If you already pay for CrowdStrike Falcon, you have a real-time picture of how trustworthy each of your devices is right now. Patches, sensor health, login behavior, account hygiene — all rolled into a Zero Trust Assessment score on a 0-100 scale.
What's harder is using that score to actually gate anything. The usual path is one of:
- Buy a full ZTNA suite (Zscaler, Netskope, Palo Alto Prisma Access, Cloudflare Zero Trust), where posture-based access is often packaged into higher per-user tiers.
- Wire ZTA scores into your identity provider's Conditional Access — works for Microsoft 365 / Entra ID resources, not so much for everything else.
- Build a custom integration. Falcon has APIs. Time to write some code.
For organizations smaller than mid-market enterprise, all three are awkward. The first is expensive; the second only covers cloud apps; the third is engineering time you don't have.
When we built HostAnywhere, we wanted the ZTA score to be a first-class condition on access rules. Not a Premium-tier upcharge. Not a "configure your IdP and pray" workaround. Just: this rule applies only if the device's Falcon ZTA score is 70 or higher.
This post walks through how it works.
What HostAnywhere uses from Falcon
Falcon's ZTA score is a single number per device, refreshed continuously by the Falcon sensor based on:
- Sensor health — is the agent installed, running, and reporting?
- OS posture — patch level, security configuration, anti-tamper status.
- Identity posture — login behavior, account configuration, MFA status (if Falcon Identity Protection is also licensed).
- Application posture — installed software, known vulnerabilities.
HostAnywhere polls the Falcon API every 5 minutes and caches the ZTA score for each device that has the Falcon sensor installed. The score becomes a condition you can attach to any Access Control rule.
The score is useful as a policy signal, but it should be treated as one input into access decisions, not as a complete security verdict. It works best combined with least-privilege rules, default-deny policy, and application-layer authentication (SSH keys, service login).
What setup looks like
You need:
- A CrowdStrike Falcon tenant.
- API credentials with read access to the ZTA endpoint (we ship the exact scope list in our docs).
- HostAnywhere on the Developer plan or higher ($9/mo flat).
In the HostAnywhere dashboard, Integrations → CrowdStrike Falcon → paste credentials. We test the connection, pull the list of devices, and match them to HostAnywhere devices using available identifiers such as hostname and device metadata. Mismatches show up as warnings — usually a device that has the Falcon sensor but isn't on the HostAnywhere mesh, or vice versa.
Once it's connected, your Access Control rules grow a new condition: device.posture.crowdstrike.zta_score. You set a threshold; rules apply only when the threshold is met.
Example rule: gate the production NAS
Say you have a production NAS on your mesh and want only laptops with a Falcon ZTA score above 70 to reach it.
The rule reads as:
Allow tag:engineering → device:prod-nas
on tcp/445,tcp/22
when device.posture.crowdstrike.zta_score >= 70
Devices below 70, or devices with no Falcon match at all, do not satisfy the rule. If you have a default-deny at the bottom (the recommended setup), those devices simply can't reach the NAS.
If a device's Falcon score drops to 60 because of an out-of-date OS patch, at the next posture refresh — usually within about 5 minutes — the rule stops matching and access is denied by the default-deny policy. No manual rule change required. The user sees their connection drop, calls IT, and the resolution path is "patch your laptop" — which is the right resolution path.
Why this matters more than it sounds
Most organizations buy CrowdStrike to detect threats. The ZTA score is a byproduct — a continuous trustworthiness signal that already exists in Falcon's backend, useful for far more than the dashboard heatmap most teams use it for.
Wiring it into access control changes the model in a real way. Instead of "we'll detect the breach after it happens," you can reduce the chance of lateral movement by denying access from devices whose posture has degraded. That's the Zero Trust principle in its honest form: don't trust the device just because it's authenticated; trust it only as far as its current state warrants.
The catch was always operational: most ZTNA products that consume Falcon ZTA scores cost more than Falcon itself for small teams. The license math stops making sense.
HostAnywhere's pricing puts this in reach: $9/mo flat for the Developer plan, within plan limits (5 members, 100 devices), with posture and integrations included. Plug in your Falcon credentials, define your rules, done.
