The Story
The Dissertation That Became a Company

The problem with enterprise networks is not that they are complicated. It is that nobody really knows
what they are doing at any given moment. A packet hits a router, takes a path through forty devices,
passes through firewall rules nobody has looked at in three years, and either arrives or doesn't. When
it doesn't, the outage hunt begins. Peyman Kazemian decided this was a mathematics problem disguised as
an engineering headache.
At Stanford, working under Prof. Nick McKeown - the same group that helped birth OpenFlow and
software-defined networking - Kazemian developed what he called Header Space Analysis. The idea was
precise and provocative: treat the set of all possible packet headers as a mathematical space.
Model every router, switch, and firewall as a geometric transformation in that space. Then, instead
of running packets through a network and watching what happens, you reason about the entire space of
possible behaviors - before any packet ever moves.
"Header Space Analysis: Static Checking for Networks" landed at NSDI 2012 - and quietly set off a
decade-long cascade of implications.
The paper introduced a framework that was, as its authors put it, "general and protocol-agnostic."
It did not care whether you were running MPLS, NAT, ACLs, or some combination of all three. It could
identify reachability failures, forwarding loops, and traffic isolation violations by static analysis
alone - the way a compiler flags bugs before you ever run code. A tool called Hassel translated real
Cisco router configurations into the math.
The following year, Kazemian returned to NSDI with a follow-up: NetPlumber. Where Header Space Analysis
was static, NetPlumber was real-time - a policy checking system that updated its analysis as the network
changed, running continuous verification at line speed. By 2013, Kazemian had his PhD and something
rarer: a research program that solved an actual industry problem.

From Dissertation to Deployment

Kazemian, David Erickson, Nikhil Handigol, and Brandon Heller had all been running OpenFlow deployments
at Stanford. They were not theorizing about network problems - they were fighting them, in production,
in real time. The four co-founded Forward Networks on July 23, 2013, immediately after graduation.
The company went into stealth and stayed there for three years.
During that period, Kazemian also worked at Google and Ericsson, and created and taught SDN Academy
courses. He was not retreating from the industry - he was studying it from the inside, learning where
the real pain lived before shipping a product to address it.
Forward Networks emerged from stealth in November 2016 with $16 million from DFJ and Andreessen Horowitz
in its pocket. The pitch was simple: Forward Enterprise builds a mathematically accurate digital twin
of your entire network - every device, every configuration, every path - and lets you query it like
a database. Before you push a change, you verify it. Before an auditor asks a question, you already
know the answer.

The Mathematics of Network Trust

What separates Header Space Analysis from prior network verification approaches is not cleverness - it
is rigor. Traditional network monitoring watches traffic. HSA models behavior. Rather than sampling what
packets do, it formally describes what packets can do, across every possible input. The difference matters
enormously in security contexts: an attacker does not follow the expected traffic pattern.
The framework represents packet headers as points in a high-dimensional binary space. Network devices
become transfer functions - mathematical objects that map header spaces to header spaces. Composing these
functions across a network topology produces a complete model of reachability. A firewall misconfiguration
that opens a path from the internet to a production database shows up as a reachable region in header
space - no packet required.
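
The idea in the paragraph above, as an added Python sketch (not code from the paper, from Hassel, or from Forward Networks). The 8-bit header layout, the device names `edge`, `fw`, `web`, `db` and every rule are constructed for illustration; header spaces are unions of wildcard strings over 0, 1 and x, and each rule table is a first-match transfer function.

```python
KEEP = "xxxxxxxx"  # rewrite pattern that leaves every bit unchanged

def intersect(a, b):
    """Intersection of two wildcard expressions over {0,1,x}; None if empty."""
    out = []
    for p, q in zip(a, b):
        if p != "x" and q != "x" and p != q:
            return None
        out.append(q if p == "x" else p)
    return "".join(out)

def subtract(a, b):
    """a minus b, returned as a list of disjoint wildcard expressions."""
    if intersect(a, b) is None:
        return [a]
    out, cur = [], list(a)
    for i, (p, q) in enumerate(zip(a, b)):
        if p == "x" and q != "x":
            piece = cur.copy()
            piece[i] = "1" if q == "0" else "0"
            out.append("".join(piece))
            cur[i] = q
    return out

def transfer(rules, space):
    """First-match rule table as a transfer function: space -> [(next_hop, space)]."""
    out = []
    for match, rw, nxt in rules:
        hit = [m for h in space if (m := intersect(h, match)) is not None]
        space = [r for h in space for r in subtract(h, match)]  # left for later rules
        if nxt is not None and hit:  # nxt None means drop
            new = ["".join(b if r == "x" else r for b, r in zip(h, rw)) for h in hit]
            out.append((nxt, new))
    return out

def reach(net, node, space, dst, path=()):
    """Header space (as seen on arrival) that can get from node to dst."""
    if node == dst:
        return list(space)
    if node in path:  # forwarding loop: stop exploring
        return []
    return [h for nxt, sp in transfer(net.get(node, []), space)
            for h in reach(net, nxt, sp, dst, path + (node,))]

def contains(space, header):
    return any(intersect(h, header) is not None for h in space)

# Constructed header: bits 0-3 destination, bits 4-7 service.
EDGE = [("0001xxxx", "1010xxxx", "fw"), ("0010xxxx", KEEP, "web")]  # NAT to DB subnet
FW_OK = [("10100011", KEEP, None), ("1010xxxx", KEEP, "db")]  # deny admin service
FW_BAD = [("1010xx11", KEEP, "db")] + FW_OK  # stale permit shadows the deny

def db_exposure(fw_rules):
    return reach({"edge": EDGE, "fw": fw_rules}, "edge", ["xxxxxxxx"], "db")
```

With `FW_BAD`, the denied header `10100011` appears inside the region returned by `db_exposure`, which is the misconfiguration surfacing as reachable header space without any packet being sent.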
Forward Networks' commercial platform extends this foundation into cloud and multi-vendor environments,
adding AI-enhanced query capabilities and supporting more than 30 network vendors. The customer list now
includes PayPal, Ubisoft, Telstra, Goldman Sachs, and a range of U.S. government agencies. Fortune 50
companies trust it for compliance auditing; federal agencies use it for security posture management.
The claim - 80% reduction in audit time - is the kind of number that gets CISOs on calls.

Twelve Years and a Test-of-Time Award

In 2024, the USENIX NSDI conference gave Kazemian, George Varghese (UCSD), and Nick McKeown the
Test-of-Time Award for the original Header Space Analysis paper. The award goes to research that has
had the most lasting impact over a decade or more. The irony is not subtle: the work won a
"test-of-time" award while the company built on it was busy selling to enterprise networks in 2024.
The paper did not just survive the decade - it drove an entire commercial category.
The January 2023 Series D - $50 million led by MSD Partners, alongside Section 32, Omega Venture Partners,
Goldman Sachs Asset Management, Threshold Ventures, and Andreessen Horowitz - brought Forward Networks'
total funding past $140 million. The round closed after a six-month process, in a market that had turned
cold for enterprise SaaS. The company's 96% retention rate and 139% ARR growth were the argument.

Background: From Tehran to Stanford

Kazemian completed his undergraduate degree in Electrical Engineering at Sharif University of Technology
in Tehran in 2007 - one of the most selective technical universities in Iran. He then moved to Stanford,
joining the McKeown Group, the research lab that was simultaneously building OpenFlow and helping define
what software-defined networking would become. He was in the room where it happened, and he had his own
contribution to make to it.
The combination - mathematical rigor from an elite engineering program, exposure to systems research
at the frontier of networking, and direct experience running production SDN deployments - produced
someone who understood both the theoretical and operational dimensions of network verification. That
intersection is exactly where Forward Networks' technology lives.

What Forward Networks Actually Does

Think of Forward Enterprise as a flight simulator for your network. You import device configurations
and operational state. The platform builds a mathematical model - a digital twin - that accurately
reflects what your network will do to any given packet. You can then query this model: "Can a host
on this segment reach this database?" "Does this change introduce a new attack path?" "Which devices
have configurations that deviate from our standard baseline?"
The twin updates as the network changes. When you push a config change, the model updates and re-runs
all your verification checks. When an auditor needs a compliance report, the platform generates it
from current network state - not from a documentation spreadsheet that may be months out of date.
The platform also identifies attack surface exposure, tracks vulnerability locations, and automates
change control workflows.
In an era where enterprise networks span on-premises hardware, multiple cloud providers, and dozens
of vendor ecosystems, the value of a single mathematically consistent model becomes hard to overstate.
Kazemian's dissertation showed it was possible. Forward Networks is showing, at scale, that it is
practical.