
TELEPORT ZERO TRUST ACCESS
Teleport gives your engineering teams and machine identities secure, identity-driven access to servers, databases, Kubernetes clusters, cloud consoles, internal applications, and MCP servers — without VPNs, passwords, or static credentials.
ENGINEERING NEEDS IAM AT SCALE
Attackers in the modern threat landscape readily exploit credentials. Infrastructure complexity slows engineers down. At engineering scale, status quo identity and access models create security gaps, cumbersome audits, and cognitive overload for engineers.
Static credentials spread everywhere
VPNs and bastion hosts widen the attack surface
Standing privileges accumulate and persist
Device posture is unknown or ignored
Audit trails are fragmented or incomplete
Improve resiliency, accelerate engineers
Teleport unifies identities and secures access for your entire infrastructure with:
Cryptographically-secured user, machine, and agent identities
Secretless authentication
Ephemeral privileges that expire
Session recording and audit trail
Eliminate secrets with cryptographic identity
Remove static credentials to eliminate the risk of credential theft and reuse, the #1 source of data breaches. Teleport locks down attack surfaces with cryptographic, phishing-resistant identities assigned to all users, machines and workloads, devices, resources, and AI (agents and LLMs).
User identities
Authenticate users without passwords using biometric devices. Add Teleport as a security layer on top of your identity provider or use Teleport's SSO.
Machines & workloads
Issue and govern identities for your CI/CD automation systems, service accounts and microservices, and agentic AI and LLMs leveraging HSM and KMS.
Devices
Assign identities to enrolled TPM-equipped client devices (laptops, workstations, YubiKeys, and more).
Infrastructure
Assign a cryptographic identity to every application, server, database, and cloud resource. Supports SSH, RDP, databases, K8s, clouds, Model Context Protocol (MCP) and more.
Break access silos with a unified inventory of all infrastructure resources, eliminating the need for different access paths, passwords, shared secrets, vaults, or VPNs.
Teleport maintains a self-updating inventory of trusted computing resources, including servers, clouds, databases, Kubernetes clusters, web apps, MCP servers, and Git repositories, and enrolled client devices including laptops, workstations, YubiKeys, and more.
Enforce least-privilege access and lower the operational overhead of managing privileges or enforcing policy.
Teleport replaces passwords, SSH keys, API tokens, and database credentials with ephemeral privileges, granted through short-lived certificates for all resources. These are bound to biometric devices and secure enclaves via Teleport's built-in certificate authority for X.509 and SSH certificates.
Teleport VNet connects identities to internal, non-browser TCP resources without VPNs, port forwarding, or custom DNS entries using familiar tools and workflows — eliminating exposure to the public internet.

Collect all events generated by humans, machines, and agents across your entire infrastructure in one place and export to any SIEM or threat detection platforms (including Teleport Identity Security) for further analysis.

Identity-Based Audit Events: Collect structured, detailed audit events for each session with identity, application and protocol data.
Dual Authorization: Require approval by multiple authorized team members for highly privileged actions (e.g., FedRAMP AC-3 & SOC 2).
Interactive Session Controls: Record, replay, join, and moderate interactive sessions for SSH and Kubernetes.
Session Sharing & Moderation: Require your highly privileged sessions to always include a moderator to prevent production and security incidents.
Live Sessions View: View every active authenticated connection across your entire infrastructure. Intervene if needed.
Session Recording & Playback: Record sessions for detailed review of who accessed what and what took place.
Accelerate Compliance: Teleport provides the access controls required for FedRAMP, SOC 2, ISO 27001, HIPAA, PCI DSS 4.0, NIS2, DORA, and more.
REDUCING INFRASTRUCTURE COMPLEXITY
Teleport secures access for users, machines, and agents across cloud, code, and applications.
BROAD STAKEHOLDER VALUE
Built for modern engineering teams
Discover how GoTo, Indonesia’s largest digital platform, uses Teleport to modernize privileged access for faster engineering and reduced complexity across multi-cloud environments.
Teleport is a strategic technology partner as they help our joint customers to scale their AWS resources in a secure manner. With Teleport’s Identity-Native Infrastructure Access solution, DevOps Engineers get a frictionless experience managing infrastructure that doesn’t require secrets while implementing zero trust architecture in AWS.
We use Teleport Access Requests in combination with Auth0 to easily manage access to our infrastructure. Prior to Teleport, we manually managed SSH keys and a bastion machine and it was an organizational nightmare.
We used to go through multiple steps just to access cloud resources, and now it happens almost instantly. Our engineers are really happy with the significant improvement in their workflow.
Teleport’s vision for Infrastructure Identity is a game-changer for securing hybrid infrastructure.
With Teleport, we were even able to close the Kubernetes API without losing access for our engineers or automation tools. That alone was a huge win.
Teleport allows us to comply with the regulatory hurdles that come with running an international stock exchange. The use of bastion hosts, integration with our identity service and auditing capabilities give us a compliant way to access our internal infrastructure.
The Infrastructure Identity solution from Teleport offers a glimpse into the future of more secure, more resilient, and higher-velocity enterprise computing.
Teleport has made obtaining a FedRAMP-Moderate ATO that much more achievable via their FIPS 140-2 endpoints, ease in integration with our SSO and MFA, and the view into audit logs of remote connection sessions, which provides the appropriate insight for Continuous Monitoring.
Over the many years of using Teleport, it's been an essential piece of my infrastructure to help secure access, and centralize my infrastructure into one dashboard, without having to jump around… I'm not sure how I could go without it.
Discover how Zero Trust Access works, including key concepts, use cases, and more.
Learn how Rush Street Interactive eliminated standing access and open SSH ports while accelerating access provisioning 3x with Teleport.
Discover how Teleport solves AI identity risks with a platform built for the realities of AI-powered infrastructure.
What is Teleport Zero Trust Access?
Teleport Zero Trust Access is an identity-native infrastructure access platform that replaces passwords, SSH keys, API tokens, and static credentials with short-lived X.509 certificates bound to cryptographic identity. It enforces the core zero trust principles - verify explicitly, use least privilege, assume breach - for every connection to servers, databases, Kubernetes clusters, cloud consoles (AWS, GCP, Azure), internal web applications, and MCP servers. Every session is authenticated against role-based policies, scoped to a specific resource, and recorded in a tamper-proof audit trail tied to a verified identity - not an IP address.
How is Teleport different from a VPN?
A VPN grants broad network access after authentication - once connected, a user can reach anything on that network segment, with no resource-level controls and no session attribution. Teleport is an identity-based access platform that grants access to specific resources - a single server, database, or Kubernetes cluster - using short-lived certificates tied to a verified identity. Each connection is a separate authenticated, authorized, and recorded request. Because access is scoped to resources rather than network segments, a compromised session can't be used to move laterally across the environment. Teleport also eliminates the operational overhead of managing VPN configurations, firewall rules, and bastion hosts, replacing them with a single access policy applied consistently across every environment. For the same connectivity experience without a VPN tunnel, see Teleport VNet.
What is Teleport VNet, and how does it replace VPNs?
Teleport VNet intercepts DNS requests for any TCP application or SSH server enrolled in Teleport and proxies connections through Teleport's identity and access controls, handling certificate-based authentication transparently in the background. Engineers connect to internal services by hostname - the same experience as a VPN - without a separate tunnel, internal IP management, custom DNS entries, or firewall reconfiguration. Unlike a VPN, every connection through VNet is individually authenticated, authorized against the user's current role and device posture, and recorded. There are no DNS reconfigurations required, and VNet works consistently across cloud, on-prem, and hybrid environments without per-environment setup.
How does Teleport implement Zero Trust Network Access (ZTNA)?
Teleport implements zero trust network access by issuing short-lived X.509 certificates for every connection, requiring each session to be explicitly authenticated and authorized before reaching any resource. There are no standing privileges, no implicit network trust, and no static credentials to steal or reuse. Access is scoped to individual resources - not network segments - using role-based policies that factor in identity, device posture, and context. Every session is recorded and attributed to a verified identity. Teleport applies these ZTNA principles uniformly across servers, databases, Kubernetes, cloud consoles, and internal applications from a single control plane, rather than enforcing zero trust at the network layer only.
How does passwordless authentication work in Teleport?
Teleport supports passwordless authentication via WebAuthn hardware keys (YubiKey, Touch ID, Windows Hello) and biometric devices. When a user authenticates through their identity provider or directly via Teleport's SSO, they are issued short-lived X.509 certificates tied to their verified identity and enrolled device - these expire automatically at the end of the session, leaving no persistent credentials to steal, rotate, or accidentally expose. Machine identities, CI/CD pipelines, and AI agents authenticate through the same certificate-based model via Teleport's tbot agent, eliminating API tokens and long-lived SSH keys from automation workflows entirely.
What infrastructure resources does Teleport Zero Trust Access protect?
Teleport Zero Trust Access secures connections to Linux and Windows servers (SSH and RDP), databases (PostgreSQL, MySQL, MongoDB, CockroachDB, and more), Kubernetes clusters, AWS/GCP/Azure cloud consoles, internal web applications, MCP servers, and GitHub repositories - all from a single control plane. Resources are enrolled in Teleport and maintained in a self-updating inventory with auto-discovery, so new infrastructure is protected as it spins up without manual configuration. See the full list of supported protocols and resources.
How does zero trust access prevent lateral movement?
Traditional VPNs and bastions grant broad network access after a single authentication event - a compromised credential gives an attacker the same reach as a legitimate engineer, with no additional barriers to moving across the environment. Teleport's zero trust model eliminates implicit network trust entirely: every connection requires a separate authenticated request using a short-lived certificate scoped to one specific resource. There are no standing privileges and no persistent credentials to harvest. Even if a session is compromised, the blast radius is contained to that one resource and that one session, with a full session recording available for forensic review.
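The two answers above (ZTNA and lateral movement) describe the same mechanism: a certificate authority issues a short-lived certificate scoped to one resource, and every connection is checked against both the validity window and that scope, producing an audit record either way. The Go program below is an added illustration of that mechanism using only the standard library; it is not Teleport's code. The CA, the user "alice", the resource names, the 8-hour TTL and the fixed serial numbers are constructed for the example, and encoding the allowed resources as URI SANs (resource://<kind>/<name>) is this example's own convention, not Teleport's certificate format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Issuer is a toy certificate authority standing in for a Teleport-style CA.
// Illustrative code only; it is not Teleport's implementation.
type Issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	pool *x509.CertPool
}

// AuditEvent is the record produced for every access decision, allowed or denied.
type AuditEvent struct {
	User, Resource, Reason string
	At                     time.Time
	Allowed                bool
}

// NewIssuer creates a self-signed CA (constructed for this example; fixed serial).
func NewIssuer() (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &Issuer{cert: cert, key: key, pool: pool}, nil
}

// IssueUserCert issues a certificate for user that is valid for ttl from issuedAt and
// lists the resources it may reach as URI SANs (this example's scoping convention).
func (i *Issuer) IssueUserCert(user string, resources []string, issuedAt time.Time, ttl time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var uris []*url.URL
	for _, r := range resources {
		u, err := url.Parse("resource://" + r)
		if err != nil {
			return nil, err
		}
		uris = append(uris, u)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // fixed for the example; use random serials in practice
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    issuedAt,
		NotAfter:     issuedAt.Add(ttl), // short-lived: no standing credential to harvest
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:         uris,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, &key.PublicKey, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authorize decides one connection at time at: the certificate must chain to the CA,
// be inside its validity window, and be scoped to the requested resource. Every
// decision is returned as an audit event attributed to the certificate's identity.
func (i *Issuer) Authorize(cert *x509.Certificate, resource string, at time.Time) AuditEvent {
	ev := AuditEvent{User: cert.Subject.CommonName, Resource: resource, At: at}
	opts := x509.VerifyOptions{Roots: i.pool, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		ev.Reason = "certificate rejected: " + err.Error()
		return ev
	}
	for _, u := range cert.URIs {
		if u.String() == "resource://"+resource {
			ev.Allowed, ev.Reason = true, "valid certificate scoped to resource"
			return ev
		}
	}
	ev.Reason = "certificate is not scoped to this resource"
	return ev
}

// Scenario issues an 8-hour certificate for one database and makes three decisions:
// in scope within the TTL, a different resource (lateral move), and after expiry.
func Scenario() ([]AuditEvent, error) {
	ca, err := NewIssuer()
	if err != nil {
		return nil, err
	}
	issued := time.Now()
	cert, err := ca.IssueUserCert("alice", []string{"db/prod-postgres"}, issued, 8*time.Hour)
	if err != nil {
		return nil, err
	}
	return []AuditEvent{
		ca.Authorize(cert, "db/prod-postgres", issued.Add(time.Hour)),   // allowed
		ca.Authorize(cert, "ssh/prod-web-01", issued.Add(time.Hour)),    // denied: out of scope
		ca.Authorize(cert, "db/prod-postgres", issued.Add(9*time.Hour)), // denied: expired
	}, nil
}

func main() {
	events, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, ev := range events {
		fmt.Printf("user=%s resource=%s allowed=%t reason=%q\n", ev.User, ev.Resource, ev.Allowed, ev.Reason)
	}
}
```

The point of the three decisions is the blast radius: the same certificate that opens the database cannot open the SSH host, and an hour after its TTL it cannot open anything, while each attempt still leaves an audit event tied to "alice" rather than to a source IP.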
Does Teleport Zero Trust Access support compliance frameworks like SOC 2, FedRAMP, and PCI DSS?
Yes. Teleport enforces the access controls required by SOC 2, FedRAMP, ISO 27001, HIPAA, and PCI DSS 4.0 by default - least privilege access, session recording, MFA, and a complete audit trail - rather than as configuration add-ons. Every privileged session is recorded with full identity attribution, dual authorization can be required for sensitive actions, and structured audit logs are exportable to SIEM platforms. This significantly reduces the manual evidence-gathering work that typically precedes an audit and supports continuous compliance monitoring rather than point-in-time prep.
How does Teleport apply zero trust to machine identities, workloads, and AI agents?
Most zero trust implementations focus on human users and leave machine identities - CI/CD pipelines, service accounts, microservices, and AI agents - relying on static API tokens, SSH keys, and long-lived secrets that are difficult to rotate and easy to compromise. Teleport extends the same certificate-based zero trust model to non-human identities through Teleport Machine & Workload Identity. The tbot agent issues short-lived certificates to machines and workloads under the same policy engine and RBAC controls as human users, with full audit logging and just-in-time access. For AI agents and LLMs accessing infrastructure resources via MCP, Teleport governs and records their sessions the same way it governs engineer access - with automatic expiry and no persistent credentials.
How does Teleport compare to other zero trust access tools like Tailscale and Google IAP?
Both Tailscale and Google IAP solve narrower problems than zero trust infrastructure access and hit meaningful limitations at scale.
Tailscale builds a WireGuard-based encrypted mesh network that improves on traditional VPNs for device connectivity - but it still operates at the network layer. Once a device is on the tailnet, access is governed by IP-based ACLs rather than per-resource identity policies. There is no native session recording, no identity-attributed audit trail, and no just-in-time access to individual resources. A compromised device on the tailnet still has broad network reach.
Google IAP is a GCP-native proxy that handles authentication for web applications running on Google Cloud. It works well within that boundary, but it doesn't extend to SSH, databases, Kubernetes, or on-prem infrastructure, can't govern non-human identities with the same policy engine, and produces no session recordings or structured audit logs. Teams running multi-cloud or hybrid environments have to layer additional tools to cover the gaps.
Teleport operates at the identity and resource layer across all environments - issuing short-lived certificates per connection, enforcing least privilege against role-based policies, recording every session, and applying the same controls to humans, machines, and AI agents regardless of whether the target resource is on GCP, AWS, Azure, or on-prem. See the full comparisons: Teleport vs. Tailscale and Teleport vs. Google IAP.