Priced by Engineers, for Engineers

Unified secure access for every protocol. Simple plans, predictable pricing.

Team includes all core protocols. Professional adds JIT access and compliance. Business unlocks Kubernetes, gRPC, SIEM, and advanced infrastructure controls.

14-day free trial

No credit card required

Built-in VPN Access

Save up to 20%

Every protocol in one platform

Identity-first Zero Trust controls

Unified audit trail across sessions

Solo — for individual users

SSH access, VPN, session recording, and audit logs for a single-user org.

$9 /month

Start Free Trial

Team

For teams of any size

$15

per user / month, billed annually

200 resources 30-day retention Multi-user

Start Free Trial

Everything in Solo, plus:

Multi-user organisation

RDP, Database & Web App access

SAML/OIDC SSO & Teams RBAC

VPN Access (5 peers)

Audit log export, API & Terraform

Network & resource discovery

Basic alerting & notifications (Email, Slack, Discord, Teams)

200 resources, 30-day retention

No JIT access or approval workflows

No Kubernetes, gRPC, or Telnet access

No dedicated gateways or SIEM

No command filtering

Professional

For growing teams

$22

per user / month, billed annually

500 resources 60-day retention Multi-user

Start Free Trial

Everything in Team, plus:

Just-in-Time access & approval workflows

SOC 2 compliance reports & log forwarding

Real-time compliance posture dashboard

Advanced alerting & all notification channels

Security policies (reauth, idle timeout, MFA)

Session risk analysis & endpoint posture

VPN split tunnel & custom DNS (10 peers)

500 resources, 60-day retention

No Kubernetes, gRPC, or Telnet access

No dedicated gateways or SIEM

No session monitoring or ITSM

No cloud entitlement management (CIEM)

Business

For security-first organizations

$39

per user / month, billed annually

Unlimited resources 180-day retention Multi-user

Start Free Trial

Everything in Professional, plus:

Kubernetes, gRPC, Telnet & container access

Cloud entitlement management (CIEM)

Dedicated gateways & gateway failover

SIEM integration & data masking

Machine identity (service accounts)

Live session monitoring (four-eyes)

ITSM integration (ServiceNow, Jira)

Access review campaigns

Command filtering & blocking (SSH/DB)

VPN mesh network & exit nodes

Custom recording & customer storage (BYOS S3)

Unlimited resources, 180-day retention

Dedicated support channel

Core Features

Core protocols with clear tiering

Solo includes SSH. Team and Professional add RDP, VNC, databases, and web apps. Business and Enterprise add Kubernetes, gRPC, and Telnet — all with Zero Trust controls.

SSH Access

RDP Access

Database Access

Web App Access

Kubernetes Access (Business+)

gRPC Proxy (Business+)

Telnet Access (Business+)

VPN Access

Session Recording (all protocols)

SSO Integration

Unified Audit Logs

MFA Enforcement

Comparison

Compare plans

See what's included in each tier at a glance.

Feature	Solo	Team	Professional	Business	Enterprise
Pricing & Limits
Per-user price (monthly / annual)	$9	$19 / $15	$29 / $22	$49 / $39	Custom
Users	1 (single-user org)	Multi-user (per-seat)	Multi-user (per-seat)	Multi-user (per-seat)	Multi-user (per-seat)
Resources included	15	200	500	Unlimited	Unlimited
Session retention / storage	14 days / 2 GB	30 days / 100 GB	60 days / 250 GB	180 days / 500 GB	1 year / 2 TB+
Access Types
SSH access
RDP, Database & Web App access
Kubernetes, gRPC & Telnet access
VPN Access (WireGuard)
Session & Recording
Session recording & playback
Keystroke logging & clipboard controls
File transfer audit & risk analysis
Identity & Access
Basic SSO & MFA enforcement
SAML/OIDC SSO & Teams RBAC
Just-in-Time access & approval workflows
Live session monitoring (four-eyes)
ITSM / ticketing integration
Access review campaigns
SCIM provisioning
Machine identity (service accounts)
Compliance & Audit
Audit logs & export	View only
SOC 2 & compliance reports
Real-time compliance posture dashboard
SIEM integration
HIPAA support
Infrastructure
Data Residency (EU, US, Asia)
Customer-managed gateway
Dedicated gateways
Gateway failover (offline access)
Dedicated deployment managed by OnePAM
Network Access
Network access peers per user	1	5	10	Unlimited	Unlimited
Split tunneling & custom DNS
VPN mesh network
Notifications & Alerting
Basic notifications (Email, Slack, Discord, Teams)	Email only
Advanced integrations (PagerDuty, Opsgenie, webhooks)
Basic alerting (endpoint online/offline)
Advanced alerting (anomaly, threshold, risk)
Escalation policies
Alert rules limit	2	10	50	200	Unlimited
Security Policies
Re-authentication & idle timeout policies
Max concurrent sessions & MFA enforcement
Team-level policy overrides
Advanced Features
API access
Query logging & Terraform provider
Access policies
Data masking
Command filtering & blocking
Network & resource discovery
Cloud entitlement management (CIEM)
Endpoint posture & continuous verification
Support
Support level	Email	Email	Priority Email	Priority & Dedicated	SLA & Dedicated

SOC 2 Aligned

GDPR Ready

Zero Trust Architecture

Why We're Different

View Trust Center

FAQ

Frequently asked questions

How does per-user pricing work?

