Now SOC 2 Type II Certified

Privileged Access.
Zero Compromise.

Mandate is the enterprise-grade privileged access management platform that lets authorized users execute commands as any identity — with full audit trails, policy enforcement, and zero-trust credential governance.

See How It Works
SOC 2 ISO 27001 GDPR HIPAA FedRAMP
user root
dev admin
ops www
99.97% Uptime SLA
4.7B+ Privileged Sessions Managed
14,000+ Enterprise Deployments
<2ms Policy Evaluation Latency
Capabilities

Enterprise Privilege Management,
Rebuilt From First Principles

Every feature maps to a real operational need. Every permission boundary is enforced at the kernel level.

Identity Delegation Engine

Execute any command as any authorized user with -u USER. Seamlessly assume target identities without credential sharing — full impersonation with complete audit trails.

-u user

Group Vector Control

Override primary group context with -g GROUP. Fine-grained group-level access boundaries let you execute with precisely scoped permissions — no over-provisioning.

-g group

Deep Shell Immersion™

Full login shell simulation with -i loads target user profiles, environment files, and resource configurations. Complete identity context — not just a permission flip.

-i (login shell)

Credential Cache Governance

Refresh sessions with -v, invalidate with -k, or purge all cached credentials with -K. Timestamp-based session control with configurable TTLs.

-v / -k / -K

Privilege Audit & Enumeration

List all authorized commands and privileges with -l. Complete visibility into what each identity can do, across every host. Verbose mode reveals the matching policy rules.

-l (list)

Zero-Interaction Mode

Non-interactive execution with -n and background processing with -b. Purpose-built for CI/CD pipelines, automation workflows, and headless infrastructure operations.

-n / -b

Secure File Editing

Edit privileged files without exposing a root shell using -e (sudoedit). Temporary copies, automatic rollback, symlink protection — built-in guardrails for sensitive file modification.

-e / sudoedit

Environment Preservation Layer

Carry forward environment variables with -E, set HOME to the target user with -H, or preserve the invoking user's group vector with -P. Total context control.

-E / -H / -P
Architecture

Four-Phase Privilege Mediation

Every privileged operation flows through our battle-tested governance pipeline.

01

Policy Evaluation

The security policy plugin evaluates the requesting identity against the configured ruleset. Mandate checks user membership, target identity, command path, host context, and timestamp validity — all in under 2ms.

02

Authentication Challenge

If the policy requires it, Mandate issues a credential challenge. Supports terminal-based password, graphical askpass helpers (-A), stdin piping (-S), and PAM integration. Configurable timeout with automatic session locking.

03

Execution Context Assembly

The runtime assembles the target execution environment: real and effective UIDs/GIDs, supplementary group vectors, environment variables, working directory, umask, and scheduling priority — all configured by policy.

04

Monitored Execution & Audit

A dedicated monitor process allocates a pseudo-terminal, manages signal relay (SIGINT, SIGTSTP, job control), captures I/O for logging, and reports exit status back through the audit plugin chain.

Interactive

Privilege Escalation Visualizer

See exactly how identity transitions work — select a source identity, target identity, and command to visualize the privilege flow.

👤
developer
uid=1001
mandate -u root
🛡️
Policy Engine
Evaluating...
GRANTED
root
uid=0
Mandate Session
$ mandate -u root systemctl restart nginx
[policy] Evaluating developer → root for: systemctl restart nginx
[auth] Password challenge issued
[granted] Session 4a7f2e — executing as root (uid=0)
Governance

Policy Configuration Studio

Define who can do what, where, and how — with our visual policy editor powered by the Mandate rule engine.

Policy Rules

# Mandate Policy Configuration
# /etc/mandate.conf

# User privilege specification
# user    host = (run_as) commands

# Developers can restart web services
%developers   ALL = (root) /usr/bin/systemctl restart nginx, \
                           /usr/bin/systemctl restart apache2, \
                           /usr/bin/systemctl status *

# Ops team has full command access with authentication
%ops          ALL = (ALL:ALL) ALL

# Deploy user — no password for deployment commands
deploy        ALL = (root) NOPASSWD: /usr/bin/apt-get update, \
                                     /usr/bin/apt-get install *, \
                                     /usr/bin/systemctl restart *

# Admin group — unrestricted access
%admin        ALL = (ALL:ALL) ALL

# Defaults
Defaults        timestamp_timeout=15
Defaults        log_output
Defaults        requiretty
Policy valid — 4 rules, 0 errors
Why Mandate

The Category-Defining Difference

Capability Mandate Competitor A Competitor B
Multi-identity delegation ✓ Any user or group Root only Limited
Credential cache with TTL ✓ Configurable per-terminal Session-based only No caching
Non-interactive mode ✓ Full CI/CD support Partial
Secure file editing ✓ sudoedit with symlink protection
Plugin architecture ✓ Policy, audit, I/O Limited Monolithic
Environment preservation ✓ Selective or full All or nothing
I/O session recording ✓ Built-in Third-party only
LDAP policy backend ✓ Native Partial
Compliance

Real-Time Audit Log

Every privileged action, every identity transition, every policy evaluation — logged, timestamped, and immutable.

