can my agent reach the model" and became "what IAM blast radius does this agent have if it gets prompt-injected."

DNSSEC had a rough month. The .de TLD broke briefly, the DNSSEC root key was rolled, and Cloudflare also debugged a QUIC CUBIC death spiral that was hiding in plain sight. The Internet's core had a louder month than usual, and not in a good way.

1. Agentic AI Is Now Actually A Networking Problem

An agent in production isn't a fancy chatbot. It's a thing that calls APIs, reads logs, accesses SaaS data, and sometimes writes back to systems. Which means it's running with credentials. Which means it's a network principal. Which means someone has to think about what it can reach.

Palo Alto's unified AI Gateway from the Portkey acquisition makes the category real, but I'd want to measure actual latency overhead on my own workload before routing real inference through any of these things. Demo numbers and prod numbers are usually not the same animal. Cloudflare's Claude Managed Agents launch promises "isolated execution" — okay, but what kind of isolation? Worker isolate? Container? VM? The post hand-waves on this and I think that matters. If you're handing one of these real credentials, you need to know the sandbox primitive before you ship. The companion writeup on Town Lake and Skipper is useful as architecture inspiration even if you can't buy any of the underlying platform as a product. AWS's Bedrock AgentCore connectivity patterns is honestly the most useful of the bunch for me — it actually walks through user-to-agent, agent-to-tool, and agent-to-private-resource paths in a way you can take to a design review and argue about.

Cisco's Intelligent Packet Flow pitches a fabric that adapts to AI traffic in real time. I want to like this. But "real-time adaptive fabric" plus "application-level congestion control" gives you two adaptive control loops running at the same time, and that's how you get oscillation. Before I get excited I want to see a serious deep-dive on how the two layers behave together at scale, not just a "look how fast" benchmark. Their N9000 EANTC 2026 results are actually more interesting to me — twelve-vendor independent lab validation of VXLAN EVPN and secure PTP/MACsec is rare, and it's a lot more than slideware. Lab interop doesn't equal brownfield interop where firmware versions disagree, but it's still more than zero, and I'll take that.

2. The Internet Core Cracked, Then Quietly Got Better

DNSSEC had a rough May. Cloudflare's writeup of the .de TLD DNSSEC outage is the one piece I'd want everyone to read, and the takeaway most people will skip past is that resolver-side serve-stale behavior turned what could have been a country-scale outage into something a lot of users barely noticed. Resolver-side resilience is doing a lot more work than people give it credit for. APNIC also covered rolling the DNSSEC root key and the long-running question of centrality in the Internet's names. RIPE Labs' operational review of public ENUM had a quiet, unsexy stat that stuck with me: about half of public ENUM delegations have some kind of DNS problem. Half. That's what happens to boring infrastructure when nobody's watching.

BGP had a useful nuance week. Doug Madory's ephemeral BGP leaks piece (picked up by ipSpace's Worth Reading) argues that a lot of "leak" alerts are just convergence artifacts after a routing event, not policy violations. RIPE Labs' Legacy Out of Contract covers legacy address blocks without ROA coverage, and APNIC's PeeringDB update is more registry-quality work. Neither is glamorous, both matter.

On the lab side, ipSpace shipped netlab 26.05 with BGP-free SRv6 core support. I'm flagging this because SRv6 has been "ship next year" for what feels like half a decade, and credible lab tooling is what finally moves teams from PowerPoint to actually trying it. I'm planning to spin this up soon. APNIC's IPv6 in the boardroom is also worth a read if your org still pretends IPv6 is a governance problem rather than an infra refresh.

3. The Cloud Defaults Moved (And Most People Won't Notice Until It Hurts)

If you read only one section, read this one. The AWS Nitro V6 TCP idle timeout change is the one I keep coming back to. The applications most likely to break are the ones nobody is actively maintaining. Long-poll endpoints. Idle DB pool connections. Persistent message broker consumers. Service-mesh sidecars that idle quietly between requests. The failure mode is not a clean reset. Your app holds a TCP socket that the cloud already evicted from conntrack state. The next packet goes into a black hole. The connection only dies when your TCP keepalive trips, which on most defaults is minutes later. If your keepalive is at two minutes, you've got a two-minute hang on every idle connection that gets evicted, and if a deploy window kicks off a bunch of reconnects you've got an incident on your hands. Test this on a Nitro V6 instance against your actual workload before assuming you're fine.

