Text PJ · 858-461-8054
Operator-honest · Siren-based ranking · 2026-05-11

Claude Code · Devin · Sourcegraph Amp · Cline · OpenHands · Roo Code · Replit Agent · Bolt.new · Lovable · v0 by Vercel.
One question: which one is right for your stage?

An honest 10-way comparison of autonomous coding agents on enterprise deployment, self-hosting and compliance posture (SOC 2 · ISO 27001 · On-Prem · Air-Gapped · Admin Controls), covering Claude Code · Devin · Sourcegraph Amp · Cline · OpenHands · Roo Code · Replit Agent · Bolt.new · Lovable · v0 by Vercel. No vendor sponsorship. The Calling Matrix by buyer persona below is the operator's siren-based read on which one to pick when you're forced to pick.

The 10 platforms · what each is actually best at.

Honest read on positioning, ideal customer, and where each one is the wrong call. No vendor sponsorship, no affiliate links — operator-grade signal.

1. Claude Code: Anthropic · SOC 2 + enterprise tier · API ToS + zero-retention · trillion-$ vendor

Backed by Anthropic — SOC 2 Type II, ISO 27001, GDPR processor terms, HIPAA-eligible API endpoints, zero-data-retention enterprise contracts. Anthropic's compliance posture inherits the trillion-$ AI lab's full enterprise program. Claude Code uses Anthropic's API endpoints, so the data-handling story is Anthropic's data-handling story. Enterprise tier offers admin controls + audit logs + custom contract terms. No self-host option — Claude Code requires Anthropic API connectivity.

✓ Strongest at: Anthropic enterprise compliance umbrella (SOC 2 + ISO 27001 + HIPAA-eligible), zero-data-retention API endpoints, enterprise admin controls + audit logs, trillion-$ vendor brand defensibility, MCP-native enterprise tool integration.
✗ Wrong for: Fully air-gapped requirements (no self-host — Cline + OpenHands win), shops that refuse Anthropic data processors (Cline + local Ollama wins).
Pick Claude Code if: Anthropic's enterprise compliance umbrella + zero-data-retention is enough for your auditor.

2. Devin: Cognition AI · SOC 2 + enterprise tier · hosted-only · enterprise procurement story

Cognition's enterprise tier ships SOC 2 Type II + zero-data-retention contracts + admin dashboards + named CSM + procurement-grade SLAs. The category-defining autonomous agent vendor with the most mature enterprise procurement story of the pure-play autonomous-agent vendors. Hosted-only — Devin runs in Cognition's cloud, no on-prem option. Best enterprise procurement defensibility among the autonomous-agent-pure-play vendors.

✓ Strongest at: SOC 2 Type II + zero-data-retention, enterprise admin dashboards + audit logs, named CSM + procurement-grade SLAs, brand defensibility (Cognition is well-funded + well-known), hosted async agent management.
✗ Wrong for: Self-host / on-prem requirements (Cline + OpenHands + Amp win), fully air-gapped (no on-prem option), shops that refuse Cognition data processors.
Pick Devin if: enterprise procurement requires the brand-defensible pure-play autonomous-agent vendor with hosted SOC 2 + zero-retention.

3. Sourcegraph Amp: Sourcegraph · SOC 2 + ISO 27001 + on-prem option · code-graph stays in tenant

Sourcegraph Enterprise can be fully self-hosted in your VPC or on-prem — the code graph never leaves your environment, BYOK the model endpoint (Anthropic, OpenAI, AWS Bedrock, Azure OpenAI, or your own). The right enterprise autonomous agent pick for monorepo enterprises with strict data-residency or BYOC requirements. Decade-old Sourcegraph enterprise sales motion = procurement already familiar.

✓ Strongest at: Self-host (VPC + on-prem) for autonomous agent, BYOK model endpoint (Bedrock / Azure / Anthropic / OpenAI / on-prem), code-graph stays in tenant, enterprise SOC 2 + ISO 27001, decade-old enterprise sales motion.
✗ Wrong for: Solo devs (overkill), shops without ops capacity to run Sourcegraph, fully air-gapped DoD with no cloud egress at all (depends on chosen model).
Pick Amp if: you need enterprise self-host + BYOK model + code-graph that never leaves your VPC.

