For many years, zero trust network access (ZTNA) has been framed as a replacement for perimeter-based security. But in practice, many implementations of ZTNA rely on legacy ideas such as frequent re-authentication, network-level trust zones, and complex VPN architectures.ThreatLocker says it is redefining ZTNA by shifting zero-trust enforcement to the endpoint itself, binding access not just to credentials, but to verified devices and tightly controlled pathways."Access now requires three things: valid credentials, an approved device, and connection through a secure, ThreatLocker-managed broker," said ThreatLocker CEO and Co-Founder Danny Jenkins as the new feature was launched. "If one step is missing, access is denied, drastically reducing the impact of phishing attacks.”As users, applications, and infrastructure become more distributed in enterprise environments, this reinvention of ZTNA may offer a more practical and scalable way to secure network access without adding friction or complexity.These controls let organizations create tightly scoped access pathways tailored to specific roles and use cases. For example, a remote employee might be allowed to access a particular internal application only during business hours, using a company-approved laptop and a defined protocol.By enforcing these policies at the device level and filtering connections through a secure broker operated by ThreatLocker, the platform eliminates unnecessary exposure.The protocol even works on smartphones managed by ThreatLocker. During a keynote address at the company's most recent annual Zero Trust World conference in March, Jenkins demonstrated that no one could break into his email account even if they had his username and password."I have 100,000 invalid logins on my email account every day," Jenkins said as he tried to log into his own account from an unmanaged phone. "When you get phished, no one is going to get into your account unless they actually have one of your devices."These network controls not only impede a potential attacker's lateral movement within a network but also supports compliance requirements by enforcing least-privilege access in a measurable and auditable way.
Taking deny-by-default to the network
At the core of ThreatLocker's platform is a deny-by-default philosophy: Nothing is allowed unless explicitly permitted. With the Zero Trust Network Access feature, that same principle is extended from applications and endpoints to the network layer itself.Rather than assuming trust once a user is authenticated, ThreatLocker enforces access decisions based on a combination of user identity, device validation, and predefined policy. Access is granted only when all three conditions are met. Valid credentials alone will not be enough if the device or connection cannot be verified.This mirrors the approach seen in passwordless authentication systems like passkeys, in which identity is tied to trusted hardware. By cataloging approved devices and treating them as enforcement points, ThreatLocker ensures that network access is intentional, contextual, and continuously verified.The result should be a dramatic reduction in the potential attack surface, particularly regarding credential-based attacks like phishing or the theft and reuse of session tokens.Limiting network connections
One of the defining strengths of ThreatLocker's ZTNA model is its granular policy control. Organizations are not limited to binary allow-or-deny decisions; instead, they can define precisely how, when, and where access may be permitted.Administrators can specify:- Which users and devices are authorized
- Which internal resources can be accessed
- Which ports and protocols are allowed
- Optional time-based restrictions and device-posture requirements





