UC Launch Spring 2026 Cohort — Private Beta Open

Zero-Trust Runtime for AI Agents

Ship AI agents into production without failing your SOC 2 or HIPAA audit. Framework-agnostic. Sub-agent level cryptographic identity. Open standards.

Any FrameworkAny Agentic PatternSub-Agent SPIFFE IdentityA2A ProtocolSandboxed ExecutionSOC 2 & HIPAA Ready
Start Building Watch Overview

90-second platform overview with narration

Per-Process

SPIFFE Identity

< 50s

Source → Production

4 Models

SaaS to Air-Gapped

Not locked to AWS. Not limited to pods. Not another wrapper.

Built on Open Standards

SPIFFE
CNCF
Kubernetes
OpenTelemetry
Envoy
OPA

How It Works

Three perspectives, one platform. Pick a topic.

Source to production in under 50 seconds. Three CLI commands, per-process cryptographic identity, and live observability — the complete runtime pipeline.

Purpose-Built Capabilities. One Platform.

Every capability is interconnected: identity flows into policy, policy governs the gateway, the gateway feeds observability. No bolted-on integrations.

Per-Process Identity

Unique SPIFFE IDs per process inside containers, not just pods. Pure userspace, no kernel modifications.

CLI Pipeline

Source-to-deployment in three commands. Auto-generates container images, K8s configs, identity mappings from your code.

Credential Cache

Multi-level cache: in-process (<1ms), distributed cluster (1-3ms), cloud exchange. Proactive background refresh. Per-process isolation. Zero-latency hexr_tool() calls.

Policy Engine

OPA Rego policies at every service boundary. Fail-closed enforcement. GitOps-driven. Full decision audit logging.

A2A Protocol

Purpose-built agent-to-agent communication. Durable task state, cooperative cancellation, real-time streaming, all over mTLS. Our own protocol, not a wrapper.

Vault

SPIFFE-native secrets. Zero API keys. AES-256-GCM encryption. Tenant + agent + path isolation via OPA.

LLM Observability

Complements existing LLM observability tools by adding the identity layer they lack. Per-process SPIFFE-attributed traces, per-agent cost tracking, and full OpenTelemetry spans any platform can consume.

Framework Detection

AST-based engine detects agents across any Python framework: CrewAI, LangChain, Strands, or custom. Zero configuration.

Gateway

Converts OpenAPI v3 specs to MCP tools automatically. SPIFFE-authenticated tool invocations with semantic search.

Agent Detection & Response

Behavioral baselines via sliding-window analysis. Z-score anomaly detection. Lateral movement and privilege escalation tracking.

Deployment Models

One codebase, four targets: Fully Managed SaaS → Hybrid → Enterprise (BYOCA) → Air-Gapped. Progressive migration.

Sandbox & Browser Tools

Isolated execution via gVisor/micro-VMs for untrusted code. Headless Chromium automation. No credential leakage. Resource-limited.

Identity Graph

Real-time visualization of agent relationships, trust chains, and communication paths. Instant attack surface mapping.

Topology Analysis

AST-based pattern detection at build time. Orchestrated, hierarchical, peer-to-peer, or mixed topologies identified automatically from source.

Audit-Ready Policies

Pre-built OPA/Rego templates mapped to SOC 2 Type II, NIST 800-53, ISO 27001, PCI DSS, and EU AI Act. Deploy entire frameworks in one click.

Policy Staging

Three-stage rollout: Simulate, Audit, Enforce. Test policies against live traffic, catch false positives, then enforce. Instant rollback.

One Codebase. Four Ways to Deploy.

Same agent code runs everywhere, from our managed cloud to your classified network.

SaaS

Best for startups and prototyping

Hexr-managed infrastructure. Fastest time to value. Zero operational overhead.

The Honest Comparison

Feature-for-feature against the alternatives. No hand-waving.

DimensionAWS AgentCoreRiptidesHexr
Vendor Lock-inAWS onlyCloud-agnosticCloud-agnostic
Air-Gapped Deploy
Identity GranularityPod-levelProcess (kernel)Process (userspace)
Kernel ModificationsNoRequiredNo
Framework SupportAnyLimitedAny Python
Sub-Agent Identity
Multi-Cloud CredentialsAWS onlyYesAWS + GCP + Azure
Open StandardsProprietaryProprietarySPIFFE, OPA, OTel
A2A Protocol
UC LaunchSpring 2026 Cohort

Join the Private Beta

Open standards. No lock-in. Production-grade from day one.

No credit card required. Early access for qualified teams.