The Zero-Trust Platform for AI Agents
Framework-agnostic. Pattern-agnostic. Sub-agent-level cryptographic identity. From source code to production in three commands.
$ hexr build my_agent.py --tenant acme-corp
✓ Detected: CrewAI orchestrator + 3 sub-agents
✓ SPIFFE identities assigned per process
$ hexr deploy --namespace production
✓ Live in 47 seconds
Not locked to AWS. Not limited to pods. Not another wrapper.
Built on Open Standards
See Hexr in Action
hexr build → hexr push → hexr deploy
Watch a full agent deployment from source to production — build, push, deploy — in under a minute.
14 Interconnected Innovations. One Platform.
Every capability is purpose-built and interconnected — identity flows into policy, policy governs the gateway, the gateway feeds observability. No bolted-on integrations.
Per-Process Identity
Unique SPIFFE IDs per process inside containers — not just pods. Pure userspace, no kernel modifications.
CLI Pipeline
Source-to-deployment in three commands. Auto-generates container images, K8s configs, identity mappings from your code.
Agent Discovery
AST-based engine detects agents across any Python framework — CrewAI, LangChain, Strands, or custom. Zero configuration.
Two-Stage Identity
Build-time markers + runtime attestation. Every agent holds a cryptographic identity before executing any logic.
Credential Cache
Three-tier JIT delivery: in-process (sub-ms) → distributed cache (1-3ms) → STS exchange. AWS, GCP, Azure.
Policy Engine
OPA Rego policies at every service boundary. Fail-closed enforcement. GitOps-driven. Full decision audit logging.
A2A Protocol
Purpose-built agent-to-agent communication. Durable task state, cooperative cancellation, real-time streaming — all over mTLS. Our own protocol, not a wrapper.
Vault
SPIFFE-native secrets. Zero API keys. AES-256-GCM encryption. Tenant + agent + path isolation via OPA.
LLM Observability
Complements existing LLM observability tools — we add the identity layer they lack. Per-process SPIFFE-attributed traces, per-agent cost tracking, and full OpenTelemetry spans any platform can consume.
Gateway
Converts OpenAPI v3 specs to MCP tools automatically. SPIFFE-authenticated tool invocations with semantic search.
Agent Detection & Response
Behavioral baselines via sliding-window analysis. Z-score anomaly detection. Lateral movement and privilege escalation tracking.
Deployment Models
One codebase, four targets: Fully Managed SaaS → Hybrid → Enterprise (BYOCA) → Air-Gapped. Progressive migration.
Coordination Analysis
Graph-based pattern detection at build time. Orchestrated, hierarchical, peer-to-peer, or mixed — auto-detected from source.
Sandbox & Browser Tools
Isolated execution via gVisor/micro-VMs for untrusted code. Headless Chromium automation. No credential leakage. Resource-limited.
One Codebase. Four Ways to Deploy.
Same agent code runs everywhere — from our managed cloud to your classified network.
SaaS
Best for startups and prototyping
Hexr-managed infrastructure. Fastest time to value. Zero operational overhead.
The Honest Comparison
Feature-for-feature against the alternatives. No hand-waving.
| Dimension | AWS AgentCore | Riptides | Hexr |
|---|---|---|---|
| Vendor Lock-in | AWS only | Cloud-agnostic | Cloud-agnostic |
| Air-Gapped Deploy | | | |
| Identity Granularity | Pod-level | Process (kernel) | Process (userspace) |
| Kernel Modifications | No | Required | No |
| Framework Support | Any | Limited | Any Python |
| Sub-Agent Identity | | | |
| Multi-Cloud Credentials | AWS only | Yes | AWS + GCP + Azure |
| Open Standards | Proprietary | Proprietary | SPIFFE, OPA, OTel |
| A2A Protocol | | | |