Cloudflare's QUIC death spiral fix deserves a callout too. CUBIC's congestion window got pinned at the floor because of a Linux kernel idle-detection optimization that miscounted idle time. Throughput looked low, the connection looked fine, no alerts fired. This is the kind of bug your dashboard cannot see — it's hiding below the socket. They only caught it with packet captures. I spend a lot of time with PCAPs and I'll say it again here: dashboards are at the wrong level of abstraction when the bug is in the kernel or the transport. You have to go look at packets. There's no shortcut.

The rest of the AWS roundup pushes the same direction. FIS centralizing 13,000 VPC endpoints is one of those rare real-customer-scale architecture posts worth reading for the blast-radius-per-workload pattern — honestly the most enterprise-honest AWS post of the month. DMZ architecture with VPC Block Public Access makes public reachability an explicit choice rather than something that drifts in over time. And Site-to-Site VPN BGP migration plus production-ready DNS with AWS CDK are both quietly nudging cloud teams to treat routing and DNS as code, which I'd argue they should have been doing already.

4. Security: Quantum-Safe, And Trying To Govern Agents

Two storylines stacked this month.

The first is PQC pushing out from VPNs into every closet in the campus. Cisco's full-stack PQC for campus and branch is the natural next chapter from April — boot, firmware signing, supply chain attestation, and transport-layer crypto all moving together. Honestly, mixed-vintage campus gear (which is everyone I've seen) is going to live in partial coverage for the next two years. That's not a planning flaw, it's just reality. Budget for the gap up front, or end up with a fleet that's only as quantum-safe as its weakest negotiated session. And while that long migration is happening, today's CVEs still need patching: SDxCentral wrote up the fresh Cisco SD-WAN root access vulnerability. Yeah, patch it this week.

The second is the agent-security side. Palo Alto's SaaS supply chain security post hits the right problem — GenAI plugins inside SaaS apps are OAuth-scope creep that almost nobody is auditing, and the interesting failure mode is data exfil through legitimate-looking integrations rather than a direct compromise. Cloudflare's Claude Compliance API integration with CASB is useful if you're already on Cloudflare's stack, but I do wonder if vendor-specific compliance hooks are the new flavor of lock-in. And APNIC's RADIUS isn't going away, so let's fix it properly is unglamorous but important. RADIUS is still sitting in the auth path for wifi, VPN, NAC, basically everything we do. The proposed fixes have to ship without breaking thirty years of deployed gear, which is honestly a much harder problem than the protocol design itself.

5. Operations Is Becoming A Software Discipline

The operations story I most want people to read is Cloudflare's Code Orange: Fail Small, Fail Complete. The point isn't the catchy name. It's the engineering discipline of designing config changes so the blast radius is bounded by construction, not by post-incident review. Most "global outage" postmortems I've read are the inverse story — a change with unbounded blast radius reached production because nobody enforced the bound up front. Cisco's Nexus Data Broker integration in Nexus Dashboard 4.2 pitches a unified source of truth, which only actually works if your underlying inventory is accurate. Most "data broker" rollouts I've seen paper over inventory drift instead of fixing it, and then you've got a more confident lie.

Kentik's AI Advisor for MTTR and Cisco's agentic workflows pitch are the same story in different wrappers — AI-assisted RCA only compresses time-to-fix when your telemetry is already clean. Garbage telemetry plus an LLM in a loop just gives you faster, more confidently-worded garbage. ipSpace's piece on ARP issues with EVPN asymmetric IRB is the kind of operational detail vendor slides skip but every DC engineer hits sooner or later. NetBeez's ttl modern traceroute and APNIC's reimplementing traceroute in Rust are reminders that path diagnostics haven't meaningfully improved in two decades. Better tooling at this layer pays back every single time you have to debug an asymmetric path or a per-hop loss issue.

6. Wireless And Edge: Identity, Identity, Identity

Arista's Cognitive Campus Center journey and Cisco's lean-IT AI-assisted wireless management are basically the same trend with different branding — campus is becoming the proving ground for AI-assisted ops because it's the largest bounded environment most enterprises have, and it's where you can actually measure your own changes.

