GigaOm Radar for Zero Trust Network Access (ZTNA) v4

Secure remote access provides numerous benefits to organizations, making it an essential component of their business operations. One of the primary advantages is that it enables employees to work from home or from any location outside the office while maintaining secure access to company resources. 

This feature has become increasingly popular in recent years, especially with the rise of remote, hybrid, and other flexible work arrangements. Moreover, secure remote access ensures that employees have continuous access to critical data and applications needed for their work, even after regular working hours. This guarantees that employees can respond promptly to urgent requests or alerts and work on important projects without being constrained by geographical or time limitations.

In the past, VPNs were the conventional means of achieving secure remote access. VPNs offered an alternative to exposing internal systems' remote access protocols, such as SSH and RDP, to the internet, where unauthorized individuals could attempt to establish a connection. By implementing a VPN, organizations gained greater control over who could access these protocols.

However, VPNs have limitations in the control they offer since they often grant authorized users excessive access to internal networks and resources. Furthermore, VPNs do not account for the context in which legitimate users access resources through the VPN.

Zero trust network access (ZTNA) addresses the limitations of VPNs by implementing an access model based on the user's identity as well as the context of the connection request. For example, each time a connection is requested, the system establishes a trusted relationship with the user, unlike VPNs, which establish trust once and do not review it again. This approach ensures access to internal networks and resources is restricted to only authorized users in specific contexts—such as location, time of day, and device type—providing enhanced security and control. By taking into account these contextual factors, ZTNA can effectively mitigate many risks that are left behind by VPNs.

This is our fourth year evaluating the ZTNA space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year.

This GigaOm Radar report examines 28 ZTNA solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading ZTNA offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

To help prospective customers find the best fit for their use case and business requirements, we assess how well ZTNA solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

• Small-to-medium business (SMB): SMBs are smaller, often locally focused companies with simpler IT requirements and limited resources. These organizations often value simplicity, ease of use, and all-inclusive approaches.

• Large enterprise: Large enterprises are organizations with significant size and complex IT needs, often with global operations and diverse user bases. These organizations often value advanced features and integrations.

In addition, we recognize the following deployment models:

• Cloud only: All resources, including applications, data, and infrastructure, are hosted in the cloud, with no on-premises components. 

• Hybrid: These use a mix of cloud and on-premises resources, allowing organizations to leverage the benefits of both, often to support legacy applications.

Table 1. Vendor Positioning: Target Market and Deployment Model

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1). 

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

• Identity verification

• Encrypted communication protocols

• Least privilege access

• Resource request context evaluation

• Centralized policy management

• Inspection and logging

• Cross-platform compatibility

• Device posture assessment

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

• Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a ZTNA solution.

• Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months. 

• Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating ZTNA Solutions.”

Key Features

• Cloud and SaaS integrations: Cloud and SaaS integrations enable ZTNA solutions to extend secure access to cloud-based applications and services, ensuring seamless and protected connectivity for users regardless of the application's deployment model. This integration capability is essential for organizations adopting cloud technologies and SaaS solutions. 

• Advanced DLP: Advanced data loss prevention (DLP) is a critical security feature that protects sensitive data by inspecting and blocking unauthorized access or sharing based on policies. Its importance lies in safeguarding organizational assets and ensuring compliance with regulatory standards in an increasingly complex threat landscape.

• Risk-based authentication: Risk-based authentication adapts authentication requirements based on contextual factors such as user behavior, device trust, and network location, providing an additional layer of security that goes beyond static authentication methods. This dynamic approach enhances security while improving user experience. 

• Unmanaged device support: Unmanaged device support enables secure access for users on personal or BYOD devices, ensuring they can work productively without compromising security. This is essential for organizations embracing remote work and BYOD policies. 

• Legacy application support: Legacy application support ensures that organizations can protect and control access to older, on-premises, and custom-built applications, providing a bridge to modern security frameworks without disrupting existing workflows. 

• Session monitoring: Session monitoring provides continuous visibility and control over user sessions, enabling security teams to detect and respond to suspicious activities or policy violations in real time. 

• Security policy customization: Security policy customization allows organizations to tailor access controls to their specific needs, ensuring security policies align with their unique risk profiles and compliance requirements. 

• IAM integration: Identity and access management (IAM) integration connects ZTNA solutions with systems to streamline user authentication and risk assessment. It enhances security by ensuring seamless access control and enabling informed, identity-based decisions to protect organizational resources.

Table 2. Key Features Comparison

Emerging Features

• SCIM protocol support: System for cross-domain identity management (SCIM) protocol support enables automated user identity management across cloud applications by facilitating provisioning and deprovisioning from a central identity store.

• Enterprise browser integration: Enterprise browser integration is an emerging capability that embeds zero trust (ZT) security policies directly into secure enterprise browsers (SEBs), enhancing user experience and control.

Table 3. Emerging Features Comparison

Business Criteria

• Scalability: Scalability refers to the solution's ability to accommodate growth and changing demands without sacrificing performance or availability. It ensures that the ZTNA solution can handle increasing user bases and resource requests as the organization expands. 

• Cost: The cost criterion considers the total expense of owning and operating the ZTNA solution, including initial implementation, ongoing maintenance, and potential hidden expenses. Transparent and justifiable costs are essential for long-term budgeting and planning. 

• Flexibility: Flexibility refers to the solution's ability to adapt to diverse deployment models, integration requirements, and customization needs, ensuring it aligns with the organization's unique structure and strategies. 

• Ecosystem: A rich vendor ecosystem enhances the ZTNA solution's capabilities and interoperability through partnerships and integrations with leading security and cloud providers. A robust vendor ecosystem is vital to a ZTNA solution, enhancing its capabilities and interoperability.

• Ease of use: The ease of use metric focuses on how intuitive and user-friendly a solution is, which will reduce administrative overhead and ensure rapid user adoption. Ease of use is vital, offering intuitive interfaces, streamlined workflows, and automated processes that simplify management and enhance user experiences. Better solutions provide self-service capabilities, empowering users to independently perform common tasks, reducing the burden on IT support. 

Table 4. Business Criteria Comparison 

The GigaOm Radar plots vendor solutions across a series of concentric rings with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for ZTNA

As shown in Figure 1, the ZTNA market reveals a dynamic industry in transition, striking a balance between established approaches and emerging technologies. The distribution of vendors across most quadrants highlights a diverse ecosystem where innovation and maturity hold value, depending on customer needs and specific use cases. The concentration of vendors in the Maturity half suggests that the market prioritizes stability and proven solutions, reflecting enterprise buyers’ preference for reliable security frameworks, especially for mission-critical applications. Yet a substantial presence in the Innovation half points to significant disruption, with newer vendors challenging traditional methods by offering more flexible and responsive solutions. A clear trend toward the Platform Play side signals market consolidation as vendors expand beyond point solutions to meet customer demand for integrated security ecosystems. This shift is evident in the clustering of vendors, particularly in the upper-right quadrant of Mature Platform Play, where established players have evolved into providers of comprehensive security platforms. 

Performance across the market varies, with outperformers found in two different quadrants of the Radar. Fast Movers, primarily positioned in the middle rings, indicate that many established vendors are actively evolving their offerings to stay competitive. The ZTNA landscape is evolving, where traditional boundaries between security categories are blurring as vendors expand their capabilities. The innovation cycle is accelerating, with Innovation/Feature Play solutions driving new approaches. Customers grapple with increasing complexity in their security requirements, fueling demand for both specialized tools and comprehensive platforms. 

The unequal distribution between Feature Play and Platform Play approaches illustrates the growth of ZTNA in new areas and outside of IT-centric use cases. The buyers in this market recognize the value in both strategies—specialized tools for atypical environments and integrated platforms for a holistic security posture. This balance reflects a healthy ecosystem where different approaches can thrive based on customer needs. Ultimately, the chart paints a picture of a vibrant ZTNA market, characterized by consolidation among established players and persistent innovation from emerging vendors, providing customers with a wide array of options to address evolving security challenges.

When reviewing solutions, it’s important to remember that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

Absolute Security: Absolute Secure Access Enterprise

Solution Overview
Absolute Security focuses on delivering comprehensive security solutions through its Secure Access portfolio. The company's flagship offering, Absolute Secure Access Enterprise, is a converged security service edge (SSE) solution that brings together multiple security capabilities including ZTNA, secure web gateway (SWG), cloud access security broker (CASB), DLP, remote browser isolation (RBI), content disarm and reconstruction (CDR), endpoint compliance, and distributed firewall.

The Secure Access portfolio consists of three distinct products: Secure Access Core, Secure Access Edge, and Secure Access Enterprise. Each has its own backplane and is available for separate purchase, though all share a common user interface. Hybrid deployment is possible with Secure Access Enterprise. Licensing options determine feature availability.

Absolute Security's approach centers on providing security, visibility, and control for organizations with diverse infrastructure environments. It supports both in-office and remote workforce security needs, especially with resilient, persistent, always-on connectivity to applications and resources in challenging, highly mobile conditions

Absolute Security is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Absolute Security scored well on a number of decision criteria, including:

• Advanced DLP: The offering provides exceptional data loss prevention capabilities through its Level 4 SWG option. The solution employs sophisticated scanning of outbound traffic to identify sensitive information such as credit card numbers and SSNs. What distinguishes its approach is the nuanced likelihood threshold system (ranging from Very Likely to Very Unlikely), with contextual analysis that recognizes how data formatting affects sensitivity. For example, properly formatted SSNs trigger stronger responses than unformatted number strings. While the DLP functionality requires the RBI add-on to inspect PDFs and Office documents thoroughly, the comprehensive approach to data protection represents a best-in-class implementation.

• IAM integrations: The solution seamlessly connects with an extensive array of authentication providers, including Entra, Okta, RSA, SafeNet, YubiKey, Duo-Security, and numerous others. This breadth of integration options enables organizations to maintain their identity infrastructure investments while implementing the tool’s security controls, supporting diverse authentication needs across enterprise environments.

• Security policy customization: The solution provides highly flexible security policy definition based on multiple variables, including user roles, device posture assessment, network zones, and application sensitivity classifications. This multidimensional approach to policy creation helps security teams address complex compliance requirements while maintaining appropriate security levels across different organizational contexts. The ability to tailor security policies to specific organizational needs represents a significant strength in the offering.

Opportunities
Absolute Security has room for improvement in a few decision criteria, including:

• Cloud and SaaS integrations: The solution's cloud provider ecosystem has limitations. While it offers secure access to popular cloud services, organizations with niche or specialized cloud requirements may find integration options limited. The depth of integration varies across supported platforms, with some offering only basic functionality rather than comprehensive feature parity.

• Legacy application support: The solution relies on TCP/IP for connectivity. Though the agent-based architecture allows connections to most legacy systems, environments with specialized non-TCP/IP protocols or highly customized legacy applications may experience compatibility issues. Implementation complexity increases significantly with certain outdated systems that require specialized configurations.

• Session monitoring: This feature provides real-time visibility, logging, and anomaly detection for user activities, supporting security and compliance needs. Despite the high score, in environments with ultra-low latency requirements, such as financial trading, the overhead of real-time monitoring could introduce delays that impact performance.

Absolute Security was classified as a Forward Mover due to its slower rate of development, as indicated by its average scores across cloud integrations, legacy application support, and session monitoring capabilities, which are key features other solutions have developed at faster rates 

Purchase Considerations
Absolute Security offers a user- or device-based licensing approach with competitive pricing, including standard support. The licensing structure appears straightforward, with additional costs for technical account managers and professional services when needed. The solution is structured as a complete ZTNA offering that scales horizontally for organizations requiring low latency and high availability across many concurrent connections. While the solution supports various use cases effectively out of the box, organizations should note that advanced customizations will require additional services, which may impact the total cost of ownership. The solution provides an intuitive interface with centralized management capabilities, though the requirement for more expertise with advanced customizations suggests some learning curve for full utilization. 

Use Cases
Absolute Security excels in financial services environments requiring robust DLP capabilities for protecting customer data and transaction monitoring. Its comprehensive authentication integration framework benefits healthcare organizations that need strong identity verification while connecting to legacy medical systems through their agent-based architecture. Government agencies customize their security policy to implement strict access controls based on clearance levels, device posture, and location. The solution's session monitoring capabilities provide the visibility needed for compliance in these highly regulated industries while supporting modern and legacy infrastructure connections.

Accops: HySecure 

Solution Overview
Accops provides security and digital workspace solutions focusing on secure remote access technologies. The company's HySecure offering is a comprehensive secure access gateway designed to enable organizations to provide controlled access to business applications and data from any device or location.

Accops HySecure manages authentication, authorization, and secure connectivity between users and corporate resources. The solution incorporates zero trust principles while providing access to both on-premises and cloud applications through a unified interface.

HySecure is part of Accops's broader workspace security portfolio, which includes complementary products for endpoint security and virtual desktop infrastructure. The solution works with these other components to provide end-to-end security for remote work scenarios.

Accops is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Accops scored well on a number of decision criteria, including:

• Advanced DLP: The solution enforces read-only access mechanisms to prevent unauthorized data copying, blocks screenshot and screen recording attempts, and implements strict clipboard usage controls. With on-the-go DLP monitoring of data transfers, the tool provides robust protection against potential data leakage across multiple channels and user interactions.

• Unmanaged device support: Flexible solutions for securely incorporating unmanaged devices are provided. The approach includes kiosk-mode access for non-administrative devices, clientless HTML5 access through their HyLite technology for RDP/SSH connections, and conditional BYOD access following context verification. This layered strategy ensures unmanaged devices can be productively utilized without compromising security.

• Security policy customization: The solution provides highly granular policy customization capabilities, enabling security teams to enforce device-specific requirements such as mandatory antivirus, implement application-level microsegmentation, and create sophisticated access restrictions based on time and geolocation parameters. This flexibility allows organizations to tailor security controls to risk management and compliance requirements.

Opportunities
Accops has room for improvement in a few decision criteria, including:

• Cloud and SaaS integrations: The solution offers a cloud provider ecosystem that’s relatively typical in this space. The SPAN technology for secure tunnels works well in standard deployments but may require additional configuration in complex network environments with specialized routing requirements.

• Risk-based authentication: Contextual MFA is reasonably well implemented but lacks some advanced behavioral analytics capabilities found in security-focused competitors. Device posture checks and geolocation factors provide standard protection, but organizations in highly regulated industries or those facing sophisticated threats may find the granularity and adaptability of risk signals insufficient for their comprehensive security requirements.

• Session monitoring: While the solution offers real-time geographical heatmaps and granular activity logs, it lacks advanced user behavior analytics and sophisticated anomaly detection. The emphasis on high availability through load balancing and active-active clusters addresses operational continuity but comes at the expense of deeper security analytics that could identify subtle threat patterns.

Purchase Considerations
Accops offers a software-based solution with minimal hardware investment, contributing to reasonable operational costs. The licensing structure appears straightforward, with out-of-the-box features that help lower ongoing maintenance expenses. Accops is a comprehensive access solution suitable for enterprise environments, supporting on-premises, cloud, and hybrid deployments. The solution can adapt to growing workloads without requiring major infrastructure changes, utilizing SPAN technology and a software-defined perimeter for scaling. From a deployment perspective, Accops provides advantages by avoiding complex network changes and enabling straightforward onboarding with minimal friction. The solution demonstrates strong flexibility by supporting access from any device (managed or BYOD) over any network type, including LAN, WAN, and mobile connections. It also accommodates various application types, including legacy systems and virtual apps, and provides clientless access for web and SaaS applications. Administrators benefit from an intuitive user interface and unified management console, allowing them to enable secure access without complex VPN setups.

Use Cases
Accops excels in enabling secure third-party contractor access with its robust unmanaged device support and kiosk-mode functionality. Healthcare organizations benefit from Accops's DLP capabilities that enforce read-only access while preventing screenshots and clipboard usage, which are critical for protecting sensitive patient data. Manufacturing environments with legacy systems find value in Accops's Layer 4-7 tunneling for RDP and SSH access, encapsulated in TLS 1.3 without requiring application modifications. These capabilities are enhanced by granular security policies that can enforce device-specific rules and application-level microsegmentation based on user contexts.

Akamai: Enterprise Application Access

Solution Overview
Akamai is a leading internet infrastructure provider known for its global content delivery network (CDN). The company offers security solutions, superior threat intelligence, and a global operations team, providing defense in depth to safeguard enterprise data and applications. Leveraging its extensive edge network to deliver the Akamai Enterprise Application Access (EAA) solution, it is a ZTNA offering that provides secure application access for organizations as well as CDN capabilities.

