Zero Trust · No open ports · No credentials

Zero Trust access to every server you run

Install one agent and give your team secure SSH to any host — without opening a single inbound port or handing out credentials. Every session is recorded and replayable, every action is governed by RBAC, and live CPU, RAM, disk, process and network metrics stream straight to your console.

Lightweight Go agent · < 30 MB RSS · Linux & macOS

subnomic — connected to 24 hosts

Console preview · web-prod-03: CPU 62% · Memory 11.2 / 16 GB · disk 68% · net 240 Mb/s · Active SSH sessions: 3 recorded · rbac: enforced

0 inbound ports opened

0 standing credentials

100% sessions recorded

<2m to first host online

SOC 2-ready controls · End-to-end encrypted · Self-hostable · Session replay · Audit logging

Platform

Zero Trust access, observability included

Subnomic replaces bastions, VPNs and shared SSH keys with one secure agent — and streams full server telemetry while it's at it.

Zero Trust SSH

Reach any host through the agent's outbound tunnel — port 22 stays closed to the world. Every connection is verified, scoped and time-boxed before a shell is ever granted.

Session recording & replay

Every SSH session is captured keystroke-by-keystroke and replayable like a video. Search, scrub and review exactly what happened — perfect for audits and incident response.

Granular RBAC

Map users to hosts and actions with least privilege. Decide who can connect where, who can run what, and when access expires — all from one policy model.

Real-time server metrics

Live telemetry from every host, with history and alerting out of the box. Know exactly what your fleet is doing the moment it happens.

CPU load & per-core · RAM & swap · Disk usage & I/O · Top processes · Network interfaces

One lightweight agent

A single self-updating binary you install once. It dials out over TLS and needs no inbound firewall changes — access and metrics, all from the same agent.

On the roadmap

Docker & Kubernetes management

The same Zero Trust agent will soon let you inspect containers, exec into pods and roll deployments — all policy-checked and recorded, no kubeconfig or Docker socket exposed.

Docker · Kubernetes

Identity

Unified identity.
No credentials.

Stolen keys, shared passwords and forgotten access tokens cause most breaches. Subnomic removes them entirely. Strong cryptographic identity, privileges that expire on their own, and one model that establishes trusted interactions between humans, machines and AI agents.

01 · Cryptographic identity

Every human, machine and agent is bound to a hardware root of trust. There are no passwords, API keys or secrets to phish, leak or reuse — identity is proven by cryptography, not by what someone knows.

02 · Ephemeral privileges

Access is granted just-in-time and expires automatically. With no standing privileges, there's nothing for an attacker to harvest and the lateral attack surface collapses toward zero.

03 · Agentic control

The same identity and access model extends to AI agents and MCP tooling. Autonomous workloads get scoped, auditable, time-boxed access — never a long-lived key — so automation stays safe by default.

Risk reduced to zero by design. No open ports to scan. No credentials to steal. No standing access to escalate. What doesn't exist can't be breached.

How it works

Live in under two minutes

No ports to open, no bastions to maintain. Install, and the host appears in your console with Zero Trust SSH and live metrics ready to go.

  1. Install the agent

    Run one command. The agent registers itself and dials out over TLS — no inbound ports.

  2. Stream metrics

    CPU, RAM, disk, processes and network interfaces start flowing to your console instantly.

  3. Connect securely

    Open Zero Trust SSH sessions that are scoped by RBAC and recorded for replay — every time.

install.sh
# Install the Subnomic agent on any Linux/macOS host
curl -fsSL https://get.subnomic.com | sh

# Register with your workspace token
subnomic agent register \
  --token "$SUBNOMIC_TOKEN" \
  --name web-prod-03

✓ outbound tunnel up — 0 inbound ports opened
✓ zero trust ssh ready · session recording on
✓ streaming cpu · ram · disk · net metrics …

Diagram: Your server (Subnomic agent, no listening ports) → outbound TLS, encrypted → Subnomic control plane (policy + audit)

The agent always initiates the connection. Attackers have no port to reach — even if they know your IP.
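
One way to check the "no listening ports" claim on a Linux host after installing the agent, as an added example that is not Subnomic's own tooling. It assumes iproute2's `ss` is available and covers TCP listeners only; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `ss -H -tln` output on stdin and prints every TCP
# listener bound to a non-loopback address as "<address> <port>".
exposed_listeners() {
    awk '$1 == "LISTEN" {
        n = split($4, parts, ":")            # port follows the last colon
        port = parts[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        sub(/%.*$/, "", addr)                # drop "%lo"-style interface suffix
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only, skip
        print addr, port
    }'
}

# Exit status 0 when no listener is reachable from off-host, 1 otherwise.
no_inbound_ports() {
    [ -z "$(exposed_listeners)" ]
}

# Constructed sample input in `ss -H -tln` layout (hypothetical host):
# before the change sshd listens on all interfaces, afterwards only
# loopback services remain.
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'
SAMPLE_AFTER='LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*'

# On a live Linux host:
#   ss -H -tln | exposed_listeners
#   ss -H -tln | no_inbound_ports && echo "no TCP listeners exposed"
```

This reports what the host itself is listening on; an external scan or firewall review is still needed to confirm what is reachable from the network.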

Security

Secure access without the attack surface

Most breaches start with an exposed port or a leaked SSH key. Subnomic removes both. Access flows through the agent's outbound tunnel, scoped by policy and logged end to end.

  • No inbound ports. Nothing to port-scan, nothing to brute-force.

  • Full session recording. Replay any SSH or command session for audit and incident review.

  • Granular RBAC. Roles map users to hosts, namespaces and actions with least privilege.

  • Encrypted everywhere. TLS in transit, and a self-hostable control plane for full data ownership.

Pricing

Simple, per-host pricing

Start free. Scale as your fleet grows. Cancel anytime.

Starter

For side projects and small teams.

$0/mo

Get started
  • Up to 3 hosts
  • Real-time metrics
  • Zero Trust SSH
  • Secure SSH
  • 7-day session history

Team (most popular)

For growing engineering teams.

$12/host/mo billed monthly, $10/host/mo otherwise

Book a demo
  • Unlimited hosts
  • Full session recording
  • RBAC & SSO
  • Alerting & integrations
  • 90-day audit retention

Enterprise

For regulated and large fleets.

Custom

Contact sales
  • Self-hosted control plane
  • Custom RBAC & policies
  • Unlimited audit retention
  • SAML/SCIM & SLA
  • Dedicated support


Take control of your fleet

Join the waitlist for early access, or book a demo to see secure, agent-based management in action.
