Executive summary
The corporate VPN is dying slowly, and not because the world found a prettier VPN client. It is dying because the thing it used to represent, private access to internal systems, has split into too many jobs for one blunt network tunnel.
A laptop needs to reach a database from a home network. A contractor needs one internal app, not the whole company network. A CI job needs to hit a deployment endpoint for ten minutes. A Kubernetes workload needs to call another private service. An on-call engineer needs SSH. An AI agent needs a private tool without inheriting a human’s broad credentials.
The durable category underneath all of that is an identity-aware private connectivity layer. It is a control plane for people, devices, workloads, services, CI jobs, clusters, vendors, and agents. Its job is to grant narrow access to private resources based on policy.
NIST’s zero-trust architecture gives the policy frame: access is evaluated continuously and should not be granted simply because a subject sits on a network segment. WireGuard gives the lightweight encrypted substrate. Tailscale, Cloudflare Access/WARP/Tunnel, Zscaler Private Access, Twingate, NetBird, Headscale, Teleport, OpenVPN, AWS Verified Access, and cloud-private networking primitives all answer the same basic question in different ways: how do private resources stay private while legitimate identities still reach them?
The central thesis: this market should reward products that move beyond VPN replacement into the access graph. That graph maps who and what can reach each private resource, under which conditions, with what evidence afterward.
Why now
The old model assumed a meaningful inside and outside. Put the employee on the company network and, in practice, the network became the trust boundary. That model was already strained by SaaS and cloud; hybrid work made it visibly wrong. A home laptop, production database, Kubernetes API server, SaaS admin panel, GitHub Actions runner, and vendor engineer do not fit neatly into a castle-and-moat topology.
The technical primitives changed as well. WireGuard made encrypted peer connectivity simpler and faster to deploy than older VPN stacks. Tailscale used WireGuard as a substrate, then added coordination, identity, ACLs, subnet routing, SSH, and Kubernetes integrations. The tunnel matters. The control plane matters more.
At the same time, security buyers adopted zero trust and SASE language. CISA’s Zero Trust Maturity Model gives public-sector and regulated buyers a way to talk about identity, devices, networks, applications, and data as a coordinated maturity program. SASE vendors then bundled private access with secure web gateway, CASB, firewall-as-a-service, DLP, and remote access. Cloudflare Zero Trust, Zscaler Private Access, Palo Alto Prisma Access, Cisco Secure Access, and Check Point Harmony SASE all sit inside this consolidation wave.
The result is a category pulled from several directions at once. Developers want the VPN pain to disappear. Security teams want least privilege, auditability, and fewer exposed private resources. Procurement wants fewer vendors. Platform teams want access that works for humans and machines. The winning shape has to satisfy all of them without becoming unbearable to use.
What this industry actually is
The private connectivity layer has a simple loop: identify the subject, map it to a resource, then create a safe path.
It starts by identifying the subject. That subject can be a person, device, service, workload, CI job, vendor, or agent. The identity may come from SSO, an MDM posture check, cloud IAM, OIDC, a certificate, a machine identity, or a product-specific enrollment flow.
Then it maps that subject to a resource: an internal web app, SSH host, database, Kubernetes cluster, subnet, private API, SaaS admin tool, edge device, or production service. This is where the category becomes more than networking. The valuable artifact is a graph of identities, resources, groups, tags, posture, and policies.
Finally, it creates a path. That path may be a WireGuard peer-to-peer tunnel, relay, app connector, service edge, cloud-private endpoint, reverse tunnel, or proxy. Cloudflare Tunnel follows the connector pattern: private services create outbound-only connections into Cloudflare’s network rather than accepting public inbound traffic. Zscaler ZPA uses app connectors and service edges to broker access to private applications. Twingate uses connectors and resource policies. Tailscale uses a WireGuard mesh with coordination and ACLs.
So the market is not one product category with one buyer. It is a stack of overlapping substitutes:
- mesh VPN and identity overlay products;
- ZTNA brokers and app/resource connectors;
- SASE/SSE suites;
- privileged infrastructure access platforms;
- cloud-native private access primitives;
- legacy VPNs, bastions, and DIY WireGuard/OpenVPN;
- app proxies and service-specific access tools.
The boundary is simple: if a product decides who or what can reach a private resource and creates the path to it, it belongs in this report.
A concrete workflow
Imagine a software company with an internal risk dashboard, a production database, a Kubernetes cluster, and a model-evaluation job.
A sales-ops contractor may need only the dashboard. A staff engineer may need database access only during an approved incident. The CI job should deploy to the cluster without a permanent human credential. The model-evaluation workload may need to call one private service and nothing else. Later, compliance should be able to reconstruct what happened.
A legacy VPN can get everyone onto a network. That is no longer the hard part. The hard part is narrow access that people can actually use, plus evidence of what happened afterward. That is what the private connectivity layer is trying to become.
How the value chain works
The value chain starts with identity. The buyer already has an IdP, cloud IAM, endpoint manager, groups, roles, plus service accounts. A private connectivity product becomes valuable when it turns those identity signals into practical reachability instead of another spreadsheet of exceptions.
Next comes enrollment. A laptop installs a client. A server joins a mesh. A subnet router advertises routes. A Kubernetes operator exposes cluster resources. A connector sits near private apps. A CI job presents workload identity. Teleport Machine ID exists because non-human identities need short-lived credentials and auditable access to infrastructure.
Then the policy layer decides what access means. Tailscale ACLs use users, groups, tags, autogroups, tests, plus grants to define who can reach what. Cloudflare Access policies sit in front of applications and private resources. Teleport roles govern SSH, Kubernetes, database, app, desktop, plus machine access. Zscaler ZPA policies broker private app access through its service edge model.
Finally, the data plane carries traffic. This is where vendors differ sharply. Mesh-first vendors prefer direct peer-to-peer paths where possible, falling back to relays. ZTNA brokers prefer connectors and service edges. Cloud providers prefer private endpoints and provider-native routing. Legacy VPNs extend a network. Bastions centralize administration. Each architecture has a different failure mode and a different control point.
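The policy step of this value chain, applied to the scenario in "A concrete workflow", as an added example that is not from the page or from Tailscale's own documentation: a Tailscale-style policy file (HuJSON) in which the access graph is written down explicitly and checked by tests before it can be saved. The group and tag names, ports, and example.com logins are assumptions; time-bounded database access is modelled as membership in a group that an approval workflow adds and removes, since the policy file itself has no clock.

```json
{
  // Groups: membership is synced from the IdP (SSO/SCIM), not edited here.
  // "group:incident-db" is the lever for incident-only database access: the
  // approval workflow adds the engineer for the incident window and removes them after.
  "groups": {
    "group:platform":     ["platform-lead@example.com"],
    "group:salesops-ctr": ["contractor@example.com"],
    "group:incident-db":  ["oncall-eng@example.com"],
  },

  // Tags name resources and non-human principals; tagOwners says who may apply them.
  "tagOwners": {
    "tag:dashboard":   ["group:platform"],
    "tag:prod-db":     ["group:platform"],
    "tag:k8s-api":     ["group:platform"],
    "tag:ci-runner":   ["group:platform"],
    "tag:model-eval":  ["group:platform"],
    "tag:feature-svc": ["group:platform"],
  },

  // Default deny: an edge exists in the access graph only if a rule below creates it.
  "acls": [
    // Every member may reach their own devices, nothing else by default.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"]},
    // Sales-ops contractor: the risk dashboard over HTTPS and nothing else.
    {"action": "accept", "src": ["group:salesops-ctr"], "dst": ["tag:dashboard:443"]},
    // Staff engineer: Postgres on the production database, only while in the incident group.
    {"action": "accept", "src": ["group:incident-db"], "dst": ["tag:prod-db:5432"]},
    // CI runner (tagged machine, no human credential): the Kubernetes API only.
    {"action": "accept", "src": ["tag:ci-runner"], "dst": ["tag:k8s-api:6443"]},
    // Model-evaluation workload: one private service on one port.
    {"action": "accept", "src": ["tag:model-eval"], "dst": ["tag:feature-svc:8443"]},
    // Platform team: SSH to the tagged hosts, not the whole subnet.
    {"action": "accept", "src": ["group:platform"],
     "dst": ["tag:dashboard:22", "tag:prod-db:22", "tag:k8s-api:22", "tag:feature-svc:22"]},
  ],

  // Tests run when the policy is saved; a failing test rejects the change, which is
  // how "who can reach this resource and why?" stays answerable as the file grows.
  "tests": [
    {"src": "contractor@example.com", "accept": ["tag:dashboard:443"],
     "deny": ["tag:prod-db:5432", "tag:k8s-api:6443", "tag:dashboard:22"]},
    {"src": "oncall-eng@example.com", "accept": ["tag:prod-db:5432"],
     "deny": ["tag:k8s-api:6443", "tag:dashboard:443"]},
    {"src": "tag:ci-runner", "accept": ["tag:k8s-api:6443"],
     "deny": ["tag:prod-db:5432", "tag:feature-svc:8443"]},
    {"src": "tag:model-eval", "accept": ["tag:feature-svc:8443"],
     "deny": ["tag:prod-db:5432", "tag:k8s-api:6443"]},
  ],
}
```

The evidence the compliance step needs comes from two places this file does not hold: the IdP's record of when the engineer entered and left group:incident-db, and the control plane's connection logs for the tagged resources.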
Who buys and who controls the budget
Security teams own the risk story. They care about least privilege, MFA, posture, audit logs, compliance, plus reduced attack surface. That naturally favors ZTNA and SASE framing.
Networking teams care about routing, DNS, split tunneling, availability, plus incident response. They get paged when access breaks.
Platform engineering cares about developer workflows. If the product makes SSH, kubectl, database access, local development, or CI painful, the organization creates exceptions. Those exceptions are where the old perimeter sneaks back in.
Procurement cares about consolidation. If the company already pays for Cloudflare, Zscaler, Palo Alto, Cisco, or Check Point, a standalone mesh vendor has to beat the bundle on usability, coverage, or a resource class the suite handles poorly.
That budget split explains the market structure. SASE vendors sell to centralized security buyers. Tailscale, NetBird, Headscale, Twingate, and Teleport can enter through technical pain, then need governance and compliance features to survive enterprise review.
Incumbents and challengers
Tailscale is the most important case study here, but not because it is the whole category. It matters because it shows the product shape: WireGuard underneath, identity-aware control plane above, with a user experience that makes private networking feel like adding people and resources to a shared graph. ACLs, subnet routers, SSH, device posture, plus Kubernetes support make it broader than a personal VPN.
Cloudflare approaches the category from the edge network and security-service side. Access, WARP, Gateway, plus Tunnel let Cloudflare combine private app access, device client traffic, DNS/security filtering, and outbound/inbound connectivity in one Zero Trust platform. Its advantage is breadth plus a global network. The risk is that platform breadth can feel less purpose-built to infrastructure teams than a mesh-native product.
Zscaler Private Access is the enterprise ZTNA incumbent. Its message is explicitly that applications are hidden from the internet and users connect through policy rather than network extension. Zscaler wins when the buyer wants a mature security platform and service-edge architecture. It is less likely to win because a developer fell in love with the workflow.
Palo Alto Prisma Access, Cisco Secure Access, and Check Point Harmony SASE compete through suite gravity, installed base, and procurement. Check Point’s acquisition of Perimeter 81 is especially telling: a firewall/security incumbent bought a cloud-delivered secure-access company to strengthen its SASE position. The standalone private-access category is strategically valuable enough that incumbents want to absorb it.
Twingate is the clean connector/resource-oriented challenger. It positions against legacy VPN by granting access to specific resources through connectors, with an admin model designed around least privilege. NetBird and Headscale matter because they show how open source pressures the managed control plane. NetBird offers a WireGuard-based open-source platform with managed docs. Headscale offers a self-hosted coordination server compatible with Tailscale clients.
Teleport belongs in the report because many valuable private resources are not “networks” in the user’s mind. They are SSH sessions, Kubernetes clusters, databases, desktops, internal apps, and machine identities. Teleport’s docs make that scope explicit: infrastructure access, Kubernetes Access, Database Access, and Machine ID are all part of the product surface. This is the privileged-access version of the same thesis: resource-level control beats broad network reachability.
OpenVPN, WireGuard DIY, bastions, plus app proxies remain real substitutes. Buyers do not always need a category-leading product. They sometimes need “good enough, already understood, and nobody gets fired for it.”
Business models and margin pools
The attractive profit pool appears to be the control plane, not the tunnel itself. Tunnels and proxies are necessary, but policy, resource inventory, identity integration, posture, audit logs, approvals, admin workflows, plus compliance evidence create switching cost.
Tailscale’s pricing makes this visible: the paid product is not WireGuard itself; it is the managed tailnet, users, devices, policy, integrations, support, and enterprise controls. Cloudflare, Zscaler, Palo Alto, Cisco, and Check Point monetize private access as part of a larger security stack. Teleport monetizes the high-value infrastructure-access workflow where auditability and session governance justify premium spend.
Open source and DIY compress the bottom of the market. A technical team can run WireGuard, OpenVPN, Headscale, NetBird, bastions, cloud VPNs, or private endpoints. That does not destroy the category. It defines where the paid product has to earn its margin. Paid vendors need to sell governance, usability, reliability, support, audit, plus integration, not just packets.
Regulation and constraints
Zero trust has become a management framework. NIST SP 800-207 and CISA’s maturity model give buyers language for access decisions, identity, device posture, network segmentation, application access, plus data protection. That helps vendors because the budget can be justified as architecture modernization rather than a point VPN replacement.
The catch is that private connectivity becomes critical infrastructure. If the system fails, engineers may not reach production. If policy is wrong, sensitive resources become reachable by the wrong identities. If logs are weak, compliance teams may struggle to reconstruct access. If the data plane depends on third-party relays, buyers may ask about data residency, sovereignty, latency, and incident response.
Inspection requirements can also pull buyers back toward SASE suites. Some organizations want private access, secure web gateway, DLP, firewall, CASB, browser isolation, plus logging in one enforced path. A mesh-first product that is wonderful for engineers may still lose if the security architecture requires centralized inspection.
Technology shifts
WireGuard is the most important shift. It made encrypted connectivity easier to embed, manage, and reason about. But the category’s defensibility comes from everything around the tunnel.
SSO and SCIM made group-based access maintainable. MDM and endpoint security made device posture usable. Kubernetes made infrastructure ephemeral. CI/CD made machine users normal. Cloud private endpoints made cloud-local private access a default pattern. Service edges and tunnels made it possible to hide private applications behind outbound connectors.
AWS Verified Access is an example of cloud-native zero-trust application access. AWS PrivateLink, Azure Private Link, and Google Private Service Connect are examples of private connectivity primitives that solve specific provider-local problems. They are substitutes for parts of the market, not full replacements for an identity-aware cross-environment layer.
AI agents are a new reason to care, but they are not a new architecture by themselves. An agent is another non-human principal that may need private access to tools, services, data, and production systems. That is serious, but it is not magic. The relevant primitives are machine identity, scoped policy, short-lived credentials, audit logs, plus resource-level controls. Teleport Machine ID is closer to the right mental model than a chatbot-specific VPN.
Adoption blockers
The first blocker is migration. Companies have VPN groups, firewall rules, IP allowlists, bastions, SSH keys, service accounts, plus habits. Replacing the corporate VPN sounds clean until every exception appears.
The second blocker is ownership. Security may buy the product, networking may operate it, platform may depend on it, developers may judge it, and compliance may audit it. A product that leaves any of those groups unhappy gets routed around.
The third blocker is protocol coverage. Browser app access is comparatively easy. SSH, databases, Kubernetes, RDP, UDP, private APIs, local development, plus CI are harder. This is why Teleport, Tailscale, and cloud-private primitives keep showing up in the same customer conversations even though they look different on a category slide.
The fourth blocker is bundle pressure. If a company already pays for Zscaler, Cloudflare, Palo Alto, Cisco, or Check Point, the standalone product has to justify incremental spend. Better developer experience can help justify that spend, but security still needs governance.
The fifth blocker is policy complexity. The old VPN’s flaw was broad access. The new system’s flaw can be unreadable access. If the organization cannot answer “who can reach this resource and why?” the private connectivity layer becomes less trustworthy.
Where control/profit accrues
Control tends to accrue to the access graph. A durable product knows identities, devices, workloads, resources, names, routes, policies, posture, sessions, plus logs. That graph becomes the place where access is requested, approved, automated, and audited.
The economic value should tend to follow control. A vendor that merely moves packets competes with open source and cloud primitives. A vendor that owns the graph can sell enterprise policy, compliance, discovery, approvals, posture, session governance, plus resource-specific workflows.
This is why the category may not collapse into one winner. The access graph looks different by buyer segment. A startup may want Tailscale. A regulated enterprise may default to Zscaler or Palo Alto. A developer-heavy company may combine Cloudflare Access, Tailscale, and Teleport. A cloud-centric team may use AWS Verified Access and PrivateLink. A sovereignty-sensitive team may self-host Headscale or NetBird.
Winners, losers, and company archetypes
One promising standalone archetype is a mesh-first control plane that tries to stay simple while adding governance. Tailscale is the archetype, but the challenge is to move upmarket without becoming the very enterprise software it originally made unnecessary.
The strongest suite archetype is the SASE/SSE vendor that makes private access good enough for engineers while satisfying security consolidation. Cloudflare has a credible developer story; Zscaler has deep security-enterprise credibility; Palo Alto, Cisco, plus Check Point have platform and channel gravity.
The strongest specialist archetype is the privileged infrastructure-access platform. Teleport can win where the resource is not “the network” but production infrastructure, databases, clusters, plus machine identities.
Open-source challengers have a different shape. Headscale and NetBird pressure pricing and create trust with technical buyers, but they need support, governance, or managed offerings to capture enterprise economics.
The most exposed products are broad network-extension tools that remain static, IP-centric, and weakly tied to identity. Traditional VPN can persist for years because migration is painful, but persistence is not the same as strategic control.
Bull case / bear case
The bull case is that private connectivity becomes the default access layer for everything private. Not just remote employees, but servers, containers, CI jobs, databases, Kubernetes clusters, edge fleets, vendor environments, plus AI agents. In that world, the category expands from VPN replacement to access governance for the private enterprise graph.
The bear case is that the category fragments. SASE suites take the security budget. Cloud providers take cloud-local access. PAM vendors take privileged sessions. Open source takes technical teams. IAM and secrets managers absorb machine/agent access. A standalone private connectivity layer may remain useful without becoming the dominant budget line.
The most likely outcome is plural. There is no single replacement for the VPN because the VPN used to hide multiple jobs inside one blunt tool. Those jobs are separating: user-to-app, user-to-network, user-to-infrastructure, workload-to-workload, CI-to-resource, vendor-to-resource, and agent-to-tool.
What would change my mind / watch next
Watch whether mesh-first products add governance while preserving usability. The moment a simple product becomes policy sludge, the door reopens for suites.
Watch whether SASE vendors improve developer and infrastructure workflows. If they solve SSH, Kubernetes, databases, CI, private APIs, plus machine identity elegantly, standalone vendors face a harder enterprise path.
Watch whether cloud-native private access becomes multicloud and identity-rich enough to compete outside one provider’s boundary.
Watch whether machine identity and AI-agent access become explicit product surfaces. The signal is not marketing about agents. It is practical support for short-lived credentials, scoped private reachability, audit logs, approval workflows, plus resource-level policy.
Watch acquisitions. Check Point buying Perimeter 81 showed that secure private access is strategic to incumbents. More acquisitions would suggest the control plane is too important for suites to leave independent.
The category is easy to underestimate because the first use case often sounds mundane: replace the VPN, connect a subnet, hide an app, make SSH easier. But those are just entry points. The real prize is the private access graph for the modern company. Whoever owns that graph sits between identity, infrastructure, security, developer workflow, plus the next wave of machine actors. That is a better business than a VPN client. It is also much harder to build.
Sources / further reading
- NIST SP 800-207, Zero Trust Architecture
- CISA Zero Trust Maturity Model
- WireGuard
- Tailscale ACLs
- Tailscale subnet routers
- Tailscale SSH
- Tailscale Kubernetes operator
- Cloudflare Zero Trust
- Cloudflare Access
- Cloudflare WARP
- Cloudflare Tunnel
- Zscaler Private Access
- Palo Alto Prisma Access
- Cisco Secure Access
- Check Point / Perimeter 81 acquisition
- Twingate
- NetBird
- Headscale
- Teleport docs
- Teleport Machine ID
- AWS Verified Access
- AWS PrivateLink
- Azure Private Link
- Google Private Service Connect
- OpenVPN Access Server