Heron
Passive eBPF observability for AI agents, no SDKs or proxies needed.
What it does
Heron is a passive network analyzer that reconstructs what AI agents are actually doing by watching LLM traffic on the wire. It uses eBPF to capture TLS-encrypted LLM calls and identifies which agent process made them. No SDKs, no proxy, no sidecar — Heron sits off the request path and assembles multi-step agent turns (tool calls, planner loops, etc.) from raw bytes.
Who it is for
Heron is for developers and ops teams running AI agents in production — especially those using Claude Code, OpenAI Codex, Hermes, OpenClaw, or custom agents. It helps debug issues like stalled tool calls, planner loops, and unexpected model substitutions that standard logs miss.
Why it matters
Agent code that looks fine on paper often fails in production. Logs show 200 OK but runs take 9 seconds with retries. Heron provides a single passive evidence chain that can't break the call when the observer fails, and it assembles the agent narrative — tool call → tool result → planner → next tool — into addressable turns. It gives ops teams eight metrics (TTFT, E2E latency, TPOT, call rate, token throughput, active calls, error rate, cache hit ratio) aggregated per model and route.
Launch signal
Heron is open source (Apache-2.0) and available on GitHub. The website includes a quickstart that lets users replay a .pcap file in 30 seconds with no live capture or privileges. The project is built in Rust on Tokio and Axum, with a React console served on localhost:3000.
Brand and naming
The name "Heron" evokes a bird that watches patiently from the water's edge — fitting for a passive observer that sits on the network wire. The tagline "Agent observability from the network wire" clearly positions it as a Wireshark-like tool for AI agents. The brand is technical and developer-focused, with a clean, minimal design.
Founder
Vincent Wu
Related
Get more like this in our weekly newsletter.