The State of Zero Trust

07.2025

//zero trust is dead. long live zero trust.

00//

Introduction

Welcome to the State of Zero Trust 2025 survey results.

We surveyed 1,000 IT, security, and engineering professionals to create a clear baseline of where the industry really stands on secure access and Zero Trust adoption today. Instead of buzzwords, this report focuses on objectivity and clarity through verified survey data and rigorous analysis. We hope it helps surface the biggest gaps, highlight emerging practices that are working, and offer practical direction for where secure access goes next.

But despite every effort to approach the data impartially and transparently, Tailscale is not a neutral observer. We see these challenges every day, and we've built our secure network connectivity platform to address many of them. If you're interested in learning how Tailscale can help solve the secure access issues outlined in this report, visit us at tailscale.com or reach out to our sales team for a demo.

This year's survey showcases the frustrations of teams across the industry, the often half-deployed state of Zero Trust, and the emerging trends like identity-based networking.

Want to read more? Download the full report.


01//

Reality vs aspiration

Reality: “Is it as dire as it seems?”

Zero Trust has a reputation for being something that is more often talked about than actually implemented. So far, our data shows this is the case.

Mesh gains ground on legacy VPNs

A growing 27% of companies are using peer-to-peer mesh VPNs, and 34% use cloud-delivered ZTNA platforms. Legacy VPNs still own a hearty share of company usage at 41%.

Current secure access and network connectivity tools

Identity and Access Management: 45%
Traditional VPNs: 41%
Built-in software firewall and routing: 37%
Remote desktop or VDI: 37%
Secure access service edge: 37%
Zero trust network access: 34%
Privileged access management: 32%
Peer-to-peer mesh VPNs: 27%
Device posture management: 24%
Manually: 20%
Question: Which of the following tools or platforms does your company currently use to manage secure access and network connectivity? Please select all that apply.

Identity-based access is low

Fewer than a third (29%) of organizations currently use identity-based access as their primary model. Many still operate in a hybrid mode of adding an identity layer on top.

Company policy for system access

IP-based: 22%
Equal mix of both IP and identity: 48%
Identity-based: 29%
Unsure: 1%
Question: What is your company's overarching policy for controlling system access?

Features that help Zero Trust aren't ubiquitous

Only 56% of companies granted access based on role or need, and 46% via groups or teams. For more granular controls that support Zero Trust, an even lower 33% had just-in-time access (JIT) and 26% followed least privilege (with manual approvals).

Employee access control

Access based on role or need: 45%
Managed by individual team leads or department heads: 41%
Fully automated identity-based access: 37%
Access granted via group or team membership: 37%
Temporary or time-limited access/JIT access: 37%
Least privilege with manual approvals: 34%
No limits on access control: 3%
Question: How does your company grant employees access to critical business systems (software, platforms, and digital infrastructure)?

Aspiration: “We would, if we could”

Zero Trust adoption could be better, but the problem is not lost on companies. The desire for something better is there.

Low overall satisfaction

Only 1% report being satisfied with their organization's current access and connectivity setup, with the majority citing security (49%) and performance (45%) as the main priorities they want to redesign around, and a notable portion (26%) wanting more automation.

Access and connectivity priorities

Want stronger security: 49%
Want increased speed and performance: 45%
Want systems that scale for growth: 38%
Want to save money: 33%
Want more usable tools with better UX/UI: 32%
Want integration with modern tools: 30%
Need more automation: 26%
Want better access controls and visibility: 25%
Question: If you could redesign your company's access and connectivity setup from scratch, what would you prioritize?

New solutions are needed soon

Many IT professionals (42%) believe their current access setups will no longer meet their needs within two years. Companies are moving towards identity-centric solutions with robust security, streamlined operations, and better user experiences.

How long your current setup will meet your organization's needs

My security and access models are already outdated: 1%
< 1 year: 7%
1-2 years: 34%
3-5 years: 40%
> 5 years: 16%
Question: How long do you predict your company's current access and connectivity setup will continue to work well for you?