What this doesn't replace
We're being honest:
- This is not Falcon Identity Protection. We use ZTA scores; we don't drive Falcon's identity-side policies. If you need to block risky logins inside Microsoft 365 or your SaaS apps based on Falcon signals, you still want Falcon Identity Protection on top of Entra Conditional Access.
- This is not a full ZTNA suite. We don't terminate browser sessions in a vendor cloud. We don't do per-app proxying for SaaS. We're a secure-access layer for your devices and the services you own — homelab gear, internal apps, dev environments, infrastructure.
- We don't replace Falcon. We consume its score. The Falcon sensor still has to be installed and licensed on each device you want to gate.
- We don't surface every Falcon signal. Today we read the ZTA score. We don't drill into specific findings (CVE counts, sensor uptime, etc.) — that's roadmap.
What's in the Developer plan vs. the alternatives
The relevant comparison isn't "HostAnywhere vs Falcon's pricing." Falcon's price is the same regardless of what you put in front of it.
The comparison is "what's the cheapest way to use Falcon ZTA scores to actually gate access to internal resources?"
At the time of writing, many secure-access and ZTNA products package posture checks into higher per-user tiers. That pricing model can make Falcon-based access control expensive for small teams. HostAnywhere takes a different approach: the Developer plan is $9/month flat (within plan limits) and includes posture conditions and integrations.
| Product | Posture availability | Notes |
|---|---|---|
| Tailscale Premium | Included | Per-user pricing |
| Twingate paid team plans | Included on higher tiers | Per-user pricing |
| Cloudflare Zero Trust | Available depending on plan and posture source | Per-user pricing on paid plans |
| HostAnywhere Developer | Included | $9/month flat for the network, within plan limits |
Vendor pricing and packaging change frequently; check current pricing pages before making budget decisions. The general shape — per-user vs. per-network — is what tends to be stable.
The integration math changes who can afford this. A two-person consultancy gating access on Falcon scores no longer needs a per-user enterprise quote — a flat per-network plan covers the same use case.
Things we learned along the way
A few practical notes that aren't obvious from the docs:
- Pick the ZTA threshold deliberately. A threshold of 50 admits almost everything. 70 is a reasonable default for "decent posture required." 80+ starts to lock out devices that are fine but have minor patches pending. Start at 70 and tune from there based on how often your team's devices actually score.
- Devices without Falcon installed have no score, not a score of zero. A rule that requires
zta_score >= 70will not match a device without the Falcon sensor — it doesn't match because there's no score, not because the score is below threshold. That distinction matters when you're debugging "why can't this device reach the resource?" - Posture stacks with other conditions. A single rule can require both
crowdstrike.zta_score >= 70ANDintune.compliant == true. Useful when you want both checks, and a real fit for hybrid Mac/Windows fleets where Intune covers some devices and CrowdStrike covers all of them. - The Falcon API has rate limits. Our 5-minute poll cycle stays well under them for fleets in the hundreds. If you're at thousands of devices, talk to us — we have a different polling pattern for higher-scale tenants.
- Treat stale posture data deliberately. A cached score is a few minutes old by definition, and if the Falcon API is down or a device hasn't reported recently, the cached score may be stale or missing. In production, decide whether stale or missing Falcon data should fail open (allow under the previous rule) or fail closed (deny until fresh data arrives). For sensitive resources, we recommend fail-closed behavior.
How to try it
Sign in at hostanywhere.io on the Free plan. Connect a couple of devices to your mesh. Upgrade to Developer ($9/mo) to enable posture and integrations.
Connect Falcon under Integrations → CrowdStrike Falcon. Set a test rule with a ZTA threshold. Watch the dashboard.
For a complete walkthrough, see our docs — the CrowdStrike Falcon page covers each step, the required API scopes, and the troubleshooting list for the failure modes we've seen most often.
Try HostAnywhere Free at hostanywhere.io — connect up to 10 devices with no credit card. Upgrade to Developer when you're ready to enable CrowdStrike posture conditions.