Get a DemoIdentity Behavior & Context
See exactly what every identity did, and why.
Real-time behavior monitoring across humans, machines, and AI — with full session context, risk signals, and timeline clarity — to act in minutes, not hours.
WHAT YOU CAN'T SEE, YOU CAN'T STOP
Investigation used to take hours.
Now it takes minutes.
Security teams today stitch together logs from Okta, AWS, GitHub, and infrastructure by hand. Teleport unifies the full identity chain into one timeline — with context already attached.
 Teleport Identity Behavior & Context | Traditional Log Analysis
|
|---|---|
One unified identity chain from IdP through cloud, code, and infrastructure access | Identity logs live in Okta, AWS CloudTrail, GitHub, and Kubernetes — each needing a separate query |
AI-generated session summaries surface what happened, what was unusual, and what to check | Reconstructing a session means parsing raw logs — hours of manual work per incident |
Every agent action — prompts, queries, tool calls, data touched — logged with full identity context | AI agent and MCP tool sessions produce no structured audit record at all |
50+ identity vulnerability types monitored continuously — alerts fire in real time | Anomaly detection requires custom SIEM rules that lag weeks behind new threat patterns |
One-click identity lock terminates all active sessions across every Teleport-managed resource | Locking a compromised user means manual revocation across every connected system |
OUTCOMES
Realtime visibility and intelligence
Gain Visibility
100%
of identity activity — human, machine, and AI — in one timeline
0
sessions invisible to your security team
Accelerate Response
Minutes
to investigate a security incident vs. hours of log correlation
50+
identity vulnerability types with realtime continuous detection
Reduce Risk
1-click
to lock an identity and terminate all active sessions everywhere
0
manual revocation steps across connected systems
AI Session Summaries with Timeline & Risk
Read summaries, not logs.
Teleport generates a plain-language summary of every session — SSH, Kubernetes, database, cloud console, and agentic AI — highlighting access events, commands, and anomalies, with full identity timeline context.
Surface key actions and commands without manual log review
Flag risk signals — volume anomalies, privilege escalations, off-hours access
Lock identities (human or machine) to prevent new connections
Inspect identity timeline across auth, cloud, and infra
Accelerate forensics with AI-generated incident narrative
Identity Context for Detection & Response
Context your SIEM doesn't give you.
Response time to detected threats depends on context — what does an identity typically access, what's anomalous? Teleport surfaces that context instantly, alongside the controls to act: lock the identity, terminate the session, kill the agent.
Continuous monitoring of 50+ identity vulnerability types
Real-time detection of privilege escalation, lateral movement, and anomalous access
1-click identity lock across SSH, K8s, DB, & cloud sessions
Structured audit export to SIEM and SOAR workflows
CLI for Agents — Advanced Insights
Query behavior like a database.
Access Graph allows security and platform engineers to explore complex questions about who can access what, trace lateral movement paths, and investigate privilege chains — without writing custom SIEM logic.
SQL Editor for querying identity-to-resource relationships in real time: roles, groups, permissions, and access paths
CLI-native workflow for engineers who don't want a dashboard
Graph Explorer for visual traversal of identity-to-resource relationships
Crown Jewels designation for monitoring of the most critical assets
Key Capabilities
AI Session Summaries
Plain-language summaries of every session — human, machine, or AI agent — with risk signals and identity timeline context.
Access Graph & SQL Editor
Visual and query-based exploration of real-time identity-to-resource relationships across your entire infrastructure.
Identity Chain Observability
Unified view tracing every identity across Okta, GitHub, AWS, and infrastructure access — correlated in one timeline.
50+ Anomaly Detections
Continuous monitoring for privilege escalation, lateral movement, standing privileges, unmanaged keys, and more.
1-Click Identity Lock
Immediately terminate all sessions and block new connections for any identity — human, machine, or AI agent.
