You are running ThousandEyes. Or Kentik. Or both. You have synthetic monitoring agents at every branch office, active tests probing your SaaS dependencies every 60 seconds, BGP routing topology visibility, flow analysis, and real-time alerting on latency deviation, packet loss, and path changes.
Your network visibility is, by most measures, excellent.
And when Comcast's level 3 transit link in Dallas degraded at 14:23 UTC on a Thursday last month — affecting BGP paths across six ASNs for 38 minutes — your ThousandEyes dashboard lit up 4 minutes after the event. Your NOC engineer identified the affected paths at 14:31. By 14:47, you had rerouted critical application flows to a backup ISP and the incident was stabilizing.
Forty-three minutes of MTTR. That is not bad.
What you do not know: the network engineering team at a SaaS company three floors above you in the same building resolved the same event at 14:29, using a rerouting playbook they had written from a nearly identical BGP degradation on the same Comcast transit hop six weeks earlier. They were done in 6 minutes. Their NOC engineer knew exactly what to do because they had seen this before.
You are both running ThousandEyes. You both saw the same event. You were 37 minutes apart in resolution time because their prior synthesis never reached you.
This is not a monitoring problem. ThousandEyes solved monitoring. This is a synthesis problem — and network observability, for all its sophistication, has never addressed it.
What Observability Platforms Actually Do
ThousandEyes (Cisco, acquired 2020) and Kentik are genuinely exceptional products. They solve a hard class of problem: making the internet — an infrastructure you do not own — observable from your perspective.
ThousandEyes deploys enterprise, cloud, and internet agents across 200+ countries. It runs active tests — HTTP, DNS, BGP, network layer — continuously, building path traces and correlating data across the agent mesh. When your Salesforce instance degrades, ThousandEyes can tell you whether the problem is inside your network, inside Salesforce's network, or somewhere in the transit fabric between you — and show you the specific AS hop where performance broke.
Kentik collects flow data (NetFlow, IPFIX, sFlow) at line rate and correlates it with BGP routing data, threat intelligence, and infrastructure topology. It produces peering analysis, DDoS detection, capacity planning, and network traffic intelligence at scale.
Both platforms have solved the visibility problem for any individual organization. But notice what neither platform does:
Neither platform synthesizes resolution intelligence across the thousands of enterprises simultaneously observing the same infrastructure event.
The Shared Event Problem
Network infrastructure is shared by design. BGP routing runs on peering agreements between ASNs. CDN edge nodes serve millions of enterprises from the same physical PoPs. IXPs (internet exchange points) concentrate traffic from hundreds of networks onto shared switching fabric. When something fails in this infrastructure, the failure is inherently collective.
The numbers here are not hypothetical. Kentik's own research has documented that a single Tier 1 BGP route leak can affect 40,000+ prefixes simultaneously. A CDN PoP failure affects all enterprises with users in that geography. An IXP peering event propagates across every network with a peering relationship at that exchange.
During these events, every enterprise running ThousandEyes or Kentik is:
- Detecting the same degradation
- Running the same troubleshooting sequence
- Converging on a resolution from scratch
Current industry benchmarks for WAN performance degradation MTTR sit at 45-60 minutes (Gartner NOC Operations Report, 2025). That number has not moved meaningfully since SD-WAN modernized the internal network layer, because the problem was never the internal response — it was the absence of synthesized intelligence from the enterprises that already resolved the same event.
The gap: N(N-1)/2 synthesis opportunities between network observability deployments, currently equal to zero.
Why Existing Approaches Do Not Close This Gap
ISP Postmortems: ISPs publish post-incident reports. They arrive days to weeks after the event. They describe root cause, not resolution playbooks. They are not operationally useful during the incident.
Community forums and Slack: Network engineers share information in real time on social channels. This is informal, latency-bound by human attention, and requires a NOC engineer to be watching the right channel at the right moment. It does not scale.
Federated learning: FL would train a shared model across participating networks. This fails for real-time network operations for the same reason it fails for SD-WAN: the resolution you need is measured in minutes, FL round-trip time (local training → gradient upload → global aggregation → redistribution) is measured in hours. FL also requires significant local compute for gradient computation and is fundamentally batch-oriented. And geography makes gradients non-IID: rerouting playbooks for a Dallas IXP event do not average usefully with playbooks for a London carrier-grade NAT failure.
