We build security.
We do not lie.

It started with a weekend

Our tech teams were tired of slow VPNs. We picked a "Zero Trust" SaaS. We just wanted our LDAP security groups — the same ones running across all our Kerberized environments — to drive the access policies. Their connector couldn't speak LDAP, so we built an OIDC bridge.

It worked. It also meant our internal traffic, our private DNS, and our TLS all flowed through someone else's infrastructure — giving the vendor broader access to our network than we were willing to accept.

"Zero Trust" — as long as you fully trust them.

We ripped it out. Security and network access should be sovereign.

The bridge became a proxy. The proxy needed auth — so we built an identity provider. The identity provider needed certificates — so we built a CA. The CA needed distribution — so we built a cluster. Then came the SSH bastion, the WAF, SPIFFE-based workload identity, threshold signing and a threshold CA — the key never exists on any single node, query-level SQL access control, and a control plane with X3DH forward secrecy and hybrid ML-KEM post-quantum key exchange. All of it running cloud-native on one of our Kubernetes clusters.

Since we're here — what if?

That weekend never ended.

The same mess everywhere

A reverse proxy from one vendor. A bastion from another. An identity provider from a third. A certificate authority from a fourth. A WAF bolted on top. And another vendor just to glue some of them together. Six vendors, six consoles, six places where a user exists — and six gaps between them where nobody is really looking.

A user gets disabled in the directory. The proxy doesn't know yet. The bastion still has an active session. The VPN hasn't synced. That window is the breach.

We stopped trying to glue them together.

One identity, everywhere

The identity provider is the proxy is the bastion is the CA. One process, one user directory, one policy engine.

Underneath, a distributed control plane — Cluster RPC over NATS/JetStream, X3DH forward secrecy, AES-256-GCM — keeps every node in sync. Every change propagates cluster-wide within seconds.

Disable a user once — every HTTP session, every SSH connection, every VPN tunnel, every SQL session terminates. Cluster-wide. Not because we poll. Because every node already knows.

By operators, for operators

We've been paged at 3 AM to debug a certificate chain across three vendors while someone asks "is it the proxy or the IdP?" We built the product that makes that question impossible.

Config as code — TOML, CRDs, or Terraform. Administration via MCP and CLI — Hexon exposes an MCP server, any compatible AI tool works natively. Because when we run infrastructure we don't want more UI to learn — we need our terminal back.

Trust as architecture

In the cluster, no single node holds a signing key. In the company, no single person holds all the answers. We built both the same way — distribute trust, verify everything, assume any part can fail.

We hold ourselves to the same standard we hold our software and our infrastructure. Transparency is the default. Dishonesty is the one thing we don't tolerate — not in our systems, not in our team. If you build security, you have to live it first.

Barcelona

Hexon is headquartered in Barcelona. The team is distributed — same architecture we build. Multiple regions, one identity, quorum-based decisions.

We operate in alignment with B Corp principles — because building security infrastructure carries responsibility. The same transparency we demand from our systems, we apply to how we operate as a company.