Stop Building Connectivity. Start Shipping It.
- Embed Zero Trust connectivity in your apps and devices
- Outbound-only, identity-first connectivity
- No firewall changes, no VPNs
- Managed control plane, FIPS-validated, white-labeled
- Live in a sprint, not a multi-year build
import ziti from '@openziti/ziti-sdk-nodejs';
const zitiIdentityFile = process.env.ZITI_IDENTITY_FILE;
await ziti.init(zitiIdentityFile).catch((err) => { /* handle error */ });
ziti.httpRequest(
'myDarkWebService',
undefined,
'GET',
'/',
['Accept: application/json'],
undefined,
undefined,
(obj) => {
console.log(`response is: ${obj.body.toString('utf8')}`);
}
);
Connectivity Friction Slows Every Deal and Every Deployment
No matter how your product reaches customers — software on their network, a device in the field, or a service calling back to your cloud — it has to cross networks you don’t control. That means firewall changes, open ports, and delays. This friction shows up during evaluation, during onboarding, and in ongoing support, slowing revenue and raising the cost of every account you win.
- Every evaluation stalls when a prospect’s security team has to open inbound firewall ports or stand up a VPN before they can even test your product
- Deployments slow to the pace of the customer’s network and firewall change process, pushing out time to first value and time to revenue
- Each install becomes an ongoing support burden as connectivity breaks on NAT, certificate expiry, and firewall changes you don’t control
- Every listening port your product opens is attack surface a customer’s security team will challenge
- Evolving cryptographic standards, especially post-quantum, become your problem to track, build, and ship
- Years of engineering go into transport plumbing instead of the features that win deals
Embed Zero Trust Connectivity. Ship It as Your Own.
The NetFoundry SDK is simple enough to add that you can go live in a single sprint. NetFoundry runs everything behind the scenes — the managed control plane, identity, key rotation, and scale. You ship a finished, branded product instead of building and operating a Zero Trust network yourself.
- Live in minutes — add the SDK and make your first authenticated connection the same day
- A managed control plane, run for you as SaaS — consume connectivity instead of operating it
- FIPS-validated encryption for regulated and government markets
- Full white-labeling — customers see your product and your brand
- Native NetFoundry SDKs for Go, C, .NET, Java, Node.js, and Swift
- Least-privilege access by default — each identity reaches only the exact service it is authorized to, nothing else
- Outbound-only by design, so your services stay fully dark with identity and key rotation handled for you
App & API Protection, Without the Multi-Vendor Stack
Traditional application and API protection relies on public IPs behind a patchwork of firewalls, WAFs, and load balancers — a fragmented stack that stays visible to the internet and under constant scan. NetFoundry cloaks the infrastructure entirely: services connect outbound-only and authenticate before anything is exposed. With nothing public, there’s nothing to scan, nothing to patch under pressure, and nothing to tune around.
Traditional app & API protection
- Visible public IPs behind firewalls, WAFs, and load balancers
- WAF rule tuning and IP allowlists to hold down false positives
- TLS certificate, load-balancing, and SSO complexity across vendors
- IP-only visibility before authentication, and fragmented logs to correlate
- Zero-day exposure while patches lag, under relentless automated bot scans
NetFoundry cloaked architecture
- Outbound-only and authenticate-to-connect — invisible on the internet
- No ACLs, allowlists, or WAF rules to tune and maintain
- Flexible access: end-to-end Zero Trust for endpoints, plus clientless
- Centralized, identity-based visibility for human and non-human traffic
- No public attack surface, so no scan-and-exploit race against patching
Embedded Connectivity in Three Moves
No appliance to install, no inbound ports to open, no VPN to manage — connectivity becomes part of your product and runs on a platform NetFoundry operates.
Embed the SDK in your product
Add the NetFoundry SDK for your language — Go, C, .NET, Java, Node.js, or Swift. Each instance of your software or device receives a cryptographic identity, the basis for every connection it makes.
Dial out and authenticate first
Your service initiates outbound, mutually authenticated connections. Identity is verified and policy evaluated before any routable path exists. Your product has no open ports and stays dark to the network.
Run it as a managed, branded service
NetFoundry operates the control plane that authorizes and orchestrates these connections at scale, with FIPS-validated cryptography and full white-labeling. Traffic is encrypted end to end between identities. It stays private even across networks you don’t control. Customers experience it as a native feature of your product, under your brand.
Software or Hardware, It Connects the Same Way
The same embedded connectivity compiles into an application or onto a device. Every instance dials out over an authenticated, outbound-only path with no listening ports. The model holds whether your product runs in a customer’s cloud or on hardware in the field you can’t easily reach.
Connect into customer environments — and back to your cloud
Embed the SDK wherever your software runs. Reach into a customer’s environment, or connect back from theirs to your cloud — neither side opens inbound ports. Every path is outbound-only and mutually authenticated, encrypted end to end, and least-privilege by default.
Ship devices that connect securely from anywhere
Compile the SDK into firmware so each device carries its own cryptographic identity and dials out from behind any NAT, with no ports to expose on hard-to-patch equipment. The identity holds across a long field lifecycle and helps you meet requirements such as IEC 62443.
Embedded, Shipped, and Running in the Field
Software vendors and platform builders embed NetFoundry so their products reach customer environments without inbound ports, VPNs, or firewall changes on either side.
Siemens embeds NetFoundry in its network devices as Siemens SINEC Secure Connect — outbound-only, no inbound ports, managed control plane, white-labeled through NetFoundry.
“NetFoundry’s Zero Trust B2B solution has significantly enhanced the security and performance of our integration platform, allowing us to deliver reliable and secure services to our customers without S2S VPN and firewall headaches.”
“NetFoundry enabled us to move to Infrastructure-as-Code automation, including customer connectivity. We are changing the game for MIS printing and labeling to deliver unmatched innovation to our clients, without asking them to open firewall ports or manage S2S VPNs.”
“NetFoundry’s Zero Trust B2B met our customer’s most stringent security requirements — no permitted IP addresses in their firewalls and no S2S VPNs.”
“NetFoundry provides the secure network foundation Rhapsody needs to support private, policy-based access across distributed healthcare environments, including applications, APIs, workloads, and emerging AI-enabled workflows.”
Production-Grade SDKs, Backed by a Managed Platform
NetFoundry created OpenZiti, the most-used open-source Zero Trust networking platform. On top of OpenZiti NetFoundry adds the SDK, the managed control plane, FIPS validation, white-labeling, and the scale that regulated and global markets require — supporting the requirements behind standards from FIPS to IEC 62443 for device security.
Embedded Zero Trust Connectivity, Answered
What is embedded Zero Trust connectivity?
NetFoundry embedded Zero Trust connectivity is secure networking built directly into an application or device, rather than added on with a VPN, firewall, or separate agent. Each software instance or device receives its own cryptographic identity and makes outbound-only, mutually authenticated connections, so it opens no inbound ports and stays invisible on the network. NetFoundry runs the managed control plane behind it, so builders embed secure connectivity as a feature of their own product instead of operating networking infrastructure.
How does NetFoundry let software connect without opening inbound firewall ports?
NetFoundry uses an outbound-only, authenticate-to-connect model, so software never needs a listening port or an inbound firewall rule. Every session dials out and is verified by cryptographic identity before any network path is created, which means neither the vendor nor the customer exposes a public service or opens their firewall. This removes the inbound attack surface that VPNs and public IP addresses normally require.
Can device and hardware OEMs embed NetFoundry connectivity in firmware?
Yes. NetFoundry connectivity compiles into device firmware through the NetFoundry SDKs, so each device carries its own cryptographic identity and dials out from behind any NAT with no listening ports to expose. Because the identity is bound to the device and holds across a long field lifecycle, this model helps OEMs meet device-security requirements such as IEC 62443. Siemens ships this approach inside its own network devices as Siemens SINEC Secure Connect.
What programming languages do the NetFoundry SDKs support?
NetFoundry provides SDKs for Go, C, .NET, Java, Node.js, and Swift, so builders can embed Zero Trust connectivity in most application and device stacks. The SDKs come from OpenZiti, the open-source Zero Trust networking project that NetFoundry created. Developers add the SDK to their product and can typically go live within a single sprint.
How is embedding NetFoundry different from using a VPN or ZTNA product?
NetFoundry embeds connectivity inside the product itself, whereas a VPN or ZTNA product sits alongside it as separate infrastructure the customer must install and manage. Because connections are outbound-only and identity is verified before any path exists, there are no inbound ports, no client for the customer to run, and no public entry point to attack. The result is connectivity that ships as a native feature of the builder’s product rather than a networking layer bolted on later.
Is NetFoundry connectivity suitable for regulated or government markets?
Yes. NetFoundry provides FIPS-validated encryption and a managed control plane, which supports the requirements behind standards ranging from FIPS to IEC 62443 for device security. Connectivity is white-labeled, so regulated vendors ship it under their own brand. NetFoundry is used by thousands of companies, including two of the five largest US companies and eight of the ten largest US banks.
Can builders white-label NetFoundry connectivity as their own product?
Yes. NetFoundry connectivity is fully white-labeled, so a builder’s customers see the builder’s product and brand rather than NetFoundry. NetFoundry operates the managed control plane, the key lifecycle, and the scale behind the scenes, while the builder ships a finished, branded connectivity service. This lets software vendors and device OEMs offer secure connectivity without building or operating the underlying networking platform.
Do I have to run networking infrastructure to use NetFoundry?
No. NetFoundry runs the control plane, identity issuance, key rotation, and global scale for you as a managed service, so you consume connectivity instead of operating it. You embed the NetFoundry SDK in your product and make outbound, authenticated connections, while NetFoundry handles the orchestration behind the scenes. This lets a product team ship secure connectivity without standing up or maintaining a networking platform of its own.
How long does it take to embed NetFoundry connectivity in a product?
NetFoundry is designed so builders can add the SDK and make their first authenticated connection the same day, then go live in a single sprint. The SDK carries the identity, authentication, and outbound-only connection logic, so there is no NAT traversal, certificate handling, or control plane to build from scratch. Teams add the SDK for their language and integrate it the way they would any other library.
Is NetFoundry connectivity ready for post-quantum cryptography?
NetFoundry manages the cryptographic layer behind embedded connectivity, so evolving standards, including post-quantum, are handled at the platform level rather than becoming each builder’s problem to track and ship. Because identity and key rotation run as a managed service, cryptographic updates reach embedded products without a forced redesign of the builder’s application or device. This keeps long-lived software and field hardware aligned with current standards over their lifecycle.
Build It Into Your Product. Ship It as Your Own.
See how the NetFoundry SDKs and the NetFoundry platform let you embed Zero Trust connectivity in a sprint — no listening ports, no customer VPN, no transport layer to build from scratch.