Solution

Modern, Open Source, Self-Hosted Alternative to Teleport Enterprise

Everything you need, in one platform.

A Unified Zero Trust Access Platform

A Unified Access Platform that can Operate as a Comprehensive ZTNA/BeyondCorp Platform, a Scalable Remote Access VPN, an API/AI/MCP Gateway, an ngrok Alternative, and a PaaS-like Platform for Secure as well as Anonymous Access.

A Unified Architecture for Client-based and Clientless Access

A Unified, Scalable Architecture on top of Kubernetes that Provides both Zero-Config Client-based Access over WireGuard/QUIC with Centralized Private DNS and Public Clientless BeyondCorp Access, including Anonymous Access.

Secretless Access to APIs, SSH, Databases and Kubernetes

Provide Dynamic Secretless Access to HTTP-based Resources without sharing API Keys, to PostgreSQL and MySQL Databases without sharing Passwords, to SSH Servers without Managing Keys and Certificates, and to Kubernetes Clusters without sharing Kubeconfigs.

Secretless SSH Access at Scale

Effortless Passwordless Zero Trust SSH Access without any Changes to your SSH Servers or Clients. Seamless, Secretless SSH Access to Hosts that run no SSH Server, such as Containers and IoT Fleets, via Embedded SSH Servers running within Octelium Clients.

A Platform for Deployment, not just Access

A PaaS-like Platform to Effortlessly Deploy, Scale and Secure Access to Containerized Applications of any Kind.

Application-layer Aware Access Control

Dynamic, Identity-based, L7-aware, Context-aware ABAC Access Control enforced by Identity-aware Proxies (IAPs), with Context-aware Policy-as-Code written in CEL and OPA and Evaluated on Policy Decision Points.

Built for Scalability and Availability

A Scalable Platform Built on top of Kubernetes for Automatic Horizontal Scalability and Availability. Eliminate the Need to Manually Deploy and Scale Proxies or Open Ports in Your Different Upstream Regions and Clouds.

Centralized, Declarative and Programmable Management

Designed to be Administered like Kubernetes, in a DevOps/GitOps-friendly, Centralized and Declarative Way. The Cluster is furthermore fully Programmable over gRPC.

Integrate your OIDC/SAML SSO Providers

Seamlessly integrate any OpenID Connect or SAML 2.0 SSO Provider as well as GitHub OAuth2. Enforce Strong MFA with Phishing-Resistant FIDO2 Authenticators in Access Control for Sensitive Resources.

OpenTelemetry-native Real-time Visibility

OpenTelemetry-ready, Layer-7 Aware, Real-Time Visibility and Auditing to Your Log Management and SIEM Providers.

Eliminate VPN Problems

Eliminate Traditional VPN Problems: Use a Single Stable Route instead of Injecting Countless Routes into Your Users' Clients. Effortless Dual-Stack Networking Regardless of Upstream Support. Seamless, Unified, Automatic Private DNS.

Dynamic, Native MFA and Login with FIDO2 Passkey, TPM 2.0 and TOTP

Dynamically Apply Native FIDO2 Passkey/WebAuthn, Time-based One-Time Password (TOTP) Authentication and TPM 2.0 Authentication. Enforce the Use of Attested Hardware-based FIDO2 Authenticators in your Access Control Decisions.

Get started

Deploy Octelium on your own infrastructure in minutes.

Free and open source. Self-hosted. No vendor lock-in.

Feature comparison

Architecture

| Capability | Octelium (Base): Unified Access Platform | Teleport: Infrastructure Access / PAM |
|---|---|---|
| Architecture | Kubernetes-native identity-aware proxy/gateway architecture with separated PEP/PDP planes, client-based WireGuard/QUIC access, clientless BeyondCorp access, declarative resources, and self-hosted control/data planes. | Centralized access proxy, auth/certificate authority, audit engine, reverse tunnels, and deployable agents. Self-hosted or Teleport Cloud. Proxy/Auth/Node services can be separated for HA and scale. |

