NetFoundry | Developers
Universal Zero Trust

Universal zero trust

Simple for a single app or an entire WAN, from air-gapped sites to multicloud.

Software-only, high-performance networking to connect anything from AI to OT. Replace VPN, SD-WAN, MPLS, PAM, SRA or VDI. Built-in identity for workloads, machines and humans, with prebuilt integration for other IdPs, CAs and PKIs.

Deployment models

Air-gapped, on-premises, hybrid, cloud native NaaS

NetFoundry serves all endpoints (including agentless) and all deployment models:

  • On-premises – deploy overlays for on-prem zero trust, including in air-gapped sites.
  • NaaS – your overlay is still private and dedicated, but the overlay infrastructure – routers and controllers – are provided by NetFoundry as NaaS across over 100 PoPs.
  • Hybrid – deploy endpoints and routers across any set of NetFoundry sites and your sites.


Encryption is also flexible, using a pluggable cipher architecture. The default is high-performance libsodium end-to-end encryption, but you can plug in FIPS-compliant encryption or even post-quantum ciphers as necessary.

Options

  • On-premises

  • Global NaaS

  • Hybrid

Each model provides universal identity, policy, controls and telemetry.

Each NaaS overlay is dedicated. You can make it multi-tenant, but NetFoundry does not share it.

The first zero trust native overlay networks

NetFoundry is the first to build zero trust into the network with universal identities. Spin up zero trust native overlays, in minutes, for a single AI application or an entire WAN.

Deploy for IT, OT or IoT

Includes agents for Windows, Linux, macOS, iOS, Android, containers, VMs, eBPF daemons. Pre-built into proxies, browsers, modems, edge servers, firewalls. Use SDKs to integrate into any software.

Reliability and performance

NaaS includes HA, dynamic optimization, ingress and egress load balancing, across over 100 PoPs, with 24×7 enterprise support and SLAs. On-premises includes features and tools to get 99.999% uptime.

On-premises, hybrid or NaaS

Deploy in air-gapped sites, OT, multicloud and everything in between. Every overlay is zero trust native with all zero trust functionality built in and prebuilt integrations. NaaS spans over 100 sites.

NetFoundry’s built-in identity (X.509-based) is universal – for workloads, devices and humans. Identity-based controls, policy and telemetry replace dependencies on IPs and NAT. Posture checks and MFA are built in, as is support for any OAuth or OIDC IdP.

No inbound access

Software-defined, zero trust native overlays make IT, OT, IoT or AI unreachable from underlay networks. Close all inbound ports and eliminate all VPNs.

Authorize before connect

NetFoundry includes identity, continuous authentication and authorization for users, admins, devices, servers, workloads, AI agents and MCPs. Strong auth is required before overlay access – the overlay itself is auth aware.

Mutual TLS (mTLS) is built in for every overlay segment. End-to-end encryption (E2EE) with keys sovereign to the endpoints means nobody else has access to your data. Choose ciphers, including FIPS 140 compliant and libsodium.

JIT, one-time and persistent access

Just-in-time (JIT), one-time and persistent access models, based on authorized identities. Integrated with workflow and ticketing (JIRA, ServiceNow, Zendesk, etc.), or use NetFoundry APIs for your own custom integration.

End to end zero trust

Extend zero trust beyond the firewall to applications or hosts. NetFoundry enabled servers have no listening ports – unreachable from underlay networks – only available to strongly authorized sessions.

Open source foundation

NetFoundry open sourced its core zero trust software into the OpenZiti project, and continues to maintain the project. It is an open core model – only enterprise, government and OEM functions are separate.

FedRAMP & Government Cloud

NetFoundry is deployed in FedRAMP and Government Cloud environments, as well as on-premises and air-gapped sites. It includes support for CJIS, HIPAA, PCI and FIPS 140 compliance.

EU CRA

The simplest way to meet EU CRA requirements for connected products. Directly integrate zero trust networking into your product, eliminating VPNs.

Highlights

  • Universal identities replace IP addresses

  • Built-in authentication and authorization

  • mTLS and E2EE

  • Built-in HA, ingress LB, egress LB

  • Performance optimization across over 100 PoPs (NaaS)

  • Identity-based telemetry for all use cases

The First Zero Trust Native Networking

Simplify with built-in zero trust

Your private, dedicated overlay itself is zero trust. This means you eliminate the almost impossible complexity of trying to bolt-on ZTNA and VPNs:

  1. Your overlay natively accepts only identified, authenticated, authorized sessions. The policy enforcement point (PEP) is moved to session egress.
  2. NetFoundry provides those functions for every use case (yes, even for flows like VoIP).
  3. You then initiate each session outbound towards the overlay.
  4. As a result, your firewalls now block all inbound traffic. This simplifies microsegmentation – for example, your servers' host firewalls (e.g. iptables) block all inbound and microsegment all outbound.
  5. Since NetFoundry provides identity for workloads, machines and humans, you get simplicity and control. You can integrate with IdPs and CAs, but it is your choice, so you only do it when it makes sense.
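As an added example (not NetFoundry's or OpenZiti's code), this POSIX shell script builds the host firewall posture that step 4 describes: an iptables-restore ruleset that drops all inbound traffic and permits new outbound sessions only to the overlay router and DNS. The router address, port and resolver are constructed placeholders passed as arguments, not values from the page.

```shell
#!/bin/sh
# Added example (not NetFoundry/OpenZiti code). Emits an iptables-restore ruleset
# for a server fronted by an overlay edge agent: inbound is dropped outright,
# egress is microsegmented to the overlay router (placeholder) and DNS only.
gen_ruleset() {
  router_ip="$1"; router_port="$2"; resolver="${3:-127.0.0.53}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback stays open so local services and the edge agent can talk to each other.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to sessions this host initiated; nothing else may enter.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Microsegmented egress: the overlay router, DNS, and already-open sessions only.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -d ${router_ip} --dport ${router_port} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp -d ${resolver} --dport 53 -j ACCEPT
-A OUTPUT -p tcp -d ${resolver} --dport 53 -j ACCEPT
# Log denied egress (rate limited) so blocked flows show up in telemetry.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "egress-denied: "
COMMIT
EOF
}

# Sanity check a generated ruleset: every chain defaults to DROP, exactly one
# rule opens NEW outbound TCP, and no INPUT rule opens a listening port.
check_ruleset() {
  rules="$1"
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  [ "$(printf '%s\n' "$rules" | grep -c -- '--ctstate NEW')" -eq 1 ] || return 1
  ! printf '%s\n' "$rules" | grep -q '^-A INPUT .*--dport' || return 1
}

# Apply with iptables-restore only when root; otherwise print the validated rules.
apply_ruleset() {
  rules="$(gen_ruleset "$@")"
  check_ruleset "$rules" || { echo "ruleset failed sanity check" >&2; return 1; }
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    printf '%s\n' "$rules" | iptables-restore
  else
    printf '%s\n' "$rules"
  fi
}
```

Run as `apply_ruleset <router-ip> <router-port> [resolver]`; the edge agent's outbound connection to the router is the only new flow the host may open, which is what makes the server unreachable from the underlay.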

Zero Trust Native Networking replaces ZTNA, SD-WAN and VPN

How NetFoundry's unique zero trust native approach simplifies and secures networking

Secure-by-design

VPNs and ZTNA are bolt-on ramps – they are secure access to insecure networks. NetFoundry builds zero trust into the network overlay itself – whether it replaces one VPN or an entire SD-WAN.


Performance

NetFoundry’s full mesh overlay eliminates backhauling, and routes each session according to the best available path, across over 100 PoPs (NaaS). On-prem NetFoundry includes algorithms for HA, load balancing and dynamic performance optimization.

Universal identity

As the first to provide identity-based zero trust for everything and every use case, NetFoundry simplifies management and enables automation. Includes identities for workloads, servers, machines, devices and humans.


Flexible access

Just-in-time (JIT), one-time and time-bound access are made simple. Workflow and IdP integrations are optional but supported. Third-party access is simple because the overlay includes identity – no need to add third parties to enterprise directories.

  • Built-in is simpler than bolted-on
  • Secure-by-design is simpler than day two
  • Identities are simpler than IPs
  • Native microsegmentation is simpler than ACLs

Case Study

Tata Sons’ Shift to Zero Trust AppNets

How Tata Sons Replaced VPNs with NetFoundry To Simplify Networking

Learn how Tata Sons transitioned from VPNs to NetFoundry’s Zero Trust AppNets to achieve reliable, scalable, and secure access for their distributed teams. This empowered Tata Sons to deliver security without compromising performance.

Tata Sons’ Journey to Zero Trust

Case Study

KEO’s Zero Trust SD-WAN

KEO’s Solution: Using NetFoundry As A Zero Trust, Multicloud SD-WAN

Discover how KEO transitioned from VPNs to a seamless, zero trust architecture using NetFoundry AppNets. By doing so, KEO was able to reduce overhead, enhance security, and ensure connectivity that adapts to the needs of its users—all without relying on traditional VPN solutions.

KEO’s Secure Zero Trust Transition

Implementation and Scalability

Seamless Implementation and Scalable Zero Trust with NetFoundry

NetFoundry AppNets are designed to integrate with existing systems, minimizing the need for significant infrastructure changes. This low-risk, scalable solution allows organizations to embrace Zero Trust Networking quickly and cost-effectively as they grow, without overhauling their entire architecture. As business needs evolve, NetFoundry scales easily to provide consistent, secure access across any location or device. The NetFoundry Console provides a single pane of glass to manage all your AppNets and policies.


  • Rapid setup
  • Easy integration
  • Centralized management
  • Proven scalability


Ready to Move Beyond VPN, ZTNA and SD-WAN?

Switch to NetFoundry’s AppNets for secure by design networking