ZTNA Pilot (Single App / Group)

Summary. Validate Zero Trust Network Access for one application or a small user group. We configure policy‑based access via your identity provider and a cloud ZTNA gateway to replace or complement VPN for a specific use case, with minimal change risk and a fast rollback plan.

Who it's for. Organisations needing secure, granular access to internal apps without exposing networks or opening broad VPN tunnels.

Per‑app, least‑privilege access to private applications.
Reduced attack surface and simpler access operations.
Auditable access flows and clear incident procedures.
Template and plan for phased rollout.

What’s Included

Scope	Description
Core Inclusions	Discovery workshop: target app, flows, users, security goals; confirm pilot cohort and success criteria. Connect IdP (e.g., Entra ID/Okta) to ZTNA policy engine; enable MFA for pilot users. Publish 1 internal web app or RDP/SSH resource via connector; define baseline policies (who, where, device posture).
Optional Add‑Ons	Device posture checks (OS version, disk encryption, EDR present). SSO header/rewrite support for modern web apps; legacy protocol access via secure connector where feasible. SIEM/syslog forwarding; comms pack (email/how‑to) for pilot users.

Timeline & Deliverables

Note: these are estimates and may vary depending on the tier

Phase	Deliverables
01 — Discover	Extended Discovery (client‑signed), environment read‑in, inventory & stakeholders.
02 — Identify & Mitigate RDC/L	Initial RDC/L register; mitigations, dependencies & constraints agreed.
03 — Plan	Label model, success criteria, test plan, change & rollback plan, schedule.
04 — Implement	Visibility → draft policy; ring‑0 controls; HA & logging verified.
05 — Test	Execute UAT; fix exceptions; ring‑1/2 as per tier; evidence captured.
06 — Close‑out	Close‑out report, scale‑out proposal, next steps.

Service Levels (Summary)

Plan	Coverage	Response / Restore	Governance
Bronze	Business hours (Mon–Fri 08:30–17:30 NZT)	P1: 2h / NBD • P2: 4h / 2BD	Email support • Change log • Close‑out report
Silver	Extended hours (Mon–Fri 08:00–20:00 NZT)	P1: 1h / Same day • P2: 2h / NBD	Weekly check‑in (Std/Plus) • Findings register • Acceptance criteria
Gold	Business + after‑hours (24×7 P1 only)	P1: 30m / ASAP • P2: 1h / Same day	Executive summary • CAB‑ready rollback • Handover pack

Success criteria (from our perspective)

Pilot login success rate ≥ 95% for the cohort
Mean sign‑in time change ≤ +1.0s versus baseline
Zero critical regressions in application functionality
Complete audit trail visible for pilot access events

Prerequisites

IdP: Microsoft Entra / Okta / Google Workspace (admin access; MFA available)
ZTNA platform subscription or trial available (we can assist with setup)
Network: connector egress allowed (NAT/ACL updated as needed); target FQDNs reachable
Target application: URL/host, ports, and two test accounts available; app owner contact confirmed

Assumptions

Cohort size up to ~25 users for the pilot
Devices are corporate‑managed; BYOD posture checks are light‑touch if licensing allows
Low‑risk configuration changes only; rollback path documented
Customer provides admin access to IdP and target application; change window approved.
Pilot limited to a single application OR one user group (up to ~25 users).

Out of scope

Organisation‑wide VPN replacement or global policy migration
Full SASE rollout (SWG/CASB/DLP) beyond pilot scope
New SIEM build or Endpoint EDR licensing/deployment
BYOD policy creation; permanent run/operate beyond pilot scope
Anything not explicitly listed as In Scope

Risks & mitigations (examples)

Legacy auth or headers needed: use ZTNA header mapping or connector‑based access
Connector egress blocked: pre‑check, provide allow‑lists/NAT updates
User friction: comms pack + micro‑training; simple rollback documented

Next steps (after-pilot)

Rollout plan for the next 2–3 applications (or expansion of the pilot group)
Policy patterns catalog and reference architecture
License right‑sizing proposal and production cutover plan

Start the pilot

Start intake — Lite Start intake — Standard Start intake — Plus Extended Discovery

Early Adopter Program (limited): 10% off the pilot package for customers who start by 31-Dec-25. Not combinable with other offers. May be applied as a credit on close‑out.

For pricing, terms and conditions see the Pricing Annex .

Happy with the outcome?

Roll into managed → Network Security Management (Managed)

Related Resources

Service Listing Network Security Management (Managed) SoW Template Pricing Annex • See also: SASE Quickstart, SWG/DNS Pilot