Universal Zero Trust

The simplest way to connect anything. Replace a single VPN or an entire WAN.

NaaS & on-prem options to connect IT, OT or IoT. Even air gapped, AI or multicloud.

Add zero trust to your product, service or infrastructure. Includes white-label option.

NetFoundry | Connect

Transform IT, OT, IoT or AI Connectivity with AppNetsâ„¢

Universal zero trust networking

NetFoundry’s AppNets™ simplify networking by including zero trust in the overlay. Get default microsegmentation, defined by identities and authorization, rather than IPs, without building it.

The first zero trust native overlay networks

NetFoundry is the first to build zero trust into the network. Spin up zero trust native overlays, in minutes, for a single AI application or an entire WAN.

Deploy for IT, OT or IoT

Includes agents for Windows, Linux, macOS, iOS, Android, containers, VMs, eBPF daemons. Pre-built into proxies, browsers, modems, edge servers, firewalls. Use SDKs to integrate into any software.

Reliability and performance

NaaS includes HA, dynamic optimization, ingress and egress load balancing, across over 100 PoPs, with 24×7 enterprise support and SLAs. On-premises includes features and tools to get 99.999% uptime.

On-premises, hybrid or NaaS

Deploy in air-gapped sites, OT, multicloud and everything in between. Every overlay is zero trust native with all zero trust functionality built in and prebuilt integrations. NaaS spans over 100 sites.

NetFoundry’s built-in identity (X.509-based) means identity based controls, policy and telemetry replace dependencies on IPs and NAT. Posture and MFA is built-in, as is support for any OAuth or OIDC IDP.

No inbound access

Software-defined, zero trust native overlays makes IT, OT, IoT or AI unreachable from underlay networks. Close all inbound ports and eliminate all VPNs. 

Authorize before connect

NetFoundry includes identity, continuous authentication and authorization for users, admins, devices, servers, workloads, AI agents and MCPs. Strong auth is required before overlay access.

Mutual TLS (mTLS) is built-in for every overlay segment. End to end encryption (E2EE) with keys sovereign to the endpoints means nobody has access to your data. Choose ciphers, including FIPS 140 compliant and libsodium.

JIT, one-time and persistent access

Just-in-time (JIT), one-time and persistent access models, based on authorized identities. Integrated with workflow and ticketing (JIRA, ServiceNow, Zendesk, etc.), or use NetFoundry APIs for your own custom integration.

End to end zero trust

Extend zero trust beyond the firewall to applications or hosts. NetFoundry enabled servers have no listening ports – unreachable from underlay networks – only available to strongly authorized sessions.

Open source foundation

NetFoundry open sourced its core zero trust software into the OpenZiti project, and continues to maintain the project. It is an open core model – only enterprise, government and OEM functions are separate.

FedRamp & Government Cloud

NetFoundry is deployed in FedRamp and Government Cloud environments, as well as on-premises and air-gapped sites. Includes supporting CJIS, HIPAA, PCI and FIPS 140.

EU CRA

The simplest way to meet EU CRA requirements for connected products. Directly integrate zero trust networking into your product, eliminating VPNs.Â