OPEN SOURCE

The code that touches your data is code you can read.

Hoop’s gateway is open source under MIT. The protocol parsers, the control engine, the plugin system, the CLI. Every component that intercepts, inspects, and acts on your data in transit is on GitHub. Audit it. Extend it. Self-host it.

Star on GitHub →Get started free →

Open Source Gateway

1Kstars goal

Wire protocols

PostgreSQL

MySQL

SSH

Kubernetes

HTTP/gRPC

Gateway

Active controls

Mask PII

Block DDL

Approve

Record

Analyze

Contributors

619/ 1K goal

Stars

Forks

MIT

License

WHY OPEN SOURCE

Security software should be verifiable, not just trusted.

You wouldn’t deploy a black-box proxy between your engineers and your production databases. Neither would we.

Inspect everything

The gateway parses your wire protocols, inspects your queries, and applies controls to your data in transit. That code should not be a black box. Every line is on GitHub. Read it, audit it, verify it.

Extend anything

Build custom plugins for masking patterns, guardrail rules, runbook templates, and integrations. The plugin system is open. Your security team writes the rules, not ours.

Trust by verification

Security products that ask you to trust them are asking the wrong question. We ask you to verify. The gateway is the same code in our managed service and your self-hosted deployment. No proprietary forks.

ARCHITECTURE

What’s open. What’s commercial. No ambiguity.

The gateway (everything on the data path) is open source. The commercial layer adds AI capabilities, the web UI, and enterprise integrations.

Open source gateway

MIT

Protocol parser

PostgreSQL, MySQL, MongoDB, SSH, Kubernetes, HTTP wire protocol parsing

Gateway engine

Connection routing, session management, TLS termination

SSO and IdP integration

OIDC and SAML. Okta, JumpCloud, Azure AD, any provider. Free.

Plugin system

Masking, guardrails, runbooks, webhooks, and custom extensions

CLI

hoop connect, hoop exec, hoop admin — full command-line interface

Session recording

Full session capture, storage, and replay

Audit logging

Every action, identity, timestamp, and outcome

Commercial platform

Built on the open source core

AI-powered masking

ML models for context-aware PII detection beyond regex

AI session analysis

LLM-based risk scoring, anomaly detection, behavioral analysis

Web UI

Developer portal, admin console, session browser

IdP group sync

Automatic group sync via OAuth 2.0 for role-based access

Managed hosting

Hoop-hosted control plane with your self-hosted gateway

Enterprise support

SLA, guided onboarding, private Slack channel

$0No SSO tax

SSO is included in the open-source license. Not behind an enterprise paywall.

Every product in this space charges extra for SSO. We don’t. Connect Okta, JumpCloud, Azure AD, Google Workspace, or any OpenID Connect and SAML-compatible identity provider. In the open-source version. For free. Identity is a security primitive, not a revenue lever.

OktaJumpCloudAzure ADGoogle WorkspaceAuth0OneLoginKeycloakAny OIDCAny SAML

COMMUNITY

Build with us. Every contribution makes access safer.

From masking patterns to protocol parsers, every contribution directly strengthens the security posture of every organization running Hoop.

Protocol supportAdvanced

Add new wire protocols. Cassandra, Redis, gRPC are on the roadmap.

Masking patternsBeginner

Contribute detection patterns for domain-specific data types.

Guardrail rulesIntermediate

Build and share guardrail rule templates for common scenarios.

Runbook templatesBeginner

Publish runbook templates for database operations, K8s, ops tasks.

IntegrationsIntermediate

Build plugins for notification systems, SIEMs, ticketing tools.

DocumentationBeginner

Improve guides, add examples, translate docs.

GET STARTED

From clone to first session in 10 minutes.

Clone the repo, deploy the gateway, connect your identity provider. The quickstart gets you to a working deployment faster than reading most vendor evaluation docs.

View on GitHub →Get started free →

$ git clone https://github.com/hoophq/hoop/hoop
$ cd hoop && make deploy
✓ Gateway deployed
✓ OIDC connected
✓ Policies applied
$ hoop connect postgres://prod-db
✓ Connected. Masking active. Session recorded.