
ZTNA (Zero Trust Network Access) Selling to the Network Architect — 60-Min Training

5/30/2026

Direct Answer

ZTNA (Zero Trust Network Access) Selling to the Network Architect is a 60-minute training for enterprise account executives, sales engineers, and channel sellers running $250K–$3M ACV cycles against incumbents like Zscaler, Netskope, Cloudflare One, Palo Alto Networks Prisma Access, Cisco Duo + Hybrid Mesh, Microsoft Entra Private Access, Akamai EAA, and Tailscale.

The session teaches sellers to qualify against the three-buyer reality (CIO, Network Architect, CISO), run a structured discovery on VPN-displacement and latency economics, demo against the customer's actual user-app latency, and trap-set the multi-year renewal at month 18.

Built on the MEDDPICC qualification model, Force Management's Command of the Message, and Andy Paul's "Sell Without Selling Out" discovery cadence.


Section 1 — Why ZTNA Selling Is Different (5 min)

Open the room by killing the SaaS-seller default. ZTNA is not funded by net new security budget — 74% of ZTNA spend is reallocated VPN and MPLS budget per Forrester's 2026 survey. The selling motion is therefore a budget-defunding motion, not a budget-expansion motion.

Set the frame on the whiteboard.

End the segment with Mark Roberge's rule read aloud: *"Defund the legacy line item. That's how new categories get funded."*


Section 2 — The 60-Minute Discovery Block (15 min)

The discovery cadence the room must practice verbatim. Pair AEs and roleplay — one plays the Network Architect, one plays the seller.

  1. Opening (3 min): "Walk me through your current remote-access stack — SSL-VPN concentrators, MPLS circuits, ZTNA proof-of-concepts. What is the annual run-rate?"
  2. VPN defunding baseline (10 min): "What is your current annual spend on legacy VPN concentrators, MPLS circuits, and the support team running them? 74% of ZTNA budget comes from defunding these."
  3. Latency baseline (10 min): "What latency do users experience today from VPN-on to first-app-response? Sub-1.2 seconds is the gate; over 2 seconds is a help-desk magnet."
  4. IdP coverage check (10 min): "Walk me through your identity stack — Okta, Microsoft Entra, on-prem AD, SAML, OIDC. Which is the primary, and which are the long-tail?"
  5. App-onboarding velocity (10 min): "How many apps would you onboard to ZTNA in the first 90 days? 8–15 apps per CSM-week is best-in-class with bulk-onboarding tooling."
  6. PoP coverage (7 min): "Where are your users globally? Anycast PoP coverage matters more than count of PoPs. Where are your concentration markets?"
  7. Renewal posture (5 min): "When does your current SSL-VPN or ZTNA renewal hit? What contractual extraction friction would we navigate?"

flowchart TD
    A[AE Schedules 60-Min Discovery] --> B[Send Pre-Brief 24 hrs Prior]
    B --> C{CIO + Network Architect + CISO?}
    C -->|No| D[Reschedule No Exceptions]
    C -->|Yes| E[VPN Baseline + Latency 13 min]
    E --> F[IdP Coverage + Onboarding Velocity 20 min]
    F --> G[PoP + Renewal Posture 12 min]
    G --> H[Confirm POC Scope Workshop]
    H --> I[Pre-Workshop Brief Sent All 3 Personas]
    I --> J[2-Hour POC Scope Workshop Within 7 Days]
    J --> K[Pilot Kicked Off Within 14 Days]

Section 3 — The POC That Wins (15 min)

The Proof of Concept is where ZTNA deals are decided. Walk the room through three failure modes and three wins.

Failure modes to ban. Sandbox-only POCs — they do not capture real user-app latency. 30-day POCs — too short to capture support-ticket impact. Single-region POCs — they fail to convince the Network Architect of global PoP coverage.

Wins to coach. Real user traffic from a representative cohort. Walk through Cloudflare One's and Zscaler's published POC agendas — both run 60-day POCs with 500+ real users routing through the PoPs. Side-by-side latency comparison. Show user-experienced latency from the legacy VPN vs. the ZTNA on the customer's most-used app. Bulk-onboarding demo. Onboard 20+ apps live during the POC to demonstrate the per-app velocity.