Enterprise Application Access is part of Akamai's broader enterprise security portfolio. It functions as a cloud-based service that connects users to applications without granting network access. The solution uses Akamai's distributed edge platform to provide secure, granular access controls while maintaining performance and delivering superior scalability and security for enterprise environments.

Akamai is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Akamai scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The solution offers seamless and secure cloud and SaaS integrations that leverage its extensive global edge network. It delivers enhanced performance and security for cloud services through its distributed architecture. Notably, the score was elevated specifically due to Akamai's impressive global footprint of points of presence (POPs), which provides proximity advantages for cloud service delivery and security enforcement worldwide.

• Legacy application support: The offering extends secure access capabilities to non-web-based applications, effectively protecting older applications without introducing additional network complexity. This enables organizations to maintain security standards across both modern and legacy applications within a unified access framework.

• IAM integration: Native connection to Akamai’s identity provider is available, as is support for major third-party providers, including Entra ID, Okta, Ping, Google, and, for multifactor authentication, Cisco DUO and native Akamai FIDO-2. Additionally, the tool supports other SAML-based identity providers through custom integrations, ensuring flexibility for diverse identity management requirements.

Opportunities
Akamai has room for improvement in a few decision criteria, including:

• Advanced DLP: Organizations with complex legacy systems might experience integration difficulties, as the unified DLP approach may not fully accommodate specialized environments without additional configuration. The lack of fine-tuning options within the ZTNA context limits customization for specific industry compliance requirements.

• Risk-based authentication: This solution may present challenges for organizations with strict separation of duties requirements or highly regulated environments where authentication decisions must follow predetermined, documented workflows rather than dynamic risk calculations. The reliance on behavioral analytics and contextual signals could also create false positives during legitimate but unusual access scenarios, potentially impacting user experience during organization-wide changes such as office relocations or network infrastructure modifications.

• Unmanaged device support: While functional, the solution’s posture assessment capabilities lack the depth found in specialized endpoint security solutions. The system effectively ensures basic security standards for BYOD scenarios, but organizations in highly regulated industries or with complex compliance requirements may find the granularity of controls insufficient for their specific needs.

Purchase Considerations
Akamai offers competitive pricing with potential volume discounts for larger deployments, making it accessible despite its enterprise-grade capabilities. The solution leverages the company’s unparalleled global architecture and distribution network, providing exceptional scalability that would be difficult for competitors to match. This positions Akamai as a comprehensive platform solution capable of handling enterprise-scale deployments. Moreover, Akamai stands out with its intuitive interface and seamless experience for both administrators and users, suggesting relatively straightforward deployment and management processes. The solution supports diverse deployment options and integrations that enhance its adaptability across different environments. Akamai maintains a robust and expanding ecosystem with numerous technology partners and integrations, creating a strong network effect for customers invested in the platform. Given these characteristics, Akamai appears well positioned for organizations seeking an established, enterprise-ready solution with global reach and simplified administration.

Use Cases
Akamai performs well in globally distributed enterprises requiring secure access to legacy applications, leveraging its extensive edge network for consistent performance across regions. Organizations with hybrid IT environments benefit from Akamai's ability to provide unified protection across cloud services and on-premises data centers without adding network complexity. The solution's strong IAM integration capabilities serve enterprises with complex identity ecosystems using multiple providers like Entra ID, Okta, and Ping, as well as Cisco DUO and native Akamai MFA multifactor authentication. These strengths make Akamai suitable for large enterprises needing to balance performance, security, and compatibility across diverse technology landscapes.

Appgate: Appgate SDP

Solution Overview
Appgate is a cybersecurity company specializing in software-defined perimeter (SDP) and zero trust network access solutions. The company has recently focused on expanding its ZTNA capabilities while maintaining its core approach to secure access management.

Appgate's solution consists of two primary components working in tandem: Appgate SDP, which provides secure access to on-premises and cloud resources, and the Zero Trust Platform, a cloud-based service offering advanced risk analysis and context-aware access controls. A distinctive aspect of Appgate's approach is its direct-routed ZTNA model, which enables secure access without requiring all traffic to route through the vendor's infrastructure.

The company focuses on secure access, emphasizing risk-based controls and broad protocol support to address diverse enterprise environments and use cases.

Appgate is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Appgate scored well on a number of decision criteria, including:

• Security policy customization: The solution utilizes "Claims"—data elements collected from user identity providers, devices, and networks—to build highly granular access policies. With 30 predefined Claims available and the flexibility to add custom ones, organizations can create precisely tailored security policies. The platform further enhances customization by integrating with external sources through Appgate ZTP or direct API calls to services like CrowdStrike, Trellix, InTune, or databases.

• Session monitoring: The provided auto-resolver functionality continuously interrogates and collects environmental metadata, enabling the solution to dynamically update access policies and entitlements in real time based on changing conditions. The platform also includes robust alerting for security-relevant events such as unauthorized port access attempts, though it doesn't perform in-line deep packet inspection.

• Legacy application support: The solution extends protection to legacy applications across cloud environments through risk-based controls and broad protocol support. A standout feature is the ability to inject multifactor authentication capabilities into unmodified legacy applications running on mainframe and midrange systems, providing modern security for traditional infrastructure.

Opportunities
Appgate has room for improvement in a few decision criteria, including:

• Advanced DLP: Currently, the solution relies entirely on a co-selling agreement with Island to deliver these features rather than offering integrated functionality. With native DLP implementation still approximately six months out on the vendor’s roadmap, organizations with immediate data protection requirements will face integration complexities and potential gaps in their security posture when implementing this solution.

• Cloud and SaaS integrations: While functional across major cloud providers, the solution’s integrations lack the depth and breadth found in more cloud-focused competitors. Its SDP and ZTP solutions provide standard access capabilities but may require additional configuration and customization for organizations with complex multicloud environments or specialized SaaS applications that fall outside mainstream providers.

• IAM integration: Organizations with highly specialized identity management systems or custom-built IAM solutions may experience integration challenges. Despite supporting multiple authentication protocols and dynamic access controls, the solution may require additional configuration work in complex hybrid identity environments or when dealing with legacy identity systems that don't conform to standard protocols.

Purchase Considerations
Appgate SDP offers software licensing that includes an option for Zero Trust Platform cloud services to deliver additional risk analysis capabilities, built on AWS for scalability and resilience. The pricing model appears straightforward, with strong value representation given the comprehensive capabilities. Appgate positions as a complete platform solution with flexible deployment models across clients and virtual/physical gateways that can scale to handle increasing user traffic and resource demands securely. The solution demonstrates exceptional adaptability with deployment models that accommodates nearly any use case, whether for users, services, containers, applications, or servers. For implementation and ongoing support, Appgate provides 24/7 support services, professional services for deployment and training, and dedicated customer success managers who assist with ongoing management and expansion needs, ensuring a smoother adoption experience.

Use Cases
Appgate SDP is particularly effective for securing legacy applications, offering risk-based access controls and multifactor authentication without requiring modifications to these critical systems. Manufacturing and utilities benefit from Appgate's comprehensive session monitoring capabilities that automatically adjust access policies based on environmental changes, enhancing operational technology security. Highly regulated industries appreciate Appgate's extensive policy customization using their Claims framework, which incorporates user, device, and network attributes while integrating with external security tools like CrowdStrike and InTune for adaptive access decisions based on real-time security postures.

Armis

Solution Overview
Armis is a leading cyber exposure management and security company. The Armis Centrix platform is purpose-built to provide comprehensive visibility, intelligence, and control across all connected assets, including managed, unmanaged, IT, OT, IoT, and medical devices. The company has expanded its capabilities with the strategic acquisition of OTORIO, enhancing its ability to secure operational technology (OT) environments and industrial systems.

Armis's secure access application leverages OTORIO's technology and expertise to deliver specialized ZTNA capabilities for industrial and operational technology environments. The solution provides secure remote access to critical infrastructure and industrial control systems, addressing the unique challenges associated with OT security and compliance requirements.

Armis is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Armis scored well on a number of decision criteria, including:

• Unmanaged device support: With its agent-free approach, the solution excels at securing unmanaged devices. It operates as a completely clientless platform, requiring no endpoint agents and allowing users to access resources from any modern browser on unmanaged devices. The platform implements credential injection via password vaults to maintain security without device management requirements. This hybrid approach of passive monitoring and customizable active querying provides organizations with accurate, real-time asset insights without disrupting operations.

• Legacy application support: The solution enables targeted access using protocols like RDP and SSH specifically designed for OT environments. It conceals IP addresses of legacy systems from direct discovery and supports NAT traversal without requiring firewall reconfiguration. This approach secures legacy systems in OT environments while eliminating VPN dependencies for access to older systems.

• Session monitoring: The solution offers a strong feature set and provides comprehensive visibility into remote activities. It delivers live monitoring of all remote sessions with recording capabilities for detailed activity tracking. Security teams can terminate suspicious connections in real time while maintaining full audit logs of connection details for compliance and security purposes. The extensive logging of user activities supports thorough forensic analysis when investigating security incidents. 

Opportunities
Armis has room for improvement in a few decision criteria, including:

• Cloud and SaaS integrations: Although the score reflects a high level of capability, there are specific instances where this feature may face limitations, such as in niche industries with SaaS applications that may not fully align with Armis’s integration framework, or in verticals with unique regulatory requirements that demand additional compliance configurations beyond the standard offering.

• IAM integration: While Armis integrates with major identity providers like Entra ID, Google Workspace, Okta, and other SAML/OIDC compliant solutions, some organizations with complex identity structures may find limitations. The inclusion of its own identity provider adds management complexity for environments with established IAM strategies. Organizations in highly regulated industries may require additional configuration and validation steps to ensure compliance requirements are met when using Armis's IAM integration capabilities.

• Security policy customization: Organizations with extremely heterogeneous IoT/OT environments may face challenges scaling policy management across thousands of unique device types. The granularity of controls provides excellent security but can potentially create management overhead when deployed across multiple business units with different security requirements or technical expertise levels. The real-time telemetry-driven approach, while powerful, can demand significant computational resources in environments with extremely high device counts or rapid state changes.

Purchase Considerations
Armis offers transparent subscription-based licensing with flexible models, including per-asset, per-site, or FTE options. The solution incorporates industry-specific adaptations such as OT site sizing, making licensing appropriate for different deployment scenarios. Service tiers range from Standard basic support to Diamond, with a dedicated resident engineer, plus optional Managed Threat Services for advanced environments. 

The solution is primarily designed for enterprises, with intentional targeting of this market segment. Armis functions as a comprehensive solution that integrates ZTNA, SD-WAN, SWG, and FWaaS into a unified cloud-delivered solution, though it lacks DLP capabilities and offers only average support for legacy applications.

The ecosystem includes strong integrations with major security vendors, including Crowdstrike, Gigamon, SentinelOne, Akamai, and Zscaler, facilitating broader enterprise adoption. The SD-WAN Connector provides connectivity to cloud and on-premises applications through Windows and Linux agents. The user experience emphasizes visual elements with simplified menus, supported by a well-structured support model with defined SLAs.

Use Cases
Armis excels in securing healthcare environments with comprehensive visibility across unmanaged medical devices and clinical systems. Its agentless approach enables protection without disrupting sensitive equipment while providing risk-based authentication for clinical access. Additionally, Armis offers strong capabilities for industrial OT/IoT security, combining its robust unmanaged device monitoring with context-aware policies that accommodate specialized operational technology requirements. Its cost-effective subscription model and enterprise focus make it particularly well suited for manufacturing organizations implementing zero trust across converged IT/OT networks. The solution's flexible deployment options support hybrid environments where both cloud and on-premises assets require unified protection.

Barracuda Networks: Barracuda SecureEdge Access

Solution Overview
Barracuda Networks is a provider of cloud-based security and data protection solutions with a focus on delivering comprehensive yet user-friendly security technologies. The company offers SecureEdge Access, a ZTNA solution that enables secure application access with dynamic, context-aware security controls.

SecureEdge Access is positioned within Barracuda's broader security portfolio as a secure access service edge (SASE) solution. The solution demonstrates flexibility in deployment, being available via SaaS, self-hosted options, or through Azure's virtual WAN, allowing organizations to select the model that best aligns with their infrastructure requirements.

Barracuda Networks is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Barracuda Networks scored well on a number of decision criteria, including:

• Session monitoring: The solution offers comprehensive monitoring capabilities. The ZTNA Dashboard provides customizable views of user session traffic, while dedicated SECURITY and WEBFILTER dashboards deliver actionable insights into security posture and compliance status. The solution captures detailed network-level data on user activities through their ZTNA framework. Additionally, it offers a complimentary Report Creator tool that enables organizations to generate detailed application usage reports by user over a three-month period, enhancing visibility into access patterns.

• IAM integration: The solution stands out with its flexible identity management options. It integrates seamlessly with leading identity providers, including Entra ID, Google Workspace, and Okta, and supports any SAML/OIDC-compliant identity provider. This broad compatibility is complemented by the inclusion of its own identity provider capability, giving organizations multiple deployment options based on their existing infrastructure.

• SCIM protocol support: The solution supports SCIM for major identity platforms, including Entra ID and Okta, enabling automated user provisioning, deprovisioning, and identity synchronization. This capability streamlines access management workflows and helps maintain consistent identity information across systems.

Opportunities
Barracuda Networks has room for improvement in a few decision criteria, including:

• Risk-based authentication: The current implementation relies on binary yes/no determinations of endpoint safety, lacking the nuanced evaluation that modern zero trust architectures require. While the company’s roadmap includes leveraging XDR agents for more granular assessments, organizations with immediate needs for sophisticated risk-based authentication will find the current capabilities insufficient for environments facing complex threat landscapes.

• Cloud and SaaS integrations: The solution requires specific agent-based implementation for cloud connectivity. The SD-WAN Connector agent approach is adequate for standard Windows/Linux environments but may create deployment complexities in diverse infrastructure settings. The vendor’s policy distinction between "public endpoint" and "internal resources" provides basic functionality but lacks the sophisticated granularity found in more advanced solutions.

• Unmanaged device support: While SecureEdge Access technically supports unmanaged devices, the solution lacks comprehensive device posture assessment and remediation capabilities needed for organizations with strict compliance requirements. Organizations in highly regulated industries may find the depth of security controls for unmanaged devices insufficient for their risk management needs.

Purchase Considerations
Barracuda Networks offers a straightforward per-seat licensing model at $6.50 USD/month with a 25-seat minimum. This transparent pricing includes ZTNA with unlimited workloads, SD-WAN Connector, and Web Security features (IPS, SSL Inspection, URL Filtering, ATP). The solution is intentionally designed and scaled for SMB and midsize enterprises and may present challenges for larger enterprises. Barracuda positions its SecureEdge as an integrated platform that combines ZTNA, SD-WAN, SWG, and FWaaS into a single cloud-delivered solution, though it has some limitations in DLP capabilities and risk-based assessments. For organizations with existing Barracuda investments, SecureEdge Site or CloudGen Firewall devices can be integrated into the SASE framework, providing a migration path. The deployment experience is enhanced with agents available for Windows, macOS, Android, iOS, and Linux from standard app stores. Barracuda includes deployment assistance and self-paced training resources with the purchase, with optional remote or on-site implementation services available for organizations requiring additional support. Their ecosystem is strengthened through partnerships with Microsoft Azure and Teridion Networks for cloud and WAN services.

Use Cases
Barracuda Networks delivers effective ZTNA capabilities for small to midsize enterprises seeking cost-efficient security without extensive complexity. The solution excels in manufacturing environments with IoT and industrial control systems through its specialized SD-WAN connector for secure device access. Organizations with established identity frameworks using Entra ID, Google Workspace, or Okta benefit from Barracuda's strong IAM integration and SCIM protocol support. The comprehensive session monitoring dashboard provides detailed visibility into user traffic and application usage, making it valuable for businesses requiring detailed audit trails for compliance without investing in separate monitoring tools.

Block Armour: Secure Shield Platform*

Solution Overview
Block Armour is a security solution provider specializing in innovative zero trust network access technologies. The company focuses on leveraging distributed ledger technology alongside traditional security approaches to deliver differentiated access control capabilities for organizations seeking advanced protection.

Block Armour’s Secure Shield Platform represents a specialized offering in the secure access market, focusing on delivering specific advanced features rather than competing as a comprehensive platform. The solution emphasizes strong authentication mechanisms and distributed security models that align with next-generation network security requirements.

The company takes a targeted approach to secure access, focusing on developing specific innovative capabilities rather than attempting to cover all aspects of secure access management. This specialized strategy allows Block Armour to address particular use cases where its unique technology provides distinct advantages.

