A Networking Proxy That Defends

Worried about a large attack surface?
Concerned with a risk of insider threats?
Experiencing repeated losses and attacks from compromised credentials?

Hopr's Workload Security Proxy (WoSP) is a first-of-its-kind proxy that rigorously defends application networks with an Automated Moving Target Defense.

Preemptive Threat Disruption

Static access credentials allow threats the time they need to discover, exploit, and abuse access to applications and devices (i.e., workloads).

Hopping workload access credentials at a high frequency frustrates and disrupts threat attempts to discover these valuable targets.
01
Threats Monitor Message Traffic

Threats are attracted to credentials, such as identities and secrets, used for authentication and authorization when workloads start to communicate. Credential theft, credential stuffing, and man-in-the-middle attacks are common, and a persistent attacker has the time to discover and steal valuable credentials.

02
Threats Exploit Static Credentials

Threats rely on knowing that static credentials seldom change. And they use this advantage to collect credentials and plan attacks that give them greater access (lateral movement) to more valuable data and resources held by an enterprise. Credential-based attacks produce significant damage and data loss.

03
Threats Cannot Exploit Hopping Credentials

Hopr hops (rotates) the access credentials for trusted workloads at a high frequency, and only other trusted workloads can know the correct access credentials needed to start a communication session (such as an API call and response).

04
Threat Attempts Are Immediately Discovered

Hopr's AMTD leaves threats frustrated and exposes them to detection. Attempts to access a trusted workload are immediately recognized, logged, and rejected. The logs provide Security Teams with immediate discovery of threats and compromised static credentials (such as stolen API keys).

"Hopr has a timely solution that is well-positioned for a long run."

Global IAM Research Analyst

"This is awesome"

DevOps Engineer

"There is nothing like this in the entire world"

CISO, Global Data Services Provider

"This is very clever. Just what industry needs."

VP Healthcare Analyst, Global IT Research Firm

Decentralized Credential Management

High frequency hopping of workload access credentials is performed within a WoSP located at each Application or Device workload. WoSPs contain patented technology that decentralizes Identity and Secrets management.

Identity Manager

A Hopr WoSP receives an initial Machine Alias ID (MAID) credential at deployment, and then manages and rotates the credential frequently based on the host workload’s communication sessions.

Secrets Manager

Secrets are built 'on demand' from one or more CHIPS™ algorithms. The same algorithm in each WoSP runs at the start of a communication session and generates identical secrets at each workload.
Hopr's Unique Workload Security Proxy

Zero Trust, Cloud Native AMTD

WoSPs are small lightweight proxies that are easily and quickly deployed with host containers. They add high frequency credential hopping to traditional container networking capabilities. But they also provide Zero Trust access control to their host container (application or device). WoSPs can be easily deployed with legacy VMs, or in modern container systems such as Kubernetes.

With WoSPs

WoSPs bind to host containers and control network communication and workload access with Zero Trust principles.

Without WoSPs

Authentication and authorization with static workload credentials cannot meet Zero Trust principles.

Patented Innovations Create Magic


Codes Hidden In Plain Sight (CHIPS™)

A novel technology that uses algorithms to generate identical ephemeral secrets at two workloads at the same time regardless of their location.

Synchronous Ephemeral Encryption (SEE™)

A protocol that uses the CHIPS™ secrets to build end-to-end-encrypted communication channels between workloads, without a key exchange.

Machine Alias ID (MAID™)

A dynamic machine identity credential that enables frequent trust verification of each workload identity and also builds a chain of trust in the workload.


Hopr's WoSP Produces
Peer-to-Peer,
Bi-directional,
Ultra-secure Communications

Each peer-to-peer communication session is identity-trust-verified, quantum-proof, and protected by AMTD
Verify identity trust
Initial trust in a workload identity is established when a Hopr “sidecar” is deployed with its host workload, and the identity is verified again at each communication session.
Sidecars build their secrets
CHIPS™ technology enables two sidecars to build identical symmetric keys whenever a new communication session begins. Secrets remain in the sidecar.
Complete end-to-end encryption without a key exchange
Hopr's SEE™ protocol builds end-to-end encrypted communication channels without a key exchange. Only trusted messages reach their endpoints.
Automated High Frequency Credential Rotation
Workload identities and secrets rotate automatically at a high frequency to prevent discovery, theft, and misuse for a cloud native automated moving target defense (AMTD).
Discard untrusted messages
All messages that fail decryption on arrival at a sidecar are immediately logged and discarded. They never reach the intended endpoint.
Workload Identity Chain of Trust
Workload identities develop an immutable chain of trust based on their history of communication sessions with other workloads.

See the WoSP in operation

A 3:36 (min:sec) recorded demo shows Hopr WoSPs protecting workload endpoints, end-to-end encrypting messages, and refusing access from untrusted connections.

Networking workloads across environments can be simple

Networking application, service, and device workloads across clusters, cloud environments, and organizational domains is complicated, time-consuming, and error-prone when using conventional methods. Hopr's WoSP is easily configured and quickly deployed by DevOps. And, compared with conventional methods, it lowers cyber risk, reduces costs, and strengthens compliance.
01
Get Hopr WoSPs

Register with Hopr to receive access to our WoSP container repo, license, and key. Complete self-serve onboarding through the Hopr Help Center (yes it’s that simple!).

An average DevOps engineer can complete this step in less than a day.

02
Edit a YAML file

We provide DevOps with YAML templates and instructions to get started. DevOps edit a handful of configuration values.

They select a specific CHIPS™ algorithm to achieve identical secrets generation with other trusted workloads.

03
Deploy to production

The YAML is run in the CD pipeline and a WoSP is pulled, configured, and deployed with a host workload.

Some simple tests verify proper operation before live operation begins.

Once live, all Zero Trust and AMTD capabilities are immediately effective.

04
Monitor operations

WoSPs not only disrupt threats, they also expose them. Threat access attempts are immediately recognized, logged, and rejected. Logs are available to customer security teams via common observability tools such as Prometheus or Grafana.

Cloud Native AMTD Advantages

Ultra-secure communications
Symmetric keys remain within the WoSPs where they are built. They are never exposed to theft or misuse in a key exchange.
Reduce cost and increase IT efficiency
Decentralized identity and secrets management reduces the cost of centralized IAM services and of application security engineering.
Strong workload endpoint protection
The SEE™ protocol ensures only trusted messages reach endpoints, MITM attacks are prevented, and untrusted connections are rejected.
High-trust workload connections
Workload identity trust is verified at each connection by confirming the rotating identity and secret.
Protects the business ecosystem
Hopr WoSPs work with public-facing endpoints to connect to third parties using a "Kerberos for the cloud" protocol.
Protection across all environments
WoSPs protect endpoints across all container and VM environments without federating complex external IAM services.

Try Our Tech

We offer a FREE Hopr WoSP trial so you can evaluate it for your use case. Deploy Hopr WoSPs with your containerized apps and perform up to 5,000 communication sessions for one month at no charge.

Onboarding is self-serve and WoSP config and deployment is a simple DevOps process.

Technical FAQ

What synchronizes key generation to ensure identical secrets are produced?

Synchronous Ephemeral Encryption (SEE™) is a patented protocol that self-synchronizes connections between endpoints. Synchronization occurs at the start of a connection, without a key exchange.

What happens when identical WoSPs do not build identical secrets?

A received message that cannot be decrypted fails. This can happen when the two WoSPs rotate credentials with slightly different timing. If it occurs with a trusted workload, the secret is rebuilt and the message is re-sent.
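
The synchronous-key pattern described under "Sidecars build their secrets" and "Discard untrusted messages", together with the rotation-skew failure mode in the answer above, as an added example that is not Hopr's code and does not implement CHIPS™ or SEE™ (which, per this page, derive secrets from dynamic web content and are patented). The model below, in Go, assumes instead that each sidecar holds a provisioning seed delivered out of band, derives an identical AES-256 key for each rotation epoch with HMAC-SHA256, and wraps messages in AES-GCM so that anything not built with the trusted seed fails authentication and is logged and dropped. Where this page says a trusted workload that misses a rotation rebuilds the secret and re-sends, the model tolerates one epoch of skew on the receiving side. The seed, the 30-second epoch length, the wire format, and the message contents are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed rotation interval: both sidecars move to a new key every 30 s of wall-clock time.
const epochSeconds int64 = 30

func epochOf(unixSeconds int64) uint64 { return uint64(unixSeconds / epochSeconds) }

// deriveKey turns the shared provisioning seed and an epoch number into a
// 32-byte AES-256 key; same seed + same epoch yields the same key at both ends.
func deriveKey(seed []byte, epoch uint64) []byte {
	mac := hmac.New(sha256.New, seed)
	mac.Write([]byte("wosp-session-key:")) // domain label for this derivation
	var ep [8]byte
	binary.BigEndian.PutUint64(ep[:], epoch)
	mac.Write(ep[:])
	return mac.Sum(nil)
}

func aead(seed []byte, epoch uint64) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(seed, epoch))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under the sender's current epoch key. Wire format:
// epoch(8) || nonce(12) || AES-GCM ciphertext+tag; the epoch header is authenticated as AAD.
func seal(seed []byte, now int64, nonce, plaintext []byte) ([]byte, error) {
	ep := epochOf(now)
	gcm, err := aead(seed, ep)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, ep)
	ct := gcm.Seal(nil, nonce, plaintext, hdr)
	return append(append(hdr, nonce...), ct...), nil
}

// open accepts a message only if its epoch is the receiver's current or immediately
// previous one (one rotation of skew tolerated) and the GCM tag verifies under that key.
func open(seed []byte, now int64, wire []byte) ([]byte, error) {
	if len(wire) < 8+12+16 { // header + nonce + tag
		return nil, errors.New("short message")
	}
	ep, cur := binary.BigEndian.Uint64(wire[:8]), epochOf(now)
	if ep != cur && ep+1 != cur {
		return nil, fmt.Errorf("epoch %d outside accepted window ending at %d", ep, cur)
	}
	gcm, err := aead(seed, ep)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, wire[8:20], wire[20:], wire[:8])
	if err != nil {
		return nil, errors.New("authentication failed: not built with the trusted secret")
	}
	return pt, nil
}

func main() {
	seed := []byte("constructed-provisioning-seed") // assumed: given to both sidecars out of band
	nonce := []byte("0123456789ab")                 // 96-bit nonce; must never repeat under one key
	now := int64(1_700_000_000)
	wire, err := seal(seed, now, nonce, []byte(`{"op":"GET","path":"/orders/42"}`))
	if err != nil {
		panic(err)
	}
	for _, c := range []struct {
		name string
		seed []byte
		now  int64
	}{
		{"trusted peer, same epoch", seed, now + 5},
		{"trusted peer, one rotation late", seed, now + epochSeconds},
		{"replay after two rotations", seed, now + 2*epochSeconds},
		{"captured traffic, attacker's guessed seed", []byte("attacker-guess"), now + 5},
	} {
		pt, err := open(c.seed, c.now, wire)
		if err != nil {
			fmt.Printf("REJECTED %-42s %v\n", c.name, err) // the log line a SOC would consume
			continue
		}
		fmt.Printf("ACCEPTED %-42s %s\n", c.name, pt)
	}
}
```

Two design points carry over to any scheme of this shape. First, the provisioning seed is the real secret: whoever holds it can derive every epoch key, so it must be protected at least as carefully as a static API key would have been, and the per-epoch rotation limits the exposure window of a single derived key rather than replacing the need to protect the seed. Second, a 96-bit GCM nonce must never repeat under the same key, so a production sidecar would draw nonces from a counter or a CSPRNG rather than the fixed value used here.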

Is the CHIPS™ algorithm in a WoSP safe?

The CHIPS™ algorithm used by a WoSP is highly variable and unique to the deployment. The library of available algorithms numbers in the hundreds of thousands, so it is unlikely that a threat actor will guess or find the particular algorithm in use. Practitioners should note that this argument depends on the choice of algorithm staying hidden; evaluate it against Kerckhoffs's principle, under which a system should remain secure even when everything except the secret key material is public.

At what layer of the network stack is encryption performed?

Hopr Connect can be configured to encrypt data at either layer 4 or layer 7 of the OSI network stack. Layer 4 supports network load balancers (NLB) and layer 7 supports application load balancers (ALB). Both WoSPs in a connection must use the same layer for encryption.

How does SEE™ differ from mTLS?

SEE™ builds comprehensive end-to-end encrypted connections over the entire route between trusted workloads.

mTLS is not supported everywhere in the cloud and may terminate at "identity domain boundaries" between workloads, where PKI certificates lose their acceptance and trust.

mTLS in the cloud also relies on automated PKI certificates, which lack verification of workload trust when issued. And each certificate issued is an entirely new identity.

Does the CHIPS algorithm provide enough dynamism in the seed for the key?

There is a significant amount of dynamism (variability) in the seed elements used in CHIPS algorithms. It begins with a vast number of URLs where dynamic information can be found, and increases with the many possible locations at a URL.

It increases further because algorithms have many possible structures to alter or modify the dynamic elements. This includes nearly two-dozen variables, each of which has many possible values.

Is the encryption used in Hopr Connect quantum safe?

Yes. Symmetric encryption, which Hopr Connect uses, is expected to remain quantum safe for about a decade after quantum computing breaks asymmetric encryption. Hopr Connect uses a FIPS 140-2 and 140-3 validated cryptographic library with AES-256, which is considered quantum resistant: Grover's algorithm at most halves its effective key length, leaving 128 bits of security. The short lifetime of SEE™ keys adds a further margin, since any single key is exposed for only a brief window.

How much overhead does Hopr Connect add to the operation of Client-Server API calls?

The overhead occurs only when a connection begins: Hopr Connect adds 2 messages to the overall message count for each workload, i.e., 4 messages per connection.

If two workloads interact in a session of 100 messages (API calls and responses), those 4 additional messages amount to a 4% overhead for the security Hopr Connect provides.

Gartner, Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense, Lawrence Pingree, Carl Manion, et al., 28 February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.