Crown Jewels Monitoring
Designate your most critical resources for priority alerting and access path monitoring. Know the moment anything changes.
Within fifteen minutes of deployment, we flagged two engineers whose accounts retained super-admin maintainer rights across 1,800 repos — far beyond their intended read-only access.
Teleport customer
as reported by Ben Arent, Director of Product, Teleport
Ready to Teleport?
DIVE DEEPER
Frequently Asked Questions
What identity vulnerability types can Teleport alert on?
Teleport provides 50+ pre-built identity security detections that automatically create alerts for suspicious identity-related activities across your infrastructure, including AWS, GitHub, and Okta
- AWS: Root account activity, CloudTrail/GuardDuty/flow log deletions, EBS encryption changes, public DB snapshots, IAM user creation, credential policy modifications
- GitHub: SAML/MFA/OAuth policy changes, branch protection overrides, repository visibility changes, secret scanning alerts, 26 advanced security feature change sub-types
- Okta: Admin MFA disabled, OAuth token reuse, rate limit violations, API token lifecycle, dormant account access, excessive MFA failures, support-initiated resets
- Teleport: Root SSH sessions, authentication without MFA, unusual failure patterns, role mutations, connector updates, unusual session commands
- Cross-platform: impossible travel detection across GitHub, Okta, and Teleport
How does Teleport correlate identity activity across systems?
Teleport ingests and standardizes audit logs from AWS, GitHub, Okta, and Teleport into a single queryable store. It combines activities from the same identity across platforms, correlates events, and runs an alerting engine that detects irregularities and provides contextual insights during incident response.
How does Teleport generate automated session recording summaries?
After a recorded SSH, Kubernetes, or database session ends, Teleport matches it against configurable policies and sends qualifying recordings to an external inference provider (OpenAI or Amazon Bedrock) for automatic summarization. Policies control which sessions are summarized based on session kind, participants, resource labels, and user traits. AI features are never enabled without explicit consent.
What happens when a compromised identity is locked?
When an identity is locked in Teleport, all existing sessions matching the lock target are immediately terminated and new sessions are rejected while the lock is in force. Supported targets include specific users, roles, servers, desktops, and MFA devices. Locks can be scoped and time-limited for safe rollback.
What does Teleport detect and alert on?
Teleport provides pre-built security alerts for suspicious identity-related activities. These detections monitor events from Teleport and integrated services like AWS, GitHub, and Okta to identify potential security risks, including unusual authentication patterns, privilege escalations, configuration changes, account compromises, or policy violations.
What is the Graph Explorer in Teleport?
The Graph Explorer view in Teleport is a visual interface that illustrates identity-to-resource access patterns, including allow paths, deny paths, temporary actions from Access Requests, and resource groups. Users can filter by right-clicking a role or resource and narrowing to specific paths, and Teleport.
What is the SQL Editor in Teleport?
The SQL Editor is a Teleport feature that provides a SQL-like query interface to explore live identity-to-resource relationships. Users can query to analyze connections between identities, user groups, and actions without building custom SIEM logic.
What are Crown Jewels in Teleport?
Crown Jewels is a Teleport feature that tracks access changes to designated critical resources or users. When a resource is marked as a Crown Jewel, Teleport emits audit events any time its access path changes, displayed in a diff format showing added and removed nodes.
How does Teleport audit AI agents and MCP sessions?
Agents receive the same session recording, RBAC, and locking controls applied to human and machine identities. Teleport secures infrastructure including SSH servers, Kubernetes clusters, databases, or MCP servers when accessed by agents, ensuring all queries, commands, and requests executed by the agent are logged and auditable.
Can Teleport export identity data to existing SIEM or SOAR tools?
Yes, you can export Teleport audit events via HTTP to Splunk, Datadog, Elastic, and Panther. Teleport supports long-term S3 storage with Amazon Athena queries and ingests CloudTrail, EKS audit logs, and data from Okta and GitHub alongside Teleport's own events.