Roadmap

Where Subnomic is headed

A transparent look at what's shipped, what we're building now, and what's further out. Directions, not promises.

Shipped

Foundation

  • Zero Trust SSH — outbound agent tunnel; reach any host with port 22 closed to the world.
  • Session recording & replay — keystroke-by-keystroke capture, scrub and replay for audits.
  • Granular RBAC — least-privilege roles mapping users to hosts and actions.
  • Real-time metrics — live CPU, RAM, disk, processes and network with history and alerting.
Shipped

Container & cluster resource management

  • Docker resource management — browse, inspect and exec into containers, manage images and volumes; policy-checked and recorded, no Docker socket exposed.
  • Kubernetes resource management — view and manage pods, deployments and workloads, exec into pods and roll deployments — no kubeconfig leaves your cluster.
  • Granular RBAC for resources — the same least-privilege roles govern who can view or change each container and cluster resource.
Shipped

Beyond SSH: databases & internal apps

  • Zero Trust database access — reach Postgres, MySQL, Redis and Mongo through the agent; every query recorded and RBAC-scoped, with no database credentials handed out.
  • Internal app & service access — open internal dashboards and web apps over the same outbound tunnel — no VPN, no inbound ports.
  • Kubernetes API proxy — full kubectl through Zero Trust, governed by RBAC and recorded — not just pod exec.
Shipped

Access control, approvals & guardrails

  • Approval workflows — just-in-time access requests with reviewer sign-off and automatic expiry.
  • Break-glass access — a logged emergency path with heightened audit and instant approver notification.
  • Live session monitoring & takeover — watch an active session in real time, then inject input or terminate it.
  • Command & query guardrails — allow/deny lists and approval gates for database queries and interactive SSH commands, with secrets redacted from recordings.
Shipped

Passwordless identity & 2FA

  • Passkeys / WebAuthn — FIDO2 sign-in bound to a hardware root of trust — no passwords to phish or reuse.
  • Two-factor authentication — TOTP with recovery codes for accounts that still use a password.
  • Scoped API keys — tenant-scoped keys for automation and CI, governed by the same RBAC.
Shipped

Search & command palette

  • ⌘K command palette — jump to any server, resource, database or app from one keystroke.
  • Full-text search — instant, permission-scoped results across your whole workspace.
Shipped

Scheduled tasks

  • Scheduled commands & jobs — queue a command, script or service update to run on a host at a chosen time, once or on a recurring schedule.
  • Recorded & governed — every scheduled run is RBAC-scoped and captured for audit, just like a live session.
Shipped

Detection & compliance

  • Anomaly detection — behavioral alerts on unusual sessions: off-hours access, new hosts, mass file or data operations.
  • Compliance evidence packs — turnkey SOC 2, ISO 27001, HIPAA and PCI exports with access reviews on demand.
  • Tamper-evident audit — cryptographically signed logs you can stream to Slack, PagerDuty, a SIEM or a webhook.
Shipped

Agentic access

  • Agentic access for MCP — scoped, time-boxed, auditable access for AI agents and MCP tooling.
  • AI session summaries — every recording distilled into a plain-language summary of what changed.
  • Subnomic AI assistant — ask “who touched prod last week?” and get an answer across sessions and commands.
Planned

Platform & reach

  • Windows agent — bring Zero Trust RDP and WinRM to Windows fleets alongside Linux and macOS.
  • Mobile approvals — approve or deny just-in-time access requests from your phone.
Planned

Identity & SSO

  • SSO & SAML — sign in through your identity provider — no separate Subnomic passwords.
  • SCIM provisioning — auto-provision and de-provision users and roles as your directory changes.

Have a feature request? Get in touch — roadmap priorities are shaped by what teams ask for.