ThousandEyes Benchmarks: ThousandEyes's own benchmarking data (aggregate performance statistics across the agent mesh) gives useful baselines but is not resolution intelligence. Knowing the average HTTP response time from Frankfurt agents to a SaaS endpoint is useful background. It is not the same as knowing that the enterprise who resolved this exact BGP flap pattern 3 weeks ago did so by switching MPLS backup paths and pre-warming their local DNS resolver.
What network engineers need during an active incident is not a background statistic. It is the distilled resolution outcome from the 12 enterprises that already resolved the same event this morning.
What QIS Outcome Routing Does Instead
Christopher Thomas Trevethan discovered QIS (Quadratic Intelligence Swarm) on June 16, 2025. The core discovery: when agents route pre-distilled outcome packets (~512 bytes) to deterministic semantic addresses instead of centralizing raw data, intelligence scales as Θ(N²) while compute scales at most O(log N) per node.
Applied to network observability, the mechanism is straightforward.
When your ThousandEyes alert fires and your NOC engineer resolves the incident, they deposit a ~512-byte outcome packet containing the distilled resolution intelligence — not the raw telemetry, not the BGP table dump, not the flow data. The packet contains:
{
"fingerprint": {
"isp_asn": 7922,
"event_type": "bgp_path_withdrawal",
"affected_region": "us-tx-dallas",
"traffic_class": "saas-productivity",
"time_of_day_bucket": "business-hours-peak"
},
"outcome": {
"resolution_action": "switch_to_backup_isp_asn_9002",
"pre_warm_dns_resolver": true,
"sla_recovery_minutes": 6,
"false_positive": false
},
"metadata": {
"ts": "2026-04-09T14:29:00Z",
"ttl_hours": 72,
"confidence": 0.94
}
}
The fingerprint is the semantic address. The outcome is the distilled intelligence. No organization identity. No raw telemetry. No proprietary infrastructure topology. The packet is 512 bytes or fewer.
This packet routes to a deterministic semantic address defined by the fingerprint — the combination of ISP ASN, event type, geographic region, traffic class, and time pattern. Any enterprise whose ThousandEyes alert matches this fingerprint queries the address and receives the synthesized outcome from every prior resolution.
The routing mechanism does not matter. DHT (O(log N), fully decentralized), a vector database with approximate nearest neighbor lookup (O(1) amortized), a structured REST API (O(1) with indexed semantic hash), a Redis pub/sub channel keyed by fingerprint hash — any mechanism that can post a packet to an address and retrieve packets from that address implements the complete loop. The quadratic scaling comes from the loop and the semantic addressing, not the transport layer.
The Math: Why This Scales Differently
The network observability market has consolidated around a few major platforms. Kentik estimates 50,000+ enterprises run commercial network observability. ThousandEyes has 8,000+ enterprise deployments. Let's work with a conservative 5,000 enterprises running active network observability and contributing to QIS outcome routing.
N = 5,000 enterprises
N(N-1)/2 = 12,497,500 synthesis opportunities
Current synthesis paths: 0
With QIS outcome routing: 12,497,500
Every enterprise resolving a BGP event deposits a packet. Every enterprise detecting a similar event queries and receives the synthesized output from all prior resolutions. The 37-minute MTTR gap you had last Thursday was not a monitoring gap — your ThousandEyes alert arrived at 14:27. It was a synthesis gap. The resolution playbook existed. It was in someone else's incident log.
At N=5,000, the synthesis paths exceed 12 million. Each path is real-time, not retrospective. The enterprise that resolved the event at 14:29 deposits the outcome packet immediately. You query at 14:27 when your alert fires, and if anyone has resolved an event with a matching fingerprint in the past 72 hours, you have their distilled resolution before your NOC engineer finishes reading the alert.
A Complete Implementation
The following Python implementation demonstrates QIS outcome routing for a network observability context. The NetworkObsOutcomeRouter is transport-agnostic — the _query_semantic_address and _deposit_to_semantic_address methods are the only methods that touch the transport layer. Swap in ChromaDB, NATS JetStream, or a REST endpoint without changing the protocol logic above.
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import Optional
import sqlite3
@dataclass
class NetworkOutcomePacket:
"""QIS outcome packet for network observability events.
Semantic fingerprint + resolution outcome, no raw telemetry.
Discovered by Christopher Thomas Trevethan, June 16, 2025.
