Hoop is an access proxy designed to protect sensitive data by intercepting and sanitizing database queries and system commands before they reach production infrastructure. It sits between users and their databases, SSH servers, Kubernetes clusters, or other critical systems, automatically masking personally identifiable information (PII) like SSNs, credit cards, and phone numbers while blocking high-risk operations such as UPDATE or DELETE without a WHERE clause. Built in Go and deployed via Docker, Kubernetes, or AWS CloudFormation, Hoop enables teams to maintain productivity without compromising security—especially valuable for developers debugging production issues or accessing databases through unfamiliar tools. Its AI-powered context-aware masking ensures accurate redaction without false positives, making it ideal for compliance-driven environments like SOC2, HIPAA, and GDPR.
Unlike traditional access control tools that rely on static rules or regex patterns, Hoop uses machine learning to understand data context, recognizing sensitive information even in complex formats like ‘BUILD-555-1234’ versus actual phone numbers. This makes it uniquely suited for modern DevOps teams managing multi-tenant applications, cloud-native services, or distributed infrastructure where accidental data exposure through screenshots or logs can lead to costly breaches.
What You Get
- AI-Powered Data Masking - Automatically detects and masks sensitive data such as emails, SSNs, credit card numbers, and phone numbers using machine learning that understands context—not just regex patterns. Works across SQL, NoSQL, and text-based outputs.
- Dangerous Command Blocking - Prevents high-risk operations like UPDATE or DELETE without a WHERE clause, DROP TABLE, or other destructive queries in real time with configurable guardrails.
- Full Audit Trail - Logs every query, command, user, and timestamp for compliance and forensic analysis, supporting SOC2, HIPAA, and GDPR requirements.
- Just-in-Time Reviews - Enables real-time approval of risky commands via Slack or Microsoft Teams before execution, reducing human error without slowing down workflows.
- Multi-Database Support - Works with PostgreSQL, MySQL, MongoDB, SQL Server, and Redis without requiring changes to existing applications or clients.
- SSH & Kubernetes Integration - Secures access to Linux servers and containerized environments by proxying SSH sessions and Kubernetes commands with the same masking and blocking rules.
- Web & Native Client Support - Offers both a web-based interface and seamless integration with native database tools like psql, mysql, mongosh, or DBeaver without modifying client configurations.
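To make the Dangerous Command Blocking item concrete, here is a lexical guardrail check, written as an added example and not taken from Hoop's code base. The function name `CheckStatement`, the rule set, and the sample queries are assumptions made for illustration. It strips string literals and comments before looking for keywords, so a `where` inside a value or a comment does not satisfy the rule.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// noise matches string literals, quoted identifiers and comments; none of
// these may count as keywords (e.g. a 'where' inside a string value).
var noise = regexp.MustCompile(`(?s)'(?:[^']|'')*'|"[^"]*"|--[^\n]*|/\*.*?\*/`)

// wordRe extracts bare keywords and identifiers from upper-cased SQL.
var wordRe = regexp.MustCompile(`[A-Z_][A-Z0-9_]*`)

// CheckStatement (hypothetical name) returns the reason a guardrail would
// block the SQL text, or "" when every statement in it is allowed.
func CheckStatement(sql string) string {
	clean := strings.ToUpper(noise.ReplaceAllString(sql, " "))
	for _, stmt := range strings.Split(clean, ";") {
		words := wordRe.FindAllString(stmt, -1)
		if len(words) == 0 {
			continue
		}
		hasWhere := false
		for _, w := range words {
			hasWhere = hasWhere || w == "WHERE"
		}
		switch {
		case (words[0] == "UPDATE" || words[0] == "DELETE") && !hasWhere:
			return words[0] + " without WHERE"
		case words[0] == "DROP" && len(words) > 1 && words[1] == "TABLE":
			return "DROP TABLE"
		}
	}
	return ""
}

func main() {
	// Constructed sample queries, not captured traffic.
	for _, q := range []string{
		"DELETE FROM users WHERE id = 7",
		"UPDATE users SET note = 'see where clause'",
		"SELECT 1; delete from orders -- where id = 1",
		"DROP TABLE audit_log",
	} {
		fmt.Printf("%-48q -> %q\n", q, CheckStatement(q))
	}
}
```

A keyword scan like this misses statements that begin with a CTE and accepts a `WHERE` that belongs to a subquery, so a production guardrail should evaluate the parsed statement rather than its tokens.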
Common Use Cases
- Building a multi-tenant SaaS dashboard with real-time analytics - Developers can query user databases without risking exposure of PII in screenshots or shared logs, ensuring customer data privacy even during debugging.
- Creating a mobile-first e-commerce platform with 10k+ SKUs - Engineers accessing product databases via SSH or SQL clients are protected from accidental exposure of payment data, customer emails, and inventory details.
- Preventing an accidental screenshot of a production database from turning into a data breach, regulatory fine, and reputational damage - Hoop automatically masks all sensitive fields before output is rendered, even if the query is copied into Slack or email.
- DevOps teams managing microservices across multiple cloud providers - Centralized control over database and SSH access ensures consistent security policies regardless of whether the backend runs on AWS, GCP, or on-prem Kubernetes.
Under The Hood
Hoop is a multi-language system designed to provide secure, agent-based access control and proxying for databases, terminals, and cloud services. It integrates components built in Go, Rust, and Clojure to support a wide range of connectivity and security use cases.
Architecture
The system adopts a modular, layered architecture that clearly separates concerns across its various components.
- The codebase is structured into distinct modules such as agent, client, and web application, each with well-defined responsibilities
- Design patterns like strategy and middleware are applied in proxy and connection handling logic to enable extensibility
- Inter-component communication is managed through standardized APIs, gRPC, and HTTP clients with centralized configuration
- The architecture supports cross-platform operation with dedicated implementations for Unix and Windows systems
Tech Stack
The project leverages a diverse tech stack combining backend services in Go and Rust with a Clojure-based frontend.
- The core backend is built using Go and Rust, while the web UI is developed in Clojure with React and Tailwind CSS
- Key dependencies include system-level tools such as SSH, TLS, and database proxies, along with cloud-native integrations like AWS and Kubernetes
- Development workflows utilize Docker for containerization, Makefiles for build orchestration, and Shadow CLJS for ClojureScript
- Testing spans multiple languages with unit tests in Go and Rust, and Karma-based browser testing for the Clojure frontend
Code Quality
Code quality varies across the multi-language codebase, reflecting different development practices and maturity levels.
- Testing efforts are present but not consistently applied across all modules, with limited coverage in core components
- Error handling is implemented inconsistently across languages and files, leading to potential reliability gaps
- Code style and conventions differ between modules, with some areas showing clear patterns while others lack consistency
- Type annotations are present in key files, contributing to improved maintainability and clarity
What Makes It Unique
Hoop distinguishes itself through its innovative cross-language agent model and extensible proxy architecture.
- The system enables secure, multi-protocol access control by combining agents written in different languages for diverse environments
- Its proxy model supports a wide range of connection types including databases, terminals, and cloud services with extensible middleware
- The architecture allows for seamless integration of system-level tools and infrastructure components like EKS and SSH
- The combination of Go, Rust, and Clojure creates a unique blend that enables both performance and flexibility in access control