Block Armour is positioned as a Challenger and Forward Mover in the Innovation/Feature Play quadrant of the ZTNA Radar chart.

Strengths
Block Armour scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The platform implements SDP architecture to enhance cloud application security. It provides zero trust access controls combined with encrypted connectivity for cloud applications, establishing a security foundation for organizations adopting cloud services.

• Legacy application support: The Secure Shield Platform can be implemented either on-premises or in cloud environments, enabling risk-based zero trust access controls and device posture checks specifically designed for TCP applications, including UNIX systems. This capability helps extend modern security practices to traditional infrastructure.

• Unmanaged device support: The solution implements risk-based zero trust access policies with integrated device posture checks while also supporting clientless access capabilities from unmanaged endpoints to cloud applications. This balanced approach helps organizations accommodate diverse access scenarios while maintaining security standards.

Opportunities
Block Armour has room for improvement in a few decision criteria, including:

• Advanced DLP: The solution lacks some data protection capabilities. While DLP functionality is integrated into the SSE feature set, these capabilities are rudimentary and lack the sophistication needed for organizations with complex data protection requirements. Companies in regulated industries or those handling sensitive data may find the basic DLP features insufficient for compliance requirements and comprehensive data security governance.

• IAM integration: The vendor's preference for its proprietary blockchain-based identity solution leaves room for improvement in this area. While the solution can integrate with SAML-based identity providers, these implementations require custom integrations that increase deployment complexity and potential maintenance overhead. Organizations with established identity ecosystems may face challenges incorporating Block Armour into their existing authentication frameworks without significant additional configuration work.

• Session monitoring: The solution provides good blockchain session logging capabilities, but limitations exist in the breadth of monitoring capabilities. While the tamper-proof blockchain logging and SIEM integration provide solid foundational monitoring, organizations with requirements for advanced user behavior analytics or sophisticated anomaly detection may find the depth of monitoring capabilities insufficient for detecting subtle threat patterns or conducting comprehensive forensic investigations.

Block Armour was classified as a Forward Mover given its relatively slow rate of development in the zero trust space. While its blockchain-based approach offers innovative potential, the current implementation shows limited advancement in core capabilities compared to market leaders. 

Purchase Considerations
Block Armour offers a unified zero trust network access software solution sold globally through partners and cloud marketplaces. The licensing approach covers on-premises, cloud, and remote access environments through a single offering, suggesting a streamlined SKU structure. Its Secure Shield product appears positioned as a feature solution that provides unique zero trust access capabilities without requiring network overhauls, potentially appealing to both SMB and enterprise customers seeking implementation without significant infrastructure changes. From a deployment perspective, Block Armour utilizes a centralized policy controller with distributed gateways and agents in customer environments, supporting both vertical and horizontal scaling through additional compute resources when needed for high availability. The solution has been deployed globally for over five years, indicating market validation, and comes with training and support resources for integration. While the solution offers core integrations with Active Directory/Azure AD for SSO, SMTP for notifications, and CEF log forwarding to SIEMs, the lower ecosystem score suggests limited third-party integrations beyond these essentials, which may require consideration by organizations with complex integration requirements.

Use Cases
Block Armour provides effective security for organizations requiring tamper-proof audit trails through its unique blockchain-based session logging capabilities. Financial institutions benefit from this immutable recordkeeping while connecting distributed branch offices to central systems. Manufacturing companies with mixed legacy and modern applications appreciate Block Armour's unified zero trust approach that works across both environments without requiring network redesign. The solution's on-premises deployment option appeals to organizations in regulated industries with data sovereignty requirements that need consistent security controls across hybrid environments while maintaining control over their security infrastructure.

Bowtie: Bowtie Private Access

Solution Overview
Bowtie delivers zero trust network access capabilities through a distinctive decentralized SaaS delivery model. The company focuses on providing specific secure access functionalities rather than attempting to serve as a comprehensive security solution.

Bowtie Private Access functions as part of its Bowtie SASE solution, delivering targeted zero trust capabilities through a unified interface and data plane. While integrated into this wider security framework, the Private Access functionality can be purchased separately for organizations seeking specific ZTNA capabilities.

Bowtie takes a focused approach to secure access, emphasizing its decentralized architecture that differentiates it from competing offerings in the market, particularly addressing use cases where traditional centralized ZTNA approaches may present limitations.

Bowtie is positioned as an Entrant and Forward Mover in the Innovation/Feature Play quadrant of the ZTNA Radar chart.

Strengths
Bowtie scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The solution’s controllers are vendor agnostic and can be deployed within various cloud service provider environments, offering organizations flexibility in their cloud strategy. This enables security teams to maintain consistent controls across different cloud environments without being locked into specific providers.

• Session monitoring: The solution tracks fundamental session data, including user identity, accessed resources, timing information, bandwidth consumption, and session duration. It also offers optional tracking features such as monitoring when Bowtie access is paused, providing basic visibility into user activities and resource utilization patterns.

• Security policy customization: The platform allows for policy stacking and the creation of rules based on user groups, device types, and conditional parameters. The vendor has expanded the solution’s policy deployment flexibility within the past year, increasing its range of potential use cases and deployment scenarios.

Opportunities
Bowtie has room for improvement in a few decision criteria, including:

• IAM integration: The solution offers a limited integration ecosystem. While it supports any SAML 2.0 compliant identity provider, the lack of a robust catalog of ready-to-deploy integrations creates additional implementation work for organizations. The lack of mature, preconfigured connections means security teams must invest more resources in setting up and maintaining identity integrations, potentially extending deployment timelines and increasing operational overhead.

• Unmanaged device support: Notable gaps exist in the vendor’s mobile strategy. With Android support still in beta, organizations with significant Android mobile workforces face limitations. While the application of consistent security policies across managed and unmanaged devices is beneficial, companies in BYOD environments that heavily rely on mobile access may find the current implementation insufficient for their operational needs.

• Legacy application support: The solution is dependent on TCP/IP protocols. While this covers most legacy applications, organizations with highly specialized applications or non-TCP/IP protocols will encounter compatibility issues. The generic approach to legacy application support lacks optimizations for specific application types that could improve performance and security for commonly used legacy systems.

Bowtie was classified as a Forward Mover given its average scores in legacy application support and unmanaged device capabilities, and below average scores in IAM integration. These lower scores are a result of the slower than typical development rate. However, the recent expansion of platform support (with mobile capabilities in beta) indicates a commitment to addressing gaps in their unmanaged device strategy. 

Purchase Considerations
Bowtie utilizes a straightforward licensing model with a platform fee plus per-user charges. Their deployment approach requires installing controllers within private networks and agents on end user devices, which creates scalability challenges atypical for this market segment. While agents can be deployed via MDM or manually, this requirement across locations represents a potential hurdle for organizations seeking rapid deployment. The solution is positioned for various use cases, with particular strength in security-sensitive environments such as aerospace, financial services, retail, manufacturing, and healthcare sectors. Organizations should note the limited integration ecosystem, which currently supports only Okta, Azure, and Terraform, though improvements are in development. Bowtie demonstrates strength in user experience with improved administrative interfaces and greater transparency for end users compared to previous versions. The support structure includes rapid response capabilities, comprehensive documentation, and training resources as needed, potentially offsetting some of the deployment complexity for organizations with limited technical resources.

Use Cases
Bowtie delivers effective security for organizations with specific private network access requirements across multiple locations, leveraging its controller-within-network deployment model. Manufacturing companies benefit from Bowtie's legacy application support for any TCP/IP-based protocol, enabling secure access to proprietary production systems. Healthcare providers appreciate the solution's extensive device support across Windows, MacOS, Linux, and ChromeOS platforms with consistent security policy application. The solution's simplified user experience with transparent authentication makes it particularly valuable for organizations seeking to balance security requirements with minimal workflow disruption for clinical staff and administrators.

Broadcom: VeloCloud SD-Access

Solution Overview
Broadcom is a major technology infrastructure provider that offers networking and security solutions, including, with the acquisition of VMware, the VeloCloud portfolio. The company focuses on delivering enterprise-grade connectivity and security technologies for distributed organizations.

VeloCloud SD-Access is a cloud-managed remote access solution that enables secure connectivity for remote workers and devices. The solution creates a private network fabric connecting servers, clouds, and remote endpoints without requiring hardware edges. VeloCloud SD-Access operates as part of Broadcom's broader networking portfolio, with particular integration capabilities with VeloCloud SD-WAN.

Broadcom takes a comprehensive approach to secure access, emphasizing both performance and security through end-to-end encryption and zero trust principles while maintaining integration with existing infrastructure investments.

Broadcom is positioned as a Leader and Outperformer in the Innovative/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Broadcom scored well on a number of decision criteria, including:

• Risk-based authentication: The solution provides access through the use of multifactor authentication, device posture assessment, and user context evaluation. The system continuously monitors these authentication factors and dynamically adjusts access privileges based on real-time monitoring results. The vendor is enhancing these capabilities with a planned risk-scoring system that will incorporate multiple data sources, including device posture, Edge Intelligence (AIOps), SD-WAN Edge Firewall Services, and SSE data.

• Security policy customization: VeloCloud SD-Access evaluates and enforces customized security policies for zero trust remote access, with the ability to tailor policies for specific users or groups. The system incorporates multiple authentication methods and analyzes contextual factors like user location, access time, and device characteristics to determine the legitimacy of access requests. Its device posture assessment examines security elements including software patches, antivirus status, encryption, and policy adherence, while OS type detection can restrict access to specified operating systems.

• IAM integration: VeloCloud SD-Access integration with identity providers through SSO, OAuth 2.0, and SAML protocols ensures secure authentication and identity lifecycle management. The system synchronizes with Active Directory, Azure AD, Okta, and other IAM platforms to enable centralized identity management. Additional security measures include role-based access control (RBAC), multifactor authentication, continuous user session validation for anomaly detection, and automatic access revocation when users depart or permissions change.

Broadcom was classified as an Outperformer given its strategic acquisitions, including Symantec Enterprise and VMware, which have significantly expanded the application of ZTNA security controls. Its accelerated integration of these technologies into its ZTNA solution and ambitious roadmap for comprehensive risk scoring and analytics position the company to rapidly advance its market standing in the coming year.

Opportunities
Broadcom has room for improvement in a few decision criteria, including:

• Unmanaged device support: While the solution provides adequate agent-based support with controlled onboarding and microsegmentation, it currently lacks support for agentless unmanaged devices. This gap creates substantial challenges for organizations seeking browser-based access options and those with contractors or partners who cannot install agents. The requirement for agent installation on all unmanaged devices limits flexibility in temporary access scenarios.

• Session monitoring: The current implementation of this feature set focuses primarily on connection logging rather than advanced analytics. While the solution records all remote connections and denied access attempts, it lacks sophisticated user behavior analytics and anomaly detection. 

• Advanced DLP: Despite strong DLP capabilities, the solution’s implementation through PAC file redirection creates potential performance impacts. While the integration with Symantec Enterprise Cloud enables thorough inspection, this approach may introduce latency in high-volume environments. Organizations with latency-sensitive applications or dispersed global workforces may experience user experience degradation when DLP inspection is fully enabled.

Purchase Considerations
Broadcom's VeloCloud SD-Access features a transparent user- and machine-based licensing structure, where each user can access up to five devices, while machine and IoT devices require individual licenses. A pool licensing option is available for organizations preferring concurrent user access with one device per user. The distributed architecture with cloud-hosted management plane and data plane (Relays) enables quick deployment and effective scaling. This positions it as a comprehensive platform solution suitable for organizations seeking unified management of both branch and remote access networks. The solution demonstrates particular strength in multicloud, peer-to-peer, contractor, machine, and specialized desktop access scenarios. Its ecosystem integration is exceptional, with out-of-the-box posture checks for major security vendors, including Microsoft Defender, Sophos, Carbon Black, Hysolate, Cybereason, and OPSWAT, along with robust API availability and excellent identity provider support. For implementation and ongoing operations, Broadcom offers comprehensive support services, including deployment assistance, performance analysis, and training, backed by 24/7 global support. This unified support approach enhances customer confidence and streamlines the deployment experience.

Use Cases
Broadcom excels in securing highly regulated industries where complex authentication requirements intersect with legacy application access needs. Healthcare organizations benefit from its advanced risk-based authentication capabilities that continuously evaluate user context while connecting to critical medical systems. Financial institutions leverage Broadcom's sophisticated DLP functionalities through secure web gateway integration for sensitive transaction protection. The solution's strong IAM integration capabilities make it valuable for enterprises with mature identity frameworks needing to extend zero trust principles to diverse application environments while maintaining unified security policies across cloud and on-premises deployments.

Check Point: Harmony SASE Private Access

Solution Overview
Check Point is a cybersecurity provider with a broad portfolio of security solutions for organizations of all sizes. The company's Harmony SASE Private Access offering serves as their ZTNA solution within their broader security ecosystem.

Harmony SASE Private Access is a cloud-native service that functions as part of Check Point's Harmony suite, delivering secure access capabilities alongside other security controls. The solution connects users to resources through a proprietary agent that supports multiple device types (Windows, Mac, Linux, ChromeOS, Android, and iOS), as well as agentless methods for enforcing granular access policies while providing additional security layers like web filtering and malware protection.

Check Point adopts a holistic strategy for secure access by combining ZTNA features with extensive security measures via a centralized management console, streamlining administration across varied environments.

Check Point is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Check Point scored well on a number of decision criteria, including:

• Risk-based authentication: The solution constantly evaluates device parameters to verify compliance with access policies, including checks for running antivirus software, registry key settings, and disk encryption status. Organizations can fine-tune security by configuring the time intervals for these device checks, providing a balance between security and operational efficiency.

• Session monitoring: The solution offers a range of comprehensive logging and analysis capabilities that collect and analyze detailed user session logs and security events, capturing extensive contextual information. The logs include connecting devices, user identities, device posture status, network usage, destination applications, and accessed assets, providing rich visibility into user access patterns and potential security concerns.

• Security policy customization: The solution enables security teams to create tailored policies based on users/groups, device types, traffic types, and destination types. The solution's documentation notes that once fully integrated into their SASE architecture, this capability could potentially achieve top-tier status if it performs as expected.

Opportunities
Check Point has room for improvement in a few decision criteria, including:

• Cloud and SaaS integrations: Secure tunnels are established for public cloud and SaaS platforms, but this implementation lacks differentiation from industry standards. Organizations with complex multicloud environments or those requiring specialized integrations with niche SaaS applications may find the current capabilities adequate but basic, potentially requiring additional configuration work for advanced use cases.

• Advanced DLP: Despite the solution providing visibility into standard sensitive data types and supporting custom definitions, organizations with sophisticated data governance requirements may find limitations in the depth of content inspection and automated remediation workflows. Moreover, its GenAI protection capabilities may not address the full spectrum of emerging AI-driven data leakage scenarios that cutting-edge enterprises face.

• Legacy application support: The solution covers essential protocols like RDP, VNC, and SSH, and its native support for the RDP protocol without requiring an agent is advantageous. However, organizations with specialized legacy applications beyond these standard protocols may encounter compatibility challenges if using only the agentless access method (agent based methods support more applications and protocols). The solution may require additional configuration or customization for complex legacy environments with proprietary protocols.

Purchase Considerations
Check Point offers its ZTNA solution as a subscription, seamlessly integrated into its broader SASE offering—suggesting a unified, streamlined approach to licensing within its broader security portfolio. The architecture is deployed as dedicated customer instances within Check Point's PoPs, with agents deployed on managed devices. This approach enables scalability to support growing numbers of user connections as organizational needs evolve. The solution is positioned as a comprehensive platform that implements zero trust methodology with least privilege access and microsegmentation capabilities across on-premises, cloud, and hybrid/multicloud environments. A particular strength lies in its ecosystem integration, with comprehensive support for leading identity providers, SCIM, major public clouds, and APIs for third-party orchestration tools and SIEMs. For organizations considering implementation, Check Point provides a robust support structure, including onboarding assistance, ongoing support, extensive learning materials, and access to a dedicated technical account manager. This comprehensive support package suggests a commitment to successful deployment and operation, potentially offsetting any complexity in initial setup for organizations with limited internal resources.

Use Cases
Check Point delivers strong, continuous risk evaluation capabilities that benefit organizations with dynamic security requirements. Financial institutions utilize Check Point's comprehensive session monitoring to maintain detailed audit trails tracking users, devices, and accessed assets. Healthcare providers appreciate the browser security approach that offers DLP, antiphishing, and malware protection without requiring specialized browsers. The solution's flexibility across on-premises, cloud, and hybrid environments with microsegmentation capabilities serves organizations implementing zero trust architectures while maintaining compatibility with existing infrastructure investments. Government agencies leverage Check Point's extensive ecosystem integrations for seamless incorporation into complex security frameworks.

