What you need
A Linux VM or Kubernetes cluster for the control plane, one SSH target reachable from the gateway connector, and an IdP (Okta, Azure AD, or local accounts for lab). Helm or Docker Compose handles the install; no agents on targets.
This narrative walks from a fresh install to a brokered SSH session with recording and audit metadata — the minimum path to prove value before a wider rollout.
1. Deploy control plane: Helm or Compose install
2. Register connector: Gateway joins the estate
3. Onboard SSH target: Asset, no agent required
4. Create grant: Group → asset → SSH
5. Connect & verify: Recording + audit metadata
Pilot to first session in under fifteen minutes.
An operator authenticates with their own identity, requests or uses a grant to the target, completes MFA at connect time, and works in a normal SSH client — while Wardengate records the session and writes structured metadata you can search and export.
Step by step
Install with Helm or Docker Compose following the getting-started guide. Verify the API and admin console are reachable. Create your organization and connect your IdP — or enable local admin for lab use.
Deploy a connector node in the same network as your SSH target. The connector registers with the control plane and advertises supported protocols. Health checks confirm it is ready to broker.
Add the SSH host as an asset — hostname, port, and optional account mapping. Tag it by environment (prod, staging) for policy scoping. No agent install on the target.
Bind your operator group to the asset with SSH allowed. For lab, a standing grant is fine; production should use JIT with approvers. The grant is the only path to the target — not VPN or security group membership alone.
Open your SSH client through Wardengate (CLI or web terminal). Complete step-up MFA. Run a few commands, disconnect, then open the session audit view — confirm recording playback, command log, identity attribution, and export-ready metadata.
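The grant step above can be modeled as a default-deny check plus a lint pass over the grant set. This is an added example, not Wardengate's schema or API: the `Grant` record, the `lint_grants` and `authorize` functions, the asset names, and the rule that an approver cannot approve their own request are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:                 # hypothetical record, not the product's schema
    group: str
    asset: str
    protocol: str
    mode: str                # "standing" or "jit"
    approvers: tuple = ()

# Constructed sample data: asset name -> environment tag
ASSETS = {"lab-ssh-01": "lab", "prod-db-01": "prod"}
GRANTS = [
    Grant("operators", "lab-ssh-01", "ssh", "standing"),
    Grant("operators", "prod-db-01", "ssh", "standing"),
    Grant("dba", "prod-db-01", "ssh", "jit", ("alice",)),
]

def lint_grants(grants, assets):
    """Flag grants that break the lab/production rule from the grant step."""
    findings = []
    for g in grants:
        env = assets.get(g.asset)
        if env is None:
            findings.append((g, "unknown asset"))
        elif env == "prod" and g.mode != "jit":
            findings.append((g, "standing grant on production asset"))
        elif g.mode == "jit" and not g.approvers:
            findings.append((g, "JIT grant has no approvers"))
    return findings

def authorize(user, groups, asset, protocol, mfa_ok, approved_by=None,
              grants=GRANTS, assets=ASSETS):
    """Default deny: only a matching grant plus step-up MFA opens a session."""
    if asset not in assets:
        return False, "unknown asset"
    if not mfa_ok:
        return False, "step-up MFA not completed"
    for g in grants:
        if (g.asset, g.protocol) != (asset, protocol) or g.group not in groups:
            continue
        if g.mode == "standing" and assets[asset] != "prod":
            return True, "standing grant"
        # Assumption: an approver may not approve their own request.
        if g.mode == "jit" and approved_by in g.approvers and approved_by != user:
            return True, f"JIT approved by {approved_by}"
    return False, "no usable grant"
```

Running `lint_grants(GRANTS, ASSETS)` before a pilot widens to production surfaces the standing grant on `prod-db-01`, which `authorize` also refuses to honor.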
Operational docs
Related guides
Layered control plane: gateway connectors, policy engine, recording pipeline, and audit store.
Standalone, active/standby, horizontal scale, and multi-region gateway — when each fits.
How users, targets, accounts, protocols, and time windows combine into enforceable grants.
Block, approve, or mask high-risk commands and connections before they execute.