Authentication

| Capability | Octelium | Teleport |
|---|---|---|
| OpenID Connect | Yes | Yes |
| SAML 2.0 | Yes | Yes |
| GitHub OAuth2 | Yes | Yes |
| Native FIDO2 / Passkey (Native means implemented by the platform itself, not merely delegated to an external IdP.) | Native (Includes passkey/WebAuthn-style flows and hardware-backed attestation patterns.) | WebAuthn |
| Native TOTP | Yes | Yes |
| TPM / Device Trust | Native / hardware-backed | Device Trust (Device trust exists; TPM-specific semantics depend on deployment and edition.) |
| Workload Identity | OIDC assertions / workload identity | Machine & Workload Identity |
| AI Agent Auth | OAuth2 / bearer / workload identity | Machine ID / MCP access |
| Anonymous / Public Access | Yes | No |
| SCIM Provisioning (Automated user/group lifecycle provisioning via SCIM, beyond just login-time IdP federation.) | SCIM 2.0 compliant | SCIM (enterprise) |

Authorization & Policy

| Capability | Octelium | Teleport |
|---|---|---|
| Policy Model | ABAC with CEL and OPA-oriented policy patterns. | RBAC with traits, labels, predicates, access requests, and certificate-scoped permissions. |
| Policy-as-Code | CEL + OPA | YAML roles / Terraform |
| Per-Request Authz (For L7 products, this means each HTTP/gRPC/API/K8s request can be evaluated. For overlays, session/connection policy is not counted as per-request. This modeling choice structurally favors L7 gateways over network overlays.) | Yes | Protocol-dependent (Strong session/protocol controls; not a generalized CEL-style per-request gateway for every request type.) |
| L7-Aware Policies | HTTP, gRPC, K8s, DB, SSH, mTLS-related context | SSH, DB, K8s, RDP/Web/MCP depending on protocol |
| Zero Standing Privilege / JIT (Indicates strong architectural support for minimizing standing privilege; not an absolute claim that privileged access cannot exist.) | Strong (Designed to minimize static privilege through identity/policy-scoped access.) | JIT access requests / short-lived certs |
| Access Requests / Approvals (First-class request-and-approve / break-glass workflows with reviewers and time-bound grants, as opposed to static policy alone.) | Policy-scoped (Access is policy/identity-scoped and can be time-bound; no first-class ticketed request-and-approve workflow in this dataset.) | First-class (Access Requests with reviewers, Access Lists, and break-glass workflows.) |
| Device Posture | TPM/FIDO2/device attributes | Device Trust |
| External Signal Integration | Yes | Partial |

NIST ZTA Alignment

| Capability | Octelium | Teleport |
|---|---|---|
| All data/services as resources | Yes | Yes |
| Secure communication regardless of network | WireGuard/QUIC and public HTTPS | mTLS / short-lived certs |
| Per-session / per-request access | Per-request for L7; per-session/connection for tunnels | Per-session and protocol-scoped controls |
| Dynamic policy using multiple signals | Yes | Yes |
| Continuous monitoring / verification | OpenTelemetry-native visibility | Audit events and recordings |
| No implicit trust zone | Identity/policy-mediated | Yes |
| Assume breach / least privilege | Yes | Yes |

L7 Protocol Awareness & Secretless Access

| Capability | Octelium | Teleport |
|---|---|---|
| HTTP / HTTPS | L7-aware + secretless credential injection | Application access |
| gRPC | Native L7 mode | Not a general gRPC gateway |
| SSH | Secretless / embedded SSH patterns | Cert-based + recording |
| PostgreSQL | Secretless + query-aware policy/logging | DB access / audit |
| MySQL | Secretless + query-aware policy/logging | DB access / audit |
| Kubernetes | Secretless + verb/resource/namespace policy | K8s access / audit |
| RDP | TCP passthrough | Desktop access / RDP support |
| DNS | Native private DNS mode | No |
| mTLS / cert injection | Secretless mTLS / cert injection | Certificate-based identity; not generic secretless mTLS injection |
| Raw TCP / UDP | TCP and UDP | TCP-oriented app/database/SSH patterns; not general UDP VPN |
| HTTP Manipulation | With native plugins including Lua, Envoy ExtProc, JSON schema validation, cache, rate limits | No |