Solo is a single-user organisation at $9/month — ideal for individuals managing their own servers. Team ($19/user/month), Professional ($29/user/month), and Business ($49/user/month) are multi-user organisations billed per seat — add as many team members as you need. Enterprise uses custom pricing for large-scale deployments with dedicated support and compliance. For example, a team of 10 on the Professional plan costs $290/month. Annual billing saves up to 24% (Team drops to $15/user/month, Professional to $22/user/month, Business to $39/user/month). All plans include a 14-day free trial. No hidden fees — you only pay for the seats you use.

What counts as a "user"?

A user is any person with an active account who can authenticate and access resources through OnePAM. Service accounts and API-only integrations do not count as users. Deactivated users are not billed.

What is a "resource" in OnePAM?

A resource is any target you want to provide access to: an SSH server, database instance, web application, RDP host, Kubernetes cluster, gRPC service, or Telnet device. Each unique connection target counts as one resource. For example, 5 SSH servers + 3 databases + 2 K8s clusters = 10 resources. Solo includes SSH. Team adds RDP, VNC, database, and web app access. Business and Enterprise add Kubernetes, gRPC, and Telnet. Each plan includes a resource allowance (Solo: 15, Team: 200, Professional: 500, Business: unlimited, Enterprise: unlimited).

How does the 14-day free trial work?

Start with full access to Professional tier features for 14 days. No credit card required. Connect your resources, invite your team, and experience JIT access, compliance reports, and security policies immediately. At the end of the trial, choose the plan that fits your needs.

How does OnePAM compare to Border0 or Teleport?

OnePAM offers the same Zero Trust access capabilities at a competitive price point. Our Team plan starts at $19/user/month ($15 with annual billing) with per-seat pricing and generous included limits. Our Professional plan adds JIT access and compliance at $29/user/month ($22 annually). Our Business plan with SIEM, dedicated gateways, and advanced infrastructure is $49/user/month ($39 annually) with unlimited resources. Enterprise uses custom pricing with dedicated support and full compliance. Same security, same features, better price.

What SSO providers do you support?

Solo includes Google login. Team and above add full SAML 2.0 and OIDC support for enterprise identity providers like Okta, Azure AD, OneLogin, Ping Identity, and others.

How long are sessions recorded and stored?

Session retention varies by plan: Solo includes 14 days (2 GB storage), Team includes 30 days (100 GB), Professional includes 60 days (250 GB), Business includes 180 days (500 GB), and Enterprise includes up to 1 year (2 TB+).

What databases does OnePAM support?

OnePAM supports PostgreSQL, MySQL, MongoDB, Redis, Microsoft SQL Server, and other common databases. Access is browser-based with full query logging. Business tier adds data masking for sensitive columns.

Do you offer dedicated deployment?

Yes! Enterprise customers get a dedicated OnePAM instance fully managed by our team, with isolated infrastructure for data residency and network isolation. Contact our sales team to discuss dedicated deployment requirements.

Does OnePAM include network-level access?

Yes! OnePAM includes built-in VPN access powered by WireGuard on every paid plan. Solo includes 1 peer per user, Team includes 5, Professional includes 10, and Business/Enterprise include unlimited peers. Unlike traditional VPNs, OnePAM's VPN is identity-aware — every connection is authenticated, authorized, and logged. Professional adds split tunneling and custom DNS. Business adds traffic metadata logging, mesh networking, and exit nodes. Enterprise also includes dedicated IPs and compliance-grade controls. For protocols like SSH, RDP, VNC, Kubernetes, Telnet, databases, and web apps, users can also connect directly through the browser when supported.

SSH, RDP, VNC, Kubernetes, gRPC, Telnet, databases & web apps — all in one platform.

Team starts with all core protocols, Professional adds JIT access and compliance, and Business unlocks Kubernetes, gRPC, SIEM, and advanced infrastructure. Start with the full Professional tier free for 14 days — no sales call required. No credit card required.

Start Free Trial Why We're Different

Built to SOC 2 standards • 14-day free trial • No credit card required