Hybrid database access control in external-to-database security systems is achieved by selectively operating a database server system in different security modes. During low traffic, access to the server is monitored by an agent subject to access policies (LSP) stored at an external security device (ESD). During high traffic, access is monitored by the server itself subject to access policies (DSP). The ESD translates an access policy (LSP) to an access policy (DSP) supported by the server. Thereafter the agent intercepts session login information and transmits it to the ESD, which determines an access policy is relevant to the session, updates the session login information according to database protocol rules, and sends the updated session login information to the agent. The agent releases the updated session login information to the server which allows a session based on the particular objects access rules (DSP) corresponding to the updated session login information.