QuickZTNA
Get started free

Pricing

Start on Free forever. Upgrade when you need it.

Same WireGuard encryption on every plan. 100 devices on Free. 60-day Business trial. No credit card to start. Honest limits, fully documented.

Free

For homelabs, founders, small teams.

$0 /mo forever
  • 100 machines
  • 3 users
  • Community support
  • WireGuard-encrypted ZTNA mesh
  • MagicDNS + WireGuard mesh
  • ACL policies + device posture
  • DNS filtering + cloud firewall
  • AI Assistant (chat, ACL builder, digest)
  • JIT access + access reviews
  • SSO · GitHub · Google · TOTP MFA
  • Remote shell (SSH) — free tier
  • Global DERP relays (BLR + FRA)
Start free

No credit card required

Most popular

Business

For growing teams · 60-day free trial.

$10 per user /mo
  • Unlimited machines
  • Billed per active user
  • Priority email support
  • Everything in Free
  • Remote desktop (WebRTC)
  • Compliance status dashboard (SOC 2 readiness)
  • Secrets vault (AES-256-GCM)
  • SCIM 2.0 provisioning
  • AI actions + incident response
  • JIT recommendations
  • 60-day free trial
Start 60-day trial

No credit card required

Workforce

For regulated orgs & distributed workforces.

Contact sales
  • Unlimited machines
  • Custom per-user pricing
  • Dedicated support + SLA
  • Everything in Business
  • Workforce analytics + DEM
  • DLP + CASB + anomaly detection
  • User risk scoring
  • Remote desktop (WebRTC)
  • Software inventory + patch overview
  • App connector (reverse proxy)
  • Database access broker
  • Kubernetes access
  • Terraform provider
  • Org groups (departments)
Contact sales

No credit card required

Compare every feature

What's on each plan, row by row.

Derived directly from the feature-gate code. If it's here, it ships.

Feature Free Business Workforce
Core networking
Machines per org 100 Unlimited Unlimited
Users per org 3 Billed / user Billed / user
WireGuard mesh tunnels
MagicDNS
DERP relays (Bangalore + Frankfurt)
ABAC policies + device posture
Subnet routes + exit nodes
Auto-quarantine on posture fail
Identity
Email + password
GitHub / Google OAuth
SAML / OIDC SSO
TOTP MFA + backup codes
SCIM 2.0 provisioning
Org groups (departments)
AI assistant
AI chat
Natural-language ACL builder
Security digest (24h)
Event summarizer
Policy drift detection
Access heatmap
AI auto-remediation actions
Incident response playbooks
JIT access recommendations
Security & threat
DNS filtering
Cloud firewall (FaaS)
Anomaly detection (UEBA)
Data Loss Prevention (DLP)
CASB + shadow-IT
User risk scoring
Governance & compliance
JIT access workflow
Access review campaigns
Policy versioning + rollback
Compliance reports (SOC 2, ISO, HIPAA)
Continuous compliance scanning
Audit log retention 90 days 90 days 90 days
Endpoint management
Device wipe / lock
OTA agent updates
Remote management + shell
Remote desktop (WebRTC)
Software inventory + patch overview
Data & access
Secrets vault (AES-256-GCM)
Database access broker
Kubernetes access proxy
App connector (reverse proxy)
Webhook forwarder
Terraform provider
Workforce analytics
Session tracking
App / domain usage
Productivity scoring
Schedule compliance
Digital Experience Monitoring (DEM)
GDPR monitoring consent
Support & ops
Support channel Community Priority email Dedicated + SLA
Trial 60 days Pilot on request
Custom invoicing
DPA + SOC 2 report on request

FAQ

Questions, answered honestly.

What's the difference between Free, Business, and Workforce on encryption?
None — every tunnel on every plan uses the same WireGuard cipher suite (X25519 + ChaCha20-Poly1305 + Poly1305). Encryption is never the upsell. Paid plans add features like SCIM provisioning, secrets vault, workforce analytics, DLP, and the AI Operator — not better crypto.
Why only Razorpay? What about Stripe / wire / invoice?
We launched in India first, so Razorpay is the self-serve default (supports 100+ countries via Razorpay International). For non-Razorpay regions or invoice/wire/cheque payment, contact sales@quickztna.com. Stripe is on the 2026-Q2 roadmap.
What happens when I hit the 100-machine limit on Free?
Device registration is hard-blocked at the limit — the 101st device gets a clear 'QUOTA_EXCEEDED' response and isn't added. A safety-net background job also runs every 5 minutes to quarantine any excess machines that got in through a plan downgrade. Nothing already-registered is deleted. Upgrade → quota raises immediately and previously-quarantined devices come back online.
Can I downgrade? What happens to my data?
Yes, any time from the Billing page. Paid features gate down immediately. No data is deleted — if you downgrade then re-upgrade, everything resumes where it left off.
What does the 60-day Business trial include?
All Business-tier features. No credit card required. On day 61 the org auto-downgrades to Free via the expire-trials cron. You can extend via sales if you need more runway for a pilot.
Is there a self-hosted / on-prem option?
Not today — QuickZTNA is a fully managed cloud service. Contact sales@quickztna.com if self-hosted or air-gapped deployment is a requirement, and we'll discuss your needs and our roadmap.
Are superadmins bypassing plan gates?
No. Platform superadmins have cross-org read/write for support, but plan gates are enforced at handler level. A superadmin helping a Free-tier org still hits FEATURE_GATED on paid endpoints. This is intentional.
What are the real enforced limits?
All three are hard-gated in code. (1) Feature gates: every paid handler calls requireFeature() and returns FEATURE_GATED to free-tier callers. (2) Machine limit: enforced at device registration time AND by a 5-minute safety-net cron. (3) User limit: enforced at invite-time, programmatic invite, and on auto-join-by-domain — all three paths refuse to add a user past the cap. No 'policy-only' limits; everything in the matrix is backed by code.

Ship 100 devices today. Zero-trust from the first connection.

Issue one auth key. Pipe one install command. Your whole workforce is on the tailnet.

Start free — no card Talk to sales