The post that mattered to me most this month was APNIC's persistent device identity in the era of MAC address randomization. MAC randomization is great for user privacy. It's genuinely awful for operational visibility. When MACs lie, your inventory becomes a guess, your per-device policy becomes a guess, your client-level telemetry becomes a guess. The proposed RADIUS-side fix is reasonable but it requires controller-side state that a lot of WLC setups in the field don't track yet. If you run a real campus or a stadium or any large public space, this is going to bite you eventually, and the only way out is changing how supplicant, AAA, and controller agree on identity. APNIC's direct-to-device and LEO ambitions is the broader satellite/edge story for anyone tracking where access keeps going.

Signals Worth Watching

The cloud-defaults-are-quietly-changing pattern isn't going anywhere. Whatever you assumed about idle timeouts, source ports, DNS TTLs, or conntrack behavior — re-check those assumptions on the newest instance families. PQC is migrating into firmware, secure boot, and supply chain attestation, which is going to be a multi-year coordinated migration with a lot of partial states in between. Agentic AI is no longer a "model API" story, it's a network-principal story, and the IAM blast-radius decisions made now will determine the next class of incidents. Dashboards keep lying at the wrong level of abstraction for the bugs that actually hurt; PCAPs aren't optional if you actually want to debug below the socket. And RADIUS-plus-wifi-identity is quietly the access-layer problem that nobody fully solved.

What I'd Actually Do

If I was running a network team this month, here's the short list. Audit long-idle TCP behavior on Nitro V6 and set keepalives where they're missing — don't wait for the first incident. Document where in your campus your PQC migration starts and where it can't reach yet, and put a number on the gap so it becomes a budget item, not a vibe. Treat agentic systems as network principals with their own IAM blast radius. Calibrate BGP leak alerting against the ephemeral-leak baseline, otherwise you'll burn out on noise. Re-read Code Orange and ask which of your config-change paths actually have a bounded blast radius by construction, not by hope. And if your wifi policy still assumes stable MAC addresses, it's time to fix that.

The teams that move fastest this year are going to be the ones with clean inventory, observability below the socket, and explicit blast-radius models for every autonomous component. The ones who struggle will treat each of those as a separate procurement.

What I'm Watching For In June

Three things. First, public postmortems for the Nitro V6 timeout change — they're coming, and the patterns will tell you more about your own exposure than any benchmark. Second, how vendors handle the gap between "we announced PQC" and "we shipped PQC across the whole fleet." The early honest disclosures will tell you who actually understands the migration vs. who's press-releasing it. And third, whether any of these agentic "gateway" products turn into real enforcement points, or just dashboards with extra steps.

This Month in Networking - Apr 2026

Sruthik I — Sun, 03 May 2026 20:16:56 +0000

AI Fabrics, Quantum-Safe Tunnels, and Cloud Policy

April was a good reminder that networking is not standing still.

The big themes were not abstract. They showed up in very practical places:

data centers trying to keep up with AI workloads
cloud networks becoming more private and policy-driven
routing security getting more attention
VPNs and firewalls preparing for post-quantum cryptography
wireless and edge access becoming business-critical
operations tools moving closer to automation and AI-assisted troubleshooting

If you are new to networking, read this as a map of where the field is going.

If you already work in the space, the useful question is: which of these shifts will hit your environment first?

What Moved This Month

Three things stood out.

First, AI is putting real pressure on physical network design. Cisco wrote about direct-liquid-cooled switching for AI-era data centers, scaling networks for AI without forklift upgrades, and AI-heavy media fabrics with NVIDIA. Network World also looked at NVIDIA's AI strategy, while Light Reading tracked how AI is pushing telecom costs.

Second, trust moved deeper into the network. Cloudflare made post-quantum IPsec generally available. Cisco published a quantum-safe architecture and a secure firewall roadmap.

Third, cloud networking kept moving away from "just connect things" and toward explicit policy. AWS added Client VPN attachment to Transit Gateway, showed centralized ingress inspection in Cloud WAN, and Microsoft pushed Azure toward private subnets by default.

That is the shape of April: more traffic, more private paths, more automation, and more security decisions happening inside the network.

1. AI Is Now A Network Design Problem

AI workloads are not only about GPUs.

Those GPUs need to talk to each other very fast. That means switches, optics, cables, cooling, telemetry, and clean failure domains all matter.

