Use Cases

Platform

Resources

Why Secfense

Company

Pre-access protection for VPNs & gateways

Don't replace your VPN. Make it unreachable.

Don't replace your VPN. Make it unreachable.

Ghost enforces default-deny in front of your existing gateways. A network path opens only after organizational verification. Live in about 2 hours, zero migration.

Ghost enforces default-deny in front of your existing gateways. A network path opens only after organizational verification. Live in about 2 hours, zero migration.

WORKS IN FRONT OF:

WORKS IN FRONT OF:

FORTIGATE

FORTIGATE

CISCO ASA

CISCO ASA

PALO ALTO

PALO ALTO

IVANTI

IVANTI

CITRIX

CITRIX

F5

F5

vpn.your-company.com
UNREACHABLE
No route exists for unverified sources
vpn.your-company.com
UNREACHABLE
No route exists for unverified sources

The objection, answered first

Obscurity hopes you won't be found.
Ghost doesn't hope.

Obscurity hopes you won't be found.
Ghost doesn't hope.

Obscurity hopes you won't be found. Ghost doesn't hope.

Security by obscurity relies on a secret: a hidden port, an unlisted URL, a magic knock. The moment the secret leaks, the protection is gone. Ghost has no secret to leak.

Every gateway behind Ghost enforces default-deny at the network edge. There is no handshake, no banner, no login page for anyone, including an attacker who knows your exact address. Knowing where the gateway lives gets them nothing.

A route opens only after a user proves they belong to the organization: a corporate-domain e-mail address or an organization-issued PKI certificate. Then Ghost publishes that user's IP to the gateway allowlist, scoped and temporary.

Invisibility isn't the security mechanism. It's the result of it. This is authenticate-before-connect, the core zero trust principle, applied at the network layer.

Security by obscurity

Security by obscurity

Secfense Ghost

Secfense Ghost

Protection = secret knowledge

Protection = secret knowledge

Protection = cryptographic proof of identity

Protection = cryptographic proof of identity

Static: same trick for everyone

Static: same trick for everyone

Dynamic: per-user, per-session, time-boxed

Dynamic: per-user, per-session, time-boxed

Breaks the moment the secret leaks

Breaks the moment the secret leaks

Nothing static to leak; access is per-user, time-boxed, revocable

Nothing static to leak; access is per-user, time-boxed, revocable

Fails silently

Fails silently

Every access attempt is verified and logged

Every access attempt is verified and logged

The objection, answered first

Every scanner on the internet already knows your login page.

Every scanner on the internet already knows your login page.

MFA protects the login. It doesn't protect the surface. A reachable gateway answers to every scanner, every exploit kit, every zero-day, before any user ever authenticates. That surface is where gateway breaches start.

Ivanti Connect Secure · exploited pre-auth

Citrix NetScaler · CitrixBleed

FortiGate SSL-VPN · recurring RCEs

GlobalProtect · CVE-2024-3400

Next quarter · ???

How it works

Five steps. The order is the point.

Five steps. The order is the point.

Verification happens before reachability. By the time a packet can touch your gateway, its sender has already proven their identity.

01

01

Deny by default

Your gateway drops every packet from the public internet. No handshake, no banner, no attack surface.

Your gateway drops every packet from the public internet. No handshake, no banner, no attack surface.

02

02

User requests access

An employee opens the Ghost access point. Their source IP is detected automatically.

An employee opens the Ghost access point. Their source IP is detected automatically.

03

03

Organizational verification

Membership is proven with a corporate-domain e-mail or an organization-issued PKI certificate.

Membership is proven with a corporate-domain e-mail or an organization-issued PKI certificate.

04

04

Route opens

The verified IP is published to the gateway allowlist. Scoped to that user, that session.

The verified IP is published to the gateway allowlist. Scoped to that user, that session.

05

05

Access expires

The TTL lapses, the allowlist entry is removed, and the gateway goes dark again.

The TTL lapses, the allowlist entry is removed, and the gateway goes dark again.

No revolution, just smart evolution

Deployed in about 2 hours. Nothing gets reorganized.

Deployed in about 2 hours. Nothing gets reorganized.

01

01

About 2 hours to deploy,
not months

About 2 hours to deploy, not months

02

02

Zero changes to your VPN, apps or routing

Zero changes to your VPN, apps or routing

03

03

0 packets answered to unverified sources

0 packets answered to unverified sources

Hours, not
quarters.

Hours, not quarters.

Hours, not quarters.

Ghost sits in front of what you already run. The first gateway is typically protected within about 2 hours, not as a milestone of a multi-quarter migration program.

Your stack stays

FortiGate, Cisco ASA, Palo Alto, Ivanti, Citrix, F5 keep working exactly as they do today. Ghost adds a verification layer, it doesn't replace anything.

Your infrastructure

Deployed in your environment, on-prem or in your cloud. User traffic never routes through anyone else's cloud, ours included.

No network redesign

No new tunnels, no re-architected routing, no agents to mass-deploy across the fleet. Topology stays as it is.

Nothing new for users to learn

One lightweight step before connecting: corporate e-mail confirmation or a certificate already on the device. The VPN client they know stays the same.

Ghost vs SASE / ZTNA suites

One problem solved in hours beats every problem solved someday.

One problem solved in hours beats every problem solved someday.

SASE is a network transformation program. Ghost is a control you switch on. Both can coexist; only one closes your exposure gap this afternoon.

