Get This Tool
Hezo
Summary
Give an AI agent your API keys and it will eventually use them somewhere you didn't intend — that's the failure mode Hezo is built around.
Hezo runs a hierarchy of agents — CEO, Coach, Captain, workers — each isolated in its own Docker container, with your secrets never passed directly into agent context. Instead, an egress proxy swaps placeholders for real credentials only when the destination host matches an allowed list, and every substitution lands in an append-only audit log. The Coach agent reviews completed work and writes learned rules back onto workers, so repeated mistakes get corrected without you editing prompts by hand. The ceiling appears when you need agents to hit destinations outside the allowed-host list, or when your workflow requires branching logic the org-chart model doesn't express — at that point you're editing configuration that the docs describe but don't walk you through in depth.
Bottom line: Pick this when your team needs self-hosted agent execution with hard budget caps and secret isolation; plan a different architecture when your workflows require dynamic egress to arbitrary hosts or complex conditional branching the fixed org-chart cannot accommodate.
Community Performance Report Card
No community ratings yet. Be the first to rate this tool!
Community Benchmarks Community
Sign in to submit a benchmarkNo community benchmarks yet. Be the first to share a real-world data point.
Pros
Sign in to edit- Secrets never enter agent context — an egress proxy holds and substitutes credentials per allowed host — so a compromised or misbehaving agent cannot exfiltrate your API keys.
- Hard budget caps at the per-agent and per-project level, so a runaway agent stops spending at a threshold you set rather than draining your provider balance overnight.
- The Coach agent writes learned rules back onto workers after each completed ticket, which means repeated errors self-correct without you manually editing prompts between runs.
- Each project runs in its own Docker container with all traffic forced through the proxy, so a bad run's damage is contained to one box and doesn't touch other projects or the host.
- Provider-agnostic model assignment down to the individual agent, so you can route expensive tasks to a capable model and routine tasks to a cheaper one without restructuring the workflow.
Cons
Sign in to edit- The egress proxy blocks requests to any host not on your allowed list — which is the security guarantee — but if an agent's task requires hitting an API you haven't pre-registered, the request fails silently from the agent's perspective, and you're editing proxy configuration to unblock it rather than continuing the work.
- The org chart is fixed at four tiers: CEO, Coach, Captain, workers. Workflows that need dynamic role creation, peer-to-peer agent coordination outside the hierarchy, or branching logic based on what a prior step returned don't map cleanly to this model — teams with those requirements move to a framework that exposes a programmable graph, such as LangGraph or a custom orchestration layer.
- The docs describe configuration but community reports suggest limited depth on edge cases — teams standing this up in a production environment with non-standard network topologies or custom secret backends are largely on their own until the community around the project matures.
Community Reviews
Sign in to write a reviewNo reviews yet. Be the first to share your experience.
About
- Platforms
- Self-hosted (Docker, binary)
- API Available
- Yes
- Self-Hosted
- Yes
- Last Updated
- 2026-06-25T18:24:19.707Z
Best For
Who it's for
- Users wanting full control over AI agent infrastructure
- Teams needing budget controls and audit logs
- Self-hosted environments without cloud dependency
What it does well
- Market research teams
- Competitor analysis projects
- Autonomous task execution with approvals
- Self-improving agent workflows
Integrations
Discussion Community
Sign in to commentNo discussion yet. Sign in to start the conversation.
Compare Hezo
Spotted incorrect or missing data? Join our community of contributors.
Sign Up to ContributeCommunity Notes & Tips Community
Sign in to contributeBe the first to contribute. General notes, observations, gotchas, and tips from people who use this tool day-to-day.
Frequently Asked Questions
- Is Hezo free?
- Yes — Hezo is fully free to use. There is no paid tier.
- Is Hezo open source?
- Yes. Hezo is open source.
- Does Hezo have an API?
- Yes. Hezo exposes a developer API. See the official documentation at https://hezo.ai for details.
- Can I self-host Hezo?
- Yes. Hezo supports self-hosting on your own infrastructure.
- What platforms does Hezo support?
- Hezo is available on: Self-hosted (Docker, binary).
Hours Saved & ROI Stories Community
Sign in to contributeBe the first to contribute. Concrete time/cost savings, with context. e.g. "Cut my code review backlog from 4h to 45m per week."
Curated lists that include this category
Most self-hosted agent frameworks hand you a blank canvas and leave secrets management as an exercise for the reader. Hezo ships as a single binary — installed via curl — and provisions a structured org chart: a CEO agent that scopes projects, a Coach that reviews completed work, Captains that coordinate, and workers that execute. You describe the work to the CEO in plain conversation, it provisions a team in isolated Docker containers, and agents execute on a heartbeat schedule, pausing at budget thresholds and surfacing sensitive actions for your approval before proceeding.
The security architecture is the differentiating feature. Agents see only placeholder tokens in their context — `__HEZO_SECRET_STRIPE__` instead of the real key. An egress proxy intercepts outbound requests and substitutes the real credential only when the destination host matches an allowed list; any other destination is blocked. Keys are encrypted at rest with AES-256-GCM behind a master key that lives in memory only. Git commits are signed host-side with your project key. The vendor states the system cannot unlock itself without you present — which matters if your threat model includes a compromised agent trying to exfiltrate credentials.
Hezo fits teams that need budget-controlled, auditable agent execution on their own infrastructure without building the security layer themselves — market research pipelines, competitor analysis runs, or any recurring task where you want agents working autonomously but need a clear record of what they touched and what they spent. The org-chart model is fixed: CEO, Coach, Captain, workers. Teams whose workflows require dynamic role creation or multi-step conditional branching that doesn’t map to this hierarchy will find the model constraining before the work is done.
The tool supports Anthropic, OpenAI, Google, Kimi, DeepSeek, Z.ai, and OpenRouter as model providers, with per-agent model assignment — so you can run a cheap model on the worker doing first-pass research and a capable model on the CEO coordinating the project. Budget caps can be set daily, weekly, or monthly, per agent and per project; agents pause when a window is exhausted rather than running over.
