The Remote Workforce Security OS.

WireGuard mesh ZTNA + ABAC. Workforce DLP, device posture, software inventory, user-risk scoring. AI Operator previews, applies, and reverts ACL + firewall + policy changes. Free forever for 100 devices.

curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=tskey-auth-xxx sh

acme.zt.net · fleet rollout ● 100 connected
$ ansible all -m shell -a "curl -fsSL .../install.sh | ZTNA_AUTH_KEY=$KEY sh"
→ 100 hosts · detecting OS/arch...
→ Downloading ztna v3.2.0 (linux-amd64, darwin-arm64, windows-amd64)
→ Installing service · starting daemon · ztna up
→ WireGuard keypair generated per host
→ Tailnet IPs allocated · MagicDNS registered · ABAC policies pushed
✓ 100/100 devices online in 1m 47s — ZTNA mesh formed
 
$ ztna status
laptop-prod-01 100.64.1.7 · tag:laptop · direct
db-primary 100.64.1.12 · tag:prod-server · 4.2ms
ci-runner-03 100.64.1.18 · tag:ci · 38ms direct
eu-edge-07 100.64.1.31 · tag:edge · derp-lon

Built on open standards · Verifiable crypto · No harvest-now-decrypt-later

ABAC + device posture
GDPR · DPA available
2 global DERP regions (BLR + FRA)
Razorpay · custom invoicing
Open-source Go client

The platform

One control plane. Every layer of access.

Mesh networking, identity, ZTNA policy, AI assistance, and workforce analytics — unified in a single agent.

AI Operator

Previews policy changes before they ship

Ask in natural language: "Block all 0.0.0.0/0 egress from contractors." The AI Operator generates the rule, shows you which machines + users it impacts, snapshots the current state, applies on confirm, and lets you revert with one click. Every step audit-logged.

  • Preview: impact before apply
  • Snapshot: auto, every change
  • 1-click: revert any change
  • Audited: 90-day log retention

NL-ACL · Policy Drift · Incident Response · JIT Recs

Mesh networking

WireGuard P2P with DERP fallback

Direct peer-to-peer tunnels wherever NAT allows. Two global DERP relays (Bangalore + Frankfurt) cover CGNAT and symmetric-NAT peers automatically.

AI policy

Natural-language ACLs

"Laptops can SSH to prod 9–6 IST." Done. Powered by Claude.

JIT access

Request · approve · auto-revoke.

ABAC policies

Rules keyed on user, tag, device posture, time of day, country, protocol, and port. Evaluated per connection.

MagicDNS & subnet routes

Every device reachable at <name>.<org>.zt.net. Advertise subnet routes · exit nodes.

Workforce analytics

Workforce analytics, software inventory, user-risk scoring, DLP, CASB, DEM, anomaly detection, remote desktop, remote shell — all from the same agent.

SSO + SCIM 2.0

Google, GitHub, OIDC, SAML. SCIM provisioning for Okta, Azure AD. TOTP MFA. Device-bound refresh tokens.

Secrets vault

AES-256-GCM encrypted secrets with rotation policies. Integrated with the agent — no second tool to deploy.

Terraform + API

57 REST endpoints. Full Terraform provider for machines, ACLs, DNS, users. GitOps your network state.

Setup

Two minutes, not two quarters.

No bastion hosts. No certificates to rotate. No firewall-change requests. No public IPs exposed. Bring your identity provider, run one command, ship.

01

Issue one auth key

In the dashboard, create a reusable auth key that covers every device you want to enrol. Set an expiry, optional tags, and that's it.

ztna auth-key create --reusable

02

Pipe the installer everywhere

One command on Linux, macOS, and Windows. Works from shell, Ansible, Intune, Jamf, cloud-init. Detects OS, installs service, auto-connects.

curl ... | ZTNA_AUTH_KEY=tskey-auth-xxx sh

03

You're on the mesh

Every device joins your tailnet over a WireGuard mesh tunnel. Reachable by MagicDNS name. ABAC policies + device posture enforced on every connection.

ssh prod-db.acme.zt.net

Zero-trust access for remote workforces. Free forever for 100 devices.

