Rootshell is the single front door to every server, database, and Kubernetes cluster you run. Engineers ask for access in the moment, get a credential that expires in minutes, and never touch a password. Every keystroke of every session is recorded, indexed, and one click from replay.
$ ssh prod-db-03
rootshell › prod-db-03 is tier-1. requesting just-in-time access…
reason required › rotating expired TLS cert (INC-2291)
approver › @sam-oncall approved in 38s (Slack)
grant › role=db-operator ttl=20m ✓ no standing access
⦿ recording session sess_7f3a91 · keystrokes + tty + file xfer
⦿ guardrail DROP / GRANT ALL / rm -rf → blocked, approver paged
postgres@prod-db-03:~$ \dt billing.* # every command logged
postgres@prod-db-03:~$ exit
rootshell › grant expired · credential revoked · recording sealed
→ replay sess_7f3a91 share clip export to SIEM
$ _The front door for teams that have to prove who touched what
Rootshell sits between your people and your fleet as the only path in. It brokers the credential, enforces the policy, and films the session — so access is least-privilege by default and provable after the fact.
Rootshell holds the keys and never gives them to a human. On connect, the broker mints a short-lived credential — an SSH certificate, a database role, a signed kubeconfig — scoped to one host, one purpose, and a clock. It expires on its own, rotates underneath, and leaves nothing to leak, screenshot, or paste into a wiki.
Each SSH, RDP, database, and kubectl session is captured keystroke-by-keystroke with full terminal output and file transfers. Scrub the replay like a video, jump to any command, and read the timeline of who ran what, where, and when.
Standing admin rights become request-and-approve. An engineer asks for a tier-1 box with a reason, an approver clicks yes in Slack, and the grant evaporates when the work is done.
Name the commands that get blocked, masked, or held for a second approver mid-session. A DROP TABLE on production stops at the keystroke and pages the approver before it ever lands.
Every command across every server is one query away. Find each session that touched a host, ran sudo, or moved a file — in seconds, across months of history.
What pulling the keys out of human hands measures out to
Rootshell speaks the protocols your team already uses. There is no new client to install and no workflow to relearn — engineers run ssh, psql, and kubectl exactly as they do today, and the bastion does the rest invisibly.
Connect with native ssh, your own terminal, psql, an RDP client, or kubectl. Rootshell is the jump host in the middle — no agent on the target, no plugin in your editor.
SSH and SFTP, RDP, PostgreSQL, MySQL, MongoDB, Redis, and the Kubernetes API are proxied and recorded through one gateway with one policy engine.
Single sign-on through Okta, Entra, or Google, with roles and groups synced over SCIM. Access maps to the team someone is already in — no parallel user list to babysit.
Deploy single-tenant in your own VPC or air-gapped on-prem. Credentials, recordings, and forensic timelines stay on infrastructure you control and never reach a vendor cloud.
Standing access leaves you guessing who did what. Rootshell turns every privileged session into evidence — indexed, replayable, and exportable — so the answer to 'prove it' is a link, not a week of grepping logs.
Watch the session back like a screen recording, character by character, with stdout, stderr, and exit codes preserved exactly as they happened.
Every command, sudo, and pipe rendered as a searchable, timestamped list — jump straight to the line that matters instead of scrubbing the whole tape.
Every file that moved in or out of a host, with checksum, size, direction, and the exact moment it crossed the bastion.
Every command a guardrail stopped, masked, or escalated — the destructive query that never ran is logged as plainly as the ones that did.
Each grant tied to the request, the reason given, the approver who signed off, and the minute it expired — the full chain of custody for a connection.
Stream sealed, hash-chained session records straight into your SIEM or object store, ready to hand an assessor without touching the originals.
“We pulled every SSH key off every engineer's machine in a week. Access is request-and-approve now, and the credential dies in twenty minutes — so a stolen laptop isn't a fleet-wide incident anymore. Nobody misses the standing root.”
“An on-call engineer fat-fingered a DROP on what they thought was staging. Rootshell stopped it at the keystroke and paged me before it touched production. That single block paid for the contract.”
“Our SOC 2 access review used to be a two-week archaeology dig across a dozen log sources. Now the auditor asks who touched the billing database in March and I send a link to the replay. The finding closes itself.”
Charging per recorded session punishes you for watching more of your fleet. Rootshell bills for the people who hold access, never for the sessions they leave behind.
For small teams putting a real front door on their servers.
For infra teams that have to prove least-privilege on demand.
For regulated, multi-region, air-gapped infrastructure.
No. They keep using native ssh, their own terminal, psql, RDP clients, and kubectl. Rootshell is the jump host in the middle — it brokers the credential and records the session transparently, so the only thing that changes is that nobody holds a standing key anymore.
Standing admin rights are replaced by request-and-approve. An engineer connects, states a reason, and an approver signs off in Slack or the console. Rootshell mints a credential scoped to that host and purpose with a short TTL — twenty minutes by default — and revokes it automatically when the work is done. No tickets, no shared passwords, no leftover access.
Everything: every keystroke, full terminal output, file transfers over SCP and SFTP, and the commands a guardrail blocked. Each recording is indexed so you can replay it like a video or jump straight to a specific command, and every grant is tied to who requested it, why, who approved it, and when it expired.
Yes. You define the commands that get blocked, masked, or escalated to a second approver while the session is live. A DROP TABLE or rm -rf on a tier-1 host stops at the keystroke before it executes and pages the approver — the dangerous command is logged as plainly as the safe ones.
No. Rootshell runs active-active, and every tier ships a break-glass path: a sealed set of emergency credentials your security team can open under dual approval, with the use recorded and alerted like any other session. The bastion failing never becomes the reason an incident goes unfixed.
Inside your perimeter. Rootshell deploys single-tenant in your own VPC, or fully air-gapped on-prem. Vaulted keys, session recordings, and forensic timelines stay on infrastructure you control and never reach a vendor cloud. You can pin data residency by region.
It is built for it. Rootshell enforces least-privilege access, writes immutable, hash-chained audit logs of every grant and session, and exports sealed records to your SIEM. When an assessor asks who accessed a system and what they did, you answer with a replay link instead of a log-grep marathon.
Stand up the bastion in your own cloud, point it at one server, and watch a recorded session play back before lunch. No agent on your hosts, no standing credentials, no sessions leaving your perimeter.