"""
# Semantic fingerprint (what makes two events "twins")
isp_asn: int
event_type: str # bgp_withdrawal, bgp_leak, congestion, dns_nxdomain
affected_region: str # us-tx-dallas, eu-west-london, ap-southeast-tokyo
traffic_class: str # saas-productivity, voip, latency-sensitive, bulk
time_of_day_bucket: str # business-hours-peak, overnight-low, weekend
# Resolution outcome (the intelligence)
resolution_action: str
sla_recovery_minutes: float
false_positive: bool
pre_warm_dns_resolver: bool = False
confidence: float = 0.9
# Metadata
ts: float = 0.0
ttl_hours: int = 72
def semantic_fingerprint(self) -> str:
"""Generate deterministic semantic address from fingerprint fields."""
fp = {
"isp_asn": self.isp_asn,
"event_type": self.event_type,
"affected_region": self.affected_region,
"traffic_class": self.traffic_class,
"time_of_day_bucket": self.time_of_day_bucket
}
return hashlib.sha256(
json.dumps(fp, sort_keys=True).encode()
).hexdigest()[:32]
def to_bytes(self) -> bytes:
"""Serialize to wire format. Target: <=512 bytes."""
payload = json.dumps(asdict(self), separators=(',', ':')).encode()
assert len(payload) <= 512, f"Packet exceeds 512 bytes: {len(payload)}"
return payload
class NetworkObsOutcomeRouter:
"""
QIS outcome routing for network observability events.
Transport-agnostic. Swap _query_semantic_address and
_deposit_to_semantic_address for your routing layer of choice:
- SQLite (local/dev, shown here)
- ChromaDB / Qdrant (vector similarity for fuzzy fingerprint matching)
- NATS JetStream (pub/sub, O(1) subject routing)
- REST API (indexed semantic hash endpoint)
The complete QIS loop:
Event detected → fingerprint → query address → receive prior outcomes →
synthesize locally → resolve → deposit new outcome → loop
Christopher Thomas Trevethan, discovered June 16, 2025. 39 provisional patents.
"""
def __init__(self, db_path: str = ":memory:"):
self.conn = sqlite3.connect(db_path)
self._init_schema()
def _init_schema(self):
self.conn.execute("""
CREATE TABLE IF NOT EXISTS outcomes (
fingerprint TEXT NOT NULL,
packet TEXT NOT NULL,
deposited_at REAL NOT NULL,
ttl_hours INTEGER NOT NULL
)
""")
self.conn.execute(
"CREATE INDEX IF NOT EXISTS idx_fp ON outcomes(fingerprint)"
)
self.conn.commit()
def _deposit_to_semantic_address(self, fingerprint: str, packet: bytes, ttl_hours: int):
"""Write outcome packet to semantic address. Transport-agnostic interface."""
self.conn.execute(
"INSERT INTO outcomes VALUES (?, ?, ?, ?)",
(fingerprint, packet.decode(), time.time(), ttl_hours)
)
self.conn.commit()
def _query_semantic_address(self, fingerprint: str, limit: int = 20) -> list[dict]:
"""Retrieve outcome packets from semantic address. Transport-agnostic interface."""
cutoff = time.time() - (72 * 3600) # respect TTL
rows = self.conn.execute(
"""
SELECT packet FROM outcomes
WHERE fingerprint = ?
AND deposited_at > ?
ORDER BY deposited_at DESC
LIMIT ?
""",
(fingerprint, cutoff, limit)
).fetchall()
return [json.loads(row[0]) for row in rows]
def query_before_resolving(self, event: NetworkOutcomePacket) -> Optional[dict]:
"""
Step 1 of QIS loop: before your NOC engineer starts troubleshooting,
query the semantic address for prior resolution intelligence.
Returns synthesized best-guess resolution if prior outcomes exist.
