Post-quantum ML-KEM-768 · live on every tunnel · FIPS 203

100 devices on an encrypted mesh in 2 minutes. Quantum-safe.

QuickZTNA replaces your VPN, SSO gateway, and secrets manager with a single post-quantum-encrypted agent. Issue one auth key, run one install command, and your entire workforce is on the tailnet. Free forever for 100 devices.

curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=tskey-auth-xxx sh

acme.zt.net · fleet rollout ● 100 connected
$ ansible all -m shell -a "curl -fsSL .../install.sh | ZTNA_AUTH_KEY=$KEY sh"
→ 100 hosts · detecting OS/arch...
→ Downloading ztna v3.2.0 (linux-amd64, darwin-arm64, windows-amd64)
→ Installing service · starting daemon · ztna up
→ ML-KEM-768 + X25519 hybrid keypair generated per host
→ Tailnet IPs allocated · MagicDNS registered
✓ 100/100 devices online in 1m 47s — quantum-safe
 
$ ztna status
laptop-prod-01 100.64.1.7 · tag:laptop · direct
db-primary 100.64.1.12 · tag:prod-server · 4.2ms
ci-runner-03 100.64.1.18 · tag:ci · 38ms direct
eu-edge-07 100.64.1.31 · tag:edge · derp-lon

Built on open standards · Verifiable crypto · No harvest-now-decrypt-later

SOC 2 Type II
NIST PQC FIPS 203
GDPR · DPA available
4 global DERP regions
Razorpay · custom invoicing
Open-source Go client

The platform

One control plane. Every layer of access.

Mesh networking, identity, ZTNA policy, AI assistance, and workforce analytics — unified in a single agent.

Post-Quantum by default

Hybrid ML-KEM-768 + X25519 on every tunnel

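Every WireGuard peer-to-peer tunnel runs a hybrid key exchange: classical X25519 plus ML-KEM-768, the key-encapsulation mechanism standardized in NIST FIPS 203. The WireGuard pre-shared key (PSK) is derived via HKDF-SHA256 from both the classical and the post-quantum shared secrets, so stored traffic can't be decrypted even if X25519 breaks tomorrow.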

< 2 min · 100-device fleet rollout
0 ms · user-facing handshake overhead
FIPS 203 · ML-KEM-768 compliant
Hybrid · classical fallback per-peer

ML-KEM-768 · X25519 · ChaCha20-Poly1305 · HKDF-SHA256

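
The PSK derivation described above, sketched as an added example (this is not QuickZTNA's code). The function name `derive_hybrid_psk`, the classical-then-post-quantum concatenation order, the empty salt and the `info` label are assumptions; the page states only that HKDF-SHA256 combines both shared secrets.

```python
import hashlib
import hmac
import os

HASH_LEN = hashlib.sha256().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-SHA256")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_hybrid_psk(x25519_ss: bytes, mlkem_ss: bytes,
                      salt: bytes = b"",
                      info: bytes = b"example hybrid wireguard psk") -> bytes:
    """Derive a 32-byte WireGuard PSK from both shared secrets.

    Assumptions (not from the page): concatenation order, empty salt and
    the info label. Both inputs are fixed-length 32-byte values, so plain
    concatenation is unambiguous.
    """
    if len(x25519_ss) != 32 or len(mlkem_ss) != 32:
        raise ValueError("X25519 and ML-KEM-768 shared secrets are 32 bytes each")
    if x25519_ss == bytes(32):
        raise ValueError("all-zero X25519 output (low-order peer key)")
    prk = hkdf_extract(salt, x25519_ss + mlkem_ss)
    return hkdf_expand(prk, info, 32)


if __name__ == "__main__":
    # Constructed stand-ins for the two key-exchange outputs.
    classical, post_quantum = os.urandom(32), os.urandom(32)
    psk = derive_hybrid_psk(classical, post_quantum)
    print("PSK:", psk.hex())
    # Recovering only the classical secret does not reproduce the PSK.
    print(derive_hybrid_psk(classical, os.urandom(32)) != psk)
```

Because both secrets feed a single HKDF input, an attacker who later recovers only the X25519 secret from recorded traffic still lacks the ML-KEM-768 secret needed to recompute the PSK.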
Mesh networking

WireGuard P2P with DERP fallback

Direct peer-to-peer tunnels wherever NAT allows. Four global DERP relays (India, US East, Europe, US West) cover CGNAT and symmetric-NAT peers automatically.

AI policy

Natural-language ACLs

"Laptops can SSH to prod 9–6 IST." Done. Powered by Claude.

JIT access

Request · approve · auto-revoke.

ABAC policies

Rules keyed on user, tag, device posture, time of day, country, protocol, and port. Evaluated per connection.

MagicDNS & subnet routes

Every device reachable at <name>.<org>.zt.net. Advertise subnet routes · exit nodes · AWS / GCP / Azure firewall sync.

Workforce analytics

Session tracking, DEM, DLP, CASB, anomaly detection, session recording, remote desktop — all from the same agent.

SSO + SCIM 2.0

Google, GitHub, OIDC, SAML. SCIM provisioning for Okta, Azure AD. TOTP MFA. Device-bound refresh tokens.

Secrets vault

AES-256-GCM encrypted secrets with rotation policies. Integrated with the agent — no second tool to deploy.

Terraform + API

57 REST endpoints. Full Terraform provider for machines, ACLs, DNS, users. GitOps your network state.

Setup

Two minutes, not two quarters.

No bastion hosts. No certificates to rotate. No firewall-change requests. No public IPs exposed. Bring your identity provider, run one command, ship.

01

Issue one auth key

In the dashboard, create a reusable auth key that covers every device you want to enrol. Set an expiry, optional tags, and that's it.

ztna auth-key create --reusable

02

Pipe the installer everywhere

One command on Linux, macOS, and Windows. Works from shell, Ansible, Intune, Jamf, cloud-init. Detects OS, installs service, auto-connects.

curl ... | ZTNA_AUTH_KEY=tskey-auth-xxx sh

03

You're on the mesh

Every device joins your tailnet with a hybrid ML-KEM-768 + X25519 tunnel. Reachable by MagicDNS name, quantum-safe from day one.

ssh prod-db.acme.zt.net

Quantum-safe access. Free forever for 100 devices.

Built for the founder, the indie ops team, the YC batch, the Fortune 500 pilot. Upgrade to Business ($10/mo) or Workforce when you're ready — never before.

  • No credit card · no time limit
  • Self-serve SSO + SCIM
  • ML-KEM-768 on every tunnel