Network Security Access Policy That Can Prevent Incidents

Imagine if you could ensure connectivity and network access policy invariants are maintained for your entire network - multi-vendor, cloud, and on-premise - before making any change to the network. Invariant uses the Batfish offline digital twin system to predict the impact of changes to ACL, OSPF, BGP, VLAN and more.

Invariant is designed for rapid onboarding and offers incremental value as you use the system more. It supports a wide range of network device vendors (including AWS network devices) and offers flexible pricing options.

Fast Facts

Invariant can check your work right from your command line.

Invariant requires no access to your network and only needs up-to-date device configuration files (e.g. show config).

Invariant in 3 steps.

You can create an Invariant account right now. Follow this outline to unlock Invariant’s powerful analysis capabilities.

Step one

Collect Network Device Configs

  • You may already have a script that collects network device configs in a single folder or version control repository. Tools like Rancid, Oxidized, Nornir, Netmiko can help.
  • You only need to collect start-up configuration information. You do not need to run “show routes” or other commands.
  • You do not need to grant Invariant any access to your network or install any local agent.
Step two

Run Invariant

  • Create an account and download the Invariant CLI.
  • Create a folder named “configs” and copy your device configs into it.
  • Type “invariant login” then “invariant run” to get started.
Step three

Dive deep

  • Invariant will produce various fact tables about your network.
  • Your initial run will include connectivity analysis and inconsistent traffic analysis.
  • Build out critical flow policies and access control policies using YAML. Invariant will search deeply for any case where a critical flow could be denied or dropped or an access control policy could be violated.
Step four

Monitor and protect

  • Invariant can monitor a git repository containing your network device configs.
  • Easily update policies using YAML-based network definitions.
  • Build automation around the Invariant CLI.

Discover the possibilities of invariant

From network automation to security and compliance. Below you'll discover how Invariant can fit into your into your organisation.

Digital Twin

Easily create a digital twin of your entire network including both on-premise and cloud.

Multi-vendor + Cloud

We support multiple vendors including Cisco, Juniper, AWS, Palo Alto and more!

No Setup Time

Invariant only needs your network configurations to get started.

Invariant is a vendor-agnostic system that understands network config files for Cisco, Juniper, Palo Alto, other on-premise network vendors, and AWS. It is not tied to any particular vendor.

Invariant validates critical flows and connectivity in your network using a detailed digital model created from those config files. You can run any proposed change to your network configs through Invariant to gain confidence that some unforeseen issue is not about to lead to an accident that impacts your business.

As opposed to other solutions, there is no need to set up new servers or provide access to new services. Invariant only needs copies of your network configuration files to create a detailed model of your network. You can get significant value from Invariant on “day zero”.

Network Security Policy

Our policy language allows for coarse and fine grained control across the entire network.

Delegate Authority

Maintain central policies while delegating some authority.

Track Historical Changes

Invariant allows you to look back at previous snapshots to determine when your network got out of compliance.

Invariant unlocks an entirely new way to manage risk and enforce policy in perimeter-based network security access control. It understands your real network as it exists today and you can get started immediately - you do not need to set up new servers, rewrite ACLs, or give any network credentials to Invariant.

Invariant’s network security policies apply to the whole network. You can create rules that encapsulate and protect ingress and egress for specific VLANs or subnets, or you can explicitly identify traffic that should never be permitted in the network. You can use Invariant policies to create zone-zone rules or protect VLANs from exposure to the internet.

Invariant security policies are designed with delegation in mind. Your central network security team can define broad policy for the network while VLAN-specific details can be managed in separate files.

Policy enforcement can occur before any change goes out. Invariant does not need changes to be deployed, it can analyze proposed changes directly. It can also take into consideration the impact of changes to the network itself, for example if a network interface is added to a VLAN and that interface has an out-of-date ACL, Invariant will spot the issue.

Policy checks can also be made on historical network snapshots, and these snapshots are cheap to capture, so you can track down exactly when a problem was introduced.

CLI, SDK, and API provided

Use our provided tools to help automate your network.

DevOps workflows

Support a DevOps workstyle via github integration.

We conceived of Invariant with network automation at the forefront. Every action you can take can be controlled via our CLI, SDK, or API. This gives all the power to our users to integrate Invariant into their daily workflows. 

Invariant can be used as a standalone CLI tool for a network operator to validate their changes before doing manual pushes. It can also be used as part of a CI/CD pipeline that tests multiple teams policies and critical flows for compliance across a complex hybrid network. The 

Invariant is designed with network automation in mind. You can use it as a protection tool, or a source of information.

Easily incorporate Invariant into your automation workflow. Block or flag changes that would break a critical flow:

` invariant show critical_flows_violations --json ‘

Block or flag changes that would violate network access policy:

` invariant show policy_violations --json ‘

Block or flag changes that would introduce an inconsistent traffic flow (accepted or not depending on the path taken through the network):

` invariant show subnet_multipath --json ‘

Observe connectivity probe status changes:

invariant show probes --json > current-probe-status.json
diff current-probe-status.json expected-probe-status.json

Use Invariant to collect facts about the network and use that in your automation workflow.

` invariant show policy_violations --json ‘

Building on great foundations

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.


Sample text


Sample text


Sample text


Sample text

Invariant was initially conceived as a synthesis of two open-source projects: the Batfish digital twin and Aerleon, a fork of Capirca ACL generator. The Invariant team has its roots in open source network automation with Capirca and Aerleon.

Aerleon lets users write ACLs using its vendor-agnostic ACL meta-language and generate a wide range of vendor ACLs.

Invariant natively supports Aerleon network and service definition files. The Invariant policy authoring experience is similar to writing an Aerleon policy as it also uses these network and service definitions.

Simplify your network security. Start today.

Invariant is designed for rapid onboarding and offers incremental value as you use the system more. Create your account today.