Technical Review by
Craig MacAlpine
Zero trust network access (ZTNA) solutions enable remote users to securely access network resources such as files, servers, and applications. They create identity- and context-based boundaries around network assets or asset groups, hiding the network IP address so that those assets are hidden from public view, and restricting access to them on a zero trust basis.
Before granting a user access, the ZTNA provider authenticates their identity, their device’s identity and health, and the context of their login attempt. Once authenticated, users are given access only to the resource they need in line with the principle of least privilege; to access something else, they must be re-authenticated. This continuous verification helps segment the network, preventing attacks from spreading laterally throughout the network.
To achieve this, ZTNA solutions offer application micro-segmentation, granular role-based access policy configuration, and in-depth reporting into user access and application use. They should also verify that the endpoint security on a user’s device is working properly, and that the operating system is patched. Finally, the best ZTNA solutions offer in-built two-factor or multi-factor authentication (2FA/MFA) or integrations with leading MFA providers, for further security against identity-based attacks and account takeover.
In this article, we’ll explore the top zero trust network access (ZTNA) solutions. We’ll look at features such as app micro-segmentation, user and device authentication, access policy configuration, reporting and analytics, and added security controls. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for.
Zero trust network access removes the assumption that anyone inside your network should be trusted. Instead of granting broad access once a user connects, ZTNA verifies who the user is, checks that their device meets security standards, and grants access only to the specific applications they need. If a user needs to access a different application, they are verified again. This approach limits the damage an attacker can do if they compromise one account or device.
ZTNA enforces application-level access through an identity-aware proxy or broker that sits between users and resources. Authentication evaluates user identity (via SAML, OIDC, or certificate-based methods), device posture (OS patch level, endpoint protection status, disk encryption), and contextual signals (location, time, network risk). Access decisions are made per-session and per-application rather than per-network segment.
The architecture eliminates inbound connections to the corporate network. Applications connect outbound to the ZTNA broker, which proxies authorized user traffic to specific resources without exposing IP addresses or opening firewall ports. Micro-segmentation isolates applications from each other, preventing lateral movement if a single resource is compromised. Continuous trust evaluation monitors session behavior and can revoke access in real time if risk signals change. Most enterprise ZTNA platforms integrate with identity providers, endpoint detection and response tools, and SIEM/SOAR systems for unified policy enforcement.
This table compares all 11 ZTNA platforms across deployment model and key capabilities.
| Product | Best For | Type | Agentless Option | Device Posture | IdP Integration |
|---|---|---|---|---|---|
|
Twingate ZTNA
|
SMBs to enterprises, VPN replacement
|
Cloud ZTNA
|
Yes
|
Yes
|
Yes
|
|
NordLayer
|
Mid-sized orgs, quick deployment
|
Cloud ZTNA
|
No
|
Yes
|
Yes
|
|
Akamai Enterprise Application Access
|
Global low-latency access
|
Cloud ZTNA (Edge)
|
No
|
Yes
|
Yes
|
|
Aviatrix Cloud Network Security
|
Multi-cloud visibility and control
|
Cloud Network Platform
|
No
|
Yes
|
Yes
|
|
Check Point Harmony SASE
|
Consolidated ZTNA and web security
|
SASE
|
Yes
|
Yes
|
Yes
|
|
Cisco Software-Defined Access
|
Cisco ecosystem enterprises
|
Network ZTNA
|
No
|
Yes
|
Yes
|
|
Cloudflare Access
|
VPN replacement with edge infrastructure
|
Cloud ZTNA (Edge)
|
Yes
|
Yes
|
Yes
|
|
Microsoft Entra ID
|
Microsoft ecosystem identity-driven ZT
|
IAM / ZTNA
|
Yes
|
Yes
|
Yes
|
|
Netskope One Private Access
|
Unified visibility with strong DLP
|
SASE / ZTNA
|
No
|
Yes
|
Yes
|
|
Palo Alto Prisma Access
|
On-prem to cloud policy consistency
|
SASE
|
No
|
Yes
|
Yes
|
|
Zscaler Private Access
|
Large enterprise zero-trust architecture
|
Cloud ZTNA
|
Yes
|
Yes
|
Yes
|
Expert Insights assessed 11 ZTNA platforms across deployment flexibility, access policy depth, device posture verification, identity provider integrations, performance, and real-world customer feedback, evaluating how effectively each enforces least privilege access while maintaining a frictionless experience for remote and hybrid users. This guide was researched and written by Caitlin Harris, with technical review by Craig MacAlpine. Our editorial and commercial teams operate independently; no vendor can pay to influence our reviews. Read our full methodology
Twingate is a remote access provider that focuses on enabling distributed workforces to securely access corporate resources without compromising their productivity. Twingate’s cloud-based ZTNA solution allows IT and security teams to implement a software-defined perimeter and centrally manage user and device access to corporate infrastructure and applications without exposing public gateways or ports, using external hardware, or changing their existing infrastructure. We think it is a good fit for small to mid-sized teams wanting straightforward remote access security with a software-first approach, and for more advanced organizations looking to automate access via IaC.
