QuickZTNA: the Remote Workforce Security OS.

#The setup: the remote workforce has the same security needs as the office, but the office tools don't fit

There is an operational reality about modern engineering and security teams that almost every CIO has internalised by now and that almost no off-the-shelf security stack has been rebuilt around. The reality is that the workforce is permanently distributed. The engineer in Bengaluru, the designer in Berlin, the on-call SRE in Boston, the contractor in Buenos Aires, and the part-time founder in a coffee shop in Bali are all the same team, and they all need the same level of secure access to the same set of production systems, internal services, and customer data.

The historical security stack was built for the office. Castle-and-moat perimeter security. VPN appliances backhauling traffic to the corporate network. Firewall rules that assumed a single corporate egress. Identity providers wired to the corporate AD. Endpoint-protection agents that assumed managed devices on a corporate network. Each component made sense in the era it was designed for, and each component is structurally a poor fit for the workforce model that has emerged in the past several years.

The first wave of remote-work response was to retrofit the office stack onto the remote workforce. VPN concentrators scaled up to handle the load. The IT team rebuilt the firewall rules to handle the new traffic patterns. The identity provider got SCIM-bridged to the cloud HR system. The endpoint-protection agent got bolted onto the corporate-managed device. The retrofit worked, in the same way that a horse-drawn carriage with an engine mounted on it worked — it got you down the road, but the architecture was wrong.

The second wave is the zero-trust architecture that has emerged over the past three or four years. Tailscale and its peers pioneered the mesh-VPN-with-identity pattern. Cloudflare's Zero Trust stack consolidated it with a broader CDN-and-identity story. Twingate, Netbird, and several smaller vendors round out the choice set. The category works, and the established vendors have built credible products. The category also has gaps that have become more visible as the customer base has matured: the DLP layer is usually a separate vendor, the workforce-analytics layer is usually a separate vendor, the remote-desktop and remote-shell capability is usually a separate vendor, the AI-driven policy authoring is usually a separate vendor (or a manual process that doesn't scale).

QuickZTNA exists because the founders watched their own engineering teams and a growing crowd of mid-market security operators run the zero-trust mesh in parallel with three or four adjacent products and conclude that the right move was to ship the whole stack as one operating system. The bet was simple: one control plane, every layer of secure access, single agent on each device.

#What QuickZTNA actually is, in one paragraph and then in detail

QuickZTNA is a cloud-operated zero-trust mesh platform that runs as a managed SaaS by Ollasoftware. The mental model is closest to Tailscale extended with the DLP, the workforce analytics, and the AI-driven policy surface that customers have historically bought from three or four separate vendors. The customer signs up at the dashboard, runs the install command on each device, and the device joins the customer's tailnet over a WireGuard mesh tunnel — reachable by MagicDNS name, governed by ABAC policies, observable through the unified audit log. There is nothing to install on the platform side; the control plane runs on Ollasoftware infrastructure.

Inside the product there are six composable surfaces. The mesh-networking surface is the foundation — WireGuard P2P with DERP fallback, with two global DERP relays (Bangalore and Frankfurt) that handle the CGNAT and symmetric-NAT peers the direct P2P path cannot reach. The access-control surface ships identity-based policies (ACLs and ABAC) keyed on user, tag, device posture, time of day, country, protocol, and port — evaluated per connection rather than per session, so the access decision adapts to the changing context of the connection.

The AI Operator surface is the distinguishing layer. Customers describe policy changes in natural language ("Block all 0.0.0.0/0 egress from contractors") and the Operator generates the corresponding ACL or firewall rule, shows which machines and users will be impacted, snapshots the current state, applies on explicit confirmation, and exposes a one-click revert for the next ninety days. Every step lands in the audit log. The Operator is powered by Claude underneath; the integration is deliberate rather than incidental — Claude's structured-output discipline and its conservative posture on destructive actions are part of why the team picked the model.

The workforce-analytics surface covers the dimensions the customer needs for visibility into the remote workforce: device posture compliance (is the device updated, is the encryption on, is the EDR running), software inventory (what is installed where), user-risk scoring (signals aggregated across the dimensions the platform observes), DLP for sensitive-data egress, CASB for SaaS-application usage, DEM for digital-experience monitoring, anomaly detection. All from the same agent that runs the mesh; no second agent to deploy.

