Hopr Korvette-SE
The WoSP for Multi-cloud

Did you know? A Corvette is a small, fast, defensive naval vessel that historically served to carry messages between larger naval vessels in a fleet. We spell our Korvette with a 'K' in recognition of its value to Kubernetes systems.

The Korvette-SE is a Workload Security Proxy that is designed to operate as a 'sidecar' and as an 'edge' proxy.

“I love how much easier Hopr is than making mTLS work across environments. And I'm confident that the full communication route is secure, too! This is a great security tool that any DevOps practitioner will love.”
Drew Malone, Solution Engineer and DevOps/Infrastructure veteran

Today's multi-cloud networking is a complicated, error-prone process with a vulnerable outcome

70% of multi-cloud enterprises reported that they were unable to realize the business value of multi-cloud due to multi-cloud complexity.

80% of API attacks occur on public-facing endpoints. Third-party API keys are frequently stolen and used by threat actors to exploit APIs at more lucrative enterprises.

90% of FinTech API attacks were authenticated, indicating that attackers were able to obtain and abuse high-value authentication credentials and bypass API security.
The Korvette-SE enables seamless multi-cloud application networking and blocks all access attempts by untrusted external third parties.

Key Features and Advantages of the Korvette-SE WoSP

Korvette-SE WoSPs have all of the features and advantages of the Korvette-S WoSP, plus the following "Kerberos for the Cloud" features that protect cloud edge workloads operating with trusted third parties.
IDENTITY TRUST OF EXTERNAL WORKLOADS
The Korvette-S includes a decentralized hopping identity credential (the MAID™) that is verified for trust at the start of a communication session with another workload.
If the MAID™ verification fails, security teams receive an immediate alert and can determine the appropriate action.
HOPR'S THIRD PARTY TRUST ADVANTAGE
Identity trust verification is an important Zero Trust principle not met by conventional identity solutions.
Frequent identity trust verification is an advantage over conventional workload identity certificates (which are static keys) whose trust is only assumed when creating a communication session.
SEAMLESS MULTI-CLOUD NETWORKING
Access to any application or device workload operated by the enterprise is controlled by access credentials that hop at a high frequency. These credentials can only be known by other trusted enterprise workloads and they can only be known at the time a communication session starts.
HOPR'S ACCESS CONTROL ADVANTAGE
Frequently hopping workload access credentials disrupts attempts by threat actors to steal and abuse them to gain unauthorized access to workloads. Hopping access credentials gives cyber defenders an advantage over sophisticated threat actors.
DECENTRALIZED AND DISTRIBUTED GATEWAY
Attempts by malicious or untrusted workloads to access a trusted workload are discovered, logged, and rejected without a response to the workload attempting access.
Logs of untrusted access attempts are available to customer security teams for use in Security Incident Event Management tools.
HOPR'S THREAT REJECTION ADVANTAGE
Recognizing threat activity is slow and error-prone with detection and response tools. But Hopr's WoSPs immediately discover and stop all threat attempts to access a trusted workload. The risk of unauthorized access is significantly reduced.
PUBLIC API THREAT PROTECTION
Insider threats are prevented from moving laterally and gaining additional access to workloads. Malicious workloads within an environment are unable to communicate with trusted workloads and are isolated. Attempts to exfiltrate data from trusted workloads are preempted.
HOPR'S INSIDER THREAT ADVANTAGE
Threat actors may bypass perimeter defenses, avoid detection, and move laterally to extend their control and attacks. But they will confront an insurmountable defense at each workload and become isolated, unable to access other workloads or move laterally to exploit other valuable enterprise assets.

“The Kerberos security pattern is well-proven. What Hopr has developed is a novel implementation of Kerberos that will enhance the protection of cloud workloads.”

Senior Director, Global Technology Analyst

Kerberos for the Cloud
The Hopr Protocol Powering the Korvette-SE WoSP

Secure East-West and North-South traffic with a zero trust automated moving-target defense

A graphic illustration of the Kerberos for the Cloud protocol with two Korvette-SE WoSPs
Kerberos is a well-proven security design pattern
Decentralized API gateways
Korvette-SE WoSPs turn public-facing workloads into decentralized gateways capable of routing data from third parties to other trusted internal workloads with Korvette-S WoSPs.
Disable stolen API keys
Korvette-SE WoSPs immediately recognize untrusted access attempts and enable security teams to discover stolen API keys. Stolen keys are immediately rendered useless to threat actors.
Guaranteed trust at every connection
Hopr is the identity trust verifier in a Kerberos for the Cloud protocol between two Korvette-SE WoSPs. Identity trust verification of each workload is mandatory before enabling their connection.
Cross-organization application networking
Partners and suppliers and others in a digital ecosystem of separate organizations can participate in an application network by using Korvette-SE WoSPs with their public-facing workloads.

The Kerberos for the Cloud Protocol

Korvette-SE WoSPs perform the Kerberos protocol when connecting with WoSPs across clusters, segments, clouds, or domains. The protocol ensures that the identity trust of each workload is verified before they initiate a session using the SEE™ protocol. In the steps below, two workloads have deployed Korvette-SE WoSPs that are each configured for their own 'home' environment (two different environments).
01
An initiating Korvette-SE WoSP connects with a Trust Verifier

When a Korvette-SE WoSP needs a session with a third party Korvette-SE WoSP (outside of its home environment), the initiating Korvette-SE sends an encrypted message to Hopr's Trust Verifier, requests a session, and identifies the other workload.

