What We're Working On

Every SPIFFE ID, certificate, and mTLS handshake at Riptides originates in the Linux kernel and begins with a single question: can we prove who this workload really is? This post explores how process-level evidence becomes the foundation of verifiable trust across the system.

Most zero trust ends at the perimeter; ours begins at the kernel. Riptides brings attestation, cryptographic SPIFFE-based identity, and policy enforcement directly from the Linux kernel, eliminating implicit trust from the inside out. We verify workloads, not just connections, enforcing identity and policy the moment they come alive.

At Riptides, we issue identities directly to workloads in the kernel and use OPA policies to secure and orchestrate their communication. These policies govern socket connections in real time, allowing us to enforce fine-grained, identity-aware decisions at the moment workloads talk to each other. We pioneered running OPA-compiled WASM in the kernel itself - a novel but unsustainable approach that we ultimately replaced with a more pragmatic user-space design.

Managing short-lived cloud credentials across AWS, GCP, Azure, and OCI is messy. Every provider has its own exchange flow, refresh logic, and config sprawl. We built and released tokenex, an open source Go library that gives you a single, consistent API to fetch & refresh short-lived credentials across clouds.

Static secrets are a liability and credentials are breached every day. With SPIFFE as the foundation, workload identity without stored secrets delivers cryptographic, ephemeral trust for the post-credential era. Riptides takes this further with kernel-native enforcement, making identity automatic, process-bound, and truly seamless.

Let us to demonstrate how Riptides eliminates the need for static credentials on Google Cloud by leveraging SPIFFE-based workload identities, kernel-level enforcement, and identity federation into GCP’s Workload Identity Federation. Using a demo AI chat assistant that combines Google Vertex AI and the Geocoding API, it shows how credentials can be provided dynamically at runtime - either as ephemeral credential files or injected directly into outbound requests - without ever storing service account keys. The approach enables short‑lived, automatically rotated tokens tied to verifiable workload subjects, reducing credential sprawl, strengthening zero-trust security, and ensuring fine‑grained auditability.

Static secrets are a supply-chain’s Achilles’ heel. Shai-Halud exploits this by harvesting and validating tokens from repos, CI, and developer machines; Riptides turns the tables by moving identity off disk and injecting credentials on-the-wire, making stolen files useless.

OAuth2 is evolving beyond human consent into a universal model for secure workload identity. Learn how SPIFFE and emerging OAuth2 standards form the foundation for safe, auditable agentic AI.

In this blog post, we take a closer look at the cryptography that powers Riptides, the non-human identity fabric for workloads and AI agents. We break down the fundamentals of symmetric and asymmetric cryptography, explain how key exchange and digital signatures work, and compare RSA with Elliptic Curve Cryptography (ECC). To ground theory in practice, we share performance benchmarks demonstrating how ECC delivers faster handshakes and stronger security, making it the natural choice for Riptides.

Riptides brings secretless, on-the-wire credential injection to non-human clients. Instead of storing long-lived credentials, workloads receive short-lived credentials dynamically and transparently at runtime, they are injected and automatically refreshed. In this post, we demonstrate the approach using Amazon’s Product Agent Review app on Bedrock — but the same pattern applies across any cloud or service provider, reducing risk and simplifying non-human identity management.

We’ve released libsigv4, a lightweight and portable C implementation of AWS SigV4 signatures, built for kernel-based and embedded environments. It requires zero allocations, supports pluggable crypto backends, and depends on minimal system headers. Designed to integrate seamlessly with your own HTTP parsing, it’s an ideal fit for constrained platforms that need to communicate securely with AWS.

Debugging kernel-space memory bugs is one of the most challenging tasks in systems programming. Fortunately, the Linux kernel comes with a rich toolbox of debugging features that can detect memory errors, race conditions, and invalid accesses - long before they cause a crash.

Cloud-native federation isn’t enough for secure, per-workload identity. AWS, GCP, and Azure support external IDPs, but today’s federation approaches fail to meet the needs of modern, large-scale non-human identities. They lack isolation, granularity, and still depend on brittle credential management. In this post, we explain why that's a problem and how Riptides solves it with zero secrets, SPIFFE-based identity, real-time credential issuance, and multicloud support. No code changes. No shared secrets. Just secure, automatic identity for every workload.

Deep dive into how we turn low-level kernel signals to trust, using Linux kernel telemetry to secure non-human identities with real-time, behavioral context.

Even in a service mesh, mTLS can't protect you if any process can hijack your identity. See how attackers can exploit this gap and how to close it. We believe that real zero trust starts inside the kernel.