Cisco: Secure Access

Solution Overview
Cisco is a leading networking and security technology provider with a comprehensive portfolio that spans infrastructure, collaboration, and cybersecurity offerings. The company's Secure Access solution represents its ZTNA capabilities within its broader security ecosystem.

Cisco Secure Access is an integrated component of Cisco's security portfolio rather than a standalone offering. The solution enables context-aware access control based on various factors, including user identity, device posture, and environmental conditions, allowing organizations to implement dynamic security policies across diverse application environments.

Cisco adopts a thorough strategy for secure access, focusing on seamless integration with current Cisco infrastructure investments and ensuring compatibility with its overarching security framework to meet enterprise-wide access management requirements.

Cisco is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Cisco scored well on a number of decision criteria, including:

• IAM integration: The solution seamlessly integrates with SAML-based SSO identity providers, including industry leaders Microsoft Entra ID and Okta. It further enhances identity management through SCIM protocol support for automated user provisioning with Meraki Cloud Auth, Entra ID, and Okta. Cisco's web application authentication works through SAML IdP redirection, while its clientless ZTNA implementation on Cisco Firewalls maintains compatibility with SAML identity providers.

• Legacy application support: Protocol tunneling and proxy services are employed to provide secure access to legacy applications without requiring modifications to the applications themselves. This approach enables organizations to extend zero trust principles to their entire application portfolio, including older systems that may not support modern authentication methods natively.

• Session monitoring: The solution implements comprehensive real-time session monitoring capabilities, aligning with best security practices. This approach provides visibility into user activities and access patterns, enabling security teams to detect potential threats and policy violations as they occur.

Opportunities
Cisco has room for improvement in a few decision criteria, including:

• Advanced DLP: The reliance on cloud-based processing for content inspection and machine learning classification could conflict with regulations mandating local data storage and processing, potentially requiring custom configurations. Additionally, in highly specialized industries like healthcare or legal sectors, the predefined DLP policies and AI-based classification might not fully align with niche data types or custom compliance needs, necessitating manual policy adjustments. 

• Unmanaged device support: While basic security policy enforcement and temporary access methods are available, organizations with significant contractor workforces or BYOD programs may find the reduced control problematic for maintaining consistent security postures. The solution provides functional access for unmanaged devices but lacks the comprehensive device posture assessment and remediation capabilities necessary for high-security environments.

• SCIM protocol support:. Despite the SCIM implementation efficiently handling standard user lifecycle management tasks, organizations with complex identity architectures or custom-built systems may encounter synchronization challenges. The solution works well with mainstream cloud applications but may require additional configuration and customization for specialized or legacy identity environments.

Purchase Considerations
Cisco’s licensing approach balances features and cost, offering long-term efficiency despite potentially higher initial implementation costs. The solution appears suitable for organizations of all sizes, seamlessly supporting large-scale deployments across distributed environments with the capacity to handle vast numbers of users, devices, and applications. This positions Cisco as a comprehensive platform offering rather than a feature-specific tool. Cisco benefits from its robust ecosystem that facilitates integration with other Cisco solutions and third-party products, creating a cohesive security posture across environments. This integration advantage may be particularly valuable for existing Cisco customers looking to expand their security infrastructure. The administrative experience includes intuitive management interfaces with comprehensive documentation and training resources that make the solution accessible to IT teams, though not exceptional in this regard. While Cisco demonstrates strong use case applicability overall, potential customers should note its limitations in unmanaged device support, which may impact organizations with significant BYOD requirements or contractor access needs. This consideration is particularly relevant for modern hybrid work environments requiring flexible access controls.

Use Cases
Cisco delivers strong security policy customization capabilities that benefit organizations implementing granular, context-based access controls across complex environments. Global enterprises leverage Cisco's exceptional scalability to maintain consistent security posture across distributed locations. Healthcare providers utilize the solution's legacy application support for connecting remote clinicians to critical medical systems without requiring application modifications. Financial institutions benefit from Cisco's risk-based authentication that addresses security challenges based on user behavior, device posture, and location while maintaining compliance requirements. The robust ecosystem integration simplifies deployment in environments with existing Cisco infrastructure investments.

Citrix: Citrix Secure Private Access

Solution Overview
Citrix is a major technology provider specializing in virtualization, networking, and digital workspace solutions. The company leverages its established position in these markets to deliver secure remote access capabilities with particular emphasis on hybrid work environments.

Citrix Secure Private Access represents the company's ZTNA offering within the broader Citrix platform. This solution enables secure access to both self-hosted and SaaS applications, functioning as a modern alternative to traditional VPNs. The technology employs connector appliances that create outbound control channels to the organization's Citrix Cloud tenant, enabling VPN-less access to on-premises web applications.

Citrix’s approach to secure access focuses on seamless integration with existing Citrix infrastructure and alignment with its overarching digital workspace vision to provide smooth user experiences while bolstering security.

Citrix is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Citrix scored well on a number of decision criteria, including:

• Risk-based authentication: The solution delivers exceptional risk-based authentication capabilities powered by advanced analytics that continuously evaluate access requests. The platform implements dynamic, risk-adaptive authentication requirements that adjust security controls based on real-time risk assessment, creating a responsive security posture that balances protection with user experience.

• Security policy customization: Granular and extensively customizable security policies with inheritance mechanisms that streamline administration are a core capability of this solution. The platform's automation and scalable orchestration abilities enhance policy management, allowing security teams to implement sophisticated controls that adapt to complex enterprise environments without creating administrative overhead.

• Enterprise browser integration: The solution provides enhanced security controls through its Google Chrome Enterprise Premium integration, demonstrating the company’s commitment to browser-based security and interoperability with leading technologies. This integration with Citrix Secure Private Access provides secure browsing environments for Windows, Mac, and Linux endpoints, which includes faster zero-day responses.

Opportunities
Citrix has room for improvement in a few decision criteria, including:

• Advanced DLP: Organizations with hybrid infrastructure or complex application landscapes may experience implementation challenges. The SSL offload process, while effective for inspection, can introduce performance overhead in high-throughput environments or with latency-sensitive applications. The Chrome Enterprise Premium integration delivers robust DLP functionality, but organizations with diverse browser requirements may encounter inconsistent protection. 

• Legacy application support: While Citrix provides access mechanisms for legacy Windows applications through its virtualization technology, organizations with highly specialized or custom-developed legacy applications may encounter compatibility challenges requiring additional configuration or workarounds. The automatic routing between modern web applications and legacy applications through different rendering engines creates a functional solution but may introduce performance variability depending on network conditions and application complexity. Resource-intensive legacy applications might experience performance limitations when rendered through the HDX engine, particularly in environments with constrained bandwidth or high-latency connections.

• IAM integration: While Citrix provides comprehensive user authentication with multiple identity providers, the more limited options for administrative authentication create potential management complexity. Organizations heavily invested in Okta or on-premises Active Directory for administrative access will need to maintain separate identity management approaches for Citrix administration. The discrepancy between user and administrative authentication options may create challenges for organizations implementing consistent identity lifecycle management processes.

Purchase Considerations
Citrix offers competitive pricing with flexible licensing options, and premium support is free if organizations require enhanced assistance. The solution is designed to scale efficiently with horizontal scaling capabilities, flexible deployment options, and high availability configurations to handle high traffic volumes. Citrix appears positioned as a comprehensive solution that can adapt to diverse needs through granular access controls and legacy application support. It provides deployment flexibility, ensuring a customizable experience. Additionally, a strong unmanaged device support paradigm enables secure remote access for fringe use cases. The solution benefits from a robust vendor ecosystem that integrates with leading cloud, security, and identity providers, enhancing its functionality and adaptability in complex environments. A particular strength lies in its user experience, with a highly intuitive interface that simplifies deployment, configuration, and management for both end users and IT administrators. Recent improvements include an expanded catalog of mature integrations and additional capabilities with Chrome Enterprise Browser, which further streamlines the user experience for organizations standardized on Chrome.

Use Cases
Citrix excels in regulated industries that require strong risk-based authentication capabilities, addressing security challenges dynamically based on user behavior and context. The Citrix Secure Private Access integration with Chrome enterprise Premium provides organizations with consistent security controls across diverse endpoints without requiring specialized configuration. Its exceptional security policy customization enables healthcare providers to implement granular access rules based on clinical roles, device posture, and data sensitivity. The solution's intuitive interface and comprehensive session monitoring capabilities benefit financial institutions needing to balance user experience with compliance requirements while maintaining visibility across distributed environments.

Cloudbrink: The Cloudbrink Service

Solution Overview
Cloudbrink is a security and networking provider focused on delivering high-performance zero-trust access solutions for the hybrid workforce. The company differentiates itself through its emphasis on combining enterprise-grade security with optimized performance for remote workers.

The Cloudbrink Service (also marketed as High Performance ZTNA or Personal SASE) is the company's core offering, delivering a software-based access solution through several key components. These include the Brink App for user devices, FAST Edges (Flexible, Autonomous, Smart, and Temporal software-defined edges), the proprietary Brink Protocol for traffic optimization, and Connectors for secure access to internal resources. Together, these components provide a comprehensive and secure access architecture.

Cloudbrink employs a targeted strategy for secure access, prioritizing performance enhancement via their adaptive edge infrastructure while upholding zero trust principles and incorporating cutting-edge security methods such as the Automated Moving Target Defense.

Cloudbrink is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Cloudbrink scored well on a number of decision criteria, including:

• Session monitoring: The solution tracks detailed session metrics, including login timestamps, total session duration, and timeout status. The platform collects extensive endpoint data such as OS information, agent versions, and geolocation, while also calculating endpoint quality of experience (QoE) scores, a function of measuring packet loss and packet recovery. Application-specific monitoring captures accessed SaaS and datacenter applications, application throughput measurements, and data transfer metrics. This robust monitoring framework supports system health tracking and enables alert triggering based on collected metrics.

• Unmanaged device support: The vendor implements zero trust security with user MFA, device posture assessment, and role/context-based access controls tailored to unmanaged endpoints. The platform intelligently differentiates between device types, providing full access to managed devices while restricting access to unmanaged ones based on contextual information. Cloudbrink enforces security requirements for BYOD scenarios, including active security products, posture assessment checks, and compliance enforcement, by blocking or quarantining noncompliant devices.

• Legacy application support: Cloudbrink’s architecture features independent Zero-Trust Security and Application Performance acceleration stacks that function regardless of application capabilities or protocols. This design enables the platform to apply the same security and performance enhancements to legacy applications.

Opportunities
Cloudbrink has room for improvement in a few decision criteria, including:

• Enterprise browser integration: While the solution supports third-party secure browsers and applies performance acceleration and zero trust access controls to them, organizations seeking a comprehensive security solution with integrated browser capabilities may face additional implementation complexity when integrating Cloudbrink with their chosen enterprise browser.

• Risk-based authentication: Cloudbrink relies heavily on third-party systems for risk assessment rather than developing native capabilities. By depending on IDPs and CrowdStrike for risk scoring, the solution creates potential security gaps if these external systems fail or if integrations are disrupted. Although the ability to integrate with various frameworks provides flexibility, organizations with complex risk assessment requirements may find the dependency on external risk scoring mechanisms limiting, especially in environments that require unified, consistent security controls.

• IAM integration: Cloudbrink takes a SAML 2.0-based integration approach. While this standard protocol enables interoperability with most identity providers, the solution lacks the depth of prebuilt integrations and specialized connectors that would streamline deployment in complex identity environments. Organizations with nonstandard identity architectures or specialized authentication requirements may find additional configuration work necessary to achieve optimal integration. 

Purchase Considerations
Cloudbrink offers exceptional transparency in its licensing with a single Named-User license that covers all capabilities without restrictions on FAST edges, connectors, or bandwidth. Each license supports up to five devices per user, mirroring familiar SaaS models like Microsoft Office 365 and Salesforce. This straightforward approach eliminates hidden costs, with all support and onboarding included for customers and incentives based on term duration and license volume. As a 100% cloud-native SaaS solution, Cloudbrink enables rapid onboarding in minutes through its web-based management portal, with horizontal scaling capabilities to maintain performance as an organization grows. The solution demonstrates flexibility by supporting all popular use cases while delivering insights beyond typical offerings through additional high-fidelity telemetry, making it particularly suitable for latency-sensitive applications where other ZTNA solutions may struggle. Cloudbrink's ecosystem integrates with identity providers supporting SAML 2.0, Microsoft Conditional Access, and CrowdStrike for device posture assessment. The platform also facilitates transition from IPSec-based legacy VPN to TLS 1.3-based ZTNA, supporting organizations in their security modernization journey. Administrative experience benefits from simplified product configurations, intuitive UI/UX, and comprehensive documentation.

Use Cases
Cloudbrink excels in supporting distributed workforces with latency-sensitive applications through its unique acceleration capabilities that enhance performance while maintaining security. International organizations benefit from CloudBrink's comprehensive unmanaged device support that applies zero trust controls while enabling secure access from various endpoints. Manufacturing industries appreciate the solution's protocol-agnostic approach to legacy application support that maintains performance optimization regardless of application age. The extensive session monitoring provides organizations with detailed visibility into user experience metrics, connection quality, and application performance, making it valuable for businesses requiring both security and optimal application delivery across global operations.

Cloudflare: Cloudflare One

Solution Overview
Cloudflare is a global network security and performance provider known for its content delivery network and cybersecurity services. The company leverages its vast global network to deliver secure access capabilities alongside its broader security and performance offerings.

Cloudflare One functions as the company's ZTNA solution, providing secure application access through context-aware controls. The solution can be purchased independently from Cloudflare's other security offerings such as Cloud One (SASE) and Cloudflare Zero Trust (SSE), allowing organizations to adopt components that align with their specific requirements.

Cloudflare uses a targeted strategy for secure access, prioritizing the fusion of ZTNA features with its robust global network infrastructure to ensure dependable application connectivity, especially excelling in accommodating unmanaged devices.

Cloudfare is positioned as a Leader and Forward Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Cloudflare scored well on a number of decision criteria, including:

• Risk-based authentication: Cloudflare provides a sophisticated adaptive authentication system. The solution intelligently adjusts authentication requirements based on multiple risk factors, including user behavior patterns, device posture assessments, and network location information. The platform leverages advanced machine learning capabilities to detect anomalous access attempts and dynamically adjust authentication challenges accordingly, creating a security model that responds to changing risk conditions.

• Session monitoring: The solution provides real-time monitoring of user behavior during ZTNA sessions, enabling security teams to detect anomalies, ensure compliance with security policies, and effectively manage security risks. This continuous monitoring approach creates a foundation for detecting potential threats or policy violations as they emerge.

• IAM integration: The platform integrates seamlessly with all SAML and OIDC compliant identity providers as well as most OAuth providers. It explicitly supports major identity platforms, including Centrify, OneLogin, and Ping Identity, while also enabling authentication via AWS IAM Identity Center through SAML integration. Additionally, it allows authentication using AWS credentials via direct AWS IAM integration, providing flexible options for diverse identity infrastructures. 

Opportunities
Cloudflare has room for improvement in a few decision criteria, including:

• Advanced DLP: The solution offers a balanced approach that prioritizes breadth over depth. While it provides context and content-aware inspection with flexible policy controls, organizations with sophisticated data protection requirements may find limitations in the granularity of content analysis. The reliance on integration with third-party DLP solutions for advanced use cases creates additional implementation complexity and potential gaps in coverage for organizations seeking a unified security approach.

• Legacy application support: The solution provides inconsistent performance across different legacy technologies. While it offers both agent-based and agentless options with protocol translation capabilities, organizations with highly specialized or proprietary legacy systems may encounter compatibility challenges. The implementation complexity increases significantly with certain legacy applications, potentially requiring additional configurations or customizations that could impact deployment timelines.

• Security policy customization: The platform’s policy framework offers standard granular controls such as role-based access, device posture checks, and MFA, providing a solid foundation for access security. However, organizations with complex compliance mandates or highly specialized access needs may encounter limitations. While effective for common business scenarios, the framework can become difficult to manage in environments requiring fine-tuned policy customization or adherence to strict regulatory conditions. 

Cloudflare was classified as a Forward Mover due to its slower rate of development in new features like advanced DLP, which is growing in popularity. Additionally, its legacy application support and the ability to customize security policy has had no significant development in the last year, allowing peers to outpace them in these categories.

Purchase Considerations
Cloudflare offers competitive pricing with flexible licensing options, though premium support services come at an additional cost. The solution leverages Cloudflare's global network and cloud-native architecture to deliver exceptional scalability with multi-region support and autoscaling capabilities, making it suitable for organizations of all sizes with unpredictable growth patterns. This positions Cloudflare as a comprehensive platform solution rather than a feature-specific offering. The solution demonstrates good flexibility by supporting diverse use cases and deployment models with multiple access modes, though it does not stand out exceptionally in this area compared to market leaders. Cloudflare benefits from a strong vendor ecosystem with established official partnerships, providing solid integration capabilities for common enterprise environments, though there remains room for further expansion and deeper integrations with specialized systems. The administrative experience is streamlined through a user-friendly management interface that enhances adoption and day-to-day operations, though not exceptionally differentiated from competitors. Organizations considering Cloudflare should weigh its extraordinary scalability against their specific requirements for flexibility and ecosystem integration depth.

Use Cases
Cloudflare excels in securing globally distributed organizations through its extensive network architecture and exceptional scalability. Financial institutions benefit from the solution's risk-based authentication capabilities that adapt security challenges based on user behavior, device context, and location data. The comprehensive session monitoring functionality provides organizations with real-time visibility for compliance and security risk management across diverse environments. For enterprises with established identity frameworks, Cloudflare's strong IAM integration with SAML and OIDC providers enables consistent security implementation while extending protection to both modern and legacy applications through its flexible access methods.

Ericsson: NetCloud SASE ZTNA

Solution Overview
Ericsson delivers secure access capabilities through its NetCloud SASE offering, with ZTNA functioning as a key component of this integrated security and networking suite. The company leverages its telecommunications expertise and its Cradlepoint acquisition to deliver security solutions with particular strengths in cellular-connected environments.

NetCloud SASE ZTNA offers ZTNA functionality that can be purchased separately from other components in the SASE suite. The solution supports multiple deployment options, including customer-hosted (requiring NetCloud Exchange Service Gateway and ZTNA user licenses), cloud-delivered (utilizing Ericsson's global network of 50 distributed PoPs), and hybrid approaches combining both models. Management is handled through NetCloud Manager, the same interface used for Cradlepoint Wireless WAN routers.

Ericsson takes a distinctive approach to secure access, emphasizing integration with cellular connectivity and employing isolation technologies, including remote browser isolation and reverse RBI (clientless ZTNA), to protect applications from unmanaged devices.

Ericsson is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Ericsson scored well on a number of decision criteria, including:

• Security policy customization: The solution provides a comprehensive security policy framework. It offers device posture assessment to evaluate security status and considers device location, hardware, and software configurations when determining security impact. The platform provides geolocation services to determine physical device location and implements policies based on this data. Additional security measures include traffic scanning with IDS/IPS for suspicious activity detection, actions to block or alert on potential network threats, access control for sensitive systems, privileged remote access management with strict isolation policies, and vulnerability assessments for proactive remediation.

• Unmanaged device support: Clientless ZTNA is provided through the cloud-delivered NetCloud SASE platform and uses isolation techniques to secure corporate web-based applications. The platform effectively protects against risks from both managed and unmanaged devices by treating all devices as untrusted by default, implementing true zero trust principles.

• Session monitoring: The solution provides extensive monitoring capabilities. It monitors each ZTNA client connection through its cloud management system, tracking the end device, tunnel, and traffic to resources. The platform provides centralized visibility of WAN flows and offers detailed traffic analysis through its Network Traffic Analysis dashboard, which also supports forensic investigation capabilities. 

Opportunities
Ericsson has room for improvement in a few decision criteria, including:

• Advanced DLP: The solution’s product architecture separates DLP functionality from its core solution. While the DLP capabilities themselves are robust, with features for scanning files, blocking unauthorized access, and controlling data movement, organizations face increased cost and integration complexity, as these are packaged as a separate SSE product. This fragmented approach creates additional procurement hurdles and potential implementation challenges for organizations seeking comprehensive data protection within their zero trust architecture.

• Cloud and SaaS integrations: The solution provides a secure virtual appliance approach to cloud resource access. While functional for basic cloud connectivity scenarios, it lacks specialized optimizations for specific cloud environments that would enhance performance and security. Organizations with complex multicloud architectures or those requiring deep integration with cloud-native services may find the implementation adequate but not differentiated from standard industry approaches.

• IAM integration: The solution takes a basic approach to identity management integration. While supporting SAML 2.0 compliant identity providers offers fundamental interoperability, the absence of above-mentioned prebuilt integrations suggests potential additional configuration work. Organizations with complex identity environments or specialized authentication requirements may face implementation challenges and extended deployment timelines compared to solutions with extensive preconfigured connectors.

Purchase Considerations
Ericsson offers straightforward user-based ZTNA licensing for both customer-hosted and as-a-service models. The solution demonstrates exceptional scalability, with a hierarchical administrative structure and integration with existing identity providers. For customer-hosted deployments, organizations can select Service Gateway capacity from 250Mbps to 4Gbps, while as-a-service customers benefit from unlimited data for each user. Ericsson's approach leverages Cradlepoint routers and virtual edges, treating routers as zero trust "sites" that eliminate the need for separate app connectors and simplify deployment for IoT, mobile, and branch locations. The solution shows particular strength in supporting cellular WANs for secure interconnection of IoT devices, vehicle fleets, and temporary sites. The ecosystem includes integrations with Zscaler and Palo Alto. Additionally, Ericsson’s cloud infrastructure is provider agnostic and can be hosted in any environment, depending on customer needs. Administrative experience benefits from a well-regarded support model with many services included in the base cost and a particularly strong customer community for peer assistance.

Use Cases
Ericsson excels in connecting distributed industrial environments through its innovative approach to securing IoT, OT, and mobile assets via Cradlepoint routers that function as zero trust sites. Transportation enterprises benefit from this capability for maintaining secure fleet connectivity across cellular networks without requiring traditional VPN infrastructure. Companies in industries such as manufacturing and utilities appreciate Ericsson's robust legacy application support for critical operational technologies. The solution also uses Carrier NAT translation to support overlapping IP addressing, enabling faster IoT deployment at scale. This technique also obscures IP addresses and minimizes the attack surface. The solution's exceptional security policy customization capabilities enable organizations to implement granular controls based on device location, posture, and network conditions while maintaining high performance across cellular and fixed networks.

Fortinet: Universal ZTNA

Solution Overview
Fortinet is a cybersecurity company with a comprehensive security platform spanning network, cloud, and endpoint protection. The company's approach to ZTNA is tightly integrated within its broader security ecosystem rather than existing as a standalone offering.

Fortinet Universal ZTNA capabilities are embedded into its core security products, particularly the FortiGate Next-Generation Firewall (NGFW). These capabilities can be enhanced through additional licensing or subscriptions, allowing organizations to leverage existing Fortinet investments when implementing zero trust principles. The solution delivers granular, context-aware access controls based on multiple factors, including user identity and device posture.

Fortinet takes a comprehensive approach to secure access, emphasizing integration with its broader security portfolio to provide consistent policy enforcement and visibility across diverse environments.

Fortinet is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Fortinet scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The solution provides a comprehensive cloud integration approach. A major year-over-year advancement is its integration into a cloud-delivered SASE solution, eliminating previous reliance on traditional firewall deployments. It leverages Fortinet security fabric connectors to enable broad integrations that extend beyond typical cloud and SaaS applications, providing extensive coverage for diverse cloud environments.

• Session monitoring: Fortinet enables very detailed logging through FortiOS, providing comprehensive insights regardless of deployment architecture. This consistent monitoring approach ensures organizations maintain complete visibility across their security infrastructure independent of how components are implemented.

• Security policy customization: The solution provides very strong firewall-like policy customization capabilities that can incorporate a diverse array of security services. Organizations can seamlessly integrate intrusion detection systems (IDS), malware scanning, web filtering, and other security functions into unified policies. This integration allows security teams to implement sophisticated, multilayered protection while maintaining centralized policy management.

Opportunities
Fortinet has room for improvement in a few decision criteria, including:

• Unmanaged device support: While the solution offers a portal-based approach for unmanaged device access, similar to the company’s VPN implementation, organizations face significant feature limitations unless they also deploy FortiGate hardware appliances. This creates deployment challenges for companies seeking hardware-agnostic solutions or those with existing non-Fortinet infrastructure, potentially increasing total cost of ownership.

• Risk-based authentication: The solution’s risk-based authentication, although good, is heavily dependent on the vendor’s broader ecosystem. While the SASE deployment model enables enhanced risk-based authentication scenarios, organizations achieve optimal results only when implementing both the EPP and SASE solutions together. Companies with heterogeneous security stacks or those using competitive endpoint protection platforms may find they cannot fully leverage the platform’s risk assessment capabilities.

• IAM integration: The solution favors the vendor’s proprietary identity solutions. While mature integrations exist for major providers like Azure AD and Okta, implementation is most streamlined when using Fortinet's native identity solutions such as Fortiauthenticator. Companies with complex hybrid identity environments or those using specialized identity providers may face integration challenges and require additional configuration.

Purchase Considerations
Fortinet offers a favorable pricing approach for its zero trust solution, which comes included by default with FortiGate purchases and is now available as part of its SASE service (it’s not sold as a standalone product). This integration with existing Fortinet products potentially simplifies the purchasing decision for current customers. The solution demonstrates adequate scalability through its SASE offering, with the addition of FortiGate in Azure enhancing deployment options. For organizations needing simpler implementation, the agentless option provides advantages, though advanced features still require agent deployment. Fortinet positions this as a comprehensive solution with exceptional flexibility, allowing extensive security policy customization and broad IAM support that enables creative access control implementations. Session monitoring capabilities provide valuable telemetry that can integrate with SIEMs or SOARs for enhanced security operations. The solution benefits from integration with the broader Fortinet portfolio through security fabric connectors, creating a cohesive ecosystem for organizations already invested in their technology. The administrative experience is intuitive and accessible for various use cases, making it approachable for organizations with different levels of technical expertise.

Use Cases
Fortinet excels in organizations requiring deep network security integration with its zero trust architecture through its Security Fabric framework. Financial institutions benefit from its comprehensive DLP capabilities incorporated directly into access policies for sensitive data protection. The solution's exceptional security policy customization enables detailed access controls similar to firewall rules while incorporating advanced services like malware inspection and IDS. Organizations with complex hybrid environments appreciate Fortinet's strong legacy application support across on-premises, hybrid, and cloud/SaaS architectures. The solution's extensive session monitoring capabilities make it valuable for security operations teams leveraging SIEMs or SOARs for enhanced threat detection and response.

Genians: Genian ZTNA

Solution Overview
Genians is a network security provider that leverages its extensive network access control (NAC) expertise to deliver zero trust solutions. The company combines traditional network security approaches with modern zero trust principles to address evolving access control requirements.

Genian ZTNA functions as the company's zero trust network access solution, providing comprehensive visibility and access control across diverse environments. The solution consists of four primary components: Policy Server, which acts as the policy decision point; ZTNA Sensor and Gateway, which serve as enforcement points; and ZTNA Agent, which enables secure endpoint access with multifactor authentication capabilities.

Genians emphasizes “universal” ZTNA that bridges traditional networks with modern zero trust principles through a hybrid enforcement model. This strategy is designed for organizations with complex mixed environments that require consistent security policies across all access scenarios.

Genians is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Genians scored well on a number of decision criteria, including:

• Legacy application support: The solution is built on NAC foundations, enabling effective legacy environment control without requiring application modifications. The platform utilizes multiple enforcement mechanisms, including ARP enforcement, 802.1X authentication, and SNMP monitoring, to secure legacy systems. Its VxLAN-based connectivity eliminates the need for static IPs or VPNs when integrating legacy applications. Additional security layers include microsegmentation, policy-based access controls, and zero trust principles with MFA and posture validation specifically adapted for legacy applications.

• IAM integration: The solution integrates with traditional directory services like Active Directory and LDAP, as well as cloud identity providers, including Azure AD, Okta, Google Workspace, and Ping Identity. It enables SSO through industry-standard protocols (SAML 2.0 and OpenID Connect) while implementing both role-based and attribute-based access controls for dynamic permissions management. Advanced features include continuous IdP synchronization for automated user lifecycle management, suspicious login detection, and support for passwordless authentication via FIDO2/WebAuthn standards.

• Unmanaged device support: Genians takes a sophisticated approach to unmanaged devices, employing L2-based device profiling with deep packet inspection to accurately fingerprint diverse endpoint types, including IT, OT, and IoT devices. Security controls include microsegmentation to isolate unmanaged devices, captive web portal redirection for authentication and compliance verification, continuous device posture validation through always-on ZTNA, and granular access restrictions based on real-time device risk assessment. 

Opportunities
Genians has room for improvement in a few decision criteria, including:

• Advanced DLP: The solution lacks native DLP capabilities. It relies entirely on third-party integrations for DLP functionality, creating significant implementation complexity and potential security gaps. Organizations with data protection requirements face additional procurement costs, integration challenges, and possible inconsistencies in policy enforcement when implementing Genians alongside separate DLP solutions.

• Cloud and SaaS integrations: While its Cloud Connector component enables basic policy enforcement across cloud environments, organizations with complex multicloud architectures may find limitations in the depth of integration with specialized cloud services. The gateway-based approach works well for standard deployments but may create performance bottlenecks in high-throughput cloud environments.

• Risk-based authentication: The company’s focus on traditional security indicators rather than advanced behavioral analysis results in more limited risk assessment capabilities. While the solution effectively evaluates device security posture and can revoke access based on policy violations, it lacks sophisticated user behavior analytics and continuous authentication capabilities. Organizations facing advanced persistent threats may find the risk assessment model insufficient for detecting subtle attack patterns that don't trigger conventional security alerts.

Purchase Considerations
Genians offers a device-based pricing structure based on unique MAC addresses across three distinct editions: Basic for visibility, Professional for NAC, and Enterprise for ZTNA and automation capabilities. This transparent approach provides clear differentiation between service tiers. Deployment options include cloud-managed, on-premises, or through AWS Marketplace, with self-deployed ZTNA Gateway using node-based licensing. The solution supports installations in customer cloud environments (AWS, Azure, GCP) or on-premises using physical or virtual appliances, and can handle over 500,000 concurrent endpoints to accommodate organizations of various sizes. Genians integrates NAC with ZTNA for comprehensive visibility across on-premises, remote, and cloud environments, positioning it as a platform solution rather than a feature-specific tool. This approach enables detailed insights into IT, OT, and IoT assets with real-time policy enforcement capabilities. The solution offers strong ecosystem integration with IT security tools like NGFW, VPN, IDS/IPS, MDM, and SIEM, supported by Webhook, REST API, and Syslog for custom integrations. Administrative experience is designed for simplicity while remaining transparent to end users, supported by comprehensive documentation, video tutorials, and Slack-based community assistance.

Use Cases
Genians excels in securing diverse device environments with its Layer 2-based device profiling capabilities that effectively identify IT, OT, and IoT devices without requiring agents. Manufacturing organizations benefit from Genians' exceptional legacy application support built on NAC foundations that secure industrial systems without modifications. Healthcare institutions leverage its comprehensive security policy customization with over 600 conditions to implement granular access controls for clinical workstations and medical devices. The continuous session monitoring capabilities provide visibility into device posture, network trust levels, and behavioral anomalies, making it valuable for organizations needing to balance operational technology protection with usability in complex network environments.

InstaSafe: InstaSafe Zero Trust Access

Solution Overview
InstaSafe is a security provider specializing in zero trust secure access solutions for remote employees and third-party contractors. The company focuses on developing specific innovative authentication and access control capabilities rather than attempting to serve as a comprehensive security platform.

InstaSafe Zero Trust Access (ZTA) represents a targeted offering in the secure access market, delivering a combination of secure access, multifactor authentication, identity provider integration, and reporting capabilities. The solution's distinctive feature is its split-plane architecture that separates the control plane from the data plane, directly addressing latency challenges while reducing operational costs by minimizing data transfer charges.

The company employs a distinct strategy for secure access, concentrating on refining authentication processes and enhancing performance specifically for remote workforce situations instead of offering a wide range of security features.

InstaSafe is positioned as a Challenger and Forward Mover in the Innovation/Feature Play quadrant of the ZTNA Radar chart.

Strengths
InstaSafe scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The solution connects to SaaS applications using SAML 2.0 authentication protocols and also supports API-based authentication for applications that don't implement SAML. This provides basic flexibility when integrating with various cloud services.

• Advanced DLP: The solution implements fundamental DLP controls, including clipboard management to prevent unauthorized data transfers, watermarking capabilities to identify document origins, and restrictions on screen capture and download functionality. These controls provide basic protection against common data exfiltration methods.

