Passwordless Device Identity-Aware Network Access with Hardware-Rooted Security.

Eliminate the security risks associated with SCEP and shared passwords. BastionXP automates certificate-based authentication for WiFi and VPNs, using hardware-rooted attestation. BastionXP ensures only verified, corporate-approved devices can access your network.

Hardware-Rooted Device Attestation

Verify the Silicon, Not Just the Software. BastionXP challenges the device to prove its identity using its TPM (Trusted Platform Module) or Apple Secure Enclave (SE). By verifying the hardware's cryptographic signature, we ensure the device requesting access is a genuine, corporate-issued asset—not a spoofed virtual machine.

Immutable Device Identity

Non-Exportable, Hardware-Bound Keys. Unlike SCEP or manual enrollment, TPM/SE ensures private keys are generated directly inside the device's secure hardware. These keys can never be exported, copied, or stolen by malware, providing an unbreakable link between the digital certificate and the physical machine.

Continuous Posture Verification

Trust is Earned, Then Re-Verified. Device identity isn't a one-time event. BastionXP performs attestation checks during every certificate renewal. If a device’s security posture changes—or if its hardware integrity is compromised—access is automatically revoked in real-time.

Secure Onboarding & Auto-Enrollment

Zero-Touch Deployment via ACME. Eliminate manual CSRs and "Shared Secrets." Using the ACME protocol with Attestation extensions, BastionXP automates the entire device onboarding process. New corporate devices receive their hardware-backed identity silently and securely, with zero user intervention.

Phishing-Resistant Authentication

The Ultimate Defense Against Credential Theft. By tying authentication to a hardware-bound device identity, you eliminate the risk of phishing. Even if an employee's credentials are stolen, the attacker cannot access your VPN, Wi-Fi, or SaaS apps without the physical, attested corporate device.

Unified Fleet Visibility

Inventory-Backed Access Control. Gain a "Single Pane of Glass" view of every attested device in your fleet. BastionXP logs the hardware serial numbers, TPM versions, and OS metadata, allowing you to create granular access policies based on the specific DNA of your hardware inventory.

The SCEP Era is Over

For two decades, SCEP was the industry workhorse. But in a world of sophisticated supply-chain attacks and mobile-first workforces, pre-shared-password-based authentication is a security risk. If you are still using SCEP to onboard devices to your VPN, Wi-Fi, or SaaS apps, you aren’t practicing Zero Trust—you’re practicing "Best-Guess" Security.

SCEP is a Liability in 2026

  • The "Static Secret" Problem: SCEP relies on a pre-shared challenge password. If an attacker intercepts that password from your MDM or a disgruntled employee, they can request a "trusted" certificate for any rogue device. SCEP can’t tell a corporate laptop from a hacker’s virtual machine.
  • Software Keys are Exportable Keys: SCEP doesn't care where a private key lives. It allows keys to be generated in software, meaning they can be exported, cloned, and moved to unauthorized hardware. Once a SCEP-issued certificate is stolen, your perimeter is wide open.
  • No Cryptographic Proof of Hardware: SCEP has no mechanism to verify the TPM (Trusted Platform Module) or Secure Enclave. It simply assumes the device at the other end of the request is what it claims to be. In the age of sophisticated device spoofing, "assuming" is a recipe for a breach.

Zero Trust for the Modern Perimeter

Traditional VPNs and Wi-Fi networks are often the weakest links. BastionXP turns every device into its own secure perimeter using TPM/Secure Enclave attestation.

Secure Network Access:

  • Corporate VPN & ZTNA: Eliminate credential stuffing. BastionXP issues short-lived, ACME-automated certificates that prove the device’s integrity before the VPN tunnel ever opens.
  • Enterprise Wi-Fi (802.1X): Seamlessly onboard corporate laptops and mobiles. Use ACME to rotate certificates automatically, ensuring only managed, healthy devices can join your airwaves.
  • SaaS & Cloud Apps: Bridge the gap between the browser and the hardware. Use device attestation as a primary factor for SSO & mTLS, ensuring your data stays within corporate-owned assets.

How It Works: BastionXP ACME Device Attestation

BastionXP doesn't just simplify and automate your certificate management; it gives you the confidence that only 'known-good' hardware has access to your infrastructure.

  • Request: The device requests a certificate via the ACME protocol.
  • Attestation: BastionXP challenges the device to prove its identity using its hardware security module (TPM/Secure Enclave) and the ACME Device Attestation challenge type (device-attest-01).
  • Verification: BastionXP verifies the signature made by the hardware security module (TPM/Secure Enclave) and validates the device's attestation certificate against the manufacturer's CA.
  • Issuance: Once verified, BastionXP issues a short-lived, cryptographically signed certificate.
  • Access: The device uses this certificate to instantly authenticate to your VPN, Wi-Fi, or SaaS apps.
  • Storage: The device private key never leaves the hardware module and is stored securely in it.
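The six steps above, as an added Go example that is not BastionXP's code and does not reproduce the real device-attest-01 response format: a constructed manufacturer root certifies a device attestation key (an Ed25519 key standing in for a TPM/Secure Enclave key), the device answers the challenge by signing the ACME key authorization with that key, and the server accepts only when the attestation certificate chains to the manufacturer root and the signature checks out. The names mkCert, VerifyAttestation and Enroll and the key-authorization string are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mkCert issues a certificate for pub signed by parentKey; parent == nil makes a self-signed CA root.
func mkCert(cn string, ttl time.Duration, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl), BasicConstraintsValid: true}
	if parent == nil { // root: mark as CA and allow it to sign other certificates
		tpl.IsCA, tpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	c, err := x509.ParseCertificate(der) // also catches a failed CreateCertificate (empty der)
	if err != nil {
		panic(err)
	}
	return c
}

// VerifyAttestation is the server side of the Verification step: chain the device's attestation
// certificate to the manufacturer root, then check that the hardware key it certifies signed this challenge.
func VerifyAttestation(dev *x509.Certificate, sig []byte, keyAuthz string, mfrRoot *x509.Certificate) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(mfrRoot)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err // self-signed or software-generated key: not a manufacturer-certified device
	}
	pub, ok := dev.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(keyAuthz), sig) {
		return nil, errors.New("attestation signature does not match this challenge") // e.g. a stolen certificate
	}
	return dev, nil
}

// Enroll runs the Request, Attestation and Verification steps for a device holding devKey and
// presenting devCert; only a device whose devCert chains to mfrRoot is accepted.
func Enroll(devKey ed25519.PrivateKey, devCert, mfrRoot *x509.Certificate) (*x509.Certificate, error) {
	keyAuthz := "constructed-token.constructed-account-thumbprint" // ACME key authorization: token "." account-key thumbprint
	sig := ed25519.Sign(devKey, []byte(keyAuthz))                   // signed inside the TPM/SE; the key never leaves it
	return VerifyAttestation(devCert, sig, keyAuthz, mfrRoot)
}
```

A self-signed software key fails the chain check, and a genuine attestation certificate presented without the matching hardware key fails the signature check.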

Start Your Free Trial Now

Try BastionXP for free with no commitments. No credit card required.

Frequently Asked Questions

  • What is BastionXP?

    BastionXP is a Zero Trust Security Platform that uses hardware-rooted device attestation to provide passwordless, certificate-based WiFi and VPN access for enterprise-managed devices. It replaces static credentials (like passwords and long-lived public-private keys) with an automated PKI/CA infrastructure that issues certificates to all endpoints.

    BastionXP integrates with your MDM to automate hardware-rooted device certificate lifecycle management, so that only company-approved devices can access resources such as WiFi, VPN and SaaS apps.

  • By moving away from static secrets, BastionXP eliminates the risk of credential theft. Every connection—whether it’s a developer accessing a server or an IoT gateway connecting to the cloud—is authenticated via Mutual TLS (mTLS) and rooted in hardware trust.

  • Yes. A core pillar of our Zero Trust philosophy is the use of ephemeral certificates. By issuing certificates that expire in hours or days rather than years, the "window of opportunity" for an attacker is virtually eliminated.

  • Yes. BastionXP includes a fully compliant ACME (RFC 8555) server that supports the 'device-attest-01' challenge. This allows automated certificate enrollment and renewal for mobile devices, workloads, web servers, VPNs, Wi-Fi access, NAS, RADIUS servers, databases and internal services using standard tools like Certbot, Lego, cert-manager or custom ACME clients.

  • Device Attestation ensures that certificates are only issued to genuine, authorized hardware. BastionXP supports Apple Managed Device Attestation (MDA) and Windows TPM attestation, verifying the device's unique identity at the hardware level before any credentials are issued.

  • BastionXP strictly follows the RFC standard for External Account Binding (EAB) and authenticates clients with EAB credentials during the ACME account creation phase. Unlike Let's Encrypt (a public ACME CA that issues certificates to any client), the BastionXP private ACME CA with EAB support issues certificates only to clients that present the shared EAB credential.

  • SCEP was designed decades ago and relies on "Challenge Passwords" that are often shared, static, or easily intercepted. BastionXP replaces this weak link with modern attestation. We don't just ask for a password; we verify the device’s unique hardware signature and security posture before issuing a certificate.

  • Yes. Since BastionXP issues standard X.509 digital certificates, it integrates seamlessly with any WiFi Access Point (via RADIUS) or VPN Gateway (via IKEv2/IPsec) that supports EAP-TLS certificate-based authentication.

  • Because our certificates are short-lived and identity-aware, access expires automatically in a few hours. By integrating with your MDM (like FleetDM or Jamf), BastionXP can automatically stop issuing certificates to any device marked as "Stolen," effectively locking it out of the network in real-time.

  • For the end-user, the process is invisible. When a new corporate device is shipped to an employee, BastionXP can automatically enroll the device and provision the necessary certificates the moment it first connects to the internet, with no manual configuration required from IT or the user.

  • Yes. Please write to us for the Enterprise Free Trial Version of BastionXP. We can offer the free trial as a self-hosted or cloud-hosted solution.

  • BastionXP Enterprise Version supports:

    a) Private PKI/CA and ACME server that issues TLS X.509 certificates and keys based on hardware-rooted device attestation for Apple devices.

    b) Integration with your favorite MDM such as Jamf, Fleet DM and others.

    c) Integration with Google G-Suite, Microsoft Office 365, Okta, Keycloak, and AWS IAM based SSO/OAuth.

    d) Role Based Access Control using Microsoft Azure Active Directory, Okta, Keycloak or any IAM.

    e) Priority customer support.

  • The BastionXP solution is a cloud-native application that is cloud-vendor agnostic. It works seamlessly in any cloud, including AWS, GCP, Azure or Digital Ocean.

  • Yes. We offer a cloud-hosted version of BastionXP as a SaaS offering. You can try the cloud version for free for 30 days. No credit card required. Please write to us to learn more about the SaaS offering.

  • Please write to [email protected] for sales, queries, pricing and demo request.

Contact Us

For sales, support, demo or any queries, please write to us at:

[email protected]