Tanflow IAM Suite & PAM - enterprise identity and privileged access security for the modern enterprise. Get a Demo →

Tanflow PAM · Capability

Command Control

A firewall for keystrokes: every command in a privileged session is inspected against policy before it executes.

Overview

Stop destructive commands before they execute

Session recording tells you what happened. Command control changes what happens. The Tanflow command audit engine parses terminal and SQL input in real time and applies one of four graduated verdicts - from silent allowance to instant session termination.

Real-time inspection

Commands are parsed in-line at the gateway - pattern, target, account and time-of-day all feed the policy decision.

Four graduated verdicts

BLOCK + TERMINATE, BLOCK + NOTIFY, JUSTIFY, and ALLOW + WARN - matched to the risk of the operation, not one blunt switch.

SQL-aware policies

Understands database sessions: block DROP/TRUNCATE on production, demand justification for bulk SELECTs on sensitive tables.

Network device safeguards

Policy rules for switches, routers and firewalls reached over SSH or Telnet: block configuration wipes and disruptive commands before they execute.

Policy groups & inheritance

Author policies once, apply them across connection groups - production vs. staging, OT vs. IT, vendor vs. employee.

Justification workflow

Sensitive commands pause for a typed business reason; the reason is stored beside the command in the audit trail.

Why it matters

Outcomes you can put in front of an auditor

  • Destructive commands on production physically cannot execute
  • Fat-finger incidents become blocked events, not outage postmortems
  • Vendor sessions constrained to exactly the commands their job needs
  • Justifications turn grey-area access into documented decisions
  • Command-level evidence exceeds what most regulators dare to ask for

Part of Tanflow PAM

This capability is built into Tanflow PAM - the zero-agent privileged access platform that deploys in 2-4 weeks on your infrastructure.

Explore the full platform →

FAQ

Common questions

Does command inspection add latency to sessions?

Inspection happens in-line at the gateway with negligible overhead - policies are evaluated in microseconds, imperceptible at human typing speed.

Can users bypass control with aliases or scripts?

Policies match on expanded command semantics and can restrict script execution and shell escapes themselves - and everything, bypass attempts included, is recorded.

See Command Control in action

A focused demo against your environment and your compliance requirements.