Saturday, 4 July 2026

ZTNA Buyer's Guide: What to Demand Before You Sign


Most ZTNA demos look the same: a polished console, instant policy toggles, zero perceptible lag. Then you deploy in production and discover the agent consumes 400MB of RAM, every request bounces through a data center 80ms away, and the controls you actually need are locked behind an enterprise tier you didn't budget for.


This guide gives you the criteria, the pricing comparison, and the exact RFP questions to cut through vendor theater before you sign anything.



What Should a Good ZTNA Solution Actually Do?

The baseline capability is table stakes, but the differentiators are where deals go wrong. A solid zero trust network access implementation has to pass three tests that most vendors quietly fail.

Latency That Holds Up After the Demo

On-device security processing is the only architecture that doesn't add a round trip. When traffic routes through a vendor's data center for inspection, you're betting your user experience on that data center's uptime, capacity, and geographic proximity. Vendors rarely disclose average latency under real load during evaluations.


Demand proof: run your own benchmarks with the agent installed on a representative device, not a pre-staged demo machine. A secure web gateway that runs inspection locally -- on the endpoint itself -- eliminates the data-center bottleneck entirely. Performance stays consistent whether the user is in headquarters or a hotel room in Singapore.

Pricing That Doesn't Hide the Real Number

Per-seat pricing sounds simple until you realize "seat" means different things to different vendors. Some count active devices. Some count directory users. Some count concurrent connections. The number in the initial quote rarely matches what you pay once you add SSL inspection, DLP, or cloud app controls.


Demand a complete all-in price per endpoint that includes every feature you plan to use on day one. If a vendor can't give you a single transparent figure, that's a signal worth heeding before contract negotiations start.

A Single Console, Not a Collection of Products

ZTNA that only covers private access leaves your web traffic unprotected. When the web gateway, private access controls, and DLP policies live in separate consoles from separate vendors, you're stitching together a security stack instead of running one. Policy drift, coverage gaps, and slow incident response follow.


Evaluate whether the platform gives you web controls and private access in one unified view. Switching between tools to enforce a single policy doubles your operational overhead and creates windows where enforcement lags.

No Proprietary Lock-In at the Connector Layer

Vendor connectors that only function inside the vendor's own infrastructure are an architectural moat. Migrating away means ripping connectors from every on-prem resource you've protected. Ask specifically whether the connector protocol is standard or proprietary, and what a full migration would cost in engineering hours before you're locked in.



How Do ZTNA Pricing Models Compare?

Most buyers evaluate features first and pricing second. That order is expensive. The pricing model determines what you actually pay at scale -- and how exposed you are at renewal.


Model             | What You Pay For                | Common Hidden Cost
------------------+---------------------------------+----------------------------------------
Per-seat (user)   | Directory users, active or not  | Idle accounts inflate count
Per-connection    | Concurrent sessions             | Traffic spikes drive overages
Per-feature tier  | Base platform + add-ons         | Core controls gated to enterprise tier
Per-device        | Active endpoints                | Transparent when all features included


The per-device model is the only one that maps directly to your hardware inventory -- an asset list you already maintain. Every other model requires a mapping exercise that introduces error and gives the vendor negotiating leverage at renewal.


Any vendor that sells an SWG (secure web gateway) capability as a separate add-on is signaling that the architecture wasn't designed as a unified platform. Bolt-on security modules run on their own update cycles, fail independently, and route to separate support queues when something breaks.


Ask whether the SASE platform you're evaluating uses a single agent or requires multiple agents to coexist on the endpoint. Multiple agents mean multiple failure points and potential conflicts with your existing EDR.



How Do You Scope a ZTNA RFP Correctly?

A well-scoped RFP forces vendors to commit to specifics rather than answer at the level of marketing copy. These are the questions worth including.


Architecture


  • What percentage of inspection happens on the endpoint vs. in your data centers?

  • What is mean latency for SSL inspection under 500 concurrent connections on a mid-range laptop?

  • What is your agent's memory footprint at idle and under peak load?

  • Does a single agent handle both web filtering and private access, or are they separate processes?


Pricing


  • Provide an all-in per-device price including SSL inspection, URL filtering, DLP, and cloud app controls.

  • List every feature gated above the quoted tier.

  • What are your overage terms if we exceed the licensed device count mid-term?


Lock-in and migration


  • What connector protocol do you use for private access resources?

  • If we terminate the contract, how long do we retain access to configuration exports?

  • Do you support coexistence with third-party VPNs and EDRs without agent conflicts?


Compliance and support


  • Provide your most recent SOC 2 Type 2 report.

  • What is your SLA for policy push latency from console change to endpoint enforcement?

  • What is your expected response time for P1 incidents?


Vendors who hesitate on architecture questions are the ones whose demos rely on optimized lab conditions. Production is not a lab.
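To turn the architecture questions above (and the "run your own benchmarks" advice earlier) into numbers you collect yourself, here is an added example harness; it is not code from the post or from any vendor. It fires concurrent HTTPS requests, reports nearest-rank latency percentiles and failure counts, and computes the per-statistic overhead between a run with the agent disabled and a run with it enabled. The function names, the concurrency defaults and the placeholder URL are assumptions of this example.

```python
import math
import statistics
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor

def time_request(url, timeout=10.0):
    """One HTTPS GET; returns elapsed seconds, or None if it failed or timed out."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read()
    except Exception:
        return None
    return time.perf_counter() - start

def run_load(probe, targets, concurrency=500, rounds=1):
    """Hit every target `rounds` times with up to `concurrency` requests in flight.
    Returns (latencies_ms, failures); failures are requests the probe gave up on.
    Keep rounds * len(targets) well above `concurrency` so the pool is actually saturated."""
    jobs = [t for _ in range(rounds) for t in targets]
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        results = list(pool.map(probe, jobs))
    latencies = [r * 1000.0 for r in results if r is not None]
    return latencies, len(results) - len(latencies)

def summarize(latencies_ms):
    """Nearest-rank percentiles: p95 and max are what users feel, not the mean a vendor quotes."""
    s = sorted(latencies_ms)
    def pct(p):
        return s[max(0, math.ceil(p / 100.0 * len(s)) - 1)]
    return {"n": len(s), "mean_ms": statistics.fmean(s),
            "p50_ms": pct(50), "p95_ms": pct(95), "max_ms": s[-1]}

def agent_overhead(baseline_ms, agent_ms):
    """Delta per statistic between a run without the agent and the same run with it enabled."""
    b, a = summarize(baseline_ms), summarize(agent_ms)
    return {k: a[k] - b[k] for k in ("mean_ms", "p50_ms", "p95_ms", "max_ms")}

if __name__ == "__main__":
    import sys
    # Run once with the agent disabled and once enabled, against the same URL list,
    # then pass both latency lists to agent_overhead(). The default URL is a placeholder.
    urls = sys.argv[1:] or ["https://example.com/"]
    lat, failed = run_load(time_request, urls, concurrency=50, rounds=10)
    print(summarize(lat) if lat else "all requests failed", "failures:", failed)
```

Run it on a representative laptop rather than a demo machine, and record the failure count alongside the percentiles: connections the agent drops under load never show up in a mean.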



Frequently Asked Questions

What is the difference between ZTNA and a VPN?

A VPN grants broad network access once a user authenticates. ZTNA grants access only to specific resources based on identity, device posture, and context -- and re-evaluates trust continuously. A compromised credential on a ZTNA architecture doesn't open the entire network the way it does on a traditional VPN.

What should buyers look for when evaluating an SSE platform?

An SSE (security service edge) platform should deliver web security, private access, and data controls from a single console with a single agent. Separate agents for each function create conflicts with endpoint detection tools and leave policy gaps when rules fail to sync across modules. Unified architecture is the criterion that separates purpose-built platforms from bundled point products.

Are there ZTNA vendors that run security on the endpoint instead of a data center?

Yes. Endpoint-first architectures run SSL inspection and policy enforcement directly on the device, so traffic never detours through a vendor data center. Vendors like dope.security have built their entire platform around this model, which means performance holds regardless of data center geography or capacity constraints.

How do you avoid vendor lock-in when buying ZTNA?

Demand standard connector protocols and a documented migration path before signing. Request a data export sample during the evaluation period. Proprietary connectors that only work inside the vendor's cloud are the most common source of lock-in -- migrating them means re-engineering access to every internal resource you've protected.



The Cost of Getting This Decision Wrong

A three-year ZTNA contract signed after a favorable demo is three years of living with whatever the vendor didn't disclose. Latency complaints compound. Pricing surprises land at every renewal. Security gaps from a fragmented web and access stack turn into incident reports.


The vendors who can answer every RFP question above with specific, documented numbers are the ones worth shortlisting. The ones who redirect to a custom demo are the ones to pressure harder -- or remove from consideration.

