Modern, Open Source, Self-Hosted Alternative to Tailscale for Teams and Workloads

Everything you need, in one platform.

A Unified Zero Trust Access Platform

A Unified Zero Trust Access Platform that can operate as a scalable remote access VPN, a comprehensive ZTNA/BeyondCorp platform, an API/AI/MCP gateway, an ngrok alternative, and a PaaS-like platform for secure as well as anonymous access.

A Unified Architecture for Client-based and Clientless Access

A unified, scalable architecture on top of Kubernetes that provides zero-config client-based access over WireGuard/QUIC with centralized private DNS, as well as public clientless BeyondCorp access and even anonymous access.

Secretless Access to APIs, SSH and Databases

Provide dynamic secretless access to HTTP-based resources without sharing API keys and access tokens, to PostgreSQL and MySQL databases without sharing passwords, to SSH servers without managing keys and certificates, and to Kubernetes clusters without sharing kubeconfigs.

A Platform for Deployment, not just Access

A PaaS-like platform to effortlessly deploy, scale and secure access to containerized applications of any kind.

Application-layer Aware Access Control

Access control at the application layer (L7) (e.g. HTTP paths and methods, Kubernetes namespaces and verbs, PostgreSQL queries) using identity-aware proxies (IAPs) and context-aware policy-as-code via CEL and OPA.

Secretless Access to your SaaS, not just Internal Resources

Seamlessly provide secure secretless access for humans and workloads to your SaaS APIs without sharing API keys, access tokens or OAuth2 credentials, as well as to public SaaS PostgreSQL- and MySQL-based databases without sharing passwords.

Built for Scalability and Availability

A scalable platform built on top of Kubernetes for automatic horizontal scalability and availability.

Centralized, Declarative and Programmable Management

Designed to be administered like Kubernetes, in a DevOps/GitOps-friendly, centralized and declarative way. The Cluster is furthermore fully programmable over gRPC.

Integrate your OIDC/SAML SSO Providers

Seamlessly integrate any OpenID Connect or SAML 2.0 SSO provider as well as GitHub OAuth2. Enforce strong MFA via FIDO2 phishing-resistant authenticators in access control for sensitive resources.

OpenTelemetry-native Real-time Visibility

OpenTelemetry-ready, Layer-7-aware, real-time visibility and auditing to your log management and SIEM providers.

Eliminate VPN Problems

Eliminate traditional VPN problems: use a single stable route instead of injecting countless routes into your users' clients. Effortless dual-stack networking regardless of upstream support. Seamless, unified, automatic private DNS.

Dynamic, Native MFA and Login with FIDO2 Passkey, TPM 2.0 and TOTP

Dynamically apply native FIDO2 passkey/WebAuthn, time-based one-time password (TOTP) and TPM 2.0 authentication. Enforce the use of attested hardware-based FIDO2 authenticators in your access control decisions.

Get started

Deploy Octelium on your own infrastructure in minutes.

Free and open source. Self-hosted. No vendor lock-in.

Comparison: Octelium vs. Tailscale

Columns: Capability; Octelium (Base): Unified Access Platform; Tailscale: Mesh VPN / Overlay

Architecture

Architecture
  Octelium: Kubernetes-native identity-aware proxy/gateway architecture with separated PEP/PDP planes, client-based WireGuard/QUIC access, clientless BeyondCorp access, declarative resources, and self-hosted control/data planes.
  Tailscale: Decentralized WireGuard P2P mesh with SaaS coordination/control plane for identity, keys, ACLs, posture, and policy. Data path is usually peer-to-peer, with relay/DERP fallback.

Authentication

OpenID Connect
  Octelium: Yes
  Tailscale: Via IdP

SAML 2.0
  Octelium: Yes
  Tailscale: Via IdP / plan-dependent

GitHub OAuth2
  Octelium: Yes
  Tailscale: Via IdP / login options

Native FIDO2 / Passkey
  (Native means implemented by the platform itself, not merely delegated to an external IdP.)
  Octelium: Native. Includes passkey/WebAuthn-style flows and hardware-backed attestation patterns.
  Tailscale: No. Delegates MFA to IdP rather than native gateway MFA.

Native TOTP
  Octelium: Yes
  Tailscale: No

TPM / Device Trust
  Octelium: Native / hardware-backed
  Tailscale: No

Workload Identity
  Octelium: OIDC assertions / workload identity
  Tailscale: Federated workload identity

AI Agent Auth
  Octelium: OAuth2 / bearer / workload identity
  Tailscale: Aperture / tagged devices / workload identity. AI gateway support is newer/beta-oriented.

Anonymous / Public Access
  Octelium: Yes
  Tailscale: Partial

SCIM Provisioning
  (Automated user/group lifecycle provisioning via SCIM, beyond just login-time IdP federation.)
  Octelium: SCIM 2.0 compliant
  Tailscale: SCIM / IdP user & group sync

Authorization & Policy

Policy Model
  Octelium: ABAC with CEL and OPA-oriented policy patterns.
  Tailscale: ACL/HuJSON policy, grants, tags, and network-level/Layer-3 identity controls.

Policy-as-Code
  Octelium: CEL + OPA
  Tailscale: Limited ACLs over HuJSON

Per-Request Authz
  (For L7 products, this means each HTTP/gRPC/API/K8s request can be evaluated. For overlays, session/connection policy is not counted as per-request. This modeling choice structurally favors L7 gateways over network overlays.)
  Octelium: Yes
  Tailscale: No. Mesh policy is connection/network-oriented, not L7 per-request authorization.

L7-Aware Policies
  Octelium: HTTP, gRPC, K8s, DB, SSH, mTLS-related context
  Tailscale: No

Zero Standing Privilege / JIT
  (Indicates strong architectural support for minimizing standing privilege; not an absolute claim that privileged access cannot exist.)
  Octelium: Strong. Designed to minimize static privilege through identity/policy-scoped access.
  Tailscale: Partial

Access Requests / Approvals
  (First-class request-and-approve / break-glass workflows (reviewers, time-bound grants), as opposed to static policy alone.)
  Octelium: Policy-scoped. Access is policy/identity-scoped and can be time-bound; no first-class ticketed request-and-approve workflow in this dataset.
  Tailscale: Tailnet lock / approvals. Device approval and tailnet lock exist; not a PAM-style ticketed request workflow.

Device Posture
  Octelium: TPM/FIDO2/device attributes
  Tailscale: Yes

External Signal Integration
  Octelium: Yes
  Tailscale: Partial

NIST ZTA Alignment

All data/services as resources
  Octelium: Yes
  Tailscale: Partial

Secure communication regardless of network
  Octelium: WireGuard/QUIC and public HTTPS
  Tailscale: WireGuard

Per-session / per-request access
  Octelium: Per-request for L7; per-session/connection for tunnels
  Tailscale: Per-connection / service-level

Dynamic policy using multiple signals
  Octelium: Yes
  Tailscale: Partial

Continuous monitoring / verification
  Octelium: OpenTelemetry-native visibility
  Tailscale: Partial

No implicit trust zone
  Octelium: Identity/policy-mediated
  Tailscale: Partial

Assume breach / least privilege
  Octelium: Yes
  Tailscale: Partial

L7 Protocol Awareness & Secretless Access

HTTP / HTTPS
  Octelium: L7-aware + secretless credential injection
  Tailscale: Connects traffic; not an L7-aware gateway

gRPC
  Octelium: Native L7 mode
  Tailscale: Transport only

SSH
  Octelium: Secretless / embedded SSH patterns
  Tailscale: Tailscale SSH

PostgreSQL
  Octelium: Secretless + query-aware policy/logging
  Tailscale: Transport only

MySQL
  Octelium: Secretless + query-aware policy/logging
  Tailscale: Transport only

Kubernetes
  Octelium: Secretless + verb/resource/namespace policy
  Tailscale: No

RDP
  Octelium: TCP passthrough
  Tailscale: Transport only

DNS
  Octelium: Native private DNS mode
  Tailscale: MagicDNS / DNS features

mTLS / cert injection
  Octelium: Secretless mTLS / cert injection
  Tailscale: No

Raw TCP / UDP
  Octelium: TCP and UDP
  Tailscale: WireGuard IP connectivity

HTTP Manipulation
  Octelium: With native plugins including Lua, Envoy ExtProc, JSON schema validation, cache, rate limits
  Tailscale: No

Transport & Networking

WireGuard Data Plane
  (Whether the product's own client/data plane is built on WireGuard, versus a proprietary or TLS-based transport.)
  Octelium: Kernel / userspace. WireGuard via kernel module, TUN, or unprivileged userspace (wireguard-go) implementations.
  Tailscale: Built on WireGuard

QUIC Transport
  (Product-native QUIC transport/tunneling. Experimental or internal-only QUIC is marked partial.)
  Octelium: Full QUIC-based tunneling mode
  Tailscale: No

IPv6 Support
  Octelium: Dual-stack. Defaults to IPv6, with selectable IPv4-only or dual-stack cluster network ranges.
  Tailscale: IPv6 / MagicDNS

Embedded SSH
  (Platform provides its own SSH server/CA or SSH implementation, rather than only tunneling an external sshd.)
  Octelium: Secretless embedded SSH
  Tailscale: Tailscale SSH

NAT Traversal
  Octelium: Via Gateways. Reaches resources behind NAT through Cluster Gateways; client-to-Gateway path rather than a direct P2P mesh.
  Tailscale: Core. Direct P2P with NAT traversal; DERP relay fallback.

Visibility, Auditing & Observability

OpenTelemetry-Native
  Octelium: OTLP-native. More precise than saying "only product with OpenTelemetry".
  Tailscale: No

L7-Aware Access Logs
  Octelium: HTTP/gRPC/K8s/DB/SSH identity-aware logs
  Tailscale: No

SSH Session Recording
  Octelium: Yes
  Tailscale: No

SIEM Integration
  Octelium: Via OTLP / OTel Collector
  Tailscale: Log streaming integrations

Real-Time Streaming
  Octelium: Yes
  Tailscale: Partial

Identity in Logs
  Octelium: Yes
  Tailscale: Partial

Access Methods

Client-Based VPN / Overlay
  Octelium: WireGuard / QUIC
  Tailscale: WireGuard

Clientless Browser Access
  Octelium: Yes
  Tailscale: Funnel/Serve and web exposure patterns, not general BeyondCorp

Workload OAuth2 / Bearer
  Octelium: Yes
  Tailscale: No

CLI / SDK Access
  Octelium: CLI + gRPC API
  Tailscale: tailscale CLI / API

Private DNS
  Octelium: Yes
  Tailscale: MagicDNS

Dynamic Configuration

Dynamic Upstream Routing
  Octelium: Yes
  Tailscale: No

Dynamic Credential Selection
  Octelium: Yes
  Tailscale: No

Secrets Backend Integration
  (Integration with external secret stores / KMS (e.g. Vault, cloud KMS) or native secretless credential handling.)
  Octelium: Secretless injection. Native secretless credential injection; credentials managed as Cluster resources.
  Tailscale: No

GitOps / Declarative Config
  Octelium: Kubernetes-like resources / YAML
  Tailscale: No

Programmable API
  Octelium: gRPC
  Tailscale: Yes

SaaS / Public Cloud API Access

Secretless SaaS API Access
  Octelium: Yes
  Tailscale: Aperture for LLM APIs; not a generic SaaS API gateway

AWS API Access
  Octelium: Via HTTP/API credential injection pattern
  Tailscale: No

GCP / Azure API Access
  Octelium: Via the same API gateway pattern
  Tailscale: No

Generic SaaS API Access
  Octelium: Any HTTP API with supported auth injection
  Tailscale: No

AI / MCP / Agent Compatibility

AI / LLM Gateway
  Octelium: Yes
  Tailscale: Aperture beta

MCP Gateway / MCP Access
  Octelium: MCP-oriented gateway/access patterns
  Tailscale: No

A2A / Agent-to-Agent Architecture
  Octelium: Identity-aware service/agent access
  Tailscale: Identity-based tailnet connectivity for agents

Agent Identity
  Octelium: Workload OIDC / OAuth2 client credentials
  Tailscale: Partial

Deploy Containers / PaaS
  Octelium: Yes
  Tailscale: No

Gateway Capabilities

API Gateway
  Octelium: Rate limit, cache, schema validation, Lua, ExtProc
  Tailscale: No

Kubernetes Ingress / Gateway
  Octelium: Yes
  Tailscale: No

Reverse Proxy / Tunneling
  Octelium: Yes
  Tailscale: Serve/Funnel/tunnels, limited compared with gateway products

Scalability & Cloud-Nativeness

Kubernetes-Native
  Octelium: Built on Kubernetes
  Tailscale: No

Auto Horizontal Scaling
  Octelium: PEP/PDP can scale independently
  Tailscale: SaaS control plane

Separated PEP / PDP
  Octelium: Yes
  Tailscale: No

High Availability
  Octelium: K8s-native HA model
  Tailscale: SaaS coordination + DERP infrastructure

Openness & Self-Hosting

Fully Self-Hosted
  Octelium: Yes
  Tailscale: No official self-hosted coordination server; Headscale is a community alternative

Server Code Open Source
  Octelium: Yes
  Tailscale: Client open source; official control plane proprietary

No Mandatory Proprietary Cloud
  Octelium: Yes
  Tailscale: No. Official product depends on Tailscale SaaS coordination.

Data Sovereignty
  Octelium: Yes
  Tailscale: Traffic can be P2P; metadata/control plane remains SaaS in official product
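The comparison above draws a line between two authorization models: an overlay's network-level ACL, decided once when a connection is admitted, and an identity-aware proxy's policy, decided for every L7 request and able to inject an upstream credential the caller never holds. The following Python is an added illustration of that distinction and of secretless credential injection; it is not Octelium's or Tailscale's code. The `Rule` shape, the identities (`tag:ci`, `group:dev`), the upstream host and the secret value are all constructed for the example, and `iap_forward` stands in for what a real IAP does at the point of proxying.

```python
"""Added example: connection-level L3 ACL vs. per-request L7 identity-aware proxy
with secretless credential injection. All identities, hosts, rules and secrets
are constructed for illustration; nothing here is a vendor API."""
from dataclasses import dataclass, field
import fnmatch


# --- Overlay-style L3 ACL: evaluated once, when the connection is admitted -----
@dataclass(frozen=True)
class Connection:
    src_identity: str   # e.g. a device/user tag in an overlay network
    dst_host: str
    dst_port: int


# Constructed ACL: (source identity, destination host, destination port)
L3_ACL = {
    ("tag:ci", "api.internal", 443),
    ("group:dev", "api.internal", 443),
}


def l3_allow(conn: Connection) -> bool:
    """Network-level decision. Once a connection is admitted, every HTTP
    request carried inside it looks the same to the overlay."""
    return (conn.src_identity, conn.dst_host, conn.dst_port) in L3_ACL


# --- L7 identity-aware proxy: evaluated per request, with L7 context ----------
@dataclass
class Request:
    identity: str                 # caller identity established by the IAP's own authn
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    identity: str                 # identity or tag this rule applies to
    methods: frozenset            # HTTP methods permitted
    path_glob: str                # glob over the request path


# Constructed ABAC-style policy: CI may only read build status; devs may read/write /v1.
L7_POLICY = [
    Rule("tag:ci", frozenset({"GET"}), "/v1/builds/*"),
    Rule("group:dev", frozenset({"GET", "POST"}), "/v1/*"),
]


def l7_decide(req: Request) -> bool:
    """Per-request decision using identity, method and path."""
    return any(
        r.identity == req.identity
        and req.method in r.methods
        and fnmatch.fnmatchcase(req.path, r.path_glob)
        for r in L7_POLICY
    )


# The upstream credential exists only on the gateway side (constructed value).
UPSTREAM_SECRETS = {"api.internal": "sk_constructed_upstream_key"}


def iap_forward(req: Request, upstream: str) -> tuple:
    """Authorize the request; on allow, drop the caller's own token and inject
    the gateway-held upstream credential (secretless access). Returns
    (status, headers that would be sent upstream)."""
    if not l7_decide(req):
        return 403, {}
    out = {k: v for k, v in req.headers.items() if k.lower() != "authorization"}
    out["Authorization"] = "Bearer " + UPSTREAM_SECRETS[upstream]
    out["X-Forwarded-Identity"] = req.identity   # identity survives into upstream logs
    return 200, out


def audit_record(req: Request, status: int) -> dict:
    """Identity-aware L7 access log entry, the kind an OTLP exporter would ship."""
    return {"identity": req.identity, "method": req.method,
            "path": req.path, "decision": "allow" if status == 200 else "deny"}


if __name__ == "__main__":
    conn = Connection("tag:ci", "api.internal", 443)
    print("L3 admits tag:ci ->", l3_allow(conn))
    for r in (Request("tag:ci", "GET", "/v1/builds/42", {"Authorization": "Bearer ci-token"}),
              Request("tag:ci", "DELETE", "/v1/admin", {"Authorization": "Bearer ci-token"})):
        status, hdrs = iap_forward(r, "api.internal")
        print(audit_record(r, status), hdrs)
```

The point the two functions make together: `l3_allow` admits the CI identity to `api.internal:443` and then has no further say, so a `DELETE /v1/admin` over that connection is invisible to it, whereas `l7_decide` rejects it while still allowing `GET /v1/builds/42`. On the allowed path the caller's own bearer token is stripped and only the gateway's upstream credential goes out, so a compromised caller holds nothing reusable against the upstream.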