Deploy on the asset
The Zenarmor engine runs directly on endpoints, gateways and cloud VMs. Enforcement happens at the asset, not at a remote node.
Architecture Philosophy
Traditional network security architectures enforce policy at a centralized point such as a cloud gateway or a vendor-operated PoP. That means every connection your users and workloads make has to travel to that enforcement point first, then continue on to its destination.
Zenarmor works differently. The enforcement engine runs directly on your endpoints, gateways and cloud VMs exactly like any other application you would deploy on networked infrastructure. Traffic is inspected locally, at the asset, before it goes anywhere.
ZTNA, mesh VPN, SWG, NGFW, CASB, TLS inspection, DNS filtering and IPS are integrated into a single application. No service chaining.
Every enforcement point is managed from Zenconsole. One policy engine. One place to configure, monitor, and audit everything.
Initial deployment takes minutes. Most teams go live the same day. No network redesign required.
Centralized Management
Every enforcement point, whether it is an endpoint, a gateway or a cloud VM, is managed from a single place. It doesn't matter whether you have three enforcement points or three hundred: from Zenconsole you see everything, control everything and change anything instantly.
Write a policy once. It applies across every enforcement point (endpoints, gateways and cloud VMs) without adaptation or duplication. Policies can be scoped globally, by asset group, by location or by identity.
Policy changes reach every enforcement point in seconds. No manual synchronization, no staged rollout, no enforcement gap.
See every asset running Zenarmor, how they are connected and their current enforcement status in real time.
Logs, alerts and traffic telemetry from every enforcement point flow into a single view, regardless of where the event originated.
Core Components
A composable platform where each component is independently deployable yet fully coordinated.
Control Plane
Centralized policy authoring, orchestration and telemetry across every enforcement point. If Zenconsole is temporarily unreachable, every enforcement point continues operating on its locally cached policy; inspection never stops.
Branch & Site
The Zenarmor engine deployed on gateway hardware or virtual appliances at site boundaries. Protects every device on the network segment, including those that can't run an agent.
VPC / Workload
The Zenarmor engine deployed as a virtual instance inside your cloud environment. East-west traffic between workloads is inspected locally; nothing leaves your cloud environment for security processing.
User Device
The Zenarmor engine deployed as a lightweight agent on user devices. Policies are cached locally, so enforcement continues even when the device is offline.
ZTNA
Identity-aware encrypted mesh for private access and site-to-site connectivity. Direct peer-to-peer encrypted connections wherever possible, relay fallback where NAT prevents direct connectivity. Relay nodes never hold encryption keys.
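The relay property above (relay nodes never hold encryption keys), as an added Go example that is not Zenarmor's mesh implementation. The two peers derive a session key directly from an X25519 exchange (crypto/ecdh) and protect frames with AES-256-GCM; the relay only copies bytes. The fixed-label SHA-256 key derivation, the Relay type and the message are simplifications invented for the example, not the real protocol.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Peer is one mesh node with a long-term X25519 key. Peers exchange public keys
// and derive the session key between themselves; the relay is never involved.
type Peer struct{ priv *ecdh.PrivateKey }

func NewPeer() (*Peer, error) {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Peer{priv: k}, nil
}

func (p *Peer) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// SessionKey derives the AES-256-GCM key from the X25519 shared secret. Hashing
// with a fixed label is a simplification of the HKDF/transcript-bound derivation
// a real mesh protocol uses; it is enough to show what the relay cannot compute.
func (p *Peer) SessionKey(remote *ecdh.PublicKey) ([]byte, error) {
	shared, err := p.priv.ECDH(remote)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(append([]byte("mesh-demo-v1|"), shared...))
	return k[:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces nonce || ciphertext || tag with a fresh random nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; any bit flipped in transit fails the GCM tag check.
func Open(key, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(frame) < gcm.NonceSize() {
		return nil, errors.New("frame too short")
	}
	return gcm.Open(nil, frame[:gcm.NonceSize()], frame[gcm.NonceSize():], nil)
}

// Relay models the NAT-traversal fallback: it copies frames between peers and
// records the bytes it saw, which is everything a relay operator could ever get.
type Relay struct{ Seen [][]byte }

func (r *Relay) Forward(frame []byte) []byte {
	r.Seen = append(r.Seen, frame)
	return frame
}

// SendViaRelay pushes one message from a to b through relay and returns b's view.
func SendViaRelay(a, b *Peer, relay *Relay, msg []byte) ([]byte, error) {
	ka, err := a.SessionKey(b.Public())
	if err != nil {
		return nil, err
	}
	kb, err := b.SessionKey(a.Public())
	if err != nil {
		return nil, err
	}
	frame, err := Seal(ka, msg)
	if err != nil {
		return nil, err
	}
	return Open(kb, relay.Forward(frame))
}

// RelayCanRead reports whether any captured frame opens under key, i.e. whether
// someone holding that key material could read the relayed traffic.
func RelayCanRead(relay *Relay, key []byte) bool {
	for _, f := range relay.Seen {
		if _, err := Open(key, f); err == nil {
			return true
		}
	}
	return false
}
```

The point to check in any relay design is that the relay operator's own key, combined with either peer's public key, yields a different shared secret than the one the two peers agree on; that is what makes the captured frames useless to the relay, and the GCM tag is what stops it from modifying them.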
Zenarmor's Difference
When enforcement runs on the asset itself, traffic never travels to a remote node for inspection. The latency and bandwidth costs of centralized enforcement simply don't exist.
| Feature | Zenarmor (enforcement on the asset) | Centralized enforcement |
|---|---|---|
| Enforcement location | The asset itself | Remote cloud PoP |
| Backhaul required | No | Yes |
| Round-trip latency penalty | 0ms | 20–300ms per connection |
| Inspection overhead | < 0.2ms | Variable |
| Cloud egress charges | No | Yes |
| Offline enforcement | Yes | No |
Unified Platform
There's no architectural difference between running Zenarmor on a gateway versus an endpoint versus a cloud VM; it's the same application, with the same capabilities, managed from the same control plane. All capabilities are active through a single inspection pass. No service chaining between discrete engines.

Deployment Flexibility
Deploy the same architecture across every environment in your organization, without compromise.
User devices: agent deployed on user endpoints. Full security stack enforced locally, wherever the device connects. No VPN backhaul required for internet traffic.
Branches and sites: engine deployed on gateway hardware or a virtual appliance. Protects every device on the segment, including those without agent support. Transparent bridge or routed mode; no network redesign required.
Cloud VPCs: virtual enforcement instance deployed inside the VPC. East-west and north-south traffic inspected locally. No cloud egress for security processing.
Architecture Outcomes
Inspection Overhead
< 0.2ms
Security processing at the enforcement point, regardless of which capabilities are active.
Time to First Enforcement
Minutes
From deployment to active protection. Most teams go live the same day.
Backhaul Cost
$0
No traffic routing to remote enforcement nodes means no cloud egress charges for security inspection.
Enforcement Continuity
99.999%
Local policy caching ensures inspection continues independent of control plane availability.