• ▪ ZIA / ZPA base licence
• + + Sandbox module
• + + DLP module
• + + ZDX digital experience monitoring
• + + Premium data centre fees
• + + Bandwidth overage fees
• + Reported 35% YoY price increases

• ▪ Workforce Identity base
• + + Adaptive MFA (separate SKU)
• + + API Access Management
• + + Identity Governance
• + + Privileged Access
• + + Access Gateway for on-prem
• + Each add-on compounds per-user cost

• ▪ Duo Essentials or Advantage base
• + Premier tier required for device trust
• + ($9/user/mo for full features)
• + + Duo Secure Access (separate)
• + + Cisco ISE for network policy
• + Multiple consoles, overlapping policies

• ▪ Entra ID P1 or P2 base
• + + Intune for device trust ($8/user/mo)
• + + Defender suite for endpoint
• + + Purview for data governance
• + + Global Secure Access
• + M365 E5 can exceed $57/user/mo
• + 4–6 separate admin centers

TAC deploys as a dedicated Secure Virtual Appliance — a true single-tenant architecture where every customer gets their own isolated instance. This scales from a single SVA to a high-availability array to a global array spanning worldwide locations for enterprise deployments.

Unlike multi-tenant SaaS platforms where all customers share infrastructure, TAC provides complete data isolation, no noisy-neighbour performance issues, and full customer control over updates, configuration, and data residency. Zscaler, Okta, Duo, and Microsoft all run on shared vendor-controlled clouds — your policies sit beside thousands of other customers, and a single incident can cascade across the entire platform.

TAC’s reverse-proxy architecture requires only a single encrypted port (up to TLS 1.3) for all application traffic. Organisations can close every other inbound firewall port entirely, eliminating the whole category of unauthenticated remote exploitation. Applications like SharePoint, RDP, and VPN concentrators all require open ports — with TAC, they don’t.

No competitor offers this. Zscaler uses connector tunnels that still create network exposure. Okta has no reverse proxy capability. Duo’s Network Gateway still requires its own exposed ports. Microsoft Application Proxy uses connectors with open ports. TAC is the only platform that can take an organisation from 47+ open inbound ports to one.

TAC deploys on-premises, in a private cloud, in a public cloud, or in any hybrid combination. The customer chooses where their security infrastructure lives — including air-gapped environments. A single SVA, a local HA array, or a globally distributed array for enterprise scale: the architecture adapts to the requirement.

Zscaler, Okta, Duo, and Microsoft are vendor-controlled cloud solutions running on the vendor’s multi-tenant infrastructure. Customers have no choice over data location, infrastructure control, or deployment model. For regulated industries, government environments, or organisations with data residency requirements, this is not acceptable — TAC is the only platform that addresses it.

TAC’s reverse proxy provides full access control for thick-client applications, RDP, SSH, legacy web apps, forms-based authentication apps, and IoT devices — all without any application modifications. This is the biggest gap in the zero-trust market.

Zscaler ZPA handles TCP/UDP traffic but cannot inject authentication in front of applications. Okta requires SAML/OIDC-compatible apps and a separate Access Gateway. Duo’s VPN-less access is limited to web applications. Microsoft Application Proxy supports only web apps with no thick-client or forms-based auth support. Mission-critical legacy systems are simply unprotected by these platforms. TAC protects all of them.

TAC provides built-in SSO across every protected application — cloud, on-prem, legacy, anything — from a single portal. An application running in a datacenter today can be migrated to the cloud tomorrow and users won’t notice. Same menu. Same icon. Same login. This eliminates user disruption during cloud migrations entirely.

Competitors tie SSO to specific protocols (SAML/OIDC) and deployment locations. Moving an application means reconfiguring policies, updating URLs, and retraining users. TAC abstracts application location from the user experience entirely — making it the only platform that gives genuine application portability without user impact.

TAC continuously validates device posture — checking certificates, OS version, patch level, antivirus status, firewall state, disk encryption, domain join, and geolocation — and enforces policy in real time. If a device falls out of compliance mid-session, access is revoked immediately, not at next login.

Zscaler checks posture only via its Client Connector agent (required on every device). Okta requires third-party MDM integration. Cisco Duo’s full device trust is locked behind the Premier tier at $9/user/mo. Microsoft requires a separate Intune licence at $8/user/mo plus Conditional Access P1. TAC delivers all of this as standard — with no agent required.

