Enforza exists to give cloud teams the egress, ingress and east-west control they actually need — the capability of the cloud-native firewall and more — at a fraction of the cost, deployed their own way. No per-GB data-processing tax. No six-figure platform you will half-fill. The control you need, in the gap between the two.
Securing a cloud network had become a choice between two bad deals: pay the cloud firewall a tax that scales with your traffic forever, or buy an enterprise platform you will never fully use. We built the third option.
Cloud networking moved fast; cloud network security did not move with it fairly. The hyperscalers' own firewalls do the job, but they meter you per gigabyte — so the cost of protecting your network rises every time you move more data, not every time you write more policy. The enterprise firewall vendors do far more, but at a price and a complexity built for a different era, where most of what you buy is never switched on.
Enforza is the firewall in between. It runs as a single lightweight Linux VM inside your own cloud network, governs egress to the internet, ingress into your network, and east-west traffic between your networks, and is billed at one flat per-firewall rate — with no per-GB charge at all. The same capability as the cloud-native firewall, and more, for a predictable line you can forecast.
Most cloud teams feel squeezed from both sides. Enforza is built precisely for the space in the middle.
To secure egress on a hyperscaler you stack a NAT gateway and a managed firewall — each metered per gigabyte, on top of a per-hour and often per-availability-zone fee. The bill scales with the traffic you push, not the policy you write. Protecting more, or moving more data, costs more every month — indefinitely.
The alternative is a mega-NGFW platform — hundreds of features, a six-figure invoice, and a licence metered by vCPU and instance size. Most teams switch on a fraction of it and pay for all of it. Half used, fully paid for. It is more firewall than a cloud network needs, at a price a cloud team cannot justify.
More than the cloud-native firewall. Far less — and far cheaper — than an enterprise NGFW platform. We are clear about our scope on both axes; that fairness is the point.
We are not a Palo Alto, Fortinet or Check Point mega-NGFW, and we do not claim to be. We are the way to replace your cloud-native firewall without going full-blown enterprise security vendor — the real control most organisations need, between the cloud tax and the six-figure platform.
We have been at this since 2023, and we have evolved toward what cloud teams actually want — adding the control that matters, removing what does not, and building our own engine for speed.
Enforza starts while exploring a secure replacement for cloud NAT gateways, founded by Neil Briscoe — who previously co-founded Cloud Gateway, the UK's first SASE platform.
The NAT-gateway concept grows into a full firewall with identity-aware FQDN filtering — across every cloud and on-premise, not one provider.
A fully automated platform ships, with a deliberately simplified pricing model. Features are added — and removed — based on real usage: lean by design, never half-used and fully paid for.
A lifecycle refresh adds the Cloud Controller console for GUI-driven teams and white-label capability for partners — and Enforza reaches its 100th customer.
Work begins on our own single-pass packet classification and verdict engine — built to classify each flow once, in microseconds rather than milliseconds, for high performance and low overhead on the same standard Linux network primitives everyone uses.
Development of the GitOps workflow: firewall policy as code, reviewed in a pull request and gated by the same compliance checks before it ships — for platform-engineering teams who keep policy where the rest of their infrastructure lives.
A ground-up rework of the Cloud Controller console — the same fleet, policy and live-log experience on a faster, more scalable foundation.
The new engine, Cloud Controller and pipeline integration go into beta testing together — proven against real fleets before general release.
The new architecture ships. On the same standard Linux network primitives, the single-pass engine classifies each flow once in microseconds — a measured p99 of around 49.5 µs first-packet — then enforces in-kernel at line rate, 98.5% fast-path, with zero dropped packets across our throughput runs. High performance, low overhead, built for cloud.
Like every firewall, Enforza sits on the same proven, standard Linux network primitives — that common ground is the honest opener. What is different is what we built on top. Our single-pass packet classification and verdict engine classifies each flow once, in microseconds — a measured p99 of around 49.5 µs first-packet on a standard VM — then enforces it in-kernel at line rate, with 98.5% of packets never leaving the kernel and zero dropped across our throughput runs. It is a cloud NVA engineered for the cloud, not an on-prem box bolted onto it.
Around that engine, the things that matter to a cloud team are made simple: one flat per-firewall price with no per-GB tax; a choice of running policy as code through a GitHub pipeline or by hand in the Cloud Controller console, same firewall underneath; log export to your own SIEM, never via our cloud; and a control plane that is outbound-only, so there is no management port on the security device to expose. Compliance is built in — 25 frameworks and 210 firewall-applicable controls, advise or enforce on every publish. That is the difference: the control you actually use, built for the cloud, at a price you can defend.
Trust is the conversion lever, so these are commitments we can stand behind — not slogans.
Enforza covers the egress, ingress and east-west control most organisations actually need — identity-aware L7, secure NAT, threat hardening, compliance — and deliberately stops there. The roughly 98% you use, none of the bloat you do not. We are aware of our scope and proud of it.
One flat per-firewall line. No per-GB data-processing tax, no per-rule tiers, no charge by CPU, instance size, protected IP or protected device. Your firewall should not bill you for how much it protects, or how hard it works. Predictable, like buying a box.
Log export streams to your own SIEM and never passes through Enforza's cloud. The firewall instance runs inside your network, on a VM you own. We manage the policy and the fleet; we do not sit in the path of your traffic or your logs.
The firewall instance has no inbound management port and no admin UI to expose. Its control plane is outbound-only to the Enforza cloud — it manages up, never in. There is nothing reachable on the security device to find, harden or stand a VPN in front of.
Run it as policy-as-code through a GitHub pipeline, or drive the Cloud Controller console by hand. Same firewall NVA underneath, same billing. We do not make you adopt a workflow to adopt a firewall.
Our performance numbers are measured on standard VM sizes and quoted as conservative floors, not marketing ceilings. Our cost comparisons are directional and dated against published vendor rates. If a proof point does not exist yet, we do not invent one.
The capability of the cloud-native firewall and more, at a flat per-firewall price, on any cloud — GitOps or console, logs to your own SIEM. Start free, no card.
