A question CTOs ask: “We’re already running OpenZiti. Why would we pay NetFoundry?”
It’s a critical question, and smart to ask. OpenZiti is an Apache 2.0 licensed, fully capable platform, and we intentionally built it that way. You can absolutely run it yourself, as many organizations currently do.
But there is a reason major technology providers like MongoDB, Elastic, Confluent, HashiCorp, Redis, and Grafana all follow the same model: they open-source the core technology while offering a managed service for production environments. This model exists not because the open-source version fails to work, but because operating infrastructure at a production scale requires an entirely different discipline than simply using it.
The Operational Reality of Production Zero Trust
Running OpenZiti in a production environment requires managing a complex, distributed system. This entails maintaining:
- Controllers, including high availability (HA), failover protocols, and database backends.
- Edge routers, which require geographic distribution, capacity planning, and constant health monitoring.
- PKI infrastructure, strict certificate lifecycle management, rotation, and revocation.
- Identity management architecture that functions effectively at scale.
- System-wide upgrades across a distributed network without causing disruptions to live connections.
- Comprehensive monitoring, alerting, and rapid incident response.
- Thorough disaster recovery planning and routine testing.
None of these elements is optional for production deployments, and all require highly specialized knowledge. Realistically, maintaining a production overlay network demands at least a half-time Full-Time Equivalent (FTE) engineer, plus another half-time FTE for backup. This resource requirement only grows if you are embedding OpenZiti into your own product or operating across global regions. Compared with industry benchmarks, such as Confluent recommending 2-10 FTEs for Kafka, or Grafana noting that a single SRE costs over $300K/year, the true cost of self-hosting OpenZiti makes the NetFoundry comparison highly compelling.
The NetFoundry Advantage: Operational Muscle
Managing controllers, routers, PKI, upgrades, monitoring, and DR is our entire job. Your team’s job is to build applications on top of the network. NetFoundry securely handles billions of sessions every month across more than 100 global points of presence. That level of operational muscle cannot be replicated as a weekend project.
Furthermore, NetFoundry operates on a hybrid SaaS model where every customer receives a fully dedicated network – meaning a dedicated controller, dedicated data plane, and dedicated PKI. It is not a multi-tenant shared infrastructure where another customer’s incident impacts your network. NetFoundry manages the complex infrastructure; you retain total ownership of your network configuration and policies.
A Note on PKI: Setting up and maintaining a production certificate authority can be one of the hardest parts of running OpenZiti, and one of the easiest to execute poorly. NetFoundry automatically provisions dedicated, non-shared, non-multi-tenant PKI infrastructure for every single customer.
While technical teams evaluate technology, legal and procurement teams evaluate vendors. Open source software inherently lacks the contractual protections that enterprises require. NetFoundry satisfies both technical and legal requirements by providing:
- SLAs with Financial Remedies: Apache 2.0 software comes with no warranty, express or implied. NetFoundry provides up to 99.95% uptime guarantees backed by service credits. When the board asks what happens during a network outage, you need an answer stronger than “we file a GitHub issue”.
- 24/7 Expert Support: Gain access to 24/7 support directly from the engineers who built the technology. We provide support that answers at 3 AM on a Saturday, replacing reliance on community forums or Stack Overflow.
- IP Indemnification: Open source licenses disclaim all liability. NetFoundry contractually indemnifies your business against intellectual property claims, which is a mandatory procurement checkbox for regulated industries.
- Comprehensive Compliance Support: NetFoundry maintains its own SOC 2 Type II report. We provide expert guidance on mapping our technology to rigorous frameworks including FIPS, PCI DSS, HIPAA, GDPR, EU CRA, and IEC 62443.
- Data Processing Agreements (DPAs): We provide contractual obligations for GDPR, CCPA, and industry-specific data handling, something you cannot get from an Apache 2.0 license.
The NetFoundry Platform: Beyond “Hosted OpenZiti”
Just as Redis Cloud offers architectural capabilities beyond basic “hosted Redis,” NetFoundry is a comprehensive platform built on top of OpenZiti. We provide enterprise-grade capabilities that do not exist in the open-source project:
- No-Code Management Console: Network visualizer, topology dashboards, identity management, and service-centric policies requiring zero YAML or CLI.
- Instant Bootstrap: Immediate organization and network generation upon signup.
- Multi-Tenant Orchestration: Manage multiple networks from a single pane of glass using hierarchical RBAC.
- Advanced Analytics & Observability: Rich telemetry, connection analytics, application metering, built-in audit logging, and alarm configuration.
- Turnkey Global Infrastructure: Access 100+ already-deployed, actively monitored global points of presence. Enjoy one-click gateway deployments on AWS, Azure, GCP, and OCI.
- Cryptographic Flexibility: Standard, FIPS-compliant, and pluggable cryptographic modes. Managing cipher suites, FIPS compliance, and post-quantum readiness across a distributed overlay is high-stakes; NetFoundry handles this core competency so your zero trust network remains truly secure.
- Seamless Integration: Full orchestration APIs for workflow automation.
- Enterprise Identity Integration: SCIM, Active Directory/LDAP sync, 3rd party CA support, and BYO DNS.
- Agentless Connectivity: Reverse proxy options for environments where deploying endpoint agents is not feasible.
- Customer-Driven Roadmap: Customers get a direct seat at the table to influence feature prioritization, a feedback loop that is far weaker for standard open-source feature requests.
The Proven Infrastructure Model
This is not a novel business model; it is the dominant standard for open-source infrastructure. The open-source services market is forecast to grow massively from $38B in 2025 to $93B by 2031. This pattern exists because it gives organizations the innovation velocity of open source combined with the operational confidence and legal protections of a vendor relationship.
| Company | Open Source Project | Managed Service |
|---|---|---|
| MongoDB | MongoDB Community | MongoDB Atlas |
| Elastic | Elasticsearch | Elastic Cloud |
| Confluent | Apache Kafka | Confluent Cloud |
| HashiCorp | Terraform, Vault, Consul | HCP |
| Redis | Redis | Redis Cloud |
| Grafana Labs | Grafana, Loki, Tempo | Grafana Cloud |
| Cockroach Labs | CockroachDB | CockroachDB Cloud |
| NetFoundry | OpenZiti | NetFoundry |
Choosing Your Deployment Path
There are three distinct paths to choose from based on your operational model and compliance requirements.
1. Fully Self-Managed OpenZiti (You Own Everything)
Self-host when:
- You have dedicated infrastructure engineers possessing deep OpenZiti expertise.
- Your compliance requirements strictly mandate on-premises control of all components.
- You are operating in a learning, development, or lab environment.
- Your deployment is small and stable enough that operational overhead remains minimal.
2. NetFoundry Cloud (We Run It All)
Use NetFoundry Cloud when:
- Your team’s primary focus should be building applications, not managing overlay network infrastructure.
- You require production SLAs, vendor support, and contractual guarantees (indemnification, DPA) to pass procurement.
- You need compliance certifications, production-grade metrics, dashboards, and audit logs without building the stack yourself. OpenZiti provides the data plane; NetFoundry provides the visibility.
- You are scaling globally and do not want to manage distributed router infrastructure.
- You want tested, vendor-supported software updates without planning manual upgrade cycles.
3. NetFoundry Self-Hosted (Your Infrastructure, Our Guarantees)
Use NetFoundry Self-Hosted when:
- You need full control over where infrastructure runs and require strict air-gapped isolation.
- You still require contractual guarantees, SLAs, and support on your own infrastructure.
- You need vendor-supported FIPS-compliant cryptography in a self-hosted environment.
- You want production-bundled installers packaged with logs, OS metrics, and stream integration.
- You want the optional “phone a friend” capability: a temporary remote access path that grants NetFoundry troubleshooting access inside your otherwise air-gapped network, which you revoke as soon as the work concludes.
Conclusion
OpenZiti is, and will permanently remain, open-source Apache 2.0 software. We built it this way because we fundamentally believe zero trust networking should be accessible to everyone.
NetFoundry exists for organizations that want this transformative technology without the operational burden, backed by the contractual surface their business demands. If you are currently evaluating your zero trust networking options, we would rather have the conversation early than late.
