hoop.dev @hoopdotdev

An error in access philosophy has not only slowed down engineering teams for years, but actually created greater risk. Teams that barricade production environments may check the box architecturally, but when the secure path costs five steps and the workaround costs one, engineers will always pick the workaround. Nobody wants to bypass controls, but peope have deadlines and it's usually security that's in the way. The key insight is to make the secure path faster and easier than the workaround. When access is passwordless and security is applied invisibly, in the path of execution, the secure path becomes the default choice. We shipped the hoop.dev tunnel so the secure path would be the one engineers pick without thinking. Native tools, no credential to paste, and identity attributed through the IdP. The log will stop showing shared accounts the day the friction disappears. See the PR or ⭐️ the repo: github.com/hoophq/hoop

Andrios Robert: security is non‑negotiable for many organizations. Less-regulated businesses might get away with weaker posture, but healthcare, public companies and firms handling PII must secure data or risk going out of business. Regulation keeps expanding — emails, SSNs, addresses now require protection #Security #CyberSecurity #HoopDev #Compliance #PII #DevSecOps .

This is right, credential choice is a provisioning decision. But most of the real failures happen at runtime, after the agent is in. Identity federation ties each query back to the human who prompted it, and the masking, guardrails, and intent checks run on every query no matter which credential is behind them. Enforcement applies while the query runs, not just when the agent connects. That's what makes it safe to run in production, not just in a demo.

Most "AI security" posts tell you not to connect agents to your data. This is how you do it without getting rolled back next quarter. How to Connect Your AI Agents to BigQuery hoop.dev/blog/how-to-co…

Nobody copies a prod database credential into an env var just because they're careless. They do it because the secure path means process friction and missed deadlines. But when the workaround becomes the primary access path, the audit log is a useless record of shared service accounts and unattributable actions. We built hoop.dev so the secure path would be the one engineers pick on their own: - Access is self-service and frictionless - Engineers continue using the tooling they already use - Raw credentials are never seen, used, or accessed - The session is bound to a real identity through SSO via your IdP. Pave the secure path, and nobody goes off-road. Read all about it here 👇 hoop.dev/blog/secure-da…

Our AI agents are out of control. A security lead at a leading payments platform said that to us, word for word. The agent didn't hallucinate or break. It acted within its allowed limits. No one noticed a problem until it chose to use its wide permissions. The log told him what the agent did. But it only lands after the row was pulled from the database, after the model read the SSN. Accurate, and retroactive. True control means being able to enforce policy after the agent takes action but before the request lands. That's runtime enforcement. By enforcing policy on traffic instead of inputs, you can calibrate response to risk. For example, a quick read on unregulated data goes through easily. A write to production is reviewed by an agent. Then, it gets sent to a human. Every access event is logged. Risk doesn't live in request, it lives in the runtime. What actually happens. Getting control over your agents means governing what they do, not just what you give them access to. You don't make an agent safe by giving it less to do. You make it safe by controlling what lands. hoop.dev/blog/every-mcp…

Your audit log has two kinds of entries. The ones tied to a real person, and the ones tied to a service account that fifteen people share. When auditors ask who ran the migration, you can answer the first kind in seconds. The second kind takes a week, a Slack thread, and a best guess. As AI coding agents move into production, every agent action lands in the second column by default. Today we ship MCP OAuth. Hoop's MCP endpoint speaks OAuth 2.1 with any compliant identity provider, so the AI agent authenticates through the same Okta, Auth0, Entra ID, or Google Workspace your humans use. Every command the agent runs is tied to the human user it is working for. Same group memberships. Same access scopes. Same revocation flow. This closes the loop on yesterday's user MCP launch. The agent runs as the human. The human is governed by your IdP. Now the agent is too. Same auth as your humans. Now extended to AI.

How Can AI agents Securely Authenticate to MCP servers? We just shipped a simple solution to persistent credentials, complex IAM policy, and unauditable access patterns. hoop.dev/blog/how-ai-ag…

There are two ways to run AI coding agents in production. 1. Give the agent a service account with broad access. The agent runs, but nothing in the audit log says who asked for what. 2. The agent runs as the human user who started the session. Same permissions. Same policies. Same approval gates. The audit log shows the person, with the agent attributed. Option two shipped today. Hoop's user MCP server. Open source. MIT. Free for small teams. Read More: hoop.dev/blog/how-ai-co…

