Comparing NetFoundry and OpenZiti

Because both NetFoundry products and OpenZiti software have skyrocketed in popularity (NetFoundry now delivers billions of sessions per month), we are often asked for a short summary comparison. So, a blog post. 

Although NetFoundry has options ranging from air-gapped to multicloud native NaaS versions, this post focuses on the NaaS, since it is the most asked about. Likewise, NetFoundry products include white-label, resell and OEM options, but we’ll also keep those separate.

TL;DR — NetFoundry invented, developed, open sourced and continues to lead and maintain OpenZiti software. NetFoundry sells the world’s leading zero trust native networking products, which include:

  • OpenZiti software
  • NetFoundry patented software
  • NetFoundry-managed networks (supporting billions of sessions per month)
  • Enterprise support (24×7) and SLAs (up to 99.95%)
  • Air-gapped and on-prem solutions (including FIPS-compliant) 
  • Enterprise and OEM functionality (including white-label options)
  • Certifications and compliance
  • Third-party integrations

OpenZiti is software – it is not a product, but it is great for home use, non-production use cases and learning about some of NetFoundry’s capabilities.  NetFoundry provides products.

NetFoundry NaaS products

NetFoundry zero trust native overlays can be deployed as fully managed NaaS, hybrid, on-premises or air-gapped.  NetFoundry products are used by two of the largest five companies in the world, governments and critical infrastructure on three continents.  

NetFoundry also provides OEM and white label products for providers to embed zero trust into their products.  However, this post is about NetFoundry NaaS and focuses mainly on unique NetFoundry product capabilities (but all the other OpenZiti software capabilities are included in NetFoundry products).

Why NetFoundry NaaS (in plain terms)

Outcomes & assurances

  • Proven at billions of sessions/month with private, customer-dedicated overlays (not shared between customers).
  • 24×7 support and SLA up to 99.95%.
  • Global reach with operations across 100+ PoPs for consistent performance.
  • Deploy anywhere: extend overlays via agentless and endpoint options; host endpoints and site gateways with one-click deploy/suspend on AWS, Azure, GCP, OCI.

Privacy, sovereignty & compliance

  • End-to-end encryption with key sovereignty at your endpoints—NetFoundry cannot access customer data.
  • Dedicated instances by default; customers may make them multi-tenant, but overlays are never shared across customers.
  • SOC 2 Type II. Guidance and options for NIST 800-171, FFIEC/COBIT, FIPS, CJIS, HIPAA, PCI DSS, FedRAMP/GovCloud, NIS2, IEC 62443, NERC CIP, EU CRA, DORA.
  • Crypto choices: high-performance libsodium (default) with the ability to toggle FIPS-compliant and post-quantum encryption modes.

Operate from day one

  • Powerful console & abstractions: service-centric policies and automation reduce toil—no DIY dashboards or glue code. Built-in RBAC and full APIs so you keep control.
  • Instant org & tenant bootstrap: we auto-create your Organization, Network Group, and first Network at signup—no YAML, scripts, or CLI loops—so teams can onboard the same day.
  • Multi-tenant (your way): every customer gets a private, dedicated instance; within it you can structure your own tenants for lines of business, customers, or environments.
  • White-label & vanity domains: theme the console, BYO DNS/TLS, present a branded experience.
  • Billing & usage metering: built-in dashboards for chargeback/showback—see consumption by app, team, or tenant.
  • Rich telemetry & audit logs: including which people/devices consumed which services and applications (with usage insights).

For Dev & DevOps: What “Managed” Actually Gets You 

Reliability, performance & scale (how it’s delivered)

  • HA by design across control and data planes, with ingress/egress load balancing and auto-scaling.
  • NetFoundry-operated control/data planes across 100+ PoPs; endpoints/routers dynamically optimize paths to use the best connections.
  • Hardened, tested, certified OpenZiti endpoints for any OS, supplemented with eBPF and endpoint wrappers.

Management, identity, authn/authz

  • All-batteries-included: identity, authentication, authorization; turnkey IdP (Auth0, OIDC) and CA integrations with centralized control.
  • Automated provisioning via SCIM; universal identities for humans and NHIs; integrations with Keycloak, CyberArk, and support for SPIFFE.
  • API-first + RBAC: fine-grained token scopes, service accounts, user/role admin, audit trails.
  • Multi-tenant, your way: private instance for your org; model tenants inside it (by LOB/customer/env) with hierarchical RBAC and policy boundaries.

Platform services you don’t have to build

  • Dedicated, managed PKI: automated per-network hierarchies with optional external CA chaining.
  • Lifecycle ops as buttons: start/stop, suspend/resume, rolling upgrades, backups with safe defaults and rollbacks; updates & upgrades are automated with customer-controlled windows.
  • Instant org & tenant bootstrap: on signup we create your Organization → Network Group → first Network—no YAML/scripts/CLI loops.

Reach & access workflows

  • Choose agentless (zero trust proxy / reverse proxy) or endpoint-based connectivity.
  • Host endpoints and site gateways (edge routers) with one-click lifecycle in AWS/Azure/GCP/OCI.
  • Access models: JIT, one-time, time-bound, persistent, integrated with leading ticket/workflow systems.

Observability, compliance modes & APIs

  • Dashboards, traces, alerts, audit logs, and usage out of the box.
  • Crypto modes on demand: toggle FIPS-compliant and post-quantum options as needed.
  • API-first + RBAC for CI/CD and ops automation.

Start in Minutes

Whether you’re connecting SaaS to private data, securing AI/agent traffic, or segmenting OT networks, NetFoundry gets you there faster and more securely.

Start a free trial or book a live demo and ship your next secure service without the network complexity.

Notes

  • This post focuses on global, NetFoundry-hosted and managed NaaS products, but NetFoundry also provides hybrid, on-premises and air-gapped products. 
  • This includes providing a management solution which is based on NetFoundry’s global NaaS management suite (which manages billions of sessions per month) and customized for on-premises use cases.  
  • Likewise, NetFoundry enables partners to integrate NetFoundry software into products in partner, OEM and white-label models, creating secure by design products (built-in zero trust connectivity and networking).

About NetFoundry

Thousands of businesses, including 2 of the largest 5 in the world, use NetFoundry to securely connect any workflow, via NetFoundry NaaS, on-premises and partner models, replacing anything from VPNs to SD-WANs. NetFoundry’s overlays are the first to be driven by built-in, cryptographically authenticated identities for humans and non-humans (NHI for devices, AIs, OT). Providers use NetFoundry to embed zero trust in their products in an OEM model. NetFoundry is the inventor and maintainer of the world’s most used open source zero trust platform, OpenZiti.
