MANAGED TELEPORT
Kill the bastion. Kill the static SSH key. Keep the audit trail.
Certificate-based zero-trust access for SSH, Kubernetes, databases, RDP, and cloud consoles — deployed in your cloud, integrated with your IdP, and operated by senior engineers as a dedicated extension of your team.
What you get
Six capabilities mapped to outcomes you can measure.
Certificate-based access
Short-lived X.509 and SSH certs minted per session from your IdP. No static SSH keys, no shared passwords, no vault rotation playbook to maintain.
One control plane, every protocol
SSH, Kubernetes, Postgres / MySQL / Mongo / CockroachDB, RDP, internal web apps, and AWS / Azure / GCP consoles — all gated by the same RBAC role.
Just-in-time access
Engineers escalate to privileged roles for a bounded window with Slack or PagerDuty approval. Standing prod sudo becomes the exception, not the default.
Session recording + structured audit
eBPF-level SSH session telemetry, full kubectl exec capture, and database query logs streamed to your SIEM. Auditor evidence stops being a screenshot exercise.
Hardware-backed identity
Per-session MFA, WebAuthn / FIDO2, YubiKey enforcement, and PIV / CAC smart-card login. HSM-backed CA keys on Enterprise for FedRAMP and FIPS workloads.
Identity-provider native
SSO into Okta, Microsoft Entra ID, Google, Keycloak, or GitHub. Group-to-role mapping is Terraform-managed, not console-clicked, so policy drift stays visible.
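The just-in-time model above (privileged roles reachable only through an approved Access Request) and the Terraform-managed group-to-role mapping are the two things a monthly access-posture report checks first: which roles hand out root on prod by standing grant straight from an IdP group, and which are JIT-only. The script below is an added example written for this page, not Teleport's or ThinSky's own tooling. It assumes the JSON shape that `tctl get roles --format=json` returns and the `claims_to_roles` list of an OIDC connector; the four roles and the group mapping are constructed.

```python
"""Access-posture check over Teleport role definitions (added example).

Assumption: roles have the JSON shape that `tctl get roles --format=json`
emits (kind/version/metadata/spec with spec.allow.logins, spec.allow.node_labels,
spec.allow.request.roles and spec.options.require_session_mfa). All role and
mapping data below is constructed for this example.
"""
import json

# Constructed: four roles. "legacy-ops" is the weak shape (standing root on
# every node, mapped straight from an IdP group); "prod-admin" is the JIT shape.
ROLES_JSON = """[
  {"kind": "role", "version": "v7", "metadata": {"name": "engineer"},
   "spec": {"allow": {"logins": ["ubuntu"], "node_labels": {"env": ["dev", "staging"]},
                      "request": {"roles": ["prod-admin"], "thresholds": [{"approve": 1, "deny": 1}]}},
            "options": {"max_session_ttl": "8h0m0s"}}},
  {"kind": "role", "version": "v7", "metadata": {"name": "prod-admin"},
   "spec": {"allow": {"logins": ["root"], "node_labels": {"env": "prod"}},
            "options": {"max_session_ttl": "1h0m0s", "require_session_mfa": true}}},
  {"kind": "role", "version": "v7", "metadata": {"name": "legacy-ops"},
   "spec": {"allow": {"logins": ["root"], "node_labels": {"*": "*"}},
            "options": {"max_session_ttl": "30h0m0s"}}},
  {"kind": "role", "version": "v7", "metadata": {"name": "reviewer"},
   "spec": {"allow": {"review_requests": {"roles": ["prod-admin"]}}, "options": {}}}
]"""

# Constructed: the claims_to_roles block of an OIDC connector, i.e. what an
# IdP group membership turns into at login.
CLAIMS_TO_ROLES = [
    {"claim": "groups", "value": "engineering", "roles": ["engineer"]},
    {"claim": "groups", "value": "ops", "roles": ["legacy-ops"]},
    {"claim": "groups", "value": "security", "roles": ["reviewer"]},
]

PRIVILEGED_LOGINS = {"root"}


def load_roles():
    """Parse the constructed role list."""
    return json.loads(ROLES_JSON)


def reaches_prod(node_labels):
    """True if a node_labels selector matches nodes labelled env=prod."""
    if node_labels.get("*") == "*":          # wildcard selector: every node
        return True
    env = node_labels.get("env")
    if env is None:
        return False
    values = env if isinstance(env, list) else [env]
    return any(v in ("*", "prod") for v in values)


def standing_privileged_roles(roles):
    """Names of roles whose direct allow grants a privileged login on prod."""
    names = []
    for role in roles:
        allow = role["spec"].get("allow", {})
        if set(allow.get("logins", [])) & PRIVILEGED_LOGINS and reaches_prod(allow.get("node_labels", {})):
            names.append(role["metadata"]["name"])
    return names


def directly_mapped_roles(mapping):
    """Roles handed out at login purely on IdP group membership."""
    return {role for entry in mapping for role in entry["roles"]}


def requestable_roles(roles):
    """Roles that some other role may escalate into via an Access Request."""
    return {r for role in roles for r in role["spec"].get("allow", {}).get("request", {}).get("roles", [])}


def jit_only_roles(roles, mapping):
    """Privileged prod roles reachable only through an Access Request."""
    privileged = set(standing_privileged_roles(roles))
    return sorted((privileged & requestable_roles(roles)) - directly_mapped_roles(mapping))


def posture_findings(roles, mapping):
    """Lines a monthly posture report would flag for review."""
    direct = directly_mapped_roles(mapping)
    by_name = {role["metadata"]["name"]: role for role in roles}
    findings = []
    for name in standing_privileged_roles(roles):
        if name in direct:
            findings.append(f"STANDING: {name} grants root on prod and is mapped straight from an IdP group")
        mfa = by_name[name]["spec"].get("options", {}).get("require_session_mfa")
        if mfa in (None, False, "no", "off"):
            findings.append(f"NO-MFA: {name} grants root on prod without require_session_mfa")
    return findings


if __name__ == "__main__":
    for line in posture_findings(load_roles(), CLAIMS_TO_ROLES):
        print(line)
```

Run against the constructed data it reports two findings, both on `legacy-ops`; `prod-admin` is silent because it is requestable but never mapped directly and requires per-session MFA. In a real engagement the same two functions run over the live `tctl get roles` output and the connector resource that Terraform manages, so a group mapping that quietly starts handing out a standing prod role shows up as a diff in the next report.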
Teleport vs CyberArk / BeyondTrust
Where the line items actually land.
Teleport Enterprise (managed)
- Pricing model: per Protected Resource per month, plus Monthly Active Users and Machine Identities. List $24–$40 per resource per month on annual contracts[6].
- Credential model: short-lived certificates, no shared passwords, no vault rotation.
- Coverage: SSH, Kubernetes, databases, RDP, web apps, cloud consoles — single control plane[1][2].
- Compliance: FIPS 140-2 BoringCrypto build, HSM-backed CA, FedRAMP control mappings (AC-3, IA-2, AU-2)[8].
- Source: AGPL-3.0 core, modified Apache 2.0 binaries — auditable[1][3].
CyberArk PAM
- Pricing model: per privileged user, per module. Aggregator data: $11,375–$23,400 per user per year on PAM core, $115/user/yr on EPM, $1,000–$1,500 per non-human identity on Secrets Manager[5].
- Credential model: vault-and-rotate. Strong on Windows and legacy estates.
- Coverage: deep on Windows / mainframe; modules sold and renewed separately (PAM, EPM, PSM, Secrets Manager, Alero)[5].
- Compliance: mature audit posture, named in some examiner guidance.
- Source: closed.
BeyondTrust Privileged Remote Access
- Pricing model: per named user. 2023 GSA list price $3,235 per perpetual licence — current subscription pricing custom-quoted[7].
- Credential model: session brokerage with strong third-party / vendor remote access workflow.
- Coverage: strong on remote support and vendor access; session-recording UI rated highly by operators[7].
- Compliance: FedRAMP-authorised in their commercial offering.
- Source: closed.
Honest read: CyberArk still wins on heavy Windows estates with EPM already operationalised, and BeyondTrust still wins on third-party / vendor remote access. Teleport wins on cloud-native, multi-protocol, machine-heavy estates — which is where most modern infrastructure now lives. Switching from CyberArk? Read the honest Teleport comparison.
Deployment + tuning
Four phases. One team.
Assess
Inventory your access surface — bastions, SSH keys, jump hosts, kubeconfigs, vaulted DB creds. Map your IdP groups to the roles you actually want. Two-week engagement.
Deploy
Stand up Teleport Enterprise in your cloud, HA across two AZs, on a backend we've sized for your retention policy. Wire SSO, audit log shipping, and break-glass.
Tune
Pilot one engineering team with cert-based access in parallel with existing keys. Tighten per-session MFA and Access Request approval routing before broad rollout.
Operate
Quarterly CA-rotation drills. Version pinning and upgrade testing. Audit log retention tiering. Senior engineers on call. Monthly access-posture report.
ROI — mid-tier shape
500 endpoints, 50 admins, annual list comparison.
Managed Teleport Enterprise
- 500 Protected Resources × $30 / month × 12: ~$180,000 / yr (list)
- Typical Vendr-observed discount at deal size: ~29% off list[6]
- Net platform line, Cloud-hosted Enterprise: ~$128,000 / yr
CyberArk PAM equivalent
- 50 admins × CyberArk PAM per-user list (aggregator-reported bands vary widely by module mix): ~$250,000 – $1,040,000 / yr (list, source-dependent)
- Endpoint Privilege Manager add-on (50 users × $115): ~$5,750 / yr[5]
- Net platform line before negotiation: ~$255,750 – $1,045,750 / yr
Methodology: Teleport per-resource pricing from Vendr's published $24–$40 / resource / month range with the median ~29% discount they observe across 150 deals[6]. CyberArk per-user pricing from the CheckThat.ai aggregator volume bands[5]. Both are list-quoted — CyberArk in particular rarely transacts at list and aggressive multi-year negotiations close the gap meaningfully. Excludes ThinSky managed-service fees, MWI (machine identities), and professional services on either side. Currency in USD.
FAQ
The questions CISOs actually ask.
We already have a bastion plus HashiCorp Vault. Why a third tool?
Bastion-plus-Vault works well until your fleet is multi-cloud, multi-protocol, or runs Kubernetes. Vault rotates DB credentials cleanly, but it does not record sessions, does not gate kubectl exec, and does not unify audit across SSH, RDP, and DB. Teleport replaces the bastion and adds the protocols Vault never covered. If you only need DB credential brokerage and one bastion, Teleport is overkill — we'll tell you that.
What happens during break-glass when Teleport itself is down?
The recommended pattern is a small number of pre-issued long-TTL local accounts with hardware-key-only login, audited out-of-band, locked in a physical safe. With Auth running HA across two AZs on a managed backend, the blast radius is the same shape as your IdP outage plan — and the operational answer is the same plan. We document it as part of every deployment.
Does Teleport actually cover FedRAMP / FIPS workloads?
Teleport Enterprise ships a FIPS 140-2 build compiled with BoringCrypto, supports HSM-backed CA keys, and provides FedRAMP control mappings (AC-2, AC-3, IA-2, AU-2) in their compliance docs. Teleport itself is not on the FedRAMP marketplace as an authorized SaaS — it provides the access-layer controls inside a FedRAMP-bounded environment. If you specifically need a FedRAMP-authorized SaaS at the access layer, that is a different conversation and we will say so.
Open-source means we own the on-call pager.
True if you self-deploy and self-manage. Managed delivery — ours or anyone else's — covers version pinning, CA rotation, audit log shipping, IdP integration, and quarterly policy review. Open-source removes the licence cost. It does not remove the operational cost. The honest framing is: you are paying for the engineers who know how to run this, not for the software.
Per-user pricing on CyberArk is bad. Is per-resource on Teleport actually cheaper at our shape?
It depends on your machine-to-human ratio. Teleport's MAU plus Protected Resources plus Machine Identity model rewards estates with many resources and few admins. CyberArk's volume bands at 250+ users can undercut Teleport at certain admin-heavy ratios. We model both shapes against your actual headcount and resource count before recommending — we do not pretend the answer is always Teleport.
Is Teleport a real CyberArk alternative — or just a different shape of privileged access management?
Both, honestly. Teleport is a fully credentialed CyberArk alternative for cloud-native estates: it covers privileged access management across SSH, Kubernetes, databases, RDP, web apps, and cloud consoles from one control plane, with short-lived certificates instead of vault-and-rotate. Where CyberArk is still ahead is heavy Windows estates with EPM already operationalised. For multi-cloud, container-heavy, machine-identity-heavy environments — the shape most 2026 infrastructure has — Teleport replaces CyberArk's PAM core and the bastion next to it.
What does "managed Teleport" actually include vs running Teleport ourselves?
The licence to Teleport Enterprise is the same line either way. Managed delivery covers the operational layer: HA deployment across two AZs, sized backend for your retention policy, SSO and audit log shipping, quarterly CA rotation drills, version pinning and upgrade testing, monthly access-posture reporting, and a senior security engineer on the pager. You keep the platform in your cloud and own the data; we operate it.
What managed Teleport includes
The line items, written out.
Managed Teleport is the Teleport Enterprise platform plus the operational layer it needs to run in production privileged access management mode — in your cloud, not ours, with your audit data never leaving your boundary. Every line below is in the engagement scope by default.
- Teleport Enterprise deployment. Auth and Proxy services HA across two AZs in your AWS / Azure / GCP account, sized to your retention policy. Backend on a managed datastore — no Postgres-on-EC2 babysitting.
- Identity-provider wiring. SSO into Okta, Microsoft Entra ID, Google Workspace, Keycloak, or GitHub. Group-to-role mapping in Terraform so policy drift stays diffable.
- Certificate authority lifecycle. HSM-backed CA keys on Enterprise, quarterly CA-rotation drills, documented break-glass procedure with hardware-key-only local accounts in a physical safe.
- Audit pipeline. SSH session recordings, kubectl exec capture, database query logs, and RDP video shipped to your SIEM (Splunk, Datadog, Sumo, Elastic) in your chosen retention tier.
- Patch + upgrade cadence. Version pinning, staged upgrade testing in a non-prod tenant, FIPS 140-2 BoringCrypto build for FedRAMP / FIPS workloads.
- Senior on-call + monthly posture report. A senior security engineer on the pager — not a tier-1 queue. Monthly report on access requests, standing roles, audit-log integrity, and policy drift.
Excluded by default and quoted separately: bespoke RBAC modelling for very large IdP estates, Teleport Machine Identity (MWI) onboarding at scale, custom SIEM enrichment pipelines, and FedRAMP-bounded environment hardening. We tell you which line items apply to your shape on the first call.
Teleport vs CyberArk
2026 comparison — the short version.
Both platforms are real privileged access management — they just optimise for different infrastructure shapes. Here is the honest read on Teleport vs CyberArk in 2026, abridged from the longer comparison table above.
Teleport wins when…
- Your fleet is multi-cloud (AWS + Azure + GCP) and multi-protocol (SSH, Kubernetes, RDP, Postgres, internal web apps).
- Your machine identities outnumber your humans 10:1 or more — CI runners, agents, service accounts, sidecars.
- You want short-lived certificates and SSO-driven RBAC instead of vault-and-rotate plus a separate session-recording bolt-on.
- You need a CyberArk alternative that fits a cloud-native, container-heavy, GitOps-driven engineering organisation without retraining the team.
- Your audit surface includes kubectl exec and database queries — not just SSH and Windows RDP.
CyberArk wins when…
- Your estate is heavy on Windows servers, domain admins, and legacy applications that expect vaulted passwords.
- Endpoint Privilege Manager (EPM) is already operationalised and producing value on workstation least-privilege.
- Examiner guidance or vendor checklists you cannot rewrite explicitly name CyberArk by product.
- Your admin-heavy ratio (many privileged users, few protected resources) makes per-user pricing cheaper than per-resource at your volume band.
Switching from CyberArk to Teleport is not always the right call — and we will tell you when it is not. Where it does pay back, the move is usually driven by cloud-native sprawl Teleport models cleanly and CyberArk modules charge separately for. The longer read: why teams are quietly switching from CyberArk to Teleport.
Why teams switch
Why teams switch from CyberArk to Teleport.
The CyberArk-to-Teleport conversation rarely starts with the renewal quote — it starts with a Kubernetes migration that the existing privileged access management tool cannot see into. CyberArk PAM was built for vaulted passwords against named servers; once an estate is producing thousands of ephemeral pods, CI runners, and machine identities a week, the vault-and-rotate pattern stops mapping cleanly to what is actually being accessed. Teams hit that wall, look for a CyberArk alternative that speaks Kubernetes and cloud consoles as first-class protocols, and Teleport is the platform engineers already know.
The second reason is the per-module renewal. CyberArk's PAM core, Endpoint Privilege Manager, Privileged Session Manager, Secrets Manager, and Alero are sold and renewed separately — by the time an estate has all of them, the line items are spread across multiple contract anniversaries and the negotiation surface fragments. Teleport collapses session brokering, recording, secrets, and machine identity into one per-resource line. Whether that is cheaper depends on machine-to-human ratio (see the ROI section), but it is always simpler to forecast and harder for a vendor to ratchet up quietly between renewals.
The third reason is the auditor conversation. Short-lived certificates issued per session from the IdP are easier to explain to a SOC 2 or ISO 27001 assessor than a vault rotation schedule and a session-recording bolt-on stitched together with custom enrichment. Managed Teleport ships that evidence pipeline by default — SSH recordings, kubectl exec capture, database query logs, RDP video — all tagged to the IdP identity and the access request that approved it. The compliance team stops doing screenshots.
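The evidence pipeline described here, and in the session-recording and audit-pipeline line items earlier on the page, is only useful to an assessor if someone actually joins the session events to the access requests that approved them. The script below is an added example written for this page, not Teleport's or ThinSky's own code, showing that join over a constructed day of audit events. It assumes Teleport's audit log as newline-delimited JSON with the field names carried by `session.start`, `access_request.create` and `access_request.update` (`user`, `login`, `server_labels`, `access_requests`, `id`, `state`); the eight events are constructed, and the request ids and hostnames are placeholders.

```python
"""Audit-trail integrity check over Teleport audit events (added example).

Assumption: events are newline-delimited JSON using the field names of
Teleport's session.start, access_request.create and access_request.update
events. Every event below is constructed; ids and hosts are placeholders.
"""
import json

# Constructed day of audit events. S1 is a clean JIT session, S2 is standing
# root on prod with no request at all, S3 references a request that was
# denied (should never happen; if it does, the log or the proxy is lying),
# S4 is an unprivileged dev session that the check ignores.
SAMPLE_EVENTS = """
{"event": "access_request.create", "time": "2026-03-02T09:00:00Z", "user": "alice@example.com", "id": "REQ-1", "roles": ["prod-admin"], "reason": "incident 4412"}
{"event": "access_request.update", "time": "2026-03-02T09:03:00Z", "id": "REQ-1", "state": "APPROVED", "reviewer": "bob@example.com"}
{"event": "session.start", "time": "2026-03-02T09:05:00Z", "sid": "S1", "user": "alice@example.com", "login": "root", "server_hostname": "db-01", "server_labels": {"env": "prod"}, "access_requests": ["REQ-1"]}
{"event": "session.start", "time": "2026-03-02T11:40:00Z", "sid": "S2", "user": "carol@example.com", "login": "root", "server_hostname": "web-03", "server_labels": {"env": "prod"}}
{"event": "access_request.create", "time": "2026-03-02T13:00:00Z", "user": "dave@example.com", "id": "REQ-2", "roles": ["prod-admin"], "reason": "curious"}
{"event": "access_request.update", "time": "2026-03-02T13:01:00Z", "id": "REQ-2", "state": "DENIED", "reviewer": "bob@example.com"}
{"event": "session.start", "time": "2026-03-02T13:05:00Z", "sid": "S3", "user": "dave@example.com", "login": "root", "server_hostname": "db-01", "server_labels": {"env": "prod"}, "access_requests": ["REQ-2"]}
{"event": "session.start", "time": "2026-03-02T14:00:00Z", "sid": "S4", "user": "erin@example.com", "login": "erin", "server_hostname": "dev-07", "server_labels": {"env": "dev"}}
"""

PRIVILEGED_LOGINS = {"root"}


def parse_events(text):
    """One JSON object per non-empty line, in log order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_requests(events):
    """Map request id -> requester, roles and final state, folding updates in."""
    requests = {}
    for ev in events:
        if ev["event"] == "access_request.create":
            requests[ev["id"]] = {"user": ev["user"], "roles": ev.get("roles", []), "state": ev.get("state", "PENDING")}
        elif ev["event"] == "access_request.update":
            requests.setdefault(ev["id"], {"user": None, "roles": [], "state": "PENDING"})["state"] = ev["state"]
    return requests


def is_prod(ev):
    """Prod is identified by the node label the roles on this page key on."""
    return ev.get("server_labels", {}).get("env") == "prod"


def unapproved_prod_sessions(events):
    """Privileged prod sessions with no APPROVED request by the same user."""
    requests = index_requests(events)
    findings = []
    for ev in events:
        if ev["event"] != "session.start" or not is_prod(ev) or ev.get("login") not in PRIVILEGED_LOGINS:
            continue
        ids = ev.get("access_requests", [])
        if not ids:
            findings.append({"sid": ev["sid"], "user": ev["user"], "reason": "no access request: standing prod access"})
            continue
        approved = [i for i in ids
                    if requests.get(i, {}).get("state") == "APPROVED" and requests[i]["user"] == ev["user"]]
        if not approved:
            findings.append({"sid": ev["sid"], "user": ev["user"],
                             "reason": f"referenced request(s) {ids} not APPROVED for this user"})
    return findings


if __name__ == "__main__":
    for finding in unapproved_prod_sessions(parse_events(SAMPLE_EVENTS)):
        print(f"{finding['sid']} {finding['user']}: {finding['reason']}")
```

The first finding (S2) is the one a posture review cares about: a privileged prod session with no request behind it means some role is still granting standing access. The second (S3) is an integrity check on the log itself; Teleport should never mint a certificate against a denied request, so a hit there points at a tampered or incomplete event stream rather than at the user. Run over the SIEM export instead of the embedded sample, the same function is the monthly "every prod session traces to an approval" assertion written out.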
Stop renewing CyberArk on autopilot.
30-minute call with a senior security engineer. We'll model your access surface against Teleport's per-resource math and tell you honestly whether a migration pays back.
Model my migration →