Built for the founder, the indie ops team, the YC batch, the Fortune 500 pilot. Upgrade to Business ($10 per user/mo — unlimited machines) or Workforce when you're ready — never before.

  • No credit card · no time limit
  • Self-serve SSO + SCIM
  • Free SSH on every tier

FAQ

Common questions about QuickZTNA

Short, factual answers — same content as our docs and blog, summarized.

What is QuickZTNA?
QuickZTNA is the Remote Workforce Security OS — a Zero Trust Network Access platform that connects laptops, servers, containers, and mobile devices into a single encrypted private mesh network. Every connection is authenticated against your identity provider, authorized against ABAC policies + continuous device posture, and encrypted by WireGuard. An AI Operator previews, applies, and reverts ACL + firewall + policy changes. Free for 100 devices and 3 users, forever.

How is QuickZTNA different from Tailscale?
Both are mesh VPN products built on WireGuard. Tailscale focuses on the mesh-VPN primitive; QuickZTNA ships a fuller workforce-security suite in-product: DLP (filesystem + clipboard + SSH text), CASB with approval workflow, workforce analytics, software inventory, user-risk scoring, continuous device posture, and an AI Operator that previews/applies/reverts ACL + firewall + policy changes. Tailscale has greater client ecosystem maturity; QuickZTNA has broader ZTNA + workforce-security depth and free-tier SSH.

Is QuickZTNA free for 100 devices, really forever?
Yes. The Free plan covers 100 devices and 3 users with no trial timer, no credit card requirement. WireGuard-encrypted mesh, MagicDNS, ABAC policies, device posture, DNS filtering, AI assistant, and remote shell (SSH) are all on the Free plan. The plan never expires; upgrade only when you need more users, unlimited devices, or features like SCIM provisioning, workforce analytics, DLP, CASB, or remote desktop.

How fast can I deploy QuickZTNA across my team?
Roughly two minutes per device for an interactive install, or seconds per device for fleet rollouts with pre-authentication keys. The install is one command (curl or PowerShell on desktop, App Store or Play Store on mobile). The client auto-registers with your organization and joins the mesh. For 100 devices via Ansible, Intune, or cloud-init, end-to-end fleet rollout is typically under 2 minutes.

Does QuickZTNA work behind NAT, CGNAT, and corporate firewalls?
Yes. The client only requires outbound HTTPS (TCP/443) to *.quickztna.com — no inbound ports, no firewall changes, no port forwarding. Peer-to-peer connections use UDP NAT traversal where possible; when UDP is blocked by symmetric NAT or strict firewalls, traffic transparently falls back to an encrypted TCP-over-HTTPS relay (DERP) in our two global regions (Bangalore + Frankfurt).

What identity providers does QuickZTNA integrate with?
Every major IdP that speaks OIDC or SAML 2.0: Google Workspace, Microsoft Entra (Azure AD), Okta, Authentik, GitHub, plus generic OIDC for any standards-compliant provider. SCIM 2.0 provisioning for proactive user lifecycle is included on Business and Workforce plans. Multiple IdPs can be active simultaneously for organizations that use different identity sources for employees vs contractors.

Is QuickZTNA SOC 2 compliant?
We offer a GDPR-aligned DPA and sign HIPAA Business Associate Agreements on the Business plan and above. SOC 2 Type II and ISO 27001 certifications are in progress with target completion in 2026.

Can QuickZTNA be self-hosted?
Yes, on the Workforce plan. The control plane runs as a small set of services on your infrastructure with documented requirements (Docker Compose with PostgreSQL, Valkey, and S3-compatible object storage). Client binaries are unchanged between managed and self-hosted deployments. Air-gapped deployments for regulated industries are supported; contact sales@quickztna.com.