Subnomic documentation

Zero Trust access to servers, databases, internal apps and Kubernetes — without VPNs, bastions or handing out credentials. Every connection is RBAC-scoped and recorded.

How it works

You install a lightweight agent on a host inside your network. The agent makes a single outbound connection to Subnomic — there are no inbound ports to open. All access (SSH, database queries, internal dashboards, kubectl) is multiplexed over that one tunnel.

Because the agent dials the target from inside your network, the database password, the cluster ServiceAccount and the internal dashboards never have to be exposed to the internet. Subnomic brokers the connection, enforces who is allowed, and records what happened.

The building blocks

  • Servers — the hub for a host: its agents, an interactive terminal, recorded sessions, metrics and the access gate.
  • Agents — the outbound connector you install (host / tunnel / kubernetes / docker). It's what makes a server real.
  • Databases — a browser SQL/command console to Postgres, MySQL, Redis and Mongo.
  • Internal apps — open internal HTTP dashboards through the tunnel.
  • Kubernetes — full kubectl (via a generated kubeconfig) and a browser API console.
  • Resource manager — browse and manage live Kubernetes & Docker resources from the UI, with no kubectl or SSH required.
  • Guardrails — allow / deny / require-approval rules on what can run.
  • Scheduled tasks — run commands and resource actions on a host, once or on a DST-correct recurring schedule.
  • Workflows — compose tasks, queries, commands and AI steps into a visual DAG that runs as one governed identity.
  • Live sessions — watch an active terminal in real time, join it, or terminate it.
  • Access requests (JIT) — time-boxed, approved access to any target (database, server, app or cluster).
  • Break-glass — a logged emergency path for incidents.
  • Anomaly detection — automatic flags on unusual sessions (off-hours, new host, mass operations).
  • Tamper-evident audit — a cryptographically chained activity log you can verify and stream to a SIEM / Slack.
  • Compliance evidence — on-demand access reviews and SOC 2 / ISO / HIPAA / PCI evidence packs.
  • Agent access (MCP) — scoped, time-boxed, recorded database access for AI agents over MCP.
  • Subnomic AI — plain-language summaries of every recording, and a chat assistant that answers natural-language questions over your audit log.

Where things live

Terminal and Agents are not separate pages — they're tabs inside a server, next to Sessions, Metrics and Access. Databases, Internal apps and Kubernetes have their own sections because a target can be reached by an agent on any server.

New here? Follow Getting started — create a server, install its agent, use it.
Everything is permission-gated. If you cannot see a feature in the console, your role does not have the permission for it — ask an admin (Roles page).