Transparent Pricing
Replace your access stack. Pay per user, not per tool.
Stop paying for separate VPN, bastion, database tunneling, and access gateway licenses. One platform, one price, one audit trail.
14-day free trial
No credit card required
Deploy in minutes
Solo — for individual users
Secure SSH, VPN, and full audit trail — everything a solo engineer needs.
$9
/month
Start Free Trial
Team
For teams of any size
$15
per user / month, billed annually
Everything in Solo, plus:
Multi-user organisation
RDP, Database & Web App access
SAML/OIDC SSO & Teams RBAC
VPN Access (5 peers)
Audit log export, API & Terraform
Network & resource discovery
Basic alerting & notifications (Email, Slack, Discord, Teams)
200 resources, 30-day retention
No JIT access or approval workflows
No Kubernetes, gRPC, or Telnet access
No dedicated gateways or SIEM
No command filtering
Most Popular
Professional
For growing teams
$22
per user / month, billed annually
Everything in Team, plus:
Just-in-Time access & approval workflows
SOC 2 compliance reports & log forwarding
Real-time compliance posture dashboard
Advanced alerting & all notification channels
Security policies (reauth, idle timeout, MFA)
Session risk analysis & endpoint posture
VPN split tunnel & custom DNS (10 peers)
500 resources, 60-day retention
No Kubernetes, gRPC, or Telnet access
No dedicated gateways or SIEM
No session monitoring or ITSM
No cloud entitlement management (CIEM)
Business
For security-first organizations
$39
per user / month, billed annually
Everything in Professional, plus:
Kubernetes, gRPC, Telnet & container access
Cloud entitlement management (CIEM)
Dedicated gateways & gateway failover
SIEM integration & data masking
Machine identity (service accounts)
Live session monitoring (four-eyes)
ITSM integration (ServiceNow, Jira)
Access review campaigns
Command filtering & blocking (SSH/DB)
VPN mesh network & exit nodes
Custom recording & customer storage (BYOS S3)
Unlimited resources, 180-day retention
Dedicated support channel
Approximate — final total on Stripe Checkout
What You Get
Everything you need to replace your current access stack
Every plan includes Zero Trust controls, session recording, and a unified audit trail. No add-ons, no surprises.
SSH & terminal access
RDP & VNC remote desktop
Database query gateway
Internal web app proxy
Built-in VPN (WireGuard)
Full session recording
SSO & MFA enforcement
Unified audit trail
Role-based access policies
Plan Details
Find the right fit for your team
Compare exactly what each plan includes — so you can pick the one that matches your security and compliance needs.
| Feature | Solo | Team | Professional | Business | Enterprise |
|---|---|---|---|---|---|
| Pricing & Limits | |||||
| Per-user price (monthly / annual) | $9 | $19 / $15 | $29 / $22 | $49 / $39 | Custom |
| Users | 1 (single-user org) | Multi-user (per-seat) | Multi-user (per-seat) | Multi-user (per-seat) | Multi-user (per-seat) |
| Resources included | 15 | 200 | 500 | Unlimited | Unlimited |
| Session retention / storage | 14 days / 2 GB | 30 days / 100 GB | 60 days / 250 GB | 180 days / 500 GB | 1 year / 2 TB+ |
| Access Types | |||||
| SSH access | |||||
| RDP, Database & Web App access | |||||
| Kubernetes, gRPC & Telnet access | |||||
| VPN Access (WireGuard) | |||||
| Session & Recording | |||||
| Session recording & playback | |||||
| Keystroke logging & clipboard controls | |||||
| File transfer audit & risk analysis | |||||
| Identity & Access | |||||
| Basic SSO & MFA enforcement | |||||
| SAML/OIDC SSO & Teams RBAC | |||||
| Just-in-Time access & approval workflows | |||||
| Live session monitoring (four-eyes) | |||||
| ITSM / ticketing integration | |||||
| Access review campaigns | |||||
| SCIM provisioning | |||||
| Machine identity (service accounts) | |||||
| Compliance & Audit | |||||
| Audit logs & export | View only | ||||
| SOC 2 & compliance reports | |||||
| Real-time compliance posture dashboard | |||||
| SIEM integration | |||||
| HIPAA support | |||||
| Infrastructure | |||||
| Data Residency (EU, US, Asia) | |||||
| Customer-managed gateway | |||||
| Dedicated gateways | |||||
| Gateway failover (offline access) | |||||
| Dedicated deployment managed by OnePAM | |||||
