Hopr Connect
for Trusted Workloads Operating Anywhere


70% of enterprises are unable to realize the business value of multi-cloud due to multi-cloud complexity.

Complexity and security challenges with Kubernetes implementation confront enterprises operating in multiple environments.

"This is a great security tool that any DevOps practitioner will love."
Drew Malone, Solution Engineer and DevOps/Infrastructure veteran
Hopr named in Gartner’s “Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense”

Hopr Connect
for Application Networking Across Identity Domains

Connecting application and service workloads across identity domains doesn't need to be complicated and costly.
By 2026, 90% of enterprises will extend their capabilities to multi-cloud environments. Each identity domain across Kubernetes, data center, and cloud environments creates connection barriers that add complexity and cost.

Easy, Affordable, and Secure
Service and Application Networking

Easily connect across Kubernetes and identity environments.
Workloads connect at either Layer 4 or Layer 7 across legacy identity boundaries.
Configure and deploy with ease.
Low-friction configuration and deployment with DevOps-friendly YAML.
Reduce architectural overhead.
Eliminate reliance on costly external services and complexity of cert-based solutions.
Extend service mesh beyond the cluster.
Simply interconnect to endpoints outside the service mesh.
Connect with external Organizations, too.
Verified-trust connections with external organizations such as suppliers and partners.

Lightweight Endpoint Protection

Hopr Connect protects endpoints with a lightweight and easily-deployed Workload Security Proxy (WoSP).

Identity Manager

Receives an initial Machine Alias ID (MAID) credential on initial trust at deployment and then manages and rotates the credential frequently based on the host workload’s activity.

Secrets Manager

The 'secrets manager' holds the CHIPS™ algorithm library and secrets generator. The CHIPS™ algorithm runs at the start of a connection with another workload.

WoSPs for Two Types of Connections

Hopr Connect enables high-trust, ultra-secure, on-demand connections inside an organization’s security architecture and with external organizations.

Internal Connections

A WoSP that protects workloads for Hopr Connect internal to an organization’s trusted security environments where identically configured WoSPs are possible.

Gateway Connections

A WoSP for workloads that communicate internally with other trusted workloads and also with external third-party workloads via Hopr Connect Gateway.

Try Our Tech

We offer a FREE plan so that you can use Hopr Connect to evaluate it for your use case with no time limit. Deploy Hopr WoSPs with your containerized apps and perform up to 5,000 communication sessions per month at no charge.

Onboarding is self-serve and WoSP config and deployment is a simple DevOps process.

Hopr’s AMTD Platform

A SaaS “Control Plane” for deployed Hopr WoSPs and host Workloads verifies MAID trust at every connection and logs communication sessions.
Runtime visibility of workload connections and volume, alerts, and notifications are available in a client dashboard.
Additional visibility of WoSP-workload operation in the customer environments is available from Envoy proxy observability features and WoSP logging.

Premium Features

Enhanced Fault Tolerance
This feature improves the fault tolerance of a basic WoSP by allowing configuration to define alternate CHIPS™ algorithms should the initial algorithm fail.
This feature allows assignment of CHIPS™ algorithms for use with specific IP ports to micro-segment applications and services.
Custom MAID Rotation
This feature allows configuration of the default MAID rotation parameters of number of connections and time cycle.
Custom CHIPS™ Algorithms
This feature allows the configuration of a custom algorithm for use in a Hopr WoSP.

Want more detail? Learn from our FREE resources.

We curated a collection of white papers, videos, and webinars in our ‘Discovery’ library. The resources are FREE with an email. We also have public resources available from the site navbar menu.

Compare Alternatives



Access requires verification of two rotating credentials.
Existing solutions cannot isolate and reject misuse of stolen credentials.
Comprehensive encryption over the entire route between workloads.
Cert-based TLS/mTLS is not assured everywhere and gaps expose data.
Identity trust is verified frequently to build a chain of trust in the workload ID.
Automated certificates are issued without trust vetting. The chain of trust ends with the cert manager.
Simple, DevOps-friendly YAML config and deployment.
Existing solutions require complicated and error-prone configuration and testing to connect across identity domains.
Cloud native pricing and self-contained identity and secrets management lowers costs.
Existing solutions rely on multiple external services with high costs per workload.

Product FAQ

Must all Hopr Connect WoSPs be configured with the same algorithm?

Hopr WoSPs whose workloads need to inter-operate must use the same CHIPS™ algorithm. A premium feature allows WoSP configuration for micro-segmentation using multiple algorithms assigned to different ports.

How is the end-to-end encryption performed?

Hopr's Synchronous Ephemeral Encryption (SEE™) protocol builds a secure 'tunnel' between workloads using the symmetric key produced by CHIPS™ at each workload. There is no key exchange.

At what layer of the OSI network stack do WoSPs encrypt message traffic?

By default, encryption-decryption occurs at Layer 4, the Transport layer. Every IP packet (message headers and bodies) is individually encrypted and decrypted. Layer 7 (application layer) encryption is configurable.

Does Hopr Connect replace the API keys used for an application?

No. API keys are still passed within messages sent to an API endpoint, but they are only used for identification purposes by the API. They are protected because they are encrypted and cannot be sniffed in transit.

How does Hopr Connect block malicious traffic?

Connection attempts from untrusted workloads fail SEE™ protocol decryption, even if they are also TLS encrypted. They are immediately logged and discarded.

Does Hopr Connect protect North-South and East-West traffic?

Yes. Hopr Connect protects all ingress and egress access to workloads located anywhere. Whether messages are N-S or E-W does not affect Hopr Connect due to its decentralized identity and secrets management capability.