The identity surface ships SSO via Google, GitHub, OIDC, and SAML, with SCIM 2.0 provisioning for Okta and Azure AD, TOTP MFA, and device-bound refresh tokens. The secrets-vault surface ships AES-256-GCM encrypted secrets with rotation policies, integrated with the agent so there is no second tool to deploy. The developer-platform surface ships 57 REST endpoints and a full Terraform provider for machines, ACLs, DNS, users — GitOps teams manage the network state as code.

#The AI Operator: previewing policy changes before they ship

The AI Operator is the layer most customers point to when explaining why they adopted the platform rather than running the established mesh-VPN-plus-three-other-vendors stack. The reason it matters is operational rather than technical. The cost of a misconfigured ACL or firewall rule in production is high — outages, accidentally-blocked critical services, security regressions that go unnoticed for days. The traditional workflow for high-stakes policy changes is "write the rule, review it carefully, schedule a maintenance window, apply, monitor for breakage, roll back if something is wrong" — a process that is slow enough that teams accumulate technical debt rather than ship the changes that need shipping.

The Operator inverts this. The customer asks in natural language for the change they want. "Block TikTok and Instagram on the Mumbai office network" produces a structured rule (DNS block for `tiktok.com` and `instagram.com`, SNI block for `*.tiktok.com` and `*.instagram.com`, applied to the Mumbai office subnet). Before the rule is applied, the Operator shows the impact preview: which machines, which users, which traffic patterns, which downstream effects. The customer reviews the preview, confirms the change explicitly, and the platform applies it.

The post-apply discipline is the part that distinguishes the platform from a "translate-English-to-rule" tool. Every change auto-snapshots the previous state. The audit log records the natural-language request, the generated rule, the preview output, the confirmation, and the apply result. For the next ninety days the customer can roll the change back with one click — the revert restores the snapshot, audit-logs the revert, and propagates the rollback to every node in the mesh.

The destructive-action discipline is explicit. Changes that could break access — blocks that affect the customer's own access, ACLs that would isolate critical services, firewall rules that would close important egress — require an explicit additional confirmation step that surfaces the specific destructive consequences. The Operator does not "just do the thing" when the consequences are non-reversible-feeling. The five-minute undo window applies to every action regardless of severity; the higher-severity actions get the additional explicit confirmation on top.

Underneath the natural-language surface, the Operator is wired into the platform's structured policy primitives. The customer is not paying for an opaque LLM that generates arbitrary changes; the Operator translates natural-language intent into the platform's typed policy schema, and the typed schema is what actually applies. This is the architectural property that makes the Operator usable in production rather than as a research demo — the LLM's output is constrained by the platform's type system rather than being free-form configuration that the platform tries to parse.

“ Ask in natural language. The Operator generates the rule, shows you who it impacts, snapshots the state, applies on confirm, and lets you revert with one click. Every step audit-logged.

#WireGuard mesh with DERP fallback: how the network actually works

The mesh networking layer is the foundation everything else sits on top of. The platform runs WireGuard tunnels as the encryption primitive — the modern, audited, kernel-fast tunnel protocol that has emerged as the canonical choice for high-performance VPNs over the past several years. The architectural choice the platform made is to run the tunnels as a peer-to-peer mesh wherever the network conditions permit it, with DERP relay fallback for the cases where direct P2P cannot be established.

The P2P path is the cheap and fast common case. Two devices in the customer's tailnet that can reach each other directly (typical office-to-office, typical home-to-cloud, typical cloud-to-cloud) establish a direct WireGuard tunnel between them. The traffic flows directly without transiting the platform's relay infrastructure. The latency is the wire latency between the two devices — typically sub-50ms for in-region paths, the additional cryptographic overhead is single-digit milliseconds.

The DERP fallback handles the cases where direct P2P cannot be established. The most common cause is CGNAT — carrier-grade network address translation that the customer's ISP runs to share a small pool of public IPv4 addresses across many residential connections, with the side effect of making inbound connections to the customer's devices unreachable. The next most common is symmetric NAT — the corporate-firewall pattern that maps outbound connections to ephemeral ports in a way that defeats the conventional NAT-traversal techniques.

For both cases, the DERP relay terminates the tunnel from one side, terminates the tunnel from the other side, and forwards the encrypted traffic between them. The relay never sees the plaintext — the WireGuard cryptography terminates at the device endpoints, not at the relay. The relay is a network bridge for the encrypted packets, not a privacy hole. The platform's two DERP regions (Bangalore for the India and APAC traffic, Frankfurt for the European and EMEA traffic) cover the geographic concentrations where the customer base is densest.