The useful AI networking signal this month was very physical:

Cisco's post on data center cooling for the AI era is interesting because cooling is now part of network planning, not just facilities planning.
Cisco's piece on scaling networks for AI without a forklift upgrade gets closer to the real enterprise problem: most teams cannot rebuild everything at once.
Cisco and NVIDIA's AI-driven media fabric points at another pattern: specialized workloads are starting to need specialized network behavior.

There was also a more grounded operator angle from ipSpace. Ivan Pepelnjak wrote about generating partial device configurations with netlab, using a multi-vendor leaf-spine lab as the example.

That matters because AI-ready networks still need boring discipline:

repeatable topology builds
correct address plans
predictable BGP behavior
configuration templates that do not create surprise
labs that match the real design closely enough to catch mistakes

The takeaway: AI readiness is not a product label. It is a combination of capacity, cooling, observability, and operational repeatability.

2. The Internet Core Is Still Worth Watching

The Internet is held together by routing systems, registries, DNS, and a lot of operational trust.

BGP is the routing protocol that lets networks tell each other, "I can reach this prefix." When that trust is weak, bad routes, leaks, outages, and hijacks become easier.

April had several useful updates here:

APNIC covered ReAct, a mitigation approach for reflection DDoS attacks. The important detail is that it considers asymmetric routing, where traffic going out and traffic coming back may not use the same path.
APNIC also highlighted Pacific routing security, with PITA 31 set as a deadline for practical implementation.
APNIC noted that Google hit 50% IPv6. That does not mean IPv4 is gone, but it does mean IPv6 is no longer a side topic.
RIPE Labs introduced the reg-nr: attribute in the RIPE Database, making resource holders easier to identify.
RIPE Labs also wrote about real-time routing analysis using RIS Live and BGPlay APIs.
ipSpace shipped netlab 26.04, with EXOS support, BGP prefix origination improvements, and better static route support.

None of this is flashy. It is more important than flashy.

Internet resilience improves through small, repeated upgrades: better routing visibility, better registry data, better lab tooling, and more operators treating IPv6 and RPKI as normal work.

3. Cloud Networking Is Becoming More Intentional

A VPC or VNet is like your private network inside a cloud provider. The hard part is not creating it. The hard part is deciding who can reach what, through which path, and under whose policy.

April's cloud networking updates were all about that.

AWS had three strong signals:

Route 53 IAM condition keys help teams delegate DNS changes more safely across accounts.
Client VPN native Transit Gateway attachment removes the need for a dedicated hosting VPC pattern and keeps source IP visibility cleaner.
Centralized ingress inspection in AWS Cloud WAN addresses a real enterprise question: where should inspection happen when networks span many accounts and VPCs?

Microsoft's Azure posts pointed in the same direction:

Private subnets by default in Azure Virtual Networks makes explicit outbound access the default behavior for new deployments.
Azure VNet Data Gateway gives Power BI, Power Platform, and Fabric a managed path to private Azure resources.
The Container Network Insights Agent for AKS brings network troubleshooting closer to Kubernetes workloads.

The direction is clear: cloud networking is becoming policy work.

The best cloud network designs will not just have neat diagrams. They will have clear ownership, explicit egress, auditable DNS, controlled inspection points, and troubleshooting data close to the workload.

4. Security Is Moving Into The Network Plane

April's security stories were really networking stories.

The biggest one was Cloudflare's post-quantum IPsec GA. IPsec is widely used for site-to-site VPNs. Post-quantum support matters because long-lived encrypted traffic may need protection against future cryptographic attacks.

The practical detail: Cloudflare is using hybrid ML-KEM and says it tested interoperability with Cisco and Fortinet. That makes the story more useful than a pure research announcement.

Cisco pushed the same theme from the platform side:

From Strategy to Architecture explains Cisco's quantum-safe direction.
The Secure Firewall roadmap shows that post-quantum planning has to reach firewalls, firmware, chipsets, and communication planes.

There was also movement around secure access and AI governance:

Packet Pushers covered Zenarmor's zero-trust secure access pitch, with useful skepticism around SASE positioning.
Palo Alto Networks wrote about securing and governing AI agents through an AI Gateway inside Prisma AIRS.

Simple version: security tools are being judged more by where they enforce policy, what network context they understand, and how well they fit into operations.

5. Network Operations Is Becoming Software Work

Automation is not new in networking.

What is changing is where automation is being applied.

This month was less about "generate a config" and more about "help me understand what broke."

