BrowZer: The Open-Source Solution for Enterprise-Grade "Clientless" Zero Trust Access
2026-01-29 | NetFoundry Official Site | OpenZiti GitHub
30-Second Quick Judgment
What is it?: BrowZer makes your web apps "invisible" to the internet. Only authorized users can access them through a standard browser without installing any client software. Simply put, it simplifies complex Zero Trust networking into a "just open Chrome" experience.
Is it worth your attention?: If you are an enterprise IT/Security lead tired of VPN headaches, or if you need to provide secure access to internal apps for external partners, this is definitely worth exploring. It's open-source, Cisco just invested in it, and 8 of the top 10 US banks are already using the underlying OpenZiti technology.
Comparison: The main competitors are Cloudflare Access and Zscaler ZPA. BrowZer’s unique selling point is being completely clientless and fully open-source.
Three Key Questions
Is it for me?
Target Users:
- Enterprise IT/Security Teams: Looking to replace VPNs or implement Zero Trust access.
- B2B Companies: Needing to give external partners access to internal systems without forcing them to install software.
- Remote Teams: Employees accessing company resources from various devices.
Does this sound like you?: You are the target user if:
- A partner says, "Our company policy doesn't allow us to install your VPN client."
- The IT department complains, "Managing VPN compatibility across so many different devices is a nightmare."
- Security audits require that "all internal applications must not be exposed to the public internet."
Common Use Cases:
- B2B Collaboration: External vendors accessing your internal systems.
- BYOD Scenarios: Employees working from their own devices.
- Compliance: Apps must be "invisible" and unscannable by external threats.
Is it useful?
| Dimension | Benefit | Cost |
|---|---|---|
| Time | No client installation for users; IT doesn't have to maintain multi-platform VPNs. | Initial deployment is complex; requires 1-2 days to learn OpenZiti concepts. |
| Money | Open-source version is completely free; commercial version is $5-15/endpoint/month. | Self-hosting requires internal DevOps labor costs. |
| Security | Apps are "invisible," making it much more secure than traditional VPNs. | Currently in Beta; requires careful evaluation for production environments. |
ROI Judgment: If you are already using Cloudflare Access or Zscaler and are happy with them, there's no need to switch. However, if you require a fully open-source solution (for compliance) or a completely clientless setup (for B2B), BrowZer is the most mature option available.
Is it user-friendly?
The "Wow" Factor:
- Truly zero-install: Users just open Chrome and log in. IT no longer has to deal with "I can't install the VPN" tickets.
- Total Cloaking: Attackers can't scan your application because it simply doesn't exist on the public internet.
Real User Feedback:
"Ziti allowed us to innovate and drive new business with a competitive edge. Today, Ozone is the only CI/CD tool that automates private cluster deployments across any platform." - Moteesh Reddy, Ozone Technical Lead
Community Forum Feedback: Identity management configuration is a bit complex; every device needs an individual identity certificate. I hope they simplify this. - OpenZiti Discourse
For Developers
Tech Stack
| Layer | Technology | Description |
|---|---|---|
| Frontend | JavaScript, Service Worker, Workbox | Automatically injected into the web app at runtime. |
| Backend | NodeJS (Bootstrapper) | Handles bootstrapping and certificate management. |
| Network | OpenZiti Overlay Network | Proprietary Zero Trust network protocol. |
| Build | Yarn, Babel, Rollup, Mocha | Standard JS toolchain. |
Core Implementation
BrowZer works through the collaboration of three components:
- BrowZer Gateway - An HTTP proxy that establishes a trusted tunnel between the browser and the app.
- Ziti BrowZer Runtime (ZBR) - A JS runtime transparently injected into the target web app.
- Service Worker (ZBSW) - Intercepts all network requests and routes them through OpenZiti.
Unlike traditional VPNs, BrowZer doesn't funnel all traffic through a single gateway; it establishes secure point-to-point tunnels.
Open Source Status
| Repository | Description | Stars |
|---|---|---|
| ziti-browzer-core | Core Components | Open Source |
| ziti-browzer-runtime | JS Runtime | Open Source |
| ziti-browzer-bootstrapper | Bootstrapper Server | Open Source |
Build Difficulty: High. Requires deep understanding of Zero Trust networking, OIDC, and Service Workers. Estimated 6+ person-months to replicate. Since it's already open-source, using or forking it is much more efficient.
Business Model
Open-Core + Commercial SaaS:
- OpenZiti is fully open-source (Apache 2.0).
- CloudZiti provides managed services, charging per endpoint.
Giant Risk
Cisco made a strategic investment in NetFoundry in November 2025. This indicates:
- Industry giants validate this direction.
- Cisco likely won't build a direct competitor in the short term.
- A long-term acquisition is highly probable.
