
Universal zero trust
Simplify zero trust for a single app or an entire network. From air-gapped sites to multicloud.
Software-only, high-performance networking to connect anything from AI to multicloud. Replace VPN, SD-WAN, MPLS, PAM, SRA or VDI. Includes identity for workloads, servers, machines and humans.
Deployment models
Air-gapped, on-premises, hybrid, cloud native NaaS
NetFoundry provides simple, universal zero trust by serving any type of endpoint (including agentless), but also by providing a choice of deployment models.
Encryption is also flexible to meet different needs – the default is libsodium, and FIPS compliant encryption is available.
- On-premises – deploy overlays for on-prem zero trust, including in air-gapped sites.
- NaaS – your overlay is still private and dedicated, but the overlay infrastructure – routers and controllers – is provided by NetFoundry as NaaS.
- Hybrid – deploy endpoints and routers across any set of sites.
Options
On-premises
Global NaaS
Hybrid
Each model supports every use case, providing universal identity, policy, controls and telemetry.
The first zero trust native overlay networks
NetFoundry is the first to build zero trust into the network with universal identities. Spin up zero trust native overlays, in minutes, for a single AI application or an entire WAN.
Deploy for IT, OT or IoT
Includes agents for Windows, Linux, macOS, iOS, Android, containers, VMs, eBPF daemons. Pre-built into proxies, browsers, modems, edge servers, firewalls. Use SDKs to integrate into any software.
Reliability and performance
NaaS includes HA, dynamic optimization, ingress and egress load balancing, across over 100 PoPs, with 24×7 enterprise support and SLAs. On-premises includes features and tools to get 99.999% uptime.
On-premises, hybrid or NaaS
Deploy in air-gapped sites, OT, multicloud and everything in between. Every overlay is zero trust native with all zero trust functionality built in and prebuilt integrations. NaaS spans over 100 sites.
NetFoundry’s built-in identity (X.509-based) is universal – for workloads, devices, humans. Identity-based controls, policy and telemetry replace dependencies on IPs and NAT. Posture checks and MFA are built-in, as is support for any OAuth or OIDC IdP.
No inbound access
Software-defined, zero trust native overlays make IT, OT, IoT or AI unreachable from underlay networks. Close all inbound ports and eliminate all VPNs.
Authorize before connect
NetFoundry includes identity, continuous authentication and authorization for users, admins, devices, servers, workloads, AI agents and MCPs. Strong auth is required before overlay access – the overlay itself is auth aware.
Mutual TLS (mTLS) is built-in for every overlay segment. End-to-end encryption (E2EE) with keys sovereign to the endpoints means nobody else has access to your data. Choose ciphers, including FIPS 140 compliant and libsodium.
JIT, one-time and persistent access
Just-in-time (JIT), one-time and persistent access models, based on authorized identities. Integrated with workflow and ticketing (JIRA, ServiceNow, Zendesk, etc.), or use NetFoundry APIs for your own custom integration.
End to end zero trust
Extend zero trust beyond the firewall to applications or hosts. NetFoundry enabled servers have no listening ports – unreachable from underlay networks – only available to strongly authorized sessions.
Open source foundation
NetFoundry open sourced its core zero trust software into the OpenZiti project, and continues to maintain the project. It is an open core model – only enterprise, government and OEM functions are separate.
FedRAMP & Government Cloud
NetFoundry is deployed in FedRAMP and Government Cloud environments, as well as on-premises and air-gapped sites. Includes support for CJIS, HIPAA, PCI and FIPS 140 compliance.
EU CRA
The simplest way to meet EU CRA requirements for connected products. Directly integrate zero trust networking into your product, eliminating VPNs.
Highlights
Universal identities replace IP addresses
Built-in authentication and authorization
mTLS and E2EE
Built-in HA, ingress LB, egress LB
Performance optimization across over 100 PoPs (NaaS)
Identity-based telemetry for all use cases
The First Zero Trust Native Networking
Simplify with built-in zero trust
Your private, dedicated overlay itself is zero trust. What does that mean?
- Your overlay only accepts identified, authenticated, authorized sessions.
- NetFoundry provides the identity, authentication and authorization for every use case, initiating each session outbound towards the overlay.
- The firewall rules on your servers and your separate firewalls block all inbound traffic. All traffic is identified and authorized at initiation, so your firewalls and servers no longer need to ‘listen’ to the underlay network.
- Since NetFoundry provides identity for workloads, servers, machines, devices and humans – everything – you get full visibility and control.
Zero Trust Native Networking versus ZTNA and VPN
How NetFoundry's unique zero trust native approach simplifies and secures networking
Secure-by-design
VPNs and ZTNA are bolt-on ramps – they are secure access to insecure networks. NetFoundry builds zero trust into the network overlay itself – whether it replaces one VPN or an entire SD-WAN.
Performance
NetFoundry’s full mesh overlay eliminates backhauling, and routes each session according to the best available path, across over 100 PoPs (NaaS). On-prem NetFoundry includes algorithms for HA, load balancing and dynamic performance optimization.
Universal identity
As the first to provide identity-based zero trust for everything and every use case, NetFoundry simplifies management and enables automation. Includes identities for workloads, servers, machines, devices and humans.
Flexible access
Just-in-time (JIT) and one-time access are simple because there are no network dependencies. Workflow and IdP integrations are optional but made simple. Third-party access is simple because the overlay includes identity – no need to add third parties to enterprise directories.

- Built-in is simpler than bolted-on
- Secure-by-design is simpler than day two
- Identities are simpler than IPs
- Native microsegmentation is simpler than ACLs
Case Study
Tata Sons’ Shift to Zero Trust AppNets
How Tata Sons Replaced VPNs with NetFoundry To Simplify Networking
Learn how Tata Sons transitioned from VPNs to NetFoundry’s Zero Trust AppNets to achieve reliable, scalable, and secure access for their distributed teams. This empowered Tata Sons to deliver security without compromising performance.
Tata Sons’ Journey to Zero Trust
Case Study
KEO’s Zero Trust SD-WAN
KEO’s Solution: Using NetFoundry As A Zero Trust, Multicloud SD-WAN
Discover how KEO transitioned from VPNs to a seamless, zero trust architecture using NetFoundry AppNets. By doing so, KEO was able to reduce overhead, enhance security, and ensure connectivity that adapts to the needs of its users—all without relying on traditional VPN solutions.
KEO’s Secure Zero Trust Transition
Implementation and Scalability
Seamless Implementation and Scalable Zero Trust with NetFoundry
NetFoundry AppNets are designed to integrate with existing systems, minimizing the need for significant infrastructure changes. This low-risk, scalable solution allows organizations to embrace Zero Trust Networking quickly and cost-effectively as they grow, without overhauling their entire architecture. As business needs evolve, NetFoundry scales easily to provide consistent, secure access across any location or device. The NetFoundry Console provides a single pane of glass to manage all your AppNets and policies.

Rapid Setup
Easy Integration
Centralized Management
Proven Scalability

Ready to Move Beyond VPN, ZTNA and SD-WAN?
Switch to NetFoundry’s AppNets for secure by design networking