Most Zero Trust Network Access (ZTNA) solutions claim to eliminate perimeter-based security risks, but many actually introduce new vulnerabilities. At the DEF CON hacking conference in August 2025, researchers revealed significant flaws in several popular ZTNA products, including authentication bypasses and credential leakage. KeeperPAM® helps close the security gaps that traditional ZTNA solutions fail to address by enforcing zero-trust and zero-knowledge encryption, vault-based access and outbound-only connectivity.
Continue reading to learn the shortcomings of most legacy ZTNA solutions and how KeeperPAM addresses those flaws to deliver secure access without exposing sensitive data.
The security gaps in legacy ZTNA tools
Despite being depicted as a secure alternative to a Virtual Private Network (VPN), many legacy ZTNA tools introduce vulnerabilities that can be just as harmful as the cyber threats they aim to prevent. Findings presented by AmberWolf at DEF CON 33 highlighted a range of security issues across leading ZTNA products, including vulnerabilities that can enable cybercriminals to escalate privileges on user devices and access critical resources while undetected.
Authentication bypass
Many ZTNA platforms rely on outdated or poorly enforced authentication methods. Weak SAML implementations, for example, can allow cybercriminals to replay tokens and bypass authentication entirely. In some instances, device enrollment flows are improperly enforced, creating vulnerabilities that allow unauthenticated devices to connect to critical systems.
Credential exposure
One of the most significant issues with legacy ZTNA solutions is the frequent mishandling of credentials. Long-lived secrets, such as API keys, SSH keys or access tokens, are generally stored on endpoints or in memory, where they’re vulnerable to theft through malware infections or local compromise. Once those credentials are exposed, they can be reused to move laterally or escalate privileges within a network.
Architectural weaknesses
Instead of limiting trust, many ZTNA solutions expand it through architectural weaknesses. Examples include requiring the installation of trusted root certificates for traffic inspection, exposing gateways to the internet and routing traffic through a vendor’s infrastructure. These weaknesses increase an organization’s attack surface, directly contradicting the pillars of zero-trust security.
Posture spoofing
Some ZTNA solutions rely on posture checks to determine whether a device is secure by verifying operating system versions or device certificates. However, many of these checks are enforced on the client side and can be easily manipulated. If the solution accepts cached tokens or credentials without properly revalidating the device, cybercriminals can spoof posture compliance. This allows unauthorized devices to gain access by tricking the system into appearing compliant and bypassing an organization’s protections.
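As an added illustration (not Keeper's code and not the AmberWolf findings), the following Python sketches the server-side checks that close the two gaps described in the authentication bypass and posture spoofing sections: a guard that consumes each SAML assertion only once, inside its validity window and only in reply to a request it issued, and a gate that re-runs device posture on every access instead of trusting a cached "compliant" claim. The field names, timings and device IDs are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

class AssertionReplayGuard:
    """Consumes a SAML-style assertion at most once: it must answer the request
    we issued, fall inside its validity window, and carry an unseen ID."""

    def __init__(self, clock_skew=timedelta(seconds=60)):
        self._seen = {}          # assertion ID -> NotOnOrAfter, kept for pruning
        self._skew = clock_skew

    def accept(self, assertion, now, expected_request_id):
        # Drop IDs whose window has closed; the time check alone rejects those.
        self._seen = {i: exp for i, exp in self._seen.items() if exp + self._skew > now}
        if assertion["in_response_to"] != expected_request_id:
            return False     # unsolicited or cross-session assertion
        if not (assertion["not_before"] - self._skew <= now
                < assertion["not_on_or_after"] + self._skew):
            return False     # outside the validity window
        if assertion["id"] in self._seen:
            return False     # replay: this exact assertion was already consumed
        self._seen[assertion["id"]] = assertion["not_on_or_after"]
        return True

class PostureGate:
    """Re-runs the posture check server-side on every access instead of
    trusting the 'compliant' flag a client-held token claims."""

    def __init__(self, posture_check, max_token_age=timedelta(minutes=5)):
        self._check = posture_check      # callable(device_id) -> bool, constructed
        self._max_age = max_token_age

    def allow(self, token, now):
        if now - token["issued_at"] > self._max_age:
            return False     # stale token: require re-authentication
        return self._check(token["device_id"])   # token["compliant"] is ignored

def demo():
    """Constructed scenario: one legitimate login, one replay, one spoofed posture token."""
    t0 = datetime(2025, 8, 10, 12, 0, tzinfo=timezone.utc)
    assertion = {"id": "_a1", "in_response_to": "req-42", "not_before": t0,
                 "not_on_or_after": t0 + timedelta(minutes=5)}
    guard = AssertionReplayGuard()
    first = guard.accept(assertion, t0 + timedelta(seconds=5), "req-42")
    replay = guard.accept(assertion, t0 + timedelta(seconds=30), "req-42")
    # Device "dev-7" is actually out of compliance, but its token says otherwise.
    gate = PostureGate(posture_check=lambda device_id: device_id != "dev-7")
    spoofed = {"device_id": "dev-7", "compliant": True, "issued_at": t0}
    posture = gate.allow(spoofed, t0 + timedelta(minutes=1))
    return {"first_login": first, "replayed": replay, "spoofed_posture": posture}
```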
How KeeperPAM eliminates those weaknesses
KeeperPAM is built to eliminate the common vulnerabilities in traditional ZTNA solutions. By combining zero-knowledge encryption, Just-in-Time (JIT) access and an outbound-only architecture, KeeperPAM enforces true zero trust without exposing credentials or increasing the attack surface. Here are KeeperPAM’s core capabilities:
- Zero-knowledge architecture: With KeeperPAM, credentials are never exposed to users, stored on devices or accessible by Keeper. This ensures that secrets are encrypted and decrypted at the device and record level.
- Just-in-Time (JIT) access: KeeperPAM allows admins to grant access only when needed and only for the duration of the session. After a session ends, KeeperPAM automatically rotates credentials to prevent reuse or theft.
- Outbound-only architecture: The Keeper Gateway establishes end-to-end encrypted connections without opening inbound firewall ports or exposing endpoints.
- Session monitoring and recording: KeeperPAM monitors and records all privileged sessions, including SSH, RDP and TLS, for auditing and compliance purposes. KeeperAI provides agentic AI threat detection and response, enabling high-risk sessions to be terminated automatically.
- Native tool support with zero-trust security: By supporting secure tunneling and remote access through native tools like MySQL Workbench or pgAdmin, KeeperPAM maintains zero-trust security behind the scenes.
- Seamless integration with existing Identity Providers (IdPs): KeeperPAM works with existing IdPs, ensuring secure authentication and provisioning without compromising zero-knowledge encryption.
KeeperPAM vs legacy ZTNA approaches
While most ZTNA solutions claim to minimize risks, many still depend on outdated architectures that leave serious security gaps. KeeperPAM takes a different approach by eliminating credential exposure, reducing trust assumptions and enforcing granular access controls. Below are the main architectural and operational differences between KeeperPAM and legacy ZTNA tools:
| Category | KeeperPAM | Traditional ZTNA |
|---|---|---|
| Credential storage | Credentials are encrypted in a zero-knowledge vault and never exposed to users. | Secrets are often stored on devices or in memory, leaving them vulnerable to theft. |
| Gateway exposure | Outbound-only architecture eliminates the need to open inbound firewall ports. | Requires publicly exposed gateways, which expands the attack surface. |
| Token replay risk | Vault-initiated sessions with JIT access help prevent token replay. | Reusable tokens and weak authentication methods allow for token replay. |
| Root certificate installation | Encryption remains end-to-end, making it unnecessary to install trusted root certificates. | Trusted root certificates are often required for traffic inspection, expanding trust boundaries. |
| Traffic interception | No traffic interception is needed since sessions are recorded for SSH, RDP and TLS. | Relies on traffic interception and vendor infrastructure for monitoring. |
| Access control | Just-in-Time (JIT) access with automatic credential rotation. | Broad access policies expand standing access and allow for lateral movement. |
Future-proof your access strategy with KeeperPAM
As cybercriminals exploit weaknesses in traditional ZTNA tools, relying on outdated access solutions is not safe. Organizations need a solution designed to enforce zero trust without compromising security, and KeeperPAM delivers just that. By combining zero-knowledge encryption, vault-based access and granular access controls, KeeperPAM eliminates credential exposure and reduces the attack surface.
Start your free trial of KeeperPAM today to close security gaps and future-proof your access strategy with a scalable and secure solution built for modern cyber threats.