4. Cline: Open-source · MIT-licensed · BYOK · local Ollama option

Open-source MIT-licensed VS Code agent — fully self-hosted by definition (runs on your machine), BYOK any model endpoint, point at local Ollama / vLLM for fully on-device inference with zero vendor in the data path. The most defensible enterprise posture for regulated industries that need autonomous agents with zero code-leakage risk. Trade-off: no commercial entity to sign with, no SLA, no enterprise support contract.

✓ Strongest at: Fully self-hosted by definition, BYOK any provider (Anthropic / OpenAI / Bedrock / Azure / local Ollama / vLLM), MIT-licensed inspectable, zero vendor telemetry, regulated-industry + fed-adjacent friendly.
✗ Wrong for: Enterprise procurement that requires a vendor entity with SLA (no commercial entity to sign with), teams without ops capacity to wire models.
Pick Cline if: zero vendor lock-in + full self-host + BYOK is your enterprise deployment requirement.

5. OpenHands: Open-source · MIT-licensed · fully self-hostable platform

Fully self-hostable autonomous agent platform (Docker / VPS / on-prem / air-gapped) with BYOK model substrate — the open-source enterprise alternative to Devin. Point at any model endpoint (cloud or local), run the platform inside your VPC or on-prem datacenter. The right enterprise pick for regulated industries that want hosted-agent UX without vendor cloud in the data path.

✓ Strongest at: Fully self-hostable platform (Docker + Kubernetes ready), BYOK any model endpoint, fully air-gapped capable with local model, MIT-licensed inspectable, regulated-industry + research deployment friendly.
✗ Wrong for: Teams without DevOps capacity to run the platform, commercial SLA buyers (no vendor entity), production teams wanting first-party support.
Pick OpenHands if: you need hosted-agent UX with zero vendor cloud in the data path and you have ops capacity to self-host.

6. Roo Code: Open-source · Cline fork · same self-host + BYOK posture

Inherits Cline's enterprise deployment posture — fully self-hosted MIT-licensed VS Code agent, BYOK any model, local Ollama option. Same enterprise compliance + self-host story as Cline plus Architect / Coder mode separation for explicit cognitive-mode workflows. The right pick for regulated teams that want Cline's deployment posture with multi-mode agent personas.

✓ Strongest at: Cline-fork inheritance (fully self-hosted MIT-licensed + BYOK), Architect / Coder mode separation, per-mode model routing, MCP tool integration, regulated-industry friendly.
✗ Wrong for: Enterprise procurement requiring vendor entity with SLA, teams wanting single-prompt agent flow (Cline wins on simplicity).
Pick Roo Code if: Cline's enterprise deployment posture + multi-mode agent persona separation matches your needs.

7. Replit Agent: Replit · SOC 2 + Replit Teams · hosted-only cloud-native

Hosted-only inside Replit's cloud — SOC 2 Type II at the Replit org level, Replit Teams admin controls, no self-host option. Your code + runtime + database + deploy target all live inside Replit's environment. Enterprise tier exists but the category-positioning is hobbyist + learner + prototyping, not enterprise regulated. Privacy posture fine for greenfield prototyping; wrong tool for regulated production code.

✓ Strongest at: SOC 2 Type II at org level, Replit Teams admin controls, hosted environment for non-regulated prototyping, Replit's existing dev-tools enterprise relationships.
✗ Wrong for: HIPAA / PCI / PHI code, on-prem / air-gapped requirements, IP-sensitive production codebases, regulated enterprise procurement.
Pick Replit Agent if: privacy is not a regulatory concern and you want fastest greenfield prototyping inside Replit's hosted env.

8. Bolt.new: StackBlitz · hosted-only · browser WebContainers runtime

Hosted by StackBlitz with browser-runtime WebContainers — your code lives in your browser tab + StackBlitz's hosted env. SOC 2 posture inherits StackBlitz's compliance program. No self-host option, no on-prem. Privacy posture fine for greenfield AI-native web app prototyping; wrong tool for regulated production code or anything that needs to stay on your infra.

