Excalibur SAM vs. WALLIX

View

Key Competitive	Excalibur (Modern)	WALLIX (Traditional)
Platform	✅ Unified Platform, Passwordless-first, visual streaming isolation Integrated MFA + PAM + Remote Access in one easy-to-manage platform with true air-gap isolation via DOM streaming. No complex integrations, multiple agents, or modules needed.	⚠️ Proxy-based gateway, traditional credential vaulting Proxies secure connections but allows potential direct interaction between endpoint and resource. Appliance-based architecture with less flexibility for modern cloud environments.
Deployment	✅ Low: Cloud-native, deploys in hours Kubernetes-based cloud-native deployment with secure tunnels — eliminates VPN complexity. Quick time-to-value with minimal operational burden.	⚠️ Medium: Appliance-based, longer deployment Appliance-based architecture requires more infrastructure planning and setup time. Less dynamic scaling compared to modern cloud-native approaches.
Total Cost (TCO)	✅ Lower, streamlined licensing Cost-efficient licensing structure with everything included — no hidden fees for MFA, RBI, or session recording. Cloud-native architecture reduces infrastructure and operational costs.	⚠️ Moderate, add-ons increase cost Competitive base pricing but additional modules and external MFA solutions add to total cost. Appliance-based model requires more infrastructure investment.
NIS2 Readiness	✅ Full coverage out of the box, single platform Covers NIS2 requirements for access control, MFA, session monitoring, and incident response — in a single platform. Compliance is the reason organisations buy — we make it simple to achieve.	⚠️ Good coverage but requires add-ons Covers core PAM requirements but may need additional modules for complete NIS2 compliance. No built-in passwordless MFA — requires external integration.
Data Sovereignty	✅ 100% EU owned & operated, zero US footprint Fully European company with zero US presence — not subject to the US CLOUD Act in any way. No foreign government can compel access to your data or demand secret backdoors.	⚠️ French HQ but international presence raises questions Headquartered in France (EU), but having presence in the US, which may create jurisdictional exposure. Companies with any US employees, offices, or subsidiaries can be subject to US CLOUD Act.
Architecture	✅ Isolation by Design, resilient to Zero-Day Threats Architecture inherently protects against zero-day threats through isolation and air-gap design. Reduce attack surfaces, no lateral movements, no reliance on signatures or known threat databases — unknown attacks are neutralised by default.	⚠️ Proxy-Based, Limited Zero-Day Resilience Proxy-based architecture relies on filtering and policy enforcement rather than true isolation. Less inherent protection against novel zero-day attacks compared to air-gap approaches.
AI & Governance Model	✅ Pre-Execution (Pre-Emptive) Pre-emptive governance reduces risk exposure and eliminates reactive firefighting. Real-time AI analyzes user intent and behavior for threat detection before actions are executed.	⚠️ Post-Execution (Reactive) Reactive model means damage may already be done before intervention. Security controls primarily detect and respond after actions have already occurred.
Web Access & RBI	✅ Native DOM-streaming RBI with WAF, bi-directional protection Innovative DOM-streaming Remote Browser Isolation (RBI) with visually lossless, lag-free sessions. Zero-trust, bi-directional protection — guards users from malicious web apps AND web apps from user threats.	❌ No inherent RBI-WAF, resource protection only, no user-side protection Primarily protects resources; no inherent user-side RBI-WAF capabilities. Limited protection against sophisticated web-based threats targeting users.
MFA Integration	✅ Built-in, Passwordless Built from the ground-up on passwordless authentication (biometric phone MFA, passkeys). Users never handle passwords directly — credentials are transparently managed.	⚠️ External MFA providers, password-based Relies primarily on external MFA providers, password rotation, and credential vaulting. More complex to manage, not future-proofed for passwordless authentication.
📝 Audit Security	✅ Cryptographically Signed Audits Actions cryptographically signed and tied directly to authenticated identity. Enhanced compliance, forensic strength, internal accountability.	⚠️ Standard Audit Logging Detailed session logs and keystroke capture but without inherent cryptographic non-repudiation. Less robust for compliance and forensic requirements.
Endpoint Agents	✅ Fully agentless, HTML5 browser only Completely agentless — no endpoint agents required. Access via standard HTML5 browser. Easy rollout and support with zero client installation.	⚠️ Requires plugins for advanced features Typically agentless for basic access but can require endpoint agents/plugins for certain advanced features. Higher deployment complexity and management overhead for full capability.

Why Excalibur SAM Wins

True air-gap isolation — no proxy gateway (Zero trust)

Endpoint threats isolated — ransomware-proof (Protection)

Passwordless MFA — built-in, no add-ons (Security)

RBI-WAF — bi-directional browser isolation (Protection)

Fully agentless — zero endpoint software (Simplicity)

Cloud-native K8s — scales dynamically (Scaling)

Cryptographic audits — tamper-proof logs (Compliance)

100% EU sovereignty — no CLOUD Act risk (Trust)

NIS2-ready — out of the box (Compliance)

Lower TCO — all-inclusive licensing (Value)

The Compliance Buying Logic

Nobody buys security because they want to — only because they have to

Regulations like NIS2, DORA, and the EU Cyber Resilience Act are what drive purchasing decisions. The winning vendor is the one that covers all requirements, deploys easily, and costs less. With upcoming EU digital sovereignty rules, being a truly European vendor with zero US footprint is no longer optional — it's a decisive advantage.

