Every advantage has a cost. A positive feedback loop also needs a negative one to become sustainable. Name the tradeoff; find the equilibrium.
H2 Labs is a European technology and social lab serving clients worldwide. We build defensive security and run principled experiments, with software you host yourself and a human in the loop where it matters.
We build sovereign software: free and open for individuals, with subscriptions for the enterprises and institutions that want support, updates, and someone accountable on the other end. That is what keeps the lights on, and it all answers to one rule: build things people can actually own and trust.
Security that defends, not exploits. Threat models in the design review, not the post-mortem. Tools you can audit, run yourself, and keep running after the vendor is gone.
We publish the middle of the work: the detour, the dead end that taught us something, the moment a hunch became a decision. Measure, then decide. Failure is data.
These are constraints, not slogans. They decide what we will and will not ship.
Your data and your tools stay yours. No dependency dressed up as convenience.
It works on infrastructure you control, under your jurisdiction, on your terms.
On anything that matters, a person stays in the loop and has the final word. The machine proposes; people decide.
We don't phone home. What runs on your machine is not a sensor for ours.
The software keeps running if the subscription ends. Enterprises pay for support, updates, and accountability, never for permission to use what they already have.
European engineers, European legal frameworks, clients anywhere. Where we stand is our decision; where you run is yours.
These run today, built on the principles above. Beyond them we do custom implementations, and we start by understanding your needs before building or recommending anything.
A sovereign personal agent: one Zig binary, memory that never resets, channels we own.
platform: The self-hosted app platform this site runs on: every app a folder, no build step.
confinement: Landlock, egress allowlists, sandboxes that fail closed: the layers under the agent.
access: Single-packet authorization: invisible until asked. Under it: triageIO fleets (each isolated, self-hosted), hardware-key SSH, OpenStack.
We write about the flow, the experience, the learnings, not the clean final answer. Read the iteration logs, the security notes, and the essays.
An assistant built for the people in your life, not your task list. Its real trick is a memory that never resets. Updated as the system evolves, including what a memory wipe actually feels like.
methodology: AI agents produce clean, test-passing code where the tests came from the same place as the bugs. What replaces coverage and review as quality signals: mutation testing, properties, fuzzing, and a second model.
defensive security: Everyone filters inbound; almost no one filters outbound. A compromised dependency, a manipulated agent, or an SSRF payload all exploit the same gap. Default-deny outbound closes the other half of the firewall.
Technology & social labs
Not just systems, but the economics around them: who pays for software, what it takes to truly own it, and the human side of the machines we build.