Get Hopr Sidecars for free and experience simpler DevSecOps and stronger security via AWS Marketplace

Hopr Sidecars that Prevent Attacks Inside the Network

Cloud native Automated Moving Target Defense (AMTD) that prevents attacks on enterprise workloads, APIs, and data.

Animated graphic depicting moving targets in XTRA

But XTRA can.

It begins with Verified Trust

Verified identity trust is essential to secure East-West and North-South endpoints and traffic within the enterprise. Other features are built on that foundation.

Graphic diagram of containerized workloads with envoy-XTRA sidecar
Workload identity is verified
We verify a rotating workload identity credential at the start of each session to ensure the two workloads are trusted.
CHIPS™ technology for key generation
Codes Hidden In Plain Sight (CHIPS™) technology enables two sidecars to build identical secrets anywhere in the cloud.
SEE™ communication channels.
Synchronous Ephemeral Encryption (SEE™) builds new end-to-end encrypted communication channels at each session.
High frequency credential rotation.
Identity and secret credentials rotate at every session between two trusted workloads.
Keys vanish after each session.
Encryption keys are ephmeral and never stored. Every session produces a new secret credential.
Integrated with Envoy proxy.
Sidecars leverage the listeners, filters, and routing of Envoy for easy deployment with containerized workloads.

Four easy steps to threat prevention

Say goodbye to the pain of PKI identity management, expiring certificates, finicky mTLS configurations, costly secrets stores, credential theft, and malicious attacks on your workloads.
Graphic  front view illustration of a motorcycle sidecar attached to an app icon
Register and obtain a Sidecar

Once an enterprise is registered with Hopr, DevOps staff are trusted with access to Hopr's container repository and Help Center for onboarding.

An abstract profile graphic of a motorcycle sidecar with the envoy-hopr logo on it.
Configure your sidecar

DevOps staff configure Sidecars with a specific CHIPS™ algorithm to enable encrypted communication with other workloads using identical sidecars.

Abstract graphic of a containerized workload with an envoy-Hopr sidecar
Integrate and test with a workload

A YAML file pulls a Sidecar container image and deploys it alongside its host workload. On first use, the Sidecar identity is registered with Hopr.

Graphic illustration of two containerized workloads in live operation
Go live!

Hopr's cloud native AMTD protection is immediate every time to workloads within the network communicate, whether they operate on-premises, in a commercial cloud, or in a multi-cloud.

graphic icon of a gear, malicious attacks, and an API object

Learn The Details About Hopr's Cloud Native AMTD

Learn the details about Hopr's AMTD and why it does more than prevent attacks. The six-page paper explains how Hopr's cloud native AMTD prevents attacks, assures identity trust, protects data-in-transit everywhere, and prevents the delivery of malware.
Read the Paper

Watch a 3:15 (min:sec) video demonstrating Hopr Sidecars at work protecting workloads from untrusted connections

Hopr Features Produce Advantages

A comparison of Hopr features for internal workloads versus four competitor products



Rotate credentials at high frequency for a moving target defense.
Only one other competitor identifies key reuse as a problem for enterprises. But keys are rotated infrequently.
Reject all malicious traffic at each workload.
Other competitor products rely on detection to block malicious traffic from reaching a workload.
SEE™ communication channels protect messages over the entire communication route.
Only one other competitor product provides an end-to-end encryption capability.
Eliminates the "secret zero" problem. Secrets vanish after use and are not stored.
Only one other competitor uses ephemeral secrets that eliminate the secret zero problem.
Workloads build their secrets at each session and use them for encryption rather than authentication.
No other competitors build secrets that rotate at a high frequency.
Low-friction adoption. Simple addition of a Sidecar requires no change to existing Apps and APIs.
All other competitors require layers of API integration and add complexity to APIs or require external appliances.
Abstract Graphic of workload, XTRA sidecar, and YAML file icons

Try Our Tech

Experience the simple effectiveness of Hopr's cloud native AMTD in your own environment and use case. Sign up for our Free Forever plan.

Onboarding is fast and DevOps deployment is simple.

Sidecar FAQ

What is Envoy Proxy?

Envoy proxy is open source software developed by the Cloud Native Foundation. It performs many networking functions for workloads using a sidecar pattern. Hopr sidecars add a custom filter to Envoy.

Must all enterprise sidecars be configured with the same algorithm?

Only sidecars whose workloads need to inter-operate to perform a service must use the same CHIPS algorithm. Other enterprise workloads/sidecars may be configured with different algorithms for micro-segmentation of enterprise services.

How is the end-to-end encryption performed?

It is symmetric encryption that is made possible by two workloads building an identical key using a CHIPS algorithm. The key is never exchanged or exposed to theft.

At what layer of the ISO network stack do sidecars encrypt message traffic?

The encryption-decryption occurs at Layer 4, the Transport layer. Every IP packet (message headers and bodies) is individually encrypted and decrypted.

Do Hopr Sidecars replace the API keys I use?

No. API keys are still used within messages sent to an API endpoint, but they serve an identification purpose only at the endpoint. They are not needed for security, but are protected because they encrypted in the message so they cannot be sniffed in transit.

How do the sidecars block malicious traffic?

Synchronous Ephemeral Encryption ensures decryption is only successful if messages arrived from trusted workloads that share the same CHIPS algorithm. All other messages, even if they are TLS encrypted, fail decryption and are discarded before they each a workload (or API) endpoint.

Do sidecars protect North-South and East-West workload traffic?

Yes. Hopr sidecars protect all ingress and egress access to enterprise workloads whether or not they are in the same containerized infrastructure or external to it. The only requirement is that the workloads be managed within the enterprise.

What load balancer is used for encrypted message traffic

Hopr Sidecars may be configured to encrypt egress messages at either Layer 4 or Layer 7 to allow for use of either a Network Load Balancer (NLB) or an Application Load Balancer (ALB) depending on the enterprise architecture.

Don't see your question above?
Schedule a FREE discovery call.

Discover How AMTD is a Winning Defense

Schedule a 15-minute discovery call with one of our experts to discuss your use case and learn how Hopr's automated moving-target defense can prevent cyber attacks on your business.
Schedule a Call
Gartner, Emerging Tech: Security — The Future of Cyber Is Automated Moving Target Defense, Lawrence Pingree, Carl Manion, et al.., 28 February 2023. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.