NetFoundry in 15 minutes

A founder’s tour of the company's origin, mission, and unique value proposition


Our mission is to “Protect the App, not the Network”. NetFoundry was founded in 2019 with the mission to disrupt the traditional networking market by approaching the problem of next-generation zero-trust secure application connectivity from the software developer’s point of view.

Application topologies are becoming ever more distributed and dynamic, and businesses are continuously increasing their dependency on secure connectivity to customers and partners. In our opinion it is a “fool's errand” to think you can secure access to global application services with a perimeter-based network topology built on traditional MPLS, VPNs, and SDWANs.

A new approach to “shift left” application security is required.

Problem Statement

Until now, everything we know about networking has come from the point of view of locations to connect, capital expenditure, and preventing access to the network. It is a world of point-to-point connections, trusted identities based on usernames and passwords, and inflexible architectures that are essentially immutable once deployed.

In the past, coping with these limitations was painful, but organizations could generally manage through clever engineering, large operations teams and high vendor spend. This is no longer the case: we have hit a tipping point where organizations can’t effectively stretch the old model of separate networking and security islands to fit the needs of modern businesses.

And it gets worse, because MPLS, VPNs, and SDWANs only provide a false sense of security: the belief that you have somehow achieved 100% perimeter isolation, which is rarely achievable. There’s always some opening somewhere, which is why “Scan and Exploit” is now the #1 cyber threat vector (IBM Threat Intelligence). By contrast, using NetFoundry our customers implement a “deny all” inbound firewall policy, effectively mitigating this pervasive threat while at the same time reducing the complexity of managing firewall rules to that of a single rule: “deny all”. Full-stop.

NetFoundry’s Unique Solutions Approach

  • Consumed as SaaS - NetFoundry is available as SaaS, including the hosting of private network fabrics on demand, where organizations use our SaaS platform to spin up zero-trust overlay networks in minutes.
  • Application Embeddable - Using NetFoundry’s portfolio of modern SDKs (Go, Python, Node.JS, Java, .NET, C/C++, ...), software developers can turn any application into a zero-trust application service that is micro-segmented as an isolated, air-gapped network.
  • Born Zero-trust - Unlike solutions that simply added this term to market their offerings, NetFoundry has always understood that zero-trust is a journey, not a product. NetFoundry is an “authorize before connect” dark network where every endpoint uses X.509-based identities, without pre-shared keys, to request ephemeral overlay network connections.
  • Built on Open Source - NetFoundry is open source. We founded the OpenZiti project for teams who want to self-host or add customizations to the platform. The project name “Ziti” (zee-tee) is a play on the phonetics of zero-trust (ZT).
  • Designed as a SuperCloud - NetFoundry is multi-cloud native, a SuperCloud approach, having built automation to spin up routers on demand across all major cloud providers. There is a single method to connect across private data centers and any cloud provider, as opposed to a myriad of unique direct-connect services such as AWS Direct Connect, Azure ExpressRoute, Oracle FastConnect, GCP Direct Interconnect, Alibaba Express Connect, IBM Cloud Direct Link, and so on.
  • Resilient via Intelligent Mesh - NetFoundry is resilient and often more performant than the public internet: as a mesh network with near real-time intelligent routing, it has no single points of failure, and the real-time performance of the Internet is a constant factor in dynamic route selection.
  • It is a Platform - As NetFoundry’s name implies, we are a “Platform to build Networks”. This is a critical distinction between NetFoundry and other tools that provide only the building blocks for hand-assembling networks, or networks purchased as bespoke direct connects. As a Platform, you can deploy as many networks on demand as needed, e.g. one network per individual application, each with a unique security posture and topology, or another network just for third-party access, etc.

How to Engage NetFoundry

There are many ways to engage NetFoundry.

Anatomy of a NetFoundry Deployment

The following diagram depicts NetFoundry deployment architecture:

1. Endpoints

SD-WAN-type software, except that it goes anywhere and includes zero-trust functions. This enables authorized apps to make ephemeral overlay networks. These endpoints support every protocol and ‘go anywhere’: deployed on IT and IoT devices, as well as inside the process space of an individual application!

2. Authorize before connect

Each endpoint uses X.509-based identities, without pre-shared keys, to request ephemeral overlay network connections. Attribute-based authorization is required, including posture checks and MFA when applicable. All other endpoints are denied access to the overlay networks; strong authorization is required before any connection.

3. Overlay network fabric

Overlay routers enable bidirectional data between endpoints, initiated from either side, by bridging both sides (each side opens outbound from its network towards the fabric). These virtual routers are programmable, and function in a mesh with the endpoints to dynamically optimize routing according to real-time conditions. Each session features app-level micro-segmentation.
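The model in items 2 and 3 (and the “deny all” inbound policy from the problem statement), as an added example that is not NetFoundry or OpenZiti code: a toy fabric router on localhost to which both endpoints dial out, so neither side needs an inbound firewall rule, and which evaluates an attribute policy (role, posture, MFA) against a constructed identity before bridging the two outbound legs. The service name, identities, attributes and the request/reply format are all constructed for the example.

```python
import asyncio
# Constructed identities (stand-ins for X.509 cert fingerprints) and their assigned attributes.
IDENTITIES = {"sha256:server01": {"role:server", "posture:ok"},
              "sha256:laptop07": {"role:dev", "posture:ok", "mfa:yes"},
              "sha256:kiosk03": {"role:dev"}}  # posture check failed, no MFA
# Attribute-based policy for one service: who may host it and who may dial it.
POLICY = {"inventory-api": {"host": {"role:server"}, "dial": {"role:dev", "posture:ok", "mfa:yes"}}}
hosts = {}  # service -> (reader, writer) of the endpoint currently hosting it
def authorize(identity, action, service):  # authorize before connect
    required = POLICY.get(service, {}).get(action)
    return required is not None and required <= IDENTITIES.get(identity, set())
async def pipe(src, dst):  # copy one direction, then forward the sender's EOF
    while chunk := await src.read(4096):
        dst.write(chunk); await dst.drain()
    dst.write_eof()

async def fabric(reader, writer):  # fabric router: both endpoints dialed OUT to it
    identity, action, service = (await reader.readline()).decode().split()
    ok = authorize(identity, action, service)
    writer.write(b"OK\n" if ok else b"DENY\n"); await writer.drain()
    if not ok: writer.close()
    elif action == "host": hosts[service] = (reader, writer)  # park until a dialer arrives
    else:
        hr, hw = hosts.pop(service)
        await asyncio.gather(pipe(reader, hw), pipe(hr, writer))  # bridge the two legs
        hw.close(); writer.close()

async def endpoint(port, identity, action, service, request=b""):
    r, w = await asyncio.open_connection("127.0.0.1", port)  # outbound only
    w.write(f"{identity} {action} {service}\n".encode())
    verdict = (await r.readline()).strip().decode()
    if verdict == "OK" and action == "host":
        w.write(b"200 " + await r.readline()); await r.read()  # answer once, wait for EOF
    elif verdict == "OK":
        w.write(request); w.write_eof()
        verdict = (await r.readline()).strip().decode()  # the hosting endpoint's reply
    w.close()
    return verdict

async def demo():
    server = await asyncio.start_server(fabric, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    host = asyncio.create_task(endpoint(port, "sha256:server01", "host", "inventory-api"))
    while "inventory-api" not in hosts: await asyncio.sleep(0.01)
    denied = await endpoint(port, "sha256:kiosk03", "dial", "inventory-api", b"GET /items\n")
    reply = await endpoint(port, "sha256:laptop07", "dial", "inventory-api", b"GET /items\n")
    server.close()
    return denied, reply, await host

def run_demo():  # -> ("DENY", "200 GET /items", "OK")
    return asyncio.run(demo())
```

In a real deployment the identity is proven by mutual TLS with the endpoint's X.509 certificate rather than self-declared in a hello line; the toy skips that so it runs offline with no certificates.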

The platform approach ties it all together. By open sourcing the underlying software, designing all components as multi-cloud native, API-first, and programmable, and building secure-by-design constructs, the platform is simple to manage, extensible, and scalable. Prebuilt integrations with leading solutions ship with the SaaS services, and organizations can use the APIs and SDKs to extend the platform for specific needs.

Learn More

Zero trust for Zero Bucks

Watch a 15-minute demo - Someone with no networking skills builds a home cloud lab and connects to it with a private zero-trust network for $0.

Getting Started with NetFoundry

Watch a 14-minute video demo presented in detail by a solution architect.

Online Resources

OpenZiti for Developers => Don't forget to “Star our project”, please.

Read Our Blog

There is a lot of great content on the Blog, but here are two (2) recommendations on how NetFoundry adds zero-trust to both Salt and Ansible with no change to user behavior, while delivering real security improvement, network resilience, and productivity gains for DevOps.


Embedding zero trust networking in apps and solutions

Social Media - Follow us / Stay Connected



YouTube - We run a live stream event every week “ZitiTV”