DATA SECURITY IN TRANSIT

Your most sensitive data is in transit right now. Can you see it?

Hoop sits between your engineers, AI agents, and infrastructure. Every query, every command, every session passes through one gateway, where you can mask sensitive data, block dangerous operations, and approve risky actions before they execute.

5,000+ databases protected in a single deployment
<5ms added latency per query
CNCF member · open source core

THE BLIND SPOT

You protect data at rest. Data in motion is your blind spot.

Queries, commands, and pipelines move sensitive data across your infrastructure every second. Most security tools can’t see any of it.

NATIVE CLIENT SUPPORT

Your tools. Your workflow. The gateway is invisible.

DBeaver, DataGrip, psql, kubectl, Lens, SSH. Your team keeps using the tools they already know. The data arrives already masked. No plugins, no browser extensions, no proprietary UI.

DBeaver — customers @ prod-db
name | email | ssn | phone
Sarah Chen | [email protected] | 284-19-7653 | +1 415-892-3041
Marcus Webb | [email protected] | 531-77-0294 | +1 212-555-8817
Elena Ruiz | [email protected] | 719-42-8106 | +44 20-7946-0958
James Okafor | [email protected] | 603-88-1542 | +1 650-331-7720
4 rows returned · masked by hoop gateway
Terminal — psql
prod-db=> SELECT name, email, ssn FROM customers LIMIT 3;
name | email | ssn
-------------+----------------------+-------------
Sarah Chen | [email protected] | 284-19-7653
Marcus Webb | [email protected] | 531-77-0294
Elena Ruiz | [email protected] | 719-42-8106
(3 rows) · masking: active
Lens — Pod Logs
[INFO] User login: [email protected] from 192.168.1.42
[INFO] Payment processed: card 4532-XXXX-XXXX-7821 amount $142.50
[WARN] Failed auth: [email protected] · 10.0.3.88
streaming · 3 fields masked
Terminal — ssh prod-server
$ cat /var/log/app/users.csv
id,name,email,ssn
1,Sarah Chen,[email protected],284-19-7653
2,Marcus Webb,[email protected],531-77-0294
3,Elena Ruiz,[email protected],719-42-8106
file output · 9 fields masked

HOW IT WORKS

One gateway. Every protocol. Real-time control.

One gateway parses every wire protocol in real time. Four capabilities no other tool provides.

Data Masking

Identify and redact sensitive data in transit before it reaches the client. PII, PHI, financial data, credentials. One rule covers thousands of resources. No schema required.

Guardrails

Define dangerous operations and block them before they execute. DROP TABLE, rm -rf, unauthorized deletes. Prevention, not detection.

AI Analysis

Real-time analysis of session content. Classify risk levels, detect anomalies, flag unusual access patterns. Your security team sees what is actually happening in transit.

Runbooks

Automated response workflows triggered by session events. Escalate, notify, remediate. Connect Hoop to Slack, PagerDuty, Jira, or any webhook.


LAYERED ACCESS CONTROL

Seven layers between your data and exposure.

Every access level adds controls. From automatic masking on read, to runbook-only mode where no human touches production directly.

Active controls
AI Data Masking: Automatic
Just-in-time sessions: Time-bound
Peer approval: Required
Written justification: Mandatory
Leader / DBA approval: Multi-step
Query guardrails: Active
AI session analysis: Scanning
Runbook-only mode: Enforced

Access levels protecting CRITICAL DATA
Read + Masking: Sensitive fields hidden. No approval needed.
Read Unmasked: Raw data, peer approval, time-bounded.
Sensitive Read: Justification + full audit trail.
Standard Write: Leader approval, guardrails active.
Sensitive Write: AI risk analysis on every query.
Structural Change: Only pre-approved CI/CD actions.
Runbook Only: No manual sessions. Automation only.

AI ACCESS GOVERNANCE

AI agents inherit your engineers’ access. They shouldn’t inherit the risk.

Agents connect to production with broad human credentials. Hoop applies real-time controls, routing risky actions for human approval via Slack or Teams, one command at a time.

