MANAGED TELEPORT

Kill the bastion. Kill the static SSH key. Keep the audit trail.

Certificate-based zero-trust access for SSH, Kubernetes, databases, RDP, and cloud consoles — deployed in your cloud, integrated with your IdP, and operated by senior engineers as a dedicated extension of your team.

What you get

Six capabilities mapped to outcomes you can measure.

Certificate-based access

Short-lived X.509 and SSH certs minted per session from your IdP. No static SSH keys, no shared passwords, no vault rotation playbook to maintain.

One control plane, every protocol

SSH, Kubernetes, Postgres / MySQL / Mongo / CockroachDB, RDP, internal web apps, and AWS / Azure / GCP consoles — all gated by the same RBAC role.

Just-in-time access

Engineers escalate to privileged roles for a bounded window with Slack or PagerDuty approval. Standing prod sudo becomes the exception, not the default.

Session recording + structured audit

eBPF-level SSH session telemetry, full kubectl exec capture, and database query logs streamed to your SIEM. Auditor evidence stops being a screenshot exercise.

Hardware-backed identity

Per-session MFA, WebAuthn / FIDO2, YubiKey enforcement, and PIV / CAC smart-card login. HSM-backed CA keys on Enterprise for FedRAMP and FIPS workloads.

Identity-provider native

SSO into Okta, Microsoft Entra ID, Google, Keycloak, or GitHub. Group-to-role mapping is Terraform-managed, not console-clicked, so policy drift stays visible.

Teleport vs CyberArk / BeyondTrust

Where the line items actually land.

Teleport Enterprise (managed)

  • Pricing model: per Protected Resource per month, plus Monthly Active Users and Machine Identities. List $24–$40 per resource per month on annual contracts[6].
  • Credential model: short-lived certificates, no shared passwords, no vault rotation.
  • Coverage: SSH, Kubernetes, databases, RDP, web apps, cloud consoles — single control plane[1][2].
  • Compliance: FIPS 140-2 BoringCrypto build, HSM-backed CA, FedRAMP control mappings (AC-3, IA-2, AU-2)[8].
  • Source: AGPL-3.0 core, modified Apache 2.0 binaries — auditable[1][3].

CyberArk PAM

  • Pricing model: per privileged user, per module. Aggregator data: $11,375–$23,400 per user per year on PAM core, $115/user/yr on EPM, $1,000–$1,500 per non-human identity on Secrets Manager[5].
  • Credential model: vault-and-rotate. Strong on Windows and legacy estates.
  • Coverage: deep on Windows / mainframe; modules sold and renewed separately (PAM, EPM, PSM, Secrets Manager, Alero)[5].
  • Compliance: mature audit posture, named in some examiner guidance.
  • Source: closed.

BeyondTrust Privileged Remote Access

  • Pricing model: per named user. 2023 GSA list price $3,235 per perpetual licence — current subscription pricing custom-quoted[7].
  • Credential model: session brokerage with strong third-party / vendor remote access workflow.
  • Coverage: strong on remote support and vendor access; session-recording UI rated highly by operators[7].
  • Compliance: FedRAMP-authorised in their commercial offering.
  • Source: closed.

Honest read: CyberArk still wins on heavy Windows estates with EPM already operationalised, and BeyondTrust still wins on third-party / vendor remote access. Teleport wins on cloud-native, multi-protocol, machine-heavy estates — which is where most modern infrastructure now lives.

Deployment + tuning

Four phases. One team.

01

Assess

Inventory your access surface — bastions, SSH keys, jump hosts, kubeconfigs, vaulted DB creds. Map your IdP groups to the roles you actually want. Two-week engagement.

02

Deploy

Stand up Teleport Enterprise in your cloud, HA across two AZs, on a backend we've sized for your retention policy. Wire SSO, audit log shipping, and break-glass.

03

Tune

Pilot one engineering team with cert-based access in parallel with existing keys. Tighten per-session MFA and Access Request approval routing before broad rollout.

04

Operate

Quarterly CA-rotation drills. Version pinning and upgrade testing. Audit log retention tiering. Senior engineers on call. Monthly access-posture report.
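The access model the Deploy and Tune phases describe (group-to-role mapping from the IdP, short-lived certificates, per-session MFA, and just-in-time escalation gated by an approver) can be expressed as a handful of Teleport resources. The following is an added example written for this page, not configuration from Teleport or from the managed service described here; role names, label keys, group names and the Okta URLs are assumptions and placeholders to be replaced with your own values.

```yaml
# Added example, not the page's or Teleport's own configuration.
# Apply with: tctl create -f access-model.yaml
# Role, label, group names and URLs below are assumptions / placeholders.

# 1. Identity-provider native: IdP group claim -> Teleport role, declared in
#    config rather than clicked in a console, so drift shows up in review.
kind: saml
version: v2
metadata:
  name: okta                                  # connector name (assumed)
spec:
  display: Okta
  acs: https://teleport.example.invalid/v1/webapi/saml/acs/okta        # placeholder
  entity_descriptor_url: https://idp.example.invalid/saml/metadata     # placeholder
  attributes_to_roles:
    - name: groups                            # SAML attribute with group membership (assumed)
      value: eng-sre                          # IdP group name (assumed)
      roles: [engineer]
    - name: groups
      value: sec-oncall
      roles: [prod-approver]
---
# 2. Day-to-day role: short-lived cert, staging only, may *request* prod.
kind: role
version: v7
metadata:
  name: engineer
spec:
  options:
    max_session_ttl: 8h                       # cert lifetime; nothing static to rotate
    require_session_mfa: true                 # WebAuthn/FIDO2 tap on every new session
    enhanced_recording: [command, network]    # eBPF-level SSH telemetry for the SIEM
  allow:
    logins: ['{{internal.logins}}', ubuntu]
    node_labels:
      env: staging
    kubernetes_labels:
      env: staging
    kubernetes_groups: [developers]
    request:
      roles: [prod-admin]                     # JIT escalation target
      max_duration: 4h                        # bounded window for the elevated cert
      thresholds:
        - approve: 1                          # one prod-approver review is enough
          deny: 1                             # one deny closes the request
---
# 3. Elevated role: only reachable through an approved Access Request,
#    so standing prod root is the exception rather than the default.
kind: role
version: v7
metadata:
  name: prod-admin
spec:
  options:
    max_session_ttl: 4h
    require_session_mfa: true
  allow:
    logins: [root]
    node_labels:
      env: prod
    kubernetes_labels:
      env: prod
    kubernetes_groups: ["system:masters"]
---
# 4. Approver role: can review prod-admin requests but holds no prod access.
kind: role
version: v7
metadata:
  name: prod-approver
spec:
  allow:
    review_requests:
      roles: [prod-admin]
```

With these in place an engineer escalates with `tsh request create --roles prod-admin --reason "..."`, a member of `prod-approver` approves it (with `tctl requests approve <id>` or through the Slack/PagerDuty plugin the page mentions), and the resulting certificate carries `prod-admin` only until `max_duration` expires. Every step, including the review, lands in the audit log, which is the evidence trail the auditor asks for.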

ROI — mid-tier shape

500 endpoints, 50 admins, annual list comparison.

Managed Teleport Enterprise

  • 500 Protected Resources × $30 / month × 12: ~$180,000 / yr (list)
  • Typical Vendr-observed discount at deal size: ~29% off list[6]
  • Net platform line, Cloud-hosted Enterprise: ~$128,000 / yr

CyberArk PAM equivalent

  • 50 admins × $20,800 / user / yr (25–99 user band): ~$1,040,000 / yr (list)
  • Endpoint Privilege Manager add-on (50 users × $115): ~$5,750 / yr[5]
  • Net platform line before negotiation: ~$1,045,750 / yr

Methodology: Teleport per-resource pricing from Vendr's published $24–$40 / resource / month range with the median ~29% discount they observe across 150 deals[6]. CyberArk per-user pricing from the CheckThat.ai aggregator volume bands[5]. Both are list-quoted — CyberArk in particular rarely transacts at list and aggressive multi-year negotiations close the gap meaningfully. Excludes ThinSky managed-service fees, MWI (machine identities), and professional services on either side. Currency in USD.

FAQ

The questions CISOs actually ask.

We already have a bastion plus HashiCorp Vault. Why a third tool?

Bastion-plus-Vault works well until your fleet is multi-cloud, multi-protocol, or runs Kubernetes. Vault rotates DB credentials cleanly, but it does not record sessions, does not gate kubectl exec, and does not unify audit across SSH, RDP, and DB. Teleport replaces the bastion and adds the protocols Vault never covered. If you only need DB credential brokerage and one bastion, Teleport is overkill — we'll tell you that.

What happens during break-glass when Teleport itself is down?

The recommended pattern is a small number of pre-issued long-TTL local accounts with hardware-key-only login, audited out-of-band, locked in a physical safe. With Auth running HA across two AZs on a managed backend, the blast radius is the same shape as your IdP outage plan — and the operational answer is the same plan. We document it as part of every deployment.

Does Teleport actually cover FedRAMP / FIPS workloads?

Teleport Enterprise ships a FIPS 140-2 build compiled with BoringCrypto, supports HSM-backed CA keys, and provides FedRAMP control mappings (AC-2, AC-3, IA-2, AU-2) in their compliance docs. Teleport itself is not on the FedRAMP marketplace as an authorized SaaS — it provides the access-layer controls inside a FedRAMP-bounded environment. If you specifically need a FedRAMP-authorized SaaS at the access layer, that is a different conversation and we will say so.

Open-source means we own the on-call pager.

True if you self-deploy and self-manage. Managed delivery — ours or anyone else's — covers version pinning, CA rotation, audit log shipping, IdP integration, and quarterly policy review. Open-source removes the licence cost. It does not remove the operational cost. The honest framing is: you are paying for the engineers who know how to run this, not for the software.

Per-user pricing on CyberArk is bad. Is per-resource on Teleport actually cheaper at our shape?

It depends on your machine-to-human ratio. Teleport's MAU plus Protected Resources plus Machine Identity model rewards estates with many resources and few admins. CyberArk's volume bands at 250+ users can undercut Teleport at certain admin-heavy ratios. We model both shapes against your actual headcount and resource count before recommending — we do not pretend the answer is always Teleport.

Stop renewing CyberArk on autopilot.

30-minute call with a senior security engineer. We'll model your access surface against Teleport's per-resource math and tell you honestly whether a migration pays back.
