A no-compromise cloud service for zero trust access

Our cryptographic multi-root zero-trust access protocol allows us to offer you a cloud service for remote access, without needing privileged access to your targets. So you can simplify your life without having to compromise on security.

Zero trust in the cloud

For Linux

BastionZero integrates directly into your SSH workflows without VPNs, SSH keys or open SSH ports.

For Kubernetes

BastionZero integrates with your k8s workflows, adds SSO, MFA + policy control, and logs your kubectl commands and exec.

For Webservers

With BastionZero, your users can access internal applications that are invisible to the public internet, without requiring a VPN.

For Databases

BastionZero integrates with your DB workflows, allowing fine-grained visibility and control into who is looking at and touching your sensitive data.

Zero Trust Access via SSO + MFA

BastionZero automatically integrates with your existing SSO, so you can easily control users’ access to your targets in any cloud or on-prem environment via SSO. An additional independent MFA to BastionZero’s cloud service ensures that your targets are secure even if your user SSO is compromised.

Multiple roots of trust

BastionZero splits control of your targets between two independent roots of trust: your Single Sign On (SSO) and our cloud service. No one can access your infrastructure without the consent of both roots of trust. That means you can outsource remote access to our cloud service, without worrying that our cloud service will create a point of compromise for your infrastructure.

Centralized policy management

You can write fine-grained policies that control access to your targets via a single web console or API endpoint. BastionZero makes it easy to control exactly which user can assume which role/account on which target, across all your different clouds and environments.

Centralized logging

BastionZero’s cloud service logs who accessed which role/account on a target, along with what they did to the target. We support your forensics and compliance requirements by providing searchable command logs along with session recordings. And we even log what your users are doing inside kubectl exec.

BastionZero QuickStart: Deploy in seconds

Install the zli
The zli pulls a list of your targets from your existing SSH config.
Authenticate to your SSO
This automatically creates your BastionZero account.
Autodiscover your targets
The zli deploys the bz-agent to your targets, which then phone home to the BastionZero service.

Add the BastionZero charts repository to helm
Install bctl-agent chart
Autodiscover the cluster!
The bz-container phones home to our cloud service. Users can connect to the cluster via kubectl or our zli!
Add our repo to helm
This configures an open-source bz-container on your cluster.

Set up SSH config on your local machine
Start the tunnel
Access with your db client
Set up local port forwarding
Start an SSH tunnel to your DB
Access without changing your existing DB workflow

BastionZero autodiscovers your targets

No more open ports or VPNs

Each target phones home to the cloud service via a secure TLS websocket. That way, BastionZero can discover targets that are invisible to the public Internet. The target is locked down (even without a VPN) because it does not accept incoming connections.

No more long-lived credentials

Configuring long-lived credentials for short-lived targets or infrastructure as code can be tricky to manage and secure. But with BastionZero, no keys are required. Instead, your targets phone home and are autodiscovered by BastionZero as they spin up.

See it for yourself.

Sign up for a demo.
