
The BeyondTrust Universe — Password Safe, PRA, EPM, PMUL & the Pathfinder Platform

BeyondTrust is not one product — it is four bloodlines stitched into one badge: Bomgar, Avecto, PowerBroker and Likewise. This lesson hands you the family map: which box vaults passwords, which one walks vendors in without a VPN, which one removes local admin, and what Pathfinder One changes — so an interviewer can never name-drop an old product and lose you.

📅 2026-06-10 · ⏱ 13 min · 3 live demos · 4 infographics · 🏷 10-Q assessment + AI Tutor inline


Pick where you want to start

1. The heritage map: Bomgar, Avecto, PowerBroker, PBIS — who became what.
2. Pick the product: five problems, five boxes — one decision tree.
3. The platform layer: BeyondInsight, Insights, Entitle, Pathfinder One, appliances.
4. One bank, full stack: PRA + Password Safe + EPM + PMUL in a single estate.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. An interviewer asks: "Have you ever managed the Bomgar box?" What are they actually asking about?

Answered in The heritage map.

2. An OEM vendor needs recorded RDP into 12 of your servers — and the auditor said no VPN. Which product is built for exactly this?

Answered in Pick the product.

3. Which one is the management console that Password Safe runs ON, rather than a product by itself?

Answered in The platform layer.

Most engineers think…

Most engineers think BeyondTrust is one product you install once — "we have BeyondTrust", so passwords, vendor access and endpoint rights must all be covered.

Wrong — BeyondTrust is a family built from acquisitions (Bomgar, Avecto, PowerBroker/eEye-era BeyondTrust, Likewise, Entitle). Buying Password Safe gives you a vault; it does not give you PRA’s vendor access or EPM’s endpoint least privilege. Knowing which box solves which problem — and what its old name was — is the actual job skill interviewers test.

① The heritage map — Bomgar, Avecto, PowerBroker, PBIS

Walk into any PAM team in Bengaluru and you will hear product names that do not exist on beyondtrust.com any more: "the Bomgar box", "Avecto policies", "PowerBroker on the Linux estate". None of these people are out of date — the old names are baked into service names, registry paths, binaries and even job descriptions. BeyondTrust today is one badge over four bloodlines, and you need to speak both generations fluently.

The strangest story first. In 2018, Bomgar — a remote-support appliance company — acquired BeyondTrust and then kept the BeyondTrust name. The buyer took the target’s name, because BeyondTrust was the better-known PAM brand. Bomgar’s technology became today’s Remote Support (helpdesk) and Privileged Remote Access (PRA). The lineage is still visible in production: the appliance’s vendor-support tunnel and update domains live on bomgar.com to this day.

Figure 1 — The heritage map — who became what
A mapping diagram. Four heritage companies on the left — Bomgar, Avecto Defendpoint, PowerBroker, PBIS / Likewise — with arrows to the modern BeyondTrust products they became on the right: Remote Support plus Privileged Remote Access, Endpoint Privilege Management for Windows and Mac, Privilege Management for Unix and Linux, and AD Bridge. Labels on the arrows show where the old name still appears: service names, registry paths, binaries and update domains.
Arrow labels: Bomgar (remote-access appliances) → Remote Support + PRA: in 2018 Bomgar BOUGHT BeyondTrust and kept the BeyondTrust name; the PRA appliance update/support domains still sit on bomgar.com. Avecto Defendpoint (endpoint least privilege) → EPM Windows & Mac: the Windows service is still literally "Avecto Defendpoint Service". PowerBroker (Unix/Linux privilege) → PMUL: the pb prefix lives on in pbrun, pbmasterd and the PBPS registry paths. PBIS / Likewise (AD identity for Linux) → AD Bridge: the agent still installs to /opt/pbis.
Read left to right: the four heritage names and the modern products they became. The arrow labels show exactly WHERE each old name still leaks into a live system — that is why interviewers still use them.

Three more bloodlines. Avecto Defendpoint became Endpoint Privilege Management (EPM) for Windows and Mac — and the Windows agent service is literally still named "Avecto Defendpoint Service", with its config under HKLM\SOFTWARE\Avecto\Privilege Guard Client. PowerBroker became Privilege Management for Unix & Linux (PMUL) — every binary keeps the pb prefix (pbrun, pbmasterd), and even Password Safe’s session-proxy registry path says PBPS (PowerBroker Password Safe). PBIS / Likewise became AD Bridge, and the agent still installs to /opt/pbis.

👉 So far: four heritage names → four modern products, and the old names survive in services, registry paths, binaries and interviews. Next: a card per bloodline you can flip through before any interview.

The four bloodlines

Old name first, then what it became and where it still leaks.

📦 Bomgar: Acquired BeyondTrust in 2018, kept the BeyondTrust NAME. Became Remote Support + PRA. So: "Bomgar box" = the RS/PRA appliance.

🛡️ Avecto Defendpoint: Became EPM for Windows and Mac. The Windows service is still named Avecto Defendpoint Service. So: old name lives on every endpoint.

🐧 PowerBroker: Became PMUL. pbrun, pbmasterd and the PBPS registry path all keep the pb prefix. So: see pb anywhere, think PowerBroker.

🌉 PBIS / Likewise: Became AD Bridge — Linux joins Active Directory. Agent still installs to /opt/pbis. So: file paths reveal heritage.

Pause & Predict

Predict: you open regedit on a Password Safe appliance and find HKLM\SOFTWARE\BeyondTrust\PBPS\SessionManager. What does PBPS stand for — and why is it still there?

Answer: PowerBroker Password Safe — the product’s heritage name from the PowerBroker family. Renaming a product in marketing is cheap; renaming registry paths, service names and config keys breaks thousands of customer installs, so vendors leave them. That is why the field speaks both names — the OLD ones are frozen into running systems.

INTERVIEW HACK — answer in both names

When a JD says "PowerBroker experience" it means PMUL; "Bomgar" means Remote Support/PRA; "Avecto" or "Defendpoint" means EPM. In the room, say both: "Privilege Management for Unix and Linux — the old PowerBroker, so pbrun and pbmasterd." One sentence proves you know the product AND its history. Put both names on your CV — recruiters keyword-search the old ones.

Quick check · Q1 of 10

In a Wipro interview, the panel asks Sneha: "We still run the Bomgar box for vendor access — can you manage it?" What are they actually running?

Correct: b. "Bomgar box" is field slang for the B-Series remote-access appliance — today’s Remote Support and PRA. The twist students miss: Bomgar was the BUYER in 2018 but adopted the BeyondTrust name. It was never a firewall, has nothing to do with Avecto (endpoint lineage), and CyberArk is a different vendor entirely.

② The product family by problem solved

Stop asking "what is BeyondTrust?" and start asking "which pain is this box for?" Five pains cover the whole family: shared unrotated privileged passwords · vendors needing access without VPN · helpdesk remote-controlling employees · everyone-is-local-admin laptops · Linux root chaos with a separate local account on every box. Five pains, five products — and picking the wrong one is the most common rookie mistake in PAM projects.

Pain 1: shared passwords → Password Safe. The vault that stores, rotates and brokers privileged credentials. Think of an SBI bank locker: your key plus the bank officer’s key (request + approval), the counter register (audit trail), and the lock re-keyed after every visit (rotation on check-in). Crucially it also has a session proxy: admins RDP/SSH to the proxy, never to the target, and the password never reaches their screen. Password Safe runs on the BeyondInsight platform — more on that in section ③.

Pain 2 and 3: remote access — two products, one bloodline. PRA walks vendors and admins to privileged infrastructure: it is the escorted-plumber model. A VPN hands the plumber a duplicate key to your whole house; PRA walks him to the one leaking bathroom, on CCTV, and out — per-system sessions, every client dialing outbound on TCP 443, no inbound firewall holes, everything recorded. Remote Support is the same Bomgar lineage pointed at a different audience: helpdesk technicians supporting employees’ machines, licensed by concurrent technicians (PRA is typically named-user). Same appliance family, different job — confusing them is a classic interview trap.

Figure 2 — The pick-the-product decision tree
A decision tree. The root question asks which problem hurts. Five branches lead to five product boxes: shared unrotated passwords go to Password Safe on BeyondInsight, vendor or admin remote access without VPN goes to Privileged Remote Access, helpdesk support of employees goes to Remote Support, everyone-is-local-admin goes to Endpoint Privilege Management, and Linux root chaos plus per-box local accounts goes to PMUL with AD Bridge. Each product box carries one anchor fact such as proxy ports or outbound 443.
Branches: privileged passwords shared in Excel, never rotated → Password Safe (vault + rotate + proxy; SSH 4422 · RDP 4489; runs ON BeyondInsight). Vendors/admins need access without VPN → PRA (brokered + recorded; outbound 443 only; heritage Bomgar). Helpdesk remote-controls employee machines → Remote Support (concurrent technicians; heritage Bomgar). Everyone is local admin on Windows laptops → EPM (elevate the APP, user stays standard; heritage Avecto). Linux root chaos, local accounts on every box → PMUL + AD Bridge (pbrun → pbmasterd; domainjoin-cli → AD; heritage PowerBroker · PBIS). Red strip: the anti-pattern of answering every pain with "give them VPN + Domain Admin" (network-wide access, zero recording, standing privilege); each box above gives the narrow, recorded, expiring version of that access. The cloud-entitlements version of the same question (AWS/Azure roles) is Entitle, covered in section ③.
Start at the amber question, follow your pain down to a product box. The red strip is the anti-pattern every one of these boxes replaces: VPN plus standing admin rights.

Pause & Predict

Predict: the network team says "just give the OEM vendor a VPN account — it works fine." What will the auditor flag, and which product answers all of it?

Answer: Three findings: (1) VPN grants NETWORK-wide reach, not access to one approved system — lateral movement risk; (2) no session recording — nobody can prove what the vendor did; (3) a standing credential that lives on after the work order closes. PRA answers all three: per-system brokered sessions over outbound 443, full recording, and access that expires with the approval window.

Pain 4: local admin everywhere → EPM. The wedding-hall rule: the guest stays a normal guest, but one task gets a temporary VIP band. EPM removes admin rights from users and instead elevates individual applications by policy — the user account never becomes administrator.

Pain 5: Linux chaos → PMUL + AD Bridge. pbrun is like a gram-panchayat approval system: the request goes to pbmasterd (the sarpanch with the central rulebook), which stamps ACCEPT or REJECT, pblocald does the work and pblogd writes every keystroke in the register. Unlike sudo, the decision is made centrally, not from a local file an admin can edit. AD Bridge is Aadhaar for Linux: one central AD identity accepted by every server, instead of a separate local account per box.

PMUL submit host (Linux) — pbrun asks the policy server, not local sudoers
# run a privileged task — pbmasterd decides centrally per /etc/pb.conf policy
pbrun id

# request execution on a remote run host
pbrun -h db-prod-01 uname -a
Expected output
$ pbrun id
uid=0(root) gid=0(root) groups=0(root)
$ pbrun -h db-prod-01 uname -a
Linux db-prod-01 5.14.0-427.el9.x86_64 #1 SMP x86_64 GNU/Linux
👉 So far: vault-and-rotate = Password Safe · vendor access = PRA · helpdesk = Remote Support · endpoint least privilege = EPM · Linux = PMUL + AD Bridge. Next: what happens when someone picks the wrong box.

Sneha at Infosys faces this

Sneha’s manager says: "We bought BeyondTrust — remove local admin rights from 5,000 laptops by Friday." She logs into the BeyondInsight console, hunts every menu, and finds nothing about Workstyles, elevation or application policies.

Likely cause

Wrong product. The client bought Password Safe (vault + rotation on BeyondInsight). Endpoint least privilege is EPM — a separate product with its own console (PM Cloud) and its own per-endpoint agent. A vault cannot elevate an application.

Diagnosis

Match the pain to the product: "everyone is local admin" is the EPM lane, not the vault lane. Check what is actually licensed before promising a date.

PM Cloud (EPM console) > Policies > Create Policy > QuickStart for Windows template
Fix

Procure/activate EPM, deploy the agent via Intune/SCCM, start from the QuickStart for Windows template (All Users + High/Medium/Low Flexibility workstyles), brand the messages, then remove users from the local Administrators group in rings.

Verify

On a pilot laptop after a reboot: right-click an approved app → "Run as administrator" now shows the EPM policy message instead of the Windows UAC prompt, and the test user is no longer in the local Administrators group.

COMMON MISTAKE — "we have BeyondTrust, so it’s covered"

Symptom: leadership believes endpoints are protected because "BeyondTrust is deployed" — but laptops are still full of local admins, or vendors still come in over VPN. Cause: one product’s licence got mentally stretched across the whole family. Fix: keep a one-line scope map — Password Safe = vault, PRA = vendor access, EPM = endpoints, PMUL = Linux — and check the actual licence before answering any "are we covered?" question.

Quick check · Q2 of 10

Karthik at Airtel must remove local admin rights on 8,000 Windows laptops, but engineers still need ONE packet-capture tool to run elevated. Which product does this job?

Correct: c. This is the endpoint least-privilege lane: EPM strips admin rights but elevates the specific approved application (the user stays standard). Vaulting 8,000 local passwords (a) makes users check out full admin again — the opposite of least privilege for daily work; PRA (b) is remote access, not token control; AD Bridge (d) is Linux-to-AD identity, wrong OS and wrong problem.

③ The platform layer — BeyondInsight, Insights, Entitle, Pathfinder One

Above the five products sits a layer most beginners never get straight. Start with BeyondInsight: it is the management platform and web console that Password Safe runs on — one login, two layers. BeyondInsight owns the plumbing every vault needs: the Assets grid, Discovery scans that walk your IP ranges like a census enumerator, Smart Rules that auto-onboard what discovery finds, and Analytics & Reporting. Password Safe adds the vault verbs on top: requests, approvals, sessions, rotation. When a candidate says "BeyondInsight and Password Safe are two separate consoles", the interview is usually over.

🖥️ This is the console you’ll live in for vault work — BeyondInsight → left menu. One console: platform features (Assets, Smart Rules, Discovery) plus the Password Safe module. (Recreated for clarity — your console matches this.)

beyondinsight.suryabank.in · Home
1. Assets: every discovered server and workstation
2. Smart Rules: criteria → actions, the auto-onboarding engine
3. Managed Systems / Managed Accounts: what Password Safe rotates
4. Password Safe: requests · approvals · sessions
Secrets Safe: team/app secrets organised in safes
Configuration: Privileged Access Management settings

Now the deployment shapes — the question every architect round asks. On-prem, BeyondInsight/Password Safe ships as a U-Series appliance (hardened Windows-based, deployable as an HA pair with heartbeat failover) or a software install on your own servers. Remote Support and PRA ship on the B-Series appliance (physical or virtual, usually parked in the DMZ). And everything has a SaaS shape: Password Safe Cloud lives at <yoursite>.ps.beyondtrustcloud.com and reaches back into your network through Resource Brokers — worker VMs that dial outbound on 443 only, like a Delhivery hub inside your society: the warehouse never enters the gate; the hub dials out to fetch jobs.

MISTAKE — "cloud got patched, so we’re fine" (the Dec-2024 lesson)

Symptom: in January 2025 your scanner flags CVE-2024-12356 (CVSS 9.8, unauthenticated command injection in Remote Support/PRA) on the on-prem appliance, while a friend’s SaaS tenant already shows patched. Cause: BeyondTrust auto-patched all CLOUD instances on 2024-12-16 — but on-prem patching is YOUR job, applied via the /appliance interface (fix shipped in RS/PRA 24.3.1). Fix: subscribe the appliance to btupdate.com auto-updates and treat vendor advisories as P1 — this CVE went into CISA KEV on 2024-12-19, during the US Treasury incident window.

Two newer pieces complete the layer. Identity Security Insights is the cloud ITDR product: its True Privilege Graph ingests AD, Entra ID, Okta, AWS, GCP, even GitHub, and maps Paths to Privilege — every back-lane of group nesting and role chaining an attacker could walk from a helpdesk account to domain admin, like a Google Maps route view for privilege escalation. Entitle (acquired April 2024) brings JIT cloud entitlements with IGA and CIEM: think Tatkal ticket versus lifetime first-class pass — AWS/Azure roles granted for today’s journey, then gone. And Pathfinder One (launched February 2025) is the umbrella platform pulling all of it together — a direction, not an installer. Its most visible side effect: the docs renamed Jump terminology (Jumpoint→Gateway, Jump Item→Asset) — lesson ⑤ onwards teaches both.

Password Safe REST API — sign in, then list managed accounts (base path /BeyondTrust/api/public/v3)
POST /BeyondTrust/api/public/v3/Auth/SignAppIn HTTP/1.1
Host: beyondinsight.suryabank.in
Authorization: PS-Auth key=<128-char-api-key>; runas=suryabank\svc-api-read;

GET /BeyondTrust/api/public/v3/ManagedAccounts HTTP/1.1
Host: beyondinsight.suryabank.in
Expected output
HTTP/1.1 200 OK
[
  {"AccountName":"administrator","SystemName":"DC-MUM-01","DomainName":"suryabank.in"},
  {"AccountName":"root","SystemName":"swift-app-03"}
]

Note two real-world catches in that API call: session state is kept between calls (sign in once, then work), and GET ManagedAccounts only returns accounts that have Enable for API Access set and that the runas user holds a Requestor/ISA role on — an empty list usually means a permissions gap, not an empty vault.
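The sign-in, session reuse and empty-list check described above, as an added Python example that is not BeyondTrust's own SDK or code from the lesson. It assumes only the PS-Auth header format and v3 base path shown above; the PS_API_KEY environment variable, the FakeTransport class and its session marker are constructed so the block runs offline, and UrllibTransport is the real transport you would substitute for a live site.

```python
"""Password Safe public API: sign in once with PS-Auth, reuse the session, sign out,
and explain an empty ManagedAccounts list. Added example, not BeyondTrust's SDK;
the PS_API_KEY variable, FakeTransport and its session marker are constructed."""
import http.cookiejar
import json
import os
import urllib.error
import urllib.request

BASE_PATH = "/BeyondTrust/api/public/v3"
# Sample body copied from the lesson's expected output (constructed data).
SAMPLE_RESPONSE = ('[{"AccountName":"administrator","SystemName":"DC-MUM-01",'
                   '"DomainName":"suryabank.in"},{"AccountName":"root","SystemName":"swift-app-03"}]')


class UrllibTransport:
    """Real HTTPS transport: the CookieJar keeps the session cookie that SignAppIn
    sets, so every later call rides the same signed-in session."""
    def __init__(self, host):
        self.host = host
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def request(self, method, path, headers, body=None):
        req = urllib.request.Request(f"https://{self.host}{BASE_PATH}{path}",
                                     data=body, method=method, headers=headers)
        try:
            with self.opener.open(req, timeout=30) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()


class FakeTransport:
    """Offline stand-in: records every call and replays the sample body."""
    def __init__(self, accounts_body=SAMPLE_RESPONSE):
        self.calls, self.session, self.accounts_body = [], None, accounts_body

    def request(self, method, path, headers, body=None):
        self.calls.append((method, path, dict(headers)))
        if path == "/Auth/SignAppIn":
            if not headers.get("Authorization", "").startswith("PS-Auth key="):
                return 401, ""
            self.session = "constructed-session-cookie"  # stands in for Set-Cookie
            return 200, '{"UserId": 7}'
        if self.session is None:  # not signed in: the real API answers 401
            return 401, ""
        if path == "/ManagedAccounts":
            return 200, self.accounts_body
        if path == "/Auth/Signout":
            self.session = None
            return 200, ""
        return 404, ""


class PasswordSafeClient:
    def __init__(self, transport, api_key, runas):
        self.transport, self.api_key, self.runas = transport, api_key, runas
        self.signed_in = False

    def auth_header(self):
        # PS-Auth format from the lesson: key=<api key>; runas=<domain\user>;
        return f"PS-Auth key={self.api_key}; runas={self.runas};"

    def sign_in(self):
        status, body = self.transport.request(
            "POST", "/Auth/SignAppIn", {"Authorization": self.auth_header()})
        if status != 200:
            raise PermissionError(f"SignAppIn failed: HTTP {status} {body[:200]}")
        self.signed_in = True

    def managed_accounts(self):
        if not self.signed_in:
            self.sign_in()  # sign in once; the session carries every later call
        status, body = self.transport.request("GET", "/ManagedAccounts", {})
        if status != 200:
            raise RuntimeError(f"ManagedAccounts failed: HTTP {status} {body[:200]}")
        return json.loads(body)

    def sign_out(self):
        self.transport.request("POST", "/Auth/Signout", {})
        self.signed_in = False


def describe(accounts, runas):
    # Operator view of the list, with the lesson's empty-list caveat spelled out.
    if not accounts:
        return [f"200 OK but zero accounts for {runas}: check 'Enable for API Access' on "
                "the accounts and a Requestor/ISA role for the runas user before "
                "assuming the vault is empty"]
    return [f"{a['SystemName']}\\{a['AccountName']}"
            + (f" ({a['DomainName']})" if a.get("DomainName") else "")
            for a in accounts]


def run(transport=None, runas="suryabank\\svc-api-read"):
    # Sign in, list, always sign out; with no transport, use the offline fake.
    api_key = os.environ.get("PS_API_KEY", "x" * 128)  # placeholder only for the fake
    client = PasswordSafeClient(transport or FakeTransport(), api_key, runas)
    try:
        return describe(client.managed_accounts(), runas)
    finally:
        client.sign_out()
```

Call `run(UrllibTransport("beyondinsight.suryabank.in"))` with PS_API_KEY exported to hit a real console; with no argument it replays the lesson's sample response offline.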

Pause & Predict

Predict: the CISO asks "can we see every path an attacker could take from a helpdesk account to domain admin — across AD, Entra ID AND AWS?" Which layer answers, and which product would you NOT use?

Answer: Identity Security Insights — its True Privilege Graph computes effective (not nominal) privilege and draws the Paths to Privilege across AD, Entra ID, Okta and the clouds. You would NOT answer with Password Safe: a vault knows what it stores and rotates, but it cannot see group-nesting escalation chains across identity providers. Detection of paths = Insights; control of credentials = the vault.

👉 So far: BeyondInsight is the console under Password Safe · U-Series/B-Series/SaaS are the shapes · Insights watches identity attack paths · Entitle grants JIT cloud access · Pathfinder One is the umbrella. Next: see the whole layer drawn as one stack.

Figure 3 — The platform layer above the products
A three-layer stack. Bottom row: five product tiles — Password Safe, PRA, Remote Support, EPM, PMUL plus AD Bridge. Middle row: the platform layer — BeyondInsight management console, Identity Security Insights cloud ITDR with the True Privilege Graph, and Entitle for just-in-time cloud entitlements. Top band: the Pathfinder One platform announced February 2025, which also renamed Jump terminology. A side note lists the deployment shapes: U-Series appliance, B-Series appliance, software install, SaaS.
Tile text: Pathfinder One platform (launched Feb 2025), one identity-security umbrella, a direction, NOT an installer; it also renamed Jump terms (Jumpoint→Gateway, Jump Item→Asset). BeyondInsight management console: assets · discovery · Smart Rules · reports; Password Safe runs ON it. Identity Security Insights: cloud ITDR whose True Privilege Graph maps Paths to Privilege across AD, Entra ID, Okta, AWS, GCP, GitHub. Entitle: JIT cloud entitlements (acq. Apr 2024), IGA + CIEM, 150+ integrations, goal: kill standing privilege. Deployment shapes: U-Series appliance (BeyondInsight/Password Safe on-prem) · B-Series appliance (RS/PRA on-prem) · software install · SaaS (cloud site + outbound-443 Resource Brokers, no inbound firewall holes). You still administer each product in its own console; the platform layer is where they get seen TOGETHER.
Bottom row: the five products you deploy. Middle: the layer that manages and watches across them. Top: Pathfinder One — the umbrella direction, not a new installer.

Quick check · Q3 of 10

Meera’s cloud team at Flipkart wants AWS and Azure permissions granted just-in-time — approved for one task, auto-expiring after it. Which piece of the BeyondTrust universe does exactly this?

Correct: a. Entitle (acquired April 2024) is the JIT cloud-entitlement engine — time-bounded, self-serve, auto-expiring access to cloud roles, killing standing privilege. BeyondInsight is a console, not an entitlement engine; Remote Support is helpdesk remote control; PMUL governs Unix/Linux commands, not AWS/Azure IAM.

④ How they combine — one Indian bank, full stack

Now assemble everything inside one estate. Meet SuryaBank — a mid-size private bank headquartered in Mumbai: two data centres, about 400 Windows servers (10.20.0.0/16), 220 RHEL servers running core-banking and SWIFT middleware (10.30.0.0/16), 10,000 branch laptops (192.168.x.x per branch), and 35 OEM vendors — the ATM-switch vendor, the CBS vendor, the HSM vendor — who all used to come in over VPN. RBI’s cyber-security framework expects privileged access to be controlled, recorded and reviewable. Here is the reference deployment.

Figure 4 — SuryaBank — four products, four audited roads
Architecture of SuryaBank. On the left, the internet zone holds an OEM vendor engineer in red. In the DMZ sits the PRA B-Series appliance at 203.0.113.20 receiving only inbound TCP 443. Inside the data centre a Gateway, formerly called a Jumpoint, relays the vendor to one ATM switch. A U-Series appliance running BeyondInsight and Password Safe at 10.20.5.11 proxies admin RDP on port 4489 with credential injection. Branch laptops on 192.168.10.0/24 run the EPM agent with admin rights removed. The Linux estate at 10.30.0.0/16 routes pbrun requests to pbmasterd on port 24345. Leader labels note that the password never leaves the vault and the vendor gets no VPN.
Zone labels: INTERNET (OEM vendor engineer, anywhere) → DMZ (PRA B-Series 203.0.113.20, recording every session; TCP 443 only; no VPN, no inbound hole to the inside network) → INTERNAL, DC Mumbai (Gateway/Jumpoint 10.20.5.30 dials OUT to the appliance; ATM switch 10.20.7.15, the ONE approved box; U-Series BeyondInsight + Password Safe 10.20.5.11 on 4422/4489; DC-MUM-01 10.20.1.21 domain controller; Aditya, DC admin, 10.20.40.55, RDP :4489, password never leaves the vault). Linux estate 10.30.0.0/16: pbrun → pbmasterd 10.30.2.8:24345, central accept/reject, pblogd records; AD Bridge: one AD identity, /opt/pbis. BRANCHES: 10,000 laptops on 192.168.10.0/24, EPM agent on every laptop, admin rights removed, approved apps elevate per policy. Four roads, one principle: nobody holds a standing key — every access is brokered, narrow, expiring and recorded.
Trace each actor: the vendor (red, internet) reaches ONE switch through the DMZ PRA appliance; Aditya reaches the domain controller only via the Password Safe proxy; branch laptops run EPM; Linux commands route through pbmasterd. Nobody holds a standing key.

▶ One Tuesday at SuryaBank — four products in four moves

The same morning from four seats: the vendor, the DC admin, a branch laptop and a Linux engineer. The healthy path for each:

① Vendor: OEM engineer (internet) → PRA 203.0.113.20:443 → Gateway → ATM switch 10.20.7.15
② DC admin: Aditya → Password Safe proxy 10.20.5.11:4489 → RDP to DC-MUM-01, credential injected
③ Laptop: branch user → EPM elevates one approved app → user token stays standard
④ Linux: pbrun systemctl restart swift-app → pbmasterd 10.30.2.8:24345 → ACCEPT · pblogd records

Who logs into what console? Aditya and the DC admins use the Password Safe portal on BeyondInsight to request, get approved, and land in proxied sessions. Priya’s vendor-management team administers PRA’s /login console — Gateways (Jumpoints), Asset Groups, approval policies — while vendors themselves only ever see the access console. Karthik’s desktop team lives in the PM Cloud (EPM) console shipping Workstyle policies to 10,000 laptops. Meera’s Unix team maintains the PMUL policy on the policy server (pb.conf on pbmaster01) and joins new servers to AD with domainjoin-cli. The SOC gets Identity Security Insights dashboards. Five teams, five consoles, one badge.

🖥️ The vendor-access team’s admin console — PRA /login → Asset Management (versions before 25.x call this menu Jump). (Recreated for clarity — your console matches this.)

pra.suryabank.in/login · Asset Management
1. Gateway (formerly Jumpoint): dc-mum-gw01 · online
2. Asset Groups (Jump Groups): DC-Servers · ATM-Switches · HSM
3. Asset Policies (Jump Policies): Vendor-Hours + Approval required
4. Vault → Accounts: atm-svc account — injected, never shown

AD Bridge (Linux) — join a new RHEL server to Active Directory, then verify
sudo /opt/pbis/bin/domainjoin-cli join suryabank.in pam-join@suryabank.in

# verify the join (reboot once before first AD logon)
/opt/pbis/bin/domainjoin-cli query
Expected output
Password:
SUCCESS

Name = lnx-swift-03
Domain = SURYABANK.IN
Distinguished Name = CN=LNX-SWIFT-03,OU=Linux,DC=suryabank,DC=in

👉 So far: vendor → PRA · admins → Password Safe proxy · laptops → EPM · Linux → PMUL + AD Bridge, each team in its own console. Last piece: what the bill looks like.

Licensing shape at a glance. Password Safe’s most-quoted commercial edge is asset-based licensing: pay per managed asset, with unlimited users — the unlimited-thali model, versus CyberArk’s per-plate (per-user) billing. PRA is sold per named user (a per-asset SKU also exists), Remote Support by concurrent technicians, and EPM/PMUL typically per endpoint/host. For your CV: BeyondTrust was a Leader in the 2025 Gartner Magic Quadrant for PAM with the highest Ability to Execute — and Indian JDs (Wipro, UST and friends) routinely ask for two PAM tools, so the concepts you learn here transfer straight onto CyberArk vocabulary.

Figure 5 — BeyondTrust family — your one-glance product map
A six-tile cheat sheet. Password Safe with PBPS heritage, vault and rotation, BeyondInsight console, proxy ports 4422 and 4489. PRA with Bomgar heritage, vendor and admin access, login console, outbound 443. Remote Support with Bomgar heritage, helpdesk, concurrent licence. EPM with Avecto Defendpoint heritage, application elevation, PM Cloud console. PMUL with PowerBroker heritage, pbrun to pbmasterd on 24345. AD Bridge with PBIS Likewise heritage, domainjoin-cli and /opt/pbis. A footer summarises licence shapes.
Tiles:
Password Safe: heritage PowerBroker PW Safe (PBPS) · vault · rotate · session proxy · console BeyondInsight · SSH 4422 · RDP 4489 · licence per ASSET, unlimited users
PRA: heritage Bomgar · vendor/admin brokered access · console /login · B-Series or SaaS · outbound TCP 443 only · licence named user (per-asset SKU exists)
Remote Support: heritage Bomgar ("the Bomgar box") · helpdesk → employee machines · rep console + chat + screen share · same appliance family as PRA · licence concurrent technicians
EPM Windows & Mac: heritage Avecto Defendpoint · elevate apps, user stays standard · console PM Cloud (EPM SaaS) · svc Avecto Defendpoint Service · licence typically per endpoint
PMUL (EPM Unix/Linux): heritage PowerBroker · central accept/reject for root tasks · pbrun → pbmasterd :24345 · pblogd records · pbreplay replays · licence typically per host
AD Bridge: heritage PBIS / Likewise · Linux/Unix joins Active Directory · /opt/pbis/bin/domainjoin-cli · one AD identity, no local accounts · reboot once after first join
Platform layer above all six: BeyondInsight (console) · Identity Security Insights (ITDR) · Entitle (JIT) · Pathfinder One (umbrella). Interview drill: for each tile say the heritage name + the problem + one number (port/path) without looking.
Keep this card open during labs and revise it before any interview: product, heritage name, problem, console, and the one number worth memorising per tile.

PROVE THE MAP — 60-second self-test

Without scrolling up: (1) name the product for each pain — shared passwords, vendor access, helpdesk, local-admin laptops, Linux root; (2) give each one’s heritage name; (3) say which console each SuryaBank team logs into; (4) recall one number per product — 4422/4489, 443, 24345, /opt/pbis. If all four come out clean, you own this lesson.

Pause & Predict

Predict: SuryaBank’s Linux lead worries that AD Bridge will "copy all AD users into /etc/passwd on every server". Does it?

Answer: No. AD Bridge resolves identities live through the NSS/PAM stack via its agent — nothing is synced into local files. That is the whole point: one central AD identity (the Aadhaar model) accepted everywhere, instead of thousands of local entries that drift. If an auditor finds AD users inside /etc/passwd, something else put them there.

Quick check · Q4 of 10

SuryaBank’s procurement compares Password Safe with CyberArk on commercials. Which differentiator do practitioners quote most for Password Safe?

Correct: d. The repeatedly-quoted commercial edge is asset-based licensing: unlimited users and sessions per managed asset, versus CyberArk’s per-user model. It is not free for anyone (a); the whole point is that it is NOT per-user pricing (b); and no vendor bundles a competitor-migration service as a licence feature (c).


📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile.

Q5 · Remember

Which heritage company became today’s Remote Support and Privileged Remote Access (PRA)?

Correct: b. Bomgar’s remote-access technology became Remote Support and PRA — and Bomgar was the company that acquired BeyondTrust in 2018, keeping the BeyondTrust name. Avecto became EPM (endpoint), PowerBroker became PMUL (Unix/Linux), and Likewise/PBIS became AD Bridge.
Q6 · Apply

Rahul at TCS must give an OEM hardware vendor recorded access to 6 servers inside one known data-centre network — no VPN, and no agent installed on each server. Which combination fits?

Correct: a. Vendor access to internal infrastructure is PRA’s lane, and ONE Gateway (Jumpoint) on a known network brokers access to many targets with no per-server agent. Password Safe Direct Connect serves internal admins checking out vaulted credentials, not external vendor workflows; Remote Support targets employee helpdesk; AD Bridge is Linux identity, unrelated to access brokering.
Q7 · Apply

Priya’s team at HCL shares the root password of 200 Linux servers in a spreadsheet, and auditors want every privileged command centrally approved and recorded. Which pairing answers both demands?

Correct: d. Two pains, two products: the shared spreadsheet password is vault-and-rotate (Password Safe), and per-command central accept/reject with keystroke recording on Linux is PMUL (pbrun decisions made by pbmasterd, logged by pblogd). EPM-Windows/RS is the wrong OS and audience; Entitle/Insights govern cloud entitlements and detection, not Unix command control; AD Bridge gives identity, not command policy.
Q8 · Analyze

A new admin reviewing SuryaBank’s firewall finds the on-prem PRA appliance allowed to reach gwsupport.bomgar.com and btupdate.com, and panics about a "third-party backdoor". What is the correct analysis?

Correct: c. PRA descends from Bomgar, and the documented optional outbound destinations for support tunnels and updates still use bomgar.com — heritage frozen into infrastructure, exactly like the Avecto service name and the PBPS registry path. It is neither counterfeit hardware nor a DNS error, and the Dec-2024 incident involved a stolen SaaS API key plus CVE-2024-12356 — not these update domains.
Q9 · Analyze

SuryaBank deployed Password Safe six months ago, yet the CISO discovers vendors STILL connect over VPN with Domain Admin accounts. The PAM team insists "we have BeyondTrust". What is the real gap?

Correct: b. This is the family-map failure: Password Safe solves the shared-credential pain, but the no-VPN vendor-access pain is PRA’s job — a different product with its own appliance and licence. An unactivated licence would have blocked the vault work they already did; Smart Rules automate onboarding, not vendor connectivity; Pathfinder is a platform direction and renames vocabulary, it does not add vendor access.
Q10 · Evaluate

For 10,000 laptops where every user is local admin, two designs are proposed: (A) vault each laptop’s local admin password in Password Safe and make users check it out when needed; (B) deploy EPM, remove admin rights, and elevate approved applications by policy. Which is stronger for daily work, and why?

Correct: a. For day-to-day endpoint work, least privilege beats checkout: EPM elevates the application token while the user stays standard, so malware in the user’s session gains nothing. Design A makes every checkout a full-admin session (the exact risk you were removing) and adds 10,000 rotation workflows. Vaulting laptop admin passwords is a fine complement (e.g., for break-glass), but it is not the daily-work control; EPM is built precisely for workstations.

🧠 In your own words

In one line each, what problem do Password Safe, PRA, EPM and PMUL solve? Then compare your answer with the expert version.

Expert version: Password Safe vaults, rotates and proxies shared privileged credentials (nobody sees the password). PRA brokers recorded, per-system remote access for vendors and admins over outbound 443 — no VPN. EPM removes local admin and elevates approved applications, so the user stays standard. PMUL routes Unix/Linux privileged commands through a central accept/reject policy server (pbrun → pbmasterd) with full keystroke logging.


📖 Glossary

Bomgar
Remote-access company that acquired BeyondTrust in 2018 and kept the BeyondTrust name — lineage of Remote Support and PRA ("the Bomgar box").
Avecto Defendpoint
Heritage name of EPM for Windows/Mac — still the literal Windows service name on every agent.
PowerBroker
Heritage name of Privilege Management for Unix & Linux — survives in pbrun, pbmasterd and PBPS registry paths.
AD Bridge (PBIS/Likewise)
Joins Linux/Unix to Active Directory for one central identity; CLI at /opt/pbis/bin/domainjoin-cli.
Password Safe
The vault: stores, rotates and proxies privileged credentials (SSH 4422 / RDP 4489); runs on BeyondInsight.
BeyondInsight
The management platform/console under Password Safe — assets, discovery scans, Smart Rules, reporting.
PRA (Privileged Remote Access)
Brokered, recorded vendor/admin access to specific systems over outbound TCP 443 — the no-VPN product.
Remote Support
Helpdesk remote-control product (same Bomgar lineage as PRA); licensed by concurrent technicians.
EPM (Endpoint Privilege Management)
Removes local admin rights and elevates approved applications by policy — the user account stays standard.
PMUL
EPM for Unix & Linux: pbrun submits a command, pbmasterd centrally accepts/rejects (port 24345), pblogd records everything.
Identity Security Insights
Cloud ITDR — its True Privilege Graph maps Paths to Privilege across AD, Entra ID, Okta, AWS, GCP, GitHub.
Pathfinder One
The unified platform direction (Feb 2025) over all products; renamed Jump terms (Jumpoint→Gateway, Jump Item→Asset). Entitle (2024 acquisition) supplies its JIT entitlements.

📚 Sources

  1. BeyondTrust press — Bomgar completes acquisition of BeyondTrust; combined company adopts the BeyondTrust name (2018). beyondtrust.com/press
  2. BeyondTrust Docs — BeyondInsight & Password Safe: getting started, Smart Rules, session proxy ports 4422/4489, cloud Resource Brokers. docs.beyondtrust.com/bips/docs/ps-getting-started · docs.beyondtrust.com/bips/docs/ps-ssh-rdp-connections
  3. BeyondTrust Docs — Privileged Remote Access: Jump Technology guide (Jump Client, Jumpoint/Gateway rename, outbound-443 model). docs.beyondtrust.com/pra/docs/jump-overview · docs.beyondtrust.com/pra/docs/on-prem-network-considerations
  4. BeyondTrust Docs — EPM Windows/Mac (Workstyles, QuickStart template, Avecto Defendpoint service heritage). docs.beyondtrust.com/epm-wm/docs/workstyles · docs.beyondtrust.com/epm-wm/docs/gpo-quickstart-templates
  5. BeyondTrust Docs — EPM for Unix & Linux (pbrun → pbmasterd → pblocald → pblogd, ports 24345-24347) and AD Bridge domain-join tool. docs.beyondtrust.com/epm-ul/docs/epm-ul-overview · docs.beyondtrust.com/adb/docs/domain-join-tool
  6. BeyondTrust press — Entitle acquisition (Apr 2024: JIT access, IGA, CIEM) and Pathfinder platform launch (Feb 2025: True Privilege Graph, adaptive JIT). beyondtrust.com/press/beyondtrust-acquires-entitle · beyondtrust.com/press/pathfinder
  7. BeyondTrust advisory BT24-10 / NVD — CVE-2024-12356 (CVSS 9.8, unauthenticated command injection in RS/PRA; cloud auto-patched 2024-12-16; CISA KEV 2024-12-19). nvd.nist.gov/vuln/detail/cve-2024-12356
  8. PeerSpot — BeyondTrust Password Safe vs CyberArk PAM (asset-based licensing as the most-quoted differentiator). peerspot.com/products/comparisons/beyondtrust-password-safe_vs_cyberark-privileged-access-manager
  9. BeyondTrust University — Get Certified (40-question exam, 75% pass, two attempts) + Wipro BeyondTrust PAM architect JD (two PAM tools expected). beyondtrust.com/services/beyondtrust-university/get-certified · careers.wipro.com

What's next?

You can now name every box in the family and the problem it solves. Next we go inside the flagship console — BeyondInsight: U-Series appliances, discovery scans that walk your network, and the Smart Rules that onboard thousands of accounts automatically.