Timestamp User Target Command Status Session
Live — streaming events
In Action

See Mandate in the Wild

Execute as Root

Terminal — mandate session
developer@host:~$ mandate ls /root
[mandate] password for developer: ********
.bashrc .profile .ssh backups scripts

Run as Another User

Terminal — mandate session
admin@host:~$ mandate -u www-data ls /var/www/html
index.html style.css app.js images

Login Shell Immersion

Terminal — mandate session
ops@host:~$ mandate -i
[mandate] password for ops: ********
root@host:~# whoami
root

Privilege Enumeration

Terminal — mandate session
developer@host:~$ mandate -l
User developer may run the following commands on host:
  (root) /usr/bin/systemctl restart nginx
  (root) /usr/bin/systemctl restart apache2
  (root) /usr/bin/systemctl status *
Plans

Pricing That Scales With Your Security Posture

Every tier includes full audit logging and SOC 2 compliance reporting.

Operator
$29/seat/mo
  • Single target identity (root)
  • Basic command execution
  • 5-minute credential cache
  • Password authentication only
  • Terminal-scoped sessions
  • Standard audit log (7-day retention)
Most Popular
Platform
$79/seat/mo
  • Multi-identity delegation (-u, -g)
  • Login shell & shell mode (-i, -s)
  • Configurable credential TTL
  • Non-interactive & background mode
  • Secure file editing (sudoedit)
  • Environment preservation (-E, -H, -P)
  • Askpass integration (-A)
  • 90-day audit retention
Governance
$149/seat/mo
  • Everything in Platform
  • Policy plugin architecture
  • LDAP policy backend
  • I/O session recording & replay
  • Custom security policy plugins
  • NOPASSWD rules
  • Command timeout enforcement
  • Unlimited audit retention
Sovereign
Custom
  • Everything in Governance
  • Dedicated security engineer
  • Custom audit plugin development
  • FedRAMP & HIPAA attestation
  • On-premise deployment option
  • 99.99% SLA with 24/7 support
  • Air-gapped environment support
  • Executive compliance dashboard
Trusted By

What Security Leaders Are Saying

★★★★★
"Before Mandate, our privilege management was a liability. Now we have full visibility into every identity transition across 4,000 servers. The audit log alone paid for the entire deployment in the first compliance cycle."
Lucas Kirkland
Lucas Kirkland CISO, NovaStar Financial
★★★★★
"The non-interactive mode transformed our CI/CD pipeline. We went from manual privilege requests to fully automated, policy-governed deployments. Our ship velocity increased 3x overnight."
Kira Tanaka
Kira Tanaka VP of Platform Engineering, DataMesh
★★★★★
"The Policy Configuration Studio is a game-changer. We went from managing raw config files to visual, version-controlled policy definitions. Our auditors actually understand what we're doing now."
Vera Suresh
Vera Suresh Head of Compliance, Fortify Labs
★★★★★
"Credential cache governance with configurable TTLs gave us the security posture our board demanded without destroying developer velocity. The -k flag integration with our .logout scripts was chef's kiss."
Athena Vasquez
Athena Vasquez Staff SRE, ScaleForge
FAQ

Frequently Asked Questions

Mandate supports configurable timeout policies. If no password is entered within the configured limit (default: 5 minutes), the session terminates gracefully. Use the askpass helper (-A) for graphical environments, or -S to read from stdin for automated workflows.

Yes. Mandate's policy engine lets you restrict commands on a per-user, per-host basis. Combined with the noexec functionality, you can prevent shell escapes from editors and other programs. However, if a user is granted arbitrary command execution, a root shell is inherently possible — which is why Mandate enforces least-privilege by default.

Absolutely. With our I/O logging plugin, every keystroke and screen output from privileged sessions is captured, timestamped, and stored immutably. Sessions can be replayed for forensic analysis or compliance audits. This is standard on Governance and Sovereign plans.

Yes, with a caveat. Environments that set the Linux "no new privileges" flag will prevent Mandate from operating, as the setuid bit is ignored. Most container orchestrators allow you to configure this flag. Check your container documentation to ensure the flag is not set when Mandate needs to run.

By default, Mandate caches credentials on a per-terminal basis for 5 minutes. This means authenticating in one terminal does not grant access in another — a critical isolation boundary. You can customize the timestamp_type and timestamp_timeout settings to tune this behavior for your security requirements.

Backed by mandō

Lyst Drift Locus Repliq Portage Voidal Scaffold Vøid Imprint Concat Stratum Folio Topline Tailstream Sieve Seekr Rewrite Trellis Sortable SINGULR Census Slice Morph FanOut Argonaut Reverb Formatik Epoch Solstice IDENT Signum Quorum Pulsar Overseer Terminus PURGE Dispatch Sotto Limelight Persist Vantage Canopy Attaché Détaché Tether Aegis CLAIMR Cohort Archivex Deflate Unravel ArcVault XTRAKT Conduit Fetch VaultLink Teleport DeltaSync Heartbeat Hopscotch Resolver Namesake Uplink CONNEX Callsign Milieu Propagate Sourcery Persona SEVER Chronicle Codex Relevance Resolv Nomenclature MAGIQ Intrinsic Diverge Patchwork VIGIL Breeze Cadence Kronos Atelier SUPRA AFFIRMATIV Mandate Turnkey Accession Reforge Collective PipeForge Netweave Panoptik Substrate Repose Verity FAULTR Provenance Chrono