What is Teleport?
Teleport is an open-source infrastructure identity platform that enforces zero trust access across servers, databases, Kubernetes clusters, internal web applications, and — as of 2025 — AI agent infrastructure including Model Context Protocol (MCP) servers. Instead of distributing SSH keys, API tokens, or database passwords, Teleport issues short-lived cryptographic certificates tied to a verified user or machine identity. Every session is authenticated, authorized against role-based policies, and fully recorded. Originally built as a modern SSH bastion, Teleport has expanded into a unified system of record for both human and machine identities spanning cloud, on-prem, and hybrid environments.
Key Takeaways
- Short-lived certificates replace persistent SSH keys and passwords, so a stolen credential is usable only until it expires.
- Teleport covers servers, databases, Kubernetes, web apps, and AI agents from a single control plane — no separate tools per resource type.
- Community Edition became commercially restricted in v16: companies with 100+ employees or $10M+ revenue must move to the paid Enterprise tier.
- The 2026 Agentic Identity Framework extends Teleport's zero trust model to AI agents and LLMs accessing production infrastructure.
- Platform and DevSecOps engineers list Teleport as a key skill; demand is growing fastest in companies formalizing access governance after rapid cloud expansion.
How Teleport Works
The analogy that clicks for most engineers: Teleport works like a corporate badge system for your infrastructure. A new hire gets a badge (a short-lived certificate) that grants access to specific rooms (servers, databases, clusters) based on their role — and the badge expires at the end of each shift. There are no master keys floating around that an attacker can copy.
Concretely, Teleport runs an auth server that acts as a certificate authority. When an engineer runs `tsh login`, they authenticate via SSO (Okta, Azure AD, GitHub) and receive a certificate valid for hours or days. That certificate grants access only to the resources their role permits. Kubernetes kubectl calls, psql sessions, and SSH connections all flow through Teleport's proxy — every command logged, every session replayable — without requiring developers to change their existing tooling.
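The lifetime of a short-lived SSH certificate like the ones described above can be read directly from its `valid_after` and `valid_before` fields. This is an added example, not Teleport's code: it assumes an OpenSSH-format `ssh-ed25519` certificate, parses a constructed, unsigned sample (hypothetical key ID `alice`), and flags lifetimes over an assumed 12-hour policy.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"

def sstr(b):
    """Encode an SSH wire 'string': uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def read_string(buf, pos):
    """Decode one SSH string at pos; return (bytes, next position)."""
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_sample_cert(valid_after, valid_before, principals):
    """Constructed, unsigned sample in OpenSSH certificate field order."""
    blob = (sstr(CERT_TYPE) + sstr(b"\x00" * 32) + sstr(b"\x01" * 32)  # type, nonce, key
            + struct.pack(">QI", 1, 1)  # serial, cert type 1 = user
            + sstr(b"alice") + sstr(b"".join(sstr(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + sstr(b"") * 3 + sstr(b"ca") + sstr(b"sig"))  # options, ext, reserved, CA, sig
    return "%s %s sample" % (CERT_TYPE.decode(), base64.b64encode(blob).decode())

def parse_cert(line):
    """Extract identity and validity window; the CA signature is NOT verified here."""
    blob = base64.b64decode(line.split()[1])
    kind, pos = read_string(blob, 0)
    if kind != CERT_TYPE:
        raise ValueError("not an ssh-ed25519 certificate")
    for _ in range(2):  # skip nonce and public key
        _, pos = read_string(blob, pos)
    key_id, pos = read_string(blob, pos + 12)  # +12 skips serial (8) and type (4)
    packed, pos = read_string(blob, pos)
    after, before = struct.unpack_from(">QQ", blob, pos)
    principals, p = [], 0
    while p < len(packed):
        name, p = read_string(packed, p)
        principals.append(name.decode())
    return {"key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before}

def audit(cert, now, max_ttl=12 * 3600):
    """Policy findings for one parsed certificate at `now` (epoch seconds)."""
    checks = [("not yet valid", now < cert["valid_after"]),
              ("expired", now >= cert["valid_before"]),
              ("over max ttl", cert["valid_before"] - cert["valid_after"] > max_ttl)]
    return [name for name, failed in checks if failed]
```

A certificate issued with `valid_before` set to the maximum 64-bit value never expires, and `audit` reports it as `over max ttl`.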
AI Agent Identity: The 2026 Frontier
Teleport's most consequential expansion in 2025-2026 is extending its identity model to AI agents — and this is something most zero trust evaluations still overlook. The problem is real: as LLMs are given tools to query databases, call internal APIs, and execute commands, they need identities and access policies just like human engineers do. Without them, an AI agent with a leaked API token has standing access to production data.
Teleport's Secure MCP (Model Context Protocol) capability, which reached general availability in 2025, enforces RBAC and ABAC when AI agents connect to databases and internal services through MCP servers. The Agentic Identity Framework, announced in January 2026, formalizes this into a full reference architecture. Teleport was named an IDC Innovator in Security for Agentic AI in 2025 and is now listed in the AWS Marketplace AI Agents and Tools category — signaling real enterprise traction, not just a marketing pivot.
Teleport vs. the Alternatives
StrongDM offers faster time-to-value and a cleaner database access UX, making it appealing for teams that want quick wins — but it is cloud-only, has no air-gapped deployment option, and lacks native machine or workload identity support.
HashiCorp Boundary + Vault is the right call for organizations already invested in the HashiCorp ecosystem. Boundary routes access while Vault manages secrets; combined they cover similar ground, though neither handles AI agent identity natively.
CyberArk and BeyondTrust are the incumbent PAM platforms in heavily regulated industries — finance, healthcare, government. They carry deeper compliance certifications and credential vaulting history, but are significantly heavier to deploy and more expensive at scale. Teleport is often chosen by engineering-led organizations that want developer-friendly workflows; CyberArk is chosen when the compliance team runs the evaluation.
The practical decision: if you need air-gapped or on-prem deployment, Teleport wins over StrongDM. If you need to satisfy a procurement checklist of 20-year-old PAM requirements, CyberArk wins.
Pricing
Teleport uses a consumption-based model with three billing dimensions: Monthly Active Users (MAU) for human access, Machine/Workload Identities (MWI) for pipelines and services, and Teleport Protected Resources (TPR) for infrastructure assets. Pricing starts around $15/user/month on Enterprise plans.
Community Edition remains free but now carries a hard commercial restriction introduced in v16: companies with more than 100 employees or more than $10M in annual revenue must use Enterprise. This caught a number of fast-growing startups off guard — teams that built their access layer on Community Edition suddenly needed an enterprise contract when they crossed headcount thresholds. If you are evaluating Teleport in 2026 at a company with any growth trajectory, plan for Enterprise pricing from day one. Enterprise Cloud and self-hosted options both exist; the self-hosted path supports air-gapped and FedRAMP-compliant deployments.
Teleport in the Fractional and Contract Talent Market
Teleport expertise appears most often in platform engineering, DevSecOps, and security infrastructure job descriptions. The typical hire is a fractional or contract engineer brought in to design and implement a zero trust access layer — usually at a company in the 50-500 employee range that has accumulated infrastructure debt around SSH key management and wants to get compliant before a SOC 2 audit or Series C.
We see this skill paired most commonly with Kubernetes, Terraform, AWS IAM, and Okta. A candidate who lists Teleport signals they understand both developer experience and security policy design — a combination that remains genuinely scarce. As AI agent deployments scale in 2026, expect to see Teleport listed alongside ML infrastructure roles as companies realize they need identity governance for their agentic systems, not just their human engineers.
The Bottom Line
Teleport has earned a strong position as the infrastructure access platform of choice for engineering-led organizations that want zero trust access without sacrificing developer workflow. Its certificate-based identity model eliminates entire classes of credential-based attacks, and its 2025-2026 expansion into AI agent identity puts it ahead of most competitors on the emerging challenge of governing LLM access to production systems. For companies hiring through Pangea, Teleport expertise signals an engineer who can architect and operationalize zero trust access at the infrastructure layer — a skill set that becomes more valuable as security audits and AI deployments both intensify.