02
The Trust Verifier selects a one-time CHIPS™ algorithm

The Hopr Trust Verifier decrypts the initiating WoSP's message, verifies its MAID™, and learns the identity of the second workload. If the initiator's identity trust is verified, the Trust Verifier provides the initiating Korvette-SE with a one-time CHIPS™ algorithm ID for the requested session.

03
The initiating WoSP encrypts and sends a message to a second WoSP

Upon receiving the one-time CHIPS™ algorithm ID from the Trust Verifier the initiating Korvette-SE WoSP generates a key and encrypts its first message to the second Korvette-SE WoSP and sends it to that WoSP.

04
The Trust Verifier verifies the second WoSP

Upon receipt of an encrypted message from the initiating WoSP, the receiving Korvette-SE WoSP communicates with the Trust Verifier and identifies the initiating WoSP. The Trust Verifier verifies the MAID™ credential of the second WoSP and provides it with the same one-time CHIPS™ algorithm ID.

05
A Trusted Communication Session

The second Korvette-SE WoSP runs the one-time CHIPS™ algorithm and decrypts the message from the initiating Korvette-SE. Both WoSPs use their identical keys (from the one-time CHIPS™ algorithm ID) for their direct peer-to-peer session until either party closes the session, at which time the keys and CHIPS™ algorithm ID vanish.

The Korvette-SE Shines in Secure Multi-cloud Application Networking

Graphic of Korvettes in an application network with a third party
Multiple Identity Regimes or Enterprises
Identity regimes partition workloads by identity authorities, but this creates seams between clusters, segments, sub-domains, on-premises clouds, and commercial clouds. These seams are vulnerable and impede communications. The Korvette-SE enables seamless communication.
Trust Among Third Party Enterprises
Business agility and market opportunity drive enterprises to participate in ecosystems and share data among third parties, but trust is a concern. The Korvette-SE ensures the identity trust of segmented and third-party workloads.
Preventing External API Attacks
Threats love to target public-facing API endpoints and steal API keys. They rely on the long-lived keys to attack APIs and bleed off sensitive data, or to attack API logic to inject malicious code.
Trust But Verify, Then Share Data
Security begins with identity trust verification, but this is very difficult to do across organizations. Hopr's Korvette-SE ensures that trust is verified before workloads connect and before they share any data.
Networking at the Application Layer
Korvette-SE works at the application layer to simplify secure networking and segmentation at the highest layer of the stack. It does not interfere with lower level identity and security protocols.

How Hopr WoSPs protect app networks with AMTD

Hopr WoSPs are small, lightweight proxies that easily build secure networks of applications and devices across clouds, segments, and clusters. Read our white paper to learn about the WoSP's features, advantages, and benefits.
Read the Paper

Korvette-SE Benefits

Improved Security Posture Against External Threats
Cloud Native AMTD with identity trust verification protects trusted edge workloads and their data from unauthorized access.
Configure and deploy with ease.
Low-friction configuration and deployment with DevOps-friendly YAML and CI/CD tools.
Reduce architectural overhead.
Reduces the need for costly external services and the complexity of cert-based solutions. Also reduces human configuration errors.
Immediate discovery of threat activity
Rejection of all unauthorized attempts to access trusted edge workloads. Untrusted access attempts are immediately discovered and rejected.
Confidential and tamper-proof public API access
Strong confidentiality and integrity of data in transit across the public Internet, and access control at public-facing edge workloads are essential to defeat threats.

Frequently Asked Questions

Do the other enterprises that work with our edge applications need to have Korvette-SE WoSPs to exchange data with the Korvette-SE WoSPs deployed with our edge applications?
When the Korvette-SE is communicating with third-party edge workloads external to its cloud environment, is the trust and security obtained the same as it is for internal sidecar connections within a cloud environment?
Do Korvette-SE WoSPs need to be identically configured for workloads within a cluster, segment, or cloud, or can they be configured differently and still work?

Try Our Tech

We offer a FREE Hopr WoSP trial so you can evaluate it for your use case. Deploy Hopr WoSPs with your containerized apps and perform up to 5,000 communication sessions for one month at no charge.

Onboarding is self-serve and WoSP config and deployment is a simple DevOps process.

Available Premium Features

The Korvette-SE can be customized for enterprises with critical use cases needing a tailored solution.
Enhanced Fault Tolerance
This customization improves the fault tolerance by defining alternate CHIPS™ algorithms should the initial algorithm become inoperable.
Micro-segmentation
This customization uses different CHIPS™ algorithms assigned to different IP ports to micro-segment workload data sharing.
Custom MAID Rotation
This customization tailors the configuration of the default MAID hopping cycle.
Custom CHIPS™ Algorithms
This customizes the CHIPS™ algorithm for use in a Hopr WoSP.
Gartner, Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense, Lawrence Pingree, Carl Manion, et al., 28 February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.