The Aporeto Platform

The Aporeto Zero Trust Cloud Security Platform provides comprehensive network security solutions that include: Distributed Firewall, Kubernetes Network Security and Cloud Privileged Access Management (PAM) using application identity rather than IP addresses. Aporeto allows you to build and enforce distributed identity-based policies that enable authentication, authorization, and encryption across heterogeneous infrastructure at scale. The Aporeto SaaS-based platform is built for cloud-native applications, simplifies hybrid cloud security, and delivers security at the speed of DevOps.

Application Identity Federation

Since Aporeto secures applications at the network and operating system levels with identity abstraction, Aporeto can normalize identity and security policy across a heterogeneous topology of Linux, Docker, Kubernetes, and Windows servers, as well as human or automated users.

Policy Engine

The Aporeto Policy Engine is a policy framework that is centrally managed and visualized, but distributed and enforced locally on application nodes. Unique to Aporeto is the ability to compile comprehensive application identity tags about monitored applications and infrastructure; these tags are derived from enterprise identity sources (including the host, container platform, container image vulnerability scanner, and cloud provider). The policy filtering factors use these identity tags to control operating system calls, file access, and L3/4/7 network access.

Application Identity Broker

Aporeto normalizes application identity from a variety of enterprise sources (e.g. the operating system, the container host, the cloud provider, and third-party sources of metadata such as container image vulnerability scanners and user OIDC identity providers) by using API calls to broker metadata about monitored applications and infrastructure. Metadata from these different domains is normalized in Aporeto for securing application service network access, application API access, and server SSH access.


Aporeto is a security monitoring engineer's toolkit. While you can use our visualization dashboards or export data to a SIEM system for correlation against other events, Aporeto offers a variety of ways to poll for any Aporeto object metadata or security event. From flow data and graphs in the Aporeto web UI, to automated access via the API or the apoctl command-line tool, to in-product programmable JavaScript-based automation, every relevant security event or piece of Aporeto object metadata can be accessed programmatically.


The Aporeto Distributed Policy Enforcer is deployed either as a container or as an enforcement node on an individual host or virtual machine (VM). Any workload outfitted with the Distributed Policy Enforcer and working in conjunction with the Security Orchestrator is enabled with automated issuance and management of security policy at different layers of the stack. Distributed Policy Enforcers implement functions that include threat monitoring, transparent network security, and API authorization and authentication.

[Diagram: Aporeto Cloud Security Platform, showing the Aporeto Security Orchestrator and the Aporeto Distributed Policy Enforcer protecting any workload on any cloud]


Distributed Firewall

Aporeto provides a uniform approach to security independent of network and infrastructure complexities. Security is moved up the stack to the application level using workload identity, without relying on IP addresses, for granular microsegmentation with seamless distributed security policy management, and end-to-end visualization and enforcement across heterogeneous infrastructure.

    Aporeto generates a unique multi-attribute contextual identity for any application component which is created and managed by the Aporeto platform.

    Aporeto automates security, monitors and protects applications at L3, L4 and L7 through whitelisting, allowing only authorized and authenticated interactions to occur.

    Distributed policies remain portable and persistent across applications and workloads, clouds and clusters no matter where they reside in your hybrid cloud environment for simpler operations and a stronger security solution.
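The Policy Engine and Distributed Firewall passages above describe the same mechanism: identity tags gathered from several sources (host, container platform, image scanner, cloud provider) are matched by policy selectors, and only explicitly allowed interactions pass. The following is an added illustration of that default-deny, tag-selector model in plain Python; it is not Aporeto's policy engine, API, or tag syntax, and the workloads, tag namespaces (`@host:`, `@k8s:`, `@scan:`, `@cloud:`) and rules are constructed for the example.

```python
"""Default-deny, identity-tag based flow authorization (illustrative, not Aporeto's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    tags: dict  # normalized identity: "@<source>:<key>" -> value


@dataclass(frozen=True)
class Rule:
    name: str
    subject: tuple    # clauses (key, op, value) the *source* workload must satisfy
    object: tuple     # clauses the *destination* workload must satisfy
    ports: frozenset  # allowed "proto/port" strings, e.g. "tcp/5432"


def build_identity(name, host=None, k8s=None, scanner=None, cloud=None):
    """Merge attributes from several sources into one tag set.

    Each key is prefixed with its source so that, for instance, a host label
    "env" and a Kubernetes label "env" never collide or override each other.
    """
    tags = {}
    for source, attrs in (("host", host), ("k8s", k8s), ("scan", scanner), ("cloud", cloud)):
        for key, value in (attrs or {}).items():
            tags[f"@{source}:{key}"] = value
    return Workload(name, tags)


def clause_holds(clause, tags):
    key, op, value = clause
    actual = tags.get(key)  # a missing tag matches "!=" but never "="
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    raise ValueError(f"unsupported operator {op!r}")


def selector_matches(clauses, tags):
    return all(clause_holds(c, tags) for c in clauses)


def authorize(rules, src, dst, port):
    """Return (allowed, rule_name). No matching rule means the flow is denied."""
    for rule in rules:
        if (selector_matches(rule.subject, src.tags)
                and selector_matches(rule.object, dst.tags)
                and port in rule.ports):
            return True, rule.name
    return False, None


# Constructed sample policy: web tier may reach the database, but only when the
# scanner has not flagged the web image as critical; nothing else is allowed.
RULES = (
    Rule("web-to-db",
         subject=(("@k8s:app", "=", "web"), ("@scan:max-severity", "!=", "critical")),
         object=(("@k8s:app", "=", "db"),),
         ports=frozenset({"tcp/5432"})),
)

# Constructed sample workloads with tags from several sources.
web = build_identity("web-7c9f", k8s={"app": "web", "namespace": "shop"},
                     scanner={"max-severity": "medium"},
                     cloud={"account": "prod", "region": "us-west-2"})
web_vuln = build_identity("web-old", k8s={"app": "web", "namespace": "shop"},
                          scanner={"max-severity": "critical"},
                          cloud={"account": "prod", "region": "us-west-2"})
db = build_identity("db-0", k8s={"app": "db", "namespace": "shop"},
                    scanner={"max-severity": "low"}, cloud={"account": "prod"})


def demo():
    """Evaluate a few flows; IP addresses never enter the decision."""
    return {
        "web->db tcp/5432": authorize(RULES, web, db, "tcp/5432"),
        "web->db tcp/22": authorize(RULES, web, db, "tcp/22"),
        "vulnerable web->db tcp/5432": authorize(RULES, web_vuln, db, "tcp/5432"),
        "db->web tcp/5432": authorize(RULES, db, web, "tcp/5432"),
    }


if __name__ == "__main__":
    for flow, decision in demo().items():
        print(f"{flow}: {decision}")
```

The point a practitioner should take from running it: the same rule yields different decisions for two "web" workloads that differ only in scanner-derived metadata, and a flow in the reverse direction or on an unlisted port is denied without any rule mentioning it.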


Kubernetes Network Security

Aporeto provides defense-in-depth for Kubernetes and containerized workloads, with consistent policy enforcement across multiple clouds, clusters and heterogeneous infrastructure at scale. The Aporeto Zero Trust SaaS-based solution protects the whole node and not just the pods in a Kubernetes cluster. Aporeto provides developers with greater agility to securely deploy Kubernetes workloads or microservices across hybrid cloud environments with persistent identity-based security.

    DevOps teams can accelerate application deployment with security and compliance already incorporated into the policies.

    Aporeto integrates seamlessly with other Kubernetes technologies, including all existing and cloud-native container network interface (CNI) architectures and service mesh products such as Istio.

    By using one tool to reduce overall security infrastructure complexity, security teams can remain agile while realizing significant ROI and cost savings.


Cloud PAM

Aporeto’s Cloud PAM solution enables organizations to eliminate the need for SSH keys and secrets management by implementing just-in-time access policies based on user identities. Every user is issued a unique, ephemeral, time-bound certificate based on their identity, independent of the underlying user account. Every access request is logged, and every access must be explicitly authorized. Organizations can easily secure critical infrastructure and meet compliance requirements.

    Aporeto enables you to log all CLI commands issued by users on your hosts centrally, making audits simple and meeting compliance easier.

    Cloud PAM provides secure access to cloud infrastructure and resources while enforcing least-privilege, role-based access by leveraging your corporate identity provider (IdP) for single sign-on (SSO) to issue time-bound SSH client certificates to users.

    Cloud PAM simplifies secure user access to infrastructure and resources, eliminating the need for SSH key management and secrets management while obviating the need for cumbersome VPNs, IP ACLs, and jump boxes.
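The Cloud PAM description above rests on a standard OpenSSH feature: instead of long-lived authorized keys, a certificate authority signs the user's public key with a short validity window, an identity string, and the principals (account names) it may log in as. The following added example, not Aporeto's code, shows that mechanism end to end with a throwaway local CA standing in for the CA a PAM service would operate after IdP/SSO authentication. It requires OpenSSH's `ssh-keygen` on the PATH; the key names, identity `alice@example.com`, principals and the 60-minute lifetime are constructed for the illustration.

```python
"""Issue a short-lived SSH user certificate from a local CA and read it back.

Added illustration (not Aporeto's code): a local CA stands in for the certificate
authority of a PAM service. Requires OpenSSH's ssh-keygen on PATH.
"""
import os
import re
import subprocess
import tempfile
from datetime import datetime


def _ssh_keygen(*args):
    """Run ssh-keygen with the given arguments and return its stdout; raise on failure."""
    return subprocess.run(["ssh-keygen", *args], check=True,
                          capture_output=True, text=True).stdout


def make_key(path, comment):
    """Create an unencrypted ed25519 key pair at <path> and <path>.pub (demo only)."""
    _ssh_keygen("-q", "-t", "ed25519", "-N", "", "-C", comment, "-f", path)
    return path, path + ".pub"


def issue_user_cert(ca_key, user_pub, key_id, principals, minutes):
    """Sign the user's public key with the CA, valid only for the next <minutes>.

    -I records the identity the certificate was issued to (who the person is,
    independent of any account name), -n lists the principals it may log in as,
    and -V bounds the validity window. ssh-keygen writes <key>-cert.pub beside the key.
    """
    _ssh_keygen("-q", "-s", ca_key, "-I", key_id, "-n", ",".join(principals),
                "-V", f"+{minutes}m", user_pub)
    return re.sub(r"\.pub$", "-cert.pub", user_pub)


def inspect_cert(cert_path):
    """Parse `ssh-keygen -L` output into key_id, principals, extensions and validity."""
    out = _ssh_keygen("-L", "-f", cert_path)
    info = {"principals": [], "extensions": []}
    section = None
    for line in out.splitlines():
        text = line.strip()
        if line.startswith(" " * 16):          # indented items under a heading
            if section == "Principals":
                info["principals"].append(text)
            elif section == "Extensions":
                info["extensions"].append(text)
            continue
        key, _, value = text.partition(":")
        section = key
        value = value.strip()
        if key == "Key ID":
            info["key_id"] = value.strip('"')
        elif key == "Valid":
            match = re.match(r"from (\S+) to (\S+)", value)
            if match:
                fmt = "%Y-%m-%dT%H:%M:%S"       # ssh-keygen prints local time
                info["valid_from"] = datetime.strptime(match.group(1), fmt)
                info["valid_to"] = datetime.strptime(match.group(2), fmt)
    if "valid_from" in info:
        info["validity_seconds"] = (info["valid_to"] - info["valid_from"]).total_seconds()
    return info


def is_current(info, at=None):
    """True if the certificate's validity window contains <at> (local time)."""
    at = at or datetime.now()
    return info["valid_from"] <= at <= info["valid_to"]


def demo(minutes=60):
    """Create a throwaway CA and user key, issue a 60-minute certificate, and return its fields."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_key, _ = make_key(os.path.join(tmp, "ca"), "pam-ca (demo)")
        _, user_pub = make_key(os.path.join(tmp, "user"), "alice laptop (demo)")
        cert = issue_user_cert(ca_key, user_pub, "alice@example.com",
                               ["alice", "deploy"], minutes)
        info = inspect_cert(cert)
        info["current"] = is_current(info)
        return info


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

On the server side, a host trusts every certificate signed by that CA through `TrustedUserCAKeys` in `sshd_config`, and `AuthorizedPrincipalsFile` can narrow which principals a given account accepts; once the window in the `Valid:` line passes, the certificate is rejected without anyone having to revoke a key, which is the property that removes per-host key management.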

Our Platform is Verified and Trusted

VMware Partner Ready PKS Badge - 11232019

Security Solutions for Your Cloud


Aporeto is accelerating our expansion to the cloud. With Aporeto, we can secure our Linux workloads on any infrastructure with end-to-end encryption and have a path for modernizing with a security layer that is future-proofed.

Alec Chattaway

Director Cloud Infrastructure Operations