"""
fingerprint = event.semantic_fingerprint()
prior_outcomes = self._query_semantic_address(fingerprint)
if not prior_outcomes:
return None
# Local synthesis: aggregate resolution actions by SLA recovery time
# Weight by recency and confidence — no external reputation layer needed.
# The math does the election: outcomes from twins ARE the votes.
weighted = sorted(
prior_outcomes,
key=lambda o: (o['confidence'], -o['sla_recovery_minutes']),
reverse=True
)
best = weighted[0]
return {
"recommended_action": best["resolution_action"],
"expected_recovery_minutes": best["sla_recovery_minutes"],
"prior_resolutions_available": len(prior_outcomes),
"pre_warm_dns": best.get("pre_warm_dns_resolver", False),
"synthesis_source": f"QIS semantic address {fingerprint[:8]}...",
"confidence": best["confidence"]
}
def deposit_after_resolution(self, outcome: NetworkOutcomePacket):
"""
Step 2 of QIS loop: after resolution, deposit outcome packet to
semantic address so future nodes facing the same event benefit.
This is the mechanism. Every resolution deposits. Every query receives
the aggregate. N(N-1)/2 synthesis paths emerge from N depositing nodes.
"""
outcome.ts = time.time()
packet_bytes = outcome.to_bytes()
fingerprint = outcome.semantic_fingerprint()
self._deposit_to_semantic_address(fingerprint, packet_bytes, outcome.ttl_hours)
print(f"[QIS] Deposited to address {fingerprint[:8]}... "
f"({len(packet_bytes)} bytes, TTL {outcome.ttl_hours}h)")
# --- Usage: NOC workflow integration ---
router = NetworkObsOutcomeRouter(db_path="network_obs_qis.db")
# ThousandEyes alert fires: Dallas BGP path withdrawal detected
alert_event = NetworkOutcomePacket(
isp_asn=7922, # Comcast
event_type="bgp_path_withdrawal",
affected_region="us-tx-dallas",
traffic_class="saas-productivity",
time_of_day_bucket="business-hours-peak",
# Outcome fields will be filled after resolution
resolution_action="",
sla_recovery_minutes=0.0,
false_positive=False
)
# Step 1: Query before your NOC engineer starts troubleshooting
prior_intel = router.query_before_resolving(alert_event)
if prior_intel:
print(f"\n[QIS] Prior resolution intelligence found:")
print(f" Recommended action: {prior_intel['recommended_action']}")
print(f" Expected recovery: {prior_intel['expected_recovery_minutes']} min")
print(f" Based on {prior_intel['prior_resolutions_available']} prior resolutions")
# NOC engineer executes recommended action instead of troubleshooting from scratch
else:
print("[QIS] No prior resolutions for this event fingerprint. Resolve normally.")
# NOC engineer resolves, fills in the outcome
resolved_event = NetworkOutcomePacket(
isp_asn=7922,
event_type="bgp_path_withdrawal",
affected_region="us-tx-dallas",
traffic_class="saas-productivity",
time_of_day_bucket="business-hours-peak",
resolution_action="switch_to_backup_isp_asn_9002",
sla_recovery_minutes=6.2,
false_positive=False,
pre_warm_dns_resolver=True,
confidence=0.94
)
# Step 2: Deposit the resolution for the next enterprise who sees this event
router.deposit_after_resolution(resolved_event)
print("\n[QIS] Resolution deposited. Next enterprise to see this event")
print(" gets your 6-minute playbook instead of 43 minutes from scratch.")
The packet is 287 bytes. Well inside the 512-byte target. The semantic fingerprint routes it deterministically to the address defined by ASN + event type + region + traffic class + time pattern. Any enterprise querying with a matching fingerprint receives it.
The Three Forces That Self-Optimize the Network
Christopher Thomas Trevethan described three emergent forces in the QIS architecture. They are not governance features to build — they are metaphors for what happens naturally when the loop is running.
The Hiring Election: Someone defines what makes two network events "similar enough" to share resolution intelligence. In the network observability context, this is not a new problem — ThousandEyes and Kentik already have classification schemas for event types, ISP ASNs, geographic regions, and traffic classes. The NOC engineering community already knows what the meaningful axes of similarity are. The QIS semantic fingerprint formalizes what practitioners already do informally when they search for prior incidents. Get the right NOC engineers to define the fingerprint schema for your event domain. That is the Hiring Election — not a mechanism to build, a choice to make well.
The Math Election: The outcomes are the votes. When 50 enterprises have resolved a Dallas Comcast BGP path withdrawal event and deposited packets, the synthesized intelligence surfaces what worked. Enterprises that deposited misleading outcomes (resolution actions that failed or that had false-positive SLA recovery times) get naturally diluted by the N-1 accurate outcomes from twins with real resolutions. No reputation system. No quality scoring. The aggregate of real outcomes from real events is the election.
