XTRA Beta is now available to enterprises

XTRA Protection for Workloads and Data

Because API attack traffic has doubled in the last 12 months!

hopr Kerberos for the Cloud hero graphic

Stronger Security

Block all malicious traffic with a moving-target defense

Graphic diagram of containerized workloads with envoy-XTRA sidecar
High frequency credential rotation.
Identity and secret credentials rotate at every session between two trusted workloads.
Secrets are built by XTRA Sidecars and remain there.
Secrets are never passed outside the sidecar where they can be discovered and misused.
End-to-end encryption.
Ephemeral symmetric encryption guarantees only messages from trusted workloads are read.
Secrets vanish after each session.
There are no secrets to store and every session produces a new secret credential.
Sidecar configuration provides microsegmentation.
Configuring XTRA Sidecars to use the same CHIPS algorithm isolates those workloads for microsegmentation.
Integrated with Envoy proxy.
XTRA leverages the listeners, filters, and protocols of Envoy for seamless integration with existing workloads and mesh architectures.
graphic icon of a gear, malicious attacks, and an API object

Learn why and how XTRA protection is needed

General purpose API management solutions alone cannot protect API endpoints. A specialty security solution is needed
Read The White Paper

Four easy steps to XTRA protection

Say goodbye to the pain points of PKI identity management, expiring certificates, mTLS configurations, costly secrets stores, credential theft, and malicious attacks on your workloads.
Graphic  front view illustration of a motorcycle sidecar attached to an app icon
Register and obtain a Sidecar

Once an enterprise is registered with Hopr, DevOps staff are trusted to register enterprise workloads and obtain an XTRA 'sidecar' (a container image file from Hopr's repository).

An abstract profile graphic of a motorcycle sidecar with the envoy-hopr logo on it.
Configure your sidecar

DevOps staff configure XTRA Sidecars with a specific CHIPS algorithm to enable it to communicate with other trusted enterprise workload. Additional Envoy configuration settings are possible, too.

Abstract graphic of a containerized workload with an envoy-Hopr sidecar
Integrate and test with a workload

DevOps staff load the XTRA Sidecar container image alongside its registered workload. On first use, the  Sidecar builds an ephemeral secret and connects to Hopr to verify operation and trust of the workload.

Graphic illustration of two containerized workloads in live operation
Go live!

XTRA's moving-target defense is fully autonomous operating with each pair of workloads at every session, whether they operate on-premises, in a commercial cloud, or in a hybrid-cloud environment.

Abstract graphic showing four main components of the XTRA sidecar

Try Our Beta

Apply to participate in our XTRA beta program. XTRA uses CHIPS technology to protect trusted workloads and data.

It's free, and participating enterprises receive benefits that include a bespoke, self-paced, and collaborative experience.
Apply Now

XTRA Features Deliver Advantages

A comparison of XTRA's features versus four competitor products

XTRA Feature


Rotate credentials at high frequency for a moving target defense.
hover or click to flip over
Only one other competitor identifies key reuse as a problem for enterprises. But keys are rotated infrequently.
Reject all malicious traffic at each workload.
hover or click to flip over
Two competitor products may have some capability to block malicious traffic from reaching a workload.
Symmetric end-to-end encryption protects messages over the entire communication route.
hover or click to flip over
Only one other competitor product provides an end-to-end encryption capability.
Eliminates the "secret zero" problem. Secrets vanish after use and are not stored.
hover or click to flip over
Only one other competitor uses ephemeral secrets that eliminate the secret zero problem.
Workloads/APIs build their ephemeral secrets at each session and use them for encryption rather than authentication.
hover or click to flip over
No other competitors build secrets that rotate at a high frequency.
Low-friction adoption. Simple addition of a Sidecar requires no change to existing Apps and APIs.
hover or click to flip over
All other competitors require layers of API integration and add complexity to APIs or require external appliances.
image of computer code for hopr's "Codes Hidden in Plain Sight" technology

Watch a recorded demonstration

Click the button below, provide your email address, and watch a 3:13 (min:sec) recorded demonstration of how Hopr's CHIPS technology protects an interaction between two workloads.
Watch the Video


What does XTRA mean?

XTRA is an acronym for eXceptionally Tamper Resistant APIs. The name reflects the net effect of the many security features provided by Hopr's CHIPS technology when used to protect enterprise workloads and data.

What is Envoy Proxy?

Envoy proxy is open source software developed by the Cloud Native Foundation. It performs many networking functions for workloads using a sidecar pattern. XTRA Sidecars add a custom filter to Envoy.

Is XTRA for enterprise workloads only or can it be used with 3rd-party workloads?

XTRA is for trusted enterprise workloads only. Enterprise workloads are centrally managed and trusted so they are able to share a CHIPS algorithm with trust and low risk. The verification and trust of external third-party workloads is under development by Hopr.

Must all enterprise sidecars be configured with the same algorithm?

Only sidecars whose workloads need to inter-operate to perform a service must use the same CHIPS algorithm. Other enterprise workloads/sidecars may be configured with different algorithms for micro-segmentation of enterprise services.

How is the end-to-end encryption performed?

It is symmetric encryption that is made possible by two workloads building an identical key using a CHIPS algorithm. The key is never exchanged or exposed to theft.

At what layer of the ISO network stack does XTRA encrypt message traffic?

The encryption-decryption occurs at Layer 4, the Transport layer. Every IP packet (message headers and bodies) is individually encrypted and decrypted.

Does XTRA replace the API keys I use?

No. API keys are still used within messages sent to an API endpoint, but they serve an identification purpose only at the endpoint. They are not needed for security, but are protected because they encrypted in the message so they cannot be sniffed in transit.

How does XTRA block malicious traffic?

Because of XTRA's encryption-decryption approach and high-frequency secrets rotation, only trusted workloads are able to read encrypted messages. All other traffic fails decryption and is blocked from ever reaching the workload (or API endpoint).

Is XTRA used for North-South and East-West workload traffic?

Yes. XTRA protects all ingress and egress access to workloads whether or not they are in the same containerized infrastructure or external to it. The only requirement is that the workloads be managed within the enterprise.

What load balancer is used for XTRA's encrypted message traffic

Because XTRA encrypts message packets (both headers and message bodies), encrypted traffic must use a Network Load Balancer (NLB). If you require an ALB, then please contact us to discuss your use case.

Don't see your question above?
Schedule a FREE discovery call.

Discover a winning defense

Schedule a 15-minute discovery call with one of our experts to discuss your needs and learn if Hopr's moving-target defense can enhance the protection of your critical business services.
Schedule a Call