Why We Ship Post-Quantum on the Free Tier: A Pricing Manifesto

Post-quantum cryptography protects against harvest-now-decrypt-later. That threat hits free-tier users too. Why QuickZTNA refuses to paywall quantum safety.

By QuickZTNA Founders · Company

TL;DR

Harvest-now-decrypt-later is a threat model that applies equally to a bootstrapped startup’s sensitive data and to an enterprise’s. Adversaries capturing traffic today do not distinguish between tiers. Gating post-quantum tunnel encryption behind a paid plan says that quantum-safe confidentiality is a premium feature. We disagree, and we built QuickZTNA to ship hybrid X25519 + ML-KEM-768 on every tunnel on every plan — including the Free tier that covers 100 devices and 3 users. The math works because the marginal cost is near zero. The philosophy works because “security-on-the-paid-tier” is a broken product category. This post explains both, and is our public commitment that hybrid post-quantum stays on Free in perpetuity.

Who this is for

Readers who have noticed that most vendors gate post-quantum behind premium tiers. Security professionals deciding whether a vendor’s free tier is meaningful or stripped of the features that matter. Engineering leads evaluating QuickZTNA and wondering if the post-quantum claim is real on the tier they plan to use. Founders thinking about how to position their own products.

Table of contents

  1. The threat is tier-agnostic
  2. The cost is tier-agnostic too
  3. Why this is not “loss-leader marketing”
  4. What security-on-the-paid-tier looks like, and why it is broken
  5. How the Free tier supports the business
  6. The public commitment
  7. What the Free tier actually includes
  8. Where paid tiers add value
  9. The contrarian argument we have heard
  10. How to evaluate whether a vendor’s free tier is meaningful

1. The threat is tier-agnostic

Post-quantum cryptography defends against harvest-now-decrypt-later. An adversary captures encrypted traffic today, stores it, and decrypts it once a cryptographically relevant quantum computer exists.

The adversary does not know whether your traffic came from a Free-tier tunnel or an Enterprise-tier tunnel. They do not care. The capture and the future decryption are the same operations regardless of who is paying the VPN vendor.

Consequently: any product tier that does not ship post-quantum is shipping weaker-than-possible confidentiality. If a vendor’s Free tier is classical-only and their Premium tier is hybrid PQ, they are saying: “free-tier users are okay with worse confidentiality”. That is an uncomfortable position to be in.

For a small startup with two founders and a product idea, the threat is real. The idea might become valuable. Competitors or nation-state actors with an interest in early information (patents, trade secrets, business plans) capture traffic the same way whether the founders are on a free tier or not. The idea’s confidentiality horizon is decades.

For a homelab user, the threat is smaller but not zero. Home routers, personal servers, and family communications over a VPN are protected by whatever crypto the VPN uses. Classical crypto is vulnerable to the same future decryption. A VPN that only offers PQ to paying customers is saying “your family’s privacy is worth less”.

Neither position is defensible.

2. The cost is tier-agnostic too

The second argument for post-quantum on Free is purely mathematical: the cost of delivering it is approximately zero.

2.1 CPU cost

ML-KEM-768 key generation, encapsulation and decapsulation each complete in well under a millisecond on a modern commodity server. At a handshake rate of thousands per second, the aggregate CPU cost is a low single-digit percentage of what is spent on other handshake work. Our actual measured load: ML-KEM operations are a rounding error on our coordination-server CPU utilisation.

2.2 Bandwidth cost

A hybrid handshake adds approximately 2,272 bytes per handshake versus a classical one. For a tunnel that rekeys every 120 seconds, this is roughly 16 KB per hour per tunnel. At 100,000 active tunnels, aggregate incremental bandwidth is 1.6 GB per hour. On modern infrastructure this is a negligible cost.

2.3 Engineering cost

Initial engineering to implement hybrid PQ was significant — reading FIPS 203, integrating Go’s crypto/mlkem, building the PSK derivation, adding dashboard visibility, writing the docs. Ongoing cost is the same as maintaining any other crypto component: monitor upstream library releases, patch on CVE, update on standard revisions.

None of these costs scale with tier. The same code runs the Free tier and the Enterprise tier. Splitting them would cost engineering time for no benefit.
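Sections 2.1 to 2.3 cost out a hybrid handshake without showing one. The following is an added example, not QuickZTNA's code: a two-message hybrid X25519 + ML-KEM-768 exchange built only from Go's standard library (crypto/ecdh, crypto/mlkem and crypto/hkdf, all available from Go 1.24). The message structs, the HKDF label and the way the two secrets are combined are assumptions of this example, not QuickZTNA's wire format or PSK derivation. It shows where the 2,272-byte figure comes from (the 1,184-byte ML-KEM-768 encapsulation key plus the 1,088-byte ciphertext) and why malformed peer input has to be rejected rather than panicked on.

```go
// Added example, not QuickZTNA's code: a two-message hybrid X25519 + ML-KEM-768 exchange
// built only from Go's standard library (Go 1.24+). The message layout and HKDF label
// are this example's assumptions, not QuickZTNA's wire format or PSK derivation.
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Wire messages; the ML-KEM fields (1184-byte encapsulation key, 1088-byte ciphertext) are the PQ overhead.
type InitiatorHello struct{ X25519Pub, MLKEMEK []byte }
type ResponderHello struct{ X25519Pub, MLKEMCT []byte }

// Initiator keeps its ephemeral private keys until the reply arrives.
type Initiator struct {
	xPriv *ecdh.PrivateKey
	dk    *mlkem.DecapsulationKey768
}

// must is only for local key generation (a failing CSPRNG is fatal); peer input gets error returns.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewInitiator generates both ephemeral key pairs and builds the first message.
func NewInitiator() (*Initiator, InitiatorHello) {
	xk := must(ecdh.X25519().GenerateKey(rand.Reader))
	dk := must(mlkem.GenerateKey768())
	return &Initiator{xk, dk}, InitiatorHello{xk.PublicKey().Bytes(), dk.EncapsulationKey().Bytes()}
}

// Respond validates the initiator's keys, runs one X25519 agreement and one ML-KEM
// encapsulation, and derives the tunnel key from both shared secrets.
func Respond(hello InitiatorHello) (ResponderHello, []byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(hello.X25519Pub)
	if err != nil {
		return ResponderHello{}, nil, err
	}
	ek, err := mlkem.NewEncapsulationKey768(hello.MLKEMEK)
	if err != nil {
		return ResponderHello{}, nil, err
	}
	xk := must(ecdh.X25519().GenerateKey(rand.Reader))
	xss, err := xk.ECDH(peer)
	if err != nil {
		return ResponderHello{}, nil, err
	}
	mss, ct := ek.Encapsulate()
	key, err := combine(xss, mss)
	return ResponderHello{xk.PublicKey().Bytes(), ct}, key, err
}

// Finish completes the initiator side: X25519 agreement plus ML-KEM decapsulation.
func (i *Initiator) Finish(reply ResponderHello) ([]byte, error) {
	peer, err := ecdh.X25519().NewPublicKey(reply.X25519Pub)
	if err != nil {
		return nil, err
	}
	xss, err := i.xPriv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	mss, err := i.dk.Decapsulate(reply.MLKEMCT)
	if err != nil {
		return nil, err
	}
	return combine(xss, mss)
}

// combine feeds both secrets into HKDF-SHA256, so recovering the tunnel key
// requires breaking both X25519 and ML-KEM-768. The label is an assumed constant.
func combine(xss, mss []byte) ([]byte, error) {
	ikm := append(append([]byte{}, xss...), mss...)
	return hkdf.Key(sha256.New, ikm, nil, "example-hybrid-x25519-mlkem768", 32)
}

// RunHandshake does one full exchange: agree reports whether both sides derived
// the same key; overhead is the byte count beyond a classical X25519-only handshake.
func RunHandshake() (agree bool, overhead int, err error) {
	ini, hello := NewInitiator()
	reply, respKey, err := Respond(hello)
	if err != nil {
		return false, 0, err
	}
	initKey, err := ini.Finish(reply)
	if err != nil {
		return false, 0, err
	}
	return bytes.Equal(initKey, respKey), len(hello.MLKEMEK) + len(reply.MLKEMCT), nil
}

func main() {
	agree, overhead, err := RunHandshake()
	fmt.Printf("keys agree=%v pq_overhead_bytes=%d err=%v\n", agree, overhead, err)
}
```

The overhead reported by RunHandshake is mlkem.EncapsulationKeySize768 plus mlkem.CiphertextSize768, the same 2,272 bytes quoted in section 2.2. Two properties are worth checking on any hybrid implementation: a truncated or corrupted encapsulation key must be rejected before any secret is derived, and a tampered ciphertext must yield a different key on the initiator side (ML-KEM's implicit rejection returns a pseudorandom key rather than an error, so the mismatch only shows up when the tunnel fails to authenticate).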

2.4 Infrastructure cost

DERP relays, coordination plane, audit log retention — these scale with overall usage, not with whether tunnels are hybrid or classical. A Free-tier tunnel consuming DERP bandwidth is the same cost whether it is hybrid PQ or classical.

2.5 Sum

At the scale of our Free tier (100 devices, 3 users per account), the marginal cost of shipping hybrid PQ per account is measured in dollars per year of infrastructure, dominated by other costs (storage, bandwidth, control plane). Putting PQ behind a paywall would be charging for something that costs us essentially nothing to deliver.

3. Why this is not “loss-leader marketing”

A loss leader is a product sold below cost to attract customers who then buy more profitable products. Hybrid PQ on our Free tier is not a loss leader because it does not cost us meaningfully more than a classical-only handshake would.

What it is: a product decision consistent with the principle that security-relevant features should not be paywalled.

If we priced the Free tier at zero specifically to capture market share and then raised prices, the PQ decision would be cynical. Our Free tier has real limits (100 devices, 3 users) that define its sustainable place in the product line. Teams that grow past those limits upgrade; teams that do not, do not. We are not losing money on the Free tier in the sense that requires subsidy from the paid tiers.

4. What security-on-the-paid-tier looks like, and why it is broken

A pattern we see in vendor pricing pages across security-adjacent categories:

  • Free tier: basic encryption, shared across all users.
  • Starter tier: stronger encryption, specific attestations, MFA on more users.
  • Business tier: advanced security features (SSO, FIDO2, compliance reports).
  • Enterprise tier: the crypto you actually want — FIPS-validated modules, post-quantum, HSMs, compliance with every regime.

The implicit logic: security improves as you pay more. The explicit logic: security costs more to deliver so it must be paid for.

Neither is uniformly true. Some security features genuinely cost more (session recording at scale, global compliance attestations, 24×7 incident response SLAs). Others cost the same across tiers (encryption algorithm choice, MFA enforcement).

Gating the latter creates a class structure where “you get real security if you pay us more”. For features that cost the same to deliver, this is rent extraction, not value delivery.

The cleaner model: tier on features that actually cost more (support SLAs, advanced attestations, customisation, session recording at scale). Bundle on the Free tier the features that define whether the product is what it claims to be.

5. How the Free tier supports the business

We need a business. The Free tier is part of it, not a charity.

5.1 Funnel

Most users evaluate products before buying them. A meaningful Free tier lets engineers try QuickZTNA without procurement approvals. If they like it and their team grows past 100 devices or 3 users, they upgrade. Without a Free tier, the evaluation path is a sales call.

5.2 Credibility

“We ship PQ on every tier” is a credibility claim. A vendor that only ships its best crypto to paying customers has a credibility problem with engineers, who notice this pattern and interpret it correctly.

5.3 Category signal

Putting hybrid PQ on Free signals that we think hybrid PQ is the baseline, not a premium. That signal matters for the industry conversation. Every competitor that charges more for PQ has to explain why their Enterprise tier is the floor.

5.4 Homelab and student users

A meaningful share of our Free-tier base is homelab operators, students, and individual developers. They are not going to convert to Business tier — they are not supposed to. Their role is advocacy, feedback, and ecosystem contribution. Treating them well is an investment, not a cost.

6. The public commitment

As of April 2026, we publicly commit:

  1. Hybrid X25519 + ML-KEM-768 will be the default on every tunnel, on every tier, including Free, in perpetuity.
  2. We will not introduce a “PQ opt-in” or “PQ premium” that would make Free classical-only.
  3. If we ever need to change this commitment due to business reality, we will announce at least 12 months in advance with a migration path, and we will explain the reason publicly.
  4. The PQ configuration on Free is identical to the PQ configuration on Business and Workforce — same algorithm, same parameter set, same rotation cadence, same audit visibility.

This commitment is hosted at this URL. It is not in our terms of service — TOS terms can change unilaterally. It is here in the blog, with our names on the byline, indexable by search engines and citable by our users.

7. What the Free tier actually includes

Current Free tier (confirm on /pricing for any updates):

  • 100 devices per organisation.
  • 3 users per organisation.
  • Hybrid X25519 + ML-KEM-768 on every tunnel.
  • ACL policies (attribute-based).
  • Device posture enforcement.
  • SSO with FIDO2/WebAuthn.
  • TOTP and WebAuthn MFA.
  • DNS filtering.
  • 4 global DERP relays for NAT fallback.
  • Community support.

What is not on Free: session recording (Business tier feature because of storage cost), advanced workforce analytics (Business/Workforce), SLA-backed support (Business/Workforce), self-host option (Workforce only), BAA (Business/Workforce).

The split is along lines of “what does this feature actually cost us to deliver”. Post-quantum does not meet that threshold.

8. Where paid tiers add value

Business tier ($10/user/month, unlimited machines, 60-day trial):

  • Session recording and playback.
  • Workforce analytics (with user consent dialog on each device).
  • Priority email support with SLA.
  • Compliance reports (SOC 2, HIPAA, ISO, etc.).
  • SCIM provisioning.
  • SIEM export.
  • BAA on request.

Workforce tier (custom pricing):

  • Self-host option.
  • Custom SLAs.
  • Dedicated support.
  • EU or US infrastructure regions as required.
  • Custom compliance attestations.
  • Integration with specific EHR / enterprise systems.

The progression is “more features + more support + higher SLA” — not “better crypto”.

9. The contrarian argument we have heard

“But if Free-tier users get the good crypto, what is the incentive to upgrade?”

Two answers.

First: the Free tier is limited to 100 devices and 3 users. A growing team outgrows those limits. Crypto is not the upgrade driver; scale is. This is the right upgrade signal.

Second: the argument assumes users upgrade to get features they could not otherwise access. In our model, users upgrade when they need features that genuinely cost more (session recording, SCIM, enterprise support). That model is more honest and we think it is more sustainable.

“But competitors who charge for PQ will eat your lunch by having a bigger sales team.”

Maybe. We accept the risk. A vendor that wins by selling the same crypto at higher prices is not winning on product; they are winning on sales ops. We would rather compete on product.

10. How to evaluate whether a vendor’s free tier is meaningful

Five questions to ask of any vendor whose free tier you are evaluating.

  1. Is the encryption identical on Free and paid? If not, the free tier is a feature-gated demo.
  2. Is MFA available on Free? No-MFA free tiers are security theatre.
  3. Are audit logs exportable from Free? If not, you cannot move to a paid tier without losing history.
  4. Are the limits reasonable for the stated use case? 10 devices for a team-collaboration tool is not meaningful.
  5. Are you certain the free tier will remain free? Is there a public commitment, or could the vendor pull the rug on three months’ notice?

Free tiers are a spectrum. The best ones are full-featured with scale limits. The worst ones are stripped-down demos dressed up as free products. Evaluate accordingly.

Try QuickZTNA

The fastest verification of the commitment above is five minutes: sign up for Free, add two devices, run ztna status -v. You will see kex=hybrid-x25519-mlkem768 on every established tunnel. Same as the paid tiers. Our whole argument is that this is the right default, and that defaults should not be paywalled.

Frequently asked questions

Isn’t post-quantum crypto expensive to run?

No. The incremental cost of hybrid X25519 + ML-KEM-768 per tunnel is a few hundred microseconds of CPU and roughly 2 KB of extra handshake traffic. On a production scale of millions of tunnels, the cost is negligible relative to the infrastructure we would run anyway. Putting it behind a paywall would be paywalling a feature that costs us nothing to deliver.

Is the Free tier sustainable if it includes your most advanced feature?

Yes, because the Free tier has real other limits — 100 devices, 3 users. Small teams that grow past those limits upgrade; larger teams buy from day one. The Free tier is a funnel, not a revenue line. Its job is to let small users and evaluators see the actual product without gating the one feature that defines our category stance.

Do competitors offer post-quantum on their free tiers?

As of April 2026, not universally. Most competitors either do not offer post-quantum at all, offer it as an opt-in on paid tiers, or have announced roadmap items. The landscape is moving — check specific vendor documentation. Our commitment is that hybrid PQ stays on every tier, including Free, in perpetuity.

What is the catch?

The Free tier is capped at 100 devices and 3 users. For many small teams and all homelabs, these caps are generous enough to run indefinitely. For teams that grow past them, Business tier adds unlimited machines and per-user pricing. The post-quantum configuration is identical across tiers — we do not ‘PQ-lite’ on Free.

Is this marketing or sincere?

Both. We believe PQ on the Free tier is the right product decision. It is also a marketing differentiator. The two are not contradictory. The test of sincerity is whether we would reverse the decision under pressure — we have publicly committed that hybrid PQ stays on every tier in perpetuity, and this manifesto is the public commitment.

What happens when you raise venture capital and investors want revenue growth?

Every commercial decision, including pricing, is subject to business reality. What we can commit to: the technical capability (hybrid PQ per tunnel) will not be removed from the Free tier. The Free tier’s other limits (device count, user count) may change over time based on the market. If we ever need to change the PQ commitment, we will announce it with at least 12 months’ notice and a migration path.
#pricing #manifesto #post-quantum #free-tier #philosophy