About Heron
Heron is a passive network analyzer. It reconstructs AI agent actions directly from network traffic without SDKs or proxies. The tool uses eBPF to capture TLS-encrypted LLM calls, attributing them to specific agent processes. Built in Rust, it ships as a single binary.
Review
Debugging AI agent loops often requires parsing vague logs to find stuck processes. Heron approaches this by capturing wire protocols and stitching multi-call interactions into debuggable agent turns. This review examines its current capabilities and operational boundaries.
Key Features
- eBPF capture discoverability: Hooks SSL_read and SSL_write to view TLS-encrypted agent traffic as plaintext with process attribution.
- OpenTelemetry Native architecture: Maps agent turns to traces and LLM calls to spans.
- Sidecar filtering: Automatically excludes security-monitor sidecars from trace data.
- One-click SFT trajectory export: Converts captured production agent traffic into fine-tuning training data.
Pricing and Value
Heron is released under the Apache-2.0 license and is open-source. There are no paid tiers or hosted telemetry paths mentioned in the current documentation. Users run the single binary on their own infrastructure, storing data locally in an embedded DuckDB file or a configured ClickHouse backend.
Pros
- Captures LLM traffic for multiple providers without modifying the request path.
- Attributes network calls to specific process IDs using eBPF.
- Stores reconstructed data locally by default, avoiding external cloud telemetry transfers.
Cons
- Lacks native support for agents using Go crypto/tls or Rust rustls, requiring traffic to be captured after TLS termination for those runtimes.
- Requires manual review of Supervised Fine-Tuning trajectory exports, as automatic PII and secret redaction remains on the product roadmap.
- Not well suited for teams running fully managed third-party SaaS agents where they lack access to the underlying host, network path, or TLS boundary.
Heron fits engineering teams managing their own cloud infrastructure who need to debug agent loops. It requires operators comfortable with Linux eBPF and self-hosted observability stacks. Opaque managed SaaS platforms require alternative logging solutions.
Open 'Heron' Website
Your membership also unlocks:








