
Best ZTNA Solution for Enterprise: Vendor Comparison Guide


What Is ZTNA and Why It Replaced VPN

Zero Trust Network Access (ZTNA) is a cybersecurity framework that grants identity-based, context-aware access to specific enterprise applications without exposing the broader network. Unlike VPNs, which authenticate once and then grant broad network access, ZTNA verifies every access request individually against user identity, device posture, location, and behavioral patterns. Applications remain invisible to unauthorized users, and lateral movement across the network is blocked by design.

Gartner defines ZTNA as products and services that create an identity and context-based, logical-access boundary around enterprise applications, restricting access via a trust broker to named entities and limiting lateral movement within a network.

The ZTNA market is projected to grow from $1.34 billion in 2025 to $4.18 billion by 2030 at a CAGR of 25.5%, according to MarketsandMarkets. North America accounts for 42.4% of market revenue. Gartner forecast that by 2025, at least 70% of new remote access deployments would use ZTNA over VPN, up from under 10% in 2021.

Enterprise adoption is driven by four forces: VPN replacement for hybrid workforces, attack surface reduction through application cloaking, compliance with Zero Trust mandates (NIST SP 800-207, OMB M-22-09, NIS2), and the need to secure access across cloud, hybrid, and on-premises applications from a unified policy framework.

12 Evaluation Criteria for Enterprise ZTNA

The right ZTNA solution depends on infrastructure complexity, compliance requirements, user populations, application portfolio, and security maturity. The following criteria provide a structured evaluation framework.

1. Deployment Architecture

ZTNA solutions deploy as agent-based (software on managed endpoints for deep device posture assessment), agentless (browser-based access for BYOD and contractors), or universal (combining both). Agent-based holds the largest market share in 2025 due to deeper endpoint visibility. Organizations with significant BYOD or contractor access should prioritize vendors offering robust agentless capabilities alongside agent-based deployment.

2. Application Coverage

A production ZTNA deployment must support web applications (HTTP/HTTPS), thick client applications (RDP, SSH, database clients), legacy applications with proprietary protocols, cloud-native workloads across multiple providers, and on-premises applications. Vendors that support only web applications leave critical gaps in hybrid environments.

3. Identity and Authentication Integration

Evaluate support for SAML 2.0, OIDC, LDAP, Active Directory, and integration with identity providers (Okta, Microsoft Entra ID, Google Workspace, Ping Identity). Verify phishing-resistant MFA support (FIDO2, hardware tokens) and conditional access policies based on risk scoring.

4. Device Posture Assessment

Evaluate depth of device checks: OS version, patch level, EDR status, disk encryption, firewall status, jailbreak detection, and certificate-based device identity. The solution should enforce differentiated access based on posture: full access from compliant managed devices, restricted access from unmanaged devices.
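Criteria 1 through 4 describe one decision: is this identity, authenticating this way, on a device in this posture, entitled to this application, and at what access level? The following is an added illustration written for this guide, not code from any vendor profiled here. The application inventory, group names, posture thresholds (30-day patch age) and the set of methods counted as phishing-resistant are constructed assumptions; a real broker would take them from the identity provider, the MDM/EDR feed and the policy store.

```python
"""Added example: a minimal per-request ZTNA access decision.

Illustrative code for this guide, not any vendor's implementation.
Inventory, thresholds and MFA classes below are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool            # enrolled (agent/MDM) or unmanaged BYOD
    os_patch_age_days: int   # days since the last OS patch was applied
    edr_running: bool
    disk_encrypted: bool
    jailbroken: bool = False


@dataclass
class AccessRequest:
    user: str
    groups: set              # group memberships from the identity provider
    mfa_method: str          # e.g. "fido2", "hardware-token", "totp", "sms"
    device: Device
    app: str                 # application name, never a network/CIDR target


# Constructed application inventory: sensitivity drives the required controls.
APPS = {
    "hr-portal": {"sensitivity": "high", "allowed_groups": {"hr"}},
    "db-admin":  {"sensitivity": "high", "allowed_groups": {"dba"}},
    "wiki":      {"sensitivity": "low",  "allowed_groups": {"staff", "contractors"}},
}

# Assumed classification of phishing-resistant authenticators (criterion 3).
PHISHING_RESISTANT = {"fido2", "hardware-token"}


def posture_level(d: Device) -> str:
    """Classify device posture as 'compliant', 'degraded' or 'untrusted'."""
    if d.jailbroken or not d.managed:
        return "untrusted"
    if d.edr_running and d.disk_encrypted and d.os_patch_age_days <= 30:
        return "compliant"
    return "degraded"          # managed, but failing at least one check


def decide(req: AccessRequest) -> dict:
    """Evaluate one request; returns the decision plus audit fields."""
    record = {"user": req.user, "app": req.app, "decision": "deny", "reason": ""}
    app = APPS.get(req.app)
    if app is None:
        record["reason"] = "unknown application (no default network reach)"
        return record
    posture = posture_level(req.device)
    record["posture"] = posture
    if not (req.groups & app["allowed_groups"]):
        record["reason"] = "user not entitled to this application"
        return record
    if app["sensitivity"] == "high":
        # Sensitive apps: phishing-resistant MFA and a compliant managed device.
        if req.mfa_method not in PHISHING_RESISTANT:
            record["reason"] = "high-sensitivity app requires phishing-resistant MFA"
            return record
        if posture != "compliant":
            record["reason"] = f"high-sensitivity app requires a compliant device (got {posture})"
            return record
        record.update(decision="allow", access="full")
        return record
    # Low-sensitivity apps: full access from compliant devices, otherwise
    # a restricted (view-only, no download) session instead of a hard deny.
    access = "full" if posture == "compliant" else "restricted"
    record.update(decision="allow", access=access)
    return record


if __name__ == "__main__":
    laptop = Device(managed=True, os_patch_age_days=7, edr_running=True, disk_encrypted=True)
    print(decide(AccessRequest("alice", {"hr", "staff"}, "fido2", laptop, "hr-portal")))
```

Every branch returns the same record shape, so the same object can be written straight to the audit trail (criterion 10) with the user, application, posture and decision reason already present.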

5. Network Architecture: How Connections Are Established

This is one of the most consequential architectural decisions in ZTNA and often the least understood.

Service-initiated (inside-out) architecture uses connectors deployed alongside applications that establish outbound connections to the ZTNA broker. Users connect to the broker, which routes traffic through the existing outbound tunnel. No inbound firewall ports are required on the application side.

Reverse-access architecture takes this further: the application-side component initiates all connections outbound, and the broker never pushes traffic inbound. The firewall remains in a permanent deny-all state for inbound traffic. There are no listening services, no discoverable IP addresses, and no exposed attack surface; the application infrastructure is completely invisible to the public internet.

The security difference is significant. Service-initiated architectures still require the broker to maintain connectivity to the connector, meaning the connector must be reachable by the broker service. True reverse-access architectures eliminate even this dependency, making the application environment unreachable from outside. For organizations protecting classified systems, critical infrastructure, or high-value targets, this distinction matters.

This architectural choice also affects DDoS resilience. Applications behind a service-initiated connector can still be indirectly impacted if the broker or connector communication channel is disrupted. Applications behind a true reverse-access architecture have no externally reachable endpoint to target: the firewall’s permanent deny-all state means there is nothing for attackers to flood. Understanding this architectural distinction is foundational to evaluating any ZTNA solution against a serious Zero Trust architecture framework.
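The connection direction described above is easiest to see with all three roles running side by side. The following is an added illustration written for this guide, not any vendor's connector or broker code. It models the service-initiated (inside-out) pattern: an internal application that listens only on loopback, a connector beside it that makes one outbound connection to the broker and relays a single request, and a broker that accepts both the connector's tunnel and the user. The application side opens no inbound listener toward the broker or the user; every port number is chosen by the OS (port 0) and the "REGISTER" line and the request/response bytes are constructed for the demo.

```python
"""Added example: service-initiated (inside-out) ZTNA connection flow.

Illustrative code for this guide, not a vendor implementation. All three
roles run in one process over 127.0.0.1; ports are assigned by the OS.
"""
import socket
import threading


def _listen(host: str = "127.0.0.1") -> socket.socket:
    s = socket.socket()
    s.bind((host, 0))          # port 0: the OS picks a free port
    s.listen(1)
    return s


def serve_app(app_sock: socket.socket) -> None:
    """Internal application: reachable only from the local host."""
    conn, _ = app_sock.accept()
    with conn:
        conn.sendall(b"APP-RESPONSE:" + conn.recv(4096))


def run_connector(broker_addr, app_addr, log: list) -> None:
    """Application-side connector: dials OUT to the broker, never listens."""
    with socket.create_connection(broker_addr) as tunnel:
        tunnel.sendall(b"REGISTER hr-portal\n")   # announce the app it fronts
        request = tunnel.recv(4096)               # user traffic rides the tunnel we opened
        log.append(("connector", "request-from-broker", request))
        with socket.create_connection(app_addr) as to_app:   # local hop only
            to_app.sendall(request)
            response = to_app.recv(4096)
        tunnel.sendall(response)


def run_broker(conn_sock, user_sock, log: list) -> None:
    """Broker: accepts the connector's outbound tunnel, then the user, and relays."""
    tunnel, _ = conn_sock.accept()
    with tunnel:
        if not tunnel.recv(4096).startswith(b"REGISTER"):
            raise RuntimeError("connector did not register an application")
        user, _ = user_sock.accept()
        with user:
            request = user.recv(4096)
            log.append(("broker", "user-request", request))
            tunnel.sendall(request)      # pushed down the connector-opened tunnel
            user.sendall(tunnel.recv(4096))


def demo() -> dict:
    """Run one user request end to end; returns what each side observed."""
    app_sock, conn_sock, user_sock = _listen(), _listen(), _listen()
    app_bound_host = app_sock.getsockname()[0]
    log: list = []
    threads = [
        threading.Thread(target=serve_app, args=(app_sock,), daemon=True),
        threading.Thread(target=run_broker, args=(conn_sock, user_sock, log), daemon=True),
        threading.Thread(target=run_connector,
                         args=(conn_sock.getsockname(), app_sock.getsockname(), log),
                         daemon=True),
    ]
    for t in threads:
        t.start()
    # The user only ever talks to the broker; it has no route to the app host.
    with socket.create_connection(user_sock.getsockname()) as user:
        user.sendall(b"GET /payroll")
        reply = user.recv(4096)
    for t in threads:
        t.join(timeout=5)
    for s in (app_sock, conn_sock, user_sock):
        s.close()
    return {"reply": reply, "log": log, "app_bound_host": app_bound_host}


if __name__ == "__main__":
    print(demo())
```

Note that the broker is the only component holding a listener the user can reach; the connector's socket toward the broker exists only because the connector dialed out. The reverse-access variant the page describes keeps that outbound-only principle while removing the broker's need to reach the connector at all, which this small demo does not model.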

6. Microsegmentation Integration

ZTNA controls north-south traffic (user-to-application). A complete Zero Trust architecture also requires east-west controls (application-to-application, workload-to-workload). Evaluate whether the vendor offers integrated microsegmentation or requires a separate product. Unified north-south and east-west policy enforcement reduces architectural complexity and eliminates gaps between access control and workload isolation.

7. Data Protection

Beyond transport encryption (TLS 1.3, AES-256), evaluate DLP capabilities, download controls (view-only, watermarking, copy/paste restrictions), file-level encryption at rest, and compliance with FIPS 140-2/3, HIPAA, PCI DSS 4.0, and GDPR Article 32.

8. Privileged Access Management

Administrative access requires stricter controls. Evaluate support for session recording, just-in-time access provisioning, automatic credential rotation, and integration with PAM platforms. Solutions that unify ZTNA and PAM in a single platform eliminate the security gap between general and privileged access.

9. Scalability and Performance

Evaluate global PoP infrastructure, latency impact versus direct access, bandwidth capacity per user, auto-scaling capabilities, and single points of failure. For globally distributed enterprises, PoP count and geographic coverage directly affect user experience.

10. Compliance and Audit Readiness

Evaluate audit trail completeness (user identity, device posture, application, actions, session duration), SIEM integration (Splunk, QRadar, Microsoft Sentinel), and mapping to NIST SP 800-207, PCI DSS, HIPAA, SOC 2, and ISO 27001.

11. Deployment Complexity and Migration Path

Evaluate infrastructure requirements, integration effort, policy migration from VPN, and availability of parallel-run capabilities that allow VPN fallback during transition.

12. Total Cost of Ownership

Include per-user licensing, bandwidth pricing, connector/gateway infrastructure costs, professional services, agent management overhead, and savings from retiring VPN infrastructure. Organizations consistently report that ZTNA justification comes from risk reduction, not cost savings.

Vendor Comparison: Leading Enterprise ZTNA Solutions

The following profiles cover the leading enterprise ZTNA vendors based on publicly available capabilities, market positioning, and deployment models. Each profile follows the same structure: positioning, architecture, strengths, and honest limitations.

Zscaler Private Access (ZPA)

Position: Cloud-native ZTNA as part of the largest pure-play SSE platform.

ZPA connects users directly to applications through Zscaler’s global security cloud using inside-out connectors (no inbound firewall ports on the application side). It supports agent-based access via the Zscaler Client Connector and agentless browser-based access. ZPA is part of the broader Zscaler Zero Trust Exchange, which includes ZIA (secure web gateway), CASB, and DLP.

Strengths: Largest global PoP infrastructure among ZTNA-focused vendors. Mature application segmentation. Strong SSE integration for organizations consolidating multiple security functions. Extensive enterprise reference base.

Limitations: Premium pricing ($15–25/user/month). Cloud-only delivery (no on-premises deployment option), which disqualifies it for sovereign, classified, or air-gapped environments. Requires significant Zscaler ecosystem commitment for full value. Microsegmentation requires a separate Zscaler product (Zscaler Workload Segmentation), not integrated into ZPA natively.

Palo Alto Networks Prisma Access

Position: ZTNA 2.0 as part of a comprehensive SASE platform, integrated with Palo Alto’s firewall and XDR ecosystem.

Prisma Access delivers continuous trust verification and continuous security inspection of all traffic-not just at connection establishment. It supports the broadest protocol coverage among cloud-delivered ZTNA solutions, including non-web applications. ZTNA 2.0 addresses first-generation ZTNA limitations by inspecting traffic content, not just connection metadata.

Strengths: Continuous post-connection verification (ZTNA 2.0). Full protocol support including thick clients and legacy apps. Deep integration with Cortex XDR and Strata firewalls for organizations already in the Palo Alto ecosystem.

Limitations: Usage-based pricing creates budget unpredictability ($12–20/user/month). Steep learning curve for teams outside the Palo Alto ecosystem. Microsegmentation requires separate Prisma Cloud licensing. No on-premises deployment; cloud-delivered only.

Fortinet Universal ZTNA

Position: ZTNA built into existing Fortinet infrastructure with zero additional licensing.

Fortinet embeds ZTNA directly into FortiGate appliances and FortiClient, allowing organizations to activate ZTNA on infrastructure they already own. The unified FortiClient agent covers ZTNA, VPN, EDR, and vulnerability scanning. FortiSASE extends cloud-delivered ZTNA for organizations without on-premises FortiGates.

Strengths: No additional licensing for existing Fortinet customers: the lowest-cost ZTNA activation path for Fortinet shops. Smooth VPN-to-ZTNA migration using existing FortiGate infrastructure. Recognized as Gartner Peer Insights Customers’ Choice. Full protocol support.

Limitations: Full value requires the Fortinet ecosystem; limited appeal for non-Fortinet environments. Cloud-native capabilities are less mature than Zscaler or Cloudflare. PoP footprint is smaller than hyperscale cloud vendors. Microsegmentation is not integrated; it requires separate FortiGate segmentation policies.

Cloudflare Access

Position: Fast-deployment ZTNA leveraging the world’s largest edge network.

Cloudflare Access delivers ZTNA through 300+ PoPs on the same anycast network used for CDN and DDoS mitigation. Agent-based access uses the WARP client; agentless browser-based access supports unmanaged devices. A free tier covers up to 50 users. Part of Cloudflare One (SSE platform including gateway, CASB, DLP, and email security).

Strengths: Fastest time to value: simplest initial deployment among enterprise ZTNA vendors. Extensive global PoP network minimizes latency. Free tier for testing. Inherent DDoS resilience from the Cloudflare network. Strong SSE bundling.

Limitations: Non-web application support (RDP, SSH, SMB) is less mature than dedicated ZTNA vendors. Enterprise features require higher-tier plans with less transparent pricing. No on-premises deployment option. Microsegmentation is not part of the platform.

Cisco Secure Access

Position: Integrated SSE and ZTNA for enterprises already invested in Cisco networking and security.

Cisco Secure Access combines ZTNA with SSE capabilities, integrating Duo (identity/MFA), SD-WAN, and endpoint security. The solution supports hybrid environments with strong policy integration across Cisco’s networking stack.

Strengths: Deep integration with Cisco networking and security portfolio. Strong MFA and identity verification through Duo. Comprehensive hybrid cloud support. Familiar management experience for Cisco-standardized organizations.

Limitations: Product history spanning multiple acquisitions creates integration complexity and inconsistent user experiences. Pricing is opaque due to bundling with broader Cisco security licenses. Feature parity with pure-play ZTNA vendors lags in some areas (e.g., application discovery, user experience analytics).

Netskope Private Access

Position: Data-centric ZTNA within a broader SSE platform focused on DLP and SaaS security.

Netskope positions Private Access as “Universal ZTNA” for consistent access across cloud, on-premises, and hybrid environments. Strong integration with Netskope’s CASB and DLP capabilities makes it particularly attractive for organizations where data protection is the primary security driver.

Strengths: Best-in-class DLP integration among ZTNA vendors. Consistent policy across SaaS, web, and private application access. Strong visibility into data movement and user behavior. Good fit for data-sensitive industries (finance, healthcare).

Limitations: On-premises connector deployment can be complex. Pricing transparency is limited ($10–18/user/month). Smaller PoP footprint than Zscaler or Cloudflare. Microsegmentation is not part of the Netskope platform.

TerraZone truePass

Position: Unified Zero Trust platform combining ZTNA, microsegmentation, identity isolation, and secure data exchange, with patented reverse-access architecture and full on-premises deployment capability.

TerraZone truePass delivers ZTNA through a platform that natively integrates application access, workload segmentation, identity-based firewall (IDFW), and data protection. The distinguishing architecture is patented reverse-access: internal applications initiate outbound-only connections to the TerraZone Access Gateway, keeping the firewall in a permanent deny-all state with no inbound ports, no listening services, and no discoverable attack surface. The platform supports agent-based and clientless access across HTTP/S, RDP, SSH, SFTP, and SMB (via the proprietary Heimdall protocol that adds Zero Trust controls to file sharing without client-side changes).

Strengths: Only vendor in this comparison offering patented reverse-access where the application infrastructure has zero inbound exposure. Only vendor natively integrating ZTNA and microsegmentation on a single platform: unified north-south and east-west policy without separate products. Full on-premises, cloud, and hybrid deployment, critical for sovereign, classified, and air-gapped environments. Heimdall SMB protocol adds Zero Trust identity-based controls to file sharing natively. Built-in PAM, MFT, and identity isolation reduce vendor sprawl.

Limitations: Smaller global PoP footprint than hyperscale cloud vendors (Zscaler, Cloudflare, Palo Alto); organizations with 50,000+ globally distributed users should validate latency in their specific regions. Less brand recognition than the major SASE vendors; CISOs may face internal resistance when proposing a less well-known vendor. No native CASB or secure web gateway; organizations needing full SSE consolidation (ZTNA + SWG + CASB + DLP in one cloud service) will need to pair TerraZone with a complementary SWG/CASB solution. Pricing is not publicly listed; it requires direct engagement.

Appgate SDP

Position: Enterprise-grade software-defined perimeter with dynamic trust models for regulated industries.

Appgate SDP uses continuous authentication that adjusts in real time based on user behavior, device compromise signals, and environmental risk. It supports microsegmentation across cloud, on-premises, and hybrid environments and provides granular audit trails built for regulatory compliance.

Strengths: Most dynamic context-aware access policies in this comparison. Built-in microsegmentation. Strong compliance reporting mapped to HIPAA, PCI DSS, GDPR. Good fit for highly regulated industries.

Limitations: Smaller market presence and partner ecosystem than the major SASE vendors. Implementation complexity-requires dedicated security engineering resources for deployment and tuning. Agentless access options are more limited than some competitors. Steeper learning curve for policy design.

Vendor Comparison Matrix

| Criterion | Zscaler ZPA | Palo Alto Prisma | Fortinet ZTNA | Cloudflare Access | Cisco Secure Access | Netskope Private Access | TerraZone truePass | Appgate SDP |
|---|---|---|---|---|---|---|---|---|
| Deployment | Cloud | Cloud | On-prem + Cloud | Cloud | Cloud + Hybrid | Cloud | On-prem, Cloud, Hybrid | On-prem, Cloud, Hybrid |
| Agent + Agentless | Both | Both | Both | Both | Both | Both | Both | Agent-focused |
| No inbound ports | Yes (inside-out) | No | No | No | No | No | Yes (patented reverse-access) | Yes (SDP model) |
| Application invisible to internet | Partial | No | No | No | No | No | Full | Partial |
| Non-web protocols | RDP, SSH | Full | Full | Limited | RDP, SSH | RDP, SSH | Full (incl. SMB Heimdall) | Full |
| Integrated microsegmentation | No | No | No | No | No | No | Yes | Yes |
| Integrated PAM | No | No | Add-on | No | No | No | Yes | No |
| On-premises deployment | No | No | Yes | No | Limited | No | Yes | Yes |
| Global PoP count | 150+ | 100+ | Growing | 300+ | 30+ | 75+ | Regional | Regional |
| CASB/SWG bundling | Yes (SSE) | Yes (SASE) | Yes (FortiSASE) | Yes (Cloudflare One) | Yes (SSE) | Yes (SSE) | No | No |
| Approx. pricing | $15–25/u/mo | $12–20/u/mo | Included w/ FortiGate | Free–$10+/u/mo | Bundled | $10–18/u/mo | Contact vendor | Contact vendor |

Decision Framework

The best ZTNA solution is the one that matches the enterprise’s specific scenario. The following mapping connects common enterprise requirements to the most appropriate vendor approach.

Cloud-first SASE consolidation (ZTNA + SWG + CASB in one platform): Zscaler, Palo Alto Prisma, Cloudflare, or Netskope. These vendors deliver ZTNA as part of broader SSE/SASE platforms optimized for organizations that want to consolidate multiple cloud-delivered security functions under one vendor.

Existing Fortinet infrastructure: Fortinet Universal ZTNA provides the fastest and lowest-cost activation path: ZTNA is built into FortiGate and FortiClient at no additional licensing cost.

Existing Cisco infrastructure: Cisco Secure Access offers the tightest integration with Cisco networking and Duo identity services.

Fastest time to value for cloud-native deployment: Cloudflare Access. Simplest deployment model, free tier for testing, and the largest edge network for latency-sensitive deployments.

Data-centric security with strong DLP: Netskope Private Access. Best-in-class data loss prevention integration for organizations where data classification and movement control are the primary security drivers.

Classified, sovereign, or air-gapped environments where data cannot traverse third-party cloud infrastructure: TerraZone truePass or Appgate SDP. Both offer full on-premises deployment. TerraZone’s reverse-access architecture provides the additional advantage of zero inbound exposure, essential for environments where even the possibility of external reconnaissance is unacceptable.

Unified ZTNA + microsegmentation without multi-vendor integration: TerraZone truePass or Appgate SDP. Both integrate north-south (user-to-application) and east-west (workload-to-workload) controls natively, eliminating the policy gaps that occur when separate ZTNA and microsegmentation products are stitched together.

Maximum attack surface elimination: TerraZone truePass. Patented reverse-access architecture ensures the firewall is in a permanent deny-all state: no ports, no services, no discoverable infrastructure. For organizations where the primary threat model includes nation-state reconnaissance and targeted attacks against internet-facing infrastructure, this architectural advantage is decisive.

Regulated industries with complex compliance requirements (healthcare, finance): Appgate SDP, TerraZone truePass, or Netskope. Each provides strong audit trail capabilities and compliance reporting, with different strengths: Appgate for dynamic risk-based policies, TerraZone for unified platform audit across ZTNA/microsegmentation/PAM, and Netskope for data-centric compliance.

Common ZTNA Deployment Mistakes

Replicating VPN access patterns through ZTNA. Organizations that map their VPN’s broad network access into ZTNA policies gain marginal security improvement. ZTNA’s value comes from granular, per-application access control: define policies at the application level, not the network level.

Covering only web applications. If the ZTNA deployment supports web apps but forces VPN fallback for RDP, SSH, or SMB, the organization operates two parallel access systems, doubling management overhead and leaving the VPN attack surface intact.

Ignoring east-west traffic. ZTNA controls who reaches the application. Without microsegmentation, a compromised application session can pivot laterally to other systems on the same network segment. ZTNA and microsegmentation are complementary, not alternatives. Organizations evaluating ZTNA should simultaneously evaluate how they will enforce identity-based segmentation for workload-to-workload communication, whether through the same vendor or an integrated solution.

Underestimating identity hygiene. Stale accounts, shared credentials, over-provisioned roles, and weak MFA undermine ZTNA regardless of the vendor. Clean identity infrastructure is a prerequisite, not an afterthought.

Choosing based on brand alone. The largest ZTNA vendors excel at specific scenarios (cloud-first, SASE consolidation) but may be poor fits for others (on-premises, classified, legacy protocol support). Match the vendor’s architecture to your actual environment, not to analyst rankings that reflect different buyer profiles.

Implementation Best Practices

Start with one high-value application. Migrate 100–200 users accessing a single business-critical application before expanding. This surfaces integration issues at low blast radius.

Run ZTNA in parallel with VPN during migration. Allow VPN fallback while expanding ZTNA coverage. Gradually narrow VPN access until full decommission.

Define policies by application sensitivity. Group applications by data classification and apply proportional controls: stricter for sensitive data, streamlined for low-risk tools.

Assemble a cross-functional team. ZTNA touches networking, identity, application architecture, and compliance. Siloed implementation creates policy gaps between these domains.

Test for bypass scenarios. Penetration testing should specifically target ZTNA: discovering hidden applications, escalating through misconfigurations, and exploiting gaps between ZTNA and legacy access methods.

How to Read This Guide

This comparison reflects publicly available vendor capabilities as of early 2026. The ZTNA market is evolving rapidly: vendors release new capabilities quarterly, and market positioning shifts through acquisitions (notably Palo Alto’s agreement to acquire CyberArk in 2025, signaling PAM as a platform-native capability). Re-evaluate vendor capabilities against these criteria at least annually.

No single vendor dominates every evaluation criterion. The enterprises that select ZTNA successfully are the ones that clearly define their requirements first (infrastructure type, application portfolio, compliance mandates, threat model, and operational maturity) and then match those requirements to the vendor whose architecture and capabilities align most closely.

The criteria and decision framework in this guide are designed to support that process regardless of which vendor ultimately fits best.

One final consideration: the ZTNA decision is not permanent. Most enterprises start with a primary use case (VPN replacement, contractor access, or cloud application security) and expand coverage over time. The vendor you select should support this incremental approach, allowing you to start with a focused deployment and scale without rearchitecting. Evaluate not just where the vendor is today, but where their roadmap aligns with your security strategy over the next two to three years. The strongest ZTNA investment is one that grows with your Zero Trust maturity, not one that locks you into a static configuration.