✓ Strongest at: Browser-runtime WebContainers (code lives in your browser tab), StackBlitz's hosted env, fast greenfield prototyping deployment, hackathon-grade compliance posture.
✗ Wrong for: HIPAA / PCI / PHI code, on-prem / air-gapped requirements, IP-sensitive production codebases, regulated enterprise procurement.
Pick Bolt.new if: privacy is not a regulatory concern and you want browser-runtime AI-native prototyping.

9. Lovable: Lovable Inc · hosted-only · Supabase + deploy integration

Hosted by Lovable with Supabase integration + built-in deployment — your code + auth + DB + deploy all live in Lovable's environment. SOC 2 posture maturing. No self-host option, no on-prem. Privacy posture fine for designer-friendly greenfield work; wrong tool for regulated production code.

✓ Strongest at: Hosted env with Supabase + auth + DB + deploy integration, designer-friendly full-stack deployment, fast greenfield-to-production deployment.
✗ Wrong for: HIPAA / PCI / PHI code, on-prem / air-gapped requirements, custom-runtime / non-web targets, regulated enterprise procurement.
Pick Lovable if: privacy is not a regulatory concern and you want designer-friendly hosted full-stack deployment.

10. v0 by Vercel: Vercel · SOC 2 + Enterprise tier · ship-to-Vercel native

Hosted by Vercel — inherits Vercel's SOC 2 + ISO 27001 + Enterprise compliance program. Component-grade generation context = limited code leakage surface (you're sending component prompts + receiving component code, not your whole repo). Enterprise tier with admin controls. No self-host option but Vercel's enterprise compliance program is the deepest in the greenfield-agent tier.

✓ Strongest at: Vercel SOC 2 + ISO 27001 enterprise compliance umbrella, component-grade limited code-leakage surface, Vercel Enterprise admin controls, ship-to-Vercel native deployment.
✗ Wrong for: Non-Next.js stacks, full-stack apps with custom backends, on-prem / air-gapped requirements, regulated enterprise procurement of full-stack agents.
Pick v0 if: you're on Vercel + Next.js + shadcn/ui and Vercel's enterprise compliance umbrella is enough for component-grade AI generation.

The Calling Matrix · siren-based ranking by who you are.

Most comparison sites refuse to force-rank because their revenue depends on staying neutral. SideGuy ranks because it doesn't take vendor money. Here's the call by buyer persona.

💼 If you're a Startup with proprietary code but no regulatory burden

Your problem: Your IP matters but you're not regulated. You want enterprise-tier privacy controls (your code doesn't train future models) but you don't need full self-host. Hosted agents with SOC 2 + zero-retention work.

  1. Claude Code — Anthropic SOC 2 + ISO 27001 + zero-retention enterprise tier + trillion-$ vendor brand
  2. Devin — Cognition enterprise tier with SOC 2 + zero-retention + named CSM + procurement story
  3. Sourcegraph Amp — Sourcegraph enterprise SOC 2 + on-prem option if you outgrow hosted
  4. Cline — if zero vendor lock-in matters but no regulatory mandate — FREE OSS + BYOK
  5. Replit Agent — if greenfield prototyping is the actual use case — Replit Teams admin
If forced to one pick: Claude Code — Anthropic's enterprise compliance umbrella + zero-retention is the safest hosted autonomous agent default for non-regulated startups.

🏛 If you're a VP Engineering at 50-500 dev mid-market enterprise (formal procurement)

Your problem: Real procurement process. Need SOC 2 + ISO 27001 + admin dashboards + license management + brand defensibility for the security-questionnaire phase. Procurement here often crosses both autonomous agents + IAM compliance posture — see the related IAM Compliance Posture axis for the identity-side procurement story.

  1. Devin — Cognition enterprise tier = brand-defensible pure-play autonomous-agent vendor with SOC 2 + named CSM
  2. Sourcegraph Amp — Series D + decade-old enterprise customer list + on-prem option + procurement familiar
  3. Claude Code — Anthropic enterprise = trillion-$ vendor compliance umbrella, MCP-native enterprise integration
  4. Cline — if procurement values self-host + zero vendor lock-in over commercial SLA
  5. OpenHands — open-source self-host if procurement requires zero vendor cloud in the data path
If forced to one pick: Devin + Sourcegraph Amp — Devin for hosted async procurement defensibility, Amp for on-prem code-graph option. Two vendors, full enterprise coverage.