MagicDNS is the DNS overlay that makes the mesh usable in practice. Every device in the customer's tailnet gets a stable name of the form `..zt.net`, resolvable from any other device in the same tailnet. The customer's scripts, configurations, and runbooks can reference devices by name rather than by IP, which means a device that moves to a different network (the laptop that goes home for the weekend, the cloud instance that gets replaced during deploy) stays addressable by the same name throughout. Subnet routes extend the mesh to cover non-mesh devices behind a mesh-connected gateway; exit nodes route the device's general egress through a designated mesh peer for the use cases that require it.

#ABAC: identity-based policies evaluated per connection

Access-control on the platform is ABAC — attribute-based access control — keyed on the dimensions that matter for the modern remote workforce. The conventional ACL primitive ("user A can reach service B on port C") is a special case of the ABAC surface; the broader pattern lets the customer write policies keyed on user identity, machine tag, device posture, time of day, country, protocol, and port, with the policy evaluated per connection rather than per session.

The per-connection evaluation is the architectural property that distinguishes ABAC from coarser access models. A session-level access decision — "this user is logged in, they can reach the production database" — does not adapt when the context changes during the session. The user who moved their laptop from the office to a coffee shop, or from a managed device to a personal one, retains the same access until the session expires. The connection-level evaluation re-checks the context every time a new connection opens; if the laptop moved, if the device posture degraded, if the time-of-day window changed, the next connection is evaluated against the current state rather than the state at login.

The dimensions the policies can key on are the ones the customer actually wants to use. User identity (the human authenticated through the SSO surface). Machine tag (the role the device plays — `laptop`, `prod-server`, `ci`, `edge` — assigned at enrolment). Device posture (the EDR is running, the disk is encrypted, the OS is up to date — the operational signals the platform's agent collects). Time of day (the maintenance window applies, the after-hours rule kicks in). Country (the device's current network locality, useful for the compliance rules that restrict access from certain jurisdictions). Protocol and port (the conventional network-layer dimension).

JIT (just-in-time) access workflows extend ABAC for the elevated-access use case. The user requests access to a system they don't normally have, the request lands in the admin queue, the admin approves or denies, and on approval the elevated access auto-revokes on the configured schedule (one hour, end-of-day, whatever the policy says). The audit log records the request, the approval, the access window, and the revocation. For the security team that needs to demonstrate auditable elevated-access discipline to an auditor, JIT is the workflow that produces the structured evidence.

The policy authoring surface is the AI Operator described earlier. Customers can author policies through the conventional rule-syntax surface if they prefer (the platform supports the standard ACL DSL), or through the natural-language Operator that translates intent into the typed policy schema. Most customers move toward the Operator after the first month because the iteration speed is meaningfully faster.

#Workforce DLP and analytics — the full SASE story in one agent

The platform extends past the mesh-and-ABAC story into the broader workforce-security surface that customers have historically bought from separate vendors. The integration discipline is that everything runs through the same agent — no second agent to deploy, no second policy surface to learn, no second audit log to correlate against.

Workforce DLP is the data-loss-prevention layer. The platform observes sensitive-data egress through the customer's configured detection patterns (PII formats, financial-data shapes, secrets formats, the policy-defined sensitive content) and applies the configured response — block, alert, watermark, log — when egress matches. The DLP runs in the agent at the device level, which means it works against the conventional egress patterns that a network-only DLP misses (the cloud-storage upload, the SaaS application that bypasses corporate-network DLP, the file share to a personal device).

Device posture and software inventory cover the visibility dimension. The agent collects the standard signals — OS version, patch level, EDR running, disk encryption status, firewall status — and surfaces them in the dashboard alongside the software inventory (what is installed where, when it was installed, what version). For the security team that needs to demonstrate compliance posture across the workforce or hunt for the device that has a vulnerable package installed, this surface is the diagnostic.

User-risk scoring aggregates the signals into a per-user risk score. The score is the function of the dimensions the platform observes — failed-login patterns, device-posture compliance, geographic anomalies, DLP-policy violations, the conventional signals security teams aggregate by hand. The score surfaces in the dashboard and can feed into the ABAC policy evaluation — the user whose risk score has crossed a threshold can be automatically restricted to a tighter access policy until the score recovers.

