What is Zero Trust Network Access?

Zero Trust Network Access (ZTNA) is a security model, and a product category, that grants access to private applications on a per-session, per-resource basis, after verifying who the user is, what device they are on, and whether the context of the request (location, time, risk signals) matches policy. It is the identity-aware replacement for the corporate VPN, and the practical front door of any real zero trust deployment.

Where the term came from

Gartner introduced the term "ZTNA" in 2019 to put a name to the category of products that had emerged from Google's BeyondCorp papers and the early Cloudflare Access, Zscaler Private Access (ZPA), and Akamai Enterprise Application Access offerings. The motivating problem was the same one BeyondCorp was solving inside Google: the traditional VPN model put users "on the network" with broad, lateral access, which was both operationally clumsy and a catastrophic compromise vector as soon as any single user's device was compromised. ZTNA narrows the grant from "the corporate network" to "this specific application, for this user, right now, on this device."

How a ZTNA request actually flows

There are two common shapes. In the agent-based model, the user's device runs a ZTNA client (Cloudflare WARP, Zscaler Client Connector; Tailscale fills the same role, though it is a WireGuard mesh with identity-based ACLs rather than a proxy). When the user tries to reach an internal app, the client routes the request to the ZTNA provider, which authenticates the user against the identity provider, checks the device's posture (OS version and patch level, disk encryption, a running EDR agent, a managed-device certificate), evaluates policy for that specific application, and either proxies the request to the application or denies it. In the agentless model, the user reaches a public URL fronted by an identity-aware proxy; the user authenticates in the browser, the proxy does the same policy evaluation, and no client is needed, at the cost of much weaker device-posture signals, since there is no agent to attest them. In both models the application typically has no inbound exposure at all: a connector inside the private network dials out to the provider, so the application is reached only through the proxy. Two things follow for the application itself: it must verify the signed identity assertion the proxy attaches to each request (including that the assertion was issued for this application and not another one), and it must not be reachable by any other path, or the gateway is decoration.
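The flow above, reduced to its two decision points, as an added example that is not code from the page or from any of the vendors it names. The gateway side evaluates a per-application policy against IdP claims and a device-posture report, and on allow mints a short-lived signed assertion for the origin; the origin side refuses any request that does not carry a valid assertion for that exact application, which is the check that stops a leftover VPN route from bypassing the gateway. Everything here is assumed for illustration: the `APP_POLICY` fields, the `X-Gateway-Assertion` header name, and an HS256 assertion under a constructed shared secret. Real products sign with an asymmetric key and publish the verification keys (Cloudflare Access, for example, sends a `Cf-Access-Jwt-Assertion` JWT and serves its public keys from a certs endpoint), but the shape of the origin-side checks is the same.

```python
"""Toy ZTNA gateway and origin-side assertion check (added example).

Assumptions, not from the page: HS256 with a shared secret stands in for the
provider's asymmetric signing key; the policy fields and header name are made up.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example; a real origin would fetch the gateway's
# public key instead of holding a shared secret.
GATEWAY_SECRET = b"example-gateway-signing-secret"

# Per-application policy: which groups may reach it and what the device must satisfy.
APP_POLICY = {
    "grafana.internal": {
        "allowed_groups": {"sre", "platform"},
        "require_managed_device": True,
        "require_disk_encryption": True,
        "min_os_version": (14, 0),
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def evaluate_policy(app, identity, posture):
    """Gateway: decide for one app. identity = IdP claims, posture = agent report."""
    policy = APP_POLICY.get(app)
    if policy is None:
        return False, "unknown application"
    if not identity.get("mfa"):
        return False, "MFA not satisfied"
    if not policy["allowed_groups"] & set(identity.get("groups", [])):
        return False, "user not in an allowed group"
    if policy["require_managed_device"] and not posture.get("managed"):
        return False, "unmanaged device"
    if policy["require_disk_encryption"] and not posture.get("disk_encrypted"):
        return False, "disk not encrypted"
    if tuple(posture.get("os_version", (0, 0))) < policy["min_os_version"]:
        return False, "OS below minimum version"
    return True, "ok"


def mint_assertion(app, identity, posture, now=None, ttl=300):
    """Gateway: on allow, sign a short-lived assertion bound to this app (aud)."""
    now = int(time.time()) if now is None else now
    allowed, reason = evaluate_policy(app, identity, posture)
    if not allowed:
        return None, reason
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": identity["email"], "aud": app, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(GATEWAY_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig), "ok"


def origin_verify(app, headers, now=None):
    """Origin: accept only a request carrying a valid assertion for *this* app.

    A request arriving over a leftover VPN route has no assertion and is refused,
    and an assertion minted for another app is refused by the audience check.
    """
    now = int(time.time()) if now is None else now
    token = headers.get("X-Gateway-Assertion")
    if not token:
        return False, "no assertion: request did not come through the gateway"
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(GATEWAY_SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return False, "bad signature"
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of parts
        return False, "malformed assertion"
    if claims.get("aud") != app:
        return False, "assertion issued for a different application"
    if claims.get("exp", 0) <= now:
        return False, "assertion expired"
    return True, claims["sub"]


if __name__ == "__main__":
    # Constructed identity and posture, as a gateway would receive them.
    identity = {"email": "alice@example.com", "groups": ["sre"], "mfa": True}
    posture = {"managed": True, "disk_encrypted": True, "os_version": (14, 2)}
    token, reason = mint_assertion("grafana.internal", identity, posture)
    print("gateway:", reason)
    print("origin, via gateway:", origin_verify("grafana.internal", {"X-Gateway-Assertion": token}))
    print("origin, direct over VPN:", origin_verify("grafana.internal", {}))
    print("origin, wrong app:", origin_verify("wiki.internal", {"X-Gateway-Assertion": token}))
```

The audience check is the one most often missing in practice: an assertion that proves "alice came through the gateway" is not proof that alice was authorized for this application, so each origin must check `aud` against its own name rather than merely verifying the signature.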

What ZTNA is not

ZTNA is one slice of a complete zero trust architecture, not the whole of it. Zero trust as an architectural pattern covers identity, devices, networks, applications, and data. ZTNA primarily addresses the "how do users reach private applications" question. Adopting a ZTNA product without also tightening identity, MFA, device posture, and per-application authorization is the most common way teams end up with a "we bought zero trust" claim that does not survive a pen test.

The vendor landscape in 2026

Zscaler ZPA and Cloudflare Access dominate the enterprise market on the agent-based and agentless ends respectively. Twingate and Tailscale have won meaningful share with smaller engineering teams that prefer self-serve onboarding. Palo Alto Prisma Access, Netskope, and Cisco Duo round out the broader SASE category, which extends ZTNA to also cover web traffic and SaaS-app access. Each makes different tradeoffs in identity provider support, protocol coverage, and operational model — the right choice depends on which IdP you already run, which apps need ZTNA, and how willing the team is to deploy agents on every endpoint.

At QUANT LAB

For clients running modern cloud infrastructure, our default recommendation is to put internal admin consoles, dashboards, and any private application behind an identity-aware proxy from day one — Cloudflare Access and Tailscale both make this nearly free for small teams, and the security improvement over "VPN into the bastion host" is enormous.

Our Active Directory pen-test and network pen-test practices regularly find environments where the ZTNA story on the architecture diagram and the ZTNA story in practice do not match — VPN access still flows around the supposed gateway, or service accounts with broad permissions can sidestep the identity check. Read our zero trust glossary entry for the broader pattern, or book a call if you are scoping a VPN replacement.
