
Announcing the TP-Link integration for Sia

Today we are shipping the TP-Link integration for Sia. SIA, Scogo's IT-operations agent, now brings up and verifies TP-Link enterprise gear from a single instruction, across three surfaces: browser automation, CLI, and API via MCP. We proved it on roughly a thousand branch routers, configured site to site on real ER605 hardware, with no engineer driving the web UI. One instruction in. A configured, verified router out.
The news is bigger than one vendor.
We are building toward one agent that configures, verifies, and governs every device in your estate. Any OEM, any product, the whole estate, on the record. TP-Link is the first vendor we are putting our name behind. It will not be the last, and we are shipping each one the same way: proven at fleet scale before we announce it.
So read this as more than a feature. We are not adding another console to your stack. We are taking them away. Every integration we ship is one more class of gear your team stops clicking through by hand, and one more reason the work moves to Sia and stays there.
This post is for the people who run these networks: the L1 techs onboarding hardware, the L2 engineers chasing tunnels that won't come up, the L3 architects who own the fleet. Here is what just changed for you.
Why branch networks resisted automation this long
Branch network gear is repetitive to configure and unforgiving to get wrong.
A regional retailer, a bank, a logistics chain: they all have the same shape. Hundreds or thousands of near-identical sites, each needing the same router brought up the same way. Login, WAN, internet check, site-to-site IPSec VPN, LAN, DHCP. Miss one value and a branch goes dark.
The web UIs make it worse, not better. TP-Link's standalone firmware (the ER605 LuCI interface, for example) is a dense jQuery app. Element IDs renumber between page loads. Key settings hide behind an "Advanced" toggle. The session token never sits in the URL.
We tried the obvious shortcut first. Point a general-purpose LLM at the live UI and let it click. One run burned through millions of tokens and still didn't finish cleanly. Clicking a hostile UI by hand does not scale to a fleet, whether the hand is human or model.
So we stopped clicking. Then we built the thing that does scale, and we ran it across a thousand routers to be sure.
How Sia drives TP-Link
Three ways in, one engine behind them.
Browser automation. Sia opens a real Chrome, logs in, and drives the device's own web UI, including the parts no public API exposes.
CLI.
sia browser,sia run, recipes, and secret brokering, scriptable into the tooling you already run.API via MCP. The same capabilities exposed as tools to any MCP-compatible agent or orchestrator, so Sia plugs into the automation you already have.
The piece that makes a fleet practical is record once, replay everywhere.
You configure one golden unit by hand. Sia captures the device's own authenticated configuration calls and turns them into a parameterized recipe. Per-site values become variables. Credentials become secret placeholders that never touch a log.
Then you replay that recipe across every other site from a one-row-per-site CSV. No per-device clicking. No per-device LLM cost. The same config, applied identically, every time.
Built for people who have been burned by automation
Every rollout runs through verification gates with explicit stop codes: WAN_NO_IP, VPN_DOWN, LAN_RECONNECT_FAILED. If a gate fails, Sia stops, reports exactly what it saw, and changes nothing further.
It never factory-resets. It never reuses another site's values. It never prints a PSK or an admin password.
This is automation with a seatbelt, not click-and-pray. It is the difference between a demo and something you let near a thousand production sites.
What you can automate, by tier
The integration targets TP-Link's enterprise lines: the ER-series gateways , JetStream switches, and EAP/Omada access points. Here it is mapped to how NetOps actually divides the work. BTW, SIA is intelligent and is not hardwired with any model type, you just throw any TP-Link device at it , which has a web / CLI / API surface, SIA has got you covered.