CASB (Cloud Access Security Broker) covers the SaaS-application surface. The platform classifies the SaaS applications the workforce uses, flags the Shadow IT — applications that are in use without security-team visibility — and applies the configured policies to the sanctioned applications. DEM (Digital Experience Monitoring) covers the application-performance surface from the user's perspective. Anomaly detection covers the unusual-pattern surface for the security operations workflow.

Remote access — both shell and desktop — round out the agent's capability. The administrator can remote-shell into a managed device (with the audit log recording every command), and remote-desktop into the device for the longer-form support workflows. The remote-access surface uses the same ABAC policy primitives as the rest of the platform; access is governed by the same role and policy structure.

#Pricing and the free-forever tier

The pricing surface is structured around per-user tiers with the free-forever pattern at the entry level. The free tier ships up to 5 users on the full feature surface — the mesh, the ABAC, the DLP, the device posture, the AI Operator, the audit log. This is the right tier for the small founder team, the early-stage startup that hasn't yet outgrown the five-user threshold, and the evaluation period that precedes any commercial commitment.

Above the free tier, the platform moves to per-user pricing with the conventional tiering — a Starter tier that adds the operational ergonomics small teams need, a Pro tier that adds the controls mid-market security teams need, an Enterprise contract for the larger deployments. The published rates are competitive with the established mesh-VPN vendors at the per-user pricing dimension and include the DLP and workforce-analytics surfaces that the established vendors typically charge for separately.

Across all the paid tiers, the principle is the one consistent across the Ollasoftware portfolio: every feature on every tier, capacity and operational controls scale with the tier. There is no Pro-only DLP. There is no Enterprise-only AI Operator. The five-user free tier and the thousand-user enterprise contract get the same capability surface; what changes is the user count, the rate-limit ceiling, the operational SLA, and the compliance controls (SCIM provisioning, advanced RBAC, audit-log streaming to a SIEM, dedicated-tenant regional deployment).

The team uses Dodo Payments for the published-tier billing and custom invoicing for the Enterprise contracts. The customer evaluating the platform can self-serve through the free tier and the published paid tiers without speaking to a salesperson; the customer running an enterprise procurement has the option of the custom-contract path through the team directly.

#How QuickZTNA compares to the alternatives

The zero-trust mesh category has a clear set of names and it is worth being direct about how the platform sits against each.

Tailscale is the closest peer and the vendor most prospective customers evaluate the platform against. Tailscale is the canonical mesh-VPN-with-identity product, has a strong developer reputation, and integrates cleanly with the established identity providers. QuickZTNA extends past Tailscale on the workforce-security dimensions: the AI Operator for natural-language policy authoring; the integrated DLP, device posture, software inventory, and user-risk scoring; the JIT-access workflow with auditable elevation. For teams that need only the mesh-VPN-with-identity surface, Tailscale is sufficient; for teams that need the broader workforce-security surface, QuickZTNA consolidates the spend.

Cloudflare Zero Trust is the broader-ecosystem alternative. Cloudflare ships the zero-trust mesh as one slice of a much larger product surface that includes the Cloudflare CDN, the WARP client, the identity proxy, and the various other Cloudflare services. The platform sits more narrowly focused on the zero-trust-workforce-security surface; for teams already deep in Cloudflare and wanting bundled procurement, Cloudflare Zero Trust is reasonable; for teams that want a focused product with the AI Operator and the integrated workforce surface, the platform is the differentiated alternative.

Twingate and Netbird are the closer peers on the focused-zero-trust dimension. Both ship competent mesh-VPN products with credible identity-based access control. The platform extends past them on the AI Operator and the integrated workforce-security stack; for buyers comparing on the core mesh feature, the platform compares favourably on the additional surface.

Zscaler, Netskope, and the broader SASE vendors are the enterprise-tier alternatives that have historically dominated the large-enterprise procurement. They are competent within their tier and structurally heavy for the small-to-mid-market deployments where the platform fits best. The platform is not trying to displace Zscaler at the F500 tier; it is trying to be the right answer for the engineering-and-security teams below that tier that want the SASE feature surface without the SASE procurement footprint.

For DLP specifically, the established vendors include Forcepoint, Microsoft Purview DLP, and Symantec DLP — each of which has its own customer base and its own pricing structure. The platform's DLP is integrated into the same agent as the mesh and the ABAC, which is the operational property that distinguishes it from buying DLP as a separate stack with its own agent and its own dashboard.