Customers praise the fast connectivity, easy MFA integration, and connection reliability. The alias feature handles multiple networks with overlapping IP schemes well. The platform’s ease of deployment is consistently highlighted. With that said, certain MDM deployments, specifically Intune, Jamf, and NinjaRMM can be more complex for larger teams.
We think Twingate is well worth considering for small to mid-sized teams wanting VPN replacement without infrastructure complexity. The Terraform support is a real differentiator if your team works with infrastructure-as-code. Twingate also offers a broad range of support options, including priority support for businesses on their Enterprise subscription. For larger enterprise rollouts, we’d recommend testing MDM integration carefully before committing.
NordLayer is a cloud-based ZTNA solution designed for mid-sized organizations that want zero trust without a heavy deployment lift. We think it sits well between lightweight VPN replacements and the heavier enterprise SASE platforms. The NordLynx protocol delivers fast, encrypted connections, and the platform is genuinely easy to get up and running.
Customers praise the quick setup and the interface. Adding users takes minutes, and connection stability gets consistently high marks across deployments. Something to be aware of is that admin role permissions can be restrictive; team admins can’t reset MFA or access certain key settings, which may slow down day-to-day management in larger teams.
We think NordLayer is a strong option for mid-sized organizations wanting zero trust access controls without extensive infrastructure changes. If you need quick deployment, IdP integrations, and device posture checks without the complexity of a full SASE platform, this delivers.
Best for mid-to-large enterprises prioritizing low-latency global access
Akamai Technologies is a cybersecurity company that specializes in cloud-based web and internet security, and content delivery network services. Enterprise Application Access is Akamai’s cloud-delivered ZTNA solution, running on Akamai’s Intelligent Edge Platform with no virtual or physical hardware to manage. We were impressed by the performance and scale this brings to zero trust access. It provides secure access to AWS, Azure, Google Cloud, and SaaS applications, and is best suited for mid-to-large enterprises prioritising low-latency global access.
Customers praise the network performance and DDoS protection capabilities. Microsegmentation and API protection features get positive feedback from security teams. Something to be aware of is that this is enterprise-level pricing, which limits accessibility for smaller organizations. Some users also note that implementation requires a learning curve, and support response times can vary.
We think Akamai EAA is a strong fit for organizations needing reliable, low-latency ZTNA across complex cloud environments. The solution scales well, and integrations with LDAP and Active Directory make it relatively straightforward to deploy and provision. If you already use Akamai services or need edge-optimized performance globally, this integrates naturally into your existing stack.
Best for multi-cloud and hybrid environments needing consistent visibility
Aviatrix is a cloud network security platform built for multi-cloud and hybrid environments. It provides a zero-trust firewall, encrypted connectivity up to 100 Gbps, and unified management across AWS, Azure, Google Cloud, and Oracle Cloud. We think it stands out for organizations managing complex, distributed cloud infrastructure who need consistent security and visibility across providers.
Customers consistently highlight reduced troubleshooting time and simplified management. Documentation gets praise for clarity, and GitOps integration fits modern deployment workflows. Something to be aware of is that feature parity varies across cloud providers, with certain capabilities stronger on some CSPs than others. Initial setup also requires coordination with your cloud teams.
