Zero Trust · No open ports · No credentials

Zero Trust access to every server, cluster and database you run

Install one agent and give your team Zero Trust access to every host, database, Kubernetes cluster and internal app — without opening a single inbound port or handing out credentials. Access is granted just-in-time, every session is recorded and replayable, and live CPU, RAM, disk, process and network metrics stream straight to your console.

Lightweight single binary · < 30 MB RSS · Linux & macOS

subnomic: connected to 24 hosts · web-prod-03: CPU 62%, memory 11.2 / 16 GB, disk 68%, net 240 Mb/s · active SSH sessions: 3 recorded · rbac: enforced

0 inbound ports opened · 0 standing credentials · 100% sessions recorded · <2m to first host online

SOC 2-ready controls · End-to-end encrypted · Passwordless sign-in · Just-in-time access · Session replay · Audit logging

Platform

Zero Trust access, observability included

Subnomic replaces bastions, VPNs and shared SSH keys with one secure agent — and streams full server telemetry while it's at it.

Zero Trust SSH

Reach any host through the agent's outbound tunnel — port 22 stays closed to the world. Every connection is verified, scoped and time-boxed before a shell is ever granted.

Session recording & replay

Every SSH session is captured keystroke-by-keystroke and replayable like a video. Search, scrub and review exactly what happened — perfect for audits and incident response.

Granular RBAC

Map users to hosts and actions with least privilege. Decide who can connect where, who can run what, and when access expires — all from one policy model.

Real-time server metrics

Live telemetry from every host, with history and alerting out of the box. Know exactly what your fleet is doing the moment it happens.

CPU load & per-core · RAM & swap · Disk usage & I/O · Top processes · Network interfaces

One lightweight agent

A single self-updating binary you install once. It dials out over TLS and needs no inbound firewall changes — access and metrics, all from the same agent.

Zero Trust database access

Reach Postgres, MySQL, Redis and Mongo through the agent — no credentials handed out. Every query is RBAC-scoped, guardrail-checked and recorded for replay.

Internal app access

Open internal dashboards and web apps over the same outbound tunnel — no VPN, no inbound ports. Access is scoped by RBAC and gated by approvals.

Just-in-time access & approvals

No standing access. Users request what they need, reviewers sign off, and grants expire automatically — with a logged break-glass path for emergencies.

Passwordless identity

Sign in with passkeys and WebAuthn (FIDO2) — nothing to phish or reuse. TOTP two-factor with recovery codes covers any account that still uses a password.

Search & command palette

Hit ⌘K to jump to any server, resource, database or app. Full-text search returns permission-scoped results across your whole workspace in an instant.

New · Now available

Databases, internal apps, Docker & Kubernetes — now available

The same Zero Trust agent now reaches far beyond SSH — query Postgres, MySQL, Redis and Mongo, open internal dashboards and web apps, and manage Docker and Kubernetes resources. Everything is governed by RBAC, guardrail-checked and recorded, with no credentials, kubeconfig or Docker socket exposed.

Databases · Internal apps · Docker · Kubernetes

Identity

Unified identity.
No credentials.

Stolen keys, shared passwords and forgotten access tokens cause most breaches. Subnomic removes them entirely. Strong cryptographic identity, privileges that expire on their own, and one model that establishes trusted interactions between humans, machines and AI agents.

01 · Cryptographic identity

Every human, machine and agent is bound to a hardware root of trust. There are no passwords, API keys or secrets to phish, leak or reuse — identity is proven by cryptography, not by what someone knows.

02 · Ephemeral privileges

Access is granted just-in-time and expires automatically. With no standing privileges, there's nothing for an attacker to harvest and the lateral attack surface collapses toward zero.

03 · Agentic control

The same identity and access model extends to AI agents and MCP tooling. Autonomous workloads get scoped, auditable, time-boxed access — never a long-lived key — so automation stays safe by default.

Risk reduced to zero by design. No open ports to scan. No credentials to steal. No standing access to escalate. What doesn't exist can't be breached.

Your server (Subnomic agent, no listening ports) → outbound TLS, encrypted → Subnomic control plane (policy + audit)

The agent always initiates the connection. Attackers have no port to reach — even if they know your IP.

Security

Secure access without the attack surface

Most breaches start with an exposed port or a leaked SSH key. Subnomic removes both. Access flows through the agent's outbound tunnel, scoped by policy and logged end to end.

  • No inbound ports. Nothing to port-scan, nothing to brute-force.

  • Full session recording. Replay any SSH or command session for audit and incident review.

  • Granular RBAC. Roles map users to hosts, namespaces and actions with least privilege.

  • Encrypted everywhere. TLS in transit, and sensitive data encrypted at rest.


Take control of your fleet

Spin up Zero Trust access to your servers, databases, clusters and internal apps in minutes — free to start. Or book a demo to see it in action.