BastionZero is a name that appears in both cryptocurrency and cybersecurity contexts. Originally a blockchain security startup focused on enabling traders to maintain custody of their assets while trading on exchanges, the company later pivoted to infrastructure security and was acquired by Cloudflare. This guide explains what BastionZero is, its key technologies, how it evolved, and what users should know.
BastionZero is a cybersecurity company that originated in the cryptocurrency space. It was founded by Sharon Goldberg and Ethan Heilman, who initially launched the company as Commonwealth Crypto in 2018[reference:0]. The company's early mission was to develop technology that would allow traders to maintain custody of their coins while trading on a cryptocurrency exchange[reference:1].
In 2020, the company rebranded as BastionZero and pivoted away from the cryptocurrency industry, applying its cryptographic security expertise to the broader problem of securing access to computer servers and other infrastructure[reference:2][reference:3]. The company raised approximately $7.5 million in funding, including a $6 million seed round led by Dell Technologies Capital[reference:4][reference:5].
In May 2024, BastionZero was acquired by Cloudflare, a major network and security provider[reference:6][reference:7]. Its technology is now being integrated into Cloudflare's Zero Trust Network Access (ZTNA) platform as Cloudflare Access for Infrastructure[reference:8].
BastionZero is not a cryptocurrency or a blockchain project with a native token. It is a cybersecurity technology company that originally focused on crypto custody solutions before pivoting to zero-trust infrastructure access. Any "BastionZero token" listings on third-party sites are not affiliated with the official company.
BastionZero's foundational technology is built around a cryptographic protocol called MRZAP (Multi-Root Zero Trust Access Protocol)[reference:9]. This protocol provides a secure "bastion as a cloud service," eliminating single points of compromise in infrastructure access[reference:10].
The core principle of BastionZero's approach is zero trust. In a zero-trust model, clients do not have any standing credentials[reference:11]. Instead:
This approach is designed to prevent attacks like the 2001 Fluffy Bunny hacking group, which exfiltrated long-lived SSH credentials and used them to compromise targets[reference:15]. By using short-lived tokens, the attack surface is significantly reduced.
BastionZero's unique security model uses multiple independent roots of trust to control access to infrastructure targets[reference:16]. This means that even if one root of trust is compromised, the others remain secure, eliminating single points of failure[reference:17][reference:18].
Traditional VPNs and bastion hosts create a single point of compromise. If an attacker breaches that point, they can access everything. BastionZero's architecture distributes trust across multiple independent roots, making it much harder for an attacker to gain comprehensive access.
Before becoming an infrastructure security company, BastionZero (then Commonwealth Crypto) focused on a critical problem in the cryptocurrency industry: exchange custody risk.
When traders use a centralized exchange, they typically deposit their coins into the exchange's wallet, giving the exchange custody of their assets. If the exchange is hacked or becomes insolvent, traders can lose their funds. BastionZero's original technology aimed to solve this by allowing traders to maintain custody of their coins while still trading on an exchange[reference:19][reference:20].
This technology was particularly valuable for institutional traders and high-net-worth individuals who wanted to trade on exchanges without exposing their entire holdings to exchange risk.
BastionZero's crypto custody technology is no longer actively developed as a standalone product. The company pivoted away from the cryptocurrency industry in 2020[reference:24], and the original product is maintained only for legacy customers[reference:25]. New users interested in crypto custody solutions should research current offerings from other providers.
In 2020, BastionZero's founders made a strategic decision to pivot away from the cryptocurrency industry[reference:26]. According to Sharon Goldberg, the cryptocurrency industry was "very small" at the time, and the team wanted the opportunity to build something that any engineer could use[reference:27].
The pivot involved applying the same cryptographic security principles to a much larger problem: securing access to computer servers and infrastructure[reference:28]. The company built a zero-trust software platform designed to protect access to a company's infrastructure, eliminating the need for traditional VPNs, bastion hosts, and SSH and Kubernetes key management[reference:29].
In May 2024, BastionZero was acquired by Cloudflare[reference:30][reference:31]. The acquisition brought BastionZero's technology and team into Cloudflare, where it is being natively rebuilt as Cloudflare Access for Infrastructure[reference:32].
