A proxy-driven control plane that ties every privileged session to an identity, an authorization, and a ticket — across AD, Linux, Kubernetes, every major database, and cloud IAM, built on three composable provider layers.
Three independent, swappable, auditable layers. This is what lets one platform speak natively to AD, Linux, Kubernetes, databases, and cloud — without bolt-ons.
How the operator proves identity. SSO, MFA, hardware keys, contextual policy. Pluggable.
JIT identity on the target — AD users, Linux users, K8s service accounts, DB roles, cloud principals. Created at session start, removed at end.
How that identity authenticates. Short-lived ADCS certs, SSH certs, X.509 to the K8s API, cloud STS tokens, time-bound DB credentials.
Each surface is reached through identity-aware protocol mediation — not a thin connector. The mediation layer speaks each system's native protocol and carries identity, role, authorization, and ticket context all the way to the target. That is why the same model holds whether the surface is Oracle, a Kubernetes cluster, or a Windows host: the authorization that issued the ticket stays bound to the action through to the audit record.
First-class support — not screen scraping, not generic SSH.
| Surface | Protocols | JIT Identity | Cert-based Auth | Full Session Capture |
|---|---|---|---|---|
| Windows / Active Directory | RDP, WinRM | ✓ | ✓ ADCS / PKINIT | ✓ |
| Linux servers | SSH | ✓ | ✓ SSH cert | ✓ |
| Kubernetes | kubectl exec, API | ✓ | ✓ X.509 | ✓ |
| Databases (see full list below) | Oracle · SQL Server · Db2 · PostgreSQL · MySQL · MariaDB · MongoDB | ✓ | ✓ | ✓ full SQL |
| Cloud IAM | AWS · Azure · GCP | ✓ | ✓ STS / federation | ✓ |
Every major engine — on-prem and across AWS, Azure, and GCP. Same proxy. Same JIT identity model. Same audit trail.
| Environment | Supported databases |
|---|---|
| On-Prem | Oracle Database · Microsoft SQL Server · IBM Db2 LUW (Linux · AIX · Windows) · PostgreSQL · MySQL · MariaDB · MongoDB |
| AWS | Amazon RDS for Oracle · Amazon RDS for SQL Server · Amazon RDS for PostgreSQL · Amazon Aurora PostgreSQL · Amazon RDS for MySQL · Amazon Aurora MySQL · Amazon RDS for MariaDB · Amazon DocumentDB |
| Azure | Oracle Database@Azure · Azure SQL Database · Azure SQL Managed Instance · Azure Database for PostgreSQL · Azure Cosmos DB for PostgreSQL · Azure Database for MySQL · Azure Cosmos DB for MongoDB |
| GCP | Google Cloud SQL for SQL Server · Google Cloud SQL for PostgreSQL · AlloyDB · Google Cloud SQL for MySQL |
| Multi-cloud / SaaS | MongoDB Atlas · MariaDB SkySQL |
Coverage on every engine includes JIT database identities, certificate-based or short-TTL credential issuance, proxy-enforced sessions, and full SQL-level query capture.
Operators find the asset they need in the Veqtorix catalog and pick how they want to work. Every path enforces the same JIT identity, the same proxy, the same recording — so the operator's tool of choice never costs you control.
Browser-based RDP, SSH, or SQL. Zero install. Fully recorded.
veq connect <asset> opens a session in the operator's terminal. Scriptable, brokered through the proxy.
Download a short-lived ticket and connect with the tool you already use — PuTTY, mstsc, SSMS, Toad, DBeaver, pgAdmin, MongoDB Compass, kubectl. The proxy enforces.
# The catalog → ticket → native tool path operator opens Veqtorix catalog │ ├─ searches for asset e.g. prod-db-finance ├─ picks role policy enforced at proxy └─ chooses "Download session ticket" │ ▼ Veqtorix issues: • short-lived certificate / wallet / kubeconfig • proxy endpoint to point the tool at • session TTL (e.g. 60 minutes) │ ▼ operator opens SSMS / Toad / PuTTY / DBeaver / mstsc and connects through the proxy — JIT identity created, full session recorded, identity torn down at disconnect.
DBAs and sysadmins keep their tooling. That is the difference between PAM that gets deployed and PAM that gets reverted.
Veqtorix integrates with the change-management system you already run — ServiceNow, Jira Service Management, BMC Remedy — as the authorization layer for privileged access. The CR ticket is the source of truth. No parallel approval graveyard inside the product.
# When a role requires authorization operator requests access to prod-db-finance │ ▼ Veqtorix queries ServiceNow (or your CR system) │ ├─ is there an active change ticket? ├─ does it cover this server / asset? ├─ does it cover this user? └─ are we inside the approved time window? │ ▼ all four → access granted, JIT identity issued, session recorded any one fails → access denied, denial logged against ticket lookup
Your existing change tickets — with the policies, approvers, and SLAs already around them — become the authorization layer for privileged access. One source of truth. One audit answer.
The proxy captures every session in full — that is one reason the proxy exists. After it ends, the platform compares actual activity against the authorizing change ticket. Schema change on a service-restart ticket? You see the deviation in the report, with the recording attached, before the auditor does. Informational, not blocking.
Every privileged session flows through a Veqtorix proxy. The target system never sees a user-held credential. The auditor never has to trust a client agent.
# What actually happens, on every session operator ──▶ [ Veqtorix proxy ] ──▶ target │ ├─ enforces policy at protocol layer ├─ injects short-lived credential ├─ records keystrokes / queries / commands ├─ signs the session record └─ tears down identity on disconnect
For SOX, PCI, HIPAA — every privileged query, every JIT identity, every session, across every engine and environment listed above. End-to-end.
# Auditor question "Who altered the customers table on prod-db-postgres in the last 90 days?" # Veqtorix answer ▸ User: jane.doe@bank.example ▸ JIT account: jit-jdoe-7f3a (existed 09:00 → 10:00 UTC, 2026-04-12) ▸ Path: proxy-east-1 ▸ Statement: ALTER TABLE customers ADD COLUMN ssn VARCHAR(11); ▸ Auth: cert-based, ADCS-issued, 30-min TTL ▸ Recording: available · cryptographically signed