PLATFORM FEATURES
Everythingamodernremoteaccessplatformneeds

Built for engineering teams who take security seriously.

AGENTS

Cryptographic identity, not credentials

Every agent generates an ED25519 keypair at install time. Registration with the rendezvous server requires a valid signature. No shared passwords. No centrally managed credentials to rotate.

ED25519 Identity Generation

Each agent identity is derived from a local keypair generated at install time. The public key becomes the permanent agent identity. Reinstalling the agent creates a new cryptographic identity instead of reusing shared credentials.

Signed Registration

Agent registration requires a valid ED25519 signature over a timestamp and nonce. The rendezvous server rejects replayed registration payloads inside the LRU + TTL replay window.

Heartbeat Tracking

Agents send signed heartbeats to the rendezvous server. Online state updates in real time, while stale agents fall offline after the heartbeat TTL window expires.

Pairing Key Workflow

New agents generate a human-readable pairing key. Operators redeem it in the dashboard to bind the agent to their team, and the key expires after first use.

TRANSPORT

End-to-end encrypted. Relay cannot decrypt.

The transport model treats relay nodes as untrusted infrastructure. Encryption is negotiated between the session endpoints, and every relay packet remains ciphertext.

X25519 Key Exchange

Every session negotiates fresh X25519 material between the operator side and the agent side. Session keys are ephemeral and are not stored after disconnect.

AES-256-GCM Sessions

Terminal data, command output, file transfer, and future session streams are encrypted with AES-256-GCM before they touch the relay path.

HKDF Key Derivation

Both ends derive session keys with SHA-256 HKDF and the explicit label tucdesk-session-v1. Protocol mismatch fails closed before payload processing.

Relay Fallback

When direct connection fails, the relay provides UDP/TCP fallback transport. It forwards ciphertext only and cannot distinguish readable session content.

Transport encryption flowKEY EXCHANGEDERIVATIONDATA FLOWOPERATOR KEYAGENT KEYX25519ECDHSHARED SECRETHKDF LABELAES-256-GCM KEYPAYLOADENCRYPTRELAY ∅DECRYPT
FLEET

Scale from one machine to ten thousand

Agent tagging

Group agents by environment, owner, role, or risk class. Tags drive fleet runs and policy targeting.

Command details →

Fleet run

Execute approved commands across many agents in parallel and inspect per-agent output, duration, and error state.

Command details →

ACL policy

Allow or deny access by agent, team, tag, and time window. Policy evaluation is team-scoped and audit-visible.

Command details →

Session recording

Capture terminal sessions in asciinema-compatible format with signed audit context and tenant-prefixed storage paths.

Command details →

Desktop access (RDP/VNC)

Connect to Windows and Linux desktops via RDP and VNC through the same zero-trust channel. No VPN, no port-forwarding.

Command details →

LAN discovery

mDNS broadcast lets agents discover each other on the same network for sub-millisecond local connections without touching the relay.

Command details →

Anomaly detection

Behavioural analysis flags unusual session patterns, access timing anomalies, and command-frequency outliers before they become incidents.

Command details →

Command approval gate

High-risk operations stop for human confirmation before execution. The decision and actor are written to audit.

Command details →

Address book

Curate known endpoints, ownership notes, favorites, use counts, and operational context for repeated access.

Command details →
ADVANCED ACCESS

Desktop, LAN, and Workload Identity

TucDesk reaches machines beyond the SSH shell. RDP and VNC sessions use the same zero-trust channel. LAN-local agents connect at sub-millisecond latency. Workload identity extends the model to CI/CD and service accounts.

Desktop Protocol (RDP/VNC)

Access Windows RDP and Linux VNC desktops through the TucDesk zero-trust channel. Guacamole protocol translation handles screen encoding — operators see a browser-native desktop session with the same audit trail as a terminal session.

LAN / mDNS Discovery

When operator and agent are on the same network, mDNS broadcast provides direct LAN-path connectivity. Session latency drops below 1ms. The relay is bypassed entirely. Ideal for on-premise environments and air-gapped segments.

WebAuthn / Hardware Keys

Operators can authenticate with FIDO2 hardware security keys (YubiKey, Passkeys) for high-assurance access to critical agents. Hardware key sessions bypass password fatigue while satisfying compliance requirements for privileged access.

MCP + AI

Your fleet, controlled by intent

TucDesk exposes a controlled MCP surface for AI operators. Tools can inspect state and request execution, but approval gates, ACL evaluation, and audit logging remain in the data path.

list_agents

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

get_agent

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

connect_session

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

run_command

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

list_sessions

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

get_audit_log

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

list_fleet_runs

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

get_recording

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

list_address_book

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

get_security_posture

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

manage_acl

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

pair_agent

Team-scoped MCP tool with request validation, permission checks, and immutable audit output for operator review.

MCP intent approval flowNL inputIntent parserRisk assessmentLOW / MEDIUMHIGH / CRITICALExecuteHuman confirmAuditExecute
POLICY

Deny by default, allow by policy

ControlHow it works
Open modePermits normal access while still recording actor, target, and session metadata.
Allowlist modeOnly explicitly allowed agents, tags, teams, or windows can be reached.
Blocklist modeBlocks specified high-risk targets while allowing routine workflows.
Time windowsRestrict access to maintenance windows or approved incident response periods.
AUDIT

Immutable, signed, exportable

Audit entries include actor, action, timestamp, session context, policy decision, and server signature. The chain is exportable for SIEM review and compliance evidence.
START BUILDING

Every feature ships on day one. Free up to 3 agents.

No feature flags behind paywalls. Fleet commands, audit recordings, mobile approvals, and AI MCP tools are available on every plan tier.

Get Started FreeView PricingSecurity Model

SOC 2 Type I in progress (Q3 2026) · ED25519 · AES-256-GCM · Open protocol