TAC integrates natively with Active Directory, LDAP, SQL databases, Azure AD, multiple directories simultaneously, and custom identity sources — with no migration required. You keep your existing identity infrastructure exactly as it is.

Competitors require you to adopt their identity model. Okta wants to become your identity provider. Microsoft requires Azure AD for full Entra functionality. Zscaler’s identity integrations are limited in scope. TAC adapts to your environment rather than forcing your environment to adapt to it — removing one of the largest barriers to zero-trust adoption.

TAC bundles MFA (all seven methods: FIDO2, SMS, OTP, SafeLogin, TOTP, push, hardware tokens), SSO, device posture, AI agent governance, reverse-proxy enforcement, identity federation, and 24×7 support into a single per-user licence. No add-on modules. No bandwidth fees. No redundancy surcharges.

Zscaler layers sandbox, DLP, and ZDX modules on top of the base licence with reported 35% year-over-year price increases. Okta charges separately for Adaptive MFA, Identity Governance, API Access Management, and Privileged Access. Cisco Duo’s Premier tier is $9/user/mo for full device trust. Microsoft’s full zero-trust stack can reach $20+/user/mo or $57/user/mo for M365 E5. TAC eliminates the add-on game entirely.

Zscaler routes traffic through its multi-tenant cloud via lightweight connector agents that maintain persistent outbound tunnels. Zscaler ZPA handles TCP/UDP but cannot inject authentication in front of applications — it only tunnels traffic. Thick-client, legacy, and IoT applications fall entirely outside its scope. Pricing has seen reported 35% year-over-year increases with sandbox, DLP, ZDX, and premium DC fees layering on top.

• ✕No true port closure — connector tunnels remain
• ✕Cannot inject auth in front of applications
• ✕No thick-client, legacy, or IoT support
• ✕Shared multi-tenant cloud — no isolation
• ✕Reported 35% YoY price increases + module fees
• △Device posture requires Client Connector on every endpoint

Okta is an identity platform, not a network proxy. It federates modern cloud applications via SAML and OIDC but has no capability to protect applications that don’t support those protocols. On-prem and legacy coverage requires the separate Access Gateway, which still needs direct network access to your applications and cannot reduce port exposure. Every advanced feature — Adaptive MFA, Identity Governance, API Access Management, Privileged Access — is a separate paid SKU.

• ✕No reverse proxy — cannot close inbound ports
• ✕Requires SAML/OIDC from the application
• ✕Legacy and thick-client apps unsupported natively
• ✕Access Gateway for on-prem is a separate product
• ✕Adaptive MFA, Governance, and PAM are all add-on SKUs
• △Full zero-trust posture requires assembling multiple products

Duo is strong on MFA but the Duo Network Gateway still requires its own exposed ports — there is no true port closure. Full device trust is gated behind the Premier tier at $9/user/mo. A complete zero-trust posture requires Duo + Secure Access + ISE: three separate products, multiple admin consoles, and compounding licence costs. Thick-client and legacy application support is minimal.

• ✕Duo Network Gateway still exposes inbound ports
• ✕Full device trust locked behind Premier tier ($9/user/mo)
• ✕Complete ZTA requires Duo + Secure Access + ISE
• ✕Three products, multiple consoles, overlapping policies
• ✕Minimal thick-client and legacy application coverage
• △Licence costs stack significantly across the product suite

Microsoft’s platform is tightly coupled to Azure AD and the Microsoft 365 ecosystem. Application Proxy and Global Secure Access use connector agents creating outbound tunnels — not true port closure. Real device trust requires a separate Intune licence at $8/user/mo. A complete zero-trust stack spans Entra, Intune, Defender, Purview, and Global Secure Access across 4–6 separate admin centers, with M365 E5 licensing exceeding $57/user/mo. Organisations outside the Microsoft ecosystem face a forced Azure AD migration.

• ✕Connector agents required — no true port closure
• ✕Real device trust requires Intune ($8/user/mo separate)
• ✕Tightly coupled to Azure AD — migration required
• ✕Thick-client and non-web apps need complex workarounds
• ✕Full ZTA: Entra + Intune + Defender + Purview + GSA
• △M365 E5 can exceed $57/user/mo — 4–6 admin centers