As of 2026, BastionZero as a standalone product is not available for new customers. Organizations interested in the technology should explore Cloudflare Access for Infrastructure, which incorporates BastionZero's zero-trust principles.
The table below contrasts BastionZero's zero-trust approach with traditional infrastructure access methods like VPNs and bastion hosts.
| Feature | BastionZero / Cloudflare Access for Infrastructure | Traditional VPN / Bastion Host |
|---|---|---|
| Security model | Zero trust with short-lived tokens | Perimeter-based with long-lived credentials |
| Single point of compromise | Eliminated via multiple independent roots of trust | Yes (the VPN or bastion host itself) |
| Credential lifetime | Short-lived tokens (expire quickly) | Long-lived SSH keys or passwords |
| MFA requirement | Required for each access attempt | Often only at initial login |
| Cloud-native | Yes, designed for cloud and hybrid environments | Often legacy, on-premise focused |
| Infrastructure targets | Servers (SSH, RDP), Kubernetes, databases[reference:36] | Limited to network-level access |
Note: This comparison is based on BastionZero's documented architecture. Actual implementations may vary. Always verify current capabilities with the official provider.
If you are evaluating zero-trust infrastructure access solutions (including Cloudflare Access for Infrastructure, which incorporates BastionZero's technology), use this checklist to assess your options.
Whether you are researching BastionZero's original crypto custody technology or its current zero-trust infrastructure solutions, here are common pitfalls to avoid.
Alex is a systems administrator looking to secure access to his company's Kubernetes clusters. He reads about BastionZero's zero-trust technology and searches for "BastionZero product." He finds a third-party site listing a "BastionZero token" with a market cap and price, and almost invests in it, thinking it's the company's native cryptocurrency.
What Alex should have done: He should have visited the official BastionZero website (www.bastionzero.com) or documentation (docs.bastionzero.com) to understand that the company does not have a token. He would have discovered that the standalone BastionZero product is no longer available for new customers and that the technology is now part of Cloudflare Access for Infrastructure[reference:48].
Lesson: Always verify information from official sources. Third-party cryptocurrency listings may be completely unrelated to the actual company.
While BastionZero's technology offers significant security advantages, it is important to understand its limitations and the risks associated with any infrastructure access solution.
This guide provides educational information only. It is not financial, legal, or tax advice. Always conduct your own research and consult with qualified professionals before adopting any security solution or making investment decisions.
Quick answers to common questions about BastionZero and its related technologies.
BastionZero is a cybersecurity company that originally focused on allowing traders to maintain custody of their coins while trading on an exchange. It later pivoted to zero-trust infrastructure access and was acquired by Cloudflare in 2024[reference:52][reference:53].
No. BastionZero is a technology company, not a cryptocurrency project, and does not have a native token[reference:54]. Some third-party sites list a "BastionZero" token, but this is not an official project from the company and should be treated with caution.
MRZAP (Multi-Root Zero Trust Access Protocol) is a cryptographic protocol developed by BastionZero that provides secure "bastion as a cloud service," eliminating single points of compromise in infrastructure access[reference:55].
The cryptocurrency industry was relatively small, and the founders wanted to build a product that any engineer could use. They applied their cryptographic expertise to the broader problem of securing access to servers and infrastructure[reference:56].
In May 2024, BastionZero was acquired by Cloudflare[reference:57]. Its technology is being natively rebuilt as Cloudflare's Access for Infrastructure service, a Zero Trust Network Access (ZTNA) solution[reference:58].
The original BastionZero product is maintained only for existing legacy customers[reference:59]. New customers are directed to Cloudflare's Access for Infrastructure service, which integrates BastionZero's technology[reference:60].
Zero-trust security is a model where clients do not have standing credentials. Each time a user wants to access a target, they must prove their identity via SSO and MFA, receiving a short-lived token that expires quickly, limiting attack surfaces[reference:61].
BastionZero was founded by Sharon Goldberg and Ethan Heilman[reference:62]. Goldberg is an associate professor of computer science at Boston University[reference:63], and Heilman is a cryptologist with a Ph.D. from Boston University[reference:64].