§ BROCH vs NGROK

Broch runs your tunnels on your own infrastructure. ngrok runs them on its cloud.

Both get a public URL to a service behind your firewall. The difference is where your traffic goes to get there — and whether your security team can answer for it.

Broch is self-hosted. It runs inside your own cloud account or on-prem, every tunnel is opened through the identity provider you already run, and your traffic never leaves your network — decrypted only on servers you control. Deny-all by default: nothing is exposable, not even localhost, without an admin-assigned policy. Every tunnel carries a name from your IdP, and every event lands in your own SIEM. Nothing new in your vendor data-path, nothing new in your audit scope, no third party between your users and your services. ngrok is mature and certified — but it’s a hosted service: on its cloud every request transits ngrok’s edge, decrypted there by default, and a developer can forward a tunnel to anything reachable, with no org-level policy over the target.

Broch vs ngrok, line by line.

Capability / Broch / ngrok

Where it runs
  Broch: Your infrastructure — Azure, AWS, on-prem (Docker / Terraform / Bicep); runs independently
  ngrok: ngrok’s global cloud

Client footprint
  Broch: A lightweight CLI that runs the specific tunnels you ask for — no device-wide agent
  ngrok: A lightweight agent that publishes the services you configure — same targeted model, on ngrok’s network

Data sovereignty
  Broch: Traffic never leaves your network
  ngrok: Every request transits ngrok’s edge, decrypted there by default (ngrok’s cloud service)

In your vendor data-path?
  Broch: No — software you run, not a service in the path
  ngrok: Yes — ngrok is a processor in your traffic path

Compliance burden
  Broch: Inside your existing audit (self-hosted) — no vendor to assess
  ngrok: ngrok is a vendor you must assess (they hold SOC 2 Type 2 to support this)

Identity sovereignty
  Broch: Your own IdP (any OIDC: Okta, Entra ID, Auth0); access granted to IdP roles/groups, enforced in your deployment; no unauthenticated tunnels
  ngrok: ngrok-managed auth / their OAuth integrations

Default exposure
  Broch: Deny-all — no tunnel without an admin-assigned policy (localhost included); non-loopback targets must be admin-registered (Service Registry); revoke and live tunnels drop
  ngrok: Developer points the agent at any reachable target, public internet included; no admin allow-list

User attribution
  Broch: Every tunnel’s activity tied to the IdP identity that created it — in your own SIEM

Log ownership
  Broch: Generated in your infra, streamed to your SIEM (Datadog, Seq, OpenTelemetry, stdout), no tier gate; method/path/status/user — not headers or bodies
  ngrok: Full HTTP requests/responses pass through ngrok; logs live in ngrok

Transport
  Broch: Open standards you can inspect — SSH (RFC 4251–4254) over WebSocket, OIDC/JWT, YARP
  ngrok: Agent + relay to ngrok’s edge

Pricing
  Broch: Flat per developer seat ($10/seat/mo) — you set the seat count, seats auto-assign up to it, no metering
  ngrok: Usage-metered — endpoint-hours, requests, data transfer, policy units, + per-seat on team plans

Five reasons sovereignty-bound teams move from ngrok to Broch.

01

Your regulated traffic shouldn’t transit a third party — at all.

Broch keeps the entire data path inside your perimeter — decrypted only on servers you control, with no vendor edge in the middle. No processor to assess, no DPA to negotiate, no new box in your audit diagram; Broch runs on your servers like your database does. ngrok is certified and encrypts in transit, but on its cloud every request still crosses ngrok’s edge, decrypted there by default. Its end-to-end encryption option only limits ngrok’s edge to ciphertext; the traffic still leaves your network either way. For PCI-scoped webhook data, ePHI, or anything under a data residency rule, “encrypted through the vendor” isn’t “it never left our network.”

02

SSO at creation — every tunnel tied to an IdP identity.

Every Broch tunnel is opened through the IdP you already run — Okta, Entra ID, Auth0, any OIDC provider — and an admin-assigned policy has to permit it (deny-by-default). The tunnel and its activity are logged and attributed to the IdP identity that created it. So when your security team asks “who exposed what, and when,” there’s a name on it — not an anonymous URL.

03

Deny-by-default, not expose-by-default.

With Broch, a developer with no admin-assigned policy can expose nothing — not even their own localhost. An admin grants a policy to permit loopback; to reach anything beyond it — a database, an internal API, another host — the admin registers that target in Broch’s Service Registry and names it in the policy. The grant is live: revoke it and the developer’s running tunnels drop. Access tunnels are deny-all until an admin grants an endpoint to an IdP group. Broch reaches only what an admin registered.

ngrok inverts the burden. A developer can point a tunnel at “any address or URL reachable from the agent” — their own docs — a database, an admin panel, a whole other website. ngrok can limit which inbound public URL a developer gets, but nothing checks the destination.
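To make the deny-by-default model concrete, here is an added illustrative policy evaluator in Python. It is not Broch’s code and every name in it (PolicyEngine, Policy, TunnelRequest, the in-memory Service Registry, the event names) is an assumption; it models only the behaviour this section describes: with no assigned policy nothing is exposable, loopback needs an explicit grant, a non-loopback target must be admin-registered and named in a policy, and revoking a policy drops the tunnels opened under it. Each decision is recorded as a structured event carrying user, target and outcome only.

```python
"""Illustrative deny-all tunnel policy evaluator (assumed model, not Broch's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    """An admin-assigned grant: which IdP groups it covers and what they may expose."""
    name: str
    groups: Set[str]
    allow_loopback: bool = False                     # loopback is NOT exposable without this
    services: Set[str] = field(default_factory=set)  # Service Registry names this grant covers


@dataclass
class TunnelRequest:
    """What the CLI asks for after the IdP login: who, and which target."""
    user: str          # IdP subject, e.g. alice@example.com (constructed sample)
    groups: Set[str]   # IdP group claims
    host: str
    port: int


@dataclass
class Tunnel:
    user: str
    target: str
    policy: str        # the grant that allowed it; revoking that grant drops the tunnel


class PolicyEngine:
    """Deny-all evaluator: a request is allowed only by a matching admin grant."""

    def __init__(self) -> None:
        self.registry: Dict[str, Tuple[str, int]] = {}  # service name -> (host, port)
        self.policies: Dict[str, Policy] = {}
        self.live: List[Tunnel] = []
        self.events: List[dict] = []                    # audit trail: user, target, decision

    # --- admin operations ---------------------------------------------------
    def register_service(self, name: str, host: str, port: int) -> None:
        self.registry[name] = (host, port)
        self.events.append({"event": "service.registered", "service": name})

    def assign_policy(self, policy: Policy) -> None:
        self.policies[policy.name] = policy
        self.events.append({"event": "policy.assigned", "policy": policy.name})

    def revoke_policy(self, name: str) -> List[Tunnel]:
        """Remove a grant and drop every live tunnel that was opened under it."""
        self.policies.pop(name, None)
        dropped = [t for t in self.live if t.policy == name]
        self.live = [t for t in self.live if t.policy != name]
        for t in dropped:
            self.events.append({"event": "tunnel.dropped", "user": t.user,
                                "target": t.target, "policy": name})
        return dropped

    # --- evaluation -----------------------------------------------------------
    @staticmethod
    def _is_loopback(host: str) -> bool:
        if host.lower() == "localhost":
            return True
        try:
            return ip_address(host).is_loopback
        except ValueError:
            return False  # any other hostname is treated as a non-loopback target

    def _lookup_service(self, host: str, port: int) -> Optional[str]:
        for name, (h, p) in self.registry.items():
            if h == host and p == port:
                return name
        return None

    def open_tunnel(self, req: TunnelRequest) -> Tuple[bool, str]:
        target = f"{req.host}:{req.port}"
        applicable = [p for p in self.policies.values() if p.groups & req.groups]

        if not applicable:
            grant, reason = None, "no policy assigned to user's groups"
        elif self._is_loopback(req.host):
            grant = next((p for p in applicable if p.allow_loopback), None)
            reason = "loopback not permitted by any assigned policy"
        else:
            service = self._lookup_service(req.host, req.port)
            if service is None:
                grant, reason = None, "target not in Service Registry"
            else:
                grant = next((p for p in applicable if service in p.services), None)
                reason = f"service {service} not granted to user's groups"

        if grant is None:
            self.events.append({"event": "tunnel.denied", "user": req.user,
                                "target": target, "reason": reason})
            return False, reason

        self.live.append(Tunnel(req.user, target, grant.name))
        self.events.append({"event": "tunnel.opened", "user": req.user,
                            "target": target, "policy": grant.name})
        return True, f"allowed by policy {grant.name}"


if __name__ == "__main__":
    eng = PolicyEngine()
    alice = TunnelRequest("alice@example.com", {"developers"}, "localhost", 3000)
    print(eng.open_tunnel(alice))                     # denied: no policy at all
    eng.assign_policy(Policy("dev-loopback", {"developers"}, allow_loopback=True))
    print(eng.open_tunnel(alice))                     # allowed: loopback grant
    db = TunnelRequest("alice@example.com", {"developers"}, "10.0.0.5", 5432)
    print(eng.open_tunnel(db))                        # denied: not registered
    eng.register_service("staging-db", "10.0.0.5", 5432)
    eng.assign_policy(Policy("db-access", {"developers"}, services={"staging-db"}))
    print(eng.open_tunnel(db))                        # allowed: registered + granted
    print(eng.revoke_policy("db-access"))             # the live db tunnel is dropped
```

The two orderings matter: the Service Registry lookup runs before the group check, so an unregistered host is refused even to a fully privileged user, and revocation acts on the live tunnel list rather than only on future requests.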

04

Audit and operational logs stream to your SIEM, in real time.

Broch emits structured events as they happen — every tunnel, every policy decision, every admin change, plus operational logs — straight to your own logging stack (Datadog, Seq, OpenTelemetry, stdout). They land in your SIEM live, retained and alerted on by your own tools. The record of who did what is generated in your infrastructure and stays there — nothing to pull from a vendor dashboard, nothing that lived in someone else’s cloud first.

see what Broch logs, and how the rest of the security model works →
05

Licensed per seat — and we don’t track your users.

Broch is licensed per developer seat. You set the seat count; seats auto-assign on first use, up to that count — nobody hand-picks who gets one. Hit the limit and the developer gets a clear message; an admin raises the count from the console and it applies live, prorated. And per-user pricing would mean counting your people; we don’t. What Broch reports for licensing is a seat count, never an identity. Your user list isn’t our business — the same way your traffic isn’t.

Run your own tunnels in minutes.

Deploy with Docker, Terraform, or Bicep. Bring your identity provider. Keep your traffic and your keys on your side of the line.

ngrok is a trademark of its respective owner. Broch is not affiliated with or endorsed by ngrok. Comparisons reflect ngrok’s publicly documented behavior at the time of writing (June 2026).