We think Aviatrix is well worth considering for enterprises running workloads across multiple cloud providers who need consistent security and visibility. The CoPilot dashboard is a real differentiator for operations teams, and the SmartGroups approach to zero-trust policies is well suited to fast-moving cloud environments.
Best for organizations wanting ZTNA and web security consolidated
Check Point Harmony SASE (formerly Perimeter 81) is a cloud-based zero-trust platform combining ZTNA with a Secure Web Gateway. The platform is cloud-based, so it doesn’t require the maintenance of any external hardware, making it easy to deploy and scale. It supports Windows, Mac, Linux, iOS, Android, and Chromebook operating systems, with agentless options for unmanaged devices. We think it works well for organizations wanting ZTNA and web security consolidated in one platform without managing separate tools.
Customers praise the cloud-native architecture and quick deployment. Policy updates propagate instantly, and the threat prevention capabilities get strong marks. The solution’s helpful, efficient support is highlighted, and the interface makes it a particularly popular product among SMBs. With that said, initial setup complexity increases in hybrid environments with on-prem components. Web content analysis is also limited to 10MB file sizes, which restricts some use cases.
We think Check Point Harmony SASE is a solid choice if you have a hybrid workforce spread across locations and need consistent policy enforcement. The wide OS compatibility, including Chromebook, makes it a strong option for companies with BYOD devices in their fleet. The consolidated approach to ZTNA and web security simplifies architecture, and the automated policy enforcement is good to see.
Best for mid-to-large enterprises already invested in Cisco infrastructure
Cisco is a market-leading provider of solutions that enable and secure remote and hybrid work. Software-Defined Access (SD-Access) is Cisco’s ZTNA solution, designed to enable IT and security teams to configure and enforce access policies across their remote or hybrid workforce. It integrates tightly with Cisco’s broader security suite, managed through Cisco Catalyst Center. We think it works best for mid-to-large enterprises already invested in Cisco infrastructure, where the ecosystem integration adds value that standalone solutions can’t match.
Customers with long-standing Cisco deployments praise the account team relationships and support access. Teams report faster site deployments and simplified code upgrades through automation. Something to be aware of is that some users, particularly those unfamiliar with Cisco’s products, report that initial deployment is complex and requires support from Cisco’s technical team. Documentation gaps can also make unlocking advanced functionality harder than it should be.
We think Cisco SD-Access is well worth considering if you already run Cisco infrastructure and want unified policy control across your environment. The network segmentation and continuous device posture verification are strong, and the automation capabilities help standardise configurations across sites. SMBs interested in the Cisco suite may wish to consider Duo Remote Access, which is aimed at smaller businesses but still offers integrations with Cisco’s other products.
Best for organizations wanting VPN replacement backed by global edge infrastructure
Cloudflare is a cybersecurity provider that aims to secure anything connected to the internet. Designed to augment or replace traditional VPN solutions, Cloudflare Access is Cloudflare’s ZTNA solution that enables remote users to access all apps in their company’s on-prem, public cloud, or SaaS environment. The same infrastructure that handles DDoS protection for much of the internet powers the access layer. We think it suits organizations with capable IT teams who want VPN replacement backed by global infrastructure and strong performance.
Customers describe Cloudflare Access as something that “just works” after deployment. Organizations consolidating from multiple open-source tools appreciate the simplified management, and the Cloudflare team gets high marks for responsiveness. Users praise the strong integrations with identity providers and reliability when it comes to threat prevention. With that said, setup complexity increases significantly in large or distributed environments, and the platform requires experienced IT teams to configure effectively.
We were impressed by the Tunnel-based approach, which eliminates inbound firewall rules and reduces attack surface. Cloudflare Access is delivered via Cloudflare’s globally distributed edge network, giving it the scalability to support organizations of any size with fast connections worldwide. If you already use Cloudflare services or need edge-optimized access across a global workforce, this integrates naturally and the post-quantum security support adds long-term value.
Best for identity-driven zero trust in Microsoft environments
Microsoft Entra ID is an enterprise identity and access management platform delivering SSO, MFA, and conditional access. For organizations already running Microsoft infrastructure, it is the natural IAM choice. We think the adaptive access policies and deep ecosystem integration make it a strong foundation for identity-driven zero trust, particularly when paired with Microsoft Entra Private Access for full ZTNA capabilities.