• Session monitoring: The platform tracks various endpoint details during active sessions, including device information, browser specifications, operating system data, and IP addresses. The solution also records basic session metrics, including login time, logout time, and total session duration, providing fundamental visibility into user access patterns. 

Opportunities
InstaSafe has room for improvement in a few decision criteria, including:

• Unmanaged device support: There are significant limitations in the vendor’s browser plugin approach to clientless ZTNA. While browser-based access provides convenience, the dependence on plugins creates compatibility challenges with numerous endpoint types and browser versions. Organizations with diverse technology environments or those using specialized or locked-down browsers will face substantial access barriers. This implementation approach may exclude certain employee segments or contractor populations from accessing critical resources, creating operational obstacles for organizations with varied device ecosystems.

• Security policy customization: The platform provides rudimentary policy management capabilities. Its policy framework is limited to basic user group rules, lacking the sophisticated conditional logic and contextual awareness found in more advanced solutions. Organizations with complex compliance requirements or those needing fine-grained access controls based on multiple factors will find the policy engine insufficient. This limitation creates security gaps in environments requiring nuanced policy enforcement based on dynamic risk factors.

• IAM Integration: While the solution integrates with common identity systems like Azure AD and LDAP, organizations with specialized identity providers or complex hybrid identity environments may encounter integration challenges. The ability to function as an identity provider adds flexibility but creates potential redundancy in environments with established IAM frameworks, potentially complicating identity governance.

InstaSafe was classified as a Forward Mover given its slow rate of development on features like its unmanaged device support and security policies The solution's constraints make it less suitable for enterprises with sophisticated security requirements but well positioned for organizations beginning their zero trust journey.

Purchase Considerations
InstaSafe utilizes a straightforward per-user, per-year pricing model distributed through a broad channel partner ecosystem. This approach suggests reasonable transparency in licensing, though complete details on volume discounts or additional fees aren't specified. The deployment process involves synchronizing users and groups from the organization's Active Directory to InstaSafe's IDP, after which synced users receive emails with instructions to download the agent. This approach appears designed for organizations with existing Active Directory infrastructure. While InstaSafe supports common use cases such as VPN/SSO alternatives, third-party access, and SaaS SSO, it also offers some differentiated capabilities, including Secure VoIP, always-on VPN, and AD group policy integration. The solution provides APIs for out-of-the-box integrations, though the ecosystem depth appears moderate rather than extensive. Organizations considering InstaSafe should note that while support and training are available, the lower rating for ease of use suggests the administrative experience may require more effort compared to market alternatives. The solution appears positioned to serve specific access control needs while leveraging existing directory investments.

Use Cases
InstaSafe provides effective security for small to medium organizations transitioning from VPN to zero trust architecture with its AD integration capabilities and per-user licensing model. The solution excels in secure VoIP protection environments where communication confidentiality is critical. Organizations using primarily Chrome browsers benefit from InstaSafe's browser control features that restrict downloads and printing for sensitive applications. The platform's basic DLP controls, which include clipboard management and watermarking, offer reasonable protection for TCP/IP-based legacy applications in environments where complex policy customization isn't required.

Ivanti: Neurons for Zero Trust Access

Solution Overview
Ivanti specializes in secure access solutions, endpoint management, and IT service management technologies. 

Neurons for Zero Trust Access serves as Ivanti's ZTNA solution within its broader security portfolio. This solution functions alongside Ivanti Connect Secure (formerly Pulse Connect Secure), providing a unified cloud-based platform that combines both VPN and ZTNA capabilities. Previously, Ivanti’s solution leveraged SWG and CASB components from Lookout, but as of this version of the report, that is no longer true. 

Ivanti's approach targets large enterprises with complex application deployments and extensive infrastructure, focusing on simplifying the migration from traditional VPN solutions to a secure service edge architecture.

Ivanti is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Ivanti scored well on a number of decision criteria, including:

• Legacy application support: The vendor offers an exceptional approach to legacy systems. Its core value proposition centers on enabling smooth migration from VPN to ZTNA by offering both access methods under a unified cloud umbrella. The solution works seamlessly with Ivanti Connect Secure and can coexist with any Layer 3 VPN product, leveraging most-specific routing to avoid conflicts with VPN default routing. This approach significantly simplifies the transition to zero trust architecture while maintaining support for legacy applications.

• Cloud and SaaS Integrations: Ivanti Neurons for Zero Trust Access leverages a virtual appliance-based solution that is cloud-agnostic and compatible with AWS, Google, Apple, and Microsoft cloud. This enables ZTA for a broad variety of systems from on-premises, hybrid, to cloud. 

• Risk-based authentication: Ivanti stood out with high rankings for their contextual authentication framework. The solution implements risk-based authentication by leveraging user and entity behavioral analytics alongside multiple contextual controls. These controls include location awareness, login attempt monitoring, device posture assessment, time-based access rules, and analysis of the software bill of materials running on devices, creating a multidimensional risk evaluation model.

Opportunities
Ivanti has room for improvement in a few decision criteria, including:

• Unmanaged device support: The solution’s HTML5 browser-based approach has limitations. While the Unified Access solution provides clientless remote access, this implementation can face performance constraints with bandwidth-intensive applications. Organizations with specialized endpoint requirements or those using applications that don't function optimally in browser environments may experience usability issues. The browser dependency also creates potential compatibility challenges when organizations deploy browser security controls that conflict with the solution's functionality.

• Security policy customization: The solution has structural limitations in its policy framework. The rigid association model between applications, gateways, and device compliance policies creates complexity for organizations with dynamic infrastructure requirements. While the separation of duties between IT and SecOps streamlines specialized work, it may lead to coordination challenges in rapidly changing environments. Organizations with complex conditional access requirements based on multiple variables may find the policy structure insufficiently adaptable.

• IAM integration: While the solution includes mature integrations for specific providers like Okta and SailPoint, organizations using alternative identity solutions face additional configuration work for custom SAML integrations. This creates implementation challenges for enterprises with complex or nonstandard identity ecosystems, potentially extending deployment timelines and increasing overhead.

Purchase Considerations
Ivanti offers a per-user pricing model with options for either full ZTNA or a combined VPN+ZTNA package designed for organizations in transition from traditional VPN. While the offerings are feature-rich, some organizations may find the pricing on the higher end of the market. However, the solution utilizes a distributed SDP architecture where user traffic directly accesses ZTA Gateways for specific applications, allowing customers to deploy multiple gateways for high availability without incurring additional costs. This architecture ensures continuous access during controller outages with built-in availability zone redundancy. Ivanti Neurons for Zero Trust Access provides application-centric security rather than network-wide protection, with capabilities including fine-grained access policies, authentication management, and automated risk scoring. Organizations implementing Ivanti can leverage professional services for initial setup and ongoing best practice guidance, complemented by online training modules and certification courses. The solution features an intuitive user experience with architecture designed for straightforward deployment and maintenance.

Use Cases
Ivanti excels in organizations transitioning from VPN to zero trust architecture through its exceptional legacy application support that maintains compatibility with existing infrastructure. The solution's distributed architecture with multiple gateways provides consistent security for enterprises with geographically dispersed operations requiring high availability. Healthcare institutions benefit from Ivanti's risk-based authentication capabilities that adapt access requirements based on contextual factors, including user behavior, location, and device posture. The intuitive user experience and straightforward deployment process make it valuable for organizations with limited security staff while still providing robust protection for critical applications.

Menlo Security: Menlo Secure Application Access

Solution Overview
Menlo Security is a cybersecurity provider specializing in cloud-based security solutions with an emphasis on isolation technology. The company leverages its established Secure Cloud Browser technology to deliver zero trust access capabilities.

Menlo Secure Application Access functions as the company's ZTNA solution, providing controlled access to internal applications, web resources, and SaaS platforms. The solution implements a distinctive network isolation approach where users connect through Menlo's Secure Cloud Browser rather than establishing direct connections to applications, preventing malicious content from reaching endpoints and blocking potential data exfiltration attempts.

Menlo employs a thorough strategy for secure access, applying zero trust concepts not just to networks but to applications, browsers, and content as well, offering flexible deployment through a web portal, browser extension, or an optional client.

Menlo Security is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Menlo Security scored well on a number of decision criteria, including:

• Advanced DLP: The solution offers sophisticated data protection capabilities. It provides robust DLP with context and content-aware inspection mechanisms that analyze data in transit and offers highly flexible DLP policy controls while seamlessly integrating with leading third-party DLP solutions. This comprehensive approach to data protection enhances overall security posture through multilayered DLP integration.

• Unmanaged device support: The solution enables zero-touch deployment for unmanaged devices through web portal access or browser extensions, simplifying adoption. The platform implements least-privileged application access based on multiple factors, including user identity, group membership, source IP, and geolocation. Security for unmanaged devices is further enhanced through web traffic and file sanitization via the Secure Cloud Browser. Additional protections include dictionary-based DLP with over 300 built-in dictionaries for monitoring uploads and downloads, plus browser-centric DLP controls like read-only access and watermarking for web applications.

• Security policy customization: The solution extends policy capabilities beyond basic user/group assignments to include sophisticated contextual rules. Examples include restricting financial application access to corporate IP addresses during business hours, blocking social media access except for explicitly approved instances, and applying conditional access to cloud storage based on user identity and device posture. The platform also enforces device health through posture checks for antivirus status and OS patch compliance. 

Menlo Security was classified as an Outperformer given its strong focus on browser isolation technology, continuous enhancement of data protection capabilities, and expanded coverage for unmanaged devices. Its recent development velocity in adapting its secure browser approach to address emerging threats positions it to continue advancing in the ZTNA market.

Opportunities
Menlo Security has room for improvement in a few decision criteria, including:

• Enterprise browser integration: The company’s reliance on its Secure Cloud Browser approach rather than native enterprise browser integration can be limiting. While it effectively secures web-based applications, organizations with complex browser extension ecosystems or those requiring deep browser customization may find this approach insufficient. The network separation methodology can create compatibility issues with specialized web applications that rely on direct network access, although Menlo’s implementation reduces the likelihood of this.

• IAM integration: While integrations with platforms like Okta and Azure AD function adequately, organizations with specialized identity requirements or custom-built IAM solutions face additional configuration challenges. For customers that rely on OAUTH2.0 based federation, this solution doesn’t offer broad support for iDPs based on that technology.

• Security policy customization: Despite the solution’s policy flexibility, organizations with highly complex compliance requirements may encounter limitations. While the solution effectively handles time-based, location-based, and posture-based controls, enterprises in heavily regulated industries might find edge cases where the current policy framework lacks sufficient granularity. Policy management can become unwieldy in environments requiring frequent adjustments across numerous applications with varying compliance requirements. 

Purchase Considerations
Menlo Security offers competitive pricing with flexible subscription models and transparent structure, making licensing decisions straightforward for organizations evaluating zero trust solutions. The offering is positioned as a comprehensive solution that efficiently scales to accommodate large-scale deployments, suggesting suitability for both mid-market and enterprise environments, depending on specific requirements. The solution adapts to diverse organizational needs through deployment flexibility and granular access controls, allowing it to function effectively as either a complete solution or to address specific security requirements within a broader architecture. Organizations benefit from Menlo Security's strong vendor ecosystem that integrates with leading cloud, security, and identity providers, enhancing overall functionality and interoperability with existing investments. A notable strength is its exceptional ease of use, with its intuitive interface, comprehensive documentation, and automation capabilities that focus on simplifying complex security implementations. This approach potentially reduces the need for extensive professional services and training compared to more complex alternatives in the market.

Use Cases
Menlo Security excels in financial services environments requiring robust protection for sensitive client data through its advanced DLP capabilities with over 300 predefined dictionaries and custom dictionary options. Healthcare organizations benefit from its comprehensive unmanaged device support that maintains security through web traffic sanitization and least-privilege access policies based on user context. Manufacturing companies leverage Menlo's legacy application support capabilities to isolate critical systems while enforcing modern security controls. The intuitive interface with detailed session monitoring provides security teams visibility into user interactions with web applications while maintaining strong protection against sophisticated web-based threats.

NetFoundry: NetFoundry Platform

Solution Overview
NetFoundry is a software company specializing in secure networking and connectivity solutions with a focus on embedding zero trust networking directly into applications and products. The company addresses the limitations of traditional network-based security models by offering programmable networking capabilities.

NetFoundry's core offering centers on AppNets—embeddable, zero trust overlay networks that segment network access to ensure only trusted users and services can connect to applications. The solution functions as a specialized feature set within the broader zero trust networking market, allowing companies to implement secure connectivity through minimal code integration or other endpoint options.

The company operates a single platform that currently includes the NetFoundry and zrok products. This software-only solution can be deployed across diverse environments, including major cloud providers and private datacenters, inheriting existing network infrastructure.

NetFoundry is positioned as a Leader and Fast Mover in the Innovation/Feature Play quadrant of the ZTNA Radar chart.

Strengths
NetFoundry scored well on a number of decision criteria, including:

• Legacy application support: The company offers a comprehensive approach to legacy systems. The solution embeds zero trust principles directly within the network layer, supporting diverse use cases that include remote access, multicloud environments, DevOps workflows, IoT devices, and site connectivity. The platform enables both north-south WAN and east-west LAN connections with support for client or server-initiated protocols and static/dynamic ports. While encouraging microsegmentation for optimal security, the solution also accommodates macrosegmentation approaches like CIDRs with identity-based connection discovery. For particularly challenging legacy scenarios, it provides connectivity options for machines that cannot host software or require Layer 2 connections, and employs embedded PKI to secure legacy applications that lack SAML/OIDC compatibility.

• Risk-based authentication: The solution employs a continuous authentication model. It evaluates real-time identity and device posture on an ongoing basis, initially establishing trust through x509 certificates and mutual TLS. The platform performs dynamic posture checks, including operating system validation, multifactor authentication, and MAC filtering, for comprehensive risk assessment. When noncompliance is detected, the solution can immediately revoke access or enforce re-authentication while also modifying privileges adaptively to maintain security according to zero trust principles.

• Security policy customization: The solution offers a flexible policy framework. Its zero trust architecture enforces strong cryptographic identity verification before allowing connectivity and it implements attribute-based access control (ABAC) with tagging capabilities for creating granular access policies based on user roles, device status, and location context. The Orchestration component enables comprehensive management of provisioning, configuration, security policies, monitoring, and network optimization. Additional strengths include rapid policy adjustment capabilities and a multiplatform, open source model that facilitates integration with existing infrastructure.

Opportunities
NetFoundry has room for improvement in a few decision criteria, including:

• Cloud and SaaS integrations: The solution’s integration ecosystem is pretty much limited to Microsoft products. While it provides gateways in major hyperscaler marketplaces and prebuilt integrations with Azure AD, Microsoft AD, and Microsoft Endpoint Manager, organizations using diverse SaaS platforms or specialized cloud services may find integration options insufficient. Companies with complex multicloud strategies requiring deep integration with non-Microsoft cloud services may encounter implementation challenges requiring additional configuration work.

• IAM integration: NetFoundry demonstrates a solid capability in IAM integration by supporting Azure AD and Okta through external JWT signers and SCIM 2.0 for user and group synchronization. This enables alignment of access policies with organizational changes and supports identity verification within a Zero Trust framework using x509 certificates. However, while the integration works well in many scenarios, it may face challenges in environments with less common or legacy identity providers that do not have a mature integration ready to use. Additionally, in industries with stringent regulatory requirements, such as healthcare or finance, the reliance on external authentication mechanisms might introduce complexities in meeting specific compliance mandates for identity lifecycle management or audit trails.

• Session monitoring: Despite the solution’s generally good monitoring capabilities, organizations with specialized compliance requirements in highly regulated industries may encounter limitations. While the solution effectively collects network metadata and provides comprehensive tracking of identity metrics, it may lack the industry-specific monitoring templates and predefined compliance reports needed for seamless regulatory adherence in sectors like healthcare or financial services.

Purchase Considerations
NetFoundry offers the Enterprise Edition for service providers and the Premium Edition for strategic partners looking to embed zero trust networking capabilities, with a 30-day free trial available for evaluation. Interestingly, the solution does not target typical IT enterprise buyers but focuses exclusively on OEM and partner deals, which affects its positioning in the market. The solution demonstrates exceptional scalability, supporting over 1 billion fabric sessions monthly and 80TB of data monthly, with its largest deployment including 500,000 users across major financial institutions. This scale-up and scale-out architecture ensures robustness for large implementations. NetFoundry supports diverse use cases, including remote access, multicloud, DevOps, IoT, and site-to-site connectivity, though its rating suggests it meets rather than exceeds market expectations for flexibility. The solution integrates well with OIDC providers like Okta and Ping Identity, offers prebuilt integrations with Azure AD and Microsoft Endpoint Manager, and provides edge routers for multiple cloud platforms. NetFoundry offers 24/7 technical support, comprehensive onboarding programs, and training services, though the average rating for ease of use indicates a potentially moderate learning curve.

