Post-quantum ML-KEM-768 · live on every tunnel · FIPS 203

100 devices on an encrypted mesh in 2 minutes. Quantum-safe.

QuickZTNA replaces your VPN, SSO gateway, and secrets manager with a single post-quantum-encrypted agent. Issue one auth key, run one install command, and your entire workforce is on the tailnet. Free forever for 100 devices.

curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=tskey-auth-xxx sh

acme.zt.net · fleet rollout ● 100 connected
$ ansible all -m shell -a "curl -fsSL .../install.sh | ZTNA_AUTH_KEY=$KEY sh"
→ 100 hosts · detecting OS/arch...
→ Downloading ztna v3.2.0 (linux-amd64, darwin-arm64, windows-amd64)
→ Installing service · starting daemon · ztna up
→ ML-KEM-768 + X25519 hybrid keypair generated per host
→ Tailnet IPs allocated · MagicDNS registered
✓ 100/100 devices online in 1m 47s — quantum-safe
 
$ ztna status
laptop-prod-01 100.64.1.7 · tag:laptop · direct
db-primary 100.64.1.12 · tag:prod-server · 4.2ms
ci-runner-03 100.64.1.18 · tag:ci · 38ms direct
eu-edge-07 100.64.1.31 · tag:edge · derp-lon

Built on open standards · Verifiable crypto · No harvest-now-decrypt-later

SOC 2 Type II
NIST PQC FIPS 203
GDPR · DPA available
4 global DERP regions
Razorpay · custom invoicing
Open-source Go client

The platform

One control plane. Every layer of access.

Mesh networking, identity, ZTNA policy, AI assistance, and workforce analytics — unified in a single agent.

Post-Quantum by default

Hybrid ML-KEM-768 + X25519 on every tunnel

Every WireGuard peer-to-peer tunnel uses a NIST FIPS 203 key exchange. The PSK is derived via HKDF-SHA256 from both classical and post-quantum shared secrets — so stored traffic can't be decrypted even if X25519 breaks tomorrow.

  • < 2 min · 100-device fleet rollout
  • 0 ms · user-facing handshake overhead
  • FIPS 203 · ML-KEM-768 compliant
  • Hybrid · classical fallback per-peer
ML-KEM-768 X25519 ChaCha20-Poly1305 HKDF-SHA256
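
The PSK derivation described above, as an added example (not QuickZTNA's client code): a stdlib-only HKDF-SHA256 (RFC 5869) combines a classical and a post-quantum shared secret into one 32-byte WireGuard preshared key. The concatenation order, the empty salt, the info label, the function names and the sample secrets are assumptions; the page does not specify them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// hkdfSHA256 is RFC 5869 extract-then-expand over HMAC-SHA256.
func hkdfSHA256(salt, ikm, info []byte, length int) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha256.Size) // RFC 5869: absent salt = HashLen zero bytes
	}
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)

	var okm, prev []byte
	for ctr := byte(1); len(okm) < length; ctr++ {
		exp := hmac.New(sha256.New, prk)
		exp.Write(prev)
		exp.Write(info)
		exp.Write([]byte{ctr})
		prev = exp.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:length]
}

// HybridPSK derives a 32-byte WireGuard preshared key from both secrets.
// Assumptions: classical||post-quantum order, empty salt, this info label.
func HybridPSK(x25519Secret, mlkemSecret []byte) []byte {
	ikm := append(append([]byte{}, x25519Secret...), mlkemSecret...)
	return hkdfSHA256(nil, ikm, []byte("example hybrid wireguard psk v1"), 32)
}

func main() {
	// Constructed 32-byte stand-ins for the X25519 and ML-KEM-768 outputs.
	classical, pq := make([]byte, 32), make([]byte, 32)
	for i := range classical {
		classical[i], pq[i] = 0x11, 0x22
	}
	fmt.Printf("psk:              %x\n", HybridPSK(classical, pq))
	// An attacker who recovers only the classical secret still lacks the
	// ML-KEM-768 secret, so a guess for it yields an unrelated key.
	fmt.Printf("wrong pq secret:  %x\n", HybridPSK(classical, make([]byte, 32)))
}
```

Because both inputs feed the extract step, the output key changes if either secret changes, which is the property the hybrid construction relies on.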
Mesh networking

WireGuard P2P with DERP fallback

Direct peer-to-peer tunnels wherever NAT allows. Four global DERP relays (India, US East, Europe, US West) cover CGNAT and symmetric-NAT peers automatically.

AI policy

Natural-language ACLs

"Laptops can SSH to prod 9–6 IST." Done. Powered by Claude.

JIT access

Request · approve · auto-revoke.

ABAC policies

Rules keyed on user, tag, device posture, time of day, country, protocol, and port. Evaluated per connection.

MagicDNS & subnet routes

Every device reachable at <name>.<org>.zt.net. Advertise subnet routes · exit nodes · AWS / GCP / Azure firewall sync.

Workforce analytics

Session tracking, DEM, DLP, CASB, anomaly detection, session recording, remote desktop — all from the same agent.

SSO + SCIM 2.0

Google, GitHub, OIDC, SAML. SCIM provisioning for Okta, Azure AD. TOTP MFA. Device-bound refresh tokens.

Secrets vault

AES-256-GCM encrypted secrets with rotation policies. Integrated with the agent — no second tool to deploy.

Terraform + API

57 REST endpoints. Full Terraform provider for machines, ACLs, DNS, users. GitOps your network state.

Setup

Two minutes, not two quarters.

No bastion hosts. No certificates to rotate. No firewall-change requests. No public IPs exposed. Bring your identity provider, run one command, ship.

01

Issue one auth key

In the dashboard, create a reusable auth key that covers every device you want to enrol. Set an expiry, optional tags, and that's it.

ztna auth-key create --reusable

02

Pipe the installer everywhere

One command on Linux, macOS, and Windows. Works from shell, Ansible, Intune, Jamf, cloud-init. Detects OS, installs service, auto-connects.

curl ... | ZTNA_AUTH_KEY=tskey-auth-xxx sh

03

You're on the mesh

Every device joins your tailnet with a hybrid ML-KEM-768 + X25519 tunnel. Reachable by MagicDNS name, quantum-safe from day one.

ssh prod-db.acme.zt.net

Quantum-safe access. Free forever for 100 devices.

Built for the founder, the indie ops team, the YC batch, the Fortune 500 pilot. Upgrade to Business ($10 per user /mo — unlimited machines) or Workforce when you're ready — never before.

  • No credit card · no time limit
  • Self-serve SSO + SCIM
  • ML-KEM-768 on every tunnel

FAQ

Common questions about QuickZTNA

Short, factual answers — same content as our docs and blog, summarized.

What is QuickZTNA?
QuickZTNA is a Zero Trust Network Access platform with post-quantum cryptography on every tunnel. It connects laptops, servers, containers, and mobile devices into a single encrypted private mesh network. Every connection is authenticated against your identity provider, authorized against your access policy, and encrypted with hybrid X25519 + ML-KEM-768 (FIPS 203) key exchange. Free for 100 devices and 3 users, forever.
How is QuickZTNA different from Tailscale?
Both are mesh VPN products built on WireGuard. The core difference is cryptography: QuickZTNA uses hybrid post-quantum key exchange (X25519 + ML-KEM-768) on every tunnel by default, on every plan; Tailscale uses classical X25519 only as of May 2026. QuickZTNA also ships a fuller ZTNA feature set in-product (compliance reports, session recording, DLP, CASB, workforce analytics) where Tailscale focuses on the mesh-VPN primitive. Tailscale has greater client ecosystem maturity; QuickZTNA has post-quantum encryption and broader ZTNA depth.
Is QuickZTNA free for 100 devices, really forever?
Yes. The Free plan covers 100 devices and 3 users with no trial timer, no credit card requirement, and no encryption downgrade. Hybrid post-quantum key exchange is enabled on every tunnel on Free, identical to paid plans. The plan never expires; upgrade only when you need more users, unlimited devices, or features like SCIM provisioning, compliance reports, or session recording.
How fast can I deploy QuickZTNA across my team?
Roughly two minutes per device for an interactive install, or seconds per device for fleet rollouts with pre-authentication keys. The install is one command (curl or PowerShell on desktop, App Store or Play Store on mobile). The client auto-registers with your organization, negotiates a post-quantum tunnel, and joins the mesh. For 100 devices via Ansible, Intune, or cloud-init, end-to-end fleet rollout is typically under 2 minutes.
Does QuickZTNA work behind NAT, CGNAT, and corporate firewalls?
Yes. The client only requires outbound HTTPS (TCP/443) to *.quickztna.com — no inbound ports, no firewall changes, no port forwarding. Peer-to-peer connections use UDP NAT traversal where possible; when UDP is blocked by symmetric NAT or strict firewalls, traffic transparently falls back to an encrypted TCP-over-HTTPS relay in one of four global regions.
What identity providers does QuickZTNA integrate with?
Every major IdP that speaks OIDC or SAML 2.0: Google Workspace, Microsoft Entra (Azure AD), Okta, Authentik, GitHub, plus generic OIDC for any standards-compliant provider. SCIM 2.0 provisioning for proactive user lifecycle is included on Business and Workforce plans. Multiple IdPs can be active simultaneously for organizations that use different identity sources for employees vs contractors.
Is QuickZTNA SOC 2 compliant?
Yes. We hold a SOC 2 Type II report covering Security, Availability, and Confidentiality trust principles. The report is available under NDA via security@quickztna.com. We also conform to FIPS 203 for ML-KEM-768, offer a GDPR-aligned DPA, and sign HIPAA Business Associate Agreements on the Business plan and above. ISO 27001 certification is in progress with target completion in 2026 Q3.
Can QuickZTNA be self-hosted?
Yes, on the Workforce plan. The control plane runs as a small set of services on your infrastructure with documented requirements (Docker Compose with PostgreSQL, Valkey, and S3-compatible object storage). Client binaries are unchanged between managed and self-hosted deployments. Air-gapped deployments for regulated industries are supported; contact sales@quickztna.com.