Examples:

AWS showed automated network incident response with AWS DevOps Agent, reasoning across routes, attachments, and security groups.
Microsoft put the Container Network Insights Agent into public preview for AKS network troubleshooting.
Cisco wrote about unified AI-ready network operations, AI-powered RRM, and simpler access control.

The caution came from ipSpace's "State of Network Automation with Urs Baumann". The uncomfortable point: many automation lessons from ten years ago still apply.

That is a good warning.

AI-assisted operations will help only if the basics are clean:

reliable inventory
accurate topology data
clear source of truth
tested templates
change control that people actually follow
telemetry that explains state, not just noise

Bad data plus automation just creates faster confusion.

6. Wireless And Edge Are Now Strategic

Wireless is not just "Wi-Fi in the office" anymore.

It carries retail systems, mobile devices, IoT, guest access, warehouse operations, cameras, collaboration tools, and sometimes backup connectivity for entire sites.

April's useful signals:

Cisco wrote about AI-RRM, where radio-resource management gets more automated.
Cisco also covered wireless trends retail IT teams cannot ignore.
NetBeez tested MPTCP with iPerf3, showing how traffic can use multiple paths for better resilience.
Light Reading tracked access-network moves like T-Mobile and Starlink blended broadband, VodafoneThree choosing Ericsson and Nokia for 5G, and Verizon's FWA/fiber shift.

The pattern: access networks are becoming hybrid by default.

Fiber where possible. Wireless where useful. Satellite where necessary. Monitoring and policy over all of it.

Signals Worth Watching

Post-quantum networking is leaving the lab. VPNs and firewalls are now part of the conversation.
AI networking is becoming physical. Cooling, switching, optics, and operations are one design problem.
Cloud networking is becoming more private by default. Teams need explicit egress and clear ownership.
BGP, IPv6, RPKI, and registry quality remain core Internet hygiene.
Agentic troubleshooting is coming, but it will reward teams with good data models first.
Wireless and edge access are becoming part of business continuity, not just convenience.

Operator's Take

My read: the useful work is in the layers people often postpone.

Clean up route ownership.

Know who controls DNS.

Make cloud egress explicit.

Document where inspection happens.

Treat IPv6 and routing security as normal work.

Build labs that look like production.

Do not ask AI to automate a network you cannot already explain.

That last point matters. The best teams will use automation and AI to speed up good operations. They will not use them to hide poor design.

What To Watch In May

Watch where post-quantum networking shows up next: VPNs, firewalls, branch hardware, and migration guides.

Also watch AI data center networking beyond the hype cycle. The interesting parts are cooling, Ethernet fabrics, optics, observability, and funding models that do not require replacing everything at once.

Finally, keep an eye on cloud private access and agentic troubleshooting. Those two areas are quietly becoming the daily workbench for network engineers.

Plexus: A WiFi Graph RAG for Network Troubleshooting

Sruthik I — Sat, 25 Apr 2026 15:09:46 +0000

WiFi troubleshooting has a confidence problem.

Ask a chatbot what's causing client disconnections and it'll give you an answer that sounds right. But infrastructure troubleshooting isn't a trivia game — the cost of a confident wrong answer is an engineer wasting hours chasing the wrong fix.

I built Plexus, a private WiFi troubleshooting assistant specifically to solve this. Every answer it produces is grounded in retrieved evidence from a curated domain knowledge corpus. If the evidence is weak, the answer says so. The first cut — available now for trials — is focused on knowledge querying: ask a WiFi or networking question and get back a source-safe, evidence-grounded answer. Public users do not see private source names, page references, chunk IDs, or citations; those stay in internal traces for debugging and evaluation.

It's a private project — this post covers the design, not the data.

The Problem

WiFi troubleshooting is not just a search problem. A good answer usually depends on several kinds of evidence:

The user's question and operational context.
Protocol behavior and failure modes that are easy to confuse.
Incident artifacts — packet captures, logs, timeline signals.
Confidence boundaries: what the system knows, what it inferred, and what still needs validation.

A normal chatbot blends real evidence with plausible guesses and presents them at the same confidence level. That's dangerous in infrastructure troubleshooting. So Plexus was built around one strict rule: important technical claims should be grounded in retrieved evidence where possible, and uncertainty must be surfaced — not hidden.

