Every connection authenticated by SPIFFE identity. Automatic mutual TLS at the kernel level — no code changes, no sidecars, no proxies.
The pen tester got a foothold on one workload and reached the database in three hops. The finding: "Lateral movement unrestricted within network segment. No mutual authentication between services." IP-based security gives you the illusion of segmentation without actual identity.
Two workloads on the same subnet look identical to a firewall. An attacker who compromises one inherits all of its network-level access.
Pod selectors and CIDR blocks don't prove who is connecting — they prove where traffic originates. When a pod moves, the policy may not follow.
Sidecar proxies provide mTLS, but they run in user space, and the redirect that steers traffic into them is a set of iptables rules. A misconfigured or excluded port lets traffic skip the sidecar entirely, and when the sidecar is bypassed or unavailable the workload can end up talking plaintext with nothing in the application to tell it so.
Most service-to-service communication uses one-way TLS at best. The server proves its identity; the client does not. Any process that can reach the endpoint is implicitly trusted.
Deploy the Riptides agent. Your workloads get identity automatically — no code changes, no config. Every connection is encrypted and mutually authenticated. Applications send plaintext; the network carries encrypted, authenticated traffic.
Install the agent and enable permissive mode. All existing traffic continues to flow while Riptides maps every connection by identity. No enforcement yet — just visibility.
When both sides have Riptides, connections are automatically encrypted and mutually authenticated. Applications send plaintext; the kernel handles the rest. No code changes, no certificate management.
Control which workloads can talk to each other using identity-based policies — not IP addresses. Only explicitly allowed identities can connect. Switch to enforce when ready.
Move from "network segmentation" to "SPIFFE identity on every connection." The pen tester's lateral movement path no longer exists.
Keys are generated and stored exclusively in kernel space. No user-space process, process memory dump, or user-space debugger can read them; the trust boundary is the kernel itself.
Connections without a matching policy are blocked before the application sees them. No implicit trust, no fallback to plaintext, no way to bypass from user space.
Start with PERMISSIVE mode — accepts both plaintext and mTLS. Monitor connection telemetry. Switch to MUTUAL to enforce. No cutover weekend.
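As an added worked example (not Riptides code and not the product's API), the following Python models the rollout described in the deployment steps above and in this PERMISSIVE-to-MUTUAL cutover: it validates SPIFFE IDs against the character rules of the SPIFFE-ID specification, evaluates an identity-based allow policy, and, over constructed telemetry lines, reports which flows observed in PERMISSIVE mode would be blocked once MUTUAL is enforced. The telemetry line format, the policy pattern syntax (an exact SPIFFE ID or a path prefix ending in `/*`), the `client=-` marker for an unauthenticated peer, and the exact mode semantics (PERMISSIVE allows everything, MUTUAL requires an authenticated peer plus an explicit rule) are all assumptions made for the example.

```python
"""Added example, not Riptides code: model the PERMISSIVE -> MUTUAL rollout.

Telemetry line format, policy pattern syntax and mode semantics are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Character rules from the SPIFFE-ID specification: trust domain is lowercase
# letters, digits, '.', '-', '_'; path segments also allow uppercase and may
# not be empty, '.' or '..'; the whole ID is at most 2048 bytes.
_TRUST_DOMAIN = re.compile(r"[a-z0-9._-]+")
_SEGMENT = re.compile(r"[A-Za-z0-9._-]+")


def parse_spiffe_id(value: str) -> tuple[str, str]:
    """Return (trust_domain, path); path is '' for a bare trust-domain ID."""
    if len(value) > 2048 or not value.startswith("spiffe://"):
        raise ValueError(f"not a SPIFFE ID: {value!r}")
    trust_domain, slash, path = value[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN.fullmatch(trust_domain):
        raise ValueError(f"bad trust domain in {value!r}")
    if slash:  # a trailing slash or an empty segment is rejected here
        segments = path.split("/")
        if any(s in ("", ".", "..") or not _SEGMENT.fullmatch(s) for s in segments):
            raise ValueError(f"bad path in {value!r}")
    return trust_domain, ("/" + path) if slash else ""


@dataclass(frozen=True)
class Rule:
    """Allow clients matching `client` to reach servers matching `server`.
    Pattern syntax (assumed): exact SPIFFE ID, or a prefix ending in '/*'."""
    client: str
    server: str


def _matches(pattern: str, spiffe_id: str) -> bool:
    if pattern.endswith("/*"):
        return spiffe_id.startswith(pattern[:-1])
    return pattern == spiffe_id


def policy_allows(rules: list[Rule], client_id: str, server_id: str) -> bool:
    return any(_matches(r.client, client_id) and _matches(r.server, server_id) for r in rules)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    server_id: str
    client_id: str | None  # None: peer presented no workload identity (plaintext)


_KV = re.compile(r"(\w+)=(\S+)")


def parse_telemetry(text: str) -> list[Flow]:
    """Parse 'key=value' telemetry lines (hypothetical format) into flows."""
    flows = []
    for line in text.strip().splitlines():
        kv = dict(_KV.findall(line))
        client = None if kv["client"] == "-" else kv["client"]
        parse_spiffe_id(kv["server"])  # reject malformed IDs early
        if client is not None:
            parse_spiffe_id(client)
        flows.append(Flow(kv["src"], kv["dst"], kv["server"], client))
    return flows


def decide(flow: Flow, mode: str, rules: list[Rule]) -> str:
    """Return 'allow' or a deny reason for the given enforcement mode."""
    if mode == "PERMISSIVE":  # visibility only: nothing is blocked
        return "allow"
    if mode != "MUTUAL":
        raise ValueError(f"unknown mode {mode!r}")
    if flow.client_id is None:
        return "deny:plaintext"  # no fallback to unauthenticated peers
    if not policy_allows(rules, flow.client_id, flow.server_id):
        return "deny:no-policy"  # authenticated, but not explicitly allowed
    return "allow"


def cutover_report(flows: list[Flow], rules: list[Rule]) -> list[tuple[Flow, str]]:
    """Flows seen in PERMISSIVE mode that MUTUAL would block, with the reason."""
    decisions = [(f, decide(f, "MUTUAL", rules)) for f in flows]
    return [(f, d) for f, d in decisions if d != "allow"]


RULES = [
    Rule("spiffe://prod.example/ns/frontend/*", "spiffe://prod.example/ns/backend/sa/api"),
    Rule("spiffe://prod.example/ns/backend/sa/api", "spiffe://prod.example/ns/data/sa/postgres"),
]

# Constructed telemetry, not real agent output. Line 3 is the pen tester's
# direct hop from a web pod to the database; line 4 is a legacy plaintext client.
SAMPLE_TELEMETRY = """
src=10.0.1.5 dst=10.0.2.9:8080 client=spiffe://prod.example/ns/frontend/sa/web server=spiffe://prod.example/ns/backend/sa/api
src=10.0.2.9 dst=10.0.3.4:5432 client=spiffe://prod.example/ns/backend/sa/api server=spiffe://prod.example/ns/data/sa/postgres
src=10.0.1.5 dst=10.0.3.4:5432 client=spiffe://prod.example/ns/frontend/sa/web server=spiffe://prod.example/ns/data/sa/postgres
src=10.0.9.1 dst=10.0.3.4:5432 client=- server=spiffe://prod.example/ns/data/sa/postgres
"""

if __name__ == "__main__":
    for flow, reason in cutover_report(parse_telemetry(SAMPLE_TELEMETRY), RULES):
        who = flow.client_id or "no identity"
        print(f"{flow.src} -> {flow.dst} ({who} -> {flow.server_id}): {reason}")
```

Run it as-is and it lists the two flows that would stop working at cutover: the web-to-database hop (authenticated but not allowed by any rule) and the unauthenticated legacy client (no identity at all). Fix the policy or the client before switching to MUTUAL, and the report comes back empty.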
Two workloads on the same subnet cannot communicate unless explicitly allowed by identity. Lateral movement after breach is contained to the compromised identity — not the network segment.
Database connections and Kafka/RabbitMQ traffic authenticated with mTLS. The database sees a verified identity on every connection — no passwords, no shared certificates.
When combined with identity federation, the same mTLS model extends across clusters, clouds, and organizational boundaries.
| | Network-Based Security | Riptides |
|---|---|---|
| Identity model | IP addresses, CIDR blocks | Cryptographic workload identity |
| Authentication | None (trust the network) | Mutual TLS on every connection |
| Lateral movement | Unrestricted within zone | Blocked unless explicitly allowed |
| Private key protection | Application manages keys | Keys in kernel memory only |
| Enforcement | Sidecar proxy (user-space, bypassable) | Kernel enforcement (no user-space bypass) |
| Code changes | Proxy config, iptables rules | None |
| Identity portability | Tied to IP / pod selector | Follows workload across infra |
| Audit posture | "We have network segmentation" | "Every connection is cryptographically authenticated" |
Kernel-level identity and enforcement. No code changes. Deploy in minutes.