Pricing

No middleman cloud.
No middleman markup.

No add-ons, no vendor cloud, no centralization. Your traffic stays in your infrastructure.

Monthly
Annual Save 17%
Starter
Evaluate zero trust hands-on before you commit.
Free
Up to 3 users, forever
  • Zero Trust Policy Engine
  • 2 devices per user · 2 controllers
  • SSO authentication (Okta, Entra ID)
  • Always-on agent + Smart DNS
  • Full network sovereignty?Your data never passes through Bowtie infrastructure. No middleman, no vendor cloud — traffic stays in your network.
No credit card required
Essentials
Zero Trust private access for teams replacing VPNs.
$10
per user / month
 
  • Everything in Starter
  • Bowtie Private Access (BPA)?Zero trust access to private resources from anywhere — direct encrypted connections, no traffic backhauling through a vendor cloud.
  • Up to 700 users
  • API access + Terraform provider
  • Email & community support
  • Zero-touch NAT traversal
Most Popular
Business
Private Access + Internet Security in a single plan.
$18
per user / month
 
  • Everything in Essentials
  • Bowtie Internet Access (BIA)?DNS-layer filtering and SWG policies enforced locally on the device. No cloud proxy in the path.
  • DNS observability & redirecting
  • Up to 1,000 users
  • Device posture & MDM deployment?Enforce access based on device health, OS patch level, and MDM enrollment via Jamf or Kandji.
  • Email & community support
  • Zero-touch NAT traversal
Enterprise
Full platform with ITAR/CMMC alignment and multi-site deployments.
Custom
Tailored to your deployment
  • Everything in Business
  • Unlimited users, devices, controllers
  • Bowtie Fabric?Site-to-site networking over encrypted WireGuard tunnels. Connect data centers, offices, and cloud VPCs through your controller mesh with zero trust policy enforcement.
  • Multi-controller high availability?Deploy redundant controllers across regions for automatic failover. Production deployments in regulated environments require HA.
  • BGP integration?Dynamic routing with your existing network infrastructure. Announce and receive routes for seamless coexistence with current topology.
  • Compliance reporting & audit exports?Automated reports for ITAR, CMMC, SOC 2, and HIPAA. Export audit logs to your SIEM or archive.
  • SIEM integration
  • Priority support with SLA + shared Slack

See what you'd pay vs. a typical SASE vendor

Most vendors charge separately for private access (ZTNA) and internet security (SWG). Bowtie bundles both.

Monthly
Annual Save 17%
$
Bowtie Essentials
BPA (ZTNA) only
$4,800/yr
$8/user/mo · billed annually
Bowtie Business
BPA + BIA bundled
$9,000/yr
$15/user/mo · billed annually
Typical SASE Vendor
ZTNA + SWG sold separately
$12,000/yr
~$20/user/mo
Middleman tax you avoid with Bowtie
$3,000/yr
Traditional SASE vendors route your traffic through their cloud — you pay for their infrastructure. Bowtie runs inside yours. No middleman means lower cost and full data sovereignty.
Estimates based on listed per-user pricing. No hidden fees, no middleman surcharges.
FeatureStarterEssentialsBusinessEnterprise
Access
Users31,0001,000Unlimited
Devices per user233Unlimited
Controllers244Unlimited
Bowtie Private Access (BPA)
Bowtie Internet Access (BIA)
Bowtie Fabric
Security & Policy
Zero Trust Policy Engine
SSO Authentication
Network Sovereignty
Device Posture Policies
DNS Observability / Redirecting
Infrastructure
Always-on Agent
Smart DNS
API Access
Terraform Provider
Zero-Touch NAT Traversal
Compliance & Observability
SIEM Integration
Enhanced Auditing
Support
Community Support
Email Support
Priority Support + SLA
Shared Slack Channel

Frequently Asked Questions

Never. Bowtie controllers run in your infrastructure, and all traffic flows directly between your devices and your resources. There is no cloud proxy, no inspection point, and no access to your data.
Zero trust access and internet security are two halves of the same problem. Leading SASE vendors charge separately for private access and internet security, often totaling $14-22+/user/month combined. We bundle both in Business because our architecture makes it efficient to deliver, and your security posture shouldn't depend on how many line items you can budget for.
Because Bowtie never routes your traffic through a vendor cloud, there is no structural conflict with ITAR, EAR, CMMC, or other compliance frameworks that restrict where data can flow. Your data stays within your controlled environment.
Fabric enables fast site-to-site networking with zero trust policies using your existing Bowtie controller mesh. Instead of SD-WAN appliances, you get encrypted, policy-driven connections between data centers, offices, cloud environments, and ground stations. Included in Enterprise.
Controllers deploy as lightweight containers or VMs. Agents install on endpoints and connect directly. Most teams are operational within an hour. Enterprise deployments can be managed via Terraform and MDM.
No. The Starter plan is free forever for up to 3 users. Deploy controllers, set policies, and evaluate Bowtie without payment information.

Built for CISOs. Loved by engineers. Trusted by Ops.

Ready to unify and harden your network security stack?

Pricing

Maximize Security, Spend Efficiently

Leveraging Bowtie’s distributed overlay network and no middleman architecture enables more efficient pricing vs industry standard.

Basic
Free
Forever
Up to 3 users

Users are individuals accessing resources from a company or BYOD device.

2 devices/user

Devices are user hardware or servers running the Bowtie software to connect from anywhere to your private resources.

2 controllers

Each of your network locations (sites) should have one or more Bowtie Controllers to create microtunnels between your private resources and your user’s devices.

Zero Trust Policy Engine

Access Control Policies let you allow authenticated access to private resources by user or device characteristics.

Always-on agent

Bowtie runs in the background of your devices and navigates network changes seamlessly to always connect.

Smart DNS

DNS resolution lives on the client and can navigate various changes to your network shape.

Network Sovereignty

Local-first principles guide Bowtie's design. You own your data; Bowtie has no access to your resources.

SSO Authentication

Connect to any SSO provider such as Okta or Entra ID.

Access Today
Essentials
$11
Per User/Month
Bowtie Private Access (BPA)
Bowtie Internet Access (BIA)
Up to 1000 users

Users are individuals accessing resources from a company or BYOD device.

3 devices/user

Devices are user hardware or servers running the Bowtie software to connect from anywhere to your private resources.

4 controllers

Each of your network locations (sites) should have one or more Bowtie Controllers to create microtunnels between your private resources and your user’s devices.

Zero Trust Policy Engine

Access Control Policies let you allow authenticated access to private resources by user or device characteristics.

Always-on agent

Bowtie runs in the background of your devices and navigates network changes seamlessly to always connect.

Smart DNS

DNS resolution lives on the client and can navigate various changes to your network shape.

Network Sovereignty

Local-first principles guide Bowtie's design. You own your data; Bowtie has no access to your resources.

SSO Authentication

Connect to any SSO provider such as Okta or Entra ID.

API Access

Bowtie delivers API-first software with automation top of mind. Seamlessly integrate with existing automation tools, like Terraform.

Terraform Provider

Bowtie provides a functional Terraform provider ready to help you spin up your first deployment.

Email / Community Support

Best effort support via email/site chat and access to public Slack community.

Get Started
Enterprise
Custom
Contact us
Bowtie Private Access (BPA)
Bowtie Internet Access (BIA)
Unlimited users

Users are individuals accessing resources from a company or BYOD device.

Unlimited devices

Devices are user hardware or servers running the Bowtie software to connect from anywhere to your private resources.

Unlimited controllers

Each of your network locations (sites) should have one or more Bowtie Controllers to create microtunnels between your private resources and your user’s devices.

Zero Trust Policy Engine

Access Control Policies let you allow authenticated access to private resources by user or device characteristics.

Always-on agent

Bowtie runs in the background of your devices and navigates network changes seamlessly to always connect.

Smart DNS

DNS resolution lives on the client and can navigate various changes to your network shape.

Network Sovereignty

Local-first principles guide Bowtie's design. You own your data; Bowtie has no access to your resources.

SSO Authentication

Connect to any SSO provider such as Okta or Entra ID.

API Access

Bowtie delivers API-first software with automation top of mind. Seamlessly integrate with existing automation tools, like Terraform.

Terraform Provider

Bowtie provides a functional Terraform provider ready to help you spin up your first deployment.

Priority Support (including Slack)

Priority support with SLA and a shared Slack channel for ongoing support and refinement.

MDM Deployment

Deploy agents via MDM providers such as Jamf and Kandji.

Device Posture Policies

Leverage device posture to inform policy decisions, including JIT decisions.

SIEM Integration

Log events directly to your SIEM.

Enhanced Auditing

With Bowtie operating locally on the device, access advanced audit details to help meet compliance demands.

DNS Observability / Redirecting

Bowtie makes overriding public DNS records simple and gives you information otherwise not available in a distributed environment.

Zero Touch NAT Traversal

Limited hardened public internet boundary can establish microtunnels to your infrastructure without port forwarding or exposing controllers publicly.

Get Started

Built for CISOs.
Loved by engineers.
Trusted by Ops

Ready to unify and harden your missions stack?

Get a demo
Download