// Product / QHx Core

Workload trust for mixed mission infrastructure.

QHx Core installs into Kubernetes and gives workloads cryptographic identity, secure inter-workload communication, policy realization, and notarized evidence. It is the first operational surface for a model built to span containers, VMs, bare metal, and edge systems.

// What it is

The unit of trust is the workload, not the host.

QHx secures the relationships between workloads. It establishes who is running, where it is running, what flow is permitted, how traffic is protected, and what evidence should remain.

  • Workload identity: Every workload gets a SPIFFE-aligned identity at startup, rotated continuously, so a stolen credential cannot outlive the process that held it.
  • Transparent communication: QHx Proxy carries existing HTTP and TCP traffic through workload-bound tunnels, so applications stay applications.
  • Policy realization: Labels, flowspecs, and cluster policy turn into admission decisions and proxy configuration, not into hand-built sidecars.
  • Cryptographic modernization: Algorithm choice lives in policy, so a namespace can move to ML-DSA or hybrid ML-KEM without touching workload code.

Components

Each component has a narrow job.

The platform remains auditable because each component has a narrow role.

01 QHx Manager: Supervises QHx resources and realizes policy across the cluster.
02 QHx Agent: Runs on each node to provide local QHx services.
03 QHx PKI Server + Agent: Issue workload-bound credentials from node and workload evidence.
04 QHx Proxy: Secures application-layer traffic between workloads.
05 QHx Attestor: Verifies node evidence before identity is granted.
06 QHx Notary: Creates request evidence that can be verified offline.

// Production operations

What it actually takes to run this.

The architecture is one thing. Operating it under load, with rotation, recovery, and capacity planning intact, is another. QHx is built to be operated, not just deployed.

  • Continuous SVID rotation: Short-lived credentials rotate automatically before expiry. No application restarts. No manual intervention.
  • Coordinated CA rotation: Trust bundle updates and CA key rotation propagate through the Manager without service interruption.
  • Datastore as bottleneck: SVID issuance throughput is bounded by datastore write latency. PostgreSQL is the recommended production datastore for durability and horizontal read scaling.
  • Recovery posture: CA keys and registration entries must be backed up. Datastore loss without backup forces full re-attestation of every node and workload.
  • Operational signals: Issuance latency, rotation success rate, and attestation failure rate are the primary metrics, and they integrate with standard observability stacks.
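As an added illustration (not QHx code; the class and field names, the half-life renewal rule and the one-hour TTL are assumptions), here is a minimal model of the two invariants behind the rotation bullets above: a workload SVID is renewed well before it expires, so a copied credential stops verifying soon after the process that held it, and an old CA leaves the trust bundle only after every SVID it signed has expired.

```python
from dataclasses import dataclass, field
from collections import namedtuple

SVID_TTL = 3600   # seconds; constructed value for the model
ROTATE_AT = 0.5   # renew at half-life; assumed policy, not a QHx setting
Svid = namedtuple("Svid", "spiffe_id ca_id not_before not_after")  # ca_id: which CA signed it

@dataclass
class TrustBundle:
    active_ca: str
    cas: set = field(default_factory=set)            # CAs peers currently trust
    last_expiry: dict = field(default_factory=dict)  # ca_id -> latest not_after it signed

    def issue(self, spiffe_id, now):
        # issue a short-lived SVID from the active CA and remember how long it lives
        svid = Svid(spiffe_id, self.active_ca, now, now + SVID_TTL)
        self.cas.add(self.active_ca)
        self.last_expiry[self.active_ca] = max(self.last_expiry.get(self.active_ca, 0), svid.not_after)
        return svid
    def needs_rotation(self, svid, now):
        # agent-side: renew once half the lifetime has elapsed, well before expiry
        return now >= svid.not_before + int((svid.not_after - svid.not_before) * ROTATE_AT)
    def verify(self, svid, now):
        # peer-side: issuing CA must be in the bundle and the SVID within its validity window
        return svid.ca_id in self.cas and svid.not_before <= now < svid.not_after
    def rotate_ca(self, new_ca):
        # CA rotation step 1: publish the new CA while the old one stays trusted
        self.cas.add(new_ca)
        self.active_ca = new_ca
    def retire_ca(self, ca_id, now):
        # CA rotation step 2: drop the old CA only once every SVID it signed has expired
        if ca_id == self.active_ca or now < self.last_expiry.get(ca_id, 0):
            return False
        self.cas.discard(ca_id)
        return True

def scenario():
    # one workload through renewal, a CA rotation, and a premature retirement attempt
    b = TrustBundle(active_ca="ca-1")
    s1 = b.issue("spiffe://example.org/ns/payments/sa/api", now=0)   # constructed ID
    s2 = b.issue(s1.spiffe_id, 1800) if b.needs_rotation(s1, 1800) else s1
    b.rotate_ca("ca-2")
    s3 = b.issue(s1.spiffe_id, 3600)                         # first SVID from the new CA
    both_valid = b.verify(s2, 3700) and b.verify(s3, 3700)   # old and new CA overlap
    early = b.retire_ca("ca-1", 3700)     # refused: s2 is valid until 5400
    late = b.retire_ca("ca-1", 5400)      # allowed: nothing from ca-1 can still verify
    leaked_dead = not b.verify(s1, 3700)  # a copy of s1 taken earlier is now useless
    return both_valid, early, late, leaked_dead
```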