Transport & Networking

| Capability | Octelium | Teleport |
|---|---|---|
| WireGuard Data Plane (Whether the product's own client/data plane is built on WireGuard, versus a proprietary or TLS-based transport.) | Kernel / userspace (WireGuard via kernel module, TUN, or unprivileged userspace (wireguard-go) implementations.) | No (Not a WireGuard VPN; uses mTLS reverse tunnels.) |
| QUIC Transport (Product-native QUIC transport/tunneling. Experimental or internal-only QUIC is marked partial.) | Full QUIC-based tunneling mode | Experimental (QUIC exists only as experimental/unstable proxy peering; default proxy peering is gRPC.) |
| IPv6 Support | Dual-stack (Defaults to IPv6, with selectable IPv4-only or dual-stack cluster network ranges.) | Yes |
| Embedded SSH (Platform provides its own SSH server/CA or SSH implementation, rather than only tunneling an external sshd.) | Secretless embedded SSH | Built-in SSH CA (Provides its own certificate-based SSH (Teleport SSH), not just tunneling an external sshd.) |
| NAT Traversal | Via Gateways (Reaches resources behind NAT through Cluster Gateways; client-to-Gateway path rather than a direct P2P mesh.) | Partial (Reverse-tunnel / proxy model, not a P2P data path.) |

Visibility, Auditing & Observability

| Capability | Octelium | Teleport |
|---|---|---|
| OpenTelemetry-Native | OTLP-native (A more precise label than simply stating OpenTelemetry support.) | No |
| L7-Aware Access Logs | HTTP/gRPC/K8s/DB/SSH identity-aware logs | Audit events, DB query logs, session activity |
| SSH Session Recording | Yes | SSH, DB, K8s, desktop/RDP, web depending on edition/config |
| SIEM Integration | Via OTLP / OTel Collector | Audit log export integrations |
| Real-Time Streaming | Yes | Partial |
| Identity in Logs | Yes | Yes |

Access Methods

| Capability | Octelium | Teleport |
|---|---|---|
| Client-Based VPN / Overlay | WireGuard / QUIC | No (Teleport is not a WireGuard-style VPN.) |
| Clientless Browser Access | Yes | Web apps / desktops |
| Workload OAuth2 / Bearer | Yes | No |
| CLI / SDK Access | CLI + gRPC API | tsh, APIs |
| Private DNS | Yes | No |

Dynamic Configuration

| Capability | Octelium | Teleport |
|---|---|---|
| Dynamic Upstream Routing | Yes | No |
| Dynamic Credential Selection | Yes | Partial |
| Secrets Backend Integration (Integration with external secret stores / KMS (e.g. Vault, cloud KMS) or native secretless credential handling.) | Secretless injection (Native secretless credential injection; credentials managed as Cluster resources.) | Machine ID / HSM / KMS (Short-lived certs, HSM/KMS-backed CA, and secret integrations reduce static secrets.) |
| GitOps / Declarative Config | Kubernetes-like resources / YAML | YAML / Terraform |
| Programmable API | gRPC | gRPC / REST / Terraform |

SaaS / Public Cloud API Access

| Capability | Octelium | Teleport |
|---|---|---|
| Secretless SaaS API Access | Yes | No |
| AWS API Access | Via HTTP/API credential injection pattern | Partial |
| GCP / Azure API Access | Via the same API gateway pattern | Partial |
| Generic SaaS API Access | Any HTTP API with supported auth injection | No |

AI / MCP / Agent Compatibility

| Capability | Octelium | Teleport |
|---|---|---|
| AI / LLM Gateway | Yes | No |
| MCP Gateway / MCP Access | MCP-oriented gateway/access patterns | First-class (MCP server access with tool-level RBAC, query-level audit, JIT, and workload identity.) |
| A2A / Agent-to-Agent Architecture | Identity-aware service/agent access | No |
| Agent Identity | Workload OIDC / OAuth2 client credentials | Machine ID / Workload Identity |
| Deploy Containers / PaaS | Yes | No |

Gateway Capabilities

| Capability | Octelium | Teleport |
|---|---|---|
| API Gateway | Rate limit, cache, schema validation, Lua, ExtProc | No |
| Kubernetes Ingress / Gateway | Yes | No |
| Reverse Proxy / Tunneling | Yes | Access proxy / reverse tunnels |

Scalability & Cloud-Nativeness

| Capability | Octelium | Teleport |
|---|---|---|
| Kubernetes-Native | Built on Kubernetes | Partial |
| Auto Horizontal Scaling | PEP/PDP can scale independently | Partial |
| Separated PEP / PDP | Yes | Partial |
| High Availability | K8s-native HA model | Yes |

Openness & Self-Hosting

| Capability | Octelium | Teleport |
|---|---|---|
| Fully Self-Hosted | Yes | Yes |
| Server Code Open Source | Yes | Core |
| No Mandatory Proprietary Cloud | Yes | Self-hosted option |
| Data Sovereignty | Yes | Self-hosted deployments |