See exactly how VaultPAM works.

No black boxes. Every connection goes through VaultPAM — authenticated, authorised, recorded.

System architecture

Three zones. One unified security model. All traffic flows through VaultPAM — nothing reaches your infrastructure directly.

User
  Browser (no plugin): HTTPS 443
  Native RDP Client, Native SSH Client: RDP/SSH over TLS → Native Client Gateway

VaultPAM Cloud — GCP Warsaw (EU)
  WAF · Rate Limiting · DDoS Protection
  Identity Provider: MFA enforced
  RBAC & Session Authorisation
  Session Proxies — same policy for all access methods: RDP Proxy, SSH Proxy, HTTP Proxy
  Secrets Vault: OpenBao
  Session Recording: AES-256-GCM · audit-grade
  Encrypted tunnel · outbound from customer

Customer Network
  VaultPAM Connector: Outbound-only · mTLS · auto-rotating certs
  Targets: Windows RDP, Linux SSH, Web App, Database

Three ways to connect. One security model.

Whether your team uses a browser, native RDP client, or SSH terminal — every session passes through the same authentication, authorisation, and recording pipeline.

Browser

Open your browser. No plugin, no VPN, no RDP client. The full session, including recording, runs in the browser over HTTPS.

Native RDP Client

Use any standard RDP application. VaultPAM brokers the session through its gateway — MFA, RBAC, and recording apply exactly as in the browser.

Native SSH Client

Use any terminal emulator. Connect to VaultPAM's SSH gateway, not the target directly. Full audit trail, same policy.

What happens inside VaultPAM

Five steps — every time, for every session, for every protocol.

WAF filters every request

OWASP Top 10, SQL injection, XSS — before any application logic runs.

MFA is enforced

TOTP, WebAuthn, or IdP-level via SAML 2.0 / OIDC. No session without it.

RBAC checks access

The user's role and target permissions are verified before any session is opened.

Credentials retrieved from vault

OpenBao (Linux Foundation fork of HashiCorp Vault) — never from the database, never visible in the browser.

Session recorded end-to-end

AES-256-GCM per recording, per-object key, audit-grade storage, EU only.
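The per-recording, per-object key scheme described above can be illustrated with a small envelope-encryption example in Go. This is an added illustration, not VaultPAM's code: it assumes each recording gets its own random AES-256 key, that this key is wrapped under a tenant key-encryption key (KEK), and that the recording ID is bound as GCM associated data, so a leaked object key exposes one recording and a blob cannot be re-labelled as another session; the page states none of those details beyond AES-256-GCM with a per-object key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcm builds AES-256-GCM; only 32-byte keys reach it, so a failure here is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block
	return g
}

// seal returns nonce||ciphertext||tag under a fresh random nonce, binding aad into the tag.
func seal(key, plaintext, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce) // crypto/rand.Read cannot fail (Go 1.24+): it crashes rather than returning an error
	return gcm(key).Seal(nonce, nonce, plaintext, aad)
}

// open verifies the tag and aad before returning any plaintext; short blobs error instead of panicking.
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("truncated blob")
	}
	return gcm(key).Open(nil, blob[:12], blob[12:], aad)
}

// EncryptRecording (assumed scheme): fresh key per recording, body sealed under it, key wrapped under the tenant KEK, ID as AAD to both.
func EncryptRecording(kek []byte, id string, body []byte) (wrappedKey, sealed []byte) {
	dek := make([]byte, 32)
	rand.Read(dek) // see seal: cannot return an error
	return seal(kek, dek, []byte(id)), seal(dek, body, []byte(id))
}

// DecryptRecording unwraps the object key, then opens the body; a modified blob, tag or ID fails instead of returning data.
func DecryptRecording(kek []byte, id string, wrappedKey, sealed []byte) ([]byte, error) {
	dek, err := open(kek, wrappedKey, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, sealed, []byte(id))
}
```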

The Connector — no inbound ports required

The VaultPAM Connector runs inside your network and initiates an outbound-only encrypted tunnel to VaultPAM Cloud. Your firewall never needs an inbound rule opened.

All connector traffic uses mutual TLS (mTLS) — both sides present certificates. Short-lived certificates rotate automatically. If a renewal fails, the connector fails closed: it stops forwarding traffic rather than falling back to an unverified connection.

The connector is stateless and crash-safe. If it restarts it re-authenticates and reconnects automatically — no manual intervention.

Deploy in 5 minutes

Docker container or Kubernetes pod. No firewall rules to open. Pull the image, set your enrolment token, start. First session in under 30 minutes.

Not ready to deploy a connector yet?

The VaultPAM sandbox gives you a fully working environment with no installation required. VaultPAM automatically deploys the connector and three target systems — RDP desktop, SSH terminal, VNC desktop — inside an isolated namespace that belongs exclusively to your organization.

No other tenant can see or access your sandbox. Credentials are generated uniquely per organization at activation time.

Activate in under 60 seconds. 14 days included, extendable twice.

Your sandbox includes:

✓ RDP desktop (Windows)
✓ SSH terminal (Linux)
✓ VNC desktop (Linux)
✓ Pre-configured connector — deployed automatically
✓ Unique credentials per organization
✓ Isolated namespace — private to your org

Ready to see it in action?

See VaultPAM in action — request a personalised demo with one of our engineers.