Customers report strong reliability and stability in production. The integration with other Microsoft tools gets consistent praise for keeping workflows connected. Something to be aware of is that initial setup and configuration complexity requires careful planning. Managing settings can feel overwhelming, especially for teams new to enterprise IAM.
We think Microsoft Entra ID is well worth considering for organizations already invested in Microsoft infrastructure. The risk-based adaptive access is a standout feature, and the integration benefits compound when you run Azure, Microsoft 365, and related services together.
Best for organizations needing unified visibility with strong DLP across SaaS and private apps
Netskope One Private Access is a ZTNA solution within the Netskope One platform, combining zero trust access with DLP and threat protection across SaaS, web, and private applications. We think it stands out for organizations with mature security teams managing complex cloud environments who need unified visibility and strong data protection.
Customers praise the unified approach for simplifying operations. Real-time threat protection and DLP work effectively in hybrid environments, and support teams get consistently high marks for responsiveness. With that said, initial deployment and policy configuration requires significant time and expertise. Some users also report that the client agent occasionally disconnects or enters fail-closed states.
We were impressed by the breadth of the Netskope One platform and the consistency of positive support feedback. If you need unified visibility, strong DLP, and threat detection across SaaS and private applications, Netskope consolidates multiple security functions well.
Best for larger organizations wanting consistent security between on-prem firewalls and cloud access
Palo Alto Networks is a globally recognized and trusted provider of enterprise cybersecurity solutions. Prisma Access, formerly GlobalProtect, is Palo Alto’s cloud-delivered SASE solution combining ZTNA, secure web gateway, and CASB capabilities. It enforces continuous authentication and least privilege access to provide remote users with secure access to corporate applications, including web apps, TCP-based apps, and UDP-based apps. We think it is best suited for larger organizations already invested in Palo Alto infrastructure who want consistent security policies between on-prem firewalls and cloud-delivered access.
Customers describe the solution as stable, secure, and able to scale with minimal operational overhead. Users praise the simplicity with which they can manage user access, and the high levels of security the platform provides. Teams consolidating legacy SWG and VPN services appreciate the unified approach. Something to be aware of is that the platform requires design effort and tuning to achieve optimal performance, and some users note that limited command line access restricts advanced troubleshooting.
We think Prisma Access is a very strong option for organizations with existing Palo Alto investments. The policy consistency between on-prem and cloud is a real advantage, and the sub-app level controls give security teams the control they need. The solution supports diverse environments, both in terms of combining on-prem and SaaS elements, and managed and unmanaged devices, including IoT.
Best for large enterprises needing zero-trust architecture with web threat protection
Zscaler is a market-leading provider of cloud-based web security solutions. Zscaler Private Access (ZPA) is their cloud-delivered ZTNA solution designed to provide secure, frictionless remote access to all private applications, services, and OT/IoT devices running in a public cloud or in a data center. Part of Zscaler’s Security Service Edge (SSE) platform, ZPA’s cloud-based architecture makes it quick to deploy without the need for external hardware. We think it is best suited for larger enterprises needing zero-trust architecture with strong web threat protection as part of a broader SSE strategy.
Customers praise the VPN replacement benefits. Connections run fast with noticeably reduced latency compared to traditional tunnels, and the admin console provides solid visibility. Azure AD integration works smoothly, and documentation and community support help teams get running. Something to be aware of is that network switching can cause repeated connect/disconnect cycles, which disrupts user workflow.
We think Zscaler Private Access is a strong choice for large enterprises wanting VPN replacement with enhanced web security. ZPA is compatible with both managed and unmanaged devices, making it particularly strong for organizations with corporate-issued and BYOD devices in their fleet, or those using third parties and contractors. The hidden application architecture reduces attack surface effectively, and the browser isolation capabilities add a layer of protection that most ZTNA-only tools don’t offer.
Beyond our top 11, these ZTNA solutions are worth considering:
Software-defined perimeter for dynamic, secure remote access.
Simplifies secure access with user- and device-based policies.