Secfense Ghost

Secfense Ghost

Typical SASE migration

Typical SASE migration

Time to value

Time to value

About 2 hours

About 2 hours

6 to 18 months

6 to 18 months

Existing VPN & gateways

Existing VPN & gateways

Stay, get protected

Stay, get protected

Replaced or re-architected

Replaced or re-architected

Network changes

Network changes

None; allowlist-based

None; allowlist-based

Full traffic re-routing

Full traffic re-routing

Where user traffic flows

Where user traffic flows

Directly to your gateway

Directly to your gateway

Through the vendor's cloud

Through the vendor's cloud

Where it runs

Where it runs

Your infrastructure

Your infrastructure

Vendor SaaS

Vendor SaaS

Scope

Scope

One job: pre-access exposure

One job: pre-access exposure

Everything, eventually

Everything, eventually

Vendor briefs

Grab the brief for your gateway. Forward it to whoever owns it.

Grab the brief for your gateway. Forward it to whoever owns it.

Two pages each: the exposure history of your product, how Ghost integrates with it, and why this is not security by obscurity. Written for security and network teams.

FortiGate SSL-VPN

FortiGate SSL-VPN

ghost-for-fortigate.pdf

Ivanti Connect Secure

Ivanti Connect Secure

ghost-for-ivanti-connect-secure.pdf

Citrix NetScaler Gateway

Citrix NetScaler Gateway

ghost-for-citrix-netscaler.pdf

Palo Alto GlobalProtect

Palo Alto GlobalProtect

ghost-for-globalprotect.pdf

Cisco ASA / Secure Firewall

Cisco ASA / Secure Firewall

ghost-for-cisco-asa.pdf

F5 BIG-IP APM

F5 BIG-IP APM

ghost-for-f5-bigip.pdf

Don't see your exposed product here?

Don't see your exposed product here?

Exchange, SharePoint, Jira, Confluence or anything else facing the internet - write to us and we'll add Ghost support for your product within 2 days.

Exchange, SharePoint, Jira, Confluence or anything else facing the internet - write to us and we'll add Ghost support for your product within 2 days.

Regulatory tailwind

Attack surface reduction is now a legal requirement.

Attack surface reduction is now a legal requirement.

SASE is a network transformation program. Ghost is a control you switch on. Both can coexist; only one closes your exposure gap this afternoon.

NIS2 · Art. 21

NIS2 · Art. 21

Requires risk-proportionate technical measures, including access control and network security. Removing public reachability of remote-access systems is a direct, demonstrable reduction of risk exposure.

Requires risk-proportionate technical measures, including access control and network security. Removing public reachability of remote-access systems is a direct, demonstrable reduction of risk exposure.

DORA · ICT risk management

DORA · ICT risk management

Financial entities must minimize their ICT attack surface. Ghost removes public reachability and gates every route on verified organizational identity: corporate e-mail domain or PKI certificates.

Financial entities must minimize their ICT attack surface. Ghost removes public reachability and gates every route on verified organizational identity: corporate e-mail domain or PKI certificates.

What Ghost is not

We'd rather you know the limits before the demo.

We'd rather you know the limits before the demo.

Not a patching substitute

An unreachable gateway buys you time and removes opportunistic exploitation, but vulnerable software should still be patched. Ghost shrinks the window; it doesn't close the bug.

Not a full ZTNA platform

Ghost governs who can reach the gateway, not per-application micro-segmentation behind it. If you're heading toward ZTNA, Ghost is a step on that path, not the whole path.

Not magic for every network

Environments behind CGNAT or heavily shared egress IPs need one of Ghost's alternative deployment modes. We'll tell you which one applies to you before you commit to anything.

What Ghost is not

See exactly what attackers see.

Obscurity hopes you won't be found. Ghost doesn't hope.

See exactly what attackers see.

We run a passive scan of your public perimeter, no installation, no access needed, and send you a report within 24 hours: which gateways are visible, since when, and what's currently being exploited in products like yours.

We run a passive scan of your public perimeter, no installation, no access needed, and send you a report within 24 hours: which gateways are visible, since when, and what's currently being exploited in products like yours.

Passive intelligence only (Shodan-class sources). We never probe your systems. Report reviewed by a Secfense engineer before delivery.

Passive intelligence only (Shodan-class sources). We never probe your systems. Report reviewed by a Secfense engineer before delivery.

Passive intelligence only (Shodan-class sources). We never probe your systems. Report reviewed by a Secfense engineer before delivery.

Loading reCAPTCHA...

Secfense Inc.

350 Townsend Street #670, San Francisco, CA 94107, US

Secfense Sp. z o.o.

Dolnych Młynów 3/1 , 31-124 Kraków, EU, VATID: PL6762546545

© Copyright 2026 Secfense. All rights reserved.

Secfense Inc.

350 Townsend Street #670, San Francisco, CA 94107, US

Secfense Sp. z o.o.

Dolnych Młynów 3/1 , 31-124 Kraków, EU, VATID: PL6762546545

© Copyright 2026 Secfense. All rights reserved.

Secfense Inc.

350 Townsend Street #670, San Francisco, CA 94107, US

Secfense Sp. z o.o.

Dolnych Młynów 3/1 , 31-124 Kraków, EU, VATID: PL6762546545

© Copyright 2026 Secfense. All rights reserved.