Welcome to the Zenarmor User Guide
Zenarmor SASE Anywhere Architecture™ — Security That Runs Where You Do
What Is Zenarmor?
Zenarmor is a software-defined, hardware-agnostic network security platform built for the way organizations actually operate today, distributed, hybrid, and always in motion. It delivers a complete Secure Access Service Edge (SASE) stack in a single, lightweight, portable software engine that can be deployed on any gateway, cloud instance, or endpoint device, in minutes, not months.
Unlike traditional security solutions that force your traffic through distant vendor-controlled infrastructure, Zenarmor enforces security at the source, directly on the device, at the network edge, or in the cloud, wherever your users and workloads actually are.
In one sentence: Zenarmor is the industry's first single-app, single-stack SASE platform that enforces Zero Trust natively at the endpoint, edge, and cloud, no PoPs, no proprietary hardware, no complexity.
The Problem With the Way Security Has Been Done
Modern networks have fundamentally changed. Your users work from home offices, coffee shops, branch locations, and client sites. Your applications live in AWS, Azure, SaaS platforms, and private data centers simultaneously. The traditional security perimeter is gone.
Yet most traditional Next-Gen Firewall and VPN solutions, as well as modern SASE solutions, were designed with a fundamental architectural constraint: they require all of your traffic to be backhauled through either the vendor's cloud Points of Presence (PoPs) or a centralized concentration point before it can be inspected, filtered, and forwarded to its destination.
This creates a cascade of real-world problems.
In the case of modern SASE solutions, this could mean:
- Added latency: Traffic detours through a distant PoP, degrading user experience and productivity.
- PoP outages: When a vendor's data center or PoP goes down, users are forced to connect to a more distant node or, worse, bypass security entirely.
- Shared infrastructure risks: PoPs are shared among multiple enterprise tenants, including gateway IP addresses. One bad actor on shared infrastructure can compromise the reputation of your traffic.
- No control over exit geography: Your traffic may be routed through regions with unfavorable privacy laws or regulatory environments.
- Data sovereignty concerns: TLS inspection and traffic analysis happen inside the vendor's cloud, meaning your data leaves your boundaries.
- Patchwork integrations: Many cloud-only SASE vendors assembled their platforms through rushed acquisitions, resulting in disconnected dashboards, interoperability issues, steep learning curves, and deployments that drag on for months.
- Bandwidth throttling and overage charges: Some cloud-only SASE solutions cap bandwidth or charge unpredictable overage fees based on usage.
A similar issue occurs with traditional VPNs forwarding traffic to a central firewall for inspection; it can cause:
- Additional Latency - the farther the user is from the VPN concentrator, the more the user experience suffers, often causing them to bypass the VPN entirely.
- VPN Concentrator Overload - VPNs are often configured for occasional or limited use. However, with the increasing need for remote work, businesses can quickly outgrow traditional VPN services.
- Expensive to Operate and Upgrade - Appliances can become outdated or fail to scale with increased demand, making upgrades and replacements costly.
- Security Issues - While VPN tunnels are generally encrypted, they don't provide significant additional security beyond that. Application policy control and user context are typically only available in ZTNA and SASE solutions.
These aren't edge cases. They are structural limitations baked into these architectures' delivery model, and they create a dangerous incentive: users who bypass enforcement entirely, exponentially increasing organizational risk exposure.
The Zenarmor Approach: Plug.SASE.Everywhere™
Zenarmor was built from the ground up to solve these problems through a fundamentally different architectural philosophy: Plug.SASE.Everywhere™.
Instead of routing your traffic to a vendor-controlled cloud for inspection, Zenarmor brings the entire SASE enforcement stack directly to where your traffic originates, the endpoint, the network edge, or your cloud environment. Security follows your users. Your data never has to leave your defined boundaries to be protected.
This is not a modified version of a cloud-only architecture. It is a purpose-built, distributed enforcement model.
Zenarmor SASE Anywhere Architecture™
At the core of Zenarmor is the SASE Anywhere Architecture™, a Single-App, Single-Stack, Single-Pass processing engine that runs natively across every deployment surface.
Single-App
The entire SASE stack, NGFW, SWG, ZTNA, CASB, DPI, AI-driven threat detection, and analytics, is packaged into a single unified software application. There are no separate agents, no disconnected modules, and no multi-vendor orchestration required.
Single-Stack
All security functions operate within one integrated processing pipeline. There is no chaining of disparate security services, no patchwork integrations, and no fragmented management consoles inherited from rushed acquisitions.
Single-Pass
Packets are inspected once and evaluated against all relevant security controls simultaneously. This delivers comprehensive protection without the performance penalty of sequential, multi-stage inspection pipelines.
Where Zenarmor Runs
Zenarmor is hardware-agnostic and platform-agnostic, running on virtually any x86 or ARM64 hardware or virtual environment without requiring specialized appliances.
| Deployment Surface | Supported Platforms |
|---|---|
| Network Gateways | OPNsense, pfSense, FreeBSD, OpenWRT |
| Linux Servers & Cloud | Ubuntu, Debian, Amazon Linux, AWS, Azure, GCP |
| Endpoints | Windows, macOS, Linux, Android, iOS |
| MDM-Managed Fleets | Microsoft Intune, JAMF |
Zenarmor is the first SASE platform in the industry to deploy the full SASE enforcement stack natively on endpoint devices, with all inspection and control happening locally on the device's network interface. No cloud dependency required for enforcement.