Cloud-delivered ZTNA with granular access controls.
Integrated ZTNA as part of a secure access service edge platform.
Zero trust access with threat protection for private applications.
ZTNA pricing varies based on deployment model, user count, and whether the platform is standalone or part of a broader SASE/SSE suite. Per-user pricing is the most common model for cloud-delivered solutions. The prices below reflect publicly available starting points where disclosed.
| Product | Starting Price | Billing | Link |
|---|---|---|---|
|
Twingate ZTNA
|
Free (Starter); from $5/user/month
|
Monthly / Annual
|
|
|
NordLayer
|
From $8/user/month
|
Monthly / Annual
|
|
|
Akamai Enterprise Application Access
|
Contact for quote
|
Annual subscription
|
|
|
Aviatrix Cloud Network Security
|
Contact for quote
|
Annual subscription
|
|
|
Check Point Harmony SASE
|
From $10/user/month
|
Annual subscription
|
|
|
Cisco Software-Defined Access
|
Contact for quote
|
Subscription
|
|
|
Cloudflare Access
|
Free tier; from $7/user/month
|
Monthly / Annual
|
|
|
Microsoft Entra ID
|
Included with Microsoft 365; standalone from $6/user/month
|
Monthly / Annual
|
|
|
Netskope One Private Access
|
From ~$9/user/month
|
Annual subscription
|
|
|
Palo Alto Prisma Access
|
Contact for quote
|
Annual subscription
|
|
|
Zscaler Private Access
|
From ~$6/user/month
|
Annual subscription
|
|
These are the evaluation and operational steps we recommend when selecting and deploying a ZTNA solution.
Network-level access defeats the purpose of zero trust by granting broader reach than users need, increasing lateral movement risk.
SSO and MFA integration quality varies between providers; testing with your actual IdP prevents authentication friction during rollout.
Unmanaged devices accessing corporate resources need posture verification to prevent compromised endpoints from reaching sensitive applications.
Organizations that require agent installation on every device create friction for external users and may not be able to enforce agents on contractor devices.
Coarse segmentation limits the effectiveness of zero trust; sub-app level controls prevent overprivileged access within individual applications.
ZTNA adoption fails when the client experience on Mac, Linux, mobile, or Chromebook is significantly worse than Windows.
ZTNA platforms that integrate with your SIEM, EDR, and SOAR tools create unified visibility; standalone deployments create gaps.
Organizations planning to consolidate SWG, CASB, and ZTNA should evaluate platforms that bundle these capabilities rather than deploying standalone ZTNA.
Regulated industries need detailed access logs and session records; verify the platform meets your specific compliance standards before deploying.
Per-user pricing that looks affordable at 50 users can escalate significantly at scale, especially when DLP, browser isolation, or advanced analytics require premium tiers.
The ZTNA market has evolved well beyond simple VPN replacement. Modern platforms now combine identity-driven access with DLP, threat detection, and browser isolation as part of broader SASE and SSE strategies. The right choice depends on your existing infrastructure, the complexity of your cloud environment, and whether you need a lightweight access solution or a full security platform.
Organizations already invested in specific ecosystems like Cisco, Palo Alto, or Microsoft will find the most value in solutions that extend those investments, while teams starting fresh should evaluate deployment simplicity and time to value alongside feature depth.
Zero trust network access solutions enable remote users to securely access resources on their corporate network. They do this by creating an identity- and context-based boundary around individual network assets—such as files, servers, or applications—or groups of assets. If a user wants to access an asset, the ZTNA solution must first verify their identity and the context of their access attempt in line with pre-defined policies. If the user passes these checks, they’re granted permission to access only the requested asset or asset group. If they want to access another asset, the ZTNA solution must re-verify them.
The micro-segmentation employed by ZTNA solutions also gives admins continuous, real-time visibility into which users are accessing which assets and when. This enables them to quickly identify and anomalous activity, as well as identify applications that are rarely used or redundant, to help save subscription costs.
