Balabit vs Wallix vs Ekran System


In modern day business world, securing digital perimeter of your organization is not nearly enough to establish reliable cyber threats protection. Often, attacks will come from within the organization, requiring a completely different set of measures to identify and mitigate them. User action monitoring is the best tool for detecting and deterring malicious insiders.


There are many hybrid solutions that incorporate user action monitoring into their main functionality aimed mostly at protecting from outsider threats. But there are also specialized insider threat detection and prevention solutions, such as Ekran System, that focus only on user monitoring.


In this product review we will compare Ekran System to two competitor privileged action monitoring solutions that also incorporate user action monitoring functionality: Balabit Shell Control Box and Wallix AdminBastion Suit. We will look into general functionality, explore strong suits and limitations of all three solutions and see which of them does the better job of detecting and preventing insider threats – specialized or a more broadly focused one.



Ekran System

Balabit Shell Control Box

Wallix AdminBastion Suit


User action monitoring solution for insider threat detection

Privilege user monitoring and access control appliance

Privileged identity management appliance


Target audience

Large companies and SMB

Large companies

Large companies






Technical approach

Agent-based solution

Proxy-based solution

Proxy-based solution

User monitoring functionality

  • Indexed video recording of every local and remote session regardless of protocol and applications used
  • Extensive metadata collection
  • Extensive record filtering
  • Additional authentication for identifying shared account users
  • Video recording of user sessions, routed through Balabit appliance
  • Additional authentication options
  • Recording of user sessions, routed through Wallix host in a Flash video (for graphic session) or text (for SSH session) format
  • Additional authentication options

Additional features

  • Customizable alerts and notifications
  • Manual user blocking
  • Optional USB device blocking
  • Web-based management panel
  • Forensic export
  • Choice between alerting and automatic session termination
  • Protected audit trails
  • Password management features
  • Password vault
  • Web-based interface
  • Router and bastion mode support
  • Alerts and automatic session blocking
  • Protected audit trails
  • Extensive password management functionality
  • Password vault
  • Web-based and native clients


  • Support for free database
  • Flexible licensing scheme
  • Optimized license provisioning for virtual environment
  • Advanced protection from tampering with agent
  • Exceptional performance and stability, low storage requirements
  • Quick deployment and easy maintenance with automatic client updates
  • Advanced SIEM and other third party solution integration
  • Additional option for high availability
  • Optimized for virtual environment
  • Unobtrusive deployment
  • SIEM integration
  • Unobtrusive deployment


Video recording functionality


In terms of recording functionality, there are large technical differences between Ekran System vs Balabit vs Wallix. While both Balabit and Wallix use an additional appliance that acts as a bastion host and captures all traffic, routed through it, Ekran System employs an alternative approach. It uses recording agents installed locally on specific endpoints and capable of capturing any sessions, initiated on these endpoints.


Agent-based approach gives Ekran System a number of advantages when it comes to detecting insider threats. It can capture both local and remote sessions for any given endpoint and is completely agnostic to applications and protocols used. It can monitor any user regardless of the level of privilege they have. Local agent also allows Ekran System to capture a large amount of additional metadata, including keystrokes, visited web pages, application and active window names, entered commands and executed scripts in an SSH session, etc. All metadata is indexed and coupled with a corresponding video for easy searching. Ekran System also features a powerful record filtering that allows to record only specific applications.


Balabit provides video recording of user sessions along with basic additional information, such as application names, visited URLs, etc. that can be used for quick search. Main problems of Balabit are incompleteness of collected metadata and relatively large storage requirements for graphic session recordings.


Wallix has a recording functionality similar to Balabit. It captures graphic sessions in a Flash video format, which also has a relatively large storage requirements, while text sessions are captured only in a text form. Wallix uses optical character recognition in order to allow searching recordings based on various keywords, however, the number of additional data it provides is less than Ekran System. Ekran System also uses a special file format, optimized to efficiently store indexed graphic sessions and has much smaller storage requirements than either Balabit or Wallix.


Alerting and incident response


Ekran System features customizable real-time alerts that can be set according to the needs of your organization. Upon alert, notification is sent to security personnel with the link to corresponding session, allowing them to review it later or watch it live and manually block the user if needed. It also can detect any USB device and automatically block it, if needed.


Balabit also features an alert system with the ability to either receive a notification or automatically terminate session, upon detecting a predefined suspicious event. Wallix provides an alert system that can both send a notification and automatically block the user.


Other features


Additional functionality of both Wallix and Balabit is broader than that of Ekran System. Both act as a bastion host, providing another layer of protection from outsider attacks, although they also act as a single point of failure and can be a performance bottleneck if deployed incorrectly. Both systems feature password vaults and extensive privilege identity management, allowing you to store, manage, and change passwords to privileged accounts automatically. Deployment of a bastion host is relatively quick and painless for an organization and does not require any major changes to network architecture.


Additional features of Ekran System are aimed at making it more affordable and improving quality of life of the customer. Support for a free database makes Ekran System much more affordable for small companies, while intuitive license management and automatic client updates makes it easy to deploy and maintain.




The main difference between hardware-based solutions of Balabit and Wallix and software-based Ekran System is in the licensing. Whether you need to monitor ten or a thousand endpoints, you still need to buy a single appliance. It makes licensing hardly flexible and small or gradually growing deployments financially inefficient.


At the same time Ekran System licensing depends only on the number of monitored end-points. In its standard edition, Ekran System provides even management components for free, thus deployment cost consists only of the endpoint licenses.




The differences in Ekran System vs Wallix vs Balabit lie in the focus and target audience chosen by each vendor. While Balabit and Wallix provide broad functionality that large enterprises in need of managing many privileged users and protecting their accounts from breaches and hacking attacks would choose, they have lower rating in the user monitoring department.


Ekran System, in comparison, is aimed at companies of any size with its robust user monitoring capabilities and lowest price among the three solutions. It is a specialized insider threat detection software that is an easy recommendation to anyone who wishes to protect their organization from potential attacks from within.