For Product Managers
Pain Point Analysis
| Pain Point | Intensity | BrowZer Solution |
|---|---|---|
| VPNs require client installation | High | Browser-only access |
| B2B partners refuse to install software | High | Zero-install required |
| Apps exposed to public scans | Medium | "Dark Mode" cloaking |
| Complex VPN configs/IT tickets | High | Simplified operations |
User Personas
- Enterprise IT/Security Lead: 30-50 years old, responsible for network security, currently frustrated by VPN issues.
- B2B Business Owner: Needs to provide system access to vendors/partners.
- DevOps Engineer: Needs secure access to internal tools (CI/CD, monitoring, etc.).
Feature Breakdown
| Feature | Type | Description |
|---|---|---|
| Clientless Access | Core | Only requires a browser |
| Application Cloaking (Dark Mode) | Core | App is not reachable via public internet |
| OIDC Identity Integration | Core | Supports Azure AD, Okta, etc. |
| Layer 6 Security | Core | End-to-end encryption |
| Hotkey Setup (alt+F12) | Delighter | For debugging purposes |
Competitive Differentiation
| vs | BrowZer | Cloudflare Access | Zscaler ZPA |
|---|---|---|---|
| Client | None required | Optional Agent | Agent required |
| Open Source | Fully Open Source | No | No |
| Pricing | $5-15/endpoint or Free Self-hosted | $7+/user | Enterprise Pricing |
| Network Scale | Self-hosted | 275+ Cities | 73+ Data Centers |
| Best For | B2B, Open-source Compliance | Mid-to-Large Enterprise | Large Enterprise |
Key Takeaways
- Extreme "Zero-Install": Simplifies the complex concept of Zero Trust into "just open your browser."
- Dual-track Strategy: Uses open-source for acquisition and commercial SaaS for monetization.
- Memorable Branding: The "Dark Mode" concept for application cloaking is very sticky.
For Tech Bloggers
Founder Story
NetFoundry is a "slow company"—founded in 2017 and operational by 2019, but it didn't take its first VC check until 2025. It spent six years self-funding, landing massive clients like Oracle, Microsoft, and IBM, and serving 8 of the top 10 US banks.
This is the polar opposite of the "blitzscaling" culture. The founders clearly prioritize technical depth and customer validation over rapid burn rates.
Interesting Angle: Cisco’s strategic investment in late 2025 signals a major consolidation trend in the Zero Trust market.
Controversies & Discussion Points
-
Browser Lock-in: Only supports Chromium (Chrome/Edge/Brave). No support for Firefox or Safari is a major hurdle for some users.
-
The Beta Tag: BrowZer is still in Beta. Using it in production requires confidence, though the underlying OpenZiti is already enterprise-proven.
-
Configuration Complexity: Setting up OIDC, certificates, and Chrome Origin Trials isn't exactly "plug and play." The barrier to entry is high.
-
Open vs. Commercial Balance: How they handle feature parity between the free and paid versions will be interesting to watch.
Hype Data
- Clients: 8 of the top 10 US banks, Oracle, Microsoft, IBM.
- Funding: $15M+ Series A, strategic investment from Cisco.
- GitHub: Very active OpenZiti project.
- Community: Active Discourse forum.
Content Angle Suggestions
- "Is the VPN Dead? This Company Makes Your Apps Completely Invisible."
- "The Open-Source Zero Trust Solution Used by 8 Top Banks."
- "Why Cisco Invested in This 'Slow Company'."
For Early Adopters
Pricing Analysis
| Tier | Price | Features | Is it enough? |
|---|---|---|---|
| Open Source | Free | Full features, self-hosted | Enough for tech-savvy teams |
| Business Basic | $5/endpoint/mo | Managed service | Good for small teams |
| Business Advanced | $15/endpoint/mo | Advanced features | For mid-sized enterprises |
| Enterprise | Custom | 99.995% SLA, 24x7 Support | For large corporations |
Free Trial: 30-day Enterprise trial, no credit card required.
Getting Started Guide
The Fast Way (15-minute experience):
- Visit the ZEDS Sandbox - A multi-tenant dev environment.
- Follow the tutorial to create your first service.
- Experience Zero Trust access firsthand.
Full Deployment (1-2 days):
- Deploy the OpenZiti controller and router.
- Configure your OIDC identity provider.
- Obtain a wildcard certificate.
- Register for Chrome Origin Trials.
- Deploy the BrowZer Bootstrapper.
Learning Resources:
Pitfalls & Gripes
- Browser Limitations: Only Chrome/Edge/Brave. If your users are on Firefox or Safari, this is a dealbreaker.
- Step-Heavy Setup: OIDC + Certificates + Origin Trials. If one step fails, debugging is difficult.
- Learning Curve: OpenZiti has its own vocabulary (Controller, Router, Service, Identity) that takes time to master.
