Heron is a passive network analyzer that reconstructs what your AI agents are actually doing. Zero SDKs. Zero proxy. Hook eBPF to see TLS-encrypted LLM calls and identify which agent process made them.
Hey PH! 👋 I'm sharing Heron today on behalf of the engineering team at Netis.
We built Heron because our team got tired of our AI agent loops looking like 200 OK in the logs while the actual agent was stuck replaying the same tool call for 47 seconds straight.
What Heron does: Heron is a passive analyzer that reconstructs what your AI agents are actually doing — from the network traffic itself. No SDK, no proxy, nothing in the request path. It captures LLM traffic (OpenAI, Anthropic, Gemini, vLLM, SGLang, Ollama…), parses the wire protocol, and stitches multi-call interactions into agent turns you can actually debug.
What's new in v0.7.0 (just shipped): 🌌 OpenTelemetry Native — We completely aligned our architecture with OTel standards. Agent turns are now traces, and LLM calls are now spans.
🔥 eBPF capture discoverability — hook SSL_read/SSL_write to see TLS-encrypted agent traffic as plaintext, with process attribution (which agent process made which call). No proxy, no TLS terminator.
📊 We discovered that ~73% of Claude Code's Opus turns in our production capture were hidden security-monitor sidecars — Heron now filters them automatically so you see real agent work, not housekeeping noise.
🧬 One-click SFT trajectory export — turn your production agent traffic into fine-tuning training data without re-running anything.
Built in Rust, ships as a single binary with the React console embedded. Apache-2.0. Would love your feedback!
eBPF for agent observability is such a smart call. Going passive means I don't have to wrap or instrument anything, which is honestly the part that always scares me about adding monitoring to a live product.
The eBPF SSL_read/SSL_write uprobe approach to read TLS-encrypted agent traffic as plaintext is the clever part here, since it sidesteps the SDK and proxy tax entirely. Before pointing it at production I'd want to know where the reconstructed plaintext (prompts/completions that can carry secrets or PII) actually lives, does it stay on the local host as part of the single binary, or get shipped off-box anywhere? And since uprobes hook a known libssl, how does it handle agents on statically-linked Go (crypto/tls) or Rust/rustls that never call SSL_read/SSL_write, silent miss or is there a fallback capture path?
Debugging AI agent behavior has been painful for our team because we're always working backward from logs after something breaks. The passive observability angle here is interesting — if it captures what's happening without requiring changes to the agent code, that removes a real barrier to adoption. Does Heron work with cloud-hosted agents or only local/on-prem setups?
The one-click SFT trajectory export is the part I didn't see coming. Turning production agent traffic into fine-tuning data without re-running anything is a genuinely useful shortcut, especially if you're running high-volume agent loops and want to improve model behavior from real usage. Does it have any mechanism to strip sensitive content from prompts before export, or is that left to the user?
Passive observability for agents is a serious missing layer. The useful question is not just what the agent answered, but what it touched, fetched, mutated, or failed to see before it answered.
The eBPF plaintext reconstruction is impressive. The flip side is you now hold a store of decrypted prompts and responses, which in production often carry PII, secrets, or customer data, plus a one click path to turn that into training data. How do you handle access control and redaction on the captured payloads, so the observability layer doesn't quietly become your most sensitive data store?
Seeing TLS encrypted LLM calls without proxies sounds impressive I'd to understand the technical boundaries and what information remains inaccessible due to encryption or process isolation.
If I've got a swarm of agent processes all calling out to the same LLM endpoint from one box, how do you disambiguate which process initiated which call at the eBPF layer, is it PID tracking through the syscall, or are you also correlating with something at the process tree level?
What's the performance impact of running Heron alongside a live agent in production?
About Heron on Product Hunt
“Wireshark for AI Agents: passive eBPF observability”
Heron launched on Product Hunt on June 25th, 2026 and earned 105 upvotes and 22 comments, placing #16 on the daily leaderboard. Heron is a passive network analyzer that reconstructs what your AI agents are actually doing. Zero SDKs. Zero proxy. Hook eBPF to see TLS-encrypted LLM calls and identify which agent process made them.
Heron was featured in Open Source (68.6k followers), Developer Tools (515.4k followers), Artificial Intelligence (473.1k followers) and GitHub (41.3k followers) on Product Hunt. Together, these topics include over 218k products, making this a competitive space to launch in.
Who hunted Heron ?
Heron was hunted by Vincent Wu. A “hunter” on Product Hunt is the community member who submits a product to the platform — uploading the images, the link, and tagging the makers behind it. Hunters typically write the first comment explaining why a product is worth attention, and their followers are notified the moment they post. Around 79% of featured launches on Product Hunt are self-hunted by their makers, but a well-known hunter still acts as a signal of quality to the rest of the community. See the full all-time top hunters leaderboard to discover who is shaping the Product Hunt ecosystem.
Want to see how Heron stacked up against nearby launches in real time? Check out the live launch dashboard for upvote speed charts, proximity comparisons, and more analytics.
Hey PH! 👋 I'm sharing Heron today on behalf of the engineering team at Netis.
We built Heron because our team got tired of our AI agent loops looking like 200 OK in the logs while the actual agent was stuck replaying the same tool call for 47 seconds straight.
What Heron does: Heron is a passive analyzer that reconstructs what your AI agents are actually doing — from the network traffic itself. No SDK, no proxy, nothing in the request path. It captures LLM traffic (OpenAI, Anthropic, Gemini, vLLM, SGLang, Ollama…), parses the wire protocol, and stitches multi-call interactions into agent turns you can actually debug.
What's new in v0.7.0 (just shipped): 🌌 OpenTelemetry Native — We completely aligned our architecture with OTel standards. Agent turns are now traces, and LLM calls are now spans.
🔥 eBPF capture discoverability — hook SSL_read/SSL_write to see TLS-encrypted agent traffic as plaintext, with process attribution (which agent process made which call). No proxy, no TLS terminator.
📊 We discovered that ~73% of Claude Code's Opus turns in our production capture were hidden security-monitor sidecars — Heron now filters them automatically so you see real agent work, not housekeeping noise.
🧬 One-click SFT trajectory export — turn your production agent traffic into fine-tuning training data without re-running anything.
Built in Rust, ships as a single binary with the React console embedded. Apache-2.0. Would love your feedback!
🦩 Try it: curl -fsSL https://raw.githubusercontent.com/Netis/heron/main/install.sh | sh ⭐ GitHub: https://github.com/Netis/heron