Most MCP servers running in production today are unsupervised proxies. The agent shows up with a token. The server forwards what the agent asks for. The audit log, if there is one, lives in the agent's runtime , not yours. Treat MCP like any other wire protocol and the problem disappears. The agent connects through your policy engine, authenticated as a proxied identity. Every action evaluated against the same rules you already wrote for SSH, kubectl, psql. Approvals fire. Sessions recorded. One audit log. What we shipped is an MCP gateway with the same enforcement primitives we ship for every other transport. There's nothing separated out AI-specific in the policy engine. There doesn't need to be. The interesting question for 2026 isn't whether you adopt MCP. It's whether your MCP traffic shows up in the same audit trail as everything else. Repo: github.com/hoophq/hoop Write up: hoop.dev/blog/ai-agents…

AI infrastructure tooling is converging on the wrong architecture. Every MCP gateway, every agent IAM, every "AI security" platform is selling a separate set of rules for agents. New identities, new policies, and a new audit log that doesn't match your real one. But agents aren't entirely a new kind of user. They're a new way for users you already manage to reach your systems. The question isn't how to secure agents. That's the vendor's question. The real question is where the agent connects in. Connect it at your API edge (what every MCP server does today) and you've built a second governance system. Writes go to a different log. Your approval workflows don't fire. The DROP TABLE you'd block from a human goes through from the agent. Connect it through your policy engine and the agent inherits everything. Same audit log. Same approvals. Same RBAC, ABAC, break-glass. The transport is new. The governance should not be. "AI security" is going to fold into infrastructure access within 18 months. Teams that built it that way keep their compliance posture and their pace. Everyone else spends next year tearing out a parallel system they didn't need.

There's nothing wrong with using AI Agents in production workloads. It's the present and the future. The only mistake is relying on the model-side guardrails, which are like strongly worded suggestions to an LLM. If you're deciding on the feasibility of production AI use, you shouldn't be deterred by this incident, just make sure you have server-side, deterministic guardrails that extend into live access. We can help.

JER @lifeof_jer

2 months ago

x.com/i/article/2048…

1K 1K 5K 7.2M 6K

Startup Engineer: 50% Time → Manual PCI Work Engineer at billion-dollar startup wasted half his time on manual security. hoop.dev fixes this. #PlatformEngineer #ManualWork #hoopdev #PCICompliance #Fintech #StartupEngineer

hoop.dev: The Claude Code Gateway Today, on product hunt, we launched the Claude Code Gateway. When Claude Code makes API call it makes carries the same permissions as the developer who is running it. No approval step, no audit trail, no masking on what comes back. We built an HTTP reverse proxy that sits at the protocol layer between Claude Code and your infrastructure. Every call gets: - RBAC enforcement - JIT approval workflows - Command-level logging - Real-time PII redaction Ant that's before it touches a database, server, or cluster. Support our launch! producthunt.com/products/hoop-…

Google Docs Security for Production = Happy Devs No access requests killing flow state. hoop.dev = invisible security confidence like Google Docs. Devs work faster, happier. #DeveloperFlow #InvisibleSecurity #hoopdev #DevOps #FlowState #SecureLikeGoogle

Secure Access Must Be User-Friendly to Work Unfriendly security = devs bypass controls. hoop.dev gives autonomy + frees platform teams from 50% copy-paste waste. #UserFriendlySecurity #DeveloperAutonomy #hoopdev #DevOps #PlatformEngineering #SecurityPosture

Invisible Proxy: Deploy Security to 1000+ Devs in 2 Weeks No interface changes, no training. One toggle → server-side proxy protects. Velocity preserved. #InvisibleProxy #DeveloperInterface #hoopdev #DevOps #NoTraining #DeploymentSpeed

81% Better Developer Retention = Huge Cost Savings Happy devs stay. 81% retention boost with tools they actually want. Save HR/training costs, keep experienced talent. #DeveloperRetention #DeveloperHappiness #hoopdev #EngineeringRetention #DX #TalentRetention

Security Slows Delivery? DevSecOps Principles That Fix It Security = self-defeating friction. Webinar reveals principles + market data for secure systems that speed delivery. #DevSecOps #SecureCode #hoopdev #SoftwareDelivery #DeveloperAutonomy #SecurityFriction

Security Tools Slow Devs? hoop.dev Invisible Proxy = Instant Speed Security compliance without dev friction. SSO auto-injects, same IDEs, 1000+ devs deployed in 2 weeks. Zero training needed. #SecurityTools #DeveloperSpeed #hoopdev #InvisibleProxy #DevOps #DeveloperVelocity