Retire the bastion fleet without losing the choke point
Classic SSH bastions reduce attack surface but fall short on identity, evidence, and operational scale. Wardengate keeps the single front door and makes it auditable, policy-driven, and protocol-agnostic.
Bastion pattern vs. gateway
The bastion was a reasonable answer in 2012. In 2026, credentialed attackers, distributed evidence requirements, and multi-protocol estates expose where the pattern stops being enough.
| Capability | Wardengate | SSH bastion fleet |
|---|---|---|
| Access model | Identity-bound policy at a central gateway | Network reachability + SSH keys on each bastion |
| Credential handling | Broker-injected, short-lived credentials | Shared keys, local accounts, sudoers sprawl |
| Session evidence | Recorded at the gateway — tamper-resistant | Optional sidecar on targets; often missing or inconsistent |
| Operational overhead | One control plane to patch and monitor | Per-region, per-VPC bastion fleet to maintain |
| Third-party access | Time-bound, approval-gated, fully attributed | Long-lived VPN + shared jump host accounts |
| Audit readiness | Structured exports mapped to SOC 2 / PCI / ISO | Correlate tickets, syslog, and shell history manually |
| Protocol support | SSH, RDP, VNC, databases, Kubernetes | Typically SSH only; parallel paths for other protocols |
Hidden costs
What bastion fleets actually cost beyond the EC2 line item
Fleet maintenance
Every bastion is an OS to patch, a key inventory to rotate, and a security group to audit. Most estates underestimate how many bastions they run until they take an inventory.
Evidence reconstruction
Audit season means correlating jump host logs with target syslog and ticketing data. That work is recurring — and billable if consultants do it.
Parallel paths
VPN, vendor tunnels, and break-glass accounts bypass the bastion entirely. You pay for the bastion and still fail the control.
For a deeper threat-model walkthrough, see our post "SSH bastions in 2026".
Ready to consolidate?
Map your bastion estate in one session
Bring your inventory — however incomplete — and we will show you what a gateway cutover looks like for your protocols, compliance scope, and operator workflows.