NetFoundry | Developers
Universal Zero Trust

Universal zero trust

Simplify zero trust for a single app or an entire network. From air-gapped sites to multicloud.

Software-only, high-performance networking to connect anything from AI to multicloud. Replace VPN, SD-WAN, MPLS, PAM, SRA or VDI. Includes identity for workloads, servers, machines and humans.

Deployment models

Air-gapped, on-premises, hybrid, cloud native NaaS

NetFoundry provides simple, universal zero trust by serving any type of endpoint (including agentless), but also by providing a choice of deployment models.

Encryption is also flexible to meet different needs – the default is libsodium, and FIPS compliant encryption is available.

  • On-premises – deploy overlays for on-prem zero trust, including in air-gapped sites.
  • NaaS – your overlay is still private and dedicated, but the overlay infrastructure – routers and controllers – is provided by NetFoundry as NaaS.
  • Hybrid – deploy endpoints and routers across any set of sites.


Each model supports every use case, providing universal identity, policy, controls and telemetry.

The first zero trust native overlay networks

NetFoundry is the first to build zero trust into the network with universal identities. Spin up zero trust native overlays, in minutes, for a single AI application or an entire WAN.

Deploy for IT, OT or IoT

Includes agents for Windows, Linux, macOS, iOS, Android, containers, VMs, eBPF daemons. Pre-built into proxies, browsers, modems, edge servers, firewalls. Use SDKs to integrate into any software.

Reliability and performance

NaaS includes HA, dynamic optimization, ingress and egress load balancing, across over 100 PoPs, with 24×7 enterprise support and SLAs. On-premises includes features and tools to get 99.999% uptime.

On-premises, hybrid or NaaS

Deploy in air-gapped sites, OT, multicloud and everything in between. Every overlay is zero trust native with all zero trust functionality built in and prebuilt integrations. NaaS spans over 100 sites.

NetFoundry’s built-in identity (X.509-based) is universal – for workloads, devices and humans. Identity-based controls, policy and telemetry replace dependencies on IPs and NAT. Posture checks and MFA are built-in, as is support for any OAuth or OIDC IdP.

No inbound access

Software-defined, zero trust native overlays make IT, OT, IoT or AI unreachable from underlay networks. Close all inbound ports and eliminate all VPNs.

Authorize before connect

NetFoundry includes identity, continuous authentication and authorization for users, admins, devices, servers, workloads, AI agents and MCPs. Strong auth is required before overlay access – the overlay itself is auth aware.

Mutual TLS (mTLS) is built-in for every overlay segment. End-to-end encryption (E2EE) with keys sovereign to the endpoints means nobody but the endpoints has access to your data. Choose ciphers, including FIPS 140 compliant and libsodium.

JIT, one-time and persistent access

Just-in-time (JIT), one-time and persistent access models, based on authorized identities. Integrated with workflow and ticketing (JIRA, ServiceNow, Zendesk, etc.), or use NetFoundry APIs for your own custom integration.

End to end zero trust

Extend zero trust beyond the firewall to applications or hosts. NetFoundry-enabled servers have no listening ports – they are unreachable from underlay networks and available only to strongly authorized sessions.

Open source foundation

NetFoundry open sourced its core zero trust software into the OpenZiti project, and continues to maintain the project. It is an open core model – only enterprise, government and OEM functions are separate.

FedRAMP & Government Cloud

NetFoundry is deployed in FedRAMP and Government Cloud environments, as well as on-premises and air-gapped sites. Includes support for CJIS, HIPAA, PCI and FIPS 140 compliance.

EU CRA

The simplest way to meet EU CRA requirements for connected products. Directly integrate zero trust networking into your product, eliminating VPNs.

Highlights

  • Universal identities replace IP addresses

  • Built-in authentication and authorization

  • mTLS and E2EE

  • Built-in HA, ingress LB, egress LB

  • Performance optimization across over 100 PoPs (NaaS)

  • Identity-based telemetry for all use cases

The First Zero Trust Native Networking

Simplify with built-in zero trust

Your private, dedicated overlay itself is zero trust. What does that mean?

  1. Your overlay only accepts identified, authenticated, authorized sessions.
  2. NetFoundry provides the identity, authentication and authorization for every use case, initiating each session outbound towards the overlay.
  3. The firewall rules on your servers and your separate firewalls block all inbound traffic. All traffic is identified and authorized at initiation, so your firewalls and servers no longer need to ‘listen’ to the underlay network.
  4. Since NetFoundry provides identity for workloads, servers, machines, devices and humans – everything – you get full visibility and control.
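As an added illustration of steps 1-4 and of the JIT, one-time and persistent access modes described earlier (this is not NetFoundry or OpenZiti code; the class names, attribute sets and verdict strings are assumptions), here is a small Python model of an overlay that authorizes every session before it is brokered and records identity-based telemetry instead of IP addresses:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Identity:                 # one X.509-backed identity: human, workload, device or server
    name: str
    kind: str
    attrs: frozenset            # attributes the overlay's policies match on
    mtls_ok: bool = True        # stands in for a successful mTLS handshake on its cert
@dataclass
class Grant:
    service: str
    required: frozenset         # attributes an identity must carry to use this grant
    mode: str                   # "persistent", "jit" or "one-time"
    window: tuple = None        # (start, end) datetimes, JIT only
    used: bool = False          # a one-time grant is consumed on first use

class Overlay:
    """Decides whether a session may start, before any connection is brokered."""
    def __init__(self, grants):
        self.grants = list(grants)
        self.audit = []         # identity-based telemetry: (time, identity, service, verdict)
    def authorize(self, ident, service, now, posture_ok=True):
        verdict = self._decide(ident, service, now, posture_ok)
        self.audit.append((now, ident.name, service, verdict))
        return verdict
    def _decide(self, ident, service, now, posture_ok):
        if not ident.mtls_ok:
            return "deny:mtls"          # unauthenticated sessions never reach a service
        if not posture_ok:
            return "deny:posture"
        for g in self.grants:
            if g.service != service or not g.required <= ident.attrs:
                continue
            if g.mode == "persistent":
                return "allow:persistent"
            if g.mode == "jit" and g.window[0] <= now < g.window[1]:
                return "allow:jit"
            if g.mode == "one-time" and not g.used:
                g.used = True
                return "allow:one-time"
        return "deny:no-grant"          # default deny: no matching, still-valid grant

NOW, LATER = datetime(2025, 1, 1, 9, 0), datetime(2025, 1, 1, 12, 0)
def build_demo():
    """Constructed sample identities and grants (not real data or policy)."""
    dba = Identity("alice", "human", frozenset({"dba", "mfa"}))
    etl = Identity("nightly-etl", "workload", frozenset({"etl"}))
    stale = Identity("old-laptop", "device", frozenset({"dba"}), mtls_ok=False)
    grants = [Grant("prod-db", frozenset({"etl"}), "persistent"),
              Grant("prod-db", frozenset({"dba", "mfa"}), "jit", (NOW, NOW + timedelta(hours=2))),
              Grant("jump-host", frozenset({"dba"}), "one-time")]
    return Overlay(grants), dba, etl, stale
```

The overlay never consults a source IP: the audit trail lists the identity, the service and the verdict, and a session that fails the mTLS or posture step is refused before any grant is even looked up.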

Zero Trust Native Networking versus ZTNA and VPN

How NetFoundry's unique zero trust native approach simplifies and secures networking

Secure-by-design

VPNs and ZTNA are bolt-on ramps – they are secure access to insecure networks. NetFoundry builds zero trust into the network overlay itself – whether it replaces one VPN or an entire SD-WAN.


Performance

NetFoundry’s full mesh overlay eliminates backhauling, and routes each session according to the best available path, across over 100 PoPs (NaaS). On-prem NetFoundry includes algorithms for HA, load balancing and dynamic performance optimization.

Universal identity

As the first to provide identity-based zero trust for everything and every use case, NetFoundry simplifies management and enables automation. Includes identities for workloads, servers, machines, devices and humans.


Flexible access

Just-in-time (JIT) and one-time access are simple because there are no network dependencies. Workflow and IdP integrations are optional but made simple. Third-party access is simple because the overlay includes identity – no need to add third parties to enterprise directories.

  • Built-in is simpler than bolted-on
  • Secure-by-design is simpler than day two
  • Identities are simpler than IPs
  • Native microsegmentation is simpler than ACLs

Case Study

Tata Sons’ Shift to Zero Trust AppNets

How Tata Sons Replaced VPNs with NetFoundry To Simplify Networking

Learn how Tata Sons transitioned from VPNs to NetFoundry’s Zero Trust AppNets to achieve reliable, scalable, and secure access for their distributed teams. This empowered Tata Sons to deliver security without compromising performance.


Case Study

KEO’s Zero Trust SD-WAN

KEO’s Solution: Using NetFoundry As A Zero Trust, Multicloud SD-WAN

Discover how KEO transitioned from VPNs to a seamless, zero trust architecture using NetFoundry AppNets. By doing so, KEO was able to reduce overhead, enhance security, and ensure connectivity that adapts to the needs of its users—all without relying on traditional VPN solutions.


Implementation and Scalability

Seamless Implementation and Scalable Zero Trust with NetFoundry

NetFoundry AppNets are designed to integrate with existing systems, minimizing the need for significant infrastructure changes. This low-risk, scalable solution allows organizations to embrace Zero Trust Networking quickly and cost-effectively as they grow, without overhauling their entire architecture. As business needs evolve, NetFoundry scales easily to provide consistent, secure access across any location or device. The NetFoundry Console provides a single pane of glass to manage all your AppNets and policies.

  • Rapid Setup
  • Easy Integration
  • Centralized Management
  • Proven Scalability


Ready to Move Beyond VPN, ZTNA and SD-WAN?

Switch to NetFoundry’s AppNets for secure by design networking