What exactly is Hermes?

Hermes is a self-hosted AI agent that takes action on your behalf: running commands, browsing the web, handling files, and managing code. Managed Hermes Agent is me deploying it on infrastructure I've hardened and then running that infrastructure for you, so the agent does the work and you never touch the server side.

What happens if the agent gets prompt-injected?

I design for that, because it's a question of when, not if. The agent's code runs in a rootless container on a separate sandbox server that holds no production secrets and has no public network access. A successful injection lands the model in a box it can do very little from, with no route to the server that holds your tokens and no easy way to ship data out. So a bad day stays a small one: you wipe the sandbox and rebuild it.

What can the agent connect to, like Slack, GitHub, or internal tools?

Whatever you approve, and nothing you don't. Out of the box it reaches the chat tool your team uses and the code hosts you point it at, such as GitHub or a self-hosted Git server. Internal tools and private dashboards are added deliberately, each with its own narrowly scoped credentials that live on the gateway and never inside the sandbox where the agent's code runs.

Can I require approval before the agent takes risky actions?

Yes. We decide which actions count as high-stakes when we scope the deployment, and those get set up to wait for a human go-ahead instead of running on their own. Routine work happens unattended; the dangerous moves pass through a checkpoint you control.

What does the monthly fee include?

Deployment and ongoing management of the whole environment: security patching, container health, version updates tested before they reach production, backup verification with monthly restore drills, the network perimeter, and a direct line to me when something needs a human. You run the agent; I keep the infrastructure healthy.

Whose servers does it run on, and where are they hosted?

Yours. You own the infrastructure and the data on it, and you choose the host and the region, which means you choose the data residency too. My own reference deployment runs on Hetzner in Germany, but the architecture isn't tied to any single provider.

How does my team reach the agent?

Through the chat tools you already use. Hermes connects to almost any messaging platform, including Slack, Microsoft Teams, Telegram, WhatsApp, Signal, Discord, and Google Chat, so there's no separate interface to learn. You message it the way you'd message a colleague.

Is this a fit for EU-based or privacy-sensitive teams?

It's a strong fit. Because everything runs on servers you choose, your data stays on infrastructure you control, in the region you pick, instead of being shipped to a third-party SaaS that trains on it. I won't wave around compliance badges I don't hold, but self-hosting on your own EU servers removes most of the data-residency headache before it starts.

What happens if I stop the engagement?

You keep everything: the servers, the data, the agent, and the backups, along with the keys to all of it. Nothing is locked to me, and the handover notes are yours, so another engineer can pick up where I left off.

Can I see how it's built before I commit?

Yes. The reference architecture is public. I've written up the full design, and the hardened compose files and runbook live in an open companion repository, so you can read exactly how the gateway and sandbox split, how the backups are scoped, and how the network is locked down before we ever talk.

Expert Implementation

Managed Hermes Agent

From 249€/mo

I deploy Hermes, an AI agent that does real work: running commands, driving a browser, handling files, and shipping code. Because an agent that capable can also be turned against you, I build it to be contained, with your tokens on one server and the code it runs locked in a sandbox on another. You own the servers; I deploy, harden, and run the whole thing.

Apply for this Implementation

The Problem

Why an AI agent deserves the discipline of a payment service, not a chatbot demo

AI agents that can run commands and touch your systems are genuinely useful and genuinely dangerous, and most people deploy them like they’re harmless. A container with default settings, a public port, the model’s tokens sitting right next to the code it executes. It works in a demo. It keeps working right up until the model reads a poisoned web page or a malicious instruction buried in a document and does exactly what it was told.

The Managed Hermes Agent is the opposite of that. It’s a real action-taking agent, deployed on infrastructure I’ve built around the assumption that it will eventually be turned against you, and then run by me so the hard parts stay handled.

See it before you buy it. The full architecture is public. I’ve documented the design in Hermes Agent Deployment: Secure AI Agent Infrastructure, and the hardened compose files, the SSH wrapper, and the backup runbook live in the open companion repo at github.com/wnstify/hermes-agent. Read exactly how it works, then decide.

Built to be attacked

The single most important decision in this setup is splitting the agent across two servers.

