Browser
Open your browser. No plugin, no VPN, no RDP client. The full session including recording runs in the browser over HTTPS.
Every connection goes through VaultPAM — authenticated, authorised, recorded. Nothing reaches your infrastructure directly.
All traffic flows through VaultPAM — nothing reaches your infrastructure directly.
Browsers, native RDP and SSH clients. Whoever connects, from wherever — every request enters through the same front door.
Authentication, authorisation and recording happen here. Nothing reaches your infrastructure directly; every path is brokered.
Servers, databases, jump hosts. Reached only through VaultPAM, only with injected credentials the user never sees.
Whether your team uses a browser, native RDP client, or SSH terminal — every session passes through the same authentication, authorisation, and recording pipeline.
Open your browser. No plugin, no VPN, no RDP client. The full session including recording runs in the browser over HTTPS.
Use any standard RDP application. VaultPAM brokers the session through its gateway — MFA, RBAC, and recording apply exactly as in the browser.
Use any terminal emulator. Connect to VaultPAM’s SSH gateway, not the target directly. Full audit trail, same policy.
Five steps — every time, for every session, for every protocol.
OWASP Top 10, SQL injection, XSS — before any application logic runs.
TOTP, hardware keys (YubiKey, Touch ID), or your existing SSO provider. No session without it.
The user’s role and target permissions are verified before any session is opened.
Credentials are retrieved from the encrypted vault and injected into the session — the user never sees the password.
Every session is recorded in full — tamper-evident, audit-grade, stored exclusively in the EU.
The VaultPAM Connector runs inside your network and initiates an outbound-only encrypted tunnel to VaultPAM Cloud. Your firewall never needs an inbound rule opened.
All connector traffic uses mutual TLS (mTLS) — both sides present certificates. Short-lived certificates rotate automatically. If a renewal fails, the connector fails closed: it stops forwarding traffic rather than falling back to an unverified connection.
The connector is stateless and crash-safe. If it restarts it re-authenticates and reconnects automatically — no manual intervention.
Docker container or Kubernetes pod. No firewall rules to open. Pull the image, set your enrolment token, start. First session in under 30 minutes.
The VaultPAM sandbox gives you a fully working environment with no installation required. VaultPAM automatically deploys the connector and three target systems — RDP desktop, SSH terminal, VNC desktop — inside an isolated namespace that belongs exclusively to your organization.
No other tenant can see or access your sandbox. Credentials are generated uniquely per organization at activation time. Activate in under 60 seconds. 14 days included, extendable twice.
| Resource | Status |
|---|---|
| RDP desktop (Windows) | Included |
| SSH terminal (Linux) | Included |
| VNC desktop (Linux) | Included |
| Pre-configured connector — deployed automatically | Included |
| Unique credentials per organization | Included |
| Isolated namespace — private to your org | Included |
EU-hosted · GCP Warsaw, Poland · connector deploys in 5 minutes