Zero Surface Architecture
Make zero the new default
The Zero Surface Architecture is our answer to a fundamental problem in modern networking: traditional networks are exposed by default.
Devices can talk to each other. Services listen on public IPs. The LAN is flat. VPNs and firewalls try to contain the sprawl, but the architecture itself assumes trust – and attackers exploit it.


Zero Surface changes that completely
It eliminates the surface area attackers rely on by defaulting to no connectivity at all, unless explicitly permitted by policy. There is no static perimeter. No lateral movement. Just ephemeral, policy-bound connections that form when needed.
This is the architectural model behind evolving ZERO. It’s how we converge connectivity and security into a single platform that’s dynamic, encrypted, and invisible unless allowed.
What it replaces
Flat, any-to-any networks
Static tunnels and permanent VPNs
Trusted internal zones
Hub-and-spoke topologies
Exposed public IPs and default routing
What it becomes
All connections are outbound and authenticated
Every flow is encrypted, ephemeral, and policy-driven
Devices, apps, and users are microsegmented by default
Up-and-out routing replaces internal mesh
Nothing is reachable unless explicitly allowed
How it works
Zero Surface begins with a deny-all stance. There is no default connectivity. LAN devices cannot see each other. Remote sites don’t auto-connect. There are no exposed ports, even across the WAN.
From there, access is built up dynamically:
ZTNA
ZTNA governs user and device access based on identity, posture, and policy.
Encrypted tunnels
Encrypted tunnels form only when allowed – scoped to a single session or resource.
Secure Web Gateways
All internet traffic is directed through Secure Web Gateways, with full policy and logging.
Segmented and restricted
IoT, OT, and unmanaged devices are segmented and restricted to only what they need – by port, IP, or identity.
Legacy tools
Legacy tools can be placed behind app connectors or access gateways to enforce Zero Trust rules even within the LAN.
The result is a network fabric with zero ambient trust – one where connectivity is temporary, encrypted, and fully observable.
Why it matters
Reduces attack surface to near-zero
No open ports. No discoverable infrastructure. No idle services to scan.
Prevents lateral movement by design
Devices can’t talk unless policy allows it – even on the same LAN.
Built for real-world infrastructure
Works across remote sites, mobile devices, cloud workloads, and legacy networks.
Policy replaces perimeter
Every flow is authorised, encrypted, and auditable – no matter where it originates.
No rip and replace
Can run alongside existing infrastructure and identity providers, or replace them wholesale.
Use cases
Replace static VPNs with dynamic, policy-based access
Secure internal apps with ZTNA and posture-aware authentication
Enforce least-privilege for IoT, VoIP, and unmanaged devices
Block lateral movement within LANs and between sites
Deliver encrypted access to SaaS, cloud, and internal services from any location
Simplify segmentation without managing VLANs, ACLs, or static rules

Start small, or go full fabric
Organisations can adopt the Zero Surface Architecture incrementally:
Deploy a single EVX node at a branch to replace VPN and firewall rules
Use ZTNA to secure internal apps without exposing networks
Move one user group off VPN using identity-based access with posture checks
Or go all in:
Deploy EVX across sites
Replace SD-WAN with intelligent encrypted overlays
Build a fully integrated, identity-aware fabric across LAN, WAN, and cloud
Make every access request ephemeral, encrypted, and verifiable
Built into evolving ZERO
The Zero Surface Architecture isn’t a bolt-on – it’s how evolving ZERO is built from the ground up:
Secure Access Fabric
The encrypted transport layer that enforces micro-segmentation and policy
ZTNA & App Access
Identity-based access to apps, with posture and session enforcement
Secure Web Gateway
Inline filtering and control of internet traffic
Zero Trust Segmentation
Identity- and intent-based flow control across all network layers
Encrypted Overlays
Replace traditional SD-WAN with flexible, dynamic tunnels
The Up and Out Topology defines how Zero Trust networks should behave structurally. Instead of assuming mutual reachability, it isolates every node in its own segment and allows only outbound connections to explicitly authorised destinations.
Endpoints exist in their own isolated space (/32s)
All traffic is outbound to the platform for enforcement
No peer-to-peer flows, no default routes, no exposed services
The topology underpins multiple components of evolving ZERO, including Zero Trust Segmentation, ZERO SD-WAN, and the Zero Trust Guest Gateway.
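As an added illustration of the deny-all stance and the up-and-out topology described above (example code written for this page, not evolving ZERO's own implementation), the following Python model evaluates flows against explicit rules. Endpoint names, identities, addresses, posture labels and resource names are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Endpoint:
    name: str
    identity: str       # identity asserted for the device or user (assumed IdP name)
    ip: str
    posture: frozenset  # posture checks that currently pass, e.g. "edr_running"

@dataclass(frozen=True)
class Rule:
    identity: str
    resource: str       # named resource behind the platform, never a raw peer IP
    ports: frozenset
    posture: frozenset  # posture checks the rule requires before a session forms

# Constructed inventory and policy; names, addresses and posture labels are made up.
ENDPOINTS = (
    Endpoint("laptop-1", "alice@example.test", "10.0.0.11", frozenset({"edr_running", "disk_encrypted"})),
    Endpoint("laptop-2", "bob@example.test", "10.0.0.12", frozenset({"edr_running"})),
    Endpoint("camera-7", "iot-camera", "10.0.0.70", frozenset()),
)
RULES = (
    Rule("alice@example.test", "hr-app", frozenset({443}), frozenset({"edr_running", "disk_encrypted"})),
    Rule("bob@example.test", "hr-app", frozenset({443}), frozenset({"edr_running", "disk_encrypted"})),
    Rule("iot-camera", "nvr", frozenset({554}), frozenset()),
)

def segment(ep: Endpoint) -> str:
    """Each endpoint sits alone in a host-sized segment (/32 for IPv4, /128 for IPv6)."""
    addr = ip_address(ep.ip)
    return f"{addr}/{addr.max_prefixlen}"

def evaluate(src: Endpoint, dst: str, port: int) -> tuple[bool, str]:
    """Deny by default: a flow exists only when an explicit rule permits it."""
    # Destination is another endpoint's address: an east-west flow, never routed up-and-out.
    if any(dst == ep.ip for ep in ENDPOINTS):
        return False, "deny: peer-to-peer flows are not routable"
    # Otherwise the flow goes up to the platform, which matches identity, resource, port and posture.
    for rule in RULES:
        if rule.identity == src.identity and rule.resource == dst and port in rule.ports:
            missing = rule.posture - src.posture
            if missing:
                return False, f"deny: posture checks failed: {sorted(missing)}"
            return True, f"allow: ephemeral session {src.identity} -> {dst}:{port}"
    return False, "deny: no policy matches (default)"
```

Note that the two laptops sit on what would traditionally be one LAN, yet a flow from one to the other is refused before any rule is consulted; only named resources reached through the platform can be permitted at all.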
