DEV Community

Chase Davis

NetStacks: An Open-Source AI-Powered SSH Terminal That Thinks With You

Most network engineers have the same daily toolkit: a general-purpose terminal emulator, a password manager, a browser tab for vendor documentation, a spreadsheet of device IPs, and maybe a drawing tool for topology diagrams. Each tool is fine on its own. Together, they create a workflow held together with muscle memory and Alt-Tab.

NetStacks is an open-source desktop terminal designed specifically for network engineering. It combines SSH, Telnet, and SFTP sessions with an encrypted credential vault, a network-aware AI assistant, Jinja2 configuration templates, topology visualization, and integrations with tools like NetBox, LibreNMS, and Netdisco — all in a single application.

This post walks through what it does, how the AI features work, and why it's open source.

The Problem with General-Purpose Terminals

PuTTY, SecureCRT, iTerm2, and Windows Terminal are all solid tools. But none of them know anything about networking. When you paste show ip bgp summary output into a terminal, the terminal sees text. It doesn't know that the State/PfxRcd column showing Active means a BGP peer failed to establish. It can't tell you that a route-map without a permit statement is an implicit deny-all. It won't warn you that you're about to paste a write erase into a production router.

Network engineers also accumulate credentials for dozens — sometimes hundreds — of devices. SSH keys, passwords, SNMP community strings, API tokens. These live in password managers that don't understand session profiles, or worse, in plaintext files and shell history.

NetStacks was built to close these gaps: a terminal that understands the protocols you work with, stores credentials securely, and uses AI to actually help with the domain-specific work network engineers do every day.

What NetStacks Does

Multi-Protocol Terminal with Session Management

At its core, NetStacks is a tabbed terminal emulator supporting SSH, Telnet, and SFTP. You can split panes horizontally and vertically, group tabs by site or function, and broadcast commands across multiple sessions simultaneously — useful for deploying a config change to every switch in a rack or running show version across a fleet.

Sessions are organized with folders, tags, and smart filters. If you're migrating from SecureCRT, there's a direct import for your existing session database. You can also bulk-import devices from CSV or sync your inventory straight from NetBox.

Other terminal features that matter for network work:

  • Configurable syntax highlighting — color-code interface statuses, error counters, BGP states, whatever patterns you care about
  • Snippets and custom commands — reusable command blocks with variable substitution, so you type once and apply everywhere
  • Jump host and tunnel support — ProxyJump chains, local port forwards, and dynamic SOCKS proxying, configured per-session
  • Session recording — full terminal recordings with command indexing, searchable history, and text transcripts for compliance and training
  • Live session sharing — share a terminal session with a teammate for real-time collaborative troubleshooting
  • Find bar and command palette — search within terminal output and access any action via keyboard
  • SFTP file browser — drag-and-drop file transfers with progress tracking, integrated alongside your terminal sessions

Encrypted Credential Vault

NetStacks includes a local credential vault for SSH passwords, private keys, API tokens, and SNMP community strings. Credentials are encrypted at rest using a key derived from your master password. The cryptographic primitives are published as a separate open-source library (netstacks-crypto) so they can be audited independently.

Key points about the vault:

  • Everything stays local. No cloud sync, no third-party key management service.
  • Credentials are bound to session profiles, so connecting to a device auto-fills authentication without copy-pasting from a separate password manager.
  • The vault supports biometric unlock on macOS (Touch ID) and Windows (Windows Hello) for convenience without sacrificing the master password requirement on first unlock.
  • All persistent state — sessions, credentials, topologies, history — lives in a single SQLite database file. Backing up NetStacks means backing up one file.

Network-Aware AI Assistant

This is the feature that separates NetStacks from a general-purpose terminal with an AI chatbot bolted on.

The AI assistant ships with vendor-specific knowledge packs for Cisco IOS/IOS-XE/NX-OS, Juniper JunOS, and Arista EOS. These aren't generic prompt templates — they encode platform-specific operational knowledge. The Cisco pack knows that NX-OS is feature-gated (you need feature ospf before configuring OSPF). The Juniper pack knows the commit model and rollback workflow. The routing pack understands BGP path selection order, OSPF LSA types, and EIGRP feasibility conditions.

What the assistant can actually do:

  • Read your terminal output and explain what's happening. Paste a BGP neighbor table and it will identify which peers are established, which are stuck in Active, and suggest troubleshooting steps specific to the platform you're on.
  • Suggest commands based on device type, session context, and what you're trying to accomplish. It knows the difference between show ip route on IOS and show route on JunOS.
  • Generate configuration snippets using the correct syntax for the target platform, including common gotchas (like the implicit deny on a Cisco route-map without a permit statement).
  • Help troubleshoot by walking through diagnostic workflows — checking adjacency states, verifying next-hop reachability, analyzing path selection.

What it won't do (by design):

NetStacks enforces a set of non-negotiable safety rules that are hardcoded into every AI interaction:

  • It will never execute destructive commands (write erase, reload, request system zeroize) without explicit human approval
  • It will never fabricate CLI output or invent interface names — if it doesn't know the exact syntax for a platform, it says so
  • It will never bypass change management or approval workflows
  • It verifies changes after execution and reports failed verification immediately
  • It always identifies itself as AI in logs, audit trails, and session recordings
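A sketch of how an approval gate for the destructive commands listed above can be checked, added here as an example and not taken from the NetStacks code base. It goes slightly beyond the list by matching abbreviated keywords (IOS accepts wr er for write erase) and the config-mode do prefix; the function names and the sample paste are constructed.

```python
# Destructive commands named in the post, as keyword tuples.
DESTRUCTIVE = [
    ("write", "erase"),
    ("reload",),
    ("request", "system", "zeroize"),
]

def _hits(tokens, rule):
    """True if the typed tokens abbreviate the rule's keywords in order."""
    # Prefix matching is deliberately conservative: an ambiguous
    # abbreviation is held for approval rather than let through.
    return len(tokens) >= len(rule) and all(
        kw.startswith(tok) for tok, kw in zip(tokens, rule))

def needs_approval(paste):
    """Return (line_no, command, rule) for every destructive line in a paste."""
    findings = []
    for no, line in enumerate(paste.splitlines(), start=1):
        tokens = line.lower().split()
        if tokens and tokens[0] == "do":  # IOS config-mode prefix for exec commands
            tokens = tokens[1:]
        for rule in DESTRUCTIVE:
            if _hits(tokens, rule):
                findings.append((no, line.strip(), " ".join(rule)))
                break
    return findings

def gate(paste, approved_by=None):
    """Allow the paste only if it is harmless or a named human approved it."""
    findings = needs_approval(paste)
    return (not findings or bool(approved_by)), findings

# Constructed multi-line paste: three lines should be held, three should pass.
PASTE = "show version\nwr er\n do rel in 5\nrequest system zeroize\nshow reload\nwr mem\n"

if __name__ == "__main__":
    allowed, held = gate(PASTE)
    print("allowed:", allowed)
    for no, cmd, rule in held:
        print(f"line {no}: {cmd!r} matches {rule!r}, approval required")
```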

Credential sanitization:

Before any terminal output or context reaches the AI model, it passes through a configurable sanitization layer. This layer can redact:

  • IPv4 and IPv6 addresses
  • MAC addresses
  • Hostnames and FQDNs
  • Usernames in configuration context
  • SNMP communities, passwords, and API keys (always redacted, not configurable)
  • Custom patterns you define via regex

You control what gets scrubbed. If you're comfortable sending IP addresses to your LLM provider but not hostnames, you configure that. Credentials are always stripped — that's not optional.
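The following added example (not NetStacks code) shows the shape of such a layer in Python: credential rules that always run, optional categories the caller enables, and custom regexes. The Cisco-style patterns, the category names, the stable <IPV4_n> pseudonyms and the sample config are assumptions constructed for illustration.

```python
import re

# Constructed Cisco IOS-style sample; every value is made up.
SAMPLE = """\
hostname edge-rtr-01
enable secret 5 $1$constructed$hash
snmp-server community s3cr3tRO RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 mac-address 0011.2233.4455
router bgp 65000
 neighbor 192.0.2.254 remote-as 65001
 neighbor 192.0.2.254 password 7 0822455D0A16
"""

# Credential rules always run. They err toward over-redaction: the token
# after password/secret/key (and an optional type digit) is dropped.
ALWAYS = [
    re.compile(r"(?i)(\bsnmp-server community )(\S+)"),
    re.compile(r"(?i)(\b(?:password|secret|key)(?: \d+)? )(\S+)"),
]
# Optional categories (hypothetical names) that the user may enable.
OPTIONAL = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}\b"
                      r"|\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I),
}

def sanitize(text, enabled=(), custom=()):
    """Redact credentials always, then enabled categories and custom regexes."""
    for rx in ALWAYS:
        text = rx.sub(lambda m: m.group(1) + "<REDACTED>", text)
    seen = {}  # (kind, value) -> token, so one address keeps one pseudonym

    def pseudonym(kind):
        def repl(m):
            key = (kind, m.group(0).lower())
            if key not in seen:
                n = sum(k[0] == kind for k in seen) + 1
                seen[key] = f"<{kind.upper()}_{n}>"
            return seen[key]
        return repl

    for kind in enabled:
        text = OPTIONAL[kind].sub(pseudonym(kind), text)
    for i, pattern in enumerate(custom, start=1):
        text = re.sub(pattern, f"<CUSTOM_{i}>", text)
    return text
```

Keeping one pseudonym per distinct address means the model can still see that two lines refer to the same BGP neighbor without learning the address itself.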

Bring your own model:

NetStacks supports OpenAI, Anthropic, and Ollama as LLM providers. If you run a self-hosted model via Ollama, nothing leaves your network. You can also connect external tool servers via the Model Context Protocol (MCP) to extend what the AI agent can do.

Methods of Procedure (MOPs)


For change management, NetStacks supports structured Methods of Procedure with risk classifications, rollback instructions, platform guidance, and multi-approver workflows. You define the steps, the approval threshold, and the AI autonomy level for each procedure. Approvers can review, comment, and approve or reject before execution begins.

This is the kind of workflow that usually lives in a separate ticketing system or a Word document. Having it integrated with the terminal that actually executes the changes reduces the gap between "approved plan" and "what actually happened."

Python Scripting

NetStacks includes a script editor with Python support. Scripts use PEP 723 inline metadata for dependency management, so you declare what packages you need in the script file itself. The runtime uses uv for fast, deterministic package resolution — it downloads and manages the Python toolchain automatically.

This is useful for automation tasks that go beyond what templates and MOPs cover: custom audit scripts, data collection, API-driven provisioning, or anything where you need a real programming language.

Topology Visualization

NetStacks discovers network topology through multiple methods — SNMP neighbor tables, LLDP/CDP data, CLI neighbor commands, and Nmap fingerprinting — and renders it as an interactive 2D or 3D visualization. Layouts can be force-directed or hierarchical. Devices show real-time status, and you can double-click any device in the topology to open an SSH session directly.

If you use NetBox, Netdisco, or LibreNMS, NetStacks can pull inventory and topology data from those systems and merge it with its own discovery results.

The topology also supports visual traceroute — run a traceroute and watch the path light up across your topology map.

Architecture and Performance

NetStacks is built with Tauri (Rust backend + web frontend), not Electron. The difference matters for a tool you keep open all day — it launches fast, uses less memory, and doesn't spin up a full Chromium instance per window. The Rust backend handles SSH, credential management, SNMP, discovery, AI integration, and all local processing. The frontend is a React application that communicates with the backend over a local WebSocket.

All data is stored locally in a single SQLite database. There's no external service dependency for core functionality. No telemetry, no phone-home, no usage analytics.

Open Source, Not Open Bait

NetStacks Terminal and the Local Agent are open source under Apache 2.0. The source is on GitHub. Every feature described in this post ships to every user. There's no "Community Edition" with half the features stripped out, no "upgrade to unlock SFTP," no feature gate that kicks in after 30 days.

The commercial side of NetStacks is a separate product — a Controller for teams and enterprises that need:

  • Centralized credential management where passwords never touch engineer laptops
  • RBAC with 12+ granular permissions
  • SSO/SAML/LDAP/OIDC authentication
  • Full audit logging and compliance reporting
  • Multi-user session sharing and proxied SSH connections
  • Plugin system for alerts, incidents, ITSM integration, and deployments

If you're a solo engineer or a small team where everyone manages their own credentials, the open-source Terminal is the complete product. The Controller exists for organizations with compliance requirements and shared infrastructure — it's a different product for a different use case, not a paywall around features you need.

Who This Is For

If you SSH into network devices as part of your job — routers, switches, firewalls, load balancers — and you've wished your terminal understood what you were looking at, NetStacks is worth trying. It's especially useful if you:

  • Manage credentials for dozens or hundreds of devices and want them encrypted and organized
  • Work across multiple vendors (Cisco, Juniper, Arista) and want AI assistance that knows the difference
  • Need to generate configs from templates without setting up a separate automation pipeline
  • Want topology visibility without deploying a dedicated NMS
  • Need session recordings for compliance or knowledge sharing
  • Are looking for a modern, open-source alternative to SecureCRT or PuTTY that's built for networking

NetStacks is a daily driver for the hands-on-keyboard work that network engineers still do every day — connecting to devices, running commands, troubleshooting issues, making changes, and documenting what happened.

Getting Started

Signed installers for macOS, Windows, and Linux are available at netstacks.net/download. You can also build from source — the repo includes build docs for all three platforms.

The quick-start path:

  1. Install and launch NetStacks
  2. Set a master password for the credential vault
  3. Add a device (manually, CSV import, SecureCRT import, or NetBox sync)
  4. Connect

Full documentation is at netstacks.net/docs. The source code is on GitHub.

If you have questions, drop them in the comments — happy to go deeper on any of the features covered here.