#The team and the operational substrate

QuickZTNA is built and operated by Ollasoftware, the AI software development company headquartered in Bengaluru that has shipped more than forty AI brands in production over the last four years. The platform is one of the larger backend products in the portfolio by control-plane scale and is the canonical security-product deployment that the broader portfolio relies on internally.

The Go client is open source — the customer can read the agent's implementation, audit what data the agent collects, verify the network behaviour against the documentation, and run a security review against the codebase. The license discipline matters because the agent runs on the customer's managed devices with elevated capabilities; the open-source posture lets the customer verify what the agent actually does rather than rely on the vendor's policy claim.

The control plane runs on the same operational substrate that powers OllaDNS, 24observe, Crawlcrawl, and the broader Rust-and-Go portfolio (async-Rust services where the security-engineering team has standardised on Rust, Go for the agent-side client where the cross-platform deployment story is cleaner, Postgres for the relational store, Caddy for the public-facing edge). The shared substrate is part of why the team can ship the breadth of the platform with a small headcount.

The parent group, Networkers Home, is the cybersecurity and networking training institute that has placed more than forty-five thousand alumni across eight hundred hiring partners since 2007. The institutional context matters here meaningfully — the platform's deep network-engineering primitives, its security discipline, and its operational maturity are anchored on the parent group's two-decade track record in network and cybersecurity training. The team's background includes the disciplines (Cisco, Palo Alto, Fortinet) that produce the operators the platform is built for.

#What is on the roadmap

The team publishes the roadmap on the brand site and updates it as work ships. The visible near-term threads are concrete: an expanded DERP relay footprint beyond the current Bangalore + Frankfurt set (US-East and US-West are the next planned regions, then Tokyo for the broader APAC coverage), deeper Workforce Analytics surface with the user-risk dimensions customer feedback has surfaced, and richer JIT-access workflows that integrate with the customer's existing ticketing systems (Linear, Jira, ServiceNow) for the approval queue.

Underneath those visible features is steady investment in the AI Operator. The current Operator handles the canonical policy-authoring patterns well; the roadmap extends the surface to multi-step operational workflows ("audit my contractor accounts and revoke any that haven't logged in for 30 days"), cross-policy reasoning ("show me every ACL that would be affected if I removed the engineering tag"), and incident-response automation ("a critical device just failed posture, what do you recommend"). The principle is that the Operator should handle the operational workflows that take real time today, not just the policy-translation problem.

On the agent side, the team is investing in the mobile-device deployment story. The current agent supports Linux, macOS, and Windows on the desktop; the mobile coverage (iOS and Android) is on the near roadmap and will close the cross-platform commitment for the customer running fully-remote workforces with mobile-device access.

Pricing during the current phase is the published free-forever tier for up to 5 users plus the per-user paid tiers. The team has signalled that the free-tier user limit may grow over time as the unit economics improve, and that the per-user pricing will stay competitive at every tier.

#How to start

If you run a remote or hybrid engineering team and the security stack you currently run is some combination of VPN-plus-EDR-plus-DLP-plus-CASB-plus-identity-proxy-plus-IT-asset-management, the right next move takes about two minutes. Sign up at quickztna.com (no credit card for the free tier), create a network in the dashboard, run the install command on one device, and watch it join the mesh.

The two-minute claim is verifiable. The dashboard's Quickstart walks through the three steps: issue a reusable auth key, pipe the installer to the device (`curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=tskey-auth-xxx sh`), watch the device come up on the mesh. The installer detects the OS and architecture, installs the service, starts the daemon, generates the WireGuard keypair, allocates the tailnet IP, registers the MagicDNS name, and pushes the ABAC policies. For 100 hosts deployed via Ansible, the team's published example completes in under two minutes.

For deeper evaluation, the free tier covers up to 5 users with the full feature surface — the mesh, the ABAC, the DLP, the device posture, the AI Operator. That is enough for the founder-team evaluation to run for as long as it needs to before any commercial commitment.

For teams that want to evaluate the AI Operator specifically before committing to the platform, the dashboard's demo mode lets the customer try the Operator against a synthetic network without enrolling any real devices. The customer can ask for policy changes in natural language, see the preview output, see how the platform structures the typed rules underneath, and decide whether the discipline matches their expectations.

If you would like the team to walk you through a specific deployment — particularly the migration from an established stack, the integration with the customer's existing identity provider, or the Enterprise contract for a large-scale deployment — the Ollasoftware contact page reaches the engineers who built the platform directly.