
What are the key sales KPIs for the Zero Trust Network Access (ZTNA) Vendors industry in 2027?

5/30/2026

Direct Answer

The nine KPIs that actually run a Zero Trust Network Access (ZTNA) Vendor business in 2027 are: Net New ARR ($M), Net Revenue Retention (NRR %), Average Managed Users per Customer (seats), VPN-Replacement Conversion Rate %, Average Connector Latency Added (ms), Identity Provider Coverage Breadth (count of supported IdPs in production), App-Onboarding Velocity (apps live per CSM-week), Gross Margin per Active User per Month ($), and Renewal Rate at 24 Months %.

Together they answer the only three questions a ZTNA CRO is graded on: are we ripping out the customer's VPN fast enough to expand seat count, is the user experience invisible enough that the CIO defends the renewal, and is per-seat gross margin holding as the network team scales bandwidth.

Why ZTNA Operates Differently

ZTNA is not classic VPN replacement and not pure SaaS — it is a continuous identity-and-context decision layer sitting between user and application. Four mechanics make it its own category.

The VPN budget is the funding source. Every ZTNA deal lives or dies on whether the customer can defund the legacy SSL-VPN, MPLS circuit, or remote-access concentrator. Forrester's 2026 ZTNA survey shows 74% of net new ZTNA spend is reallocated VPN and MPLS budget, not net new security budget.

Vendors who fail to document VPN-displacement math lose deals to vendors who do.

Latency is the user-experience gate. A user who clicks an app and waits more than 1.2 seconds for first response opens a support ticket. ZTNA adds connector latency on every session — best-in-class vendors add under 20ms through anycast PoP networks; legacy hub-and-spoke architectures add 80–150ms and lose renewal battles to lower-latency competitors.

Identity-provider coverage is the deal-blocker check. A ZTNA that does not support the customer's Okta + Microsoft Entra + Ping Identity + on-prem AD + legacy SAML federation stack is dead at the POC. Coverage breadth is now a procurement-gate criterion at every enterprise.

App-onboarding is the customer-success bottleneck. A typical enterprise has 800–2,500 apps. Migrating each to ZTNA enforcement is a per-app project. Vendors who ship bulk-onboarding tooling (Zscaler's App Discovery, Netskope's One Console, Cloudflare's Tunnel Connector) achieve 6–12x the onboarding velocity of vendors who require manual config per app.

The 9 KPIs, In Depth

1. Net New ARR ($M). Fresh logo and expansion subscription dollars net of contractions but excluding renewals. The ZTNA market grew at ~28% CAGR from 2023 to 2026 per IDC and is the fastest-growing security category. Zscaler disclosed ~$2.3B ARR end of 2026; Netskope ~$760M; Cloudflare One crossed $300M.

2. Net Revenue Retention (NRR %). Subscription dollars retained from the prior cohort plus expansion (seat growth, additional modules, app bundles). Best-in-class ZTNA NRR is 125–135% (Zscaler, Netskope); the median is 112–118%. NRR below 110% in a category growing at 28% means the vendor is losing the expansion battle.

3. Average Managed Users per Customer (seats). Median seats per active customer. 6,800 seats is the enterprise benchmark in 2026; 45,000+ is the Fortune-100 benchmark. Customer seat-growth year-over-year is 18–24% — the leading indicator of renewal expansion.

4. VPN-Replacement Conversion Rate %. Share of the customer's pre-ZTNA legacy VPN concentrators and SSL-VPN seats decommissioned 18 months after go-live. 80%+ is best-in-class. Below 50% means the customer is running ZTNA alongside legacy VPN — the worst outcome for both vendor margin and customer security posture.

5. Average Connector Latency Added (ms). P95 round-trip latency added by the ZTNA layer vs. direct app access. Under 20ms is best-in-class on anycast architectures (Cloudflare One, Zscaler ZIA-ZPA combined); 30–50ms is acceptable; over 80ms loses renewals.

6. Identity Provider Coverage Breadth. Count of IdPs and federation protocols supported in production. All of Okta, Microsoft Entra, Ping Identity, OneLogin, JumpCloud, AWS IAM Identity Center, Google Workspace, SAML, OIDC, SCIM 2.0 is the baseline.

Best-in-class vendors also support legacy on-prem AD with Kerberos constrained delegation for hybrid scenarios.

7. App-Onboarding Velocity (apps live per CSM-week). Median apps brought under ZTNA enforcement per CSM per week of customer-success time. 8–15 apps per CSM-week is best-in-class with bulk-onboarding tooling. Below 3 is a customer-success cost problem and predicts late renewals.

8. Gross Margin per Active User per Month ($). Vendor gross margin per active seat per month after PoP bandwidth, identity-provider integration cost, and SOC monitoring. $0.40–$0.80 is best-in-class for enterprise SKUs; below $0.20 means the network architecture is not scaling efficiently and competitors will win on price.

