What is Riptides?

Riptides is a workload security platform that gives every process in your infrastructure a cryptographic identity — and then uses that identity to enforce mTLS, control access between services, and deliver cloud credentials without storing secrets in code or config.

It works at the kernel level, so applications don’t need to be modified, instrumented, or rebuilt. A daemon runs on each node and loads policy into a kernel module that intercepts TCP connections, performs mutual TLS handshakes, and injects credentials into outbound requests — transparently.

Most infrastructure security relies on network perimeter controls (VPCs, security groups, firewalls) or application-managed secrets (API keys in environment variables, credentials in Vault with sidecar proxies). Both approaches have the same weakness: once a workload is running inside the perimeter, it is implicitly trusted regardless of what it actually is.

Riptides replaces perimeter trust with workload identity:

  • Who is this process? — the kernel module attests identity using process metadata (command name, Kubernetes labels, namespace, cgroup). Attestation happens below the application layer, so a compromised app cannot spoof its identity.
  • Is it allowed to talk to that service? — policy defined as Kubernetes custom resources controls which identities can connect to which services.
  • What credentials does it need? — credential bindings deliver short-lived, rotated cloud credentials (AWS, GCP, Vault) directly to the kernel, without the application ever seeing a long-lived secret.
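The three questions above can be read as a pipeline: derive an identity from facts the kernel observes about a process, then evaluate policy for that identity against the target service. The following Python model, added here as an illustration and not Riptides' own code or CRD schema, walks through that pipeline on constructed sample data. The dataclass shapes, the SPIFFE-style identity string, the trust-domain name and every process, label and service value are assumptions. The point it makes is that identity comes only from observed metadata, so a process that merely has the right command name in the wrong namespace gets no identity and is denied.

```python
"""Toy model of metadata-based workload attestation and identity-based
access control. Illustrative only; data shapes, ID format and all sample
values are assumptions, not the product's real schema or implementation."""
from dataclasses import dataclass, field
from typing import Optional

TRUST_DOMAIN = "example.org"  # assumed trust-domain name


@dataclass
class ProcessMetadata:
    """Facts the kernel can observe about a process; never supplied by the app."""
    comm: str        # command name
    namespace: str   # Kubernetes namespace
    labels: dict     # pod labels
    cgroup: str      # cgroup path


@dataclass
class WorkloadIdentity:
    """Selector mapping observed metadata to a named identity (assumed shape)."""
    name: str
    namespace: str
    match_labels: dict = field(default_factory=dict)
    match_comm: Optional[str] = None


@dataclass
class Service:
    """A target service and the identities allowed to connect (assumed shape)."""
    name: str
    allowed: frozenset


def attest(meta: ProcessMetadata, identities: list) -> Optional[str]:
    """Return the SPIFFE-style ID of the first identity whose selector matches,
    or None when no selector matches (no identity means no certificate)."""
    for wi in identities:
        if wi.namespace != meta.namespace:
            continue
        if wi.match_comm is not None and wi.match_comm != meta.comm:
            continue
        if all(meta.labels.get(k) == v for k, v in wi.match_labels.items()):
            return f"spiffe://{TRUST_DOMAIN}/ns/{wi.namespace}/wi/{wi.name}"
    return None


def authorize(identity: Optional[str], service: Service) -> bool:
    """Default deny: an unattested process or an unlisted identity is refused."""
    return identity is not None and identity in service.allowed


def decide(meta: ProcessMetadata, identities: list, service: Service):
    """Run attestation then policy; returns (verdict, identity) for auditing."""
    ident = attest(meta, identities)
    return ("allow" if authorize(ident, service) else "deny", ident)


# Constructed sample policy: two identities in the "payments" namespace and
# one service that only the payments API may reach.
IDENTITIES = [
    WorkloadIdentity("payments-api", "payments", {"app": "payments"}),
    WorkloadIdentity("batch-job", "payments", {"app": "batch"}, match_comm="python3"),
]
LEDGER_DB = Service(
    "ledger-db",
    frozenset({f"spiffe://{TRUST_DOMAIN}/ns/payments/wi/payments-api"}),
)

# Constructed sample processes as the kernel would observe them.
API_POD = ProcessMetadata("payments-api", "payments",
                          {"app": "payments", "tier": "web"}, "/kubepods/pod-a")
BATCH_POD = ProcessMetadata("python3", "payments", {"app": "batch"}, "/kubepods/pod-b")
IMPOSTOR = ProcessMetadata("payments-api", "default", {"app": "payments"}, "/kubepods/pod-c")

if __name__ == "__main__":
    for proc in (API_POD, BATCH_POD, IMPOSTOR):
        verdict, ident = decide(proc, IDENTITIES, LEDGER_DB)
        print(f"{proc.comm}@{proc.namespace}: {verdict} (identity={ident})")
```

Running the module prints one decision per sample process: the API pod is allowed, the batch job is attested but denied by policy, and the same-named process in the wrong namespace receives no identity at all.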
How Riptides compares with the alternatives:

                             Riptides   Service mesh (Istio/Linkerd)   Vault + sidecar
  Identity enforcement layer Kernel     Sidecar proxy                  Application
  App changes required       None       None                           Often
  mTLS                       Yes        Yes                            No
  Secretless credentials     Yes        No                             Partial
  Works on bare metal / VMs  Yes        Limited                        Yes

Riptides is not a replacement for a service mesh in all cases — if you need advanced traffic management (canary routing, retries, circuit breaking), a service mesh may be a better fit. Riptides is the right choice when you need strong workload identity, secretless credentials, or mTLS on bare metal and VM environments where sidecars are impractical.

Control plane — Hosted and operated by Riptides. You manage all resources (WorkloadIdentities, Services, CredentialSources) through it using kubectl and the Riptides CRDs. You don’t deploy or manage the control plane yourself.

Daemon — Runs on each node (as a Kubernetes DaemonSet or a systemd service on VMs). It watches the control plane for policy changes and loads them into the kernel module. The daemon handles certificate signing and credential delivery.

Kernel module — Loaded by the daemon on startup. It intercepts TCP connections at the socket level to enforce mTLS and inject credentials. No application changes needed.

  • Transparent mTLS — enforce mutual TLS between any two workloads without changing application code or deploying sidecars
  • Secretless cloud credentials — workloads call external APIs and cloud services without managing long-lived secrets; credentials are injected at the kernel level and rotated automatically
  • Secret manager integration — bind secrets from any secret store to workload identities without static tokens, sidecars, or application-side SDKs
  • Cross-cluster identity federation — workloads in different clusters, clouds, or on-premises environments trust each other’s identities via a shared trust domain
  • Zero-trust messaging and data planes — extend mTLS and identity-based access control to brokers, queues, databases, and other infrastructure components without modifying producers or consumers

Register for a free account to get started, or contact info@riptides.io for a production plan. Once you have your access details, head to the Getting Started guide.