One privileged access gateway platform
Ixiea is not a point tool. It is the control plane for how humans, vendors, and workloads reach production. Brokering, recording, MFA, and audit evidence share one policy engine.
Gateway
Choke point
MFA
Login + SSH
Recording
Screen + keys
Audit & evidence
Logs · playback · export
Sessions enter once. Every layer enforces together.
Days to first brokered session
Helm or Compose deploy, not a six-month agent rollout
One gateway for every protocol
SSH, RDP, databases, and Kubernetes through one policy engine
Exportable audit evidence
Session metadata, command logs, and recordings for GRC and SIEM review
Self-hosted control plane
Run on your infrastructure, no mandatory SaaS lock-in
Platform modules
Four capabilities, one policy engine
Access Gateway
Broker SSH, RDP, databases, and Kubernetes through one identity-bound control plane.
Session Recording
Keystroke, screen, and file capture at the gateway, bound to named identities.
Multi-Factor Authentication
Gateway-enforced MFA for web login, SSO, and SSH, OTP, passkey, SMS, and more.
Audit & Evidence
Session playback, command audit, login logs, and SIEM-ready exports for compliance review.
Complete PAM coverage
Gateway-first delivery, full privileged-access toolkit
Ixiea leads with a single enforcement choke point. Underneath is the same PAM surface area buyers expect, authentication, authorization, account governance, and audit, without a separate agent on every target.
Authentication
LDAP and Active Directory, SAML, OIDC, OAuth, and CAS for primary login, plus gateway MFA for web, SSO, and SSH.
Authorization
RBAC, just-in-time grants, login ACLs, command filter rules, and ticket-based approvals before connect or command execution.
Account management
Discover accounts on assets, rotate passwords on schedule, push credentials to targets, and broker secrets at connect time.
Audit & monitoring
Session recording and playback, live session oversight, command and login logs, and syslog or SIEM forwarding.
Why teams choose the platform model
Gateway-first enforcement
Every privileged path terminates at Ixiea. MFA, policy, and recording happen at the choke point, not on targets operators control.
Identity-bound by default
Entitlements follow people and workloads from your IdP. No shared accounts, no orphan keys, no standing vendor tunnels.
Evidence auditors recognize
Structured exports feed GRC tools and SIEMs. Reviewers get playback and metadata in one pass, not a folder of correlated syslog.
Your infrastructure, your data
Run the control plane on-prem or in your cloud. Open-source tier available. No mandatory SaaS lock-in.
Product guides
Architecture, deployment, and protocol deep-dives
Conceptual guides for architects and security leads, separate from operational documentation. Start with architecture and your first session, then explore authorization and protocol paths.
Platform architecture
Ixiea control plane: core API, protocol connectors, recording pipeline, and audit store.
PlatformDeployment models
Standalone, active/standby, horizontal scale, and multi-region gateway, when each fits.
QuickstartYour first privileged session
Fifteen-minute path from install to a brokered, recorded, identity-bound session.
PlatformSession authorization model
How users, targets, accounts, protocols, and time windows combine into enforceable grants.
PlatformCommand & connection control
Graduated enforcement for commands and connections, permit, block, approve, mask, or alert at the gateway.
CapabilityIdentity-bound policy
Entitlements follow people and roles from your IdP, not network location or shared accounts.
Learn more
What is a privileged access gateway?
Session brokers sit between identities and targets, enforcing policy, injecting credentials, and recording activity. They are the modern replacement for bastion fleets and vault checkout workflows.
Ready to evaluate?
See the platform on your architecture
Walk through gateway brokering, recording, and audit exports in a working session, or browse the illustrated product flow first.