Keystrike FAQ: Remote Access Governance, Post-Authentication Security & Compliance

Get answers about how Keystrike closes the governance gap between access intent and access reality, how it compares to PAM, SIEM, and EDR, and how it supports compliance with NIS2, DORA, IEC 62443, HIPAA, FedRAMP, and SOC 2.

Keystrike is a continuous remote access governance platform. It governs what happens after login — addressing the governance gap that IAM, PAM, SIEM, and EDR leave open. These questions and answers cover how Keystrike works, how it compares to adjacent tools, and what it means for your security stack and compliance obligations.


What problem does Keystrike solve that existing tools do not?

Keystrike is a privileged session monitoring platform that closes the post-authentication security gap in enterprise and OT environments. Most controls (IAM, MFA, VPN/ZTNA, PAM) verify identity and network access at the moment of login, then implicitly trust the session. In reality, credentials, MFA tokens, browser cookies, and RDP/SSH sessions are routinely stolen or hijacked. Once inside, attackers can operate with the victim's privileges until EDR or human analysts catch up. Keystrike removes this implicit trust by continuously validating the legitimacy of every interactive action during a remote session. Each keystroke/mouse click must be cryptographically attested as originating from a verified human on an approved device. If attestation is missing or invalid, the action is blocked in real time.
Executive Overview

How does Keystrike strengthen remote access security?

Keystrike adds a deterministic, in-band enforcement layer inside RDP, SSH, and similar interactive protocols. Instead of relying on probabilistic anomaly detection, it validates good behavior: only commands backed by real human input from a trusted workstation are allowed to execute. This design shuts down common attacker paths (credential replay, session hijacking, remote command injection, and living-off-the-land techniques) because the adversary cannot generate the required cryptographic proof of physical presence.
Executive Overview

Where does Keystrike fit in the security stack?

Keystrike complements, not replaces, existing identity, endpoint, and monitoring tools. IAM/MFA confirm who logs in, PAM controls when and to what, VPN/ZTNA control network reachability, and EDR/SIEM detect anomalies. Keystrike governs what actually happens after login by enforcing legitimacy at the moment of command execution.
Executive Overview

Is Keystrike a Zero Trust solution?

Keystrike aligns with Zero Trust principles — continuous verification, explicit authorization, and per-action enforcement — but it is not a generic Zero Trust platform. Keystrike is a continuous remote access governance platform that operationalizes post-authentication verification inside live sessions. It completes, rather than replaces, the Zero Trust access controls that IAM, MFA, and ZTNA provide.
Executive Overview

What risk does Keystrike eliminate?

Keystrike eliminates blind trust in authenticated sessions. Rather than detecting misuse after the fact, it prevents unauthorized actions as they are attempted and produces continuous, audit-ready evidence that control was enforced throughout the session.
Executive Overview

What is the Governance Gap?

The Governance Gap is the space between access intent and access reality. When a user authenticates through IAM, PAM, or MFA, the security stack has done its job — up to that point. But authentication answers only one question: should this person be allowed in? It says nothing about what happens inside the session — what commands are run, what files are touched, what systems are reached. That gap — between who was granted access and what they actually did with it — is where authenticated attackers operate, ransomware is deployed through legitimate credentials, and third-party contractors exceed their authorized scope. Keystrike closes this gap by governing the live session itself.
Executive Overview

Why isn't MFA enough to secure remote sessions after login?

MFA verifies identity at the moment of login. Once access is granted, MFA has done its job — it provides no visibility into, or control over, what happens inside the session. An attacker who has stolen valid credentials and MFA tokens, or who has hijacked an active session, operates with full privileges after authentication completes. Keystrike addresses this by continuously verifying every action inside the session — not just the login event — ensuring that commands are deterministically enforced against policy throughout the session, not just at the perimeter.
Executive Overview

How does Keystrike govern third-party and contractor remote access?

Third-party remote access is one of the highest-risk vectors in enterprise environments. Keystrike governs contractor and vendor sessions the same way it governs internal sessions — with live visibility (SEE), deterministic enforcement (CONTROL), and continuous evidence generation (PROVE). This ensures contractors operate within their authorized scope, unauthorized commands are blocked before they execute, and every session produces cryptographically attested audit records. This is directly applicable to NIS2, DORA, and other frameworks that require organizations to govern, not just permit, third-party remote access.
Executive Overview

How does Keystrike enforce remote access policies?

Keystrike sits on both ends of the connection: a workstation agent and a server-side Terminator agent. The workstation agent cryptographically signs human input; the Terminator verifies attestation before allowing commands to execute. Policy (e.g., enforcement vs. audit mode, protocol and server scope) is applied inline, so suspicious or unauthorized actions are blocked instantly.
How Keystrike Works

How does Keystrike determine whether a command is legitimate?

Every command must be directly traceable to verified human input (keystrokes, mouse clicks) coming from an approved, Keystrike-protected workstation. The Terminator checks that the cryptographic attestation for that input is present, valid, and timely. If the linkage is broken or absent, the action is treated as potentially malicious and is blocked (in enforcement mode).
How Keystrike Works

How does Keystrike verify human input?

On the workstation, the agent (running with high privilege) observes human-interface events (keyboard/mouse) and produces a cryptographic attestation proving they are genuine physical inputs. Importantly, Keystrike does not transmit or store the actual characters; it uses irreversible hashes/artifacts that prove legitimacy without creating a keylogging risk.
How Keystrike Works

Does Keystrike work with RDP, SSH, and similar protocols?

Yes. Keystrike supports interactive, human-driven protocols such as RDP and SSH. Commands execute only after attestation is verified, binding each action to a verified human on a trusted device.
How Keystrike Works

What happens if attestation is missing?

If the server-side Terminator does not receive valid attestation for incoming input, it treats the input as untrusted. In enforcement mode, Keystrike blocks it immediately and generates an alert, preventing fake commands or session abuse even when credentials or tokens are compromised.
How Keystrike Works

What if enforcement is disabled?

In audit mode, Keystrike does not block commands but provides comprehensive visibility and attestation telemetry. This mode is useful during initial rollout, for monitoring vendors/contractors, or while tuning policies before enabling enforcement.
How Keystrike Works
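
The checks described in this group of answers (attestation present, valid, timely, from an approved device, with audit mode recording instead of blocking) can be modelled in a few lines. This is an added illustration, not Keystrike's code or wire format: the per-device HMAC key, the counter, the `MAX_AGE_MS` window, and the names `attest` and `Verifier` are all assumptions made for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

MAX_AGE_MS = 2000  # assumed freshness window, not a Keystrike value


@dataclass(frozen=True)
class Attestation:
    device_id: str
    counter: int        # strictly increasing per device, so a captured tag cannot be reused
    timestamp_ms: int
    tag: bytes          # MAC over device, counter, time and the input event


def _tag(key: bytes, device_id: str, counter: int, timestamp_ms: int, event: bytes) -> bytes:
    dev = device_id.encode()
    # Length-prefix the device id so field boundaries are unambiguous.
    msg = struct.pack(">H", len(dev)) + dev + struct.pack(">QQ", counter, timestamp_ms) + event
    return hmac.new(key, msg, hashlib.sha256).digest()


def attest(key, device_id, counter, timestamp_ms, event) -> Attestation:
    """Workstation side: the attestation carries a MAC, never the raw input."""
    return Attestation(device_id, counter, timestamp_ms,
                       _tag(key, device_id, counter, timestamp_ms, event))


class Verifier:
    """Server side (hypothetical): decides per input event whether it may execute."""

    def __init__(self, device_keys: dict, enforce: bool = True):
        self.device_keys = device_keys
        self.enforce = enforce
        self.last_counter = {}
        self.alerts = []

    def _reject_reason(self, event, att, now_ms) -> Optional[str]:
        if att is None:
            return "missing attestation"          # fail secure: no proof, no trust
        key = self.device_keys.get(att.device_id)
        if key is None:
            return "unapproved device"
        # Recompute the MAC over the input actually received in-band.
        expected = _tag(key, att.device_id, att.counter, att.timestamp_ms, event)
        if not hmac.compare_digest(expected, att.tag):
            return "invalid attestation"
        if abs(now_ms - att.timestamp_ms) > MAX_AGE_MS:
            return "stale attestation"
        if att.counter <= self.last_counter.get(att.device_id, -1):
            return "replayed attestation"
        self.last_counter[att.device_id] = att.counter
        return None

    def allow(self, event: bytes, att: Optional[Attestation], now_ms: int) -> bool:
        reason = self._reject_reason(event, att, now_ms)
        if reason is None:
            return True
        self.alerts.append(reason)      # an alert is recorded in both modes
        return not self.enforce         # audit mode records but does not block


def demo(enforce: bool = True):
    key = b"constructed-demo-key"       # constructed sample value
    srv = Verifier({"ws-01": key}, enforce=enforce)
    good = attest(key, "ws-01", 1, 100_000, b"KEY:l")
    outcomes = [
        srv.allow(b"KEY:l", good, 100_100),   # genuine input
        srv.allow(b"KEY:l", good, 100_200),   # same attestation replayed
        srv.allow(b"KEY:x", None, 100_300),   # input with no attestation
        srv.allow(b"KEY:x", attest(key, "ws-01", 2, 100_300, b"KEY:l"), 100_350),  # bound to other input
        srv.allow(b"KEY:a", attest(key, "ws-01", 3, 100_000, b"KEY:a"), 105_000),  # too old
    ]
    return outcomes, srv.alerts
```
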

Does enforcement apply to all types of remote access?

Enforcement applies to interactive, human-driven sessions where input can be validated (e.g., RDP, SSH). Non-interactive mechanisms (PsExec, WMI, SMB/RPC, scheduled tasks, service accounts, or automated scripts) are visible in telemetry but are not blocked by Keystrike because they lack human input to attest. However, the SEE/visibility function of Keystrike monitors all types of remote access, which helps segment the network more efficiently.
Interactive vs. Non-Interactive Sessions

Does Keystrike monitor non-interactive sessions or other admin activity?

Yes. Keystrike provides visibility across remote access activity, including non-interactive protocols. These flows show up in the SEE/Visibility/telemetry function of Keystrike, so you can see what's happening and tighten controls at the boundaries (e.g., jump boxes, bastions), even though non-interactive commands themselves are not governed.
Interactive vs. Non-Interactive Sessions

Can someone bypass Keystrike by using an unapproved device?

No. Device-level authentication is enforced: you cannot interact with a Keystrike-protected server unless you are physically on an approved workstation running the Keystrike agent. This binds the user and the device to the session.
Device Authentication & Bypass Resistance

What if an attacker tries to fake keyboard or mouse input?

Keystrike assumes a strong attacker and is engineered to sit above them in privilege. To forge valid inputs, an attacker would typically need to escalate to high privilege and craft a custom driver to spoof hardware events while also reproducing cryptographic attestations: work that is complex, risky, and time-consuming even for elite teams.
Device Authentication & Bypass Resistance

What about attacks with hardware/firmware access?

For highest-security environments, Keystrike provides an optional hardware (USB) attestation device that validates physical input before it reaches the computer. With this, even attackers with OS or firmware control cannot forge the human-input signal or its attestation.
Device Authentication & Bypass Resistance

Is Keystrike unbreakable?

No system is absolutely unbreakable, but Keystrike dramatically raises the cost and complexity of attack. With software enforcement and optional hardware attestation, forgery of input becomes impractical while attempts leave auditable traces.
Device Authentication & Bypass Resistance

Does Keystrike record or store keystrokes?

No. Keystrike never transmits or stores raw keystrokes. It uses irreversible hashes/attestation artifacts solely to prove that the input was real, protecting user privacy and avoiding the risks of traditional keylogging.
Technical Architecture & Deployment

What operating systems does Keystrike support?

Windows and Linux are supported on the server side, with the workstation agent available for major desktop OSes. For the most current matrix (including versions such as Windows Server 2016+ and Linux support details), see the documentation: https://docs.keystrike.com/poc/keystrike-overview
Technical Architecture & Deployment

How do we deploy Keystrike?

Install the lightweight agent on user workstations and the Terminator agent on destination servers, then link them. Deployment is designed to be fast — customers report Keystrike is operational in approximately 20 minutes, with a single MSI on Windows, no reboot required. Deployment can be automated via common enterprise tools (e.g., Group Policy).
Technical Architecture & Deployment

Will users need training or change their workflow?

No. End users work as usual. On first connection to a Keystrike-protected server, they will be prompted to complete a one-time pairing (mapping their server account to their identity). After that, the experience is transparent.
Technical Architecture & Deployment

Will Keystrike be detected or blocked by EDR?

There are no known incompatibilities with major EDR solutions. Keystrike operates as a read-only consumer of input events on the workstation and an inline verifier on servers, with a minimal footprint that avoids typical EDR friction points.
Technical Architecture & Deployment

Does Keystrike integrate with my Identity Provider (SSO)?

Yes. The Keystrike admin panel supports SSO with Microsoft and Google today. Additional IDP and SCIM integrations are on the roadmap.
Technical Architecture & Deployment

Can Keystrike be hosted entirely on our premises?

Not currently. Keystrike uses a secure, cloud-based dispatch service. For highly restricted environments, discuss options such as limited-connectivity configurations and recovery codes with our team.
Technical Architecture & Deployment

What happens if an attacker disables an agent?

Fail-secure behavior applies: if the workstation agent is disabled, no inputs have valid attestation, so the server drops all commands and raises alerts.
Technical Architecture & Deployment

What are the network and performance requirements?

Agents make a single outbound, encrypted connection to the dispatch service and use minimal bandwidth. The footprint is lightweight (on the order of a few MB of memory) and not on the system's critical path, so end users and admins generally do not notice any performance impact.
Technical Architecture & Deployment

Does Keystrike work with VDI and RMM tools?

Yes. For VDI, install the agent on the endpoint and the VDI session host to maintain the attestation chain. Keystrike also works alongside RMM tools; functionality for platforms like NinjaOne has been validated in recent Terminator versions.
Technical Architecture & Deployment

How does Keystrike behave if the dispatch service is unavailable?

Recovery codes allow continued access when needed (e.g., in critical infrastructure scenarios). Administrators can enter a recovery code at the protected system to restore operations safely until connectivity is re-established.
Technical Architecture & Deployment

Does Keystrike install kernel drivers or require reboots?

No kernel driver is required on Windows; Keystrike leverages standard OS APIs as a read-only consumer of input events, keeping the footprint small and deployment friction low.
Technical Architecture & Deployment

Is agent installation required on every endpoint?

Yes. Keystrike uses an agent-based model: a workstation agent on the user device and a Terminator agent on each protected server. This is essential to bind human input to a specific, approved device and to verify it at the server.
Technical Architecture & Deployment

What are the most common use cases for Keystrike?

Enterprise IT: Protect domain controllers, AD/Entra services, identity providers, databases, and other crown jewels where a single compromise could be catastrophic.

OT/ICS: Enforce control on jump boxes and bastion hosts at network segment boundaries so only verified human input can operate high-value systems.

Desktop Support (preliminary): Confirm that remote desktop interactions truly originate from authorized IT staff.

Data Centers: Ensure every privileged action across critical infrastructure is cryptographically tied to a verified human operator.

MSSPs: Enforce operator accountability across multi-tenant environments, so every keystroke on managed client infrastructure is attributed to a verified human — not a script, bot, or compromised credential.
Use Cases

Can Keystrike support systems on-prem, private cloud, and public cloud?

Yes. Keystrike protects connections to servers wherever they run, provided the access occurs over interactive protocols that carry human input which can be attested.
Use Cases

Does Keystrike run on IoT devices or specialized equipment?

No. Rather than installing on constrained or specialized devices, deploy Keystrike on the jump boxes and bastions that control access to those assets, enforcing strong boundaries without touching the devices themselves.
Use Cases

How do Keystrike alerts differ from other systems?

Most tools tell you that something happened and leave investigation to correlation across many noisy signals. With enforcement enabled, Keystrike alerts that something was attempted but stopped—giving analysts immediate context and a head start on containment and forensics.
SIEM / SOAR / SOC Integration

What forensic evidence is available to analysts?

Analysts can review detailed activity logs and attestation metadata for each event, including who connected, from where, when, and how actions were validated or blocked. See the documentation for data fields available in the activity view: https://docs.keystrike.com/guide/activity?shareableToken=OUlcsf5Caw0ZsJwGkehyV
SIEM / SOAR / SOC Integration

Does Keystrike integrate with Splunk, Microsoft Defender, or other SIEM/SOAR platforms?

Yes. Keystrike sends alerts and events via webhooks, which can be ingested by most SIEM/SOAR platforms, including Splunk and Microsoft Defender ecosystems.
SIEM / SOAR / SOC Integration

How does Keystrike handle IP addresses and PII concerns?

Keystrike does not use IP addresses for policy or enforcement decisions. IP is included in activity logs (visible to administrators) and optionally in webhook notifications for SIEM/SOAR integrations. This supports investigations while minimizing reliance on PII for access control.
SIEM / SOAR / SOC Integration

How does Keystrike help demonstrate control to regulators and auditors?

Keystrike produces continuous, session-level evidence that actions were executed only with verified human input and in accordance with policy. This is stronger than traditional access logs because it proves how access was used and that preventive controls were actively enforced at the time of action.
PROVE — Governance, Compliance & Audit Evidence

How does Keystrike strengthen privileged access governance overall?

It moves organizations from periodic, after-the-fact reviews to continuous governance. With real-time enforcement, device-level authentication, human attestation, and structured telemetry, teams can both prevent misuse and furnish audit-ready evidence on demand—raising control maturity across regulated environments.
PROVE — Governance, Compliance & Audit Evidence

What compliance standards/certifications does Keystrike have?

Keystrike is SOC 2 Type 2 certified, with ISO 27001 in progress. The platform's continuous enforcement and evidence artifacts support controls relevant to privileged access, insider risk mitigation, and strong customer authentication themes.
PROVE — Governance, Compliance & Audit Evidence

How is Keystrike different from Privileged Access Management (PAM) solutions like CyberArk or BeyondTrust?

PAM locks away credentials, brokers approval, and elevates privileges. However, PAM typically stops at the moment access is granted. Keystrike governs what happens after login, validating that every action is human and compliant in real time and producing evidence as it happens. Together, PAM + Keystrike close the loop between access approval and access accountability.
How Keystrike Compares

How is Keystrike different from SIEM platforms like Splunk or Microsoft Sentinel?

SIEM centralizes and correlates logs. It is superb for search and investigation but is reactive by nature. Keystrike acts in-band on the live session: it validates inputs, enforces policy, and generates structured, high-signal evidence – not just raw logs – so investigations start with a trustworthy ground truth.
How Keystrike Compares

How is Keystrike different from session recording tools like CyberArk PSM or BeyondTrust Session Manager?

Recording tools capture what happened for later review; they do not stop bad actions in the moment. Keystrike blocks illegitimate inputs before commands run and retains attestations proving why an action was permitted or denied.
How Keystrike Compares

Why isn't EDR, like CrowdStrike or Microsoft Defender, sufficient for privileged session security?

EDR detects and responds to malicious behavior at the endpoint, often probabilistically and post-execution. Keystrike is proactive and deterministic for interactive access: it allows only attested, human-driven actions and denies everything else, reducing the workload on EDR and SOC teams.
How Keystrike Compares

If we already use MFA, ZTNA, or VPN tools like Okta, Microsoft Entra ID, or Zscaler, why do we need Keystrike?

MFA/ZTNA/VPN validate identity and network access at connection time. They don't continuously validate commands during the session. Keystrike governs the post-login trust gap by enforcing per-action legitimacy throughout the session.
How Keystrike Compares

What is the Keystrike SEE module and what does it monitor?

SEE is a new module in the Keystrike product: a discovery and visibility capability. It maps remote access flows across the organization and surfaces which protocols (RDP, SSH, WinRM, PsExec, WMI, PowerShell remoting, FTP, Telnet, certain RMMs, etc.) are in use, which are secured by Keystrike, and where policy gaps remain.
SEE — Live Visibility & Discovery

Where does the SEE Module get its data?

From the same agents that power enforcement. Workstation and server agents report telemetry to the central service, enabling the module to present a unified view of remote access activity and trends across departments and environments.
SEE — Live Visibility & Discovery

Does SEE support natural language queries and scale to enterprises?

The SEE Module translates natural language questions into structured queries behind the scenes, making it accessible to both analysts and managers. It supports enterprise scale with grouping (e.g., via Active Directory departments/OU structures) and visualizations that can be collapsed by team or system role.
SEE — Live Visibility & Discovery

Does SEE provide compliance reporting?

Roadmap capabilities include secure scores, burndown charts, and recommended actions that show progress over time (e.g., percentage of remote access now governed by Keystrike).
SEE — Live Visibility & Discovery

How long has Keystrike been around and where is it based?

Keystrike has operated for nearly three years and has been in the market for almost two. The company is headquartered in Iceland and registered in Delaware.
Company Information

See Remote Access Governance in Practice

If you're assessing how to govern authenticated remote sessions in your environment — and what evidence you can produce when an auditor asks — the right first step is a direct conversation with someone who understands your stack.