System Map

At a high level, Plexus has three big areas:

An online app core for API/UI requests, routing, retrieval, answer generation, and RCA workflows.
Stores and services for lexical search, vector retrieval, graph relationships, workflow execution, and inference.
An offline indexing and release pipeline that prepares the private knowledge corpus into serving indexes.

The online path starts with a FastAPI application. Requests from the web UI, chat interface, or CLI/admin path go through a query service that decides what kind of work is needed.

The critical design choice: retrieval is not a single vector search call. Plexus combines multiple retrieval shapes and builds an evidence pack before generation ever begins.

The Knowledge RAG Core

This is the heart of Plexus and what's live in the trial.

You ask a WiFi or networking question in the chat interface. Before anything gets retrieved, the query goes through a question classifier that uses embedding similarity against class prototypes — reference, compare, troubleshooting, advanced troubleshooting — combined with structural pattern signals (regex markers for "what is/explain" vs "why/fail/diagnose" vs "compare/differ/tradeoff"). The question class isn't cosmetic. It drives both answer policy and retrieval behavior: simple knowledge questions get concise explanations, while troubleshooting questions can use cause-and-next-check workflows.

Alongside that, a domain intent parser extracts WiFi-domain signals from the query: security protocols (WPA2, WPA3, SAE, OWE, PMF), frame types (EAPOL, Probe, Auth, Association), WiFi generations (802.11r, 802.11k, ax, be), vendor hints, AP roles. These feed directly into retrieval.

Three Retrieval Modes

Plexus operates in two primary retrieval modes, switchable at runtime without restart:

Traditional mode runs dense vector search (Qdrant) and lexical search (SQLite FTS) in parallel. Their ranked lists are merged, duplicate chunks across document editions are collapsed, and the top candidates can be expanded with page- or section-adjacent neighbors from the same source.
The ranked lists from Qdrant and SQLite FTS are merged using Reciprocal Rank Fusion (RRF) to normalize the scores. To ensure exact string matches (like specific error codes or MAC vendor prefixes) aren't diluted by the dense retriever's semantic confidence, we pass the merged top-K candidates through a cross-encoder model for final reranking. Quality penalties are then applied to demote junk chunks (glossaries, boilerplate, answer keys) before they hit the evidence pack.

Graph mode adds Neo4j to the picture. This is where it gets interesting.

Graph RAG: Entity-Aware Retrieval

During offline indexing, entities are extracted from the knowledge corpus — protocol concepts, configuration states, failure modes, vendor behaviors — and imported into Neo4j as nodes with RELATES_TO weighted edges and community memberships.

At query time, Plexus resolves anchor terms from the parsed intent (protocol names, security methods, frame identifiers) to entity nodes via full-text index. It then traverses outward in one of three submodes, selected based on question class and query signals:

Local: entity → directly mentioned chunks → neighbor entities via RELATES_TO → their chunks. Best for specific, concrete questions.
Drift: local traversal + community expansion. Plexus follows entities into their community cluster and pulls chunks from co-clustered entities. Useful for broader symptom-to-cause problems where the answer lives in a nearby concept, not the exact entity.
Global: community-first traversal. Matches communities by full-text search against the query, then pulls chunks from member entities. For corpus-wide thematic questions.

The immediate danger with 'Drift' and 'Global' traversals is graph decay—as firmware updates and new standards emerge, old entity relationships become stale. To counter this, Plexus enforces a temporal decay penalty on edges during traversal, ensuring that newer corpus ingestion overwrites or heavily down-weights deprecated protocol behaviors, keeping the graph grounded in current reality

Graph results don't replace traditional retrieval — they're hybridized. Both lists are merged via RRF and jointly reranked. A chunk that surfaces from both graph and traditional retrieval gets a relevance boost. A graph-only chunk with zero lexical overlap against the question gets penalized — the graph can hallucinate relevance when entity connections are indirect.

The Compatibility Lane

WiFi has a class of question that's particularly hard: compatibility. "Does WPA3-SAE interoperate with WPA2 clients on 802.11ax?" requires understanding security method × generation × vendor interactions simultaneously. A single query against a single retrieval surface rarely reaches the right evidence.

The intent parser detects compatibility signals — security protocols, WiFi generations, vendor hints — and when they're present, a parallel retrieval lane fires. It generates a set of targeted sub-queries, one per compatibility axis combination, and runs dense + lexical retrieval for each concurrently. Results are pooled, deduped, and reranked into a compatibility evidence segment that merges with the main evidence pack.