Core Security Capabilities
Zenarmor delivers a complete, integrated SASE and SSE capability set:
- Deep Packet Inspection (DPI): Layer 7 traffic analysis that identifies applications, protocols, and content, not just ports and IP addresses
- AI-Driven Threat Detection: Real-time identification of malware, phishing, command-and-control (C2) traffic, and anomalous behavior.
- Secure Web Gateway (SWG): Web filtering and policy enforcement for internet-bound traffic across all users and locations.
- Zero Trust Network Access (ZTNA): Identity- and context-aware access control that grants users access only to what they need, enforced at the point of access, not at a distant cloud proxy.
- Cloud Access Security Broker (CASB): Visibility and control over SaaS application usage, including shadow IT detection.
- Firewall-as-a-Service (FWaaS): Next-generation firewall capabilities delivered as a software-defined service across all deployment nodes.
- TLS/SSL Inspection: Encrypted traffic inspection performed locally within your network boundaries; your decrypted traffic never touches the vendor's cloud.
- Application Visibility & Control: Granular identification and policy enforcement at the application level, across all traffic flows.
- Security Analytics & Reporting: Centralized visibility into users, devices, applications, and threats across the entire distributed environment.
Zero Trust, Without the Complexity
Zenarmor enforces Zero Trust natively, at the point of access, not at a distant PoP or proxy. Policies are applied based on user identity, device posture, location context, and application type, regardless of whether the user is on-premises, remote, or roaming.
Identity provider (IdP) integration is built in, supporting:
- Microsoft Azure Entra ID
- Google Workspace
- Okta
- Any SAML 2.0-compatible provider
- Zenarmor's built-in authentication for organizations without an existing IdP
This means Zero Trust enforcement is accessible to organizations of every size, not just enterprises with mature identity infrastructure.
Centralized Management: Zenconsole
All Zenarmor deployments, regardless of scale, geography, or deployment surface, are managed through Zenconsole, a cloud-based, multi-tenant management platform.
Figure 1. Zenconsole Cloud Portal
Zenconsole provides:
- Centralized policy management across all gateways and endpoints
- Multi-node monitoring with real-time visibility
- User, device, and application-level traffic analytics
- Security reporting and compliance dashboards
- Global Deployment UI for provisioning new nodes via a simple one-time installation script
Why Zenarmor Is Different: Head-to-Head
| Capability | Modern Cloud-Only SASE | Traditional VPN/NGFW | Zenarmor Plug.SASE.Everywhere™ |
|---|---|---|---|
| Traffic Inspection Location | Vendor PoP (cloud) | Distant HQ or Datacenter | Local - endpoint, edge, or your cloud |
| Latency Impact | 20–300ms added via PoP backhaul | 20-300ms via backhaul | < 2ms - inspection at source |
| Data Sovereignty | Data processed in vendor cloud | Data Processes at HQ or DC | Data stays within your boundaries |
| TLS Inspection | Vendor decrypts your traffic | Decryption happens at distant HQ or DC | Decryption happens locally |
| Hardware Requirements | Often requires proprietary appliances or agents | Often requires proprietary appliances or agents | Runs on any x86/ARM64 hardware or VM |
| Endpoint Protection | Typically agent-only, cloud-dependent | Depends on backualing | Full SASE stack runs natively on the endpoint |
| IoT / OT / Legacy Device Support | Limited or unsupported | Limited or unsupported | Fully supported via gateway deployment |
| Deployment Time | Weeks to months | Weeks to months | Minutes |
| Bandwidth Costs | Consumption-based overages common | Consumption-based overages common | No cloud bandwidth charges |
| PoP Outage Risk | High - users may bypass security | Concentrator outage could apply | Eliminated - no PoP dependency |
| Management | Often multi-console (patchwork acquisitions) | Often multi-console (patchwork acquisitions) | Single unified console (Zenconsole) |
| Licensing Model | Complex, consumption-based | Complex, consumption-based | Simple, predictable subscription |
Deployment Flexibility: On Your Terms
Zenarmor's brownfield-friendly architecture means you do not need to rip and replace your existing infrastructure. It integrates with existing firewalls, SD-WAN, and network infrastructure, and supports incremental adoption:
- Start with remote access: Deploy endpoint protection first.
- Expand to branch offices: Add gateway nodes without new hardware.
- Extend to cloud workloads: Deploy as virtual instances on AWS, Azure, or GCP.
- Mix and match: Combine deployment types to match your specific performance, cost, and compliance requirements.
Available Editions
Zenarmor offers tiered editions to match the needs of any organization:
| Edition | Best For |
|---|---|
| Free Edition | Home users, small environments, evaluation |
| Home Edition | Personal and household networks |
| Business NGFW Edition | SMB and branch network protection |
| SSE Edition | Security Service Edge for distributed teams |
| ZTPA Edition | Zero Trust Private Access for secure resource connectivity |
| SASE Edition | Full-stack SASE for enterprise and mid-market organizations |
Subscriptions are available through the Zenconsole Cloud Portal or through authorized Zenarmor channel partners.
The Bottom Line
The SASE market is projected to exceed $25 billion by 2027 (Gartner), yet the dominant cloud-only delivery model carries structural limitations that create real operational and security risks for organizations every day.
Zenarmor's Plug.SASE.Everywhere™ approach is not an incremental improvement on the cloud-only model; it is a fundamentally different architecture that eliminates the latency, data sovereignty issues, PoP dependency, and complexity problems that cloud-only SASE vendors cannot solve by design.
Security should run where your users and workloads are. With Zenarmor, it does.
Zenarmor is developed by Sunny Valley Cybersecurity, Inc.
Headquarters: Cupertino, CA | EU Office: Frankfurt am Main, Germany
zenarmor.com | [email protected] | +1 (650) 288-4488