
Network & Infrastructure Security
Pomerium Zero Trust Proxy
Identity-aware proxy for zero trust access to applications without VPN or client software.
Pomerium Zero Trust Proxy Overview
What it does
Pomerium is an open-source identity-aware proxy platform from Pomerium Inc., founded in 2019 by Bobby DeSimone (former founder of BeyondTrust) and headquartered in Solana Beach, California. The company has raised $18M in total funding, including a $13.75M Series A led by Benchmark in June 2024, with participation from Bain Capital, Haystack, SNR, and angel investors. The platform has achieved significant traction with over 1 billion Docker downloads and serves organizations from individual developers to Fortune 500 companies.
How it works
Pomerium provides clientless, identity-aware access to internal applications, services, and workloads by continuously verifying user identity, device state, and request context before granting access. The platform intercepts and routes traffic through an identity-aware layer, treating each connection as an ongoing series of requests where identity is verified for every action rather than session-based authentication. Available as both self-hosted open source (Apache 2.0 license) and Pomerium Zero (managed control plane with self-hosted proxy), the solution integrates identity providers, implements BeyondCorp zero trust principles, and provides context-aware access decisions based on user, device, location, time, and custom policy rules.
Credentials and traction
Pomerium carries a SOC 2 Type II attestation, displayed on its site as a trust anchor for regulated buyers. The project reports broad traction with over one billion Docker downloads and named users spanning security, education, energy, and financial verticals, including Obsidian Security, Optoro, Crusoe Energy, Traders Club, Stellenbosch University, and Pitt County School District. Adoption ranges from individual developers to Global Fortune 2000 enterprises running self-hosted zero trust.
Key Capabilities
mapped to solution categoriesProvides access to browser-based internal applications through a reverse proxy without requiring a device agent, enabling secure access from unmanaged or contractor devices.
Grants access to individual named applications rather than network segments, users and devices can only reach explicitly authorized applications regardless of network position.
Re-evaluates user and device trust signals throughout an active session, revoking or stepping down access when anomalous behavior is detected, not just at authentication time.
Checks endpoint health (OS patch level, EDR presence, disk encryption, certificate validity) at each access request, enforcing minimum device security standards before granting application access.
Discovers internal applications accessible via VPN or direct network routes that should be brought under ZTNA policy, surfacing unmanaged application access.
Integrations
compatible toolsImplementation & support
Info last updated on May 28, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.