Zero Trust Network Access

Your network.
Your rules.
Your infrastructure.

SovereignCloak replaces your VPN with Microsoft Entra ID-enforced, per-application access over QUIC — deployed entirely inside your own Azure subscription. Your users' traffic never touches a third-party server.

10 min to deploy
0 bytes leave your infra
QUIC TLS 1.3 tunnel
Entra ID native auth
azure-deploy.sh — bash
$47B ZTNA market by 2030
72% orgs replacing VPN now
$4.8M avg. VPN breach cost
$55K+ saved vs. Zscaler / 100 users

"A VPN grants access to your network.
Which means a stolen credential does too."

Lateral movement

Once inside a VPN, attackers can reach any system on the network. Zero Trust grants access to one application at a time.

No identity enforcement

Traditional VPNs authenticate once at the perimeter. SovereignCloak verifies Entra ID identity on every session, every application.

No audit trail

VPNs log connections. SovereignCloak logs every application access, every byte, every group policy decision — in your own infrastructure.

You need this if your organisation...
Is on Ivanti, Pulse, or Cisco AnyConnect VPN Recently had a VPN-related breach or audit finding Already uses Microsoft 365 / Entra ID Has a compliance rule blocking third-party cloud routing IT team of 2–20 with no dedicated SASE team Needs SSH / RDP access without a browser proxy

From command line to Zero Trust in under 10 minutes

Three steps. No PhD in networking required.

Step one

Deploy the gateway

Run bash azure-deploy.sh from Azure Cloud Shell. Provisions a VM, installs Docker, pulls container images, configures Caddy TLS, and hardens the port — all automatically.

azure-deploy.sh · ~10 min · one command
Step two

Connect Entra ID

Enter your Tenant ID and Client ID — the same App Registration you already use. The gateway validates JWTs and reads group memberships. No new identity system, no new passwords.

Uses your existing Microsoft Entra tenant
Step three

Define policies

In the admin dashboard, map domains to target IPs and restrict access by Entra security group. Deploy the Windows agent to your fleet. Users access resources transparently — no VPN client, no manual connection.

Per-application · per-group · per-session

The only ZTNA that never sees your traffic

SaaS ZTNA vendors route your employees' traffic through their global network. We don't. We can't.

Capability SovereignCloak Zscaler ZPA Cloudflare Access Tailscale WireGuard
Traffic stays in your infra Always Routes via Zscaler cloud Routes via Cloudflare ⚠ Coord. server in cloud Yes
Microsoft Entra ID native JWT + groups ~ Requires SAML bridge ~ Requires IdP connector ⚠ OIDC plugin required No identity layer
QUIC / TLS 1.3 transport Native QUIC ~ TLS 1.2 fallback Yes WireGuard UDP only WireGuard UDP
Transparent proxy (all apps) DNS + TCP intercept ~ Agent required per app ~ Browser-only without agent ⚠ Subnet router needed Network-level only
Per-application access control Domain + group Yes Yes ⚠ ACLs (network-level) Network-level only
SPA dark port (zero attack surface) UDP 443 dark Discoverable
One-time licensing (no per-user SaaS fee) BYOL $15–30/user/month Per-seat subscription $6–18/user/month Free (OSS)
Deploy to your own Azure subscription ARM template ⚠ Coord. server stays SaaS ~ Manual setup
100 users on Zscaler ZPA costs ~$60,000/year — routed through their cloud, logged on their servers, priced per seat forever. SovereignCloak runs on your infrastructure, bills as a flat annual license, and saves regulated organisations $55,000+ per year while eliminating vendor cloud dependency entirely.

Built for security engineers, not marketing decks

QUIC + TLS 1.3 Tunnel

0-RTT reconnection after network changes. Performs better than TCP-based VPNs on lossy connections. No port-forwarding required.

RFC 9000

SPA Dark Gateway

UDP 443 is hidden behind iptables DROP by default. A 40-byte HMAC-SHA256 packet opens the firewall for 30 seconds — the port is invisible to scanners.

Single-Packet Auth

Entra Group Enforcement

Each route policy maps to a specific Entra security group. JWT group claims are verified per-stream. Users only see domains they're authorised to access.

Per-stream auth

Transparent TCP Proxy

WinDivert intercepts DNS and TCP at the kernel level. Every app — browsers, curl, Python, legacy ERP — routes through the tunnel without any configuration changes.

Layer 4 · all apps

Session Audit Logs

Every access event — granted, denied, terminated — is logged with user identity, domain, bytes transferred, and group decision. SIEM webhook export included.

SIEM webhook

Admin Kill Switch

Terminate any active user session from the dashboard in real time. The gateway closes the QUIC connection immediately. Useful for incident response or offboarding.

Real-time termination

Your data never leaves your perimeter. Literally.

SovereignCloak
Runs in your Azure subscriptionControl plane, gateway, and all traffic stays within your environment. No vendor can access it.
Compliance perimeter unchangedHIPAA, PCI-DSS, RBI, DPDP — data never crosses to a third-party network. Your auditor sees your infrastructure only.
One-time licensePay once. No monthly per-user fees that scale against you as your team grows.
You own the private keyTLS certificate is generated on your VM and never leaves. Cert fingerprint is pinned in the endpoint agent.
SaaS ZTNA (Zscaler, Cloudflare)
Traffic routes through vendor cloudYour employees' requests transit the vendor's global network before reaching internal resources.
Vendor can see your access patternsThe vendor observes which domains your users access, when, and from where — even if they don't log content.
Per-user monthly fees$15–30 per user per month. A 100-person team costs $18,000–36,000/year before negotiation.
Vendor outage = your outageIf the vendor's PoP goes down, your access goes down. Your control plane is their control plane.

When data residency is non-negotiable

Healthcare

Patient data never leaves your infrastructure. HIPAA and DPDP compliance without changing your perimeter.

HIPAA · DPDP · SOC 2

Financial Services

RBI and PCI-DSS require data to stay within defined geographic boundaries. Our self-hosted model keeps it there.

RBI · PCI-DSS · SOX

Government

Sensitive government workloads cannot transit commercial clouds. SovereignCloak deploys to on-prem or sovereign cloud regions.

DFARS · CMMC · Data sovereignty

Legal & Defence

Privileged communications and classified workloads require zero vendor visibility. Your infrastructure, your eyes only.

ABA Rules · Privileged access

One-time license. Unlimited time.

No monthly fees that scale against you. Pay once per deployment, not per user per month.

Starter
Up to 25 users
Ideal for small teams and pilot deployments
1 gateway deployment
Unlimited route policies
Entra ID authentication
Session audit logs
Email support
Enterprise
Up to 500 users
For regulated industries with compliance requirements
Unlimited gateway deployments
Multi-region support
Custom Entra configuration
Full audit log export
Deployment assistance
SLA-backed support

Ready to replace your VPN?

Send us your name and work email. We'll send you a trial license and walk you through a 10-minute deployment on your own Azure subscription.