This GigaOm Research Reprint Expires November 6, 2026
November 7, 2025

GigaOm Radar for Cloud Network Security v3

Andrew Green

1. Executive Summary

Cloud network security solutions provide a suite of security services for single-cloud and multicloud environments to prevent unauthorized traffic, access, modification, misuse, or exposure. Cloud network security is entirely software-driven, with vendors orchestrating cloud-native, third-party, or proprietary appliances to enforce security policies and gain visibility over the infrastructure footprint.

Native security appliances in public clouds offer functionalities that are limited because, for example, they lack granularity in policies or have only simplistic filtering capabilities. Many vendors featured in this report offer proprietary alternatives that can be deployed across multiple cloud providers to deliver consistent security across the whole surface area. These functionalities may include firewalls, gateways, load balancers, sandboxes, or network traffic analysis appliances.

Some vendors leverage third-party appliances or provide proprietary ones, such as firewalls, to deliver more advanced functionalities than those available natively in the public clouds. Other vendors orchestrate native solutions, which can still bring considerable benefits with extensive visibility and global policy definitions, often with less disruption and without passing the cost of developing proprietary appliances or licensing third-party solutions to the end customer.

Cloud network security solutions must unify different environments, so a solution can deliver its benefits only by working through several phases in order. Those phases are a useful yardstick for selecting a solution.

First, the solution needs to gain visibility over the environments that need securing, which includes onboarding activities such as accessing public cloud accounts. Once the requisite permissions are in place, the solution must discover all of the assets within these environments. Across multiple clouds, these should include virtual networking constructs, regions and availability zones, existing security and networking appliances, compute and storage instances, workloads, applications, and other services, such as databases.

Second, the solution needs to create visualizations that reflect the current environment. These can be topological maps that display how networks and workloads communicate and are isolated from each other. If the environment spans multiple cloud providers, the solution should also capture this level of information and create a comprehensive view of the entire cloud estate.

Third, solutions that are able to detect misconfigurations, which include internet-exposed resources, open ports, or policies that are too permissive, will highlight any current configuration issues. To do this, the solution may require a sample of real-world traffic to understand the connectivity across resources and identify potential security risks.

With a clear understanding of the cloud environment, including how entities are connected and how traffic flows, administrators can define security policies across environments more intelligently. 

The policy engine serves as a crucial component, enabling the creation of policies that provide granular control over rules, accommodate elastic workloads, and offer traffic-based recommendations. These policies are essential for securing ingress and egress filtering for north-south (client-server) traffic and for implementing network segmentation for east-west (server-to-server) traffic.

Once policies are defined and the solution is up and running, the tool must continuously reassess and reinforce policies as configurations and workloads in the cloud change. Topology maps and segments must be updated as entities are spun up and down.

Finally, in addition to filtering traffic that enters, exits, and traverses the environment, cloud network security solutions should also inspect and analyze traffic and communication patterns to detect anomalies. This information is useful to identify attempts at obfuscating data exfiltration, command and control attacks, and lateral movement, as well as detecting malware before it enters the network.

This is our third year evaluating the cloud network security space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year. 

This GigaOm Radar report examines nine of the top cloud network security solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading cloud network security offerings, and help decision-makers evaluate these solutions so they can make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well cloud network security solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • Small-to-medium business (SMB): Solutions in this category meet the needs of organizations ranging from small businesses to medium-sized companies. For this segment, solutions need to be easy to use and deploy while also being able to scale up and tackle more complex problems as the business grows.

  • Large enterprise: Large enterprises have both complex environments and complex requirements, so they require cloud network security tools that are able to provide visibility and control over extensive infrastructure footprints and to enable business logic with minimal friction.

  • Regulated industries: These organizations typically include verticals such as finance, healthcare, and government, for which vendors need to support compliance with regulatory standards and bodies.

  • Managed services providers: These businesses work with multiple enterprise clients who want to outsource their infrastructure management responsibility. Thus they require solutions with multitenancy features and the ability to manage multiple environments from a single pane of glass.

For this report, we recognize the following deployment models:

  • Virtual appliance: This model requires the customer to deploy vendor appliances in environments where the cloud network security solution needs to enforce policies. Form factors can include preconfigured VMs or container images.

  • Software only: This model offers customers an installation file that they can install and run on their preferred operating system and compute instance.

  • Public cloud image: With this model, appliances are available for purchase through cloud marketplaces and run in a cloud environment.

  • Agentless: The solution does not require any installation or management of security or networking appliances.

Table 1. Vendor Positioning: Target Market and Deployment Model

Target market columns: SMB; Large Enterprise; Regulated Industries; MSP
Deployment model columns: Virtual Appliance; Software Only; Public Cloud Image; Agentless
Vendors (rows): AlgoSec; Aviatrix; Check Point; Cisco; F5; Trend Micro; Tufin; VMware (Broadcom)
(The yes/no marks in the individual cells are not legible in this copy.)
Source: GigaOm 2026

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1). 

The target market reflects the use cases for which each solution is recommended, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Vendor-agnostic integrations

  • Service insertion

  • Service orchestration

  • Log aggregation

  • Centralized management

  • Cloud awareness

  • Software-only solution

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a cloud network security solution.

  • Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months. 

  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Cloud Network Security Solutions.”

Key Features

  • Network segmentation: This metric evaluates the solution’s ability to implement this key technique for protecting east-west traffic and minimizing the level of exposure of public-facing resources. Segmentation defines logical network constructs by which only entities within the same segment can communicate with each other.

  • Ingress traffic security: This metric evaluates the solution’s ability to provide control over incoming traffic, blocking and filtering malicious or unwanted requests. To protect against outside resources accessing the cloud network, a solution needs to first and foremost manage and orchestrate firewall policies.

  • Egress traffic security: This metric evaluates the solution’s ability to secure outbound traffic, which is the stream of requests initiated by cloud identities to external resources. These are requests made to, for example, external payment gateways, API-based services, SaaS services, software updates, and external URLs.

  • Policy definition engine: This metric evaluates the solution’s ability to define, manage, and enforce policies that are applied to multicloud environments at a global level. The policy definition engine and interface dictate how easy the solution is to use. 

  • Security observability: This metric evaluates the solution’s ability to discover, map, and display security-related constructs, including network segments, security groups, traffic flows, and public-facing assets. 

  • Suspicious network behavior detection: This metric evaluates the solution’s ability to find and indicate malicious activity and patterns of anomalous activity. 

  • Secure networking for ephemeral resources: This metric evaluates the solution’s ability to secure ephemeral resources such as containers and serverless functions, which pose new security threats. These resources can be infected when they are live, spun up by malicious actors, or fed malicious data. 

  • Network misconfiguration detection: This metric evaluates the solution's ability to identify misconfigurations, vulnerabilities, and misuse.

Table 2. Key Features Comparison

Rating scale: Exceptional (★★★★★), Superior (★★★★), Capable (★★★), Limited (★★), Poor (★), Not Applicable
Columns: Average Score; Network Segmentation; Ingress Traffic Security; Egress Traffic Security; Policy Definition Engine; Security Observability; Suspicious Network Behavior Detection; Secure Networking for Ephemeral Resources; Network Misconfiguration Detection

AlgoSec (average 4.1): Network Segmentation ★★★★; Ingress Traffic Security ★★★★; Egress Traffic Security ★★★; Policy Definition Engine ★★★★★; Security Observability ★★★★★; Suspicious Network Behavior Detection ★★★; Secure Networking for Ephemeral Resources ★★★★; Network Misconfiguration Detection ★★★★★
Aviatrix (average 3.9): Network Segmentation ★★★★★; Ingress Traffic Security ★★★★; Egress Traffic Security ★★★★★; Policy Definition Engine ★★★; Security Observability ★★★★; Suspicious Network Behavior Detection ★★★★; Secure Networking for Ephemeral Resources ★★★; Network Misconfiguration Detection ★★★
Check Point (average 4.4): Network Segmentation ★★★★★; Ingress Traffic Security ★★★★★; Egress Traffic Security ★★★★★; Policy Definition Engine ★★★★★; Security Observability ★★★★; Suspicious Network Behavior Detection ★★★★; Secure Networking for Ephemeral Resources ★★★★; Network Misconfiguration Detection ★★★
Cisco (average 3.9): Network Segmentation ★★★★; Ingress Traffic Security ★★★★; Egress Traffic Security ★★★★; Policy Definition Engine ★★★★; Security Observability ★★★★; Suspicious Network Behavior Detection ★★★; Secure Networking for Ephemeral Resources ★★★★★; Network Misconfiguration Detection ★★★
F5 (average 3.4): seven of eight cells legible, in column order of the legible cells: ★★★★, ★★★★, ★★★, ★★★, ★★★★, ★★★★, ★★★★ (which column is missing is not recoverable from this copy)
Trend Micro (average 1.6): four of eight cells legible: ★★★, ★★★, ★★★, ★★★ (column assignment not recoverable from this copy)
Tufin (average 2.4): five of eight cells legible: ★★★, ★★★★, ★★★★, ★★★, ★★★ (column assignment not recoverable from this copy)
VMware (Broadcom) (average 3.6): seven of eight cells legible, in column order of the legible cells: ★★★★★, ★★★★, ★★★, ★★★★, ★★★, ★★★★★, ★★★★ (which column is missing is not recoverable from this copy)
Source: GigaOm 2026

Emerging Features

  • Exfiltration monitoring: This feature alerts administrators to unauthorized or anomalous data movement across a cloud environment. 

  • Planning and modeling: This feature, given a configuration file such as Terraform or YAML, enables the solution to interpret changes before deploying these changes in production and to simulate how the new cloud resources and configurations operate. 

  • Extended Berkeley Packet Filter (eBPF): This feature enables the execution of sandboxed programs in a privileged context, such as the OS kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to kernel source code or loading kernel modules.

  • Workload authentication and authorization: This feature enables a solution to authenticate and authorize workload identities or nonhuman identities. 

Table 3. Emerging Features Comparison

Rating scale: Exceptional (★★★★★), Superior (★★★★), Capable (★★★), Limited (★★), Poor (★), Not Applicable
Columns: Average Score; Exfiltration Monitoring; Planning and Modeling; eBPF; Workload Authentication and Authorization

AlgoSec (average 1.5): two of four cells legible, in column order of the legible cells: ★★, ★★★ (column assignment not recoverable from this copy)
Aviatrix (average 3.3): Exfiltration Monitoring ★★★★; Planning and Modeling ★★★; eBPF ★★★; Workload Authentication and Authorization ★★★
Check Point (average 2.3): two of four cells legible: ★★★★★, ★★ (column assignment not recoverable from this copy)
Cisco (average 1.8): two of four cells legible: ★★★★, ★★ (column assignment not recoverable from this copy)
F5 (average 2.8): three of four cells legible: ★★, ★★★, ★★★★★ (column assignment not recoverable from this copy)
Trend Micro (average 0.3): no cells legible in this copy
Tufin (average 0.0): no cells legible in this copy
VMware (Broadcom) (average 2.3): three of four cells legible: ★★, ★★★, ★★★ (column assignment not recoverable from this copy)
Source: GigaOm 2026

Business Criteria

  • Zero trust adherence: Cloud network security tools can deliver on the core tenets of zero trust frameworks, including explicit authentication, enforcing least-privilege permissions, continuous verification, and automated response. 

  • Ecosystem: A cloud network solution’s ecosystem is determined by the vendor’s partnerships with other relevant networking, security, and cloud providers. By partnering with specialized vendors, cloud network security vendors can provide best-of-breed services, such as securing ingress and egress traffic by leveraging cloud access security brokers or secure web gateways. Observability can be enhanced by using visualization tools such as Grafana. 

  • Manageability: Ease of use is achieved, for example, through the availability of low-code/no-code builders, integration with workflow automation tools, topological maps, and data-driven suggestions for improved network security posture.

  • DevSecOps suitability: To enhance integration across network, operations, security, and development teams, cloud network security solutions should support the DevSecOps team’s needs for testing, validation, and CI/CD. 

  • Cost and licensing: This criterion assesses the manner in which a solution is licensed and priced, ensuring that customers can manage their solution costs transparently and predictably. 

  • Support services: To help customers adopt and run the solution at the required scale, vendors should offer comprehensive technical documentation and support services. 

  • Interoperability: For a solution to run smoothly across different cloud providers, it should be available in public cloud marketplaces, with any relevant appliances running natively within the cloud environment. Vendors could also provide out-of-the-box integrations with security information and event management (SIEM) solutions, as well as cloud and network observability tools such as Splunk, Datadog, New Relic, or Kentik.

Table 4. Business Criteria Comparison

Rating scale: Exceptional (★★★★★), Superior (★★★★), Capable (★★★), Limited (★★), Poor (★), Not Applicable
Columns: Average Score; Zero Trust Adherence; Ecosystem; Manageability; DevSecOps Suitability; Cost and Licensing; Support Services; Interoperability

AlgoSec (average 3.7): Zero Trust Adherence ★★★★; Ecosystem ★★★★; Manageability ★★★; DevSecOps Suitability ★★★★; Cost and Licensing ★★★; Support Services ★★★★; Interoperability ★★★★
Aviatrix (average 4.0): Zero Trust Adherence ★★★; Ecosystem ★★★; Manageability ★★★★★; DevSecOps Suitability ★★★★; Cost and Licensing ★★★★★; Support Services ★★★★; Interoperability ★★★★
Check Point (average 4.6): Zero Trust Adherence ★★★★; Ecosystem ★★★★★; Manageability ★★★★★; DevSecOps Suitability ★★★★★; Cost and Licensing ★★★★; Support Services ★★★★★; Interoperability ★★★★
Cisco (average 3.9): Zero Trust Adherence ★★★; Ecosystem ★★★; Manageability ★★★★★; DevSecOps Suitability ★★★; Cost and Licensing ★★★★; Support Services ★★★★★; Interoperability ★★★★
F5 (average 4.4): Zero Trust Adherence ★★★★★; Ecosystem ★★★★; Manageability ★★★★; DevSecOps Suitability ★★★★; Cost and Licensing ★★★★; Support Services ★★★★★; Interoperability ★★★★★
Trend Micro (average 3.0): Zero Trust Adherence ★★★; Ecosystem ★★★★; Manageability ★★★; DevSecOps Suitability ★★; Cost and Licensing ★★★; Support Services ★★★★; Interoperability ★★
Tufin (average 3.7): Zero Trust Adherence ★★★★; Ecosystem ★★★; Manageability ★★★; DevSecOps Suitability ★★★★; Cost and Licensing ★★★★; Support Services ★★★★; Interoperability ★★★★
VMware (Broadcom) (average 3.1): Zero Trust Adherence ★★★★; Ecosystem ★★★; Manageability ★★★; DevSecOps Suitability ★★★; Cost and Licensing ★★★; Support Services ★★★; Interoperability ★★★
Source: GigaOm 2026

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.

This image is a radar chart titled "Cloud Network Security" from GigaOm, dated October 2025. The chart evaluates various companies on two dimensions: Maturity and Innovation.

On the Maturity axis, Trend Micro is positioned furthest out, indicating it is a leader in this dimension. Tufin is also shown as relatively mature.

On the Innovation axis, Cisco, Aviatrix and VMware (Broadcom) are positioned as outperformers, with Palo Alto Networks and Check Point close behind. This suggests these companies are seen as the most innovative in cloud network security.

The chart is divided into four quadrants labeled Leader, Challenger, Outperformer and Fast Mover based on the combination of Maturity and Innovation scores.

Below the radar chart, a legend explains that Maturity refers to stability, continuity and potentially slower innovation, while Innovation means flexibility, responsiveness and potential market disruption. Feature Play is described as offering specific functionality and use case support but potentially lacking broad capability, while Platform Play provides broad functionality and use case support but may have more complexity.

Overall, the chart provides a high-level competitive landscape of major players in the cloud network security space along key dimensions of maturity and innovation as assessed by GigaOm analysts.

Figure 1. GigaOm Radar for Cloud Network Security

As you can see in Figure 1, five of our nine vendors are in the Innovation/Platform Play quadrant, with the remaining vendors distributed in the other three quadrants of the chart. While the vendors featured in this iteration of the report are largely consistent with those from last year, some positions have changed, particularly along the Innovation/Maturity axis. In this instance, more vendors are featured in the Innovation half, as they are delivering on the capabilities described in the report’s emerging features.

Vendors in the Feature Play half are focused on specific aspects of securing cloud networks, such as security policy management or traffic filtering. In contrast, the vendors in the Platform Play half deliver on a wider range of use cases, including secure networking of ephemeral resources like Kubernetes-orchestrated containers.

The report features a relatively high number of Outperformers, which is mainly attributed to acquisitions and extensive development pipelines. The Forward Movers are displaying slower release cadences than what we expect in this category.

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

AlgoSec: AlgoSec Cloud Enterprise

Solution Overview
The AlgoSec solution automates application connectivity and security policy across hybrid network estates, including public cloud, private cloud, containers, and on-premises networks. AlgoSec delivers cloud network security solutions via its Firewall Analyzer, FireFlow, and AlgoSec Cloud Enterprise. AlgoSec acquired Prevasio, a SaaS cloud-native application protection platform (CNAPP), in late 2022.

AlgoSec Cloud Enterprise provides application-based risk identification and security policy management across multicloud environments. It offers visibility, risk assessment, and central policy management, providing a single pane of glass for network security posture management. The solution can manage network security controls such as security groups and Azure Firewall across multiple accounts, regions, virtual private clouds (VPCs), and Azure Virtual Networks (VNets).

One of AlgoSec’s distinguishing features is its infrastructure as code (IaC) security scanning capability, which produces “what-if” risk and vulnerability analysis scans within existing source control applications as part of CI/CD pipelines. AlgoBot is another noteworthy feature, an intelligent chatbot that assists with change management processes.

AlgoSec is positioned as a Challenger and Outperformer in the Innovation/Feature Play quadrant of the cloud network security Radar chart.

Strengths
AlgoSec scored well on a number of decision criteria, including:

  • Security observability: AlgoSec can discover, map, and display application connectivity and security policies across public clouds, private clouds, and on-premises networks. A real-time network map provides a comprehensive view of security and networking appliances, including firewalls, routers, and switches. AppViz, an add-on product, enables administrators to quickly and easily associate relevant business applications with firewall rules.

  • Policy definition engine: AlgoSec’s FireFlow automates the security policy change lifecycle. It ensures device changes are approved, necessary, and implemented as intended. FireFlow helps network administrators translate business requests into policy changes. FireFlow performs an analysis of the enterprise's devices, routers, and VPNs to determine whether the requested change is needed, identifies the devices that need to be changed, and proposes the rules in the security policy that need changing.  

  • Network segmentation: AlgoSec can enable customers to define multiple types of network segments, including multicloud and hybrid cloud segments. The solution supports dynamic segmentation, which updates policies as cloud entities migrate or change.

AlgoSec was classified as an Outperformer given its upcoming development pipeline and feature releases.

Opportunities
AlgoSec has room for improvement in a few decision criteria, including:

  • Egress traffic security: While the solution can filter traffic based on URL, fully qualified domain name (FQDN), and domains, it does not currently identify malicious content or perform traffic decryption and analysis. 

  • Suspicious network behavior detection: While the solution does not perform deep packet inspection or behavior profiling of individual users or workloads to detect real-time attacks, it can identify and prevent the conditions that enable attacks, such as lateral movement and data exfiltration.

  • Workload authentication and authorization: AlgoSec does not currently offer capabilities such as token-based authentication, certificate-based authentication, mutual TLS (mTLS), or the SPIFFE/SPIRE frameworks. 

Purchase Considerations
AlgoSec’s licensing model is based on the number of security devices per environment, cloud VM, or containers and the number of applications to be managed. Support is included in the base licenses, and localized deployment support is available in select countries. 

Resizing is done upon contract renewals. AlgoSec offers follow-the-sun, 24/7 support with comprehensive documentation, a dedicated client success manager, and jump starts to facilitate the onboarding of the customer environment. 

Use Cases
Use cases include application discovery and connectivity management, data center and application migration, DevOps security, firewall audit and compliance, incident response, network segmentation, and security policy change management.

AlgoSec offers an established and comprehensive policy management engine, but the solution does not include security appliances such as firewalls. This means the solution manages and orchestrates customers’ existing security stack, positioning the vendor in the Feature Play half of the Radar chart.

Aviatrix

Solution Overview
Aviatrix is a prominent player in the cloud networking market. Its solution includes the Distributed Cloud Firewall, a proprietary security technology that integrates policy inspection and enforcement directly into native cloud infrastructure and application communication flows. This firewall provides broad traffic visibility without the need for agents or centralized appliances. Aviatrix also offers additional network security features, such as firewall service insertion, traffic encryption, and secure egress capabilities.

The solution supports the deployment and lifecycle management of cloud security gateways in AWS, Azure, Google Cloud Platform (GCP), Oracle Cloud Infrastructure (OCI), and Alibaba. The Aviatrix edge gateways can be deployed in Equinix data centers or on top of VMware or KVM to extend the Distributed Cloud Firewall policy to hybrid cloud and edge locations.  

Aviatrix CoPilot can perform continuous network behavior analysis on cloud workloads on a per-VPC/VNet basis to learn the routine behaviors of the network. CoPilot detects unusual network behaviors to identify threats, outages, high traffic for a planned launch, or other abnormal behavior. Users can opt to receive alerts when anomalies are detected.

Aviatrix is positioned as a Leader and a Fast Mover in the Innovation/Platform Play quadrant of the cloud network security Radar chart.

Strengths
Aviatrix scored well on a number of decision criteria, including:

  • Network segmentation: Aviatrix can support multiple flavors of network segmentation. First and foremost, Aviatrix is a multicloud networking solution and can enable segments to be defined across cross-cloud and same-cloud inter-VPC/VNet flows based on policy. For microsegmentation, Aviatrix Distributed Cloud Firewall can orchestrate security groups in AWS and network security groups in Azure to enable consistent policy enforcement down to the network interface level through native SG/NSG orchestration.

  • Egress traffic security: Aviatrix can filter outbound user traffic to restrict access to risky sites and enforce acceptable web use policies by identifying and blocking communications with known malicious IPs using the Proofpoint reputation database. Policies are enforced via Aviatrix gateways using SmartGroups for dynamic, stateful traffic filtering across cloud instances, allowing only specified protocols, ports, and source/destination groups.

  • Ingress traffic security: Aviatrix supports Layer 3/4 traffic filtering by controlling IP addresses, ports, and protocols. It also supports domain-based (FQDN) Layer 7 awareness, allowing egress control by hostname. This allows the system to block or allow traffic based on IP address, protocol, port, and FQDN, leveraging ThreatIQ feeds to identify and block known malicious destinations. The solution also enables rate-limiting, alerts for suspicious traffic, and precise firewall policy orchestration. ThreatIQ enhances security by providing real-time threat intelligence feeds that identify and block communication with known malicious IPs and domains, integrating these feeds into Aviatrix policy enforcement.

Opportunities
Aviatrix has room for improvement in a few decision criteria, including:

  • Policy definition engine: While Aviatrix offers a robust policy definition engine and CoPilot analyzes real network traffic through flow logs, the solution does not yet automatically recommend new segmentation policies or business-logic-aligned rules based on that analysis. It also does not currently offer a natural language-based policy creation engine.

  • Secure networking for ephemeral resources: The solution does not currently analyze configuration files, such as identifying ports that are exposed via the EXPOSE directive in a Dockerfile or the -p argument passed to the docker run command. Rather, it uses a mechanism based on a multicloud controller and declarative security policies to achieve similar outcomes.

  • Workload authentication and authorization: The vendor could further enhance its capabilities beyond using mTLS and SPIFFE to include certificates and tokens, such as JSON Web Tokens (JWT), as well as implementing credential rotation rules.
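
The configuration-file check mentioned in the ephemeral-resources item above (EXPOSE directives and -p arguments) is small enough to show end to end. The script below is an added example, not Aviatrix code and not part of this report; the Dockerfile and docker run command it parses are constructed, and the parser covers only the common IPv4 forms of -p.

```python
"""Report container ports declared by a Dockerfile and published by a docker run command.

Added example for the configuration-file analysis described above (EXPOSE directives and -p
arguments); it is not Aviatrix code or part of the GigaOm report. The Dockerfile and command
below are constructed, and the parser handles only the common IPv4 forms of -p.
"""
import re
import shlex

# Constructed sample inputs.
DOCKERFILE = """\
FROM python:3.12-slim
ARG DEBUG_PORT=5678
EXPOSE 8000
EXPOSE 443/tcp 9000/udp
EXPOSE $DEBUG_PORT
CMD ["python", "app.py"]
"""

RUN_COMMAND = ("docker run -d -p 8000:8000 --publish 127.0.0.1:5432:5432 "
               "-p 443:443/tcp -p 9000 myimage:latest")

UNBOUND = {"", "0.0.0.0", "::"}   # bind addresses that listen on every host interface


def parse_expose(dockerfile: str):
    """Return (port, proto) pairs from EXPOSE lines; variables are left unresolved as "$NAME"."""
    exposed = []
    for line in dockerfile.splitlines():
        m = re.match(r"^\s*EXPOSE\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue
        for token in m.group(1).split():
            port, _, proto = token.partition("/")
            exposed.append((port, proto.lower() or "tcp"))   # Docker defaults to tcp
    return exposed


def _parse_publish_spec(spec: str) -> dict:
    """Split one -p value: [ip:]hostPort:containerPort[/proto] or containerPort[/proto]."""
    body, _, proto = spec.partition("/")
    parts = body.rsplit(":", 2)
    if len(parts) == 3:
        bind, host_port, container_port = parts
    elif len(parts) == 2:
        bind, (host_port, container_port) = "", parts
    else:
        bind, host_port, container_port = "", "", parts[0]   # Docker picks an ephemeral host port
    return {"bind": bind, "host_port": host_port,
            "container_port": container_port, "proto": proto.lower() or "tcp"}


def parse_publish(command: str):
    """Collect -p / --publish bindings from a docker run command line."""
    args = shlex.split(command)
    bindings, i = [], 0
    while i < len(args):
        arg, spec = args[i], None
        if arg in ("-p", "--publish") and i + 1 < len(args):
            spec, i = args[i + 1], i + 1
        elif arg.startswith("--publish="):
            spec = arg.split("=", 1)[1]
        elif arg.startswith("-p") and not arg.startswith("--"):
            spec = arg[2:]                                     # -p8000:8000 form
        i += 1
        if spec:
            bindings.append(_parse_publish_spec(spec))
    return bindings


def assess(dockerfile: str, command: str) -> dict:
    """Cross-check declared and published ports and flag what listens on all host interfaces."""
    exposed = parse_expose(dockerfile)
    bindings = parse_publish(command)
    published = {(b["container_port"], b["proto"]) for b in bindings}
    return {
        "exposed": exposed,
        "unresolved": [p for p, _ in exposed if p.startswith("$")],
        "public": [b for b in bindings if b["bind"] in UNBOUND],
        # EXPOSE alone opens nothing; these are declared but never published
        "exposed_not_published": [f"{p}/{proto}" for p, proto in exposed
                                  if not p.startswith("$") and (p, proto) not in published],
    }


if __name__ == "__main__":
    for key, value in assess(DOCKERFILE, RUN_COMMAND).items():
        print(f"{key}: {value}")
```

Two details matter for the defender reading the output: a -p with no bind address listens on every host interface (reported under "public"), and an EXPOSE that is only a build-time variable cannot be judged from the Dockerfile alone (reported under "unresolved"). The protocol is part of the comparison, so a declared 9000/udp is not satisfied by a published 9000/tcp.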

Purchase Considerations
Aviatrix provides licensing to cloud service provider (CSP) users for the customer IDs required to access the Aviatrix Cloud Network Controller and CoPilot. Billing is node-based, scaling with the number of deployed gateways. Licensing is typically per cloud but can be consolidated under enterprise or marketplace agreements that cover multiple environments.

Use Cases
Aviatrix can support a wide range of use cases, including multicloud and hybrid cloud networking with security services delivered via the distributed cloud firewall product. Moreover, integration with Equinix Network Edge can provide customers with private connectivity between clouds and on-premises environments.

Check Point

Solution Overview
Check Point has bundled and integrated all its various capabilities into one unified security architecture, named Infinity, to manage the security of networks, cloud, internet of things (IoT), endpoints, and mobile devices from a single console. Infinity provides consistent security throughout on-premises, hybrid, public, and private cloud environments, eliminating security gaps created by disparate point solutions. 

Check Point has a new partnership with cloud security provider Wiz, whose advanced risk analysis feeds integrate directly into the Check Point Infinity platform, providing network security teams and CloudGuard customers with actionable recommendations to optimize security coverage and configurations.

CloudGuard Network Security is Check Point’s cloud network security solution that provides advanced threat prevention and network security through a virtual security gateway and consolidated security management across multicloud and hybrid cloud environments. It offers centralized control of network security devices to orchestrate consistent security policies across all supported cloud environments, regions, availability zones, networks, and individual hosts. CloudGuard provides dynamic, real-time polling of a wide range of third-party public and private cloud providers via the CloudGuard Controller feature, enabling the consumption of all relevant cloud entities for use in security policies and the dynamic adjustment to changes. 

Check Point is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the cloud network security Radar chart.

Strengths
Check Point scored well on a number of decision criteria, including:

  • Ingress traffic security: Check Point’s CloudGuard WAF detects and blocks malicious traffic and bot patterns using a machine learning (ML) engine that continuously analyzes HTTP/S requests as users visit resources exposed to the public internet. The solution utilizes client-side behavioral analysis to distinguish between human and nonhuman behavior. Once a client connects to a server, CloudGuard WAF uses JavaScript injections to perform client-side behavioral analysis to stop credential stuffing, brute force attacks, and site scraping with advanced bot protection. Malicious traffic and bot patterns can be learned using signatures, heuristics, and contextual ML. 

  • Policy definition engine: CloudGuard Controller continuously polls cloud environments for changes and dynamically updates the relevant security policies. Check Point’s security management can define policies using drag-and-drop workflow builders. Policies can be designed to follow business logic and can cover applications, specific use cases, individual users, lines of business, or the entire organization. 

  • Security observability: Via the Wiz partnership, the solution offers a context graph that provides an enriched visualization tool to map end-to-end network paths and display an asset’s exposure to the internet, as well as factors contributing to its overall risk profile. The context graph considers various elements, such as the asset’s configuration, network connections, and interdependencies, allowing users to visualize the asset’s position within their cloud environment and understand the overall security impact.

Opportunities
Check Point has room for improvement in a few decision criteria, including:

  • Secure networking for ephemeral resources: While the solution has some native capabilities for this key feature, others are only supported by Check Point’s partnership with Wiz.

  • Planning and modeling: Check Point does not currently natively simulate how traffic would behave in real-world deployments when configuration or infrastructure changes occur. Some of these features can be available via the Wiz partnership. 

  • Workload authentication and authorization: The solution can support the use of capabilities such as mTLS, SPIRE/SPIFFE frameworks, asymmetric key pair authentication, and JWT through third-party integrations, but it does not currently support them natively.

Purchase Considerations
Check Point provides CloudGuard Network Security in multiple licensing tiers depending on the marketplace and solution. Customers can choose among basic, standard, premium, direct, and diamond support packages. The price of the support is tiered based on these packages and is calculated as an added percentage of the solution. 

Check Point offers pay-as-you-go pricing models on multiple cloud marketplaces, allowing customers to scale up and down as needed, based on their usage. Check Point supports the consumption-based model, offering virtual cores per hour on cloud marketplaces. Most prices are publicly available through the cloud marketplaces. A cost calculator is available online.

Use Cases
Check Point CloudGuard Network Security supports a wide range of use cases, including cloud threat prevention (antivirus, intrusion prevention system (IPS), anti-bot, threat emulation, threat extraction, advanced DNS, zero-day phishing, web application, and API protection), access control, hybrid cloud and multicloud security, north-south and east-west traffic security, risk management, and threat intelligence.

Cisco: Multicloud Defense 

Solution Overview
Cisco Multicloud Defense is a cloud network security solution inherited from the 2023 acquisition of Valtix, a specialized cloud network security company established in 2018.

Cisco Multicloud Defense provides ingress, egress, and east-west security across multiple cloud providers, including Azure, AWS, GCP, and OCI, from a single interface. It offers visibility of cloud environments and enables the creation of cloud-agnostic security policies to apply segmentation and internet security using cloud-native identity (tags) without cloud-specific skills or knowledge. 

Cisco Multicloud Defense is a single product that is integrated with Cisco Security Cloud. While customers can purchase and use Multicloud Defense independently, they benefit from the integrations available through Cisco Security Cloud, such as site-to-site VPNs between Multicloud Defense Gateways and customer sites. Additionally, customers can use objects and dynamic object groups that they’ve created within Cisco Security Cloud for their policies, reducing the need to define the same object multiple times.

Multicloud Defense has two components. First, a SaaS-delivered Multicloud Defense Controller management interface and control plane enables customers to log in to see their cloud deployment, manage policy, and deploy or manage security gateways. Second, a PaaS-delivered Multicloud Defense Gateway service provides deeper visibility while enforcing customer-created policies.

Cisco is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the cloud network security Radar chart.

Strengths
Cisco scored well on a number of decision criteria, including:

  • Ingress traffic security: Cisco uses TLS certificates and can act as both a reverse proxy and a forward proxy for flows. Multicloud Defense Gateways can protect backend web servers hosting API services against Layer 7 denial-of-service (DoS) attacks. Web protection profiles are a collection of WAF rules that can be used to evaluate web-based transactions to ensure the traffic is not malicious. The solution can leverage Trustwave Rules from ModSecurity, based on intelligence gathered from real-world investigations, penetration tests, and research, to provide an advanced level of protection for specific web applications and frameworks. 

  • Egress traffic security: Cisco’s inline security protections defend against external attacks, prevent egress data exfiltration, and thwart the lateral movement of attacks. Multicloud Defense Gateways include functionality for TLS decryption, intrusion detection systems (IDS), IPS, WAF, antivirus filtering, data loss prevention (DLP), FQDN/URL filtering capabilities, and load balancing. 

  • Security observability: The Cisco Multicloud Defense Discovery service provides real-time visibility into currently deployed resources in onboarded cloud accounts. Additionally, it provides an interface into VPC flow logs and DNS logs, offering a comprehensive view of the cloud deployment. Multicloud Defense Controller uses a pub-sub model to get updates on cloud resources and keep track of changes. Using Multicloud Defense Discovery, users can view the attributes of their resources and their interconnections. Flow Analytics provides overall visibility into the traffic seen, processed, and protected by Multicloud Defense Gateways. 

Opportunities
Cisco has room for improvement in a few decision criteria, including:

  • Network misconfiguration detection: While Cisco Multicloud Defense can deliver these capabilities via the 2025 Wiz partnership, it does not currently offer native misconfiguration detection capabilities. Customers must therefore deploy another product for this capability.

  • Suspicious network behavior detection: Cisco Multicloud Defense integrates with Cisco Talos, which provides real-time threat feeds that include categorization of malicious IP addresses and domain names. However, it does not currently offer native capabilities for detecting unexpected communication patterns.

  • Workload authentication and authorization: While Cisco can currently authenticate and authorize workload identities using the cloud-native identity of metadata key-value pairs, it does not support features such as mTLS or the SPIFFE/SPIRE frameworks.

Purchase Considerations
Cisco Multicloud Defense utilizes a consumption-based licensing model, based on the number of gateway hours required, and can be scaled up or down as needed. There are two tiers of licensing: advanced and premium. Support is included on both tiers. The product offers both manual and automatic scale-up and scale-down capabilities, which can be adjusted according to usage.

Multicloud Defense has published a Gateway Hours Estimator, which helps estimate the number of hours needed based on the number of VPCs and the deployment type chosen by the customer.

Use Cases
Cisco Multicloud Defense can cater to a wide range of use cases, including ingress security to protect against traffic originating from the internet, egress security to protect against data exfiltration, and command and control. It can also secure east-west traffic patterns, act as a reverse proxy, and provide IDS/IPS capabilities, GeoIP restrictions, and DLP. Cisco’s solution can help deliver protection for single-cloud, multicloud, and hybrid cloud environments. 

F5: Distributed Cloud Services

Solution Overview
F5 Distributed Cloud Services provides a full-stack (Layer 3 through Layer 7) SaaS-based solution that connects, delivers, secures, and operates both networks and applications in a cloud-agnostic manner. The solution consists of web app and API protection (WAAP), cloud networking connect, and application layer service networking components.

F5 Distributed Cloud WAAP includes a range of security services as part of its broader product portfolio, including web app firewalls, Layer 3 and Layer 7 distributed denial of service (DDoS) protection, bot defense, API discovery and protection, and web app scanning.

F5 Distributed Cloud Network Connect connects and secures networks across clouds. It abstracts the complexity of networking and security enforcement across cloud providers, on-premises data centers, and edge sites. It simplifies operations and streamlines segmentation, policy enforcement, and visibility across a distributed cloud environment. 

F5 Distributed Cloud App Connect connects and secures applications across clouds, on-premises, and edge locations without worrying about the underlying networking. It discovers apps across Kubernetes clusters, VMs, or legacy server environments and advertises them securely with enterprise-grade WAF and API protection, publicly or privately. It acts as a secure reverse proxy for enforcing consistent app security policies across a distributed cloud environment. It simplifies operations and maximizes visibility for applications.

F5 acquired the shift-left API security company Wib in January 2024 and plans to integrate its capabilities with the F5 Distributed Cloud Services portfolio. Several new features will become available, such as code scanning, compliance reporting, automatic API testing, and domain API scanning.

F5 is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the cloud network security Radar chart.

Strengths
F5 scored well on a number of decision criteria, including:

  • Network segmentation: F5 can enable VPCs/VNets and on-premises networks to be grouped or isolated into different routable domains to define network segments. This approach can achieve multicloud segmentation, same-cloud segmentation, and microsegmentation. Layer 3/4 to Layer 7 policy enforcement is based on tags, label selectors, VPCs/VNets, IP addresses, ports, interfaces, virtual networks, and other similar criteria. An enhanced firewall enables users to allow, deny, or forward traffic to a network functions virtualization (NFV) service based on label selector, IP addresses, global networks, and other factors. 

  • Secure networking for ephemeral resources: The solution can secure ephemeral resources by integrating with Kubernetes and operating as a Kubernetes ingress controller. This ensures the solution can cater to applications in both VMs and containerized form factors to ensure an end-to-end security stack for both types of workload. Dynamic segmentation is supported via cloud-native labels and selectors.

  • Security observability: F5 Distributed Cloud Services has the ability to discover, map, and display security-related constructs, including network segments, security groups, traffic flows, and exposed assets. App Connect enables users to securely discover and deliver required APIs only to relevant consumers, reducing the blast radius by preventing exposure of the entire application or workload instance. Visualizations are continuously updated as configurations change. The solution highlights the internet exposure of critical cloud assets, supports trace routing, and maps end-to-end service-to-service network paths to and from cloud resources. 

F5 was classified as an Outperformer, considering the acquisition of MantisNet and the 2024 acquisition of Wib.

Opportunities
F5 has room for improvement in a few decision criteria, including:

  • Policy definition engine: F5 has a solid policy definition engine, but it could be further enhanced by developing capabilities to analyze real-world traffic and identify overly permissive policies, as well as simulate the impact of new policies on traffic patterns.

  • Network misconfiguration detection: The solution does not currently detect misconfigurations, such as security groups allowing inbound SSH traffic from 0.0.0.0/0, access keys that are older than 90 days, or internet-exposed resources.

  • Extended Berkeley Packet Filter (eBPF): Following the acquisition of eBPF-based observability provider MantisNet, F5 could implement these capabilities natively to get kernel-level visibility into system events.

Purchase Considerations
F5 Distributed Cloud Services is typically sold on multiyear subscriptions, with a yearly true-up based on usage. Customers purchase access to the core F5 Distributed Cloud Services package, which grants access to security features like threat campaigns, IP reputation, Layer 3 through Layer 7 DDoS/DoS, and service policies on regional edge sites. Customers can then add features based on their security requirements, such as web app and API protection, API discovery, bot defense, web app scanning, and WAF. The core package provides security via a traditional SaaS model, with no security services deployed locally. Customers can also add F5’s Customer Edge (CE) nodes for local security deployment.

Use Cases
F5 Distributed Cloud Services can deliver a wide range of security use cases, such as network segmentation, securing network access, and securing public access to the network. It can also deliver on use cases such as application security, real-time web application protection, AI workload security, and egress and ingress security. It provides end-to-end visibility across single-cloud, multicloud, and hybrid cloud environments. 

Trend Micro: Cloud One*

Solution Overview
As part of the Trend Micro One unified cybersecurity platform, Trend Micro Cloud One is a cloud network security solution that detects unknown cyber assets and protects unmanaged entities in cloud environments. Trend Micro Network One combines risk analysis with Trend Micro Vision One for north-south and east-west protection.

As part of Trend Micro’s Zero Day Initiative, Cloud One leverages the Trend Micro Research unit to gather relevant threat intelligence, enabling the discovery and blocking of sophisticated cyberthreats in cloud architectures. Trend Micro Research has more than 500 investigators worldwide, enabling customers to protect against, detect, and respond to threats faster and with greater knowledge. The service can help safeguard against multiple threat vectors, offering comprehensive protection that includes virtual patching, vulnerability shielding, exploit blocking, and defense against known and zero-day attacks.

The solution helps customers achieve PCI compliance by ensuring continuous network compliance and audit readiness, enabling monitoring of traffic and restricting access to essential domains and locations.

Trend Micro Cloud One works in tandