Credentials never touch your laptops
The NetStacks Controller owns all credentials, proxies every SSH connection, and logs every action. Your engineers connect to devices without ever seeing a password. That's not a feature — it's the architecture.
How it works: Controller-Proxied SSH
- Auth & SSO
- Credential Vault
- SSH Proxy
- Audit Engine
- Session Recording
The architectural advantage — credentials never leave the server
All SSH connections route through the Controller. Credentials are fetched from the encrypted vault at connection time and stay in server memory — they never reach the engineer's laptop or browser. This means a compromised endpoint cannot leak your network passwords.
The browser-based terminal provides the same experience as the desktop app: AI assistant, session management, multi-send, and topology views. No install required — just a browser and your SSO credentials.
- Credentials never on endpoints — zero exposure surface
- Browser terminal — no install, same full feature set
- Every session automatically recorded and indexed
- Integrates with your existing SSO provider
```
# 1. Engineer authenticates to Controller
$ netstacks login --sso okta
✓ Authenticated via SAML (session: 8h)

# 2. Controller fetches credentials from vault
# → AES-256-GCM decrypt, Argon2 key derivation
# → Credentials stay in server memory only

# 3. Proxied SSH session established
$ netstacks connect core-rtr-01
✓ SSH proxy active (recording: enabled)
router-01# show ip bgp summary
Neighbor   AS      MsgRcvd  MsgSent  State
10.0.0.1   65001   12045    11982    Established
10.0.0.2   65002   8891     8820     Established

# 4. Session recorded, audit logged
# → Every command indexed and searchable
```
Defense in Depth
Five layers of security from transport to audit — each reinforcing the next
Audit & Monitoring
Every action logged. Session recording with command indexing. SIEM export to Splunk, Elastic, QRadar.
Access Control
RBAC with 12+ granular permissions. Custom roles. Approval workflows for privileged operations.
Authentication
SSO via SAML, OIDC, LDAP. MFA enforcement. Short-lived SSH certificates from built-in CA.
Credential Management
AES-256-GCM encrypted vault with Argon2 key derivation. Zero standing privileges. Folder-based access.
Transport Security
All SSH connections proxied through Controller. TLS 1.3 for API and browser. Credentials never leave the server.
Granular RBAC with custom roles matching your org
Built-in Admin, Operator, and Viewer roles cover common needs out of the box. Create custom roles to match your org — give network operators device and template access, security teams audit and credential management, and juniors read-only visibility.
Integrates with your identity provider via SAML 2.0, OpenID Connect, or LDAP. Single sign-on across the platform with MFA enforcement. Users from Okta, Azure AD, Google Workspace, and Active Directory authenticate seamlessly.
- 12+ granular permissions across all platform areas
- Custom roles with any permission combination
- SSO via SAML, OIDC, LDAP — works with your IdP
- Approval workflows for privileged operations
| Permission | Admin | Operator | Viewer |
|---|---|---|---|
| Devices | ✓ | ✓ | ✓ |
| Credentials | ✓ | — | — |
| Templates | ✓ | ✓ | — |
| Stacks | ✓ | ✓ | — |
| Tasks | ✓ | ✓ | ✓ |
| MOPs | ✓ | ✓ | — |
| AI Assistant | ✓ | ✓ | ✓ |
| NOC Agents | ✓ | — | — |
| Users | ✓ | — | — |
| Settings | ✓ | — | — |
| Audit Logs | ✓ | — | — |
| Session Recording | ✓ | ✓ | ✓ |
Every action logged. Every session recorded.
Comprehensive audit trail with SIEM integration and mandatory session recording
Full Audit Logging
Every login, device connection, config change, credential access, and settings modification creates an immutable audit entry. Filter by user, action type, date range, or target device. Retain logs for as long as your compliance policy requires.
SIEM Export
Export audit data as JSON or CSV to Splunk, Elastic, or QRadar. Configure date ranges, event type filters, and scheduled exports. Feed your existing security dashboards without changing your workflow.
Session Recording
Enforce recording by device type, user role, or specific device groups. Centralized storage on the Controller with command-level indexing — search for any command across all recorded sessions.
Config Snapshots
Capture device configurations on schedule or on-demand. Visual diff across time periods to track drift, identify unauthorized changes, and restore previous known-good state with one click.
Deploy how you need to — cloud, on-prem, or air-gapped
The Controller is a single binary that runs on Linux, in Docker, or on Kubernetes. Choose the deployment model that matches your security posture — from fully air-gapped on-premises to cloud-hosted with browser access.
Configuration snapshots capture device configs on schedule. Visual diff shows changes across time periods — track drift, identify unauthorized modifications, and restore previous state. Bulk operations let you manage hundreds of devices from a single console.
- Single binary — simple to deploy and maintain
- Full air-gap support — no outbound internet required
- Config snapshot and diff for change tracking
- Bulk operations across your entire inventory
On-Premises
Full control. Deploy within your network perimeter on bare metal, VM, or container. No data leaves your environment. Air-gap ready.
Cloud / Hybrid
Run the Controller in your cloud VPC. Engineers connect via browser or desktop app. Same security model, flexible deployment.
Built for regulated environments
NetStacks provides the controls and audit capabilities required for compliance with industry standards
Trusted by network teams worldwide
“The Controller architecture changed everything for us. Credentials never leave our servers, every session is recorded, and our engineers can access devices from any browser. We passed our SOC 2 audit with zero findings on network access controls.”
Frequently asked questions
Ready to evaluate NetStacks for your organization?
See the Controller architecture in action. Schedule a demo or start a free trial.