Case studies — Zsub in practice

Two organizations,
one network model

Zsub scales from a founding team to a governed enterprise without changing the underlying protocol. These two cases show what that looks like in practice — and how it compares to reaching for Tailscale instead.

Case 01

Meridian Labs

12-person biotech startup — founding team, a handful of engineers, external collaborators

The organization

Meridian Labs is twelve people: three co-founders, five engineers, a regulatory affairs specialist, an operations lead, and two external research collaborators on ongoing contracts. They handle sensitive compound data, communicate with contract research organizations, and are preparing for their first IND filing. They need internal network security that they don't have to think about constantly — but they also can't afford the kind of drift where a departing contractor still has access to something three months later.

For a team this size, Zsub's governance structure is as light as they want to make it. The CTO generates the anchor and mints the config in an afternoon. There is no board multisig, no quarterly ceremony — just a founder who holds the root key and is accountable for what the network says. That is a choice, and an appropriate one for twelve people who all know each other.

Meridian Labs — trust hierarchy

Anchor

CTO — holds the anchor. Mints the config. Single keyholder; a second founder co-signs if the team decides they want that later.

governance root

Founders

CEO, CSO — attested directly by the anchor. The CSO heads the research chain; the CEO has exec-level access to everything.

role=exec

Engineering

5 engineers — attested by the CTO directly. No intermediate manager layer needed at this size.

dept=eng

Research

CSO + regulatory affairs — attested by the CSO. Access to compound data, regulatory documents, CRO communications.

dept=research

Operations

Operations lead — attested by CEO. Access to financials, vendor contracts, HR records.

dept=ops

Collaborators

2 external researchers — attested by the CTO with 7-day renewable credentials, scoped to shared research data only. Trust does not flow through them.

status=contractor

Setup

The CTO spends an afternoon on the config. The lexicon is small — Meridian doesn't need a 30-property vocabulary. Five properties cover everything they need.

// NetworkConfig — Meridian Labs
// Signed: CTO anchor key. Valid 180 days.

network     "meridian"
expiry      2026-01-15T00:00:00Z
anchors     [ cto_key ]

lexicon
  dept      eng · research · ops · exec
  role      ic · lead · exec
  status    active · contractor
  clearance standard · restricted
  handle    (variable string)

challenge policies
  "internal"    status=active
  "research"    dept∈{research,exec} + status=active
  "compound"    dept=research + status=active
                // + parallel chain: clearance=restricted
  "collab"      status=contractor
                // shared data room only; no internal access

With the config minted, rollout is one all-hands meeting. The CTO has everyone install the client, generates seeds on a SeedSigner for anyone who doesn't have one, and spends fifteen minutes going around the room doing taps. Engineers tap the CTO. The CSO taps the CTO. The ops lead taps the CEO. The collaborators tap the CTO and get scoped credentials. By the time the meeting ends, the network exists.

Servers — a small compute instance and a data store — are provisioned the same afternoon. The CTO installs the client, establishes the peering relationship, and attests the machines into the engineering org. Challenge requirements go on the service keys. That's the deployment.

What Meridian gets

The access boundaries follow directly from the org structure Meridian described in the config. Researchers can reach compound data; engineers cannot. The ops lead can reach financials; she cannot reach the lab. External collaborators can reach the shared data room and nothing else. None of this required writing rules — it followed from who people are and where they sit.

When one of the external collaborators wraps up their engagement, the CTO stops renewing their 7-day attestation. Their access expires at the end of the current window without any deprovisioning step. When the regulatory affairs specialist joins full-time and moves from contractor to employee, the CTO issues a new attestation with status=active and the appropriate clearance. The old contractor attestation expires. Done.

How this compares to Tailscale

Getting started

Tailscale's SSO login path is fast if you already have Google Workspace or Okta configured. Meridian probably does. For initial setup, Tailscale is modestly simpler — the config afternoon and seed generation ceremony have no direct equivalent. But it's an afternoon, not a project.

ACL authoring

Tailscale requires an ACL file that segments access between research, engineering, and ops. It's not complex for twelve people — but it is something to write, maintain, and keep in sync as the team grows. Zsub doesn't have an ACL file. The org structure and the access structure are the same thing.

External collaborators

Tailscale handles external users through guest access or device approval flows tied to their identity provider. It works, but the scoping is coarser than Meridian needs. Zsub's contractor attestation is narrower by construction — the collaborators literally cannot produce the chain fields that internal services require.

Vendor dependency

Tailscale controls Meridian's network coordination. If Tailscale has an outage, changes pricing, or is acquired, Meridian has a problem. For sensitive compound data and an IND filing in process, that dependency is worth taking seriously. Zsub has no coordination server. The network is the relationships between the participants.

