Skip to main content
All systems normal
·142.9M packets classified, last 24h·11 sites online·500+ GB processed today·98.84% uptime, 7d·0 CVEs · current branch·142.9M packets classified, last 24h·11 sites online·500+ GB processed today·98.84% uptime, 7d·0 CVEs · current branch
Taurine
Overview/Traffic Classification

We classify
traffic your
firewall can't see.

Encryption broke deep-packet inspection. TLS 1.3, QUIC, and DNS-over-HTTPS hide everything DPI used to rely on. Axon's classifier investigates the packet payload, fingerprints other parts of the flow, and combines those signals into a custom heuristic that runs on a lightweight model (on the edge device) in real time.

The result: applications are identified within the first handful of packets, encrypted or not, without sending raw traffic to the cloud.

Read the QUIC story Book a demo
  • Multi-signal payload + flow
  • Real-time, on-device
  • Adapts per site over time
  • Raw traffic never leaves
console.taurinetech.cloud / traffic / last 12h
live
Axon Traffic Analytics. QUIC dominates the top-apps chart.
The problem

Encryption took DPI's tools away.

Classical deep packet inspection works by reading domain names out of cleartext metadata. In a modern network, almost none of that metadata is cleartext anymore. Most "network management" appliances quietly fall back to guessing.

Blindspot
What DPI loses
TLS 1.3
Encrypted handshake hides the SNI from most DPI tools.
QUIC
UDP-based, fully encrypted, multiplexed. Looks like noise to L7 inspection.
DNS-over-HTTPS
DNS lookups travel inside ordinary HTTPS. Invisible to DNS-based filters.
VPN / proxy traffic
Tunnelled flows defeat domain-based and SNI-based classification.
How Axon classifies

Multiple signals. One custom heuristic. Lightweight enough to run on the edge.

Signal 01Layer 7 · bytes
payload▎ informative
00004a7e3102c41f880e
00087c811392ff426b0a
0010032f19a5bd70c1e2
00185d08fa44019b337e

Packet payload

We look at the parts of the packet payload that remain informative under encryption, and combine them with other observable behaviour to triangulate the application.

Signal 02Flow · statistics
flow▎ pattern lock
t₀t₁t₂t₃

Flow fingerprints

We fingerprint other parts of each flow: characteristics that don't change when the payload is encrypted. These survive QUIC, TLS 1.3, and most circumvention techniques.

Signal 03 · Axon agentOn-device · real-time
inference

Custom on-device heuristic

Signals feed a lightweight AI model that runs directly on the Axon Agent. Classification is real-time, in-line, and doesn't send raw traffic anywhere.

Classifies as
  • instagram
  • googleapis · upload
  • netflix
  • youtube
  • spotify
  • whatsapp
  • apple · push
  • discord · voice
first handful of packets · per flow · no raw traffic leaves the agent
Worked example

Watch "QUIC" become Instagram, Google, and Apple.

When a new site comes online, the global classifier identifies the traffic using pre-trained models. As Axon observes more traffic at your site, any flows are resolved into generic buckets are marked and sent to the cloud for model retraining. The same flow that was "QUIC" in week one is "Instagram" or "Google API" by week three.

Week 01 · global model

Mostly "QUIC".

The top-applications chart is dominated by a single QUIC bar. The global classifier knows what protocol it is, but not yet which apps your users are running over it.

traffic / top applications · global model
live
Top applications chart with QUIC dominating
Week 01 · global model

Specific domains.

You are able to see the top domains for the traffic that is resolved into generic buckets ensuring that you are able to block the traffic to the domains that are not allowed from day one.

traffic / quic drill-down · top domains and clients
live
QUIC drill-down resolving into Instagram and Google domains
Per-site retraining

Models retrain in the cloud, over the private Axon VPN.

The on-device model gets better over time because we retrain it on the telemetry your own fleet produces. Retraining happens in the cloud (on our infrastructure) over the same private Axon VPN that every site is already connected to. Updated models are pushed back to the edge as signed deltas.

  • Telemetry travels inside the private VPN. Never publicly exposed.
  • Models are signed; the Axon Agent verifies the signature before hot-loading.
  • Operators control opt-in for global model contributions on a per-site basis.
CLOUD · MODEL RETRAININGper-site fine-tunesigned delta · ed25519PRIVATE AXON VPNtelemetry up · signed model downAGENT · SITE-1on-device modelhot-loadedAGENT · SITE-2on-device modelhot-loadedAGENT · SITE-3on-device modelhot-loaded▲ telemetry▼ signed modelnever publicly addressable
traffic / categories and top devices
live
Traffic by category. Web 64%, SocialNet 21%, Unspecified 14%.
From flows to decisions

Categories you can act on.

Once flows are classified into applications, Axon aggregates them into categories (Web, Social, Cloud, Streaming, Updates, and more) so policy can be written at the level operators actually think in. "Block social during school hours" is one rule, not fifty.

Custom categories let you split or merge those buckets per site. Tag a flow once, and the next retraining cycle teaches the model your site-specific taxonomy.

Want to see it on your own traffic?

Bring a site online in minutes and let our systems adapt to your traffic.

Book a demo Back to overview