UC Launch Spring 2026 Cohort — Private Beta Open

Zero-Trust Runtime for AI Agents

Ship AI agents into production without failing your SOC 2 or HIPAA audit. Framework-agnostic. Sub-agent level cryptographic identity. Open standards.

Any FrameworkAny Agentic PatternSub-Agent SPIFFE IdentityA2A ProtocolSandboxed ExecutionSOC 2 & HIPAA Ready
Start Building Watch Demo
terminal

$ hexr build my_agent.py --tenant acme-corp

✓ Detected: CrewAI orchestrator + 3 sub-agents

✓ SPIFFE identities assigned per process

$ hexr deploy --namespace production

✓ Live in 47 seconds

Per-Process

SPIFFE Identity

< 50s

Source → Production

4 Models

SaaS to Air-Gapped

Not locked to AWS. Not limited to pods. Not another wrapper.

Built on Open Standards

SPIFFE
CNCF
Kubernetes
OpenTelemetry
Envoy
OPA

See Hexr in Action

Three demos, one platform. Choose your view.

hexr build → hexr push → hexr deploy

Watch a full agent deployment from source to production (build, push, deploy) in under a minute.

Purpose-Built Capabilities. One Platform.

Every capability is interconnected: identity flows into policy, policy governs the gateway, the gateway feeds observability. No bolted-on integrations.

Per-Process Identity

Unique SPIFFE IDs per process inside containers, not just pods. Pure userspace, no kernel modifications.

CLI Pipeline

Source-to-deployment in three commands. Auto-generates container images, K8s configs, identity mappings from your code.

Framework Detection

AST-based engine detects agents across any Python framework: CrewAI, LangChain, Strands, or custom. Zero configuration.

Two-Stage Identity

Build-time markers + runtime attestation. Every agent holds a cryptographic identity before executing any logic.

Credential Cache

Three-tier JIT delivery: in-process (sub-ms) → distributed cache (1-3ms) → STS exchange. AWS, GCP, Azure.

Policy Engine

OPA Rego policies at every service boundary. Fail-closed enforcement. GitOps-driven. Full decision audit logging.

A2A Protocol

Purpose-built agent-to-agent communication. Durable task state, cooperative cancellation, real-time streaming, all over mTLS. Our own protocol, not a wrapper.

Vault

SPIFFE-native secrets. Zero API keys. AES-256-GCM encryption. Tenant + agent + path isolation via OPA.

LLM Observability

Complements existing LLM observability tools by adding the identity layer they lack. Per-process SPIFFE-attributed traces, per-agent cost tracking, and full OpenTelemetry spans any platform can consume.

Gateway

Converts OpenAPI v3 specs to MCP tools automatically. SPIFFE-authenticated tool invocations with semantic search.

Agent Detection & Response

Behavioral baselines via sliding-window analysis. Z-score anomaly detection. Lateral movement and privilege escalation tracking.

Deployment Models

One codebase, four targets: Fully Managed SaaS → Hybrid → Enterprise (BYOCA) → Air-Gapped. Progressive migration.

Topology Analysis

AST-based pattern detection at build time. Orchestrated, hierarchical, peer-to-peer, or mixed topologies identified automatically from source.

Sandbox & Browser Tools

Isolated execution via gVisor/micro-VMs for untrusted code. Headless Chromium automation. No credential leakage. Resource-limited.

Identity Graph

Real-time visualization of agent relationships, trust chains, and communication paths. Instant attack surface mapping.

Audit-Ready Policies

Pre-built OPA/Rego templates mapped to SOC 2, HIPAA, NIST, PCI DSS, ISO 27001, and EU AI Act. Deploy entire frameworks in one click.

Policy Staging

Three-stage rollout: Preview, Observe, Block. Test policies against live traffic, catch false positives, then enforce. Instant rollback.

One Codebase. Four Ways to Deploy.

Same agent code runs everywhere, from our managed cloud to your classified network.

SaaS

Best for startups and prototyping

Hexr-managed infrastructure. Fastest time to value. Zero operational overhead.

The Honest Comparison

Feature-for-feature against the alternatives. No hand-waving.

DimensionAWS AgentCoreRiptidesHexr
Vendor Lock-inAWS onlyCloud-agnosticCloud-agnostic
Air-Gapped Deploy
Identity GranularityPod-levelProcess (kernel)Process (userspace)
Kernel ModificationsNoRequiredNo
Framework SupportAnyLimitedAny Python
Sub-Agent Identity
Multi-Cloud CredentialsAWS onlyYesAWS + GCP + Azure
Open StandardsProprietaryProprietarySPIFFE, OPA, OTel
A2A Protocol
UC LaunchSpring 2026 Cohort

Join the Private Beta

Open standards. No lock-in. Production-grade from day one.

No credit card required. Early access for qualified teams.