Get answers about how Keystrike closes the governance gap between access intent and access reality, how it compares to PAM, SIEM, and EDR, and how it supports compliance with NIS2, DORA, IEC 62443, HIPAA, FedRAMP, and SOC 2.
Keystrike is a continuous remote access governance platform. It governs what happens after login — addressing the governance gap that IAM, PAM, SIEM, and EDR leave open. These questions and answers cover how Keystrike works, how it compares to adjacent tools, and what it means for your security stack and compliance obligations.
Keystrike is a privileged session monitoring platform that closes the post-authentication security gap in enterprise and OT environments. Most controls (IAM, MFA, VPN/ZTNA, PAM) verify identity and network access at the moment of login, then implicitly trust the session. In reality, credentials, MFA tokens, browser cookies, and RDP/SSH sessions are routinely stolen or hijacked. Once inside, attackers can operate with the victim's privileges until EDR or human analysts catch up. Keystrike removes this implicit trust by continuously validating the legitimacy of every interactive action during a remote session. Each keystroke/mouse click must be cryptographically attested as originating from a verified human on an approved device. If attestation is missing or invalid, the action is blocked in real time.
Keystrike adds a deterministic, in-band enforcement layer inside RDP, SSH, and similar interactive protocols. Instead of relying on probabilistic anomaly detection, it validates good behavior: only commands backed by real human input from a trusted workstation are allowed to execute. This design shuts down common attacker paths (credential replay, session hijacking, remote command injection, and living-off-the-land techniques) because the adversary cannot generate the required cryptographic proof of physical presence.
Keystrike complements, not replaces, existing identity, endpoint, and monitoring tools. IAM/MFA confirm who logs in, PAM controls when and to what, VPN/ZTNA control network reachability, and EDR/SIEM detect anomalies. Keystrike governs what actually happens after login by enforcing legitimacy at the moment of command execution.
Keystrike aligns with Zero Trust principles — continuous verification, explicit authorization, and per-action enforcement — but it is not a generic Zero Trust platform. Keystrike is a continuous remote access governance platform that operationalizes post-authentication verification inside live sessions. It completes, rather than replaces, the Zero Trust access controls that IAM, MFA, and ZTNA provide.
Keystrike eliminates blind trust in authenticated sessions. Rather than detecting misuse after the fact, it prevents unauthorized actions as they are attempted and produces continuous, audit-ready evidence that control was enforced throughout the session.
The Governance Gap is the space between access intent and access reality. When a user authenticates through IAM, PAM, or MFA, the security stack has done its job — up to that point. But authentication answers only one question: should this person be allowed in? It says nothing about what happens inside the session — what commands are run, what files are touched, what systems are reached. That gap — between who was granted access and what they actually did with it — is where authenticated attackers operate, ransomware is deployed through legitimate credentials, and third-party contractors exceed their authorized scope. Keystrike closes this gap by governing the live session itself.
MFA verifies identity at the moment of login. Once access is granted, MFA has done its job — it provides no visibility into, or control over, what happens inside the session. An attacker who has stolen valid credentials and MFA tokens, or who has hijacked an active session, operates with full privileges after authentication completes. Keystrike addresses this by continuously verifying every action inside the session — not just the login event — ensuring that commands are deterministically enforced against policy throughout the session, not just at the perimeter.
Third-party remote access is one of the highest-risk vectors in enterprise environments. Keystrike governs contractor and vendor sessions the same way it governs internal sessions — with live visibility (SEE), deterministic enforcement (CONTROL), and continuous evidence generation (PROVE). This ensures contractors operate within their authorized scope, unauthorized commands are blocked before they execute, and every session produces cryptographically attested audit records. This is directly applicable to NIS2, DORA, and other frameworks that require organizations to govern, not just permit, third-party remote access.
Keystrike sits on both ends of the connection: a workstation agent and a server-side Terminator agent. The workstation agent cryptographically signs human input; the Terminator verifies attestation before allowing commands to execute. Policy (e.g., enforcement vs. audit mode, protocol and server scope) is applied inline, so suspicious or unauthorized actions are blocked instantly.
Every command must be directly traceable to verified human input (keystrokes, mouse clicks) coming from an approved, Keystrike-protected workstation. The Terminator checks that the cryptographic attestation for that input is present, valid, and timely. If the linkage is broken or absent, the action is treated as potentially malicious and is blocked (in enforcement mode).
On the workstation, the agent (running with high privilege) observes human-interface events (keyboard/mouse) and produces a cryptographic attestation proving they are genuine physical inputs. Importantly, Keystrike does not transmit or store the actual characters; it uses irreversible hashes/artifacts that prove legitimacy without creating a keylogging risk.
Yes. Keystrike supports interactive, human-driven protocols such as RDP and SSH. Commands execute only after attestation is verified, binding each action to a verified human on a trusted device.
If the server-side Terminator does not receive valid attestation for incoming input, it treats the input as untrusted. In enforcement mode, Keystrike blocks it immediately and generates an alert, preventing fake commands or session abuse even when credentials or tokens are compromised.
In audit mode, Keystrike does not block commands but provides comprehensive visibility and attestation telemetry. This mode is useful during initial rollout, for monitoring vendors/contractors, or while tuning policies before enabling enforcement.
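An illustrative sketch, added here and not Keystrike's code or protocol, of the server-side decision described above: input executes only when its attestation is present, valid, and timely, with enforcement mode blocking and audit mode only recording. The per-device HMAC key, the field names, the sequence counter, and the 2-second freshness window are all assumptions.

```python
import hashlib
import hmac

MAX_AGE_S = 2.0  # assumed freshness window; the page only says "timely"


def _tag(key, a):  # HMAC is an assumed stand-in for the product's signature scheme
    msg = f"{a['device']}|{a['seq']}|{a['ts']:.3f}|{a['digest']}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def attest(key, device, seq, event, ts):
    """Workstation side: attest a hash of the input, never the raw characters."""
    a = {"device": device, "seq": seq, "ts": ts, "digest": hashlib.sha256(event).hexdigest()}
    a["tag"] = _tag(key, a)
    return a


class Verifier:
    """Server side: input runs only if its attestation is present, valid, timely."""
    def __init__(self, device_keys, mode="enforce"):
        self.device_keys = device_keys  # approved device -> key (constructed)
        self.mode = mode                # "enforce" or "audit"
        self.last_seq = {}              # highest sequence seen per device
        self.alerts = []

    def _check(self, event, att, now):
        if att is None:
            return "missing attestation"
        key = self.device_keys.get(att["device"])
        if key is None:
            return "unapproved device"
        if not hmac.compare_digest(_tag(key, att), att["tag"]):
            return "invalid signature"
        if att["digest"] != hashlib.sha256(event).hexdigest():
            return "attestation does not match input"
        if abs(now - att["ts"]) > MAX_AGE_S:
            return "stale attestation"
        if att["seq"] <= self.last_seq.get(att["device"], -1):
            return "replayed attestation"
        self.last_seq[att["device"]] = att["seq"]
        return None

    def handle(self, event, att, now):
        """True if the input may execute; failures alert, only enforce mode blocks."""
        reason = self._check(event, att, now)
        if reason:
            self.alerts.append(reason)
        return reason is None or self.mode == "audit"
```

The checks run in fail-secure order: anything that cannot be tied to an approved device and a fresh, unreplayed attestation is rejected in enforcement mode, and the same failures appear only as alerts in audit mode.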
Enforcement applies to interactive, human-driven sessions where input can be validated (e.g., RDP, SSH). Non-interactive mechanisms (PsExec, WMI, SMB/RPC, scheduled tasks, service accounts, or automated scripts) are visible in telemetry but are not blocked by Keystrike because they lack human input to attest. However, the SEE/visibility function of Keystrike monitors all types of remote access, which will help segment the network more efficiently.
Yes. Keystrike provides visibility across remote access activity, including non-interactive protocols. These flows show up in the SEE/Visibility/telemetry function of Keystrike, so you can see what's happening and tighten controls at the boundaries (e.g., jump boxes, bastions), even though non-interactive commands themselves are not governed.
No. Device-level authentication is enforced: you cannot interact with a Keystrike-protected server unless you are physically on an approved workstation running the Keystrike agent. This binds the user and the device to the session.
Keystrike assumes a strong attacker and is engineered to sit above them in privilege. To forge valid inputs, an attacker would typically need to escalate to high privilege and craft a custom driver to spoof hardware events while also reproducing cryptographic attestations: work that is complex, risky, and time-consuming even for elite teams.
For highest-security environments, Keystrike provides an optional hardware (USB) attestation device that validates physical input before it reaches the computer. With this, even attackers with OS or firmware control cannot forge the human-input signal or its attestation.
No system is absolutely unbreakable, but Keystrike dramatically raises the cost and complexity of attack. With software enforcement and optional hardware attestation, forgery of input becomes impractical while attempts leave auditable traces.
No. Keystrike never transmits or stores raw keystrokes. It uses irreversible hashes/attestation artifacts solely to prove that the input was real, protecting user privacy and avoiding the risks of traditional keylogging.
Windows and Linux are supported on the server side, with the workstation agent available for major desktop OSes. For the most current matrix (including versions such as Windows Server 2016+ and Linux support details), see the documentation: https://docs.keystrike.com/poc/keystrike-overview
Install the lightweight agent on user workstations and the Terminator agent on destination servers, then link them. Deployment is designed to be fast — customers report Keystrike is operational in approximately 20 minutes, with a single MSI on Windows, no reboot required. Deployment can be automated via common enterprise tools (e.g., Group Policy).
No. End users work as usual. On first connection to a Keystrike-protected server, they will be prompted to complete a one-time pairing (mapping their server account to their identity). After that, the experience is transparent.
There are no known incompatibilities with major EDR solutions. Keystrike operates as a read-only consumer of input events on the workstation and an inline verifier on servers, with a minimal footprint that avoids typical EDR friction points.
Yes. The Keystrike admin panel supports SSO with Microsoft and Google today. Additional IDP and SCIM integrations are on the roadmap.
Not currently. Keystrike uses a secure, cloud-based dispatch service. For highly restricted environments, discuss options such as limited-connectivity configurations and recovery codes with our team.
Fail-secure behavior applies: if the workstation agent is disabled, no inputs have valid attestation, so the server drops all commands and raises alerts.
Agents make a single outbound, encrypted connection to the dispatch service and use minimal bandwidth. The footprint is lightweight (on the order of a few MB of memory) and not on the system's critical path, so end users and admins generally do not notice any performance impact.
Yes. For VDI, install the agent on the endpoint and the VDI session host to maintain the attestation chain. Keystrike also works alongside RMM tools; functionality for platforms like NinjaOne has been validated in recent Terminator versions.
Recovery codes allow continued access when needed (e.g., in critical infrastructure scenarios). Administrators can enter a recovery code at the protected system to restore operations safely until connectivity is re-established.
No kernel driver is required on Windows; Keystrike leverages standard OS APIs as a read-only consumer of input events, keeping the footprint small and deployment friction low.
Yes. Keystrike uses an agent-based model: a workstation agent on the user device and a Terminator agent on each protected server. This is essential to bind human input to a specific, approved device and to verify it at the server.
Enterprise IT: Protect domain controllers, AD/Entra services, identity providers, databases, and other crown jewels where a single compromise could be catastrophic.
OT/ICS: Enforce control on jump boxes and bastion hosts at network segment boundaries so only verified human input can operate high-value systems.
Desktop Support (preliminary): Confirm that remote desktop interactions truly originate from authorized IT staff.
Data Centers: Ensure every privileged action across critical infrastructure is cryptographically tied to a verified human operator.
MSSPs: Enforce operator accountability across multi-tenant environments, so every keystroke on managed client infrastructure is attributed to a verified human — not a script, bot, or compromised credential.
Yes. Keystrike protects connections to servers wherever they run, provided the access occurs over interactive protocols that carry human input which can be attested.
No. Rather than installing on constrained or specialized devices, deploy Keystrike on the jump boxes and bastions that control access to those assets, enforcing strong boundaries without touching the devices themselves.
Most tools tell you that something happened and leave investigation to correlation across many noisy signals. With enforcement enabled, Keystrike alerts that something was attempted but stopped—giving analysts immediate context and a head start on containment and forensics.
Analysts can review detailed activity logs and attestation metadata for each event, including who connected, from where, when, and how actions were validated or blocked. See the documentation for data fields available in the activity view: https://docs.keystrike.com/guide/activity?shareableToken=OUlcsf5Caw0ZsJwGkehyV
Yes. Keystrike sends alerts and events via webhooks, which can be ingested by most SIEM/SOAR platforms, including Splunk and Microsoft Defender ecosystems.
Keystrike does not use IP addresses for policy or enforcement decisions. IP is included in activity logs (visible to administrators) and optionally in webhook notifications for SIEM/SOAR integrations. This supports investigations while minimizing reliance on PII for access control.
Keystrike produces continuous, session-level evidence that actions were executed only with verified human input and in accordance with policy. This is stronger than traditional access logs because it proves how access was used and that preventive controls were actively enforced at the time of action.
It moves organizations from periodic, after-the-fact reviews to continuous governance. With real-time enforcement, device-level authentication, human attestation, and structured telemetry, teams can both prevent misuse and furnish audit-ready evidence on demand—raising control maturity across regulated environments.
Keystrike is SOC 2 Type 2 certified, with ISO 27001 in progress. The platform's continuous enforcement and evidence artifacts support controls relevant to privileged access, insider risk mitigation, and strong customer authentication themes.
PAM locks away credentials, brokers approval, and elevates privileges. However, PAM typically stops at the moment access is granted. Keystrike governs what happens after login, validating that every action is human and compliant in real time and producing evidence as it happens. Together, PAM + Keystrike close the loop between access approval and access accountability.
SIEM centralizes and correlates logs. It is superb for search and investigation but is reactive by nature. Keystrike acts in-band on the live session: it validates inputs, enforces policy, and generates structured, high-signal evidence – not just raw logs – so investigations start with a trustworthy ground truth.
Recording tools capture what happened for later review; they do not stop bad actions in the moment. Keystrike blocks illegitimate inputs before commands run and retains attestations proving why an action was permitted or denied.
EDR detects and responds to malicious behavior at the endpoint, often probabilistically and post-execution. Keystrike is proactive and deterministic for interactive access: it allows only attested, human-driven actions and denies everything else, reducing the workload on EDR and SOC teams.
MFA/ZTNA/VPN validate identity and network access at connection time. They don't continuously validate commands during the session. Keystrike governs the post-login trust gap by enforcing per-action legitimacy throughout the session.
SEE is a new module in the Keystrike product: a discovery and visibility capability. It maps remote access flows across the organization and surfaces which protocols (RDP, SSH, WinRM, PsExec, WMI, PowerShell remoting, FTP, Telnet, certain RMMs, etc.) are in use, which are secured by Keystrike, and where policy gaps remain.
From the same agents that power enforcement. Workstation and server agents report telemetry to the central service, enabling the module to present a unified view of remote access activity and trends across departments and environments.
The SEE Module translates natural language questions into structured queries behind the scenes, making it accessible to both analysts and managers. It supports enterprise scale with grouping (e.g., via Active Directory departments/OU structures) and visualizations that can be collapsed by team or system role.
Roadmap capabilities include secure scores, burndown charts, and recommended actions that show progress over time (e.g., percentage of remote access now governed by Keystrike).
Keystrike has operated for nearly three years and has been in the market for almost two. The company is headquartered in Iceland and registered in Delaware.