How Broch compares.
Broch is self-hosted — your network, your SSO, your audit log. ngrok and Cloudflare are capable managed services, but both put their edge in your traffic path. Here's the difference, side by side.
Broch, ngrok, and Cloudflare Zero Trust.
| Capability | Broch | ngrok | Cloudflare Zero Trust |
|---|---|---|---|
| Where it runs | Your infrastructure (Docker / Terraform / Bicep); runs independently | ngrok's global cloud | A connector (cloudflared) + Cloudflare's network; needs a Cloudflare account |
| Data sovereignty | Never leaves your network | Transits ngrok's edge, decrypted there by default | Transits Cloudflare's edge, decrypted there |
| Client footprint | A lightweight CLI — no device-wide agent | A lightweight agent — targeted publish | WARP agent routes all device traffic by default |
| Identity sovereignty | Your own IdP (any OIDC), enforced in your deployment | ngrok-managed auth / OAuth integrations | Your own IdP via Cloudflare Access, enforced at Cloudflare's edge |
| Default exposure | Deny-all; targets admin-registered (Service Registry) | Any reachable target; no admin allow-list | Connector sets ingress; no admin-enforced allow-list |
| Log ownership | Your SIEM, no tier gate | Lives in ngrok | In Cloudflare; SIEM export via Logpush (Enterprise) |
| Pricing | $10 per developer seat / mo — flat. You set the seat count; seats auto-assign to developers up to it. No metering, no tier gates. | Usage-metered + per-seat | $7 / user / mo over 50 users — every user counted; SIEM log export needs the Contract tier |
Read the full comparison.
ngrok is a hosted ingress service: fast and certified, but every request transits ngrok's cloud and a developer can forward a tunnel to anything reachable. Broch keeps the path in your network and gates every tunnel through your IdP.
read Broch vs ngrok →Cloudflare Zero Trust is a capable SASE platform with real identity — but it routes your traffic, and your devices, through Cloudflare's edge, and the logs live there. Broch keeps the traffic, the decisions, and the audit trail on your side.
read Broch vs Cloudflare Zero Trust →Run your own tunnels in minutes.
Deploy with Docker, Terraform, or Bicep. Bring your identity provider. Keep your traffic on your side of the line.
ngrok and Cloudflare are trademarks of their respective owners. Broch is not affiliated with or endorsed by either. Comparisons reflect each product's publicly documented behavior at the time of writing (June 2026).