Tanflow PAM · Capability
Command Control
A firewall for keystrokes: every command in a privileged session is inspected against policy before it executes.
Overview
Stop destructive commands before they execute
Session recording tells you what happened. Command control changes what happens. The Tanflow command audit engine parses terminal and SQL input in real time and applies one of four graduated verdicts - from silent allowance to instant session termination.
Commands are parsed in-line at the gateway - pattern, target, account and time-of-day all feed the policy decision.
BLOCK + TERMINATE, BLOCK + NOTIFY, JUSTIFY, and ALLOW + WARN - matched to the risk of the operation, not one blunt switch.
Understands database sessions: block DROP/TRUNCATE on production, demand justification for bulk SELECTs on sensitive tables.
Policy rules for switches, routers and firewalls reached over SSH or Telnet: block configuration wipes and disruptive commands before they execute.
Author policies once, apply them across connection groups - production vs. staging, OT vs. IT, vendor vs. employee.
Sensitive commands pause for a typed business reason; the reason is stored beside the command in the audit trail.
Why it matters
Outcomes you can put in front of an auditor
- Destructive commands on production physically cannot execute
- Fat-finger incidents become blocked events, not outage postmortems
- Vendor sessions constrained to exactly the commands their job needs
- Justifications turn grey-area access into documented decisions
- Command-level evidence exceeds what most regulators dare to ask for
Part of Tanflow PAM
This capability is built into Tanflow PAM - the zero-agent privileged access platform that deploys in 2-4 weeks on your infrastructure.
Explore the full platform →FAQ
Common questions
Does command inspection add latency to sessions?
Inspection happens in-line at the gateway with negligible overhead - policies are evaluated in microseconds, imperceptible at human typing speed.
Can users bypass control with aliases or scripts?
Policies match on expanded command semantics and can restrict script execution and shell escapes themselves - and everything, bypass attempts included, is recorded.
See Command Control in action
A focused demo against your environment and your compliance requirements.