Managing driver builds for every major Linux distribution, kernel version, and architecture can be challengeing.

The ToolShell SharePoint 0-day shows how easily attackers move laterally once inside - even without escalated privileges. Riptides stops this by enforcing per-process mTLS, posture checks, SPIFFE-based identity, and fine-grained policy controls, effectively blocking unauthorized communication and dramatically reducing the risk of lateral movement.

This blog post illustrates how to build a complete end-to-end telemetry pipeline—from kernel space to Prometheus, using Linux tracepoints, eBPF, and OpenTelemetry (OTEL). We start with a custom kernel module that emits tracepoint events, then stream those events to user space using an eBPF ring buffer. Finally, we transform the raw events into structured Prometheus metrics with OTEL. The post includes a working open-source example and highlights practical debugging techniques using ftrace. This post builds on our ongoing Riptides telemetry series.

From x.AI to Docker Hub, API keys keep leaking. Static secrets are a ticking time bomb in today’s dynamic cloud world. Discover how kernel-native identity can eliminate this risk for good.

Today’s workload identity systems are overengineered, inefficient, and fundamentally misplaced. Relying on userspace constructs like sidecars and proxies have worked at smaller scale — but they break under modern infrastructure demands. Worse, they detach identity from the actual workload, assigning it instead to a neighboring process. That’s not just a design flaw — it’s a security risk, opening the door to lateral movement, identity confusion, and broken trust boundaries. It's time to decouple security from proxies and issue identity at the source: the Linux kernel.

Learn how to securely manage and federate non-human identities across AWS, GCP, and Azure using external OIDC-compliant identity providers. This post explains why traditional static credentials fall short, explores the benefits of federated ID tokens, and provides practical guidance on establishing trust and seamless multi-cloud access for modern cloud-native workloads.

Agentic workload security is becoming increasingly important in today’s AI-driven world. This post explores how Riptides secures communication between agents and MCP servers using kernel-level mTLS, SPIFFE-based identity, and zero-trust policies—protecting against token leaks, impersonation, and other risks without requiring changes to application code.

X.509 certificates remain a core building block for establishing trust between services, even in today’s dynamic, machine-driven environments. This post explains how X.509 works, where it falls short, and how modern frameworks like SPIFFE make it practical for non-human identity at scale.

MCP (Model Context Protocol) is quickly becoming a foundational standard for enabling tool-augmented LLMs to interact with external systems. As the agentic ecosystem matures, so does the need for robust security, trust boundaries, and scalable identity. At Riptides, we’re focused on securing this new wave of agent driven interaction, especially where untrusted tools and dynamic decision making collide.

Insights from Identiverse 2025: why workload identity, SPIFFE, and in-kernel enforcement are key to securing modern infrastructure, without compromising operational efficiency.

Why settle for surface-level metrics? At Riptides, we’re pushing kernel telemetry to the next-level high-performance, with enrichment and correlation alongside user space data.

At Riptides, we believe that the future of secure, scalable computing starts in the kernel. By moving critical identity management and mutual TLS (mTLS) operations into the Linux kernel, we eliminate the need for disparate authentication mechanisms in user space.

We're excited to join the identity community this June to showcase how we’re rethinking non-human identity from the ground up.

In our previous post, we’ve explored how to define tracepoints inside the kernel to gain deep visibility into system behavior. But tracing is only half the challenge—getting that data to user-space efficiently is the real test. In this post, we dive into the mechanics of streaming kernel events using eBPF and ring buffers, why we chose this path over character devices or netlink, and how we're building a high-performance telemetry pipeline that’s both modular and safe.

AI agents are autonomous, but their security shouldn’t be an afterthought. This blog explores how SPIFFE provides strong identity for agents, why today’s authentication patterns fall short, and how Riptides delivers secure, automatic, kernel-level credentials that developers never need to manage.

We can all agree that in today’s modern infrastructure, the significance of non-human identities has grown dramatically. Automatically provisioning identities for services has become a critical responsibility for security and infrastructure teams.

As modern infrastructure becomes more dynamic and distributed, securing service-to-service communication requires moving beyond static credentials to cryptographically verifiable workload identities using standards like SPIFFE and x509 certificates.

Reinventing Non-Human Identities with Kernel TLS: How Riptides is Shaping the Future of Secure, Dynamic Applications

The Riptides Platform is a comprehensive solution for securing workload-to-workload communication, built on a foundation of identity.

In modern digital infrastructure, non-human identities have exploded in both number and significance. But what is even a non-human identity?