Audit May 14, 2026 · 5 min read

Why we record every session keystroke-by-keystroke

Session replay turns "who did what" from guesswork into a video you can scrub through during an incident.

It's 3 a.m. and an alert fires: a production database table was dropped. Who ran the command? When? What else did they touch before and after? In most organizations the honest answer is a shrug and a desperate grep through shell history files that may have been cleared, rotated, or never captured at all.

Shell history is not an audit log. It records commands, not context — not the output the operator saw, not the interactive prompts they answered, not the moment they realized something was wrong. To truly understand an incident, you need to watch it happen.

Logs tell you what; replay tells you how

Command logs answer "what command ran." Session replay answers a much richer set of questions: what the operator saw, how they navigated, where they hesitated, and exactly what the terminal displayed in response. During a security investigation, that difference is everything.

An audit trail you can't watch is a list of claims you have to trust.

How recording works

Subnomic captures the full terminal stream — input and output — for every session, tied to a verified identity. Because we control the transport, recording is not an opt-in agent on the host that a privileged user could disable. It happens in the path that every session already flows through.

  • Keystroke fidelity — the recording is the actual byte stream, replayable at original timing or scrubbable frame-by-frame.
  • Tamper-resistant — recordings are written to the control plane, not the host being audited.
  • Searchable — find every session that touched a host, ran a command pattern, or occurred in a time window.
  • Identity-bound — each recording is attributed to a cryptographically verified actor, not a shared account.

Replay during an incident

When something breaks, you open the session and watch it like a video. Scrub to the moment the table was dropped. See the command, the confirmation prompt, the output. Rewind to understand what led there. The investigation that used to take hours of correlating fragmentary logs becomes a few minutes of watching what actually happened.
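The search-and-scrub workflow above, as an added sketch that is not Subnomic's code or recording format: the event tuples, function names and sample session are constructed for illustration. It rebuilds submitted lines from raw keystrokes (backspace editing only), finds the line matching a pattern, and returns the timestamp to scrub to along with the output the terminal showed, for a command typed inside psql, where the shell's own history would contain only `psql prod`.

```python
import re

# Constructed sample recording in a hypothetical format (not Subnomic's):
# (seconds since session start, direction, raw bytes); "i" = keystrokes, "o" = output.
EVENTS = [
    (0.0, "o", b"ops@db1:~$ "),
    (1.2, "i", b"psql prod\r"),
    (1.3, "o", b"psql prod\r\nprod=# "),
    (4.0, "i", b"DROP TABEL\x7f\x7fLE orders;\r"),   # typo fixed with two backspaces
    (4.1, "o", b"DROP TABLE\r\nprod=# "),
    (9.5, "i", b"\\q\r"),
    (9.6, "o", b"ops@db1:~$ "),
]

def typed_lines(events):
    """Rebuild submitted lines from raw keystrokes, applying backspaces."""
    buf, lines = bytearray(), []
    for t, direction, data in events:
        if direction != "i":
            continue
        for b in data:
            if b in (0x7F, 0x08):        # DEL / BS erase the previous byte
                if buf:
                    buf.pop()
            elif b in (0x0D, 0x0A):      # Enter submits the line
                lines.append((t, buf.decode("utf-8", "replace")))
                buf.clear()
            else:
                buf.append(b)
    return lines

def find_commands(events, pattern):
    """Return (timestamp, line) for every submitted line matching pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(t, line) for t, line in typed_lines(events) if rx.search(line)]

def output_after(events, t):
    """Terminal output displayed after time t, up to the next keystroke."""
    out = bytearray()
    for ts, direction, data in events:
        if ts > t:
            if direction == "i":
                break
            out += data
    return out.decode("utf-8", "replace")

if __name__ == "__main__":
    for t, line in find_commands(EVENTS, r"\bdrop\s+table\b"):
        print(f"{t:6.1f}s  {line!r} -> {output_after(EVENTS, t)!r}")
```

Cursor movement, tab completion and history recall cannot be rebuilt from keystrokes alone, which is where the recorded output stream is needed.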

Compliance as a side effect

SOC 2, ISO 27001, HIPAA and PCI all expect that privileged access is logged and reviewable. With complete session recording, the evidence is already there — you don't scramble to reconstruct it at audit time. The control is continuous, not a once-a-year fire drill.

Privacy and scope

Recording everything raises legitimate questions about sensitive data. Recordings are access-controlled, retained according to your policy, and — in self-hosted deployments — never leave your infrastructure. Visibility for auditors does not mean visibility for everyone.

The bottom line

You can't secure what you can't see. Recording every session keystroke-by-keystroke turns your most dangerous moments — privileged access to production — from a blind spot into your best source of truth.
