Passwordless Device Identity-Aware Network Access with Hardware-Rooted Security.

Eliminate the security risks associated with SCEP and shared passwords. BastionXP automates certificate-based authentication for WiFi and VPNs, using hardware-rooted attestation. BastionXP ensures only verified, corporate-approved devices can access your network.

Hardware-Rooted Device Attestation

Verify the Silicon, Not Just the Software. BastionXP challenges the device to prove its identity using its TPM (Trusted Platform Module) or Apple Secure Enclave (SE). By verifying a signature made with a key that the hardware vendor certified at manufacture, we ensure the device requesting access is a genuine, corporate-issued asset, not a spoofed virtual machine.

Immutable Device Identity

Non-Exportable, Hardware-Bound Keys. Unlike SCEP or manual enrollment, TPM/SE ensures private keys are generated directly inside the device's secure hardware. These keys cannot be exported or copied, so malware cannot carry them to another machine, and the certificate stays bound to the physical device. Malware running on the device can still ask the hardware to sign on its behalf, which is why the posture checks described below matter.

Continuous Posture Verification

Trust is Earned, Then Re-Verified. Device identity isn't a one-time event. BastionXP repeats the attestation check at every certificate renewal. If a device's security posture changes, or its hardware integrity is compromised, renewal is refused and the device's access lapses with its short-lived certificate instead of persisting until a long-lived certificate expires.

Secure Onboarding & Auto-Enrollment

Zero-Touch Deployment via ACME. Eliminate manual CSRs and "Shared Secrets." Using the ACME protocol with the device attestation challenge (device-attest-01), BastionXP automates the entire device onboarding process. New corporate devices receive their hardware-backed identity silently and securely, with zero user intervention.

Phishing-Resistant Authentication

The Ultimate Defense Against Credential Theft. By tying authentication to a hardware-bound device identity, you take phishable credentials out of the authentication path. Even if an employee's credentials are stolen, the attacker cannot access your VPN, Wi-Fi, or SaaS apps without the physical, attested corporate device.

Unified Fleet Visibility

Inventory-Backed Access Control. Gain a "Single Pane of Glass" view of every attested device in your fleet. BastionXP logs the hardware serial numbers, TPM versions, and OS metadata, allowing you to create granular access policies based on the specific DNA of your hardware inventory.

The SCEP Era is Over

For two decades, SCEP was the industry workhorse. But in a world of sophisticated supply-chain attacks and mobile-first workforces, pre-shared password based authentication is a security risk. If you are still using SCEP to onboard devices to your VPN, Wi-Fi, or SaaS apps, you aren’t practicing Zero Trust—you’re practicing "Best-Guess" Security.

SCEP is a Liability in 2026

  • The "Static Secret" Problem: SCEP relies on a pre-shared challenge password. If an attacker intercepts that password from your MDM or a disgruntled employee, they can request a "trusted" certificate for any rogue device. SCEP can’t tell a corporate laptop from a hacker’s virtual machine.
  • Software Keys are Exportable Keys: SCEP doesn't care where a private key lives. It allows keys to be generated in software, meaning they can be exported, cloned, and moved to unauthorized hardware. Once a SCEP-issued certificate is stolen, your perimeter is wide open.
  • No Cryptographic Proof of Hardware: SCEP has no mechanism to verify the TPM (Trusted Platform Module) or Secure Enclave. It simply assumes the device at the other end of the request is what it claims to be. In the age of sophisticated device spoofing, "assuming" is a recipe for a breach.

Zero Trust for the Modern Perimeter

Traditional VPNs and Wi-Fi networks are often the weakest links. BastionXP turns every device into its own secure perimeter using TPM/Secure Enclave attestation.

Secure Network Access:

  • Corporate VPN & ZTNA: Eliminate credential stuffing. BastionXP issues short-lived, ACME-automated certificates that prove the device’s integrity before the VPN tunnel ever opens.
  • Enterprise Wi-Fi (802.1X): Seamlessly onboard corporate laptops and mobiles. Use ACME to rotate certificates automatically, ensuring only managed, healthy devices can join your airwaves.
  • SaaS & Cloud Apps: Bridge the gap between the browser and the hardware. Use device attestation as a primary factor for SSO & mTLS, ensuring your data stays within corporate-owned assets.

How It Works: BastionXP ACME Device Attestation

BastionXP doesn't just simplify and automate your certificate management; it gives you the confidence that only 'known-good' hardware has access to your infrastructure.

  • Key generation: The device generates a private key inside its TPM/Secure Enclave. The key is non-exportable and never leaves the hardware module.
  • Request: The device requests a certificate for that key via the ACME protocol.
  • Attestation: BastionXP answers with a device attestation challenge (device-attest-01); the device proves its identity by signing the challenge with its hardware attestation key (TPM/Secure Enclave).
  • Verification: BastionXP verifies the hardware signature, validates the device's attestation certificate chain against the manufacturer's CA, and checks that the request is bound to the attested hardware key.
  • Issuance: Once verified, BastionXP issues a short-lived, cryptographically signed certificate.
  • Access: The device uses this certificate to authenticate to your VPN, Wi-Fi, or SaaS apps.
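The CA-side checks in the Verification step, as an added example that is not BastionXP's code and does not reproduce the device-attest-01 wire format (which carries a WebAuthn-style attestation object). A constructed manufacturer root stands in for the TPM or Secure Enclave vendor CA, a device attestation certificate stands in for the vendor-issued hardware certificate, and the device proves possession of the hardware key by signing the ACME challenge token together with the public key it wants certified. The names NewManufacturerCA, IssueDeviceCert, Attest and Verify, the inventory map and the serial numbers are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Attestation is the device's answer to the challenge in this simplified model:
// its vendor-issued attestation certificate, the public key it wants certified,
// and a signature binding both to the challenge token.
type Attestation struct {
	DeviceCertDER []byte
	LeafPubDER    []byte
	Signature     []byte
}

// digest is what the hardware key signs: SHA-256(token || leaf public key),
// so a signature cannot be replayed for another order or another key.
func digest(token, leafPubDER []byte) []byte {
	h := sha256.New()
	h.Write(token)
	h.Write(leafPubDER)
	return h.Sum(nil)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewManufacturerCA builds a self-signed root standing in for the hardware
// vendor's attestation CA (constructed for this example).
func NewManufacturerCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example TPM Manufacturer Root (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IssueDeviceCert models the vendor certifying one device's attestation key at
// manufacture; the hardware serial rides in the subject for inventory matching.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial string) ([]byte, *ecdsa.PrivateKey) {
	key := newKey() // stands in for the non-exportable key inside the TPM/SE
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(5 * 365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return der, key
}

// Attest is the device side: sign the token and the leaf public key with the
// hardware attestation key.
func Attest(devCertDER []byte, devKey *ecdsa.PrivateKey, token, leafPubDER []byte) Attestation {
	sig, err := ecdsa.SignASN1(rand.Reader, devKey, digest(token, leafPubDER))
	if err != nil {
		panic(err)
	}
	return Attestation{DeviceCertDER: devCertDER, LeafPubDER: leafPubDER, Signature: sig}
}

// Verify is the CA side: chain to the manufacturer root, signature by the
// attested key over this challenge and this leaf key, and an inventory match.
// It returns the attested hardware serial on success.
func Verify(roots *x509.CertPool, inventory map[string]bool, token []byte, a Attestation) (string, error) {
	cert, err := x509.ParseCertificate(a.DeviceCertDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("attestation cert does not chain to manufacturer CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected attestation key type")
	}
	if !ecdsa.VerifyASN1(pub, digest(token, a.LeafPubDER), a.Signature) {
		return "", errors.New("signature does not cover this challenge and leaf key")
	}
	serial := cert.Subject.CommonName
	if !inventory[serial] {
		return "", fmt.Errorf("serial %q not in corporate inventory", serial)
	}
	return serial, nil
}

func main() {
	ca, caKey := NewManufacturerCA()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	inventory := map[string]bool{"SN-CORP-0001": true} // constructed inventory
	devCertDER, devKey := IssueDeviceCert(ca, caKey, "SN-CORP-0001")
	leafKey := newKey() // key the device wants certified for Wi-Fi/VPN
	leafPubDER, _ := x509.MarshalPKIXPublicKey(&leafKey.PublicKey)
	token := []byte("acme-challenge-token-constructed")
	serial, err := Verify(roots, inventory, token, Attest(devCertDER, devKey, token, leafPubDER))
	fmt.Println(serial, err)
}
```

The three checks map to the three SCEP weaknesses above: a self-signed or cloud vTPM certificate fails the chain check, a captured attestation replayed for a different order or a different key fails the signature check, and a genuine device that is not corporate-owned fails the inventory check. In a real deployment the root store is the vendor's published attestation roots and the serial comes from the endorsement certificate or MDM record rather than a CommonName.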

Start Your Free Trial Now

Try BastionXP for free with no commitments. No credit card required.

Frequently Asked Questions

  • What is BastionXP?

    BastionXP is an Identity-Aware Automated Certificate Lifecycle Management platform that uses hardware-rooted device attestation to provide passwordless WiFi and VPN access for enterprise managed devices.

    BastionXP integrates with your MDM to automate hardware-rooted device certificate lifecycle management, so that only company approved devices can access resources such as WiFi, VPN and SaaS apps.

  • Yes. You can download and try the free version of BastionXP. Please refer to the BastionXP "Getting Started" guide in our documentation. Remember that the free trial version comes with a limited feature set without the enterprise features. If you want to try the Enterprise Version, please write to us: [email protected].

  • BastionXP Enterprise version supports:

    a) A private PKI/CA that issues SSL/TLS X.509 certificates based on hardware-rooted device attestation.

    b) Integration with your favorite MDM.

    c) SSO/OAuth with Google G-Suite, Microsoft Office 365, Okta, Keycloak, and AWS IAM.

    d) Role Based Access Control using Microsoft Azure Active Directory, Okta, Keycloak or any IAM.

    e) Priority customer support.

  • BastionXP is a cloud-native application that is cloud-vendor agnostic. It runs on any cloud, including AWS, GCP, Azure or DigitalOcean.

  • Yes. We offer a cloud hosted version of BastionXP as a SaaS offering. You can try the cloud version for free for 30-days. No credit card required.

  • Please write to [email protected] for sales, queries, pricing and demo request.

Contact Us

For sales, support, demo or any queries, please write to us at:

[email protected]