A Unified Access Platform that can Operate as a Comprehensive ZTNA/BeyondCorp Platform, a Scalable Remote Access VPN, an API/AI/MCP Gateway, and a PaaS-like Platform for Secure as well as Anonymous Access
A Unified Scalable Architecture on top of Kubernetes to Provide both Zero-Config Client-based Access over WireGuard/QUIC with Centralized Private DNS as well as Public Clientless BeyondCorp and even Anonymous Access
Provide Dynamic Secretless Access to HTTP-based Resources without Sharing API Keys, to PostgreSQL and MySQL Databases without Sharing Passwords, to SSH Servers without Managing Keys and Certificates, and to Kubernetes Clusters without Sharing Kubeconfigs
Effortless Passwordless Zero Trust SSH Access without any Changes in your SSH Servers or Clients. Seamless, Secretless SSH Access to Hosts without SSH Servers such as Containers and IoT Fleets via Embedded SSH Servers running within Octelium Clients.
A PaaS-like Platform to Effortlessly Deploy, Scale and Secure Access to Containerized Applications of any Kind.
Access Control at the Application Layer (L7) (e.g. HTTP paths and methods, Kubernetes namespaces and verbs, PostgreSQL queries, etc.) using Identity-aware Proxies (IAPs) with Context-aware Policy-as-Code via CEL and OPA
A Scalable Platform Built on top of Kubernetes for Automatic Horizontal Scalability and Availability. Eliminate the Need to Manually Deploy and Scale Gateways or Open Ports in Your Different Upstream Regions and Clouds.
Designed to be Administered like Kubernetes in a DevOps/GitOps-friendly, Centralized and Declarative Way. Furthermore, the Cluster is Fully Programmable over gRPC.
Seamlessly Integrate any OpenID Connect or SAML 2.0 SSO Provider as well as GitHub OAuth2. Enforce Strong MFA via Phishing-Resistant FIDO2 Authenticators in Access Control to Sensitive Resources.
OpenTelemetry-ready, Layer-7 Aware, Real-Time Visibility and Auditing to Your Log Management and SIEM Providers
Dynamically Route to Different Upstreams, such as Multiple Databases/APIs or the Same Database/API with Multiple Credentials Mapping to Different Permissions and Accounts, based on Identity and Context.
Dynamically Apply Native FIDO2 Passkey/WebAuthn, Time-based One-Time Password (TOTP) Authentication and TPM 2.0 Authentication. Enforce the Use of Attested Hardware-based FIDO2 Authenticators in Your Access Control Decisions.
Eliminate Traditional VPN Problems: Use a Single Stable Route instead of Injecting Countless Routes into Your Users' Clients. Effortless Dual-Stack Networking Regardless of the Support at the Upstream. Seamless, Unified, Automatic Private DNS.