Case 02

Arcturus Systems

200-person B2B SaaS company — engineering, GTM, finance, legal, and a board that takes governance seriously

The organization

Arcturus Systems is a 200-person B2B software company with the structure you'd recognize: Engineering, Product, Sales, Finance, Legal, HR, and an IT/Security team that does the practical work of running the network. At this scale, access management has real organizational weight — a terminated employee who still has access is a liability, a contractor who can reach systems they shouldn't is an audit finding, and the people who administer access are themselves an attack surface.

Arcturus has chosen a governance structure that reflects their maturity. The anchor is a board-level multisig — three board members plus the CEO must co-sign any NetworkConfig. This is a deliberate organizational choice, not something the protocol requires. It means that changing the network's fundamental structure requires the same group of people who would authorize any other significant corporate action. The quarterly signing cadence is a scheduled governance event, not an IT task.

Arcturus Systems — trust hierarchy

Anchor

Board multisig — including CEO. Mints and signs the NetworkConfig quarterly. No individual can act alone.

governance root

C-Suite

CEO, CTO, CFO, General Counsel, VP People — attested directly by the anchor. Each heads a chain of accountability below them.

role=exec

Engineering

~90 people. CTO → Engineering Managers → Backend (30), Frontend (25), Infra (12), QA (10), Security (5), Data (8). Servers sit here too — under the CTO's accountability, provisioned by IT/Security.

dept=eng

GTM

~50 people. VP Sales → AEs, SDRs. VP Marketing → Content, Demand Gen. Customer Success.

dept=sales / cs

Finance & Legal

~15 people. CFO → Controllers, FP&A. General Counsel → Lawyers, Compliance.

dept=finance / legal

HR & IT/Sec

~20 people. VP People → HR Business Partners, Recruiting. IT/Security (6) — responsible for network operations, but organizationally under the C-suite like everyone else.

dept=hr / itsec

Contractors

~15 active. Attested by IT/Security with scoped, short-lived credentials. Trust does not flow through them.

status=contractor

Getting started

Before anyone installs anything, IT/Security and the board work through the organizational model: who is in the network, what properties matter, what each service will require. This produces a NetworkConfig — an anchor-signed document that every participant holds.

// NetworkConfig — Arcturus Systems
// Signed: board multisig (3-of-4). Valid 90 days.

network     "arcturus"
expiry      2025-09-30T00:00:00Z
anchors     [ board_key_A, board_key_B, board_key_C, ceo_key ]

lexicon
  dept      eng · product · sales · cs · finance · legal · hr · itsec · exec
  role      ic · lead · manager · director · vp · exec
  team      backend · frontend · infra · qa · security · data
  status    active · contractor · leave
  clearance standard · elevated · restricted
  handle    (variable string)
  svc_class gateway · datastore · compute · cache · monitor
  svc_scope global · eng · finance · hr · itsec

challenge policies
  "wiki"        status=active | status=contractor
  "eng"         dept=eng + status=active
  "crm"         dept∈{sales,cs,marketing} + status=active
  "infra"       dept=eng + team=infra + status=active
                // + parallel chain: clearance=elevated
  "payroll"     dept=finance + status=active
                // + parallel chain: clearance=restricted
  "svc-eng"     svc_class=compute + svc_scope=eng

Rollout proceeds top-down through the org over a week of IT-run onboarding sessions, department by department. Each person installs the client, generates their seed, and taps with their manager. The config propagates over that link. The manager issues an attestation offer. By the time IT reaches individual contributors, the chain above them is already in place — their tap completes it.

Board & IT/Sec

Mint the config Board members co-sign the NetworkConfig. IT/Security distributes it to the C-suite as the first participants.

C-Suite

Install, receive anchor attestation Each executive installs the client, generates their seed, receives an attestation placing them at the head of their department chain.

Managers → ICs

Tap down the org Each person taps with their manager. The config arrives. The manager issues an attestation offer. Repeated down every chain until everyone is in the network.

IT/Security

Provision servers Each service host is peered with IT/Security and attested into the engineering org under the CTO. Challenge requirements are set as metadata on the service keys.

The board multisig and quarterly cadence are organizational choices Arcturus made — they are not requirements of the protocol. A company at this size that wanted lighter governance could have the CTO hold the anchor alone, the same as Meridian's CTO does. The protocol accommodates both. What changes between the two cases is the governance structure the organization chooses to put on top, not the underlying network model.

Trust chains

A trust chain is the accumulated record of attestations from the anchor to a person or service. Each hop adds claims about who you are and where you sit in the org. A service checks whether your accumulated claims satisfy its requirements — and either admits you or doesn't.

