
What is BastionXP?

The New Standard for Device Identity

For the modern enterprise, the traditional security perimeter has dissolved. IT teams today face a "perfect storm" of security challenges: credential-based attacks like phishing are at an all-time high, "Shadow IT" and unmanaged devices are proliferating, and the manual overhead of managing legacy PKI or static SSH keys has become an operational bottleneck. When access relies on what a user knows (passwords) rather than what they have (a verified device), the door is left wide open for unauthorized lateral movement.

In an era where identity is the new security perimeter, BastionXP provides a unified platform to manage and secure every digital entity in your organization. It is a cloud-native Managed PKI (Public Key Infrastructure) and Zero Trust Access solution that replaces vulnerable passwords with cryptographically secure digital certificates.

By establishing a "Root of Trust" for every laptop, server, and IoT device, BastionXP ensures that only authorized, compliant and cryptographically proven devices can touch your sensitive data.

Key Pillars of the BastionXP Solution

1. Hardware-Rooted Device Attestation

Unlike traditional solutions that rely on software-based checks, which can be bypassed on jailbroken or rooted devices, BastionXP uses Device Attestation.

  • Secure Enclave Integration: BastionXP communicates directly with the hardware security modules (like Apple’s Secure Enclave or Intel’s TPM) to verify the device's unique identity and boot integrity.

  • Cryptographic Proof: Before a certificate is issued, the device must provide a "digital birth certificate" proving it is a genuine, untampered piece of hardware running an approved OS.

2. Short-Lived Certificates (SLCs) via ACME

Static certificates with long lifespans (1–2 years) create a massive window of exposure if a device is lost or compromised. BastionXP revolutionizes this with Short-Lived Certificates.

  • Automatic Renewal: Using the ACME protocol, BastionXP automatically issues and renews certificates that last only hours (e.g., 4 to 8 hours).

  • Zero-Touch Automation: This happens entirely in the background. If a device fails a health check or attestation during the renewal window, its access is silently and automatically revoked.
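The renewal loop that sections 1 and 2 describe can be modelled end to end: a certificate that lives for hours, an agent that renews it through ACME at two-thirds of its lifetime, and an attestation gate in front of every renewal. The following is an added example and not BastionXP code; the names Cert, SlcPolicy, DeviceAgent, run, exposure_hours and the attest callback are hypothetical stubs standing in for an ACME client and the platform's attestation API, and the timeline values are constructed. It shows what "silently revoked" means in practice: once attestation stops succeeding, the agent cannot renew and the existing certificate simply runs out at notAfter, so the worst-case exposure after a lost or non-compliant device is bounded by the certificate lifetime.

```python
"""Short-lived certificate (SLC) lifecycle model (added example, not BastionXP code).

Models: issue a cert valid for `lifetime`, renew at 2/3 of lifetime (the usual ACME
client convention), and gate each renewal on a device-attestation check. When the
check starts failing, access lapses at the cert's notAfter rather than being revoked.
Hypothetical names: Cert, SlcPolicy, DeviceAgent, run, exposure_hours, attest.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

MINUTE = timedelta(minutes=1)
HOUR = timedelta(hours=1)
START = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time


@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        # Treat validity as a half-open window: the cert is unusable at notAfter.
        return self.not_before <= t < self.not_after


@dataclass(frozen=True)
class SlcPolicy:
    lifetime: timedelta
    renew_fraction: float = 2 / 3  # renew once this fraction of the lifetime has elapsed

    def renewal_due(self, cert: Cert, now: datetime) -> bool:
        return now >= cert.not_before + self.lifetime * self.renew_fraction


@dataclass
class DeviceAgent:
    policy: SlcPolicy
    attest: Callable[[datetime], bool]  # hardware attestation check (hypothetical stub)
    cert: Optional[Cert] = None
    log: List[str] = field(default_factory=list)

    def tick(self, now: datetime) -> bool:
        """One renewal cycle at `now`; returns whether a valid cert is held afterwards."""
        if self.cert is None or self.policy.renewal_due(self.cert, now):
            if self.attest(now):  # renewal is only granted on a fresh, successful attestation
                self.cert = Cert(now, now + self.policy.lifetime)
                self.log.append(f"{now:%Y-%m-%d %H:%M} issued, expires {self.cert.not_after:%Y-%m-%d %H:%M}")
            else:
                self.log.append(f"{now:%Y-%m-%d %H:%M} attestation failed, renewal refused")
        return self.cert is not None and self.cert.valid_at(now)


def run(policy: SlcPolicy, start: datetime, end: datetime, step: timedelta,
        attest_ok_until: datetime) -> Tuple[Optional[datetime], List[str]]:
    """Drive an agent from `start` to `end` in `step` increments. Attestation succeeds
    until `attest_ok_until` (the moment the device is lost or fails a health check).
    Returns the first tick at which access is no longer valid (None if it stayed valid
    through `end`) together with the agent's log."""
    agent = DeviceAgent(policy, attest=lambda t: t < attest_ok_until)
    now = start
    while now <= end:
        if not agent.tick(now):
            return now, agent.log
        now += step
    return None, agent.log


def exposure_hours(lifetime: timedelta) -> float:
    """Worst-case hours a device keeps usable credentials after attestation starts
    failing at hour 6 of the constructed timeline, for a given cert lifetime."""
    failure_at = START + 6 * HOUR
    lapse, _ = run(SlcPolicy(lifetime), START, START + 2 * lifetime, 30 * MINUTE, failure_at)
    return (lapse - failure_at) / HOUR


if __name__ == "__main__":
    lapse, log = run(SlcPolicy(8 * HOUR), START, START + 24 * HOUR, 30 * MINUTE, START + 6 * HOUR)
    print("\n".join(log[:4]), "\n...\naccess lapsed at", lapse)
    for lifetime in (8 * HOUR, 365 * 24 * HOUR):
        print(f"lifetime {lifetime}: exposure after attestation failure = {exposure_hours(lifetime):.1f} h")
```

With the 8-hour policy the device renews once at 05:30, fails attestation from 06:00 onward, and loses access at 13:30, a 7.5-hour exposure; the same run with a one-year certificate keeps the lost device authenticating for 8,754 hours, which is why the exposure window is a function of certificate lifetime and not of how quickly anyone notices the loss.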

3. Secure Wi-Fi and VPN Access (EAP-TLS)

BastionXP acts as a highly secure Private CA and Registration Authority (RA) that integrates seamlessly with your existing RADIUS servers, Wi-Fi access points, NAS devices and VPN gateways.

  • Passwordless Connectivity: Devices use EAP-TLS to authenticate. Users never see a Wi-Fi or VPN password prompt, eliminating the risk of credential harvesting.

  • Continuous Assurance: Because certificates are frequently renewed through re-attestation, your security posture is verified multiple times a day, not just at initial onboarding.

4. Seamless MDM Ecosystem Integration

BastionXP doesn't replace your MDM (Mobile Device Management) platform; it supercharges it. It integrates with platforms like Intune, Jamf, and Fleet to push configuration profiles.

  • Silent Deployment: The MDM pushes the profile, and the BastionXP ACME server handles the heavy lifting of hardware attestation and certificate issuance without the user ever lifting a finger.