This lane runs alongside the primary retrieval path, not instead of it.

Evidence Packs and Two-Pass Generation

The flow is intentionally boring and auditable — and that's a feature, not a limitation.

Retrieved chunks don't go directly to the prompt. They're assembled into a typed evidence pack — each entry carries internal identity, retrieval path, provenance, and relevance signals. Diversity enforcement helps the pack span distinct sources before it's trimmed to the final window. The public response does not expose those private details, but operators can inspect them later by request ID.

Generation happens in two passes:

Answer generation: the model produces a response grounded in the evidence pack.
Verification and cleanup: a separate grounding pass checks whether technical claims are supported. Unsupported claims are flagged, and public responses are cleaned so private source details and citations are not returned to users.

If verification finds weak evidence coverage, Plexus surfaces that explicitly — "here's what the evidence suggests, but confidence is limited." For common in-scope WiFi concepts, it can also use expert synthesis when retrieved evidence is partial; that state is tracked internally instead of being hidden.

Offline Indexing and Release Gate

Plexus is only as good as the indexes behind it. Poor indexing is a silent production bug — the model keeps producing fluent text, but grounded in weaker evidence, and nothing in the output tells you retrieval degraded.

The pipeline handles extraction, normalization, chunking, metadata enrichment, embedding generation, and index publishing for the lexical, vector, and graph backends. Then validation checks run before any index is promoted to the online path.

That gate was added after a hard lesson early in the build. Embedding model drift caused retrieval quality to degrade silently. Plexus kept producing fluent answers, but they were grounded in stale, misaligned chunks. We caught it during a manual review — nothing in the output had signaled the problem. Adding offline evaluation before promotion was the fix. Now degradation shows up as a failed gate before it reaches users.

RCA: The Enterprise Extension

The knowledge chat is the first-cut release. The RCA engine is what comes next.

RCA is a separate problem from Q&A. Incident analysis needs to ingest packet and log artifacts, normalize them into structured observations, build an event timeline, generate candidate hypotheses, and ground those hypotheses against the knowledge corpus. Stuffing raw artifacts into a prompt is not a workflow — it's a guess.

Plexus has an RCA path designed around durable execution, per-tenant incident state, audit trails, and async workers. In the full enterprise shape, that means Temporal-style workflow orchestration, a persistent RCA store, structured reports, trace access, and explicit runtime health gates. That path has been implemented and evaluated separately from the public knowledge-chat trial, but broader RCA availability is intentionally gated behind its own quality and operations checks.

The enterprise stack is intentionally gated behind the knowledge RAG foundation. Plexus's knowledge corpus is what makes the RCA evidence credible. You can't have a trustworthy incident report without a trustworthy retrieval layer underneath it.

Tech Stack

Plexus's backend is Python with FastAPI for the API layer and Typer for CLI/admin workflows. Retrieval uses SQLite FTS, Qdrant, and Neo4j each in their respective roles. Inference runs locally via Ollama or through AWS Bedrock depending on deployment configuration. The current public trial uses Google sign-in through Cognito, a small lifetime question quota, DynamoDB-backed quota/feedback/history metadata, CloudFront/S3 for the static UI, and a lightweight backend runtime for the query path. The RCA architecture is designed for durable execution and structured analysis rather than mixing raw artifacts into prompt text. Instead of dumping a 500-line spanning tree log or a raw PCAP dump into the context window, the execution pipeline parses the artifact into a strict, deterministic schema first. The LLM only sees the distilled state.
{ "event_type": "802.11_auth_failure", "client_mac": "a1:b2:c3:...", "ap_bssid": "d4:e5:f6:...", "reason_code": 15, "timing_delta_ms": 120, "inferred_state": "4-way handshake timeout" }

This prevents the model from getting lost in the noise and allows the workflow to execute deterministic logic before leaning on the LLM for reasoning.

The specific tools matter less than the structural separations:

API and routing are separate from retrieval.
Retrieval is separate from answer generation.
RCA parsing is separate from RCA reasoning.
Offline indexing is separate from online serving.
Evaluation gates sit before release, not after user-facing failures.

Each boundary makes one layer independently testable and replaceable without touching the others.

Lessons From The Build

The biggest lesson: a useful troubleshooting RAG system needs more product discipline than model integration. The model is one component. The harder parts are the evidence pipeline, retrieval quality, answer grounding, and knowing when to say "the evidence isn't strong enough."