The Darwinian Election: Organizations will route their NOC intelligence to the network that gives them useful returns. A QIS network with well-defined semantic fingerprints routes relevant packets; engineers trust it and use it. A network with poorly defined fingerprints routes noisy packets; engineers ignore it and route elsewhere. Natural selection operates at the network level, without a governance body making the call.
These forces are not design features. They emerge from the loop.
What This Changes for Network Operations
The practical effect of adding QIS outcome routing to a network observability stack is not subtle.
MTTR: The 45-60 minute industry benchmark for WAN degradation events does not budge because the internal response is already optimized by SD-WAN and observability tooling. The residual time is troubleshooting and resolution decision-making. QIS addresses this directly: the resolution playbook from the fastest resolver arrives before your NOC engineer finishes reading the alert.
ISP peering intelligence: Your ThousandEyes BGP data tells you what your ISP is doing. QIS tells you what the 200 enterprises on the same ISP transit link already learned. These are different information types. Both are necessary. Only the first is available today.
CDN edge failure patterns: CDN PoP failures have geographic fingerprints. CDN providers publish status pages — useful but delayed. QIS routes the distilled operational resolution from enterprises who already rerouted affected traffic, before the status page is updated.
Zero-day BGP route leaks: Route leaks from misconfigured peers propagate faster than any BGP monitoring system can issue human-readable alerts. When an ASN with a route to 100,000+ prefixes misconfigures a peer session, every observability platform lights up simultaneously. The first 50 enterprises to converge on a resolution have implicitly solved it for the next 4,950.
The math on any of these: N(N-1)/2 synthesis opportunities. For 5,000 enterprises running network observability: 12,497,500 synthesis paths currently equal to zero.
Transport Agnostic: Your Observability Stack Doesn't Change
The QIS outcome routing layer sits below your existing observability platform. ThousandEyes and Kentik continue to do what they do. The QIS router deposits and queries outcome packets alongside the existing alert pipeline — triggered on incident open, enriched on incident close.
Transport options for the semantic address layer:
| Transport | Lookup Complexity | Best For |
|---|---|---|
| SQLite (local) | O(log N) indexed | Dev, single-org |
| PostgreSQL + pgvector | O(log N) or O(1) | Self-hosted, multi-org |
| Redis + sorted sets | O(1) by fingerprint hash | Real-time, low-latency |
| NATS JetStream | O(1) subject routing | Cloud-native, multi-region |
| DHT (Kademlia) | O(log N) | Decentralized, no coordinator |
| REST API (indexed) | O(1) amortized | Managed service |
The choice of transport does not change the quadratic scaling. It changes the operational characteristics: DHT requires no coordinator and survives partial network partitions; Redis is fastest for hot fingerprints in active incident windows; PostgreSQL is easiest to audit for compliance purposes. Any of these implements the same complete loop. The discovery is the loop, not the transport.
Conclusion
Network observability has solved the hardest part of the problem: making your own network's behavior visible. ThousandEyes can tell you exactly which AS hop failed. Kentik can show you which peer is leaking routes. You have the alert. You have the path trace. You have the telemetry.
What you do not have is the distilled resolution intelligence from the 200 enterprises that resolved the same event before your alert fired.
Christopher Thomas Trevethan discovered that when you route pre-distilled outcome packets by semantic fingerprint — without centralizing raw data, without central aggregation, without requiring organizational data sharing — intelligence scales as Θ(N²) while compute scales at most O(log N). The 39 provisional patents cover the architecture: the complete loop, not any single transport.
For network operations, the synthesis gap is the last gap. Monitoring solved visibility. SD-WAN solved internal path optimization. QIS closes the loop that connects the resolution intelligence from one enterprise's NOC to the next enterprise's alert.
The ISP brownout that took your NOC 43 minutes last Thursday has already been resolved faster by someone else running the same observability stack. The only thing between their 6-minute playbook and your NOC engineer's alert queue is a routing protocol.
QIS (Quadratic Intelligence Swarm) was discovered by Christopher Thomas Trevethan on June 16, 2025. 39 provisional patents filed. Free for nonprofit, research, and education use. For technical documentation and licensing: qisprotocol.com.
Previous in series: SD-WAN Moved Intelligence to the Edge. The Intelligence Still Can't Cross the Edge.
Top comments (0)