One server is the brain. It holds the model API tokens and the connections to Slack, GitHub, and your other accounts. The other is the hands. It’s where the agent’s code actually runs, inside a rootless container. The brain reaches the hands over a single locked-down channel that drops the agent straight into a working directory inside that container. It never lands on a normal shell on either machine.

So picture the worst case. The model reads a malicious instruction and tries to do harm. It’s confined to an unprivileged container on a server that has no production secrets and no public way in. It has no path back to the brain, nothing worth stealing in reach, and no business being on the host in the first place. The point isn’t to pretend prompt injection will never happen. It’s to make the blast radius boring when it does: a sandbox you wipe and rebuild. That containment is the product.

Nothing the public can reach

Both servers live on a private Tailscale network. There’s no public SSH port to brute-force, no admin panel exposed to the internet, and every service binds to a private address rather than listening to the whole world. The firewall denies inbound traffic by default.

On the way out, a compromised agent’s favorite move is to quietly send your data somewhere or pull down a second-stage payload. So outbound traffic runs through a strict allowlist. The agent reaches the handful of services it’s supposed to and nothing else. Most “secure” AI deployments lock the front door and leave the back door wide open. This closes both.

What the agent can actually do

Containment is worth nothing if the agent is useless, so this is a capable one.

Hermes runs shell commands, drives a real headless browser to navigate sites and pull structured data, reads and writes files, and can stand up its own private, version-controlled code repositories with verified, signed commits. It works the way a careful engineer would, and it keeps a record of what it did. Your team talks to it through almost any chat tool, whether that’s Slack, Teams, Telegram, WhatsApp, Signal, or Discord, so reaching it feels like messaging a colleague rather than logging into yet another tool.

What teams use it for

The security only matters because the agent is doing work worth protecting. In practice that looks like:

Researching vendors, competitors, and technical options, then writing up what it found
Keeping internal docs and runbooks current instead of letting them quietly rot
Running recurring checks against your sites, repos, or servers and flagging what changed
Opening pull requests for small code or content fixes, with signed commits you can audit
Turning sessions, incidents, and decisions into searchable long-term memory
Driving browser workflows that are too fiddly to wire up as a clean API

None of it needs someone babysitting the agent, and all of it stays on infrastructure you control.

Memory that survives

Most agents are goldfish. Close the session and the context is gone, so every conversation starts from zero.

Hermes runs on a dedicated long-term memory layer. It remembers your stack, the decisions you made, and the work in progress, and carries that forward between sessions. The agent gets more useful the longer you work with it, because it isn’t relearning your setup every morning. That memory is backed up on its own schedule and restore-tested like everything else.

Backups you’ve actually restored

Recovery is where most setups quietly fall apart, because nobody tests the backups until they need them.

Here, backups are encrypted and stored off-site, and the keys on the servers are append-only. A server can write new backups but can’t delete old ones, so even a full compromise can’t destroy your recovery path. The delete-capable keys live somewhere else entirely. And once a month, an automated drill restores a real backup into a throwaway database and checks the data is really there by counting the rows. A backup you have never restored is a rumor, and I don’t build on rumors.

How this differs from the Managed AI Suite

If you’ve seen the Managed AI Suite, the fair question is why this costs more for what looks like less. Here’s the honest answer.

The Suite is the broad private-AI environment: chat, automation, structured data, and an agent, all on one managed server you own. It’s the right starting point when you want the whole stack.

Managed Hermes Agent is narrower and stricter. It’s for when the agent itself is the workload, taking real action: running commands, driving a browser, touching code, reaching into business systems. That carries more risk, so it gets more architecture: a second dedicated server for the brain and hands split, scoped tokens, the outbound allowlist, heavier monitoring, and the monthly restore drills. The higher price buys that extra hardening and the second host, not a longer feature list.

If you want the whole private-AI stack, start with the Suite. If the agent is the point, start here.

Who this is for

This is for companies handing an AI agent real access: to code, to data, to systems that matter. If the agent is only answering questions in a chat box, you don’t need this. If it’s running commands, moving data, and acting on your behalf, then it’s an operational workload and it deserves the same discipline as anything else in production.

You own the servers and the data. I deploy the architecture, harden it, and run it, and you reach me directly when something needs a human. If you’d rather start by finding the cracks in what you already run, the Cloud Infrastructure Audit & Hardening is the way in.

The whole thing is documented in the open. Read the full architecture writeup or browse the companion repo on GitHub before we ever talk.