Companies would change for productivity

At 38% of companies surveyed, a major security incident is cited as what would force an upgrade. At the same time, 30% say that employee complaints about slow or frustrating access would trigger the same type of change, indicating that better productivity is a strong underlying rationale in any scenario.

What would prompt decision-makers to consider a new approach

A major security incident or breach: 38%
Employee complaints about slow or frustrating access: 30%
A compliance requirement or audit finding: 29%
Pressure from leadership: 29%
Lower cost than current solution: 28%
Reduce support tickets, manual work: 26%
Inability to scale: 26%
All-in-one solution: 26%
Tech stack refresh: 24%
A need for machine to machine connectivity: 21%
Nothing - our setup works great: 5%
Question: What would prompt people at your company to consider a new approach to access and connectivity? Please select all that apply.

02//

Frustrations

Connectivity: “Is it just our VPN that sucks?”

Turns out, it's not just you. A lot of companies still use legacy VPNs that are slow and frustrating to use.

Legacy VPNs are slow and frustrating

Of respondents, 90% have one or more issues with their current VPN. Latency issues are a key frustration for 35%, and throughput limitations for 24%. Frustrations are mounting as legacy VPNs struggle to transition to cloud services and remote work.

Current VPN limitations

Security risks: 40%
Latency/speed issues: 35%
High ops overhead: 34%
Integration challenges: 28%
Inability to scale: 25%
Throughput issues: 24%
Employee complaints: 23%
Remote growth struggles: 20%
Cloud/hybrid incompatible: 19%
It works well: 10%
Question: What are the biggest limitations of your current VPN or network access setup?

Workers are vocal about their frustrations

Employee complaints are a frequent occurrence, with 37% of respondents reporting daily or weekly complaints related to remote access or network security.

Complaint frequency

Daily: 11%
Weekly: 26%
Every few weeks: 18%
Monthly: 11%
Every few months: 10%
Rarely: 17%
Never: 5%
Question: How often do you hear complaints from employees at your company about how remote access and network security are managed?

Legacy VPN frustrations are on the rise

These frustrations will only grow. 84% of companies report increased throughput needs over the past couple of years. 1-in-10 say their throughput needs have doubled in the past 2 years alone.

Throughput needs increase over time

100% increase: 11%
50% increase: 26%
50% increase: 18%
Stayed about the same: 11%
Decreased: 10%
Question: How have your company's compute and throughput needs changed over the past 1–2 years? (For example, processing load, data volume, service traffic, number of systems or environments, etc.)

Tooling: “Wait, how many tools does your team use?”

If you feel like you are using too many tools for networking, that's the common consensus. Consolidation is often the goal, but it has roadblocks.

Everyone is juggling multiple tools and services

A large majority of organizations (92%) juggle multiple solutions for network security. Only 8% rely on a single, unified platform, contributing to fragmentation and inefficiency.

The number of tools or services that companies rely on to manage network security

Only 1: 8%
2-3 tools or services: 64%
4-5: 20%
> 5: 8%
Question: How many different tools or services is your company relying on to manage networking security?

Tool consolidation is a dream

The ballooning number of tools is a known issue, with 48% of companies actively trying to consolidate tools. However, this comes with issues like resourcing, integration, and lock-in.

Tool consolidation consideration

Want to consolidate: 48%
Unsure: 4%
Want to add more tools: 48%
Question: Is your company trying to consolidate the number of tools you're using for networking security, or are you looking to add more specialized tools?

Management: “How much effort are we wasting?”

It's not just the connectivity and tooling that's affecting everyone; the people managing the networking solutions are also not having a good time.

Balancing security and productivity is hard

The two biggest challenges IT and security professionals cite are balancing security with speed and productivity (32%) and enforcing IT rules, such as dealing with unauthorized tools (31%). Users are often just trying to do their jobs, sometimes by working around security measures.