End with Andy Paul's rule from *"Sell Without Selling Out"* — *"Show the customer their VPN line item shrunk, not your ZTNA platform expanded."*


Section 4 — Handling the Incumbent Trap (10 min)

The room will face Zscaler or Palo Alto Prisma Access in seven out of ten enterprise deals. Coach the room on the three counter-moves.

Counter-move 1 — The added-latency wedge. Ask the Network Architect: *"What latency does your incumbent add today, P95? Cloudflare One publishes sub-20ms on anycast architectures. If your incumbent is over 50ms, that's the help-desk magnet your team is feeling."*

Counter-move 2 — The VPN-replacement velocity wedge. Ask the CIO: *"At month 18 of your current incumbent, what percentage of legacy VPN concentrators have actually been decommissioned? 80%+ is best-in-class. Anything less means you're paying for both stacks."*

Counter-move 3 — The IdP coverage wedge. Ask: *"Does your incumbent support your full IdP stack natively, or do you run a federation layer? Best-in-class supports every major IdP plus Kerberos constrained delegation."*

Show Force Management's command-of-the-message rule: *"Displace on the metric the user experiences, not the metric the vendor markets."*


Section 5 — Pricing Conversation and Procurement (10 min)

Coach the room through the three pricing landmines.

Landmine 1 — Per-user vs. per-bandwidth pricing. Per-user is winning in 2026 because it's predictable. Quote per-bandwidth and lose the FinOps conversation.

Landmine 2 — The TCO-vs.-license-price trap. Customers will compare license prices head-to-head and miss the VPN defunding savings. Quantify the all-in TCO including defunded VPN concentrators, MPLS circuits, and the freed network engineering hours.

Landmine 3 — The procurement-only meeting. Refuse procurement-only meetings. Insist on a joint meeting with the CIO and Network Architect. This is the "no procurement-only" rule.

flowchart TD
    A[Joint CIO + Network Architect + CISO Buy-In] --> B[Per-User Proposal Issued]
    B --> C{TCO Includes VPN Defunding?}
    C -->|No| D[Reset to Full TCO Math]
    C -->|Yes| E[Multi-Year Discount Modeled]
    E --> F[Mutual Close Plan with Procurement]
    F --> G{Procurement Requests Solo Meeting?}
    G -->|Yes| H[Refuse Insist on CIO Joint Meeting]
    G -->|No| I[Joint Negotiation Session]
    H --> I
    I --> J[MSA + Order Form Drafted]
    J --> K[Pilot-to-Production Kicked Off Within 14 Days]

Section 6 — The Trap-Set for Renewal at Month 18 (5 min)

The renewal sale begins on day one. Coach the room on the four month-18 trap-sets.

Trap-set 1 — VPN displacement at 80%+ by month 18. The number is the renewal narrative; the Network Architect defends it personally.

Trap-set 2 — Added latency under 30ms P95. Land sub-30ms P95 within 6 months. Above 50ms is renewal-risk red.

Trap-set 3 — Apps onboarded over 500 within 12 months. Each onboarded app is a defection cost for any competitor. Lock in bulk-onboarding cadence from day one.

Trap-set 4 — Joint TCO dashboard in QBR. Build the TCO dashboard (license cost + defunded VPN + freed engineering hours) into the QBR. By month 18, the dashboard is the renewal narrative.

Close the session by reading Jeb Blount's rule from *"Fanatical Prospecting"*: *"The renewal is sold on day one, not on day 365."*


FAQ

Should we sell to the CIO or the Network Architect? Both. The CIO owns budget; the Network Architect owns the platform decision. Skip either and the deal stalls.

How do we handle a customer mid-Zscaler renewal? Run a non-overlapping deployment (e.g., contractor and third-party access while Zscaler runs employees). Build production proof for the displacement conversation 18 months later.

What is the right POC size for a Tier-1 enterprise? 60–90 days, 500+ real users, 3+ representative geographies. Anything shorter or narrower loses Network Architect credibility.

How do we price against Cloudflare One's anycast positioning? Cloudflare wins on raw PoP latency; we win on detection depth and SOC integration. Position complementary at the entry tier.

What if the customer asks about Tailscale or Twingate? Honest answer: Tailscale and Twingate are strong for developer and SMB. For enterprise with 5,000+ users and full IdP coverage requirements, position the enterprise-grade alternatives. Do not bash competitors; map the use case.