| Network Access | |||||
| Network access peers per user | 1 | 5 | 10 | Unlimited | Unlimited |
| Split tunneling & custom DNS | |||||
| VPN mesh network | |||||
| Notifications & Alerting | |||||
| Basic notifications (Email, Slack, Discord, Teams) | Email only | ||||
| Advanced integrations (PagerDuty, Opsgenie, webhooks) | |||||
| Basic alerting (endpoint online/offline) | |||||
| Advanced alerting (anomaly, threshold, risk) | |||||
| Escalation policies | |||||
| Alert rules limit | 2 | 10 | 50 | 200 | Unlimited |
| Security Policies | |||||
| Re-authentication & idle timeout policies | |||||
| Max concurrent sessions & MFA enforcement | |||||
| Team-level policy overrides | |||||
| Advanced Features | |||||
| API access | |||||
| Query logging & Terraform provider | |||||
| Access policies | |||||
| Data masking | |||||
| Command filtering & blocking | |||||
| Network & resource discovery | |||||
| Cloud entitlement management (CIEM) | |||||
| Endpoint posture & continuous verification | |||||
| Support | |||||
| Support level | Priority Email | Priority & Dedicated | SLA & Dedicated | ||
FAQ
Common questions before you switch
OnePAM replaces your VPN, bastion/jump host, SSH key manager, database tunnel, and separate audit-logging tools — all in one platform.
Instead of stitching together OpenVPN + SSH CA + pgAdmin + manual access logs, you get a single pane with identity-based access, session recording, and a unified audit trail across every protocol.
Solo is a flat $9/month for a single-user org — ideal for individual engineers.
Team ($19/user/month), Professional ($29/user/month), and Business ($49/user/month) are billed per seat; add or remove members anytime.
Enterprise uses custom pricing with dedicated support.
Annual billing saves up to 20%. No hidden fees — you only pay for active seats.
A user is any person with an active account who can authenticate and access resources through OnePAM.
Service accounts and API integrations do not count. Deactivated users are not billed. You can scale up or down at any time.
Sign up and get full Professional-tier access for 14 days. No credit card required.
Connect your infrastructure, invite your team, and experience SSO, session recording, and compliance controls immediately.
At the end of the trial, pick the plan that fits — or cancel with no commitment.
Those tools solve part of the problem — Teleport focuses on SSH/K8s, StrongDM on database proxying, Tailscale on networking.
OnePAM covers SSH, RDP, VNC, databases, Kubernetes, web apps, and VPN in one product, at a lower per-user price, with built-in session recording and audit trails.
One vendor, one invoice, one audit trail.
Solo includes Google login.
Team and above support full SAML 2.0 and OIDC — Okta, Azure AD, OneLogin, Ping Identity, and any standards-compliant provider.
Your team signs in with existing credentials; no separate passwords to manage.
Retention scales with your plan: Solo 14 days (2 GB), Team 30 days (100 GB), Professional 60 days (250 GB), Business 180 days (500 GB), Enterprise up to 1 year (2 TB+).
Every session — SSH, RDP, database query, web app — is recorded automatically. No configuration needed.
Yes. Upgrade, downgrade, or cancel at any time from your dashboard. Downgrades take effect at the next billing cycle.
There are no cancellation fees and no lock-in contracts on any plan.
Yes. Enterprise customers get a fully managed, isolated OnePAM instance with dedicated infrastructure for data residency and network isolation.
Contact the sales team to discuss requirements.
Yes. OnePAM includes a built-in WireGuard-powered VPN on every paid plan. Unlike traditional VPNs, every connection is identity-aware — authenticated, authorized, and logged.
For protocols like SSH, RDP, databases, and web apps, users connect directly through the browser with no client install needed.
Professional adds split tunneling and custom DNS. Business adds exit nodes, mesh networking, and traffic metadata logging.
Stop duct-taping your access stack together.
Replace VPNs, bastions, and shared credentials with one platform. Full Professional-tier access for 14 days, free. No credit card, no sales call.
SOC 2 aligned • 14-day free trial • Deploy in under 5 minutes