Use Cases
NetFoundry excels in complex industrial environments requiring secure connectivity to legacy operational technology systems through its exceptional support for all protocols, including L2 connections with embedded PKI. Additionally, it offers the uncommon ability to deploy 100% on-premises without the need for a cloud connection. Manufacturing organizations benefit from its BrowZer solution that enables secure application access from standard browsers without software installation, ideal for contractor and third-party access. Critical infrastructure providers leverage NetFoundry's robust scalability, proven in deployments supporting over 180 million weekly sessions across distributed locations, while maintaining comprehensive session monitoring for security compliance. The continuous risk-based authentication with real-time identity and device posture evaluation enhances protection for sensitive industrial control systems.

Nile: Nile Access Service 

Solution Overview
Nile is a cybersecurity provider specializing in zero trust network access with a distinctive focus on securing internal networks rather than traditional remote access scenarios. The company partners with established ZTNA providers like Palo Alto Networks and Zscaler to complement its internal security approach with remote access capabilities.

The Nile Access Service functions as a network-as-a-service offering that integrates wired and wireless infrastructure, AI automation, and campus ZTNA capabilities under the Nile Trust Service brand. The solution implements Layer 3 segmentation techniques to create isolated environments for user sessions and application access, eliminating traditional VLANs and standard CLI configuration requirements.

The vendor takes a different approach to secure access, emphasizing internal network security through automated infrastructure deployment, continuous user authentication, and traffic isolation, while integrating with external security providers for comprehensive protection.

Nile is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Nile scored well on a number of decision criteria, including:

• Unmanaged device support: With its comprehensive approach, the solution excels in securing unmanaged devices. It implements granular enforcement rules that restrict unmanaged IoT devices to only required resources while providing per-endpoint isolation with full traffic inspection. The platform employs microsegmentation policies to manage east-west traffic without requiring additional firewall or SSE components. User group identity is flexibly defined using segments, subnets, RADIUS attributes, and SCIM/IdP groups, while service profiles can be refined through protocol and source/destination port specifications for precise access control.

• Legacy application support: The solution offers flexible integration with traditional systems and supports multiple legacy application categorization methods, including FQDN, IP address, IP subnet, and application groups, which can be used as sources or destinations in policy definitions. It enforces a default deny posture for endpoint communication with legacy applications and requires explicit policy definition within its zero trust framework. This approach ensures secure external resource communication for legacy applications through controlled policy implementation.

• Session monitoring: The solution offers sophisticated analytics capabilities. It tracks both pre- and post-connectivity metrics for endpoints across sites to compute comprehensive health scores via its NXI platform. The system leverages AI-driven predictive insights with self-supervised machine learning models and confidence intervals for proactive issue detection. Extensive monitoring covers DNS, RADIUS, DHCP, RSSI, link quality, latency, data rates, and various network and system events for anomaly detection. Additional capabilities include time-series predictive analytics with spatial and temporal views, and tracking of zero trust policy hits with integration to SIEMs or third-party incident response systems.

Opportunities
Nile has room for improvement in a few decision criteria, including:

• Risk-based authentication: The solution lacks native risk assessment capabilities. It relies entirely on partner integrations for security posture risk scores rather than providing built-in functionality. Organizations seeking comprehensive risk-based authentication will face integration complexities and potential security gaps when implementing Nile's solution. While the company collects endpoint analytics and plans future Trust Engine integration with EDR systems, these forward-looking initiatives don't address current limitations in the solution’s risk assessment framework.

• Security policy customization: The solution’s policy framework is based on standard attributes. While it offers flexible enforcement via policy groups and contextual controls, organizations with highly complex compliance requirements may find limitations in the depth of conditional logic available. The geo- and tag-based policy associations work well for standard deployments but may become unwieldy for enterprises with sophisticated microsegmentation needs across diverse environments.

• IAM integration: Despite supporting major providers, the solution’s management approach is somewhat limited compared with some competitors. It connects with any SAML-compatible IdP and automatically sets up SCIM when available, but organizations with specialized identity workflows or custom authentication requirements may face integration challenges. 

Purchase Considerations
Nile offers a subscription-based deployment with flexible per-user or per-square-foot pricing, positioning it as a competitive option in the market. However, organizations should note that isolation-based guest services and DHCP services are available as add-ons to the base subscription. The solution is fundamentally hardware-based, which presents the minor challenges typical of physical devices; however its DHCP, Guest, and RADIUS services are all cloud based. This approach has remained unchanged year over year while competitive solutions have moved beyond hardware dependencies, potentially creating limitations for rapidly growing deployments. Nile's universal zero trust model simplifies policy management by securing LAN, remote, and cloud access through partnerships with ZTNA vendors like Palo Alto Networks, with recent improvements in session monitoring and risk-based authentication enhancing its capabilities. From an integration perspective, Nile works effectively with modern firewall and cloud security vendors while maintaining compatibility with legacy NAC and MDM solutions, providing broad ecosystem support. The all-inclusive subscription model covers support, upgrades, hardware refreshes, and AI-assisted problem resolution, offering a moderately straightforward administrative experience that balances functionality with usability.

Use Cases
Nile excels in securing complex IoT and operational technology environments through its granular endpoint isolation capabilities that restrict unmanaged devices to specific resources. Educational institutions benefit from Nile's comprehensive session monitoring that tracks device connectivity metrics and network health scores across distributed campuses. Manufacturing organizations appreciate the solution's strong legacy application support that enables secure access to critical systems through precise categorization based on IP subnets and application groups. The AI-powered predictive analytics capabilities provide security teams with early detection of potential network issues before they impact operations, making it valuable for environments with diverse device types requiring consistent security controls.

Palo Alto Networks: Prisma Access ZTNA 2.0*

Solution Overview
Palo Alto Networks is a leading cybersecurity company that provides comprehensive security solutions for organizations across various sectors. The company maintains a strong market presence in the network security space while expanding its capabilities into cloud security and zero trust architectures.

Prisma Access ZTNA 2.0 represents Palo Alto Networks' zero trust network access solution, which can be purchased either as a standalone product or as part of its broader SASE offering. The solution utilizes the Prisma Access Service as its central control plane for managing and enforcing access policies. Through this architecture, the solution implements multiple security controls, including multifactor authentication, device posture assessment, and continuous monitoring to ensure authorized access.

Palo Alto Networks employs an all-encompassing strategy for secure access, branding its solution as ZTNA 2.0 to highlight advanced features that go further than simple access management, tackling wider security challenges within the zero trust model.

Palo Alto Networks is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Palo Alto Networks scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The solution excels in cloud and SaaS integration by offering single sign-on capabilities, robust security controls, and optimized performance specifically designed for cloud-based applications. This integration strategy helps organizations maintain consistent security posture across traditional and cloud environments.

• Session monitoring: The solution delivers a powerful feature set, with its visibility capabilities particularly notable. It provides real-time monitoring of user behavior during ZTNA sessions, enabling security teams to detect anomalies that might indicate compromised accounts or insider threats. Its continuous monitoring approach also supports compliance assurance by maintaining detailed records of access activities and policy enforcement.

• Security policy customization: The solution offers granular policy configuration options. Its dynamic zero trust approach enables security teams to implement sophisticated controls including role-based access restrictions, device posture assessments, and multifactor authentication requirements. This flexibility allows organizations to tailor security policies to their specific risk profile and compliance needs.

Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:

• Advanced DLP: Palo Alto Networks has some architectural integration limitations. While the solution provides context and content-aware inspection, these DLP capabilities exist as part of the broader SASE solution rather than as native ZTNA features. Organizations seeking comprehensive data protection may face additional implementation complexity when deploying only the ZTNA component. Companies in highly regulated industries might find the depth of content inspection and automated remediation workflows insufficient for specialized compliance requirements.

• Legacy application support: While the solution provides both agent-based and agentless options with protocol translation capabilities, organizations with highly specialized legacy systems or proprietary protocols may experience compatibility challenges. The implementation complexity increases with certain legacy technologies, potentially requiring additional configuration and customization that could extend deployment timelines.

• IAM integration: Though integration with SAML 2.0-compliant IdPs and mature connections to mainstream providers like Azure AD and Okta offer solid functionality, organizations with complex hybrid identity environments or specialized authentication requirements may encounter limitations. The solution works well with standard identity scenarios but may require additional configuration work for edge cases or nonstandard identity architectures. 

Purchase Considerations
Palo Alto Networks offers competitive pricing with flexible subscription models and a transparent structure, making licensing decisions straightforward for organizations evaluating zero trust solutions. The solution efficiently scales horizontally by leveraging the company's global network presence for distributed traffic handling, positioning it as a comprehensive platform play suitable for both mid-market and enterprise environments. While the solution demonstrates deployment flexibility and granular access controls, its average support for legacy applications and unmanaged devices puts it in the middle of the market for overall flexibility. Organizations benefit from Palo Alto Networks' strong vendor ecosystem that integrates with leading cloud and security providers, enhancing overall functionality and interoperability with existing investments. The administrative experience is streamlined through a user-friendly management interface that prioritizes ease of use, though it doesn't stand out exceptionally compared to alternatives in the market. This balance of capabilities suggests the solution would appeal to organizations seeking a comprehensive security offering with reasonable pricing and scalability, though those with significant legacy application requirements should evaluate the fit carefully.

Use Cases
Palo Alto Networks excels in global financial institutions requiring comprehensive risk-based authentication that addresses security challenges based on user behavior, device posture, and location signals. The solution's robust session monitoring capabilities provide real-time visibility into user activities, making it valuable for organizations with strict compliance requirements needing detailed audit trails. Healthcare providers benefit from Palo Alto Networks’ security policy customization features that enable granular access controls based on clinical roles and data sensitivity while maintaining consistent security across distributed environments. The extensive cloud integration capabilities support organizations implementing zero trust across hybrid infrastructures.

Portnox: Portnox Cloud Unified Access Control 

Solution Overview
Portnox is a cybersecurity provider specializing in cloud-based access control solutions. The company focuses on developing specific innovative access management capabilities that span both network and application resources.

Portnox Cloud Unified Access Control represents a specialized offering in the access control market, delivering a combination of network access control, conditional application access, and infrastructure administration through TACACS+. The solution includes several integrated components—Portnox RADIUS-as-a-Service, Zero-Trust NAC, TACACS+, and Conditional Access for Applications—all accessible through a single interface with a common backplane and available for individual purchase or as a bundled platform.

The company takes a focused approach to secure access, emphasizing the unification of traditionally separate access control domains to provide consistent policy enforcement across diverse enterprise environments.

Portnox is positioned as a Challenger and Forward Mover in the Innovation/Feature Play quadrant of the ZTNA Radar chart.

Strengths
Portnox scored well on a number of decision criteria, including:

• Security policy customization: Portnox offers a flexible policy framework. The solution supports a highly adaptable policy engine capable of addressing complex business rules and security requirements. The platform enables dynamic, context-aware access control with built-in scalability and automation capabilities. Portnox implements both RBAC and ABAC models for precise policy enforcement. Security teams can customize policies based on multiple factors, including user identity, role, device posture, and compliance status. The solution also leverages network context and geolocation data to block access from high-risk regions.

• Unmanaged device support: The solution provides secure IoT access through MAC bypass and device fingerprinting technologies. The platform integrates with mobile device management (MDM) solutions to enhance risk scoring and enforce compliance policies. Automated remediation actions further strengthen security for unmanaged devices by enabling rapid response to detected issues.

• Risk-based authentication: The solution’s risk policy engine scores devices based on security posture assessment and supports various response actions, including deny, allow, quarantine, or automated remediation, based on risk level. However, while this functionality remains solid, the vendor has not made significant improvements year over year, while competitors have continued to enhance their offerings in this area.

Opportunities
Portnox has room for improvement in a few decision criteria, including:

• Legacy application support: The vendor provides an unconventional approach to application compatibility. While competitors focus on supporting the TCP/IP protocols that underpin legacy applications, the solution prioritizes applications using SAML 2.0 or OpenID. This fundamentally limits the solution's effectiveness in environments with true legacy applications that lack modern authentication protocol support. Organizations with older proprietary applications or specialized systems will face significant implementation barriers when deploying Portnox.

• Risk-based authentication: The solution is functional in this area but is slow in developing its implementation. Though the risk policy engine adequately scores devices based on security posture and enables standard remediation actions, the solution has shown no meaningful evolution over the past year, while competitors continue to advance their capabilities. Organizations seeking cutting-edge risk assessment with sophisticated behavioral analysis or advanced threat detection may find the vendor’s approach increasingly outdated.

• Cloud and SaaS integrations: The solution offers RESTful API integration and identity provider support. While these capabilities meet basic requirements for cloud connectivity, they lack the depth of specialized optimizations for specific cloud environments. Organizations with complex multicloud architectures or those requiring deep integration with specialized SaaS applications may find the implementation adequate but insufficiently differentiated from standard industry approaches.

Portnox was classified as a Forward Mover given its challenges in maintaining momentum as competitors accelerate development in key areas like risk-based authentication. Its unique approach to legacy application support through identity protocols rather than traditional TCP/IP support represents both a strategic differentiation and a potential limitation, depending on customer environments.

Purchase Considerations
Portnox offers a modular platform with individual components available through one- and three-year SaaS subscription options, with transparent pricing and add-ons listed on their website. This approach allows organizations to select and pay for only the capabilities they need. The solution is deployed as a SaaS offering on Azure with multi-location redundancy, leveraging the lightweight RADIUS protocol to minimize latency issues—providing adequate scalability for most organizational needs. Portnox delivers secure application access with passwordless authentication and risk assessment capabilities, along with automated remediation features that transparently address security issues. The solution offers integration capabilities with tools supporting RESTApi and maintains membership in the Microsoft Intelligent Security Association, though its ecosystem depth appears adequate rather than exceptional. For implementation and ongoing operations, Portnox provides dedicated onboarding services, 24/7 support, and a comprehensive knowledge base, creating a positive user experience for administrators. The solution shows particular strength in IoT security through robust device fingerprinting and secure MAC Authentication Bypass, which may appeal to organizations with significant IoT deployments.

Use Cases
Portnox excels in healthcare environments with extensive IoT medical devices requiring secure access through its advanced fingerprinting and automated MAC bypass capabilities. Manufacturing facilities benefit from Portnox's robust security policy customization for creating granular access rules based on device types, compliance status, and network context. Educational institutions appreciate the solution's automated remediation features that transparently resolve device compliance issues without disrupting classroom technology. The platform's passwordless authentication options and integration with major identity providers make it valuable for organizations seeking to enhance security while reducing administrative overhead in device-rich environments.

SonicWall: SonicWall Cloud Secure Edge

Solution Overview
SonicWall is a cybersecurity provider specializing in comprehensive security solutions, including firewalls, secure remote access, and cloud security services. The company recently acquired Banyan Security, significantly enhancing its zero trust capabilities and solution portfolio.

SonicWall Cloud Secure Edge, powered by Banyan's technology, functions as the company's ZTNA solution, providing secure application access through adaptive, context-aware controls. The solution comprises three main components: App (the user-facing component), Edge (connecting users to applications), and Command Center (centralized management and policy configuration).

SonicWall employs a robust strategy for secure access, focusing on extensive compatibility with unmanaged devices and detailed security policies, making it especially ideal for situations involving mergers or acquisitions, where managing a variety of devices is essential.

SonicWall is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Sonicwall scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The Cloud Secure Edge solution provides seamless integration with cloud services and SaaS applications. It offers easy implementation, flexible deployment options, and standards-based authentication mechanisms that enhance its competitiveness in the market.

• Risk-based authentication: The solution offers excellent adaptive authentication capabilities. It adapts authentication requirements based on real-time risk assessments, factoring in user behavior patterns, device posture evaluation, location information, and other contextual signals to determine appropriate security controls.

• Session monitoring: The solution provides an excellent monitoring framework, earning a perfect score. It offers real-time visibility into user activities, comprehensive logging capabilities, and sophisticated anomaly detection, enabling both effective security management and compliance assurance across the environment.

Opportunities
Sonicwall has room for improvement in a few decision criteria, including:

• Advanced DLP: While the solution provides standard controls for both private and SaaS applications, including restrictions on screenshots and clipboard functions, organizations with sophisticated data protection requirements may find these capabilities insufficient. Companies in highly regulated industries or those handling particularly sensitive information may require more advanced content inspection, automated classification, and contextual analysis than what the vendor currently offers.

