Bastion by Adaptive

Share Access, not Credentials

Securely manage privileged access to databases, Kubernetes clusters, VMs, and cloud infrastructure. Enforce Just-in-Time access, MFA, and SSO on every resource — without sharing a single credential.

SOC2 Type II
Zero Trust
No Agents
98+ Integrations

Credentials are the #1 attack vector. Stop sharing them.

Infrastructure credentials shared as plain text on Slack, stored in config files, and passed between teams create massive security blind spots. Once leaked, there is no recall.

61% of breaches involve compromised credentials — stolen via social engineering or brute force.

40% of employees share credentials with teammates to collaborate on infrastructure.

74% of breaches involve the human element, including credential misuse and phishing.

How Bastion Works

From connect to comply in minutes. No agents, no network changes, no credentials exposed.

Connect Your Resources

Register databases, Kubernetes clusters, VMs, and cloud infrastructure with Adaptive. No agents to install, no network reconfiguration — Bastion uses a container-based proxy architecture.

Authenticate with SSO & MFA

Users authenticate through your existing identity provider — Okta, Google, Azure AD, JumpCloud, OneLogin, or any SAML/OIDC provider. MFA is enforced at the infrastructure level.

Access Without Credentials

Bastion provisions ephemeral, scoped credentials on-the-fly with configurable TTLs. Users connect via the Adaptive CLI or their existing client tools — credentials are never exposed.

Audit & Auto-Revoke

Every session, query, and action is recorded with full context — including terminal recordings. Credentials auto-revoke after their TTL expires. Complete compliance trail, zero manual work.

Platform

A unified platform for identity and access

Everything you need to secure access for human, workload, and AI identities — in one place.


Privileged Access

Share access, not credentials. Enforce least-privilege with ephemeral, just-in-time credentials across databases, VMs, and K8s.


Authorization

Granular roles for human and workload identities. Fine-grained allow/deny policies across every resource.


Data Protection

Dynamic data masking and tokenization. Automatically protect PII, secrets, and sensitive data in real time.


Audit & Compliance

Identity-based audit trails for every query across every interface. Accelerate SOC-2, HIPAA, and ISO 27001.


Activity Monitoring

Real-time database activity monitoring. Detect anomalies, prevent malicious commands, and eliminate blind spots.


Workload Identity

Orchestrate secrets for non-human identities. Broker access to third-party tools without exposing credentials.

Capabilities

Enterprise-grade infrastructure access, every capability built in

From ephemeral credentials to data masking — everything teams need to eliminate credential exposure while keeping developers productive.

Zero standing privileges

Just-in-Time Access

Time-bound, approval-based access workflows with configurable TTLs, multi-approver support, auto-approval schedules, and automatic revocation. No standing privileges.

Observability

Session Recording & DAM

Asciinema terminal recording plus Database Activity Monitoring across MySQL, PostgreSQL, SQL Server, and MongoDB.

Data protection

Data Masking & DSPM

Column-level masking with automatic PII detection, schema scanning, and sensitive data classification.

Authorization

Role-Based Access Control

Six specialized roles with workspace-scoped permissions, multi-tenant isolation, and per-resource authorization policies.

Secrets management

Credential Vault & Auto-Rotation

Encrypted credential storage with automated rotation on intervals or cron schedules. Crash-safe with Write-Ahead Log recovery.

Connectivity

98+ Infrastructure Integrations

Databases, Kubernetes, cloud platforms, network appliances, monitoring tools, and ticketing systems. From PostgreSQL to Palo Alto firewalls — Bastion covers your entire stack.

Developer-native

Your IDE. Your terminal. Your trust layer.

No new IDE, no new CLI, no new browser. Plug Adaptive into the agents and shells your team already lives in — Claude Code, Codex, Cursor, kubectl, Chrome — and the trust layer rides along.

Agent harness
Claude Code · Codex · Cursor · OpenCode
trust layer
Every agent, sandboxed in your infrastructure.
Isolate agents in ephemeral environments with fine-grained controls and guardrails, full visibility into every query and command, no secrets exposed, all running in your infrastructure.
Policies declared once, applied everywhere, never drift.

Works with everything you already run

98+ integrations across databases, cloud, Kubernetes, network appliances, and identity providers.

PostgreSQL
MySQL
MongoDB
MongoDB Atlas
Redis
MariaDB
Oracle
SQL Server
CockroachDB
ClickHouse
Cassandra
ScyllaDB
YugabyteDB
Elasticsearch
Neo4j
DynamoDB
Apache Druid
ProxySQL
RabbitMQ
Kafka
AWS
AWS EC2
AWS ECS
AWS Lambda
AWS S3
CloudWatch
Azure
Azure VM
Azure Cosmos
Azure SQL
Azure Synapse
Google Cloud
GCE
DigitalOcean
DO Droplets
Heroku
Vultr
Kubernetes
EKS
GKE
AKS
DOKS
OpenShift
Rancher
Snowflake
Databricks
Redshift
BigQuery
Athena
DocumentDB
KeySpaces
Neptune
ElastiCache
QLDB
Glue
BigTable
Spanner
Firestore
Memorystore
Starburst
Confluent
Okta
Azure AD
Google SSO
JumpCloud
OneLogin
LDAP
Cisco
Fortinet
Juniper
Aruba
Palo Alto
HPE Switch
SSH
RDP
VNC
Syslog
Docker
Airflow
Jenkins
MinIO
ZeroTier
Kibana
Grafana
Prometheus
Datadog
Splunk
Coralogix
GitHub
GitLab
Linear
Jira
OpenAI
Slack
MS Teams
Zoom
Asana
Freshservice