A backend engineer

Anchorboard multisig

→

CTO+dept=eng, role=exec

→

Eng Manager+role=manager

→

Priya+role=ic, team=backend

→

Status service+status=active

An infra lead — parallel chains for elevated clearance

Anchor

→

CTO+dept=eng, role=exec

→

Eng Manager+role=manager

→

Dev+role=lead, team=infra

→

Status service+status=active

+ parallel chain issued by IT/Security:

Anchor

→

IT/Security+dept=itsec, role=manager

→

Dev+clearance=elevated

A production server

Servers are not a special case. A machine's trust traces back through the humans accountable for it. There are no service accounts or shared secrets — just another chain in the same hierarchy.

Anchor

→

CTO+dept=eng, role=exec

→

IT/Security+role=manager

→

app-server-07+svc_class=compute, svc_scope=eng

Services and what they require

Service	Who can access	Challenge requirement
Internal wiki	All active employees and contractors	`status=active` or `status=contractor`
Source code	Engineering dept	`dept=eng + status=active`
CRM	Sales, CS, Marketing; exec read-all	`dept∈{sales,cs,marketing} + status=active` or `role=exec + status=active`
Production infra	Infra team with elevated clearance	`dept=eng + team=infra + status=active` and parallel: `clearance=elevated`
Payroll / HRIS	Finance dept only; never contractors	`dept=finance + status=active` and parallel: `clearance=restricted`
App server → eng datastore	Engineering compute (service-to-service)	`svc_class=compute + svc_scope=eng`

There is no ACL file behind this table. A finance employee trying to reach the source code service simply cannot prove they belong there. The access model is a mathematical property of the org.

The moments that matter

A new hire

Leila Osei — backend engineer, day one

Leila generates her seed on a SeedSigner during IT onboarding. Her keys are derived and loaded onto her laptop. Nobody holds a copy.

She taps phones with her manager. A dedicated keypair is established on each side. The current NetworkConfig arrives over that link. She is in the network.

Her manager issues an attestation offer placing Leila in the backend team. Because the manager's own chain already carries the engineering department context from the CTO, Leila's credentials reflect her full place in the org without any extra steps.

The status service sees her HRIS record go active and begins issuing status=active every four hours. She can now reach every service her chain satisfies — and nothing she shouldn't.

A termination

Involuntary offboarding

HR marks the record inactive in HRIS. This is the only required action.

The status service stops issuing status=active. Existing attestations expire within four hours. Every meaningful service closes automatically. No administrator touches a policy.

What changes, and what doesn't

At Arcturus's scale, the difference is most visible not at deployment but over time. A conventional system at 200 people accumulates years of policy drift: groups that reflect an old org structure, permissions that outlived the roles that justified them, access reviews that find things nobody remembers creating. Zsub's access picture at year three looks like the org at year three, because it always has.

Conventional model

Access policy approximates org structure and must be kept in sync manually
Every org change is a maintenance event in the policy layer
Drift is silent — stale permissions look like correct ones
Admins who can modify policy are a privileged attack surface
Offboarding is a checklist of accounts and groups to deprovision
Access reviews routinely find permissions that outlived the roles that justified them

Zsub model

Access is a property of real relationships — the org and the access model are the same thing
Org changes propagate naturally as attestations are renewed or updated
There is no separate policy layer to go stale
Nobody administers access, so nobody can be socially engineered into granting it
Offboarding is one HRIS change; access closes within hours automatically
The access picture at any moment reflects the org at that moment

How this compares to Tailscale

Initial deployment

Tailscale at 200 people is not a five-minute setup. ACL authoring for meaningful segmentation — separating engineering, finance, and sales, scoping contractor access — takes real thought and real time, the same as Zsub's config and lexicon design. The initial effort is comparable. Anyone telling you otherwise is describing their demo, not their production deployment.

Ongoing operations

Tailscale ACL files drift. Groups accumulate. At 200 people over two years, you will find permissions that nobody remembers creating and that no longer reflect the org. Zsub's ongoing operational burden is lower — offboarding is automatic, org changes propagate through re-attestation, and there is no policy layer to audit separately from the org itself.

The admin surface

In a Tailscale deployment, the people who can edit the ACL file can grant access to anything. That's a social engineering target. In Zsub, nobody administers access — the access model is the org, and it changes when the org changes. There is no policy file for an admin to update, get wrong, or be manipulated into editing.

Vendor dependency

Tailscale's coordination servers are in the path of your network. A Tailscale outage, acquisition, or pricing change is Arcturus's problem. Zsub has no coordination dependency. The network is peer-to-peer; the trust is cryptographic. No vendor can revoke it.