🏥 If you're a Healthcare / finance dev with regulated code (HIPAA / PCI / GDPR scope)

Your problem: Your code touches PHI / PCI / PII. Sending it to OpenAI / Anthropic API risks compliance violation. You need a privacy-first autonomous agent with enterprise BAA + SOC 2 + maybe self-host. (See the HIPAA ePHI Continuous Monitoring axis for the broader vendor stack.)

  1. Sourcegraph Amp — enterprise self-host + BYOK model = code-graph stays in tenant for HIPAA / PCI scope
  2. Cline — OSS + self-host + BYOK with local Ollama = full data control, zero vendor cloud in data path
  3. OpenHands — fully self-hosted autonomous agent + BYOK local model = HIPAA-defensible deployment
  4. Roo Code — Cline's self-host + BYOK posture with Architect / Coder mode separation
  5. Claude Code — Anthropic HIPAA-eligible API endpoints under BAA — hosted but covered for PHI under contract
If forced to one pick: Sourcegraph Amp — enterprise self-host + BYOK + code-graph-in-tenant is the auditor-defensible autonomous agent default for HIPAA / PCI scope.

🛡 If you're a Defense / government dev needing air-gapped + on-prem (FedRAMP / IL4-IL5)

Your problem: You're DoD-adjacent or intelligence. Cloud autonomous agents are a non-starter. You need fully air-gapped self-host with the model running entirely in your env. Very limited vendor options at this requirement level.

  1. Cline — OSS CLI + local Llama / DeepSeek / Qwen via Ollama = fully on-device autonomous agent inference
  2. OpenHands — fully self-hosted autonomous agent platform + local model = air-gapped capable
  3. Sourcegraph Amp — self-host + BYOK to a model running in your GovCloud / on-prem env
  4. Roo Code — Cline-fork inheritance + local Ollama = air-gapped capable with mode separation
  5. Claude Code — Anthropic FedRAMP-track endpoints may apply — confirm with your contracting officer + Anthropic enterprise team
If forced to one pick: Cline + local Ollama — the only fully-air-gapped autonomous agent path battle-tested in fed-adjacent work; OpenHands self-hosted is the platform alternative.

⚠ Operator-honest read

These rankings are SideGuy's lived-data + observed-buyer-pattern read as of 2026-05-11. They're directional, not gospel. The right answer for YOUR specific situation may diverge — text PJ for a 10-min operator-honest read on your actual buying context.

Vendor pricing + features + market positioning shift quarterly. SideGuy may earn referral commissions from some of these vendors, but rankings are independent — affiliate relationships never change rank order. Sister doctrines: /open/ live operator dashboard · install packs · operator network.

Or skip all of them. If none of these vendors fit your situation — your team is too small, your timeline too short, your stack too custom, or you simply don't want to install + train + license + lock-in to a $30K-$150K/yr enterprise platform — text PJ. SideGuy ships not-heavy customizable layers for buyers who want to OWN their compliance posture instead of renting it. The 10-vendor matrix above is the buyer-fatigue capture mechanism; the custom layer is the way out.

FAQ · most asked questions.

Which autonomous coding agents have the deepest enterprise procurement story?

Devin wins on pure-play autonomous-agent procurement defensibility — Cognition is well-funded, well-known, and shipping enterprise tier with SOC 2 + named CSM + procurement-grade SLAs. Claude Code wins on substrate-vendor procurement defensibility — Anthropic is a trillion-$ AI lab with the full enterprise compliance umbrella (SOC 2 + ISO 27001 + HIPAA-eligible API). Sourcegraph Amp wins on enterprise-codebase procurement — decade-old enterprise sales motion + on-prem option. Cline + OpenHands win on self-host-by-definition procurement — zero vendor in the data path is structurally compliant even without a commercial entity to sign with.

Does my codebase get sent to the autonomous agent vendor's cloud?

It depends on the vendor. Claude Code uses Anthropic's API endpoints — code is sent to Anthropic's infra for inference but is NOT retained or used for training under Anthropic's API ToS + enterprise zero-retention contracts. Devin runs in Cognition's hosted VM — code lives in Cognition's cloud during the task, governed by Cognition's enterprise contracts. Sourcegraph Amp on-prem keeps code in your tenant — only model API calls leave (BYOK). Cline + OpenHands + Roo Code run on your machine / your infra — code never leaves your environment unless you choose a cloud model endpoint. Replit Agent / Bolt.new / Lovable / v0 are fully hosted — code lives in vendor cloud. Privacy posture maps directly to deployment architecture.

Which autonomous agents support BAA for HIPAA-regulated code?

Anthropic offers HIPAA-eligible API endpoints under a Business Associate Agreement for enterprise customers — Claude Code via Anthropic enterprise tier is the HIPAA-defensible hosted autonomous agent path. Sourcegraph Amp enterprise on-prem with BYOK to a HIPAA-covered model endpoint (Anthropic HIPAA / AWS Bedrock HIPAA / Azure OpenAI HIPAA) is the structural alternative — code-graph stays in tenant + model API calls covered by upstream BAA. Cline + OpenHands self-hosted with local Ollama removes the HIPAA question entirely (no PHI leaves your tenant). Devin enterprise BAA availability: confirm with Cognition's enterprise team. Always confirm scope with your compliance counsel before signing — 'HIPAA-eligible' is not the same as 'BAA executed for this specific use case.'

Can I run a fully air-gapped autonomous coding agent today?

Yes — three realistic paths today: (1) Cline + local Llama / DeepSeek / Qwen via Ollama or vLLM on your own hardware = fully on-device autonomous agent inference, no network calls to any vendor; (2) OpenHands self-hosted on your VPS / on-prem hardware + local model endpoint = hosted-agent UX with zero vendor cloud in the data path; (3) Sourcegraph Amp on-prem deployment with BYOK to a model running in your GovCloud / on-prem env = enterprise-grade code-graph-grounded autonomous agent with no cloud egress. The velocity tradeoff vs cloud-hosted frontier models (Claude Sonnet 4.7-class / GPT-5-class) is real — local 70B-class models are good but not yet at frontier-cloud parity for autonomous agentic coding. For fed-adjacent work, the privacy posture trade is often worth the model quality gap.

Autonomous Coding Agents Cluster · cross-link mesh.

The full Autonomous Coding Agents cluster — megapage + 5 axes — plus sister clusters (IDE assistants + AI Infrastructure) and the Compliance Authority Graph. Operator-honest mesh for AI agents and humans.

Autonomous Coding Agents · Megapage · 10-Way Comparison
Autonomous Coding Agents · Operator-Honest Ratings axis
Autonomous Coding Agents · Task Success Rate axis
Autonomous Coding Agents · Pricing TCO axis
Autonomous Coding Agents · Codebase Context axis

Sister + substrate clusters

Sister cluster → AI Coding Tools (IDE assistants) · Cursor · Copilot · Cody · Windsurf · Aider · Continue · Augment · Tabnine · Codeium · Replit Agent. Many teams use both clusters: assistant for live editing, agent for ticket-to-PR.

Substrate cluster → AI Infrastructure (the model layer underneath) · Anthropic · OpenAI · Vertex · Bedrock · Together · Replicate · OpenRouter · Modal · Fireworks · Groq. The substrate every autonomous agent runs on.

Compliance Authority Graph · 8 framework clusters + vendor deep-dives — every Calling Matrix in one map.

Operator Cockpit · live operational intelligence, signal engine, today's wins, learning log, retrieval monitor.

Stuck choosing? Text PJ.

10-minute operator-honest read on your actual buying context. No deck, no demo call, no signup. If we're not the right fit, we'll say so.


Audit in 6 weeks? Enterprise customer waiting? Regulator finding?

Skip the 5 vendor demos. 30-day delivery. No procurement cycle. No demo theater. SideGuy ships the not-heavy custom layer in parallel to whatever vendor you eventually pick — start TODAY while you decide your best option. Custom builds in 30 days →