• Unmanaged device support: While the solution includes posture assessments and conditional access for unmanaged devices, organizations with diverse device ecosystems may find limitations in the granularity of device controls. The implementation provides standard protection but lacks the sophisticated device detail some environments with strict compliance requirements need. 

• IAM integration: Though the solution supports SAML 2.0, OpenID, and has mature integrations with major providers, it may require additional configuration for less common identity providers. 

Purchase Considerations
Sonicwall offers its zero trust solution in three distinct tiers or editions, each representing different feature packages with transparent pricing structures. This approach allows organizations to select the appropriate feature set based on their specific requirements and budget constraints. The solution is deployed using a cloud-managed control plane with full autoscaling capabilities, positioning it for effective performance across various deployment sizes. For user management, organizations can add operator users either locally or through SAML integration with their existing identity provider. The architecture extends security controls to distributed assets across all environments and protocols, leveraging a cloud-native approach that utilizes the public internet without requiring network tunnels or man-in-the-middle clouds. This design results in a high-performance, scalable solution that maintains privacy and data sovereignty considerations. From an administration perspective, the solution offers rapid deployment in under 15 minutes, one-click access to infrastructure and applications, and a service catalog that simplifies administrative choices. The underlying technology uses Wireguard for simplicity and strength, though the ecosystem integration capabilities appear average for this market segment.

Use Cases
SonicWall excels in highly regulated environments requiring comprehensive risk-based authentication that addresses security challenges based on real-time factors like user behavior and device posture. SMBs seeking an easy on-ramp into ZTNA will also benefit from its simplicity and ease of implementation. Financial institutions benefit from SonicWall's robust session monitoring capabilities that provide detailed visibility into user activities necessary for compliance and threat detection. Manufacturing organizations appreciate the solution's strong legacy application support that extends secure access to critical operational systems without requiring complex network modifications. The cloud-native architecture with autoscaling capabilities makes it valuable for organizations needing to maintain consistent security posture across distributed environments while supporting diverse access requirements.

Sophos: Sophos ZTNA

Solution Overview
Sophos is a cybersecurity provider specializing in integrated security solutions that protect organizations from advanced threats, including ransomware. The company emphasizes cross-product integration and simplified management across its security portfolio.

Sophos ZTNA functions as the company's zero trust network access solution, available as both a cloud service (ZTNA-aaS) and as gateway technology that can be deployed as a virtual appliance or embedded within Sophos Firewall. The solution employs a distinctive single-agent architecture that combines ZTNA and endpoint protection functions, though it also supports agentless access for certain browser-based applications.

Sophos employs a wide-ranging strategy for secure access, focusing on the seamless connection of various security areas through a single platform (Sophos Central). This approach enables organizations to adopt ZTNA within a larger, interconnected security framework instead of treating it as a standalone solution.

Sophos is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Sophos scored well on a number of decision criteria, including:

• Risk-based authentication: The solution utilizes ML to learn user behaviors and continuously inform ZTNA services about device health status. The platform employs a straightforward health categorization system (healthy/unhealthy) with intuitive green, yellow, or red status indicators. This simplified binary health outcome approach streamlines administrative assessment while effectively integrating endpoint health evaluation with ZTNA access decisions, creating a responsive security model.

• Session monitoring: The solution provides detailed logging of user and application access with extensive metadata, including timestamps, user identity, application details, access methods, device health status, session duration, and data volume. The platform incorporates Sophos Endpoint health state information directly into logs and offers robust reporting through Sophos Central. Advanced users can leverage XDR queries for cross-product enriched data analysis, ensuring thorough visibility into access activities across the environment.

• Unmanaged device support: The solution delivers application access through a web portal specifically designed for unmanaged devices, providing a functional but basic capability for accommodating noncorporate assets in access scenarios.

Opportunities
Sophos has room for improvement in a few decision criteria, including:

• SCIM protocol support: There is no SCIM protocol implementation. While the solution provides alternative directory and group synchronization options with Sophos Central, this approach lacks the standardization and efficiency benefits of SCIM. Organizations with complex user lifecycle management requirements face additional operational overhead when provisioning and deprovisioning users. The reliance on custom synchronization methods with Entra, Okta, and on-premise Active Directory creates potential inconsistencies in identity management workflows.

• Cloud and SaaS integrations: Though the solution provides comprehensive integration capabilities, a significant limitation is the reliance on white listing the gateway IP address of SaaS solutions. This is problematic due to the dynamic, ephemeral nature of cloud networking. The breadth of supported SaaS applications could be more extensive, potentially limiting coverage for organizations using specialized or niche cloud services that fall outside Sophos's integration ecosystem.

• IAM integration: While mature integrations exist for mainstream services like Azure, Okta, and Google Workspace, organizations with alternative identity providers or complex hybrid identity environments may face additional configuration challenges. The solution works efficiently with standard identity architectures but may require additional customization for specialized implementations. 

Purchase Considerations
Sophos offers competitive, all inclusive pricing for its zero trust solution. The solution leverages a cloud-native architecture with autoscaling capabilities, providing robust scalability for most implementations, though large-scale deployments may require careful planning to ensure optimal performance. This positions Sophos as a solution that can accommodate growing security needs without immediate infrastructure concerns. Organizations benefit from deployment flexibility through multiple access modes and deployment options, making the solution adaptable to various environments, though some niche use cases (such as completely on-premises) may require customization services. While Sophos maintains a decent vendor ecosystem, the breadth and depth of available integrations could be more extensive when compared to market leaders. The administrative experience provides a user-friendly interface and management capabilities, but organizations requiring advanced configurations or detailed reporting may encounter limitations that could impact operational efficiency. Decision makers should weigh these considerations against their specific requirements when evaluating Sophos against alternatives in the zero trust market.

Use Cases
Sophos performs well in organizations with existing Sophos security infrastructure, leveraging its tight integration between endpoint protection and ZTNA for comprehensive device health assessment. Security operations teams benefit from the solution's detailed session monitoring capabilities that feed into XDR queries for enriched security analysis. Healthcare environments utilize Sophos's risk-based authentication that adapts access decisions based on machine learning-driven behavioral analysis and device health indicators. The strong endpoint integration provides continuous security posture assessment while maintaining detailed audit trails necessary for compliance in regulated industries.

Twingate: Zero Trust Network Access 

Solution Overview
Twingate is a security provider specializing in modern zero trust network access solutions that enable secure connection to private resources without traditional VPN complexities. The company focuses on delivering a streamlined user experience while maintaining robust security controls.

Twingate's ZTNA solution functions as a cloud-based service that creates secure connections between users and resources through a split-tunnel architecture. The system utilizes lightweight clients deployed on user devices to establish encrypted connections to resources based on identity-driven policies while integrating with existing identity providers and security tools.

Twingate takes a simplified approach to secure access, emphasizing ease of use in deployment and management alongside strong security capabilities to address enterprise access needs across diverse environments.

Twingate is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Twingate scored well on a number of decision criteria, including:

• Security policy customization: The solution allows security teams to create granular, role-based access policies through a single unified console. The platform incorporates multiple contextual factors in policy design, including user identity, device posture assessment, and location information, while also considering resource sensitivity when determining appropriate controls. Policies are efficiently distributed via the Twingate Controller for consistent enforcement, supporting highly customizable access rules that can adapt to complex organizational requirements.

• Risk-based authentication: The solution evaluates multiple factors during access attempts, including user role, device posture, geographical location, and network type. The platform creates customizable risk profiles for access attempts and can enforce stricter controls based on device and user context. 

• IAM integration: The solution integrates with existing identity providers to handle user authentication processes, supporting multifactor authentication through iDPs as well as with its own native MFA capability, and single sign-on workflows through the connected IdP. This approach delegates authentication responsibilities to the organization's existing IAM infrastructure while ensuring compatibility with most enterprise identity management systems. 

Opportunities
Twingate has room for improvement in a few decision criteria, including:

• Cloud and SaaS integrations: While the solution enables unified access control across environments and integrates with identity providers, organizations with highly specialized SaaS applications or complex multicloud architectures may face integration challenges. 

• Unmanaged device support: The Twingate Client enables enforcement of device posture checks and policy application. The solution works well for most BYOD scenarios but may lack the granularity needed for highly regulated industries with strict compliance requirements for unmanaged devices.

• Legacy application support: While the solution effectively secures common legacy systems like SSH, RDP, and databases, organizations with highly specialized legacy applications may face integration complexities. The network-level access controls function well for standard implementations but may require additional configuration for uncommon protocols. 

Purchase Considerations
Twingate offers cost-effective ZTNA with transparent pricing that avoids hidden hardware and maintenance expenses. By eliminating legacy VPN infrastructure, the solution can generate additional cost savings for organizations transitioning from traditional approaches. The cloud-native, software-only architecture enables global connector deployment supporting scaling from small teams to large distributed organizations without requiring additional hardware investments. This positions Twingate as suitable for various organizational sizes, though particularly appealing for those seeking simplified deployment. The solution adapts to cloud, on-premises, and hybrid environments with support for diverse resource types, though organizations with specialized needs may encounter limited customization options and occasional compatibility issues with older systems. From an integration perspective, Twingate connects with major identity providers like Okta, Azure AD, and Google Workspace, along with endpoint security tools like SentinelOne, Crowdstrike, and Jamf. The administrative experience offers rapid deployment and a simple interface for both administrators and end users.

Use Cases
Twingate works well for organizations transitioning from VPNs to zero trust security, providing granular policy customization without requiring network architecture changes. Small to medium businesses benefit from its cost-effective approach that eliminates hardware expenses while securing both cloud and on-premises resources. Engineering teams appreciate Twingate's ability to secure legacy applications like SSH, databases, and RDP through network-level access controls with contextual authentication factors. The solution's unified access management across distributed environments makes it valuable for companies with hybrid infrastructure needing consistent security controls without complex deployment requirements.

Zscaler: Zscaler Private Access (ZPA)*

Solution Overview
Zscaler is a cybersecurity company focused on helping organizations navigate digital transformation and cloud adoption challenges through cloud-delivered security solutions. The company maintains a strong market presence in the zero trust security space while continuing to enhance its established offerings.

Zscaler Private Access (ZPA) functions as the company's ZTNA solution within its broader SASE product suite. The solution leverages the cloud as its foundation, employing connectors and agents for different use cases to provide flexible deployment options. ZPA is particularly notable for its app discovery feature, enabling seamless connections between users and applications regardless of the software being used—a capability that distinguishes it in the market.

Zscaler takes a comprehensive approach to secure access, emphasizing cloud-native delivery and adaptable, context-aware controls that enhance security across diverse enterprise environments.

Zscaler is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the ZTNA Radar chart.

Strengths
Zscaler scored well on a number of decision criteria, including:

• Cloud and SaaS integrations: The solution offers seamless connectivity with major cloud service providers, SaaS platforms, and custom applications through an API-based approach. This integration architecture enables organizations to extend consistent security controls across their entire cloud ecosystem while maintaining operational efficiency.

• Advanced DLP: The solution implements robust DLP capabilities with context and content-aware inspection mechanisms that analyze data in transit. This intelligent approach to data security helps organizations identify and protect sensitive information across cloud services and applications.

• Legacy application support: The information provided appears to describe monitoring capabilities rather than legacy application support specifically. However, the description indicates good real-time visibility into behaviors, anomalies, and unusual events through event correlation, which suggests strong analytics capabilities that could benefit security operations.

Opportunities
Zscaler has room for improvement in a few decision criteria, including:

• Session monitoring: While the solution incorporates security policy elements in its monitoring approach, it lacks advanced user behavior analytics and sophisticated anomaly detection compared to security-focused competitors. Organizations with complex compliance requirements or those needing comprehensive forensic capabilities may find the current monitoring framework insufficient for detailed threat hunting and incident response.

• Security policy customization: The solution uses a firewall-centric policy approach. While this familiar model makes implementation straightforward, it can create complexity when managing large-scale deployments with numerous granular exceptions. Organizations with sophisticated microsegmentation requirements or those needing highly context-aware policies beyond traditional network parameters may find the structure limiting for advanced zero trust implementations.

• IAM integration: While integration with standard solutions like Active Directory, Azure AD, and SAML 2.0-compliant providers works effectively, organizations with complex hybrid identity environments may face challenges. The token/cookie issuance post-authentication creates potential session management issues in environments with specialized authentication workflows or custom identity providers. 

Purchase Considerations
Zscaler employs a straightforward licensing approach with a core offering that can be expanded through add-ons and broader solutions within the Zscaler portfolio. Organizations should note that while standard support is included, advanced support requires additional investment. The solution is positioned as a comprehensive security offering that leverages a mature global footprint and partnerships to deliver strong scalability for organizations of various sizes. Zscaler demonstrates exceptional flexibility through its above-average feature set, enabling it to address more use cases than typical alternatives in this market segment. This positions it as suitable for both mid-market and enterprise customers with diverse requirements. The solution benefits from a mature ecosystem with established integrations and official partnerships across multiple domains, facilitating interoperability with existing security investments. Administrative experience is enhanced through an intuitive interface, comprehensive documentation, and automation capabilities that focus on operational simplicity. These factors contribute to a streamlined deployment process, though organizations should consider their requirements for advanced support when calculating total investment.

Use Cases
Zscaler excels in global enterprises requiring unified security across diverse environments through its extensive cloud integration capabilities and worldwide footprint. Financial services organizations benefit from Zscaler's robust DLP functionality that provides context-aware inspection for regulatory compliance. Healthcare providers utilize its risk-based authentication to adjust security challenges based on clinical device context and location factors. The solution's strong SCIM protocol support streamlines user management for organizations with complex identity governance requirements, while its legacy application visibility provides security teams with comprehensive monitoring of access patterns and potential anomalies across hybrid infrastructures.

As the ZTNA market continues to evolve, IT decision-makers face a dynamic landscape shaped by the urgent need for secure remote access and the growing sophistication of cyberthreats. The ZTNA market is experiencing change, driven by the shift to hybrid work environments and the increasing adoption of cloud-based infrastructures as well as OT and IoT. Major players in the space, including established cybersecurity vendors and innovative startups, are competing to offer solutions that prioritize identity-based access, continuous verification, and microsegmentation over traditional perimeter-based security models. For a purchaser or strategist entering this space, the starting point is to recognize that ZTNA is not a one-size-fits-all solution but a framework that must align with an organization’s specific security posture, workforce needs, and digital transformation goals. Understanding the vendor landscape—ranging from comprehensive platforms to niche, best-of-breed solutions—requires a clear assessment of whether integration with existing systems or scalability for future growth is the priority.

Several key themes in the ZTNA market directly impact purchase decisions. The convergence of ZTNA with SASE is a dominant trend, as organizations seek solutions that combine network security and access control. Additionally, the emphasis on user experience cannot be overlooked; solutions that introduce friction or complexity for end users often face adoption challenges. Cost remains a critical factor, with subscription-based pricing models and hidden implementation expenses requiring careful scrutiny. Finally, compliance with regulatory standards like GDPR or HIPAA is nonnegotiable for many industries, making vendor certifications and data protection capabilities a decisive factor. For IT decision-makers weighing adoption, the next best action is to conduct a thorough gap analysis of current security architectures to identify vulnerabilities that ZTNA can address. Engaging stakeholders across IT, security, and business units to define use cases—such as securing remote workforces or protecting cloud applications—will ensure alignment. From there, piloting solutions with a small user group can provide valuable insights into performance, scalability, and user acceptance before committing to a full rollout.

Looking ahead, the ZTNA market is poised for deeper integration with artificial intelligence and machine learning to enhance threat detection and automate policy creation and enforcement. As threats become more advanced, vendors will likely focus on predictive analytics and behavioral profiling to strengthen zero trust principles. Key takeaways for IT leaders include the need to prioritize flexibility in vendor selection, as the market will continue to consolidate, and to invest in employee training to support cultural shifts toward zero trust mindsets. Preparing for the future means building a roadmap that anticipates evolving compliance requirements and hybrid infrastructure demands, ensuring that ZTNA implementations remain adaptable. Staying ahead also requires continuous evaluation of emerging standards and technologies that could redefine secure access.

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

Chris Ray is a veteran of the cyber security domain. He has a collection of experiences ranging from small teams to large financial institutions. Additionally, Chris has worked in healthcare, manufacturing, and tech. More recently, he has acquired an extensive amount of experience advising and consulting with security vendors, helping them find product-market fit as well as deliver cyber security services.

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

© Knowingly, Inc. 2025 "GigaOm Radar for Zero Trust Network Access (ZTNA)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.