Tanflow IAM Suite & PAM - enterprise identity and privileged access security for the modern enterprise. Get a Demo →

Tanflow PAM

Secure. Control. Audit.

Zero-agent Privileged Access Management: a browser-based gateway between your people and your most critical systems - every credential vaulted, every session recorded, every command policed.

PILLAR 01 Zero-Agent Gateway No software on targets, no clients on laptops. A browser reaches SSH, RDP, VNC and databases through one controlled gateway.
PILLAR 02 Credential Vault Privileged credentials are encrypted, rotated and injected into sessions - users connect without ever seeing a password.
PILLAR 03 Command Control Every keystroke inspected against policy in real time: block, demand justification, warn or allow - and record it all.

The privileged access challenge

Privileged credentials are the primary target in modern attacks

80%

of security breaches involve compromised privileged credentials

The root passwords, admin accounts and service credentials that unlock everything else - shared, unrotated and unwatched in most enterprises.

Industry breach analyses, incl. Forrester Research

1compromised credential is enough
0agents needed to close the gap

Shared root passwords

The same superuser credential in a dozen engineers' heads - and in their notes app. Nobody can say who used it last night.

No session visibility

An admin connects to a production database. What did they run? Without session recording, the honest answer is: nobody knows.

Standing privileges

Access granted for one incident, still active a year later. Standing privilege is standing risk.

Unmanaged vendor access

Third-party engineers with VPN credentials and no supervision - the entry point in some of the most damaging breaches on record.

Audit blind spots

The regulator asks for privileged session evidence. The team starts grepping terminal histories and hoping.

The Tanflow answer

Put a recording, policy-enforcing gateway between every human and every privileged target - with nothing to install on either side.

See it live →

Zero-trust access architecture

Five steps between a user and a root shell

No direct network path to targets. Every privileged session flows through the gateway - authenticated, authorised, injected, recorded.

AuthenticateUser signs in to the PAM portal with MFA - or federated SSO via your IdP.
AuthorisePolicy decides which targets, which accounts, which protocols - and when.
InjectThe vault injects credentials into the session. The user never sees a password.
EnforceCommands are inspected in real time against your control policies.
RecordFull session video and command log land in the tamper-evident audit store.
 tanflow-pam - recorded session · prod-db-01 · ravi.k
[10:42:03] ravi.k@prod-db-01:~$ systemctl status mysqld ● mysqld.service - active (running) [10:42:31] ravi.k@prod-db-01:~$ rm -rf /var/lib/mysql ✖ BLOCKED by policy DB-PROD-014 - destructive command on production target [10:42:31] ⚠ session flagged · SOC notified · recording preserved

Protocol coverage

One gateway for every privileged doorway

Web-rendered sessions to your servers, desktops, network devices and databases - from any modern browser.

SSH servers & network
RDP Windows desktops
VNC remote consoles
Kubernetes kubectl exec
MySQL SQL sessions
PostgreSQL SQL sessions
MS-SQL SQL sessions
MongoDB NoSQL sessions
Telnet legacy devices
SFTP file transfer
HTTPS web admin consoles
+ more expanding coverage

Command audit engine

Policy verdicts for every command

Command control isn't just block-or-allow. Four graduated verdicts let you match control strength to risk.

VerdictWhat happensTypical use
BLOCK + TERMINATE Command is stopped, the session is killed instantly, and the SOC is alerted. Destructive operations on production: rm -rf, DROP DATABASE, destructive changes on network devices.
BLOCK + NOTIFY Command is stopped, session continues, administrators are notified. Risky-but-recoverable actions: service restarts, config edits outside change windows.
JUSTIFY User must enter a business justification before the command executes; justification is logged. Sensitive reads: exporting customer tables, accessing payment logs.
ALLOW + WARN Command runs, user sees a caution, event is highlighted in the audit trail. Discouraged patterns you still permit: sudo to shared accounts, legacy tooling.

Deep-dive: Command Control →

Time-based & JIT access

Privilege that expires by itself

Change-window access

The DBA team gets production database access every Saturday 22:00-02:00 - outside the window, the door doesn't exist.

Incident JIT elevation

An on-call engineer requests emergency root for one hour; approval arrives on the approver's phone; access self-destructs at minute sixty.

Vendor time-boxing

A hardware vendor gets RDP to one jump-target for Tuesday's maintenance - recorded, watermarked, and gone by Wednesday.

Deep-dive: Just-in-Time Access →

Enterprise SSO & federation

Plugs into the identity you already have

Tanflow PAM federates with SAML 2.0 identity providers - including the Tanflow IAM Suite, Azure AD / Entra ID, Okta, Keycloak and ADFS - so privileged access inherits your existing authentication and MFA posture.

Tanflow IAM Suite SAML 2.0 Azure AD / Entra ID Okta Keycloak ADFS Google Workspace Any SAML 2.0 IdP

How Tanflow PAM compares

Feature parity, without the legacy baggage

The honest comparison prospects ask us for - against open-source assemblies and legacy on-premises suites.

Capability Tanflow PAM Open-source stack Legacy on-prem PAM
Zero-agent, browser-based access✔ Built-inPartial - assembly required✘ Agents/clients typical
Credential vault with rotation & injection✔ Built-inSeparate tools to integrate✔ Available
Real-time command control (4 verdicts)✔ Built-in✘ Not availablePremium add-on
Full session recording & replay✔ Built-inBasic logging only✔ Available
Just-in-time / time-based access✔ Built-in✘ Manual scriptingComplex to configure
Database session control (SQL/NoSQL)✔ Built-in✘ Not availableLimited coverage
SAML 2.0 SSO federation✔ Built-inDIY integration✔ Available
Scales across the whole organisation✔ Built-inDIY engineeringLimited by licence tiers
Deployment time2-4 weeksMonths of engineering3-6 months typical
Vendor support & accountability24×7 local OEM✘ Community forumsOffshore ticket queues
Total cost of ownershipLow - infra-basedLow licence, high labourHigh licence + services

Deployment & economics

On your infrastructure, in production fast

ModelOn-prem / private cloudRuns entirely inside your perimeter - including air-gapped environments.
Timeline2-4 weeks to liveDiscover targets, vault credentials, set policies, onboard teams.
ScaleEnterprise scaleFrom one team to the entire organisation on a single deployment.
Support24×7 OEM supportDirect line to the engineering team that builds the product.

See command control in action, live

The 30-minute Tanflow PAM demo: vault a credential, record a session, block a command, replay the evidence.