- Beta Risk: It is explicitly labeled Beta; use with caution in production.
Security & Privacy
- Data Storage: Data is end-to-end encrypted via the OpenZiti network.
- Cloaking: Apps are not public-facing; attackers cannot scan or discover them.
- Authentication: Integrates with major OIDC providers (Azure AD, Okta, Auth0, etc.).
- Auditability: Code is fully open-source and available for audit.
Alternatives
| Alternative | Pros | Cons |
|---|---|---|
| Cloudflare Access | Fast global network, easy to use | Not open-source, requires client |
| Zscaler ZPA | Enterprise full-stack | Expensive, requires client |
| Tailscale | Extremely easy to use | Not a pure Zero Trust architecture |
| Self-built VPN | Total control | High maintenance overhead |
For Investors
Market Analysis
| Metric | Data | Source |
|---|---|---|
| 2026 ZTNA Market | $4.84B | Straits Research |
| 2033 Forecast | $14.74B | SNS Insider |
| CAGR | 25-28% | Multiple sources |
| North America Share | 38.62% | GlobalNewswire |
| APAC CAGR | 28.5% (Fastest) | GlobalNewswire |
Growth Drivers:
- Normalization of remote work and poor VPN experiences.
- Enterprises phasing out legacy VPNs.
- Growth of cloud apps rendering perimeter security obsolete.
- Increasingly strict compliance requirements.
Competitive Landscape
| Tier | Players | Characteristics |
|---|---|---|
| Leaders | Cloudflare, Zscaler, Palo Alto | Full-stack security, massive networks |
| Mid-Market | Netskope, Fortinet, Cisco | Enterprise security ecosystems |
| Emerging/Open Source | NetFoundry/OpenZiti | Differentiation through open-source + clientless |
Timing Analysis
Why Now?:
- VPNs are being replaced at scale.
- ZTNA has moved from a concept to a standard procurement item.
- Remote work has created a desperate need for "clientless" solutions.
Tech Maturity:
- BrowZer itself is in Beta.
- However, the underlying OpenZiti has been validated by Oracle, Microsoft, and IBM.
Moat:
- Strong open-source community and ecosystem.
- Endorsement from 8/10 top banks.
- Strategic backing from Cisco.
Funding History
| Round | Amount | Date | Investors |
|---|---|---|---|
| Strategic | $50M+ | Historical | Strategic Investors (currently 10% stake) |
| Series A | $12M | 2025.04 | Led by SYN Ventures |
| Series A (Add-on) | $3M+ | 2025.11 | Cisco Investments |
Total: $15M+ Series A, with historical strategic funding over $50M.
Team Background
- Size: 72 people.
- HQ: Charlotte, NC.
- Founded: 2017.
- Note: Bootstrapped for 6 years before taking VC money in 2025.
Investment Recommendation
Bull Case:
- Validated by top-tier clients (8/10 US banks).
- Strategic backing from Cisco.
- Open-source model lowers the cost of customer acquisition.
- Market CAGR of 25%+.
Bear Case:
- BrowZer is still in Beta.
- Intense competition from giants like Cloudflare and Zscaler.
- Browser limitations may hinder mass adoption.
Conclusion
The Bottom Line: BrowZer is the most mature "clientless" open-source Zero Trust access solution available. It is perfect for B2B scenarios and companies with open-source compliance needs. While the Beta status carries risk, the core technology is already trusted by the world's largest financial institutions.
| User Type | Recommendation |
|---|---|
| Developers | Worth studying; the open-source code is a masterclass in modern networking. |
| Product Managers | Watch the "clientless" and "cloaking" selling points for differentiation. |
| Bloggers | Great story angles: the "slow company," Cisco's investment, and the bank clients. |
| Early Adopters | Try the ZEDS sandbox first; wait for the stable release for production. |
| Investors | High potential, but monitor Beta risks and the competitive landscape. |
Resource Links
| Resource | Link |
|---|---|
| Official Website | https://netfoundry.io/ |
| GitHub | https://github.com/openziti |
| Documentation | https://openziti.io/docs/learn/quickstarts/ |
| Community Forum | https://openziti.discourse.group/ |
| Sandbox | https://zeds.openziti.org |
| Pricing | https://netfoundry.io/pricing/ |
| Free Trial | https://nfconsole.io/signup |
Sources
- NetFoundry Official Documentation
- OpenZiti GitHub
- SiliconANGLE - NetFoundry raises $12M
- PR Newswire - Cisco Investment
- Straits Research - ZTNA Market
- MarketsandMarkets - ZTNA Market
- Cloudflare Zero Trust Blog
- Mattermost Customer Story
- OpenZiti Community Forum
- NetFoundry Pricing
2026-01-29 | Trend-Tracker v7.3