Stop running an AI agent like a toy. Tell me what you want it to do, and we’ll scope the deployment on a call.

What You Get

The Webnestify Advantage

Setting up the records is the easy part. Most of the work is in the verification: making sure your real mail still gets through, and that nobody is using your domain who shouldn't be.

An Agent That Takes Real Action

Hermes is not a chat window. It runs shell commands, drives a real browser, reads and writes files, pulls research, and even opens its own signed pull requests. Your team reaches it through almost any chat tool they already use, from Slack and Teams to Telegram, WhatsApp, Signal, or Discord, with nothing new to install or log into.
The Brain and the Hands, Kept Apart

The reasoning and the execution run on separate servers. One holds the model tokens and the chat connections; the other runs the agent's code inside a rootless container with no production secrets and no normal route back to the first machine. If the model is tricked into doing something it shouldn't, the damage is contained to a sandbox you can wipe and rebuild.
Nothing the Public Internet Can Reach

No public SSH port. No exposed dashboard. Both servers sit on a private Tailscale network, every service binds to a private address, and the firewall denies inbound traffic by default. A strict outbound allowlist means a compromised agent can't quietly phone home or ship your data somewhere. There's almost nothing left for an outsider to knock on.
Memory That Compounds

Hermes runs on a dedicated long-term memory layer, so it remembers your stack, your preferences, and what you worked on last week instead of starting cold every session. The second conversation is better than the first, and it keeps improving as you use it.
Backups You've Actually Restored

Encrypted, off-site backups with append-only keys, so even a fully compromised server can't destroy its own recovery path. And every month an automated drill restores a backup and checks the data is really there by counting the rows, so you know recovery works before you ever need it.

How It Works

My Deployment Approach

I handle the technical work so you don't have to read RFCs.

Scope & Threat Model

We map what the agent should do, what it must never touch, and which actions need a human in the loop before they run. Where it lives, what secrets it sees, what it's allowed to reach. The architecture is decided before a single container starts.
Hardened Deployment

I stand up the gateway and sandbox on your servers: rootless Docker, dropped capabilities, pinned image versions, scoped tokens that never sit in the container image, the outbound allowlist, signed-commit setup, and the memory layer. Everything bound to the private network.
Run & Recover

From then on I run it. Monitoring, patching, version updates tested before they touch production, monthly restore drills, and a direct line to me when something needs attention. You use the agent; I keep the environment healthy.

Verified Customer Review

A trustworthy security and web hosting partner

Gibran

zevimedia.com

“A trustworthy security and web hosting partner”

Simon from Webnestify has a lot of knowledge about server setup and security, that was obvious to me from the beginning, but what I personally value most about him is that he is forthright and transparent in what he offers.

Read more Show less

If you are a freelancer or an agency looking to improve your web hosting, website security, or expand your service offerings, I would highly recommend you have a conversation with Simon.

Read on Trustpilot

Your inquiry lands directly with me.

No sales team, no qualifying calls with strangers. You're talking to the person who'll actually do the work.

Email: hello@webnestify.cloud
Office: Bratislava, Slovakia · Operating globally

Frequently Asked Questions

The questions I get asked before clients commit. If yours isn't here, drop it in the form above.

Want to learn more first?

Longer write-ups on this topic live under Cybersecurity & Hardening on the Insights blog.

Run an AI agent you can actually trust with access

Real autonomy, on a foundation built to contain it. From 249€ a month, deployed on your own servers, managed end to end by the person who architected it.

See all solutions Apply for this Implementation

Managed Hermes Agent

Why an AI agent deserves the discipline of a payment service, not a chatbot demo

Built to be attacked

Nothing the public can reach

What the agent can actually do

What teams use it for

Memory that survives

Backups you’ve actually restored

How this differs from the Managed AI Suite

Who this is for

The Webnestify Advantage

An Agent That Takes Real Action

The Brain and the Hands, Kept Apart

Nothing the Public Internet Can Reach

Memory That Compounds

Backups You've Actually Restored

My Deployment Approach

Scope & Threat Model

Hardened Deployment

Run & Recover

A trustworthy security and web hosting partner

Your inquiry lands directly with me.

Inquire about the Managed Hermes Agent Implementation

Message sent.

Frequently Asked Questions

Run an AI agent you can actually trust with access