Comparison

expacti vs. the field

Traditional privileged access tools tell you what happened after the fact. expacti prevents things from happening without explicit human approval — before execution.

Teleport
Access control + session recording
Teleport manages who can access what, with session recordings and audit logs. It doesn't control what they do once they're in.
expacti
Real-time per-command approval
expacti intercepts every command before execution and requires explicit human approval. Access control plus a real-time safety gate.

The core difference: reactive vs. preventive

Teleport is excellent at access management: certificate-based authentication, role-based access policies, session recording, and audit logs. If you want to know who connected to prod-server-1 at 2:43 AM and what their session looked like, Teleport gives you that.

What Teleport doesn't do is stop a command from executing. Once a user or agent has access to a server, they can run anything within their OS-level permissions. Teleport will record it; it won't prevent it.

The gap: An AI agent with Teleport access to production can still run DROP TABLE users or rm -rf /var/data. You'll have a perfect recording of it happening. expacti would have blocked it and asked you first.

These tools are complementary, not competitive. Teleport handles identity and access; expacti handles per-command gates. Teams with strict security requirements often use both.

Capability Teleport expacti
Access control
Certificate-based SSH auth: via SSH CA
RBAC for server access
Per-command approval gate: Block execution until human approves
Whitelist engine: Exact, glob, regex patterns
Visibility
Session recording
Audit log
Real-time reviewer view: Live terminal feed to reviewer during session
Risk scoring per command
Anomaly detection: Basic
AI agent support
SDK for AI frameworks: LangChain, Vercel AI, etc.
Designed for automated agents: Non-human principals, approval loops
Setup & cost
Self-hosted option
Free tier: OSS core
Setup complexity: Medium–High (Teleport), Low–Medium (expacti)
Enterprise pricing: $$$ (Teleport), Custom (expacti)
Use expacti when

You need to control what an AI agent or automated script does, not just where it can connect. You want a human-in-the-loop for high-risk commands, with a whitelist for routine work.

Use Teleport when

Your primary need is identity-based access control and certificate management across a large fleet. Teleport's OSS core is excellent for managing human access to infrastructure.

See expacti in action

Interactive demo — no signup, no install. See a command intercepted, reviewed, and approved in real time.

HashiCorp Boundary
Identity-based access for dynamic infrastructure
Boundary manages access to targets using identity providers. It's focused on secure connectivity to ephemeral infrastructure — not on what happens during a session.
expacti
Command-level approval inside the session
expacti works after access is granted — gatekeeping every command before it executes. Pairs naturally with Boundary's access control layer.

Different layers of the same security stack

Boundary is positioned as a zero-trust access layer: dynamic host catalogs, short-lived credentials, identity-based targeting. It solves the problem of "who can access this resource" and "how do they connect to it."

Like Teleport, Boundary doesn't control what happens inside a session. A user (or agent) that connects via Boundary can do whatever their target-side permissions allow.

In practice: Use Boundary to control which agents can connect to which targets. Use expacti to control which commands those agents can run once connected. The two layers are independent and complementary.

If you're in a HashiCorp-heavy stack (Vault, Terraform, Consul, Boundary), expacti adds the missing layer that none of those tools provide: a real-time, per-command approval gate.

Capability Boundary expacti
Access control
Identity-based access to targets: Via SSH proxy
Dynamic host catalogs
Per-command approval gate
Whitelist + TTL rules
Audit & compliance
Access event audit log
Session content recording: Enterprise only
SOC 2 compliance reports
AI & automation
SDK for AI agent frameworks
Approval queue for automated agents
Ecosystem
Terraform provider
Kubernetes integration
HCP (managed cloud) option: SaaS + self-host
Free tier: OSS

Add the missing layer to your Boundary setup

expacti plugs directly into SSH-based workflows. Try it in 10 minutes.

CyberArk
Enterprise PAM suite
CyberArk is the enterprise standard for Privileged Access Management: credential vaulting, session isolation, session recording, and extensive policy controls. Designed for regulated industries.
expacti
Lightweight real-time command gate
expacti gives you real-time per-command control with a fraction of the complexity and cost. Designed for modern teams with AI agents and automated workflows.

Enterprise power vs. developer-friendly simplicity

CyberArk is the right tool for large enterprises with strict regulatory compliance requirements (HIPAA, PCI-DSS, FedRAMP). It has decades of development, extensive integrations, and proven enterprise deployment patterns. It's also expensive, complex to deploy, and built for human privileged users — not AI agents.

The AI agent gap: CyberArk was designed in an era when privileged access meant a human admin logging into a server. It doesn't have a concept of a non-human agent submitting commands for approval. Its session controls are designed around credential vaulting and session isolation, not real-time per-command gates with an LLM-friendly SDK.

Cost reality: CyberArk's enterprise licensing typically starts at $50K+/year. expacti's Pro plan is $29/month — $348/year. For teams that need real-time command approval but not a full PAM suite, the comparison isn't close.

For teams that already have CyberArk for human access, expacti handles the AI agent layer that CyberArk doesn't address. They cover different principals with different tooling.

Capability CyberArk expacti
Core controls
Credential vaulting: Secure storage of secrets, rotation
Session isolation: Jump host / proxy layer
Per-command approval gate: Limited
Whitelist-driven automation
AI & modern automation
SDK for AI coding agents
GitHub Actions integration
LangChain / Vercel AI support
Approval queue with mobile push
Compliance
Session recording
SOC 2 / ISO 27001 reports
SAML SSO / SCIM
Practicality
Self-hosted option
Setup time: Weeks–months (CyberArk), Minutes–hours (expacti)
Starting cost: $50K+/year (CyberArk), Free / $29/mo (expacti)
Free tier

Enterprise-grade control, developer-friendly setup

Start free, set up in 10 minutes, protect AI agents that CyberArk wasn't built for.

Bastion / Jump host
Logging-only access gateway
A bastion host funnels SSH traffic through a single point for network control and session logging. It records traffic but doesn't inspect or gate individual commands.
expacti
Active command interception
expacti inspects every command at the PTY level, checks against the whitelist, and holds non-whitelisted commands for human review before they execute.
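
The decision described above (check the whitelist, hold everything else for human review) as an added Python example. It is not expacti's code: the rule format, the sample rules and the gate() function are assumptions made for illustration, and it models only the allow/hold decision, not PTY interception.

```python
import fnmatch
import re

# Constructed whitelist (an assumption, not expacti's rule format): one rule
# for each pattern kind the comparison names: exact, glob, regex.
WHITELIST = [
    ("exact", "uptime"),
    ("glob", "ls -l /var/log/*"),
    ("regex", r"systemctl status [a-z0-9_.@-]+"),
]

# Operators that let one line carry a second command or a redirection.
# A glob "*" also matches these characters, so they are checked first.
CONTROL = re.compile(r"[;&|`\n<>]|\$\(")


def rule_matches(kind, pattern, command):
    """Match the whole command line against one whitelist rule."""
    if kind == "exact":
        return command == pattern
    if kind == "glob":
        return fnmatch.fnmatchcase(command, pattern)
    if kind == "regex":
        return re.fullmatch(pattern, command) is not None
    raise ValueError(f"unknown rule kind: {kind}")


def gate(command):
    """Return (decision, reason): 'allow' runs now, 'hold' waits for a reviewer."""
    command = command.strip()
    if not command:
        return ("hold", "empty command")
    if CONTROL.search(command):
        return ("hold", "shell control operator")
    for kind, pattern in WHITELIST:
        if rule_matches(kind, pattern, command):
            return ("allow", f"{kind}:{pattern}")
    return ("hold", "no whitelist match")


if __name__ == "__main__":
    for cmd in ["uptime", "ls -l /var/log/nginx", "rm -rf /var/data",
                "ls -l /var/log/x; rm -rf /var/data"]:
        print(gate(cmd), cmd)
```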

Passive logging vs. active gating

A bastion host is a network architecture pattern, not a security product. It gives you a single entry point (good for firewall rules), SSH traffic logs (useful for audits), and possibly session recordings if you've added tooling like ttyrec or asciinema.

None of that stops a command from executing. The bastion sees the traffic and passes it through. By the time you check the logs, the data is already deleted.

The 3 AM problem: An AI agent running overnight issues DELETE FROM events WHERE created_at < NOW() - INTERVAL '90 days'. A bastion logs it. expacti blocks it and sends you a push notification with a risk score of 85/100.

If you already have a bastion, expacti slots in as the next layer. You don't need to remove the bastion; you add expacti behind it to gate commands on critical target servers.

Capability Bastion host expacti
Single entry point (network control)
SSH session logging: With setup
Per-command approval gate
Whitelist engine
Risk scoring
Anomaly detection
Reviewer dashboard (real-time)
Slack / Teams approval
Mobile push notifications
Compliance reports (SOC 2, ISO 27001)
AI whitelist suggestions
SDK for AI agent frameworks
Setup complexity: Low (just SSH) (Bastion host), Low–Medium (expacti)
Cost: Server cost only (Bastion host), Free / $29/mo (expacti)

Turn your bastion into an active control point

expacti deploys alongside your existing SSH infrastructure in minutes.

How the tools compare at a glance

All of these tools play in the "privileged access" space. The critical distinction is when they intervene in the access lifecycle.

Feature Bastion Teleport Boundary CyberArk expacti
Core security model
Prevents commands before execution Limited
Real-time human approval loop
Whitelist-driven automation
Session recording With setup Enterprise
Audit log Basic
Identity-based access control
AI agent support
SDK for AI frameworks
GitHub Actions integration Limited
Notifications
Slack approval buttons Enterprise
Mobile push (PWA)
Practicality
Free tier OSS OSS
Setup time: Hours (Bastion), Days (Teleport), Days (Boundary), Weeks+ (CyberArk), Minutes (expacti)

The key insight: these tools address different moments

Before access: Boundary, Teleport, CyberArk credential vaulting — control who can connect.

During access: expacti — control what they can do once connected.

After access: All of them (session recording, audit log) — understand what happened.

expacti is the only tool in this list designed for the during layer: active, real-time command interception with a human in the loop. That's the gap the AI agent era created, and that none of the traditional PAM tools were built to fill.

Try the layer that's been missing

Free tier, 10-minute setup. See what it looks like to have a human in the loop for every command.