Current challenges for IT and Security teams

Balancing security with speed and productivity: 32%
Enforcing IT rules: 31%
Integrating new tools with existing systems: 29%
Supporting a hybrid or remote workforce: 28%
Managing user access across many tools or systems: 27%
Migrating to or managing cloud infrastructure: 26%
Responding to cybersecurity threats or incidents: 26%
Maintaining or replacing legacy systems: 25%
Budget constraints or reduced resources: 25%
Understaffed: 24%
Lack of automation: 24%
Support tickets: 16%
None of the above: 6%
Question: What are the biggest challenges your company's IT & security teams are dealing with right now?

Manual processes are more common than automation

A majority of organizations (68%) still rely on manual processes to manage network access. This creates complexity, friction, and security gaps.

Manual vs automatic access controls

Manually by the IT team: 37%
Fully automated and identity based: 22%
Manually by the Security team: 17%
Manually by the Network Engineering team: 14%
Self-serve with approval required: 9%
No formal process: 1%
Question: How are firewall rules or network access controls (ACLs) managed at your company?

03//

Ramifications

Security: “At least we're secure, right?”

For all the frustrations of networking security solutions, one would expect good security results. Unfortunately, this isn't the case.

Security incidents are common

A large majority (88%) report at least one security incident over the past two years. This includes misuse of privilege (24%) and bypassing security protocols (22%). 1-in-3 companies report security incidents from employee error, which is even more common than system or network failure.

Causes of security incidents

Employee error: 33%
System or network failure: 30%
Phishing or social engineering attack: 29%
Weak or reused passwords: 28%
Vulnerability in software: 26%
Malware or ransomware: 24%
Unauthorized access by staff: 24%
Failure to follow security protocols: 22%
Lost or stolen device: 21%
Compromised third-party vendor: 20%
Inadequate access controls: 18%
DDoS attack: 18%
No known security incidents: 12%
Question: To your knowledge, has your company had security incidents from any of the following causes over the past 1-2 years?

Remote network security concerns

Organizations worry about VPN connections being “always on”, with 38% concerned about VPNs being left open. Another 38% of respondents worry about unmanaged personal devices connecting.

Causes of concern for remote network security

Employees using personal or unmanaged devices: 38%
Always-on VPN connections: 38%
Lack of visibility: 32%
Manual tasks required to manage access: 32%
Difficulty enforcing security policies: 32%
Employees bypassing security policies: 32%
Inability to scale: 28%
No major concerns: 10%
Question: What concerns you about how your company handles remote network security?

Infrastructure access is shaky

A majority of respondents (76%) report gaps in their infrastructure access.

Concern for infrastructure access

Highly secure: 24%
Somewhat secure: 35%
Average: 23%
Somewhat vulnerable: 12%
Highly vulnerable: 7%
Question: Overall, how secure do you think your company's approach to managing infrastructure access is?

Former employees aren't getting their access revoked

After leaving their companies, 68% of respondents report retaining access to their former employers' systems. Many companies don't have automation or centralized visibility into who has access.

Retaining access that should have been revoked

Yes, for a few days: 22%
Yes, for a few weeks: 27%
Yes, for a few months: 13%
Yes, for a year: 4%
Yes, longer than a year: 2%
No, my access was removed immediately: 32%
Question: Have you ever retained access to a previous employer's infrastructure, systems, or software after leaving?

Productivity: “At least we're productive, right?”

You might assume that network security would act transparently for a seamless experience. Unfortunately, negative productivity impacts are common.

Developers don't feel understood

More than 2-in-3 developers and engineers say IT/security teams don't understand how they work and what they need to build fast and effectively. Nearly 1-in-4 say IT/security outright block productive workflows.

Perception of IT and security

They understand it very well: 31%
They understand it somewhat: 30%
They don't really understand how we work: 16%
They create friction or block productive workflows: 22%
Question: How well do your company's IT and security teams understand how you work and what you need to move fast and build effectively?

Network security feels disconnected from development

Furthermore, half of the respondents say their company's security rules feel disconnected from supporting modern development practices.

Perception of security policies

Agree: 50%
Disagree: 50%
Question: The security rules at my company feel disconnected from how modern development actually works

Onboarding takes longer for IT

It takes a lot of time for IT teams to onboard a new user onto networking systems, with 35% saying it takes more than a day.

Onboarding speed

Instantly (fully automated): 23%
A few hours: 42%
A few days: 28%
More than a week: 7%
I'm not sure / don't have visibility into this: 1%
Question: How long does it usually take to provide new employees with access to networked systems and applications needed for their role?

Going to market is slower

Twice as many employees at companies using a legacy VPN say they are slower than average to bring new products to market.

Comparative speed in developing and launching

Much faster than average: 10%
Faster than average: 33%
About average: 41%
Slower than average: 12%
Much slower than average: 5%
Question: How quickly can your company develop and launch new products compared to other similar companies in your industry?

04//

Hurdles to improvement

Social: “Is this a user issue?”

Users within a network security system are imperfect and can make mistakes. However, we are seeing situations where systems have become so frustrating that users are intentionally bypassing security.

Circumventing security measures

Just to stay productive, a large majority of respondents (83% overall and 87% of developers) are willing to resort to circumventing security measures.

Methods of security circumvention

Used a personal device to access internal systems: 32%
Downloaded or installed unapproved software or tools: 28%
Stored company credentials in a personal notes app, text file, or password manager: 27%
Moved a service or tool to a public port or endpoint: 25%
Circumvented MFA or security prompts (e.g., used a remembered device or persistent session): 25%
Found a backdoor or workaround to skip access controls: 25%
Created an unofficial integration or script to bypass approval steps: 25%
Shared a password or login with a coworker: 24%
Used someone else's credentials to access a system: 23%
None of the above: 17%
Question: Which of the following have you ever done to speed up access or work around internal security or access processes?

Third-party SaaS isn't safe either

Specifically, when looking at access to third-party SaaS tools, 24% said SaaS controls are easy to bypass.

Restrictions on third-party SaaS tools

Yes, IT enforces strict controls: 57%
Somewhat, but employees can easily work around it: 24%
Somewhat, but employees can request new tools: 16%
No, employees are free to use any tools they want: 2%
Question: Does your company monitor and restrict access to third-party SaaS tools?

It happens more often with legacy VPNs

28% of employees at legacy VPN-using companies report higher instances of colleagues bypassing the infrastructure. Non-legacy-VPN companies report only 20%. Broken or inconsistent access is reported by 25% of respondents among legacy VPN users, and 15% among non-legacy-VPN users. Across the board, 30% report frustration in managing access methods across legacy and modern systems.

Systems and tools frustrations

Networking issues when working remotely: 34%
Slow connections: 32%
Having to use multiple different access methods for different systems: 30%
It prevents smooth collaboration with other teams: 26%
Employees try to bypass the infrastructure: 26%
Constantly changing firewall rules or IP allowlists: 25%
Too many manual steps or tickets: 25%
Access is inconsistent or breaks unexpectedly: 24%
I lose time switching between tools or environments: 19%
I don't have the access I need to test, ship, or debug: 15%
I don't have any frustrations: 9%
Question: What do you find frustrating about how your company manages your access to company systems and tools?

Team: “What can our leadership do to help?”

Indicators show that while leaders care, they may be missing easy wins for their team. This is true for tangible steps towards progress, but also for influencing the perception of how committed a company is to improving.

Perception of preparedness is a sliding scale

63% of non-management employees think they are fairly or very well-equipped to detect unauthorized tools and workarounds, while the number is higher for executives at 80%. This indicates a misalignment in perception and an opportunity for leadership communication to bridge that gap.

Perceived preparedness

Very well equipped: 31%
Fairly equipped: 41%
Somewhat equipped: 23%
Not well equipped: 5%
Not equipped at all: 1%
Question: How well equipped is your company to detect unauthorized tools or access workarounds?

Improvement delays are common, and leadership can address them

When it came to the cause for delays in security improvements, 35% of respondents pointed to the cost of resources, 39% to leadership priorities, and 42% to the risk of workflow disruption. Once again, many causes identified by employees can be opportunities for better alignment and signaling from management.

Causes of delays to security or networking upgrades

Risk of disruption to workflows or integrations: 42%
Leadership or organizational priorities: 39%
Cost or resource constraints: 35%
Recent or ongoing rollout of other tools: 34%
Unclear business case or uncertain ROI: 33%
Lack of clear direction or suitable solutions: 31%
Current security measures considered sufficient: 18%
No known delays: 10%
Question: Which of the following has ever been a reason to deprioritize or delay networking or security upgrades at your company?

05//

What's next

Tailscale’s predictions

So we have all these numbers and visualizations. What's next? There are some common trends and a clear direction we at Tailscale see for the future.

IP design will be supplanted by access and identity-first networking. The old perimeter-based model will be replaced, and every instance of access will be authenticated as a baseline of “Never trust, always verify”.

Legacy VPNs are demonstrably issue-prone as seen in the data, and while they won't disappear, there are better options. Peer-to-peer mesh architectures that are identity-aware will be the new default.

AI in particular will play a role, given its ubiquity. This will be true for both defenders of security who use AI for anomaly detection and risk scoring, and attackers generating phishing attempts and scanning for poor security configurations. Companies themselves will bet big on AI, investing in GPU clusters and shared model training infrastructure that will require modern networking tools for performance and security.

And this is just the tip of the iceberg. For even more insights, including the evolution of security and engineering culture, the extension into edge and IoT environments, and the move towards modularity, we recommend checking out our full report. You can download the report below.


06//

Recommendations

Tailscale's recommendations for leaders

Here's what you can start acting on if you're a CIO, CISO, CTO, Engineering Manager, Security Manager, or IT Manager—our recommendations are heavily rooted in our trend analysis in the previous section.

Access and identity-first networking needs to be the core of your access control model. It's no longer enough to have old perimeter-based models that rely on broad access. Start by auditing your current critical infrastructure. As a baseline, gauge your level of integration with identity providers, and determine if access is granted based on roles and attributes.

If you rely on legacy VPNs for remote access, it's time to upgrade to a more modern solution. Aim to pilot a new solution, starting by identifying the pain points of your current setup. Find a solution that offers easy deployments (like Tailscale). Start building the case for upgrading by gathering data.

Then dig even deeper. Look into onboarding and offboarding processes, take stock of your stack of internal network security tools, and ultimately gauge how your technical teams feel about your current solution. Modern security should be invisible and effortless, and understanding how your colleagues are engaging with networking security can yield benefits beyond building an immediate case for structural improvement. Gain a more nuanced understanding of what is frustrating people, and they'll join your cause as champions.

All of this is just the start towards a bigger, company-wide win from spearheading an upgrade in networking security. For these types of insights and more, including recommendations on implementing just-in-time and least privilege access, download our full report below.


07//

Methodology

All statistics and insights in this report are based on Tailscale's 2025 Secure Access and Zero Trust Adoption Survey, conducted with 1,000 IT, security, and engineering professionals across the United States and Canada, representing a range of industries. Management-level employees comprised about two-thirds of the sample, including twenty-three percent from the C-suite. Nearly half of the respondents work at enterprise firms. Data was collected from April 21 to 28, 2025.

Survey respondents by seniority

Executive or VP: 23%
Director: 24%
Manager: 26%
Lead: 7%
Senior: 8%
Mid: 6%
Entry: 6%

If you'd like to review the full methodology or explore the raw survey data, please reach out to our communications team at press@tailscale.com. To learn more about Tailscale and our approach to Zero Trust, visit us at tailscale.com or reach out to our sales team for a demo.