Regulation creates the need — NIS2, DORA, CRA force organisations to act

We cover all requirements — MFA, PAM, session control, monitoring in one platform

We make it easy — cloud-native tunnels, agentless, deploys in hours

Then it's about price — same coverage, significantly lower cost

Pure EU sovereignty wins — zero US footprint eliminates all doubt

Sovereignty Dimension	Excalibur SAM	WALLIX
Company Ownership	✅ 100% EU owned, zero US footprint	⚠️ French HQ, but international operations
US CLOUD Act	✅ Not subject — zero US presence	⚠️ Verify US footprint — potential exposure
NIS2 Coverage	✅ Full coverage — single platform	⚠️ Partial — lacks built-in passwordless MFA
EU Vendor Qualification	✅ Qualifies for upcoming EU vendor-preference regulations	⚠️ International presence may create jurisdictional risk

Not All "EU" Vendors Are Equal — A company headquartered in the EU but with US offices, employees, or subsidiaries can still be subject to US CLOUD Act jurisdiction. The test is whether there is any US "presence" that creates legal nexus.

WALLIX's International Footprint — WALLIX has international operations beyond France. Customers should verify the exact US footprint to assess CLOUD Act exposure.

Excalibur's Position — Zero US presence of any kind — no US employees, no US offices, no US subsidiary. This makes Excalibur categorically immune to US CLOUD Act demands.

The Decisive Question — Ask any vendor: "Do you have any employees, offices, subsidiaries, or legal entities in the United States?" If the answer is anything other than "No", they may be subject to forced data disclosure.

What is the US CLOUD Act?

US law (2018) that lets the government demand any data from any company with US presence — regardless of where data is stored — without EU court approval
Can compel backdoors and impose gag orders — disclosure means imprisonment / extradition
Applies to any US nexus — offices, subsidiaries, or even employees in the US is enough

Handling Objections

"WALLIX is established; Excalibur is newer"

• Next-gen streaming tech verified by independent tests
• EU-backed innovation with proven deployments
• Protection WALLIX's proxy architecture cannot match
• Modern cloud-native vs legacy appliance approach

"WALLIX is also European"

• Being "European" and having zero US footprint are different things
• Any US presence (employees, offices, subsidiaries) creates CLOUD Act exposure
• Ask: "Do you have ANY US-based employees or entities?"
• Excalibur has categorically zero US presence

"Users prefer native RDP/SSH clients"

• Browser streaming eliminates native client vulnerabilities
• Zero endpoint footprint, reduced attack surface
• Consistent experience across all platforms
• VITRO provides visually lossless, lag-free experience

"Streaming might be slow/degrade quality"

• VITRO & Guacamole optimization = lag-free experience
• Visually lossless proven in enterprise deployments
• Pilot demonstrations available
• DOM streaming is fundamentally lighter than pixel streaming

"WALLIX has more granular PAM features"

• Excalibur prioritizes fundamental isolation & passwordless security
• RBI-WAF protection WALLIX simply cannot match
• Unified solution vs. separate product modules
• When feature parity exists, price and sovereignty decide

"We're buying for NIS2 compliance"

• Perfect — that's exactly what Excalibur was built for
• Single platform covers MFA, PAM, session monitoring, and access control
• WALLIX requires external MFA — we include passwordless built-in
• When coverage is equal, it comes down to price, speed, and sovereignty — we win all three

Key Discovery Questions

How critical is true endpoint isolation vs proxy-based access?

Are you exploring passwordless authentication for privileged users?

Do users need simplified access from multiple devices without installing software?

Are you concerned about ransomware or endpoint-based threats reaching critical systems?

Is your current PAM solution complex to manage and deploy?

How effective is your existing protection against web-based zero-day threats?

What regulation is driving this purchase — NIS2, DORA, or internal policy?

Does your organisation have requirements around EU data sovereignty or vendor nationality?

Do you know if your current vendor has any US-based employees, offices, or subsidiaries?

How quickly do you need to be compliant? What's your deployment timeline?

Key Competitive Advantages

TRUE ZERO-TRUST ISOLATION

Excalibur's air gap architecture creates complete isolation between endpoints and resources — eliminating the attack path that WALLIX's proxy-based approach cannot close.

COMPREHENSIVE WEB PROTECTION

Excalibur's bi-directional RBI-WAF protects both users and web applications, addressing a critical gap in WALLIX's security model.

PASSWORDLESS AUTHENTICATION

Excalibur's built-in passwordless MFA eliminates credential vulnerabilities and simplifies deployment compared to WALLIX's external MFA dependencies.

MODERN CLOUD ARCHITECTURE

Kubernetes-based deployment provides superior scalability and reduced operational overhead compared to WALLIX's appliance-based approach.

PURE EU DIGITAL SOVEREIGNTY

While WALLIX is French-headquartered, Excalibur's zero US footprint provides categorically stronger sovereignty guarantees. As EU regulations tighten, having zero foreign jurisdictional exposure is a decisive advantage.

REGULATION-READY SIMPLICITY

Compliance drives purchasing — NIS2, DORA, and CRA create the mandate. Excalibur covers all requirements in one platform that deploys via cloud tunnels in hours. When coverage is comparable, price, speed, and sovereignty decide — and we win all three.