L1: routine, high-volume onboarding
Task | What Sia does |
|---|---|
Factory-fresh onboarding | Creates the admin account, sets hostname, time/NTP, DNS |
WAN bring-up | DHCP / PPPoE / static, then verifies the link is live |
LAN + DHCP | Subnet, scope, reservations, IP-MAC binding |
Wi-Fi provisioning | SSID + PSK rollout across an EAP fleet |
Switch basics | Port enable/disable, PoE toggle, VLAN assignment |
Housekeeping | Firmware check/upgrade, config backup/restore, reboot, password rotation |
Health checks | WAN status, client count, PoE budget, link state |
L2: configuration and troubleshooting
Task | What Sia does |
|---|---|
Site-to-site IPSec VPN | Policy, Phase 1, Phase 2, then confirms the tunnel is actually up (shipping today) |
Remote-access VPN | OpenVPN / L2TP client and server setup |
Routing & segmentation | Inter-VLAN routing, static routes, 802.1Q trunks, link aggregation |
Security | Firewall rules, ACLs, port forwarding, NAT, DMZ |
Traffic | QoS, bandwidth control, captive portal / guest networks |
Diagnostics | Ping and traceroute across the tunnel, tunnel-status verification, log capture |
L3: design, scale, and governance
Task | What Sia does |
|---|---|
Fleet rollout | Record one golden config, replay across N sites from a CSV |
Multi-site VPN | Hub-and-spoke and mesh provisioning at scale |
Standardization | Golden-config management, drift detection, compliance audits |
Zero-touch workflows | Ticket → configure → verify → close, wired into your ITSM |
Change discipline | Templated deploys with per-site variables, secret brokering, verification gates, clean stop-on-failure |
Controller orchestration | Omada adoption and provisioning workflows |
Site-to-site IPSec VPN is generally available today, proven on real ER605 hardware at fleet scale. The rest of the matrix is what the same three surfaces, browser, CLI, and MCP, are built to drive, and what we are rolling out next.
The flagship: a verified VPN site, end to end
Here is the deployment that shipped, exactly as it runs. Watch a full site come up on real ER605 hardware, from a factory-fresh router to a verified tunnel, with no engineer touching the web UI. The step-by-step below annotates what you are seeing.
No cuts, no speed-up on the parts that matter. One instruction in, a configured and verified router out.
Now the same deployment, step by step.
Log in. Sia opens the router, creates the admin account on a factory-fresh unit or logs in, and lands on the dashboard.
WAN. Sets Dynamic IP, waits for a WAN address, retries if needed.
Verify internet. Pings
8.8.8.8and a hostname, which proves DNS too.Replay the config. Re-issues the recorded IPSec, LAN, and DHCP calls for this site's variables, deterministically, in seconds.
Reconnect. The LAN-IP change drops the laptop's link. Sia renews the lease, moves into the new subnet, and re-points to the router's new address. This is the detail most demos quietly skip.
Verify the tunnel. Confirms Phase 1 and Phase 2 are Connected and that traffic crosses the tunnel.
Report. Prints a deployment checklist: WAN, internet, LAN, VPN policy, both phases up.
The operator's entire job is to hand Sia the site details. The PSK and admin password live in the OS keychain and are referenced by name. They never appear in the prompt, the transcript, or the logs.
What this does to the work
The work does not disappear. It moves up a level.
Instead of an L1 tech walking a checklist per site, an agent executes the checklist and an engineer reviews exceptions.
Instead of an L2 engineer reverse-engineering why a tunnel won't form, the agent reports the exact failing gate.
Instead of an L3 architect hoping every site matches the standard, the standard is the recipe, applied identically and verified.
Rollouts get faster and config drift gets rarer, because the same recipe enforces the same standard at every site. Engineers spend their time on the hard cases instead of the repetitive ones.
Why we are naming OEMs one at a time
TP-Link is one box. The estate is everything else: the firewalls, the switches, the access points, the servers, the cloud accounts, the storage, the service desk. Scogo already reaches across that estate through Agent Fabric. What we are doing now is going vendor by vendor and proving Sia can drive each one to fleet scale, then putting our name on it.
That is the whole strategy, stated plainly. Every named integration takes a class of gear off your team's hands and makes Sia the place that work runs. We would rather earn that one proven OEM at a time than claim a logo wall we cannot stand behind.
TP-Link is first. We are already working the next ones, and we will announce them the same way: at fleet scale, on real hardware, or not at all.
Availability
The TP-Link integration is in Sia now, with site-to-site IPSec VPN generally available and the broader task matrix rolling out. We deliver Sia as part of the Scogo platform to enterprise customers, so there is no public download.
If you run TP-Link enterprise gear at scale, branch routers, switches, or access points, we want to put it in front of your fleet. If you run a different vendor and want to be early on the next integration, tell us which one.
Autonomous where it is safe, governed where it matters, on the record everywhere.

Written by
Karan Singh
Co-founder & CTO
Published on


