The platform

One agent. Every layer of access.

QuickZTNA consolidates your VPN, SSO gateway, secrets manager, SIEM, DLP, session recorder, and Terraform workflow into one tailnet. Every feature below is shipped, tested, and gated by plan — no coming-soon shelf.

Free — 100 devices, 3 users

Business — $10/mo · 60-day trial

Workforce — Contact sales
Category 01

Networking & Connectivity

The ZTNA primitives. Ship with every plan, no gate, no trial. This is the foundation.

10 features

Post-Quantum WireGuard

Free

X25519 + ML-KEM-768 hybrid key exchange on every tunnel. FIPS 203 compliant. No config — quantum-safe by default.

MagicDNS

Free

Every device reachable at ..zt.net. Zero DNS config.

DERP relays

Free

4 global regions (BLR, NYC, LON, SFO) relay when P2P is blocked by symmetric NAT or CGNAT.

STUN NAT discovery

Free

Automatic public endpoint discovery. Peers find each other without central coordination.

ABAC ACLs

Free

Rules on user, tag, posture, time of day, country, protocol, port. Evaluated per connection.

Subnet routes

Free

Advertise + accept CIDR routes. Bridge home labs, cloud VPCs, legacy networks.

Exit nodes

Free

Route outbound traffic through a chosen peer. Geofence compliance, egress control.

Device posture

Free

OS version, disk encryption, firewall, antivirus checks. Block non-compliant devices.

Auto-quarantine

Free

Failed posture → machine isolated automatically. Admin notified.

Tailnet IP allocation

Free

Atomic 100.64.x.x allocation. Guaranteed no collisions, even under concurrent registration.

Category 02

AI & Assistant

Claude-powered. Answers questions about your tenant, drafts policies, explains events, takes action.

9 features

AI chat

Free

Conversational Q&A about your network, policies, users, and recent events.

Natural-language ACLs

Free

Type "Laptops can SSH to prod between 9–6 IST" — get a ready-to-apply ACL rule.

Event summarizer

Free

24-hour security digest. Anomalies surfaced, noise suppressed.

Security digest

Free

Daily report: machines, threats blocked, compliance rate, JIT requests.

Policy drift detection

Free

AI reviews your ACLs vs industry baselines. Flags overly permissive rules.

Access heatmap

Free

Visualize which users touch which resources, when, how often.

AI actions

Business+

Approved auto-remediation. AI proposes, admin confirms, system executes with rollback.

Incident response playbooks

Business+

Generate context-aware response steps for a specific incident.

JIT recommendations

Business+

Suggests time-bounded grants based on historical access patterns.

Category 03

Security & Threat Detection

Defense in depth. Shipped as a single agent, not five separate tools to deploy.

7 features

DNS filtering

Free

Block malicious domains. Per-org allow/deny lists. Threat-intel feed sync.

Cloud firewall (FaaS)

Free

Stateful firewall rules at the edge. Per-app, per-user, per-tag.

Honeypot / deception

Business+

Decoy machines. Any interaction alerts. Zero false positives.

Anomaly detection

Workforce

UEBA baselines. Flags unusual access patterns, data movement, login geography.

Data Loss Prevention (DLP)

Workforce

Scans agent-captured text for credit cards, SSNs, API keys. Report or block.

CASB

Workforce

SaaS app discovery, shadow-IT visibility, approval workflow.

User risk scoring

Workforce

Per-user risk timeline. Combines posture, behavior, threat intel.

Category 04

Governance & Compliance

Audit-ready by default. SOC 2 / ISO 27001 / HIPAA artifacts generated, not assembled.

6 features

Compliance reports

Business+

One-click SOC 2 / ISO 27001 / HIPAA evidence bundles. Signed, timestamped.

Continuous compliance

Business+

Background rules run daily. Drift flagged before audit time.

Session recording

Business+

Capture admin sessions (shell, SSH jump). Replay for audit.

JIT access workflow

Free

Request → approve → time-bounded grant → auto-revoke. Full audit trail.

Access review campaigns

Free

Periodic campaigns. Approvers confirm / revoke. Everything logged.

Policy version rollback

Free

Every ACL change versioned. Roll back to any prior version instantly.

Category 05

Identity & Provisioning

Bring your identity provider. SSO, SCIM, OAuth — all free. MFA-ready, device-bound.

6 features

Email + password

Free

PBKDF2-SHA256 100K iterations. Timing-safe. Per-email rate-limited.

GitHub / Google OAuth

Free

One-click sign-in for dev teams. Respects org domains.

SAML / OIDC SSO

Free

Okta, Azure AD, Google Workspace, Auth0, any IdP.

TOTP MFA

Free

RFC 6238. Replay-protected (used codes cached 90s). 10 backup codes per user.

SCIM 2.0 provisioning

Business+

Automated user lifecycle from Okta, Azure AD. Groups sync.

Org groups (departments)

Workforce

Sub-tenants within an org. Scoped ACLs, isolated users.

Category 06

Endpoint Management

One agent — remote commands, secure shell, WebRTC desktop, OTA updates.

5 features

Remote management

Business+

Run safe diagnostic commands across the fleet. Whitelisted verbs only.

Remote desktop (WebRTC)

Workforce

Browser-based remote control. Consent-gated, session-recorded.

Software inventory

Workforce

Patch overview per device. Approved software policy. Outdated versions flagged.

Device wipe / lock

Free

Admin can lock or wipe stolen/lost devices with signed commands.

OTA agent updates

Free

Self-update via signed releases. Controlled by client_versions table.

Category 07

Data & Access Layer

Protect internal apps, databases, Kubernetes, cloud VPCs — through the same tailnet.

7 features

Secrets vault

Business+

AES-256-GCM encrypted secrets. Envelope encryption with per-org DEKs. Rotation policies.

Database access broker

Workforce

Register PG/MySQL/Mongo/Redis. JIT credentials, scoped queries, audit.

Kubernetes access

Workforce

Identity-scoped kubeconfig. RBAC inherited from your org roles.

Cloud firewall sync

Workforce

AWS SG / Azure NSG / GCP firewall auto-sync with tailnet membership.

App connector

Workforce

Protect internal web apps (Jira, Jenkins, Grafana) with reverse proxy + ZTNA auth.

Webhook forwarder

Workforce

Inbound webhooks delivered through the mesh to private targets.

Terraform provider

Workforce

Full IaC for machines, ACLs, DNS, users, settings. GitOps-friendly.

Category 08

Workforce & Productivity

Built for distributed teams. Consent-first, GDPR-aware, compliance-ready.

6 features

Session tracking

Workforce

Login/logout, active time, idle windows, machine activity.

App & domain usage

Workforce

Top domains per user, per machine. Productive vs unproductive categorization.

Productivity scoring

Workforce

Rule-based scoring. Custom rules per team. Weekly reports.

Schedule compliance

Workforce

Work-hour adherence. Flag excessive overtime, weekend work.

Digital Experience Monitoring

Workforce

Per-device network health: latency, packet loss, jitter. Health score.

Monitoring consent (GDPR)

Workforce

Required user acknowledgment before analytics start. Audit-logged.

See exactly what's on each plan.

Full per-feature comparison. Honest limits. No surprise upsells.