
StrongDM Review 2026: Features, Pricing, Secrets Management & Is It Worth It?


Introduction

Most secrets managers focus on storing credentials. StrongDM focuses on eliminating them entirely.

StrongDM is not a traditional secrets manager in the way AWS Secrets Manager or HashiCorp Vault are. It’s a zero-trust infrastructure access platform: a proxy layer that grants engineers access to databases, servers, Kubernetes clusters, and cloud consoles without ever giving them the underlying credentials.

In the context of Privileged Access Management (PAM) and secrets management, StrongDM sits at the intersection of both: it vaults secrets and controls access, but the unique value is that end users never actually see the secrets they’re using.

In this CyberSecurityO review, we explore how StrongDM redefines infrastructure access governance and where it fits in the modern identity security stack.


Company Overview

StrongDM was founded in 2015 in San Jose, California by Justin McCarthy and Tim Prendergast. The company raised significant funding from investors including Tiger Global and has grown into a recognized player in the privileged access and infrastructure access management space.

Key milestones:

  • 2015: Founded with the proxy-based access model
  • 2018: Series A
  • 2020: Series B ($54M) β€” accelerated by remote work and cloud adoption
  • 2022: Series C ($78M) β€” enterprise expansion, compliance features
  • 2023-2024: AI-assisted access workflows, identity orchestration integrations
  • 2025: Continued expansion into NHI and workload identity access

StrongDM serves technology companies, healthcare organizations, financial services firms, and any enterprise with complex infrastructure access requirements and compliance mandates.


What Is StrongDM?

StrongDM is a zero-trust infrastructure access management platform that provides:

  • Proxy-based access to databases, servers (SSH/RDP), Kubernetes, web apps, and cloud consoles
  • Credential vaulting: infrastructure credentials are stored in StrongDM, not on engineer laptops
  • Just-in-time (JIT) access: temporary, time-limited access to resources
  • Session recording: full session logging for compliance and forensics
  • Audit trail: every access event, query, and command is logged

The key principle: engineers never handle credentials. StrongDM’s client connects the user’s tool (psql, kubectl, a browser) to the target resource through an encrypted proxy. The credential is used server-side by StrongDM and is never exposed to the end user.

Key Features

1. Proxy-Based Access (Credential-less Access)

StrongDM’s proxy sits between users and infrastructure. When a database engineer runs psql, StrongDM authenticates the engineer, checks policy, and proxies the connection using vaulted credentials, without the engineer ever seeing the database password.

2. Resource Types Supported

  • Databases: PostgreSQL, MySQL, MongoDB, MSSQL, Oracle, Snowflake, Redshift, BigQuery, DynamoDB
  • SSH / RDP: Linux servers, Windows RDP, bastion hosts
  • Kubernetes: Kubectl access with RBAC enforcement
  • Web Apps: HTTP proxying for internal web consoles
  • Cloud Consoles: AWS, Azure, GCP console access via federated identity

3. Just-in-Time (JIT) Access

Engineers request access to resources with a defined duration and reason. Approvers (managers or automated workflows) grant time-limited access. When the window expires, access is revoked automatically.

4. Session Recording & Replay

All sessions are recorded: SQL queries, SSH commands, kubectl commands, RDP screen recordings. Security teams can replay sessions for incident investigation, compliance audits, or training.

5. Identity Integrations (Zero Trust Auth)

StrongDM integrates with:

  • Okta, Azure AD/Entra ID, Google Workspace (IdP-driven access)
  • SAML/OIDC for SSO
  • Conditional access policies (e.g., require MFA for prod access)

6. Workflow Automation

StrongDM integrates with Slack, PagerDuty, and JIRA for access approval workflows. Engineers request access in Slack, and managers approve with one click.

7. Policy Engine

Fine-grained policies control:

  • Who can access which resources
  • During what time windows (business hours only)
  • From what locations/IP ranges
  • With what session duration limits
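To make those four policy dimensions (who/what, when, where, how long) and the JIT expiry from section 3 concrete, here is an added example. It is not StrongDM code and not StrongDM’s policy language; it is a toy evaluator written for this review, and the role name, resource name, CIDR range, 09:00-18:00 UTC window, two-hour cap and the user "alice" are all constructed assumptions.

```python
# Added example, not StrongDM code: a toy evaluator for the four policy
# dimensions above (who/what, when, where, how long) with JIT expiry.
# Roles, resource names, CIDRs, the 09-18 UTC window and the 2-hour cap
# are all constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    role: str                 # who: a role the requester must hold
    resources: frozenset      # what: resources this policy covers
    window_start_hour: int    # when: UTC hour, inclusive
    window_end_hour: int      # when: UTC hour, exclusive
    allowed_networks: tuple   # where: CIDRs the request must come from
    max_duration: timedelta   # how long: hard cap on one JIT grant
    require_mfa: bool = True  # conditional access normally enforced by the IdP


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    resource: str
    source_ip: str
    requested_duration: timedelta
    mfa_verified: bool
    reason: str
    at: datetime              # timezone-aware


@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    granted_at: datetime
    expires_at: datetime


def evaluate(policies: Iterable[Policy], req: AccessRequest) -> Tuple[Optional[Grant], str]:
    """Return (grant, explanation); grant is None when the request is denied."""
    if not req.reason.strip():
        return None, "denied: every JIT request needs a stated reason"
    denials = []
    for p in policies:
        if p.role not in req.roles or req.resource not in p.resources:
            continue  # this policy does not cover the user/resource pair
        hour = req.at.astimezone(timezone.utc).hour
        addr = ip_address(req.source_ip)
        if p.require_mfa and not req.mfa_verified:
            denials.append(f"{p.role}: MFA not verified")
        elif not (p.window_start_hour <= hour < p.window_end_hour):
            denials.append(f"{p.role}: outside {p.window_start_hour:02d}-{p.window_end_hour:02d} UTC window")
        elif not any(addr in ip_network(c) for c in p.allowed_networks):
            denials.append(f"{p.role}: source {req.source_ip} not in an allowed network")
        else:
            # Clamp to the policy cap rather than rejecting an over-long request.
            duration = min(req.requested_duration, p.max_duration)
            grant = Grant(req.user, req.resource, req.at, req.at + duration)
            return grant, f"granted via {p.role} until {grant.expires_at.isoformat()}"
    return None, "denied: " + ("; ".join(denials) or "no policy covers this user/resource pair")


def is_active(grant: Grant, now: datetime) -> bool:
    """Automatic revocation: a grant is only valid inside its window."""
    return grant.granted_at <= now < grant.expires_at


# Constructed sample policy: DBAs may reach prod-postgres 09:00-18:00 UTC,
# from the 10.0.0.0/8 office range, for at most two hours per grant.
POLICIES = (
    Policy("dba", frozenset({"prod-postgres"}), 9, 18, ("10.0.0.0/8",), timedelta(hours=2)),
)


def request(hour, source_ip="10.1.2.3", hours=1, mfa=True, reason="INC-1234: investigate slow query"):
    """Build a constructed request from 'alice' (role dba) at the given UTC hour."""
    at = datetime(2026, 3, 2, hour, 0, tzinfo=timezone.utc)
    return AccessRequest("alice", frozenset({"dba"}), "prod-postgres", source_ip,
                         timedelta(hours=hours), mfa, reason, at)


def decide(hour, *args, **kwargs):
    """Return (granted, grant length in hours or None, explanation)."""
    grant, why = evaluate(POLICIES, request(hour, *args, **kwargs))
    length = None if grant is None else (grant.expires_at - grant.granted_at).total_seconds() / 3600
    return grant is not None, length, why


def still_active(hour, hours_later):
    """Grant at `hour`, then ask whether it is still valid `hours_later` hours on."""
    grant, _ = evaluate(POLICIES, request(hour))
    return grant is not None and is_active(grant, grant.granted_at + timedelta(hours=hours_later))


if __name__ == "__main__":
    for args in ((10,), (2,), (10, "203.0.113.5"), (10, "10.1.2.3", 8)):
        print(args, decide(*args))
```

The design point worth noticing is that every denial names the dimension that failed, and the over-long request is clamped to the cap instead of bounced; both make the approval log readable later, which is the same reason the audit trail matters in the product itself.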

8. Compliance Reporting

Pre-built reports for SOC 2, PCI DSS, HIPAA, and ISO 27001 showing who had access to what, when, and what they did.

Architecture



Deployment options:

  • SaaS Control Plane (StrongDM-hosted): the standard deployment
  • StrongDM Relay/Gateway: a self-hosted relay for private-network resources that have no public egress

Use Cases

Database Access for Developers and DBAs

Developers connect to PostgreSQL or MySQL in production via their normal psql/MySQL client, but through StrongDM. They never know the database password. All queries are logged. Access is revoked after their shift or project ends.

Kubernetes Production Access

Platform engineers access production Kubernetes clusters via kubectl through StrongDM. Fine-grained RBAC is enforced, sessions are recorded, and JIT approval is required for destructive operations.

Remote Access for Third-Party Vendors

Contractors and vendor teams access specific infrastructure resources via StrongDM with time-limited sessions, IP restrictions, and full session recording. No VPN, no credential sharing.

PCI DSS / HIPAA Compliance

Healthcare and financial organizations use StrongDM’s session recording and audit logs to demonstrate compliance with PCI DSS (Requirements 8 and 10) and HIPAA access control requirements, without manual log collection.

SOC 2 Type II Preparation

StrongDM’s access audit trail directly addresses SOC 2 CC6 (Logical Access Controls) requirements. Pre-built compliance reports reduce audit preparation time significantly.

NHI & Service Account Governance

StrongDM vaults service account credentials for machine workloads: application identities access databases through the StrongDM proxy just as human users do, with consistent policy enforcement and audit.

Pricing

StrongDM uses per-user subscription pricing with annual contracts. Pricing is not publicly listed; contact sales for quotes.

Factors that affect pricing:

  • Number of users
  • Number of resources (databases, servers, clusters)
  • Session recording storage
  • Enterprise compliance features

Typical positioning: Mid-market to enterprise, with a focus on organizations with 50+ engineers accessing infrastructure. Not designed for individual developers or small startups.

Pros & Cons

✅ Pros

  • Credential-less access: engineers never see the passwords they use (unique differentiator)
  • Session recording for databases, SSH, Kubernetes, and RDP: unmatched auditability
  • JIT access workflows via Slack/Teams/JIRA: practical zero-trust access approvals
  • Compliance reporting pre-built for SOC 2, PCI DSS, HIPAA: reduces audit burden dramatically
  • Multi-protocol support: databases, SSH, RDP, Kubernetes, web apps in one platform
  • Identity-native: works with Okta, Entra ID, Google Workspace as the identity source
  • Proxy architecture eliminates credential exposure at the endpoint level

❌ Cons

  • Not a traditional secrets manager: no API for applications to retrieve secrets (that’s not what StrongDM does)
  • SaaS dependency: the control plane is cloud-hosted (the Relay mitigates this for private resources)
  • Higher cost than pure secrets managers: designed for the full infrastructure access use case
  • Requires client installation: engineers install the StrongDM desktop client (no browser-only access for most resources)
  • Session recording storage costs: extensive session logs can be significant at scale
  • No dynamic secrets in the traditional sense: StrongDM vaults credentials but doesn’t generate short-lived database users like Vault

StrongDM vs Traditional PAM vs Secrets Managers

Capability           | StrongDM  | CyberArk PAM | HashiCorp Vault | AWS Secrets Manager
Human Access Control | ✅ (Best) | ✅           | ⚠️              | ❌
Session Recording    | ✅        | ✅           | ❌              | ❌
Credential Vaulting  | ✅        | ✅           | ✅              | ✅
App/Machine Secrets  | ⚠️        | ✅           | ✅              | ✅
Dynamic Secrets      | ❌        | ✅           | ✅              | ⚠️
JIT Access Approval  | ✅        | ✅           | ❌              | ❌
Compliance Reporting | ✅ (Best) | ✅           | ❌              | ❌
Developer UX         | ✅        | ⚠️           | ⚠️              | ✅

Best Practices

  1. Use StrongDM as your primary human infrastructure access layer; complement it with HashiCorp Vault or AWS Secrets Manager for application secrets.
  2. Enable JIT access for all production resources: no standing access to production databases or servers.
  3. Require MFA via your IdP (Okta, Entra ID) for production resource access; StrongDM enforces IdP-level conditional access.
  4. Configure session recording retention policies aligned with your compliance requirements (PCI = 1 year, HIPAA = 6 years).
  5. Integrate with your SIEM via StrongDM’s audit log streaming, and set alerts for unusual access patterns.
  6. Use Slack workflows for access approval; make JIT access frictionless so engineers actually use it.
  7. Review access grants quarterly via StrongDM’s access review reports, and remove stale access proactively.
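Practice 5 is the one that turns the audit trail into detection. As an added illustration (not StrongDM code, and not its real audit-log schema), the block below runs three simple rules over a handful of constructed access events in a JSON-lines shape: access outside business hours, access from a source IP the user has never used before, and a destructive query or command. The users, IPs, resource names, keyword list and 09:00-18:00 UTC business window are all constructed; map the field names to whatever your SIEM receives from the real stream.

```python
# Added example, not StrongDM code and not its real audit-log schema: three
# simple detections a SIEM rule set might run over streamed access events.
# The events, users, baseline IPs and keyword list below are constructed.
import json
from datetime import datetime, timezone
from typing import List, NamedTuple

# Constructed JSON-lines sample: one event per proxied query or command.
SAMPLE_LOG = """\
{"ts": "2026-03-02T10:05:00Z", "user": "alice", "resource": "prod-postgres", "source_ip": "10.1.2.3", "action": "query", "detail": "SELECT count(*) FROM orders"}
{"ts": "2026-03-02T10:06:00Z", "user": "alice", "resource": "prod-postgres", "source_ip": "10.1.2.3", "action": "query", "detail": "SELECT * FROM orders LIMIT 10"}
{"ts": "2026-03-03T02:14:00Z", "user": "bob", "resource": "prod-postgres", "source_ip": "10.1.9.9", "action": "query", "detail": "SELECT * FROM customers"}
{"ts": "2026-03-03T11:00:00Z", "user": "alice", "resource": "prod-ssh-bastion", "source_ip": "203.0.113.5", "action": "command", "detail": "sudo rm -rf /var/backups/db"}
{"ts": "2026-03-03T11:01:00Z", "user": "carol", "resource": "prod-postgres", "source_ip": "10.1.4.4", "action": "query", "detail": "DROP TABLE audit_trail"}
"""

# Per-user source IPs seen during a learning period (constructed baseline).
BASELINE_IPS = {"alice": {"10.1.2.3"}, "bob": {"10.1.9.9"}, "carol": {"10.1.4.4"}}
BUSINESS_HOURS = (9, 18)  # UTC, [start, end)
DESTRUCTIVE_KEYWORDS = ("DROP ", "TRUNCATE ", "DELETE FROM ", "rm -rf ")


class Alert(NamedTuple):
    rule: str
    user: str
    resource: str
    ts: datetime


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into dicts, converting the timestamp to an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def _alert(ev: dict, rule: str) -> Alert:
    return Alert(rule, ev["user"], ev["resource"], ev["ts"])


def detect(events: List[dict]) -> List[Alert]:
    """Apply the three rules to every event; one event can raise several alerts."""
    alerts = []
    for ev in events:
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append(_alert(ev, "off_hours_access"))
        if ev["source_ip"] not in BASELINE_IPS.get(ev["user"], set()):
            alerts.append(_alert(ev, "new_source_ip"))
        if any(k in ev["detail"] for k in DESTRUCTIVE_KEYWORDS):
            alerts.append(_alert(ev, "destructive_action"))
    return alerts


def alert_rules(text: str = SAMPLE_LOG) -> List[str]:
    """Convenience: just the rule names fired, in event order."""
    return [a.rule for a in detect(parse_events(text))]


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.rule:<20} {a.user}@{a.resource}")
```

On the sample, the two in-hours queries from alice’s usual address are silent, bob’s 02:14 query fires off_hours_access, alice’s bastion command from an unfamiliar address fires both new_source_ip and destructive_action, and carol’s DROP fires destructive_action. The keyword rule is deliberately crude; the point is that because StrongDM logs the actual query or command text, a content-aware rule is possible at all, which a VPN-plus-shared-password setup never gives you.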

FAQs

Q1: Is StrongDM a secrets manager or a PAM tool?

It’s both, and neither perfectly. StrongDM is an infrastructure access management platform that vaults credentials (like a secrets manager) and controls privileged access (like a PAM tool), but its core innovation is the proxy model that eliminates credential exposure.

Q2: Can StrongDM replace CyberArk PAM?

For human privileged access to infrastructure (databases, servers, Kubernetes), StrongDM is a strong alternative to CyberArk PAM, often with faster deployment and better developer UX. For application secrets management, session isolation, or regulated mainframe environments, CyberArk has capabilities that StrongDM doesn’t.

Q3: Can applications retrieve secrets from StrongDM via API?

StrongDM is primarily designed for human access, not application secret retrieval. For application secrets, pair StrongDM with HashiCorp Vault, AWS Secrets Manager, or Akeyless.

Q4: Does StrongDM support Kubernetes access?

Yes. kubectl commands are proxied through StrongDM with full command logging, time-based access control, and JIT approval workflows.

Q5: How does StrongDM handle network-isolated resources?

The StrongDM Relay/Gateway component can be deployed inside private networks, allowing StrongDM to proxy access to resources without requiring public internet exposure.

Q6: Is StrongDM compliant with SOC 2 / PCI DSS?

Yes, StrongDM is SOC 2 Type II certified. Its session recording, audit logs, JIT access, and access control features directly address SOC 2, PCI DSS, HIPAA, and ISO 27001 requirements. Pre-built compliance reports accelerate audit preparation.

Q7: What identity providers does StrongDM integrate with?

StrongDM integrates with Okta, Azure AD/Entra ID, Google Workspace, OneLogin, Ping Identity, and any SAML 2.0 or OIDC-compatible identity provider.

Conclusion

StrongDM occupies a unique and valuable position in the identity security landscape. It’s not trying to replace your secrets manager; it’s trying to make your engineers’ credentials invisible.

For organizations with compliance-driven infrastructure access requirements (SOC 2, PCI, HIPAA), distributed engineering teams accessing production databases and servers, or zero-trust programs that require JIT access and session recording, StrongDM is one of the most practical implementations of zero-trust principles available.

Its limitations are deliberate: it’s not an application secrets platform, it’s not a building block for NHI workloads, and it’s not cheap. But for the human infrastructure access problem, which remains one of the top sources of data breaches, StrongDM delivers a genuinely differentiated solution.

Recommended pairing: StrongDM (human access) + HashiCorp Vault or AWS Secrets Manager (application secrets) = comprehensive identity security coverage.

CyberSecurityO Rating: 8.6 / 10 ⭐⭐⭐⭐⭐