Evidence packs over prompt stuffing. The first version concatenated retrieved chunks directly into the prompt. It worked until context length grew — then the model started blending chunks in ways that were hard to audit and impossible to trace. Switching to a typed evidence pack with explicit internal slots made generation more reliable and made verification possible.

Hybrid retrieval pays off fast. Version one used only vector search. It missed exact string matches: protocol codes, specific error strings, and standards names. Adding FTS alongside vector search improved quality more than another round of prompt tuning would have.

Graph retrieval needs a penalty for speculation. Early graph mode returned chunks from indirectly connected entities that were topically related but not actually relevant to the specific question. A graph-only chunk with weak topical overlap is a speculation, not strong evidence. Penalizing that case made the hybrid retriever more precise.

Public answers should be source-safe. The system still tracks evidence internally, but the public UI should not reveal private corpus details. That forced a useful product boundary: users get concise answers, confidence, and feedback controls; operators get traces, evidence maps, and evaluation data.

Uncertainty signals matter more than you think. Early on, the LLM produced confident-sounding answers even when retrieved evidence was thin. Adding verification and confidence handling made Plexus feel trustworthy rather than just fluent.

Closing

Plexus is live as a private trial: knowledge chat, hybrid GraphRAG retrieval, source-safe answers, Google sign-in, quota protection, and feedback capture. If you work in WiFi infrastructure and want to put it through its paces, the trial is open at app.plexus.pw/chat. The RCA engine is the next broader product surface.

The architecture pattern here is broadly reusable: build a retrieval layer that can explain itself internally, keep generation grounded in evidence, and design incident workflows around structured analysis.

For infrastructure troubleshooting, that difference matters. The goal is not a fluent answer. The goal is an answer an engineer can trust, inspect, and challenge.

Read 3x Faster Without Losing Comprehension: Introducing NovaRead ⚡️📖

Sruthik I — Sun, 12 Apr 2026 13:37:50 +0000

Are you overwhelmed by open tabs, endless documentation, and long research papers? If you're a developer, student, or professional who consumes large amounts of text daily, you know that reading speed is often the productivity bottleneck.

What if I told you that most of your reading time isn't spent processing information, but rather moving your eyes mechanically across the screen?

That changes today. Introducing NovaRead.

The Science is Simple: Stop Moving Your Eyes

Traditional reading is physically demanding for the eyes. When we read a paragraph, our eyes don't move smoothly. Instead, they make tiny, jerky movements called saccades, and they frequently experience regression (jumping backward) when we lose our place.

NovaRead is built on two core scientific principles that solve this problem:

RSVP (Rapid Serial Visual Presentation): Instead of making your eyes scan a page, NovaRead flashes the text to you, one word at a time, in a fixed central position. Your eyes stay entirely still, eliminating the physical delay of eye movement.
ORP (Optimal Recognition Point): Every word has a visual sweet spot. Usually just left of center, this is where your eye needs to land to instantly recognize the word. NovaRead calculates this exact point and highlights it (the bright warning-color letter) right at your focal center.

By delivering the data directly to your brain's processing center, you switch from hearing the words in your head (subvocalization limitation ~150 WPM) to purely visualizing them at light speed.

Meet NovaRead ⚡️

I've crafted NovaRead to be the ultimate Chrome extension for high-performance reading. Here is what we packed inside:

Supercharged Speeds: Read anywhere from a calm 150 WPM up to an intense 1,000+ WPM.
Universal Support: With one click, extract clean text from any web article using our baked-in Mozilla Readability engine. You can also upload PDF and Local TXT files.
Flow State Soundscapes: Ambient background music featuring Lo-Fi beats, Calm Piano, and Electronic focus sounds.
Keyboard-driven Experience: Space to play/pause, Arrow keys to seek and adjust speed, and M to cycle audio.
Premium Aesthetic: Built with a beautiful, distraction-free neo-dark theme featuring glassmorphism and soft glowing highlights.

Privacy First

Unlike many tools out there, NovaRead is built to do one thing securely. It’s entirely local. No text is ever uploaded, and no trackers are used. Your data stays entirely in your browser.

Try It Out!

https://chromewebstore.google.com/detail/mgenomcilldfgkmmomlodknaoklanbhl?utm_source=item-share-cb

Install and start your flash reading experience today! 🚀