Universal Segmentation. Less Risk at Lower Cost.
Simplify secure connectivity across enterprise IT, operational technology, IoT, edge, and cloud – without VPNs, firewall rule changes, or VLAN modifications. Identity-first access for every site, server, and workload.
IT & OT Connectivity Needs Have Outgrown Traditional Networking
OT systems need more connectivity – for vendor support, condition monitoring, analytics, and IT & OT integration. But traditional network-centric approaches expand trust boundaries, increase change-control burden, and create governance sprawl.
The sprawl problem
Each new vendor, OEM, or system integration requires firewall rule changes, VPN deployments, or VLAN modifications – each one triggering change management cycles and adding to the attack surface. Meanwhile each vendor brings their own tunnel and access model, creating inconsistent controls across the enterprise.
- VPNs give excessive access – remote vendors can often reach far more than they need
- Jump servers are operationally complex and create single points of failure
- Open inbound firewall rules expand the OT attack surface and violate IEC 62443 principles
- VLAN changes require security and network reviews – slowing new capability delivery
- Heterogeneous OEM access models – fragmented governance and compounding audit sprawl
- No centralized visibility into who is accessing what, when, from where
The customer connectivity problem
Software and service providers face the same challenge in reverse: every customer deployment requires coordinating firewall rule changes, VPN setup, and IP allowlists on the customer side – triggering lengthy security reviews that delay revenue.
- Customer IT teams required to open inbound ports or deploy VPNs before any connection can occur
- Every customer deployment requires different firewalls, policies, and timelines
- Lengthy security reviews triggered by firewall rule change requests
- Excess access risk – VPN access often broader than necessary for the service being provided
- Operational overhead maintaining IP allowlists and VPN configurations across hundreds of customers
Identity-First Connectivity Across Every Environment
NetFoundry decouples connectivity governance from the underlying network. An outbound-only overlay connects every site, device, and workload – without modifying firewalls, VLANs, or existing network infrastructure.
Simplify and centralize hybrid IT & OT site connectivity
Enable vendor access, telemetry collection, and IT & OT data flows – without opening inbound ports or modifying VLAN configurations. New access paths are created entirely through the NetFoundry overlay, leaving existing OT network infrastructure untouched.
- No inbound ports – outbound-only from the OT environment
- No VLAN or underlay network changes required for new access paths
- Authorized, identity-bound conduits – default deny with service-level access
- Standardize governance across all OEMs and vendors with one policy model
- Available on Siemens network devices as Siemens SINEC Secure Connect
- IEC 62443 aligned: FR-1 (identification), FR-2 (authorization), FR-5 (boundary protection), FR-6/7 (audit)
Replace VPNs with identity-based partner access
Give partners, suppliers, and third parties the exact access they need – no more, no less. Identity-based least-privilege replaces broad VPN tunnels that grant excessive network access.
- No VPNs to deploy, manage, or troubleshoot for partner access
- No open firewall ports or IP allowlists required
- Each partner gets service-level access – only to the specific services they’re authorized for
- Full identity-based audit trail of every partner connection and service call
- Instant access provisioning and revocation – no infrastructure changes needed
- Consistent governance model across all partners regardless of their network setup
Instead of maintaining complex per-partner VPN configurations or firewall exceptions, each partner identity gets a certificate-based connection to only the services they need – centrally managed through NetFoundry’s identity-based policy engine.
“NetFoundry helped us scale faster, safer, and more cost-effectively – eliminating VPN and NAT dependencies.”
Rodrigo Bernardinelli, CEO – Digibee
Deploy at customer sites in minutes, not weeks
Eliminate the deployment bottleneck that costs SaaS providers, MSPs, and software companies weeks of per-customer IT coordination. With NetFoundry, customers don’t need to open a single inbound port.
- Customers deploy a lightweight connector – no firewall changes, no VPN, no IT review required
- Your platform connects to customer environments via outbound-only overlay
- Shorter sales cycles – fewer security objections, simpler security reviews
- Faster revenue recognition – deployments in minutes instead of weeks
- Centralized management of all customer connections from a single control plane
- Works across on-prem, cloud, OT, and IoT customer environments without redesign
NetFoundry Customer Connect embeds Identity-First Connectivity™ directly into provider platforms. Customers deploy a connector alongside their existing infrastructure – no firewall rule changes, no VPN management, no IP allowlist coordination.
“Our customers don’t need to open a single inbound firewall port for us to manage our software.”
John Wilson, CEO – TZ Limited
Block lateral movement without network redesigns
Traditional microsegmentation requires complex VLAN configurations and ongoing firewall rule management. NetFoundry’s identity-based approach delivers microsegmentation as a policy – not a network architecture change.
- Define access by identity and service – not IP address or network segment
- Default deny: no lateral movement is possible unless explicitly authorized by policy
- Instant policy updates – no firewall rule changes required to adjust segmentation boundaries
- Works across existing networks – no VLAN redesign, no infrastructure changes
- Full visibility into traffic by identity and service – not just IP and port
- Simple to deploy incrementally – add segments progressively without disrupting existing connectivity
Post-breach lateral movement is the main way attackers turn a single compromised endpoint into a full network intrusion. NetFoundry’s policy-based approach makes lateral movement structurally impossible for unauthorized identities – regardless of which network they’re on.
“NetFoundry’s technology enables us to apply the strictest deny-by-default security principles to every user, device and application in our customers’ networks.”
Steve Wulchin, CEO – Freewave
Five Steps to Zero Trust Connectivity
NetFoundry’s approach works the same way across IT, OT, IoT, cloud, and partner environments – replacing network-centric models with identity-based access at every point.
Enable connectivity without underlay network changes
New access paths are created through the NetFoundry overlay – no changes to VLANs, firewall rules, or existing network infrastructure. Change management overhead is eliminated for new connectivity requirements.
Authenticate first, then connect via encrypted conduit
Mutual authentication using X.509 certificates establishes an encrypted conduit only after identity and policy are verified. No network access is granted by default – zero trust from the connection layer up.
Enforce least-privilege access
Access is defined by identity, workload, and service – not IP addresses or network location. Policies can be as granular as individual service endpoints, enabling true microsegmentation without network redesign.
Operate at scale with centralized governance
Centralized policy management and immutable logs support investigation, change control, and audit requirements across all sites, vendors, and OEMs – in a single consistent governance framework.
IEC 62443 alignment for OT environments
NetFoundry maps cleanly to IEC 62443 zones, conduits, and least-privilege requirements – supporting FR-1 (identification and authentication), FR-2 (authorization), FR-5 (boundary protection), FR-6/7 (audit and monitoring), and SR 2.6 (session termination).
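The access model described in the five steps above, and in the earlier "Block lateral movement" section, can be sketched as a small default-deny policy evaluator: a peer is admitted only after its certificate identity is verified, it may dial only the named services a policy explicitly grants to its identity or role, the decision never consults the peer's IP address or network segment, and every decision lands in an append-only audit log. The code below is an added illustrative example, not NetFoundry's code or API. All identity names, roles, service names and IP addresses are constructed sample data, and the mutual X.509 handshake is represented by a `cert_verified` flag rather than performed.

```python
"""Identity-first, default-deny, service-level access policy (illustrative example).

Everything here is constructed sample data; nothing is NetFoundry's own code.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Identity:
    """A peer as established by mutual X.509 authentication.

    cert_verified stands in for the handshake outcome (chain validation), and
    roles stand in for attributes the control plane's identity store would supply.
    """
    name: str
    roles: Tuple[str, ...] = ()
    cert_verified: bool = False


@dataclass(frozen=True)
class AuditRecord:
    """One access decision. Frozen so the log can only grow, never be edited."""
    identity: str
    service: str
    allowed: bool
    reason: str
    src_ip: str  # recorded for forensics only; never consulted in the decision


class PolicyEngine:
    """Default deny: a service is reachable only by principals explicitly granted it."""

    def __init__(self) -> None:
        # service name -> principals (identity names or "@role") allowed to dial it
        self._grants: Dict[str, Set[str]] = {}
        self._audit: List[AuditRecord] = []

    def define_service(self, service: str) -> None:
        self._grants.setdefault(service, set())

    def grant(self, principal: str, service: str) -> None:
        """Authorize one principal for exactly one service, never a whole network."""
        self._grants.setdefault(service, set()).add(principal)

    def revoke(self, principal: str, service: str) -> None:
        """A policy change only; it takes effect on the next decision."""
        self._grants.get(service, set()).discard(principal)

    def authorize(self, who: Identity, service: str, src_ip: str) -> bool:
        """May `who` dial `service`? Anything not explicitly granted is denied."""
        if not who.cert_verified:
            return self._record(who, service, False, "certificate not verified", src_ip)
        principals = self._grants.get(service)
        if principals is None:
            # Unknown service: nothing is exposed, so there is nothing to dial.
            return self._record(who, service, False, "service not defined", src_ip)
        if who.name in principals:
            return self._record(who, service, True, "identity grant", src_ip)
        matched = [r for r in who.roles if f"@{r}" in principals]
        if matched:
            return self._record(who, service, True, f"role grant:{matched[0]}", src_ip)
        return self._record(who, service, False, "no matching grant (default deny)", src_ip)

    def _record(self, who: Identity, service: str, allowed: bool, reason: str, src_ip: str) -> bool:
        self._audit.append(AuditRecord(who.name, service, allowed, reason, src_ip))
        return allowed

    def audit_log(self) -> Tuple[AuditRecord, ...]:
        """Read-only view of every decision taken so far."""
        return tuple(self._audit)


def run_scenario() -> dict:
    """Constructed scenario: an OEM vendor, an internal engineer, and an unenrolled host on the OT LAN."""
    engine = PolicyEngine()
    engine.define_service("plant-a.plc-line-3")  # constructed service names
    engine.define_service("plant-a.historian")
    engine.grant("vendor-oem-support-01", "plant-a.plc-line-3")
    engine.grant("@ot-engineer", "plant-a.historian")

    vendor = Identity("vendor-oem-support-01", ("vendor",), cert_verified=True)
    engineer = Identity("alice.ot", ("ot-engineer",), cert_verified=True)
    # Sits on the same VLAN as the PLC but has no verified certificate.
    rogue = Identity("unknown-host", (), cert_verified=False)

    results = {
        "vendor_to_plc": engine.authorize(vendor, "plant-a.plc-line-3", "203.0.113.7"),
        "vendor_to_historian": engine.authorize(vendor, "plant-a.historian", "203.0.113.7"),
        "engineer_to_historian": engine.authorize(engineer, "plant-a.historian", "10.20.30.40"),
        # Network position grants nothing: same segment as the PLC, still denied.
        "rogue_on_ot_lan_to_plc": engine.authorize(rogue, "plant-a.plc-line-3", "10.20.30.41"),
    }
    engine.revoke("vendor-oem-support-01", "plant-a.plc-line-3")
    results["vendor_to_plc_after_revoke"] = engine.authorize(vendor, "plant-a.plc-line-3", "203.0.113.7")
    results["audit_entries"] = len(engine.audit_log())
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The scenario shows the two properties the page leans on: the vendor identity reaches only the one service it was granted and nothing else on the plant network, and a host that shares the PLC's VLAN but has no verified certificate is refused regardless of its address. Revocation is a pure policy edit with no firewall or VLAN change, and each decision, allowed or denied, leaves a record carrying identity and service rather than only IP and port.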
Built for Regulated Environments
NetFoundry secures billions of sessions for critical infrastructure on three continents – including multiple Fortune 10 companies. The platform is designed to support the most demanding compliance and regulatory requirements.
- 2,000+ organizations use NetFoundry
- 8 of 10 largest US banks connect users to data with NetFoundry
- 1B+ sessions/month across global redundant infrastructure
- 100+ global PoPs with 99.95% uptime SLA (Cloud tier)
What You Get with Identity-First IT & OT Connectivity
Zero inbound attack surface
All connections outbound-only from every site. No open ports that attackers can discover, scan, or exploit – from plant floors to cloud environments.
Faster change delivery
New vendor access, data flows, and connectivity requirements provisioned via policy – no firewall rule changes, no VLAN modifications, no change-control cycles.
Centralized governance
One policy model for all sites, vendors, and OEMs. Consistent audit trails by identity and service across every environment – from ICS to cloud.
Works with existing infrastructure
Supports L2/L3 protocols where required. No underlay network changes. Deploy on-prem, hybrid, or cloud architectures – without redesigning what exists today.
Accelerated customer deployments
Software providers deploy to customer environments in minutes, not weeks – no customer IT coordination, no firewall rule requests, no IP allowlist management.
Simplified OEM management
Standardize access governance across all OEM and vendor identities with one platform. Replace per-vendor VPN deployments with a single, auditable connectivity model.
Simplify Your IT & OT Connectivity Today
Learn how NetFoundry enables secure, identity-first connectivity across your enterprise, OT, and partner environments – without changing your existing network infrastructure.