
Pomerium
Identity and access management (IAM) software
Privileged access management (PAM) software
Zero trust networking software
Identity management software
Zero trust architecture software
$7 per user per month
Small
Medium
Large
- Information technology and software
- Media and communications
- Professional services (engineering, legal, consulting, etc.)
What is Pomerium
Pomerium is an identity-aware access proxy used to enforce zero trust access to internal web applications, APIs, and services. It sits in front of protected resources and makes a per-request allow/deny decision based on the authenticated user's identity, device and request context, and policy, delegating authentication to an external identity provider (OIDC natively; SAML through an IdP that bridges it). Security and platform teams commonly use it to replace or reduce reliance on network-based access controls such as VPN-style access and to centralize authentication and authorization at the edge or in Kubernetes. Pomerium is available as open source software (Pomerium Core) and as a managed control plane (Pomerium Zero), with deployment options for cloud and on-prem environments.
Identity-aware access enforcement
Pomerium enforces access decisions using authenticated identity rather than network location, in line with zero trust access patterns. It integrates with common identity providers over OIDC (SAML via integrations), enabling SSO for protected applications. Policies can combine user and group claims with request context such as path or method, which is finer-grained than an IP allowlist. This lets a team standardize access across many internal apps without changing each application's own authentication layer, provided the application is reachable only through the proxy; where it is not, the application should verify the signed identity assertion Pomerium forwards rather than trusting plain identity headers.
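The check that last caveat asks for, as an added example rather than Pomerium's own code: a backend that receives requests through a route with `pass_identity_headers: true` gets an `X-Pomerium-Jwt-Assertion` header carrying an ES256-signed JWT, and the proxy publishes the matching public keys at `/.well-known/pomerium/jwks.json` (header name, path and algorithm as documented by Pomerium; confirm against the version you run). The verifier below pins the algorithm, selects the key by `kid`, checks the signature, and then checks issuer (the authenticate service host), audience (this route's host) and expiry. Everything else in the block is constructed for the example: the key pair, the stand-in signer, the hostnames and the user emails are not from any real deployment, and a real backend would fetch and cache the JWKS document instead of building it locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var enc = base64.RawURLEncoding
// jwk is one entry of the key set Pomerium publishes at /.well-known/pomerium/jwks.json; json.Unmarshal fills it case-insensitively.
type jwk struct{ Kty, Crv, Kid, X, Y string }

// Claims checked here; the real assertion also carries sub, user, groups and iat.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

func fixed32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

// signAssertion stands in for the proxy: an ES256 JWT with the raw r||s signature encoding JOSE uses.
func signAssertion(priv *ecdsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err) // example-only signer; in production the proxy signs
	}
	return input + "." + enc.EncodeToString(append(fixed32(r), fixed32(s)...))
}

// keyFor pins the algorithm to ES256 and returns the P-256 key named by kid, so a token can never steer the verifier to "none", HS256 or a key of its own choosing.
func keyFor(keys []jwk, alg, kid string) (*ecdsa.PublicKey, error) {
	for _, k := range keys {
		x, errX := enc.DecodeString(k.X)
		y, errY := enc.DecodeString(k.Y)
		if alg == "ES256" && k.Kid == kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
		}
	}
	return nil, fmt.Errorf("no usable ES256 key for alg=%q kid=%q", alg, kid)
}

// VerifyAssertion validates an X-Pomerium-Jwt-Assertion value before the app trusts any claim in it: signature under the published key, iss = authenticate host, aud = this route's host, not expired (now is Unix seconds).
func VerifyAssertion(token string, keys []jwk, issuer, audience string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	pub, err := keyFor(keys, hdr.Alg, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature invalid")
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	// A token minted for another route, or by another authenticate service, must not unlock this one.
	if c.Iss != issuer || c.Aud != audience || now >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d, want %q %q and exp > %d", c.Iss, c.Aud, c.Exp, issuer, audience, now)
	}
	return &c, nil
}

// Demo builds its own key and tokens (constructed for this example, not captured from a deployment) and returns the verifier's verdict per case: "valid" is nil, every other entry is an error.
func Demo() map[string]error {
	const iss, route, now = "authenticate.corp.example.com", "grafana.corp.example.com", int64(1700000000)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	keys := []jwk{{Kty: "EC", Crv: "P-256", Kid: "demo", X: enc.EncodeToString(fixed32(priv.X)), Y: enc.EncodeToString(fixed32(priv.Y))}}
	mint := func(aud, email string, exp int64) string { return signAssertion(priv, "demo", Claims{Iss: iss, Aud: aud, Exp: exp, Email: email}) }
	good := mint(route, "alice@example.com", now+300)
	p, q := strings.Split(good, "."), strings.Split(mint(route, "mallory@example.com", now+300), ".")
	verdict := map[string]error{}
	_, verdict["valid"] = VerifyAssertion(good, keys, iss, route, now)
	_, verdict["other-route"] = VerifyAssertion(mint("vault.corp.example.com", "alice@example.com", now+300), keys, iss, route, now)
	_, verdict["tampered"] = VerifyAssertion(p[0]+"."+q[1]+"."+p[2], keys, iss, route, now) // alice's signature over mallory's claims
	return verdict
}

func main() { fmt.Println(Demo()) }
```

Run it and the "valid" entry is nil while "other-route" and "tampered" carry errors. The audience check is what stops a token obtained for one route from being replayed against another, and pinning the algorithm before looking up the key is what stops an `alg: none` header from turning the check into a no-op. If the backend is not reachable around the proxy at all, plain `X-Pomerium-Claim-*` headers are acceptable; the moment it is, only the signed assertion is trustworthy.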
Flexible deployment architectures
Pomerium can run in containerized environments, including Kubernetes, and can be deployed as a reverse proxy/ingress-style component in front of services. It supports self-hosted operation for organizations that need control over data plane placement and network topology. The product’s architecture fits common patterns such as protecting internal dashboards, admin consoles, and APIs across multiple environments. This flexibility is useful for teams operating hybrid or multi-cloud infrastructure.
Open source and extensible
An open source core can reduce vendor lock-in concerns and allows teams to evaluate functionality before committing to a commercial plan. The product supports standard protocols and can integrate with existing identity and directory systems through the chosen IdP. It also supports automation-friendly configuration and policy management practices that align with infrastructure-as-code workflows. These characteristics can simplify integration into existing security and platform toolchains.
Not a full IAM suite
Pomerium focuses on access proxying and policy enforcement rather than providing a complete identity lifecycle platform. It typically relies on an external identity provider for user directories, MFA, and broader identity governance features. Organizations looking for consolidated user provisioning, HR-driven lifecycle workflows, or extensive identity analytics will usually need additional systems. This can increase integration and operational overhead compared with all-in-one IAM platforms.
Limited PAM depth by itself
While it can gate access to sensitive internal tools, Pomerium is not a full privileged access management system with features like credential vaulting, session recording, and privileged account rotation. For privileged workflows, teams often need complementary controls and tooling beyond an access proxy. This distinction matters for compliance programs that require specific PAM capabilities. Buyers should validate whether their definition of PAM is satisfied by identity-aware proxy controls alone.
Operational complexity for self-hosting
Self-hosted deployments require careful configuration of identity provider integration, certificates, routing, and policy rules to avoid misconfigurations. Running the service reliably at scale can involve additional components (e.g., load balancing, observability, and secrets management) depending on the environment. Teams without mature platform engineering practices may find initial setup and ongoing maintenance non-trivial. Managed options can reduce this burden but may change cost and control trade-offs.
Plan & Pricing
| Plan | Price | Key features & notes |
|---|---|---|
| Personal (Pomerium Zero - personal) | Free | For individuals/hobbyists; managed control plane + self-hosted data plane; includes quotas (e.g., 10 users, 1 custom domain, 1 admin user, 2 service accounts, 5 policies, 10 routes) and access to Pomerium Core (open-source). |
| Business (Pomerium Zero - business) | $7 per user/month (billed annually) | For teams replacing VPNs; managed control plane + self-hosted data plane; higher quotas (e.g., up to 1,000 users, 5 custom domains, 20 admin users, 20 service accounts, 100 policies, 100 routes); billing based on monthly active users. |
| Enterprise (Pomerium Enterprise) | Custom pricing | Fully self-hosted/on-premise with no usage limits and additional support options; licensed through sales (contact required), with private registry access and license keys; a free trial can be requested. |