Zero trust network access, more commonly referred to as “ZTNA”, is a security solution that secures corporate assets by creating individual identity- and context-based boundaries around them, or groups of them. With ZTNA in place, the network IP address is hidden. This means that network assets, such as applications, are hidden from public discovery. Additionally, access to network assets is restricted by the ZTNA provider; trust is conditional. Before a user is granted access, the ZTNA provider verifies that user’s identity and the context of their access attempt in line with admin-configured policies. If they pass these checks, the user is granted only enough authority to access the requested asset or asset group, based on admin-configured roles—rather than to the entire network, as with traditional network perimeters. If the user wants to access another asset or asset group, the ZTNA provider re-verifies them.
Thanks to this continuous verification, ZTNA not only helps prevent attackers from gaining access to the network in the first place, but also prevents the spread of cyberthreats laterally through the network if an attacker does manage to gain access, greatly limiting the amount of damage they’re able to do before they’re detected.
With a ZTNA solution implemented, organizations can enable their users to seamlessly and securely access all of the data and applications they need for work, without having to grant them access to the entire network or expose those assets to potentially unsecure internet connections.
Traditionally, organizations have relied on virtual private networks (VPNs) to establish a secure connection between their remote users and the corporate network. Enterprise VPNs create a private network across a public internet connection, essentially creating an encrypted tunnel between the user and the network. They anonymize the user by hiding their IP address and prevent any third parties from spying on users by encrypting data. They also usually require the user to authenticate themselves via multi-factor authentication (MFA) before establishing the connection.
However, once authenticated, the user has free access to the entire corporate network. This means that, if an attacker gains access to a remote user’s credentials and logs into their VPN, or even just intercepts a user’s VPN connection, they too can access the entire company network.
ZTNA solutions differ from this by only giving users access to the resources they need, when they need them—and nothing more. This enables ZTNA solutions to prevent attacks from spreading laterally through the network should an attacker manage to gain initial access. This greatly limits the amount of damage an attacker can do if they compromise a user’s account.
TL;DR: if a VPN builds a wall around the castle of your network to keep out the bad guys, a ZTNA solution places a guard on every door within the castle.
There are five key features that you should look for when shopping for a ZTNA solution:
There are a lot of reasons why you might want to consider implementing a zero trust network access solution, or switching from your traditional VPN to ZTNA. Here are some of the top benefits of ZTNA:
Most businesses should consider implementing ZTNA, and there are two specific use cases where it should be a critical part of your security architecture.
The first of those is businesses with a distributed workplace. Modern networks and workplaces are incredibly distributed: they have both personal and corporate devices, they have on-premises and cloud applications, and they have remote and on-site employees. ZTNA offers protection for each of those attack surfaces, while also enabling productivity through remote and hybrid work.
The second use case is businesses with a complex supply chain or that work with lots of third parties. Third parties are often granted much higher permissions than they need to do their jobs, and they also tend to work via personal or unmanaged devices. This makes them the perfect target for an attacker trying to access company data. But with ZTNA, you can ensure that they are only granted the access they need, as well as verify the identities of any third parties that you are granting access to—and their devices.
Further reading on network security from Expert Insights — buyers' guides, comparison articles, and platform-specific shortlists.
Joel is the Director of Content and a co-founder at Expert Insights; a rapidly growing media company focussed on covering cybersecurity solutions.
He’s an experienced journalist and editor with 8 years’ experience covering the cybersecurity space. He’s reviewed hundreds of cybersecurity solutions, interviewed hundreds of industry experts and produced dozens of industry reports read by thousands of CISOs and security professionals in topics like IAM, MFA, zero trust, email security, DevSecOps and more.
He also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted. Joel is driven to share his team’s expertise with cybersecurity leaders to help them create more secure business foundations.
Craig MacAlpine is CEO and Founder of Expert Insights. Before founding Expert Insights in August 2018, Craig spent 10 years as CEO of EPA Cloud, an email security provider that rebranded as VIPRE Email Security following its acquisition by Ziff Davis, formerly J2Global (NASDAQ: ZD) in 2013.
Craig is a passionate security innovator with over 20 years of experience helping organizations to stay secure with cutting-edge information security and cybersecurity solutions.
Using his extensive experience in the email security industry, he founded Expert Insights with the singular goal of helping IT professionals and CISOs to cut through the noise and find the right cybersecurity solutions they need to protect their organizations.