Zero Trust Network Access

One network.
Every exit.

Smart routing, automatic failover, and gateways and DNS you control — plus Pulse Orbit, managed egress you opt into region by region. One identity-aware network across every site, cloud and device. No backhaul. No appliances.

Runs in your network · Self-hosted gateways & DNS · Pulse Orbit egress

Application-aware access

Policy follows the app and the identity — not the IP address.

01 · AGENT

It starts on the device.

Every connection begins with a verified identity — the user, the device posture, the app making the request. No identity, no path.

  • SSO identity + device posture check
  • Works on any OS, any network

02 · GATEWAY

Policy is evaluated at the gateway.

Per-app, per-identity rules resolve at the gateway closest to the request. The gateway knows the application — not just an IP and a port.

  • Per-app, per-identity policy
  • No brittle IP allowlists

03 · EGRESS

Egress on your terms.

Leave from your own exit nodes, or hand egress to Pulse Orbit. Pin the region, keep your keys, and decide what gets logged — down to nothing at all.

  • Self-hosted or Orbit egress
  • Region pinning + logging you control

04 · APP

A private path to the app.

The connection lands on the application directly — never exposed to the public internet, resolved through internal, app-based DNS.

  • Apps never exposed publicly
  • Internal / app-based DNS

Pulse Orbit · Managed Egress

Global egress, when you want it.

Egress is a choice. Keep it all in your own network with self-hosted gateways and DNS — or hand it to Pulse Orbit: managed exit regions you opt into one by one, each tagged for data residency and health-checked continuously. Smart routing picks the fastest path, live.

Opt-in by region · Data-residency tags · Smart routing built in

Your data, your control

We route it.
We never read it.

Egress from your own nodes, pin the region, and decide what gets logged — full, metadata only, or off. Privacy is the default — not an upsell.

BYO exit nodes · Region pinning · Logging you control

Smart routing · The HA in PulseHA

Every path scored.
Every failure survived.

Gateways are ranked on live signals — latency, load, region and priority — and every agent keeps re-measuring its own round-trip times. When a path goes quiet, traffic moves to the next-best gateway in seconds, and the event lands in your audit log.

routes · payments-api re-ranked live
gw-lon-2 score 94 · active
gw-ams-1 score 87 · standby
gw-lon-1 handshake stale
failed over to gw-lon-2 · detected in seconds · ✓ audited

  • <5 s · Failover detection
  • 6 · Live routing signals
  • 30 s · Route re-optimization
  • 0 · Apps exposed to the internet

Everything in Network

The whole surface, up front.

Nothing buried behind a sales call. Every plan includes the full self-hosted network.

Application-aware access

Identity- and app-level policy across any port or cloud — no IP allowlists, no network segments to babysit.

  • payments-api · allow
  • internal-db · allow
  • legacy-smb · blocked

Your data, your control

BYO exit nodes, region pinning, and logging you control — metadata, full, or off.

High availability

Ranked multi-gateway failover, detected in seconds — the HA in PulseHA.

Smart routing

Paths scored on latency, load, region and priority — re-ranked live.

Pulse Orbit egress

Managed exit regions you opt into one by one, each tagged for data residency.

Self-hosted gateways

Deploy at any site or cloud — health, metrics and tunnels in one console.

Internal / app DNS

Private resolution mapped to apps.

Site-to-site

Connect whole networks behind gateways — no appliance mesh to maintain.

SSO & SCIM

SAML, OIDC and Entra auto-login, with SCIM provisioning and JIT.

Test before you trust

Simulate any access decision before it ships.

Pick a user, a device and a service, and watch the decision resolve stage by stage — posture, device, access, egress — with the exact policy that matched. No guessing in production.

policy simulator
# simulate · who can reach what, and why
user     dana@acme.com
device   macbook-dana · managed
service  payments-api

 posture   ✓ pass  # disk encryption · screen lock
 device    ✓ pass  # managed · agent up to date
 access    ✓ allow # matched policy: eng-payments
 egress    orbit · eu-central # region pinned

decision ALLOW

Built for teams who refuse to compromise.

In real-time game hosting, failures are immediate and unforgiving. Level 1K uses PulseHA to secure infrastructure without sacrificing performance or availability.

Microsoft Azure

Built on enterprise-grade infrastructure with security and reliability engineered from the foundation up.

Oliver Chen
James Walker
David Okonkwo
Anna Kowalski
Sarah Mitchell
Nathan Brooks

PulseHA is built by engineers who ship open source, operate production networks, and believe security tooling should earn trust through transparency.

Plans

The self-hosted network ships in every tier.

Run your own gateways, exits and DNS on day one. Pulse Orbit and security unlock at Business and above.

Core

  • Zero trust access
  • Self-hosted exit nodes
  • Pulse Orbit egress

Enterprise

  • Everything in Business
  • All Pulse Orbit regions
  • Custom limits & SLAs

Better together · Business and up

Network pairs with Pulse Security.

Same policy engine, same fabric. Add inline threat defence without adding a single appliance.

  • Inline threat defence on every connection you already route.
  • One policy model — the same identity- and app-aware rules.
  • Unlocks at Business tier and above — no migration, just switch it on.
pulse-security · live events Active
09:42:01 C2 callout · 198.51.100.4 block
09:42:03 payments-api → stripe allow
09:42:06 data exfil · unmanaged host block
09:42:09 eng-payments · internal-db allow