$ claude "payments returning 503s, diagnose"
⟡ Connecting via Hoop read-only profile...
⬡ hoop | profile: readonly-prod | cluster: prod-us-east
⬡ hoop | kubectl get pods -n payments
⟡ Found 3/5 pods in CrashLoopBackOff
⟡ Root cause: OOMKilled, memory limit 256Mi
⟡ Proposed fix: kubectl set resources deploy/payments --limits=memory=512Mi
⬡ hoop | Write command detected. Routing...
⬡ Revised: rollback to stable image kubectl set image deploy/payments payments=payments:v2.3.1
⬡ hoop | Approved. Deploying...
deployment.apps/payments updated to v2.3.1
⟡ Rollout complete. 5/5 pods running.
⬡ hoop | Audit: 4 cmds, 1 rejected, 1 approved
⬡ hoop | Replay: app.hoop.dev/sessions/7f3a91c2
Agent approval flow
Hoop access request from claude-agent via #infra-approvals
Pending
Command
kubectl set resources deploy/payments --limits=memory=512Mi --requests=memory=256Mi
prod-us-east · namespace: payments
Agent reasoning
3/5 pods OOMKilled at 256Mi. Increasing memory limit to 512Mi to restore service.
Approve | Reject

MEASURE WHAT MATTERS

Give your risk team numbers they’ve never had.

Every session flows through the gateway. For the first time, you can measure and report on data-in-transit risk. The metrics your CISO and board actually care about.

ARCHITECTURE

Deploy in your network. Connect your IdP. Define your rules.

Protocols supported: PostgreSQL, MySQL, MSSQL, MongoDB, Kubernetes, SSH, HTTP/gRPC, RDP, and more.

01. Deploy the gateway

Deploy Hoop in your cloud (AWS, GCP, Azure, on-prem). One deployment covers all protocols. No schema discovery. No agents on endpoints.

02. Connect your identity provider

Connect via OIDC. Every session is authenticated with short-lived tokens. No standing credentials, no static certificates.

03. Define your policies

Mask PII in database responses. Block destructive commands. Require approval for production writes. Rules apply instantly across all connected resources.

postgres
$ hoop connect postgres:prod
Connected to postgres:prod
Session sess_01jkx7r2nb4f
Auth OIDC · token expires in 8h

BUILT FOR

Organizations where data in motion is the business.

Hoop is most valuable where sensitive data flows constantly and the cost of a breach, a leak, or a bad command is existential.

Financial services moving money, trades, and client data across systems every second
Healthcare organizations handling PHI across distributed infrastructure
Public companies with SOX, SOC2, and audit requirements they cannot afford to fail
Any organization deploying AI agents against production infrastructure

ENTERPRISE READY

SOC 2 Type II. Self-hosted. Air-gapped. Production-proven.

Hoop runs entirely inside your infrastructure. The AI models that power data masking, session analysis, and risk classification deploy on your hardware. No data leaves your network. No third-party AI services. No external dependencies to approve with security, legal, or procurement.

Multiple companies listed on the New York Stock Exchange run Hoop in production today. The platform has passed critical security validations, annual penetration tests, and enterprise vendor assessments. We run Hoop on Hoop: every session our own team executes goes through the same gateway, the same guardrails, the same audit trail.

Certified

SOC 2 Type II · GDPR compliant · Annual pen-tests · CNCF member · Open-source core

Generates evidence for

HIPAA · PCI-DSS · SOX · NIST 800-53 · ISO 27001 · FedRAMP · HITRUST · CCPA · LGPD · GLBA · FISMA · NERC CIP

Deployment

100% self-hosted

Gateway, control plane, and AI models on your infrastructure

Air-gapped compatible

Zero external calls. Runs in classified and restricted environments

On-prem and bare metal

Not cloud-specific. Kubernetes, Docker, VMs, or bare metal

Self-hosted AI models

One-click deploy. No third-party AI APIs. No data exfiltration risk

Trusted by NYSE-listed companies in production. We run Hoop on Hoop.

Your data is in transit right now. Unprotected.

We’ll connect to your environment and surface risks your current tools can’t see. No commitment. Just visibility.
