Database credentials remain one of the most common attack vectors in enterprise breaches, but most organizations still manage them through shared tables, hard-coded connection strings, or standalone credential vaults without any session controls. The Chicago-based cybersecurity company known for its password management platform is trying to close that gap with KeeperDB, a new capability that embeds database access controls directly into its privileged access management (PAM) platform.
The product was announced at the RSA Conference 2026 in San Francisco, where Keeper collected 18 industry awards in categories including password management, privileged access management and zero-trust security.
What KeeperDB actually does
KeeperDB adds a vault-native database access interface to KeeperPAM, Keeper’s unified privileged access management platform. In practical terms, this means that developers, database administrators, and security teams can connect to MySQL, PostgreSQL, Oracle, and Microsoft SQL Server databases directly from Keeper Vault without exposing credentials in plain text or relying on separate database management tools.
Each database session is managed by centralized policies with full session logging for auditing and compliance purposes. The idea is simple: if organizations already store their passwords, secrets, and privileged credentials in Keeper, database access should live there as well, rather than requiring a separate tool with its own credential store.
“KeeperDB represents our natural evolution zero trust architecture,” said Darren Guccione, CEO and co-founder of Keeper Security. “By placing database access directly in the vault, we eliminate the credential expansion that poses a risk in most enterprise environments.”
Credential propagation problem
The KeeperDB addresses problem is well documented. In most organizations, database credentials are scattered across configuration files, environment variables, CI/CD pipelines, and individual developer machines. When an employee leaves or a credential is compromised, tracing every instance of that credential becomes an exercise in archaeology.
Traditional database access tools compound the problem. Each tool maintains its own connection profiles and stored credentials, creating multiple copies of sensitive data outside of any centralized management framework. for subordinate organizations SOC 2, HIPAA, PCI DSSor similar compliance requirements, this fragmentation makes audit preparation significantly more time-consuming.
KeeperDB’s approach unifies database access under the same zero-knowledge encryption and policy engine that already manages passwords, SSH keys, API tokens, and remote desktop sessions in KeeperPAM. Credentials are never exposed to users in clear text, access is granted based on role-based policies, and every query session is logged.
Proxy mode for existing workflows
Recognizing that many teams build workflows with existing database clients, Keeper also provides KeeperDB Proxy. This helpful feature allows developers to continue using their preferred tools (pgAdmin, MySQL Workbench, DBeaver, and similar clients) while routing connections through the Keeper infrastructure. A proxy provides centralized policy enforcement, credential protection, and session visibility without requiring teams to abandon existing tools.
This is a pragmatic compromise. Asking database administrators to switch from tools they’ve used for years is a surefire way to create friction and reduce adoption. By offering both a local vault interface and a proxy mode, Keeper is betting that organizations will take the least disruptive path.
A broader PAM strategy
KeeperDB is the latest addition to the platform that goes well beyond its password management origins. KeeperPAM now includes password and passkey management, secrets management DevOps and CI/CD pipelinesprivileged session management with logging, remote browser isolation, secure remote desktop and SSH access via Keeper Connection Manager, and now database access.
The company’s strategy is to integrate multiple point solutions into a single platform with a single credential store and a single policy engine. For managed service providers (MSPs), Keeper in February announced a revamped 2026 partner program with tiered discounts and expanded activation resources, citing midmarket and channel as key growth targets alongside direct enterprise sales.
F1 connection
Keeper’s presence at RSAC coincided with the company’s push for greater visibility. Now in its third season as the official cyber security partner of the Atlassian Williams F1 Team, Keeper launched a global advertising campaign in March 2026 featuring driver Alex Albo. Filmed during pre-season testing in Bahrain, the campaign draws parallels between the real-time data protection required in Formula 1 operations and the first identity security model Keeper is promoting for enterprise environments.
Williams uses KeeperPAM to protect passwords, infrastructure secrets and privileged accounts at Grove headquarters and trackside, where race strategy, telemetry and engineering systems depend on tightly controlled access to sensitive data.
What is this signal?
A broader trend that KeeperDB reflects is the continued consolidation of identity and access management tools. Organizations that once provided separate solutions for password management, secret management, privileged access, remote access, and database access are increasingly looking for unified platforms that reduce complexity and the number of credential stores to protect.
Keeper isn’t the only vendor implementing this strategy. CyberArk, BeyondTrust, and Delinea have expanded their PAM platforms in recent years. What sets Keeper’s approach apart is its zero-knowledge architecture (Kepper’s own servers cannot access customer data) and a consumer-grade user experience that the company claims drives higher adoption rates than traditional enterprise PAM tools.
KeeperDB is now available to KeeperPAM customers with support for MySQL, PostgreSQL, Oracle, and Microsoft SQL Server. KeeperDB Proxy is expected to follow in the next release.
