Skip to main content
VaultPAM
00 How it works

see exactly how vaultpam works. no black boxes.

Every connection goes through VaultPAM — authenticated, authorised, recorded. Nothing reaches your infrastructure directly.

01 System architecture

Three zones. One security model.

All traffic flows through VaultPAM — nothing reaches your infrastructure directly.

01

The user zone

Browsers, native RDP and SSH clients. Whoever connects, from wherever — every request enters through the same front door.

02

VaultPAM — the broker

Authentication, authorisation and recording happen here. Nothing reaches your infrastructure directly; every path is brokered.

03

Your infrastructure

Servers, databases, jump hosts. Reached only through VaultPAM, only with injected credentials the user never sees.

EVERY PATH BROKERED BLOCKED — NO BROKER VAULT PAM BROWSER RDP SSH RDP-PROD SSH-BASTION DB-MASTER VAULTPAM THREE ZONES FIG.01 EU-WAW · NIS2
Fig. 01 User zone → broker → infrastructure. No node reaches infrastructure directly.
02 Access methods

Three ways to connect. One security model.

Whether your team uses a browser, native RDP client, or SSH terminal — every session passes through the same authentication, authorisation, and recording pipeline.

2.1 · HTTPS

Browser

Open your browser. No plugin, no VPN, no RDP client. The full session including recording runs in the browser over HTTPS.

2.2 · RDP/TLS

Native RDP client

Use any standard RDP application. VaultPAM brokers the session through its gateway — MFA, RBAC, and recording apply exactly as in the browser.

2.3 · SSH/TLS

Native SSH client

Use any terminal emulator. Connect to VaultPAM’s SSH gateway, not the target directly. Full audit trail, same policy.

03 Security pipeline

What happens inside VaultPAM.

Five steps — every time, for every session, for every protocol.

01

WAF filters every request

OWASP Top 10, SQL injection, XSS — before any application logic runs.

02

MFA is enforced

TOTP, hardware keys (YubiKey, Touch ID), or your existing SSO provider. No session without it.

03

RBAC checks access

The user’s role and target permissions are verified before any session is opened.

04

Credentials retrieved from vault

Credentials are retrieved from the encrypted vault and injected into the session — the user never sees the password.

05

Session recorded end-to-end

Every session is recorded in full — tamper-evident, audit-grade, stored exclusively in the EU.

rdp-prod-01 · m.kowalski 09:41:02 REC C:\Users\Admin> whoami Administrator C:\Users\Admin> net user User accounts for \\PROD-01 Administrator Guest svc-deploy C:\Users\Admin> RECORDED 00:04:12 00:14:32
SHA-256: 7f3a…e1c2 WRITE-PROTECTED · EU-WAW SOC 2 READY
Fig. 02 Every session is recorded end-to-end. The recording is write-protected from the moment it is sealed — including from VaultPAM operators.
04 The connector

No inbound ports required.

The VaultPAM Connector runs inside your network and initiates an outbound-only encrypted tunnel to VaultPAM Cloud. Your firewall never needs an inbound rule opened.

All connector traffic uses mutual TLS (mTLS) — both sides present certificates. Short-lived certificates rotate automatically. If a renewal fails, the connector fails closed: it stops forwarding traffic rather than falling back to an unverified connection.

The connector is stateless and crash-safe. If it restarts it re-authenticates and reconnects automatically — no manual intervention.

Deploy in 5 minutes

Docker container or Kubernetes pod. No firewall rules to open. Pull the image, set your enrolment token, start. First session in under 30 minutes.

05 Sandbox

Not ready to deploy a connector yet?

The VaultPAM sandbox gives you a fully working environment with no installation required. VaultPAM automatically deploys the connector and three target systems — RDP desktop, SSH terminal, VNC desktop — inside an isolated namespace that belongs exclusively to your organization.

No other tenant can see or access your sandbox. Credentials are generated uniquely per organization at activation time. Activate in under 60 seconds. 14 days included, extendable twice.

your sandbox includes14 days · no CC required
ResourceStatus
RDP desktop (Windows)Included
SSH terminal (Linux)Included
VNC desktop (Linux)Included
Pre-configured connector — deployed automaticallyIncluded
Unique credentials per organizationIncluded
Isolated namespace — private to your orgIncluded

EU-hosted · GCP Warsaw, Poland · connector deploys in 5 minutes

Ready to see it
in action?