Xona FAQs

Drawn from real prospect conversations, these are the most common questions and moments of clarity from teams evaluating secure access solutions for OT.

Xona is designed to replace VPNs in OT environments — not layer on top of them.

Unlike a VPN, Xona doesn’t extend your network or trust model. There’s no tunnel, no lateral movement, and no risk of a compromised endpoint riding in. Instead, Xona gives users isolated access to only the systems they need — with no exposure to anything else.

That said, you don’t need to rip out your VPN on day one. Most customers start by deploying Xona side-by-side with their existing access tools and then phase out the VPN as they build confidence. We’ll help you roll out the platform at your pace — site by site, use case by use case.

Yes, compliance is one of the most common reasons customers choose Xona.

Whether you’re working toward NERC CIP, IEC 62443, TSA SD02E, Saudi OTCC-1, or NIST 800-82, Xona helps you enforce access controls and produce the audit evidence you need, all without disrupting operations.

You get built-in features like multi-factor authentication, role-based access, session recording, file scanning, and real-time logging. That means you can prove who accessed what, when, and how, without chasing logs across multiple systems.

Xona simplifies compliance and makes it sustainable in real-world OT environments.

No agents, plugins, or native software are required, and no special browser is needed.

Xona is 100% agentless and runs in any modern web browser. You don’t need to install software on endpoints or reconfigure client machines. We use secure protocol isolation to deliver interactive RDP, SSH, VNC, and web sessions through the browser, without ever establishing a direct connection between the user’s device and the target system.

That means less friction for users, fewer changes to your environment, and no new vulnerabilities introduced by agents or local viewers.

Yes. Xona is fully operational in air-gapped, on-prem, and cloud-restricted environments.

There’s no requirement for internet connectivity, no cloud control plane, and nothing in the software that tries to “phone home.” You can run Xona entirely on-prem as a virtual appliance or physical gateway without punching holes in your network.

Many of our customers are in regulated or remote environments where cloud access isn’t an option. That’s exactly what Xona was built for.

No, Xona doesn’t license per user.

We license based on the number and capacity of Xona Gateway appliances in your environment. Most customers start with one or two appliances and scale up as needed. We also offer flexible licensing models based on the number of assets or access paths, always tied to how your team operates, not how many people log in.

This means you’re not penalized for growth, contractor churn, or seasonal headcount changes, which are common in critical infrastructure. Licensing is based on an annual subscription.

It’s designed to be straightforward, scalable, and aligned to the operational realities of OT environments.

Yes. Xona integrates natively with LDAP, Active Directory, SAML (including Okta and Azure AD), and leading MFA solutions, so you can extend your existing identity stack directly into OT environments.

This means no new user directories, no duplicate credentials, and no reengineering. You get full support for custom roles, RBAC, and identity-based access policies across remote and local users while feeding events into your existing SIEM for unified visibility and audit continuity.

Absolutely. This is where Xona really sets itself apart. While many platforms stop at remote access, Xona delivers the same level of security and oversight for local access as well. Whether a user is connecting remotely or standing at a terminal on the plant floor, every session can be identity-verified, recorded, audited, and controlled.

No more shared logins like “ENG-01.” With Xona, even local users get individual access credentials, role-based permissions, and session-level accountability. Teams gain full visibility into who accessed what, when, and for how long, helping eliminate blind spots in compliance, investigations, and operational oversight.

Yes, Xona includes secure, policy-enforced file transfer specifically designed for OT environments. This feature enables:

  • ICAP-based file scanning with leading AV tools before files reach the OT network
  • Role-based upload/download permissions to tightly control file movement
  • Full audit trail and session recording to ensure accountability and compliance

This allows patch packages, vendor files, and engineering documentation to be transferred into segmented networks without exposing open paths, introducing unmanaged tools, or bypassing change control procedures.

Xona’s file transfer is browser-based, requires no agents, and supports integration into existing workflows, enabling fast, secure delivery aligned with OT governance models.

You don’t have to choose. Xona supports both centralized and distributed deployment models.

You can start with a standalone gateway at a single site, perfect for air-gapped or regulated environments. As needs evolve, Xona also supports a centralized management appliance for orchestrating access, policies, and visibility across multiple sites. This flexibility allows teams to scale securely without re-architecting their environment, whether managing one facility or dozens.

Xona supports agentless access to RDP, SSH, VNC, and web interfaces. There’s no need to install software on the user’s machine (no agents, plugins, or proprietary clients required). Access is launched directly from any modern browser through protocol isolation and encrypted delivery. This not only simplifies access but also eliminates direct system exposure, enforces zero-trust principles, and reduces the attack surface.

For OT teams, this means fewer support headaches, no risk from unmanaged endpoints, and full visibility into every session without user endpoints touching the underlying systems.