9. Renewal Rate at 24 Months %. Logo retention measured at the two-year mark — the cycle where displacement risk peaks. 92%+ is best-in-class for ZTNA; the industry median is 84–88%. Below 80% means the vendor's onboarding velocity or latency profile is losing the experience battle.

flowchart TD
    A[User Requests App Access] --> B[Identity Provider Check]
    B --> C{Authenticated?}
    C -->|No| D[Block and Log]
    C -->|Yes| E[ZTNA Policy Decision Point]
    E --> F{Device Posture + Risk Score?}
    F -->|Bad| G[Step-Up Auth or Deny]
    F -->|Good| H[Connector Anycast PoP Selection]
    H --> I{Latency Sub-20ms PoP Available?}
    I -->|Yes| J[Establish Session Direct App Access]
    I -->|No| K[Fallback PoP Latency 30-60ms]
    J --> L[App Response to User]
    K --> L
    L --> M[Continuous Session Inspection]
    M --> N{Anomaly Detected?}
    N -->|Yes| O[Terminate Session + SOC Alert]
    N -->|No| P[Session Renewed Per Policy]
    P --> M
    O --> Q[Detection Update + Identity Risk Score]

Real Operators

Zscaler is the scale benchmark — ~$2.3B ARR, the largest pure-play ZTNA vendor, with the Zero Trust Exchange platform combining ZIA (internet access) and ZPA (private access). Palo Alto Networks Prisma Access is the SASE incumbent — bundles ZTNA, SWG, FWaaS, and CASB and dominates the firewall-attached deals.

Netskope is the cloud-native challenger with the strongest CASB heritage and ~$760M ARR. Cloudflare One is the anycast network leader with the lowest added latency in independent third-party tests and crossed $300M ARR in 2026. Cisco Duo + Hybrid Mesh is the identity-first ZTNA tied to the Cisco network footprint.

Microsoft Entra Private Access (formerly Microsoft Tunnel) is the Microsoft-stack-native ZTNA bundled with Entra ID Premium. Tailscale owns the developer and SMB segment with the WireGuard-based mesh-VPN-meets-ZTNA model. Twingate competes in the same SMB and mid-market segment.

Banyan Security (now part of SonicWall) brings device-trust ZTNA to channel-led deals. Akamai EAA (Enterprise Application Access) is the CDN-attached option. Appgate is the legacy software-defined-perimeter pioneer still strong in regulated industries.

Forcepoint ONE and Skyhigh Security round out the SSE category.

Failure Modes

The four that quietly kill ZTNA vendors. (1) Letting VPN-replacement velocity stall under 50% — the customer's network team keeps the VPN funded and the vendor's per-seat economics never reach target. (2) Connector latency drifting above 50ms P95 — every help-desk ticket trains the CIO to suspect ZTNA first and the renewal is contested.

(3) Falling behind on identity-provider coverage — even one missing IdP closes the procurement-gate door at the next big deal. (4) Customer-success cost-per-onboard rising faster than ACV — without bulk onboarding tooling, gross margin per seat collapses and pricing power evaporates.

Reporting Cadence

Daily: connector latency P95 by PoP, session-establishment success rate, support-ticket volume tagged ZTNA, onboarding milestone slippage. Weekly: VPN-replacement conversion progress per customer, apps-live-per-CSM-week, identity-provider integration backlog. Monthly: NRR, gross margin per active user, churn by reason code, 24-month renewal pipeline.

Quarterly: full P&L, identity-provider coverage roadmap, PoP-expansion plan, customer NPS by cohort.

flowchart TD
    A[Daily Network Telemetry] --> B[Latency + Session Success + Ticket Volume]
    B --> C[Weekly Delivery Review]
    C --> D[VPN Conversion + Onboarding Velocity + IdP Backlog]
    D --> E[Monthly Business Review]
    E --> F[NRR + Margin per User + 24-Month Pipeline]
    F --> G[Quarterly Product and Board Review]
    G --> H[IdP Roadmap + PoP Plan + Competitive Map]
    H --> I[Re-baseline Targets + Onboarding Tooling Investment]
    I --> A

30/60/90 Day Plan

Days 1–30: instrument the nine KPIs end-to-end. Reconcile session telemetry with seat-billing — they will not match on day one. Establish per-customer VPN-replacement baseline, P95 added latency by PoP, and gross margin per active user. Build the identity-provider coverage matrix against every active deal in the pipeline.

Days 31–60: ship the VPN-replacement dashboard to every CSM with monthly targets. Stand up bulk-onboarding playbooks with the three largest enterprise customers and instrument apps-live-per-CSM-week. Pilot anycast PoP expansion in the two markets where latency is hurting renewals.

Days 61–90: run the first quarterly identity-provider coverage review. Decide which legacy IdPs earn engineering investment and which can be sunset. Re-baseline per-seat gross-margin targets by tier. Brief the CFO on the new margin trajectory and present the PoP-expansion plan to the board with renewal-protection projections.

FAQ

Is VPN-replacement conversion or seat growth the more important KPI? VPN replacement, in the first 18 months. Without it, the customer never frees the budget needed for seat expansion. After month 18, seat growth becomes the dominant NRR driver.

What is an acceptable added latency for ZTNA in 2027? Under 20ms P95 is best-in-class on anycast architectures. 30–50ms is acceptable for most enterprise users. Above 80ms loses renewals because help-desk tickets train the CIO to suspect ZTNA first.

How many identity providers must a ZTNA vendor support to win enterprise deals? All of Okta, Microsoft Entra, Ping Identity, OneLogin, JumpCloud, AWS IAM Identity Center, Google Workspace, SAML, OIDC, SCIM 2.0, plus on-prem AD with Kerberos constrained delegation. Missing any one of these closes the procurement-gate door at most Fortune 1000 deals.

Does ZTNA actually replace VPN or run alongside it? It should replace it. Vendors who achieve 80%+ VPN replacement at month 18 hit margin and renewal targets. Vendors stuck at parallel-run see gross margin per seat collapse and renewal NPS fall.

What is the right per-user gross margin for ZTNA in 2027? $0.40–$0.80 per active user per month is best-in-class for enterprise SKUs. Sub-$0.20 indicates the network architecture is not scaling efficiently and competitors will win on price at the next RFP.
