The honest answer first
Most small businesses do not need full ZTNA. They need good access control — which a managed mesh VPN delivers at a fraction of ZTNA pricing.
The ZTNA category is marketed hard, and the marketing implies every organisation should adopt it. The reality: pure ZTNA's per-resource connector model solves a problem large enterprises with hundreds of internal applications have. A small business connecting a few sites and a handful of systems is paying for granularity it won't use. This guide is the honest version: when ZTNA is worth it for an SMB, when it isn't, and what to buy either way.
What a small business access problem looks like
The typical SMB network-access need, concretely:
- Connect 2-10 branch offices so point-of-sale systems, back-office computers, and shared drives at each site can reach each other and HQ.
- Let a small remote / hybrid team reach internal systems from home or on the road.
- Keep some separation — the POS network shouldn't be reachable from the guest WiFi; contractors shouldn't reach finance systems.
- Not hire a network engineer to run it.
That's a connectivity problem with a policy layer. It is not "we have 200 internal SaaS-style apps and need per-app per-user device-posture-aware authorisation," which is what pure ZTNA is built for. Matching the tool to the actual problem is the whole game.
The cost reality
Pure-play ZTNA is priced per user. For an SMB that's the wrong unit — branches have routers and devices, not just named users. The comparison for a 5-branch business with 40 staff:
| Option | Monthly | Annual | Pricing unit |
|---|---|---|---|
| Twingate Starter | $400 (40 × $10) | $4,800 | per user |
| Cloudflare Zero Trust | $0 (free ≤50 users) | $0 | per user (free tier) |
| Zscaler / Palo Alto | Enterprise quote | typically $5,000+ | per user, enterprise contract |
| MeshWG | ~$21 (5 routers × ₹349) | ~$252 | per router |
Cloudflare's free tier is genuinely competitive for SMBs that fit the per-resource model. For the connect-my-branches model, per-router pricing is structurally cheaper because you have far fewer routers than users.
SMB-friendly options
- Cloudflare Access — free up to 50 users; the strongest free pure-ZTNA option. Good if your problem genuinely is per-resource access and you don't mind the Cloudflare ecosystem.
- Twingate — most polished pure ZTNA; $10/user/month. Worth it if per-resource granularity is a real requirement.
- Pomerium — open-source self-host ZTNA; free software, you run the server.
- MeshWG — managed mesh VPN with per-flow ACL policy; per-router pricing; built for the connect-my-branches SMB shape.
- Tailscale / NetBird — mesh VPN with ACLs; per-user pricing; good for fully remote teams without physical branches.
Decision framework by size
| Your situation | Recommendation |
|---|---|
| 2-15 staff, 1-3 sites, a few shared systems | Managed mesh VPN (MeshWG). Full ZTNA is overkill. |
| 15-50 staff, multiple branches, POS / back-office separation needed | Managed mesh VPN with ACL policy (MeshWG). Cloudflare Access free tier if the problem is per-app access specifically. |
| 50+ staff, many internal apps, contractors needing scoped access | Evaluate pure ZTNA (Twingate, Cloudflare Access paid). The per-resource model starts earning its cost here. |
| Any size, but a compliance framework mandates per-resource authorisation | Pure ZTNA, regardless of size. The mandate decides. |
| Fully remote, no physical sites, every member has a laptop | Mesh VPN priced per-user (Tailscale, NetBird) or Cloudflare Access free tier. |
Where MeshWG fits
MeshWG is a managed mesh VPN built for the SMB multi-branch shape — the middle three rows of that table. It's not pure ZTNA and we won't claim it is. What it provides:
- Per-flow policy — allow / deny rules by source device, destination device, protocol, and port. The POS network can be made unreachable from guest WiFi; contractors can be denied finance systems. Enforced before traffic reaches the destination.
- No exposed inbound ports — the WireGuard handshake is outbound from each router; resources are never directly internet-reachable. This closes the same attack surface ZTNA's connector model closes.
- Per-router pricing — ₹349 (~$4.20) per router per month, 2 free. A 5-branch business pays ~$21/month for the whole mesh.
- 24/7 support, 2-minute onboarding — no network engineer required.
For an SMB whose real problem is "connect my branches securely with sensible separation," this covers it. For an SMB with a genuine per-resource-authorisation mandate, the pure-ZTNA products are the right tools — and that's the honest recommendation when it applies.
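To make the per-flow policy model above concrete, here is an added example (not MeshWG's policy syntax or code) of a first-match rule list with default deny, plus a check that the two separation goals hold. Device names, segment names, and the rule set are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: device name -> segment (all names hypothetical).
DEVICES = {
    "pos-till-1": "pos", "backoffice-pc": "backoffice",
    "finance-server": "finance", "hq-fileserver": "hq",
    "guest-phone": "guest-wifi", "contractor-laptop": "contractor",
}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source segment, or "*" for any
    dst: str               # destination segment, or "*" for any
    proto: str             # "tcp", "udp", or "*"
    port: Optional[int]    # None matches any port

    def matches(self, src_seg, dst_seg, proto, port):
        return (self.src in ("*", src_seg)
                and self.dst in ("*", dst_seg)
                and self.proto in ("*", proto)
                and self.port in (None, port))

# Constructed rule set, evaluated top to bottom; first match wins.
POLICY = [
    Rule("deny",  "guest-wifi", "*",       "*",   None),  # guests reach nothing internal
    Rule("deny",  "contractor", "finance", "*",   None),  # contractors never reach finance
    Rule("allow", "pos",        "hq",      "tcp", 443),   # tills sync to HQ over HTTPS
    Rule("allow", "backoffice", "hq",      "tcp", 445),   # shared drives (SMB)
    Rule("allow", "contractor", "hq",      "tcp", 443),
]

def decide(src_dev, dst_dev, proto, port, policy=POLICY):
    """Return "allow" or "deny" for one flow; unknown devices are denied."""
    src_seg, dst_seg = DEVICES.get(src_dev), DEVICES.get(dst_dev)
    if src_seg is None or dst_seg is None:
        return "deny"
    for rule in policy:
        if rule.matches(src_seg, dst_seg, proto, port):
            return rule.action
    return "deny"  # default deny: anything not explicitly allowed is dropped

def separation_violations(policy=POLICY, ports=(22, 80, 443, 445, 3389)):
    """List sampled flows that break the two separation goals."""
    forbidden = [("guest-phone", "pos-till-1"), ("contractor-laptop", "finance-server")]
    return [(s, d, proto, p) for s, d in forbidden for proto in ("tcp", "udp")
            for p in ports if decide(s, d, proto, p, policy) == "allow"]
```

Rule order matters under first-match evaluation: a broad allow placed above the deny rules would reopen the guest-to-POS and contractor-to-finance paths, which is what `separation_violations` is there to catch after every policy change.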
When to upgrade to full ZTNA
Three triggers, any one of which justifies the move from mesh VPN to pure ZTNA: a compliance framework explicitly requires per-resource authorisation; you've grown past ~50 staff with many internal applications; or you have a large third-party / contractor population needing tightly scoped access. Until one fires, a managed mesh VPN with good ACLs is the right level of control — and the right level of spend — for a small business.
Frequently asked questions
Does a small business need ZTNA?
Most small businesses need good access control, not necessarily full ZTNA. Pure ZTNA — every resource behind a connector, every request individually authorised — solves a problem large enterprises with hundreds of internal applications have. A small business connecting a few branch offices and a handful of internal systems usually gets better value from a managed mesh VPN with sensible policy controls, at a fraction of ZTNA pricing. Adopt full ZTNA when a compliance framework requires it, when you have many internal applications with differentiated access needs, or when you handle data sensitive enough that per-request authorisation is genuinely warranted.
How much does ZTNA cost for a small business?
Pure-play ZTNA runs $7-15 per user per month. Twingate Starter is $10/user/month; Cloudflare Zero Trust Standard is $7/user/month (with a generous free tier up to 50 users); Zscaler and Palo Alto are priced for enterprise and typically require a sales conversation. For a 25-person business, Twingate is $250/month / $3,000/year. A managed mesh VPN priced per-machine rather than per-user — MeshWG at ₹349 (~$4.20) per router — covers a 5-branch business for around $21/month, because branches have routers, not dozens of users each.
What is the best ZTNA for small business?
Cloudflare Access is the strongest free option — Cloudflare Zero Trust Free covers up to 50 users, which covers most genuine small businesses at zero cost. Twingate is the most polished paid option if you want per-resource ZTNA specifically. Pomerium is the best self-hosted open-source choice. But for the common SMB shape — connecting branch offices and their devices — a managed mesh VPN (MeshWG) is usually the better-fitting and cheaper answer than any pure ZTNA product, because the SMB problem is typically 'connect my sites securely' rather than 'gate hundreds of apps per-resource.'
What is the difference between ZTNA and a business VPN?
A business VPN authenticates a user once, then places them on a network with broad access. ZTNA authorises every request to every resource individually — no network, just per-resource grants. For a small business the practical question is rarely 'VPN or ZTNA' in the abstract; it's 'what access does my team actually need?' If the answer is 'reach the systems at our other offices,' a managed mesh VPN delivers that directly. If it's 'give 12 contractors access to exactly 3 internal apps and nothing else,' ZTNA's per-resource model fits better.
Can I get ZTNA-level security without paying ZTNA prices?
Largely, yes — a modern managed mesh VPN delivers most of ZTNA's blast-radius reduction without the per-resource connector model. No inbound ports exposed on your resources (the tunnel handshake is outbound), no implicit broad trust (per-flow ACL policy controls which device can reach which), and a much smaller attack surface than a traditional VPN concentrator. MeshWG's policy model — allow/deny by source device, destination device, protocol, and port — covers the practical SMB threat model. It's not per-resource ZTNA, but for most small businesses the gap doesn't change the real-world security outcome.
When should a small business upgrade from mesh VPN to full ZTNA?
Three triggers. First, compliance: a customer contract, a regulator, or a certification (SOC 2, ISO 27001 with a zero-trust control, an industry mandate) explicitly requires per-resource authorisation. Second, scale: you've grown past ~50 employees and accumulated enough internal applications that per-resource device-posture policy genuinely reduces risk. Third, workforce shape: you have a large contractor / third-party population that should reach specific apps and nothing else. Until one of those is true, a managed mesh VPN with good ACLs is usually the right level of control for a small business.
Next steps
If your problem is connecting branches securely, MeshWG's free tier is the fastest way to validate — 2 routers, no card, indefinite.