
Universal zero trust
Simple for a single app or an entire WAN, from air-gapped sites to multicloud.
Software-only, high-performance networking to connect anything from AI to OT. Replace VPN, SD-WAN, MPLS, PAM, SRA or VDI. Built-in identity for workloads, machines and humans, with prebuilt integration for other IdPs, CAs and PKIs.
Deployment models
Air-gapped, on-premises, hybrid, cloud native NaaS
NetFoundry serves all endpoints (including agentless) and all deployment models:
- On-premises – deploy overlays for on-prem zero trust, including in air-gapped sites.
- NaaS – your overlay is still private and dedicated, but the overlay infrastructure – routers and controllers – are provided by NetFoundry as NaaS across over 100 PoPs.
- Hybrid – deploy endpoints and routers across any set of NetFoundry sites and your sites.
Encryption is also flexible, using a pluggable cipher architecture. The default is high-performance libsodium end-to-end encryption; FIPS-compliant or post-quantum ciphers can be plugged in where a deployment requires them.
Each model provides universal identity, policy, controls and telemetry.
Each NaaS overlay is dedicated. You can make it multi-tenant for your own tenants, but NetFoundry does not share it with other customers.
The first zero trust native overlay networks
NetFoundry is the first to build zero trust into the network with universal identities. Spin up zero trust native overlays, in minutes, for a single AI application or an entire WAN.
Deploy for IT, OT or IoT
Includes agents for Windows, Linux, macOS, iOS, Android, containers, VMs, eBPF daemons. Pre-built into proxies, browsers, modems, edge servers, firewalls. Use SDKs to integrate into any software.
Reliability and performance
NaaS includes HA, dynamic path optimization, and ingress and egress load balancing across over 100 PoPs, with 24×7 enterprise support and SLAs. On-premises deployments include the HA features and tooling needed to target 99.999% uptime.
On-premises, hybrid or NaaS
Deploy in air-gapped sites, OT, multicloud and everything in between. Every overlay is zero trust native with all zero trust functionality built in and prebuilt integrations. NaaS spans over 100 sites.
NetFoundry’s built-in identity (X.509-based) is universal: it covers workloads, devices and humans. Identity-based controls, policy and telemetry replace dependencies on IP addresses and NAT. Posture checks and MFA are built in, as is support for any OAuth or OIDC IdP.
No inbound access
Software-defined, zero trust native overlays make IT, OT, IoT and AI workloads unreachable from the underlay network: the protected service exposes no port on the underlay, and the endpoint only ever opens outbound connections to the overlay. Close all inbound ports and eliminate VPNs.
Authorize before connect
NetFoundry includes identity, continuous authentication and authorization for users, admins, devices, servers, workloads, AI agents and MCPs. Strong auth is required before overlay access – the overlay itself is auth aware.
Mutual TLS (mTLS) is built in for every overlay segment. End-to-end encryption (E2EE) with keys held only by the endpoints means no intermediary, NetFoundry’s routers included, can read your data. Choose ciphers, including FIPS 140 compliant options and libsodium.
JIT, one-time and persistent access
Just-in-time (JIT), one-time and persistent access models, based on authorized identities. Integrated with workflow and ticketing (Jira, ServiceNow, Zendesk, etc.), or use NetFoundry APIs for your own custom integration.
End to end zero trust
Extend zero trust beyond the firewall to applications or hosts. NetFoundry-enabled servers expose no listening ports on the underlay, so they are unreachable from underlay networks and available only to strongly authorized overlay sessions.
Open source foundation
NetFoundry open sourced its core zero trust software as the OpenZiti project, and continues to maintain the project. It is an open core model: only enterprise, government and OEM features are kept proprietary.
FedRAMP & Government Cloud
NetFoundry is deployed in FedRAMP and Government Cloud environments, as well as on-premises and in air-gapped sites. It supports CJIS, HIPAA, PCI DSS and FIPS 140 compliance requirements.
EU CRA
The simplest way to meet EU CRA requirements for connected products. Directly integrate zero trust networking into your product, eliminating VPNs.
Highlights
Universal identities replace IP addresses
Built-in authentication and authorization
mTLS and E2EE
Built-in HA, ingress LB, egress LB
Performance optimization across over 100 PoPs (NaaS)
Identity-based telemetry for all use cases
The First Zero Trust Native Networking
Simplify with built-in zero trust
Your private, dedicated overlay itself is zero trust. This means you eliminate the near-impossible complexity of trying to bolt on ZTNA and VPNs:
- Your overlay natively accepts only identified, authenticated, authorized sessions. The policy enforcement point (PEP) moves to the session egress, next to the service itself.
- NetFoundry provides those functions for every use case (yes, even for flows like VoIP).
- Each session is then initiated outbound towards the overlay.
- As a result your firewalls block all inbound traffic. This simplifies microsegmentation: for example, your servers’ host firewalls (e.g. iptables) drop all inbound traffic and permit outbound traffic only towards the overlay.
- Since NetFoundry provides identity for workloads, machines and humans, you get simplicity and control. You can integrate with IdPs and CAs, but it is your choice, so you only do it when it makes sense.
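The "authorize before connect" behaviour described in this list and in the JIT access section above can be illustrated with a small policy evaluator. This is an added example, not NetFoundry or OpenZiti code: it is a simplified, stand-alone reimplementation of the policy model the page describes. The selector syntax (`#role`, `@identity-name`), the Dial/Bind policy types and the AnyOf/AllOf semantics follow OpenZiti's documented concepts; the MFA flag, the time-bound JIT window, and every identity, service and policy in the sample data are constructed for illustration. Note that nothing in the decision keys on an IP address; the subject is the enrolled identity.

```python
"""Authorize-before-connect against OpenZiti-style service policies.

Added example, not NetFoundry or OpenZiti code. Selector syntax ('#role',
'@name'), Dial/Bind types and AnyOf/AllOf semantics follow OpenZiti's
documented concepts; the MFA flag, the JIT window and all sample data are
constructed. Default deny: with no matching policy, no session is set up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Identity:
    name: str                 # e.g. CN of the endpoint's enrolled X.509 cert (assumed)
    roles: frozenset
    mfa_verified: bool = False


@dataclass(frozen=True)
class Service:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class ServicePolicy:
    name: str
    type: str                 # "Dial": may connect to; "Bind": may host/listen for
    identity_roles: tuple     # selectors: "#role" or "@identity-name"
    service_roles: tuple      # selectors: "#role" or "@service-name"
    semantic: str = "AnyOf"   # "AnyOf" or "AllOf"
    require_mfa: bool = False             # constructed stand-in for a posture check
    not_before: Optional[datetime] = None  # constructed JIT / time-bound window
    not_after: Optional[datetime] = None


def _selectors_match(selectors, name, roles, semantic):
    """'@x' matches the exact name, '#r' matches a role; combine per semantic."""
    if not selectors:
        return False
    hits = []
    for sel in selectors:
        if sel.startswith("@"):
            hits.append(sel[1:] == name)
        elif sel.startswith("#"):
            hits.append(sel[1:] in roles)
        else:
            raise ValueError(f"unsupported selector {sel!r}")
    return all(hits) if semantic == "AllOf" else any(hits)


def authorize(identity, service, action, policies, now):
    """Decide before any connection is made. Returns (allowed, reason)."""
    if action not in ("Dial", "Bind"):
        return False, f"unknown action {action!r}"
    reason = "no matching policy (default deny)"
    for p in policies:
        if p.type != action:
            continue
        if p.not_before is not None and now < p.not_before:
            continue
        if p.not_after is not None and now >= p.not_after:
            continue
        if not _selectors_match(p.identity_roles, identity.name, identity.roles, p.semantic):
            continue
        if not _selectors_match(p.service_roles, service.name, service.roles, p.semantic):
            continue
        if p.require_mfa and not identity.mfa_verified:
            reason = f"policy {p.name} matched but MFA not satisfied"
            continue
        return True, p.name
    return False, reason


# --- constructed sample data -------------------------------------------------
T0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
ALICE = Identity("alice", frozenset({"ops"}), mfa_verified=True)
ALICE_NO_MFA = Identity("alice", frozenset({"ops"}), mfa_verified=False)
BOB = Identity("bob-contractor", frozenset({"third-party"}), mfa_verified=True)
HMI = Identity("scada-hmi-01", frozenset({"ot-hmi"}))        # a machine identity
HISTORIAN = Service("plc-historian", frozenset({"ot"}))
GIT = Service("git", frozenset({"dev-tools"}))
POLICIES = (
    # standing access: ops staff may dial any OT service, MFA required
    ServicePolicy("ops-dial-ot", "Dial", ("#ops",), ("#ot",), require_mfa=True),
    # JIT grant from a ticket: one contractor, one service, two-hour window
    ServicePolicy("jit-bob-historian", "Dial", ("@bob-contractor",), ("@plc-historian",),
                  require_mfa=True, not_before=T0, not_after=T0 + timedelta(hours=2)),
    # only the HMI machine identity may host (bind) OT services on the overlay
    ServicePolicy("hmi-bind-ot", "Bind", ("#ot-hmi",), ("#ot",)),
)


def demo(now=T0 + timedelta(minutes=30)):
    """Run a set of access decisions; returns {label: (allowed, reason)}."""
    return {
        "alice dials historian": authorize(ALICE, HISTORIAN, "Dial", POLICIES, now),
        "alice without mfa": authorize(ALICE_NO_MFA, HISTORIAN, "Dial", POLICIES, now),
        "alice binds historian": authorize(ALICE, HISTORIAN, "Bind", POLICIES, now),
        "bob in window": authorize(BOB, HISTORIAN, "Dial", POLICIES, now),
        "bob after window": authorize(BOB, HISTORIAN, "Dial", POLICIES, now + timedelta(hours=3)),
        "bob dials git": authorize(BOB, GIT, "Dial", POLICIES, now),
        "hmi binds historian": authorize(HMI, HISTORIAN, "Bind", POLICIES, now),
    }


if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label:24} {why}")
```

The contractor case is the JIT pattern from the page: the grant names one identity and one service and carries an expiry, so the same request is refused three hours later without any firewall or directory change. Bind is authorized separately from Dial, which is what lets a server identity host a service on the overlay while holding no listening port on the underlay.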
Zero Trust Native Networking replaces ZTNA, SD-WAN and VPN
How NetFoundry's unique zero trust native approach simplifies and secures networking
Secure-by-design
VPNs and ZTNA are bolt-on ramps – they are secure access to insecure networks. NetFoundry builds zero trust into the network overlay itself – whether it replaces one VPN or an entire SD-WAN.
Performance
NetFoundry’s full mesh overlay eliminates backhauling, and routes each session according to the best available path, across over 100 PoPs (NaaS). On-prem NetFoundry includes algorithms for HA, load balancing and dynamic performance optimization.
Universal identity
As the first to provide identity-based zero trust for everything and every use case, NetFoundry simplifies management and enables automation. Includes identities for workloads, servers, machines, devices and humans.
Flexible access
Including just-in-time (JIT), one-time and time-bound access made simple. Workflow and IdP integrations are optional but supported. Third-party access is simple because the overlay includes identity, so there is no need to add third parties to enterprise directories.

- Built-in is simpler than bolted-on
- Secure-by-design is simpler than day two
- Identities are simpler than IPs
- Native microsegmentation is simpler than ACLs
Case Study
Tata Sons’ Shift to Zero Trust AppNets
How Tata Sons Replaced VPNs with NetFoundry To Simplify Networking
Learn how Tata Sons transitioned from VPNs to NetFoundry’s Zero Trust AppNets to achieve reliable, scalable, and secure access for their distributed teams. This empowered Tata Sons to deliver security without compromising performance.
Tata Sons’ Journey to Zero Trust
Case Study
KEO’s Zero Trust SD-WAN
KEO’s Solution: Using NetFoundry As A Zero Trust, Multicloud SD-WAN
Discover how KEO transitioned from VPNs to a seamless, zero trust architecture using NetFoundry AppNets. By doing so, KEO was able to reduce overhead, enhance security, and ensure connectivity that adapts to the needs of its users—all without relying on traditional VPN solutions.
KEO’s Secure Zero Trust Transition
Implementation and Scalability
Seamless Implementation and Scalable Zero Trust with NetFoundry
NetFoundry AppNets are designed to integrate with existing systems, minimizing the need for significant infrastructure changes. This low-risk, scalable solution allows organizations to embrace Zero Trust Networking quickly and cost-effectively as they grow, without overhauling their entire architecture. As business needs evolve, NetFoundry scales easily to provide consistent, secure access across any location or device. The NetFoundry Console provides a single pane of glass to manage all your AppNets and policies.

Rapid Setup
Easy Integration
Centralized Management
Proven Scalability

Ready to Move Beyond VPN, ZTNA and SD-WAN?
Switch to NetFoundry’s AppNets for secure by design networking