⚿ DVARPALA
Identity-First VPN

Access that follows identity. Always audited.

JIT Access · Instant Revocation · Full Audit Trail

Dvarpala ties infrastructure access directly to corporate identity. Remove someone from your IdP — their VPN access disappears instantly. Zero manual steps, zero lingering credentials.

In Development · Join the waitlist — no credit card
⚿ Dvarpala · Access Audit Log · Live
Time · Principal · Resource · Action · Status
09:40:12 · raj.mehta · prod-db · READ · Granted
09:40:38 · sara.chen · s3://backups · LIST · Granted
09:41:02 · anon-agent · prod-db · WRITE · Denied
09:41:15 · dev.kumar · k8s:prod · EXEC · JIT Grant
09:42:15 · dev.kumar · k8s:prod · EXEC · Expired
09:43:01 · maya.s · rds:replica · READ · Granted
Engineer · JIT Request · Dvarpala · Granted
Expires: 60 min
2,841 Events/hr · 2,798 Granted · 43 Denied · 100% Audited
The Problem

When employees leave, their access shouldn't linger.

When employees leave, their infrastructure access doesn't. Revocation is manual, delayed, and unreliable — credentials linger, audit trails are incomplete, and compliance gaps widen with every offboarding.

Manual revocation is slow — credentials outlive the employee by days or weeks
Audit trails are patchy — nobody knows who accessed what, when, or from where
Access isn't tied to identity — role changes don't automatically update permissions
Compliance gaps compound — SOC2, ISO27001 require audit-ready access logs at all times
The Solution

Dvarpala ties infrastructure access directly to corporate identity. When someone is removed from your IdP, their VPN access dies instantly — automatic, immediate, auditable.

Instant revocation — remove from IdP, access cut off immediately. No manual steps.
Complete audit trail — every connection logged with who, what, when, and where
Identity-first access — permissions follow the user's SSO group automatically
Compliance-ready — logs, policies, and reports structured for SOC2 and ISO27001
Unique Features

Access that follows identity. Always audited.

01 · Identity-First VPN · Core
Access tied directly to corporate SSO — Google Workspace, Okta, and Entra ID. No SSO, no access. Period.
02 · Instant Access Revocation · Security
Removing a user from the IdP immediately cuts off VPN access. Zero delay, zero lingering credentials, zero manual steps.
03 · Role-Based Access Control · Access
Enforce least-privilege access based on team, role, and service. Engineers get exactly what they need — nothing more.
04 · Multi-Cloud Connectivity · Infrastructure
Single VPN spanning AWS, GCP, and Azure VPCs. One policy layer, one audit trail, across your entire multi-cloud footprint.
05 · Sensitive Service Classification · Policy
Tag critical services and enforce stricter access policies for them. Production databases get a different policy to staging.
06 · Full Audit Trail · Compliance
Every connection logged with complete context — who, what, when, and where. Export-ready for compliance reviews.
07 · MFA Enforcement · Auth
Support for TOTP and WebAuthn for high-security environments. MFA required before any VPN session is established.
08 · Session Management · Sessions
Control sessions with idle timeouts, real-time tracking, and forced disconnects. No stale sessions left open overnight.
09 · Geo & Device Policies · Policy
Restrict access based on user location and device type. Engineers on unmanaged devices or unexpected locations are blocked automatically.
10 · Split Tunneling · Network
Route only required traffic through the VPN for efficiency. Everything else goes direct — no unnecessary latency for non-sensitive requests.
11 · Suspicious Activity Alerting · Monitoring
Detect failed logins, unusual locations, and anomalous access patterns. Shankh routes the alert — Legion investigates.
12 · Automated User Lifecycle + Open-Core Architecture · Lifecycle
Zero-touch onboarding and offboarding synced with your identity provider. And because Dvarpala is built on open-core architecture, your network infrastructure is transparent and inspectable — no black boxes securing your access layer.
How It Works

Connect identity. Access follows. Automatically.

Connect your identity provider, define access policies, and your team authenticates through SSO to get a VPN tunnel scoped to their role. Every session is logged. When someone leaves and is removed from your IdP, their access is revoked instantly — no manual steps, no lingering credentials.

“We offboarded 3 engineers last quarter. With Dvarpala, their access was gone before the HR email was sent.”

01 · Connect your Identity Provider
Link Google Workspace, Okta, or Entra ID. Dvarpala reads groups, roles, and user status in real time.
02 · Define access policies per role and service
Map IdP groups to infrastructure resources — which teams access which services, with what privileges, and from where.
03 · Engineers authenticate via SSO
No username/password VPN credentials. SSO login grants a scoped VPN tunnel matching the engineer's role. MFA required.
04 · Every session is logged in full
Who connected, to what resource, at what time, from which device and location. Every event is audit-trail-ready.
05 · Offboard instantly — no manual steps
Remove the user from your IdP. Dvarpala detects the change and revokes all active sessions immediately. No tickets, no delays.
Who It's For

Built for teams tired of chasing access revocations.

IT & Security Teams
Compliance-driven organisations needing airtight audit trails
You're preparing for SOC2 or ISO27001. You need logs for every access event, instant revocation, and policies you can actually enforce — not just document.
Audit-ready logs for every session
Instant offboarding with zero manual steps
MFA enforcement on all VPN access
Platform Engineers
Teams managing multi-cloud environments at scale
You're running workloads on AWS, GCP, and Azure. You need one policy layer, one audit trail, and role-based access that follows group membership — not manually managed spreadsheets.
Single VPN spanning AWS, GCP, Azure
Role-based access from IdP groups
Split tunneling for network efficiency
Growing Startups
Companies where people join, move, and leave frequently
Your team is growing fast. Contractors come and go. Dvarpala makes sure access follows the employee lifecycle automatically — no ops overhead as you scale from 10 to 100 engineers.
Zero-touch onboarding and offboarding
Geo and device policy enforcement
Suspicious activity alerts via Shankh
Pricing

Simple pricing for teams that ship securely.

Start with open core and scale as your compliance requirements grow. All plans include identity-first VPN and SSO authentication.

01 · Free
Open Core
₹0/month
Identity-first VPN
SSO authentication
Multi-cloud connectivity
Basic audit logs
Open-source access
03 · Scale
Enterprise
Custom
Everything in Team
Advanced compliance tools
Dedicated security support
Custom integrations
SLA & onboarding
Enterprise deployment
Early Access

Your next offboarding shouldn't be a security incident.

Dvarpala is in development. Join the early access waitlist — no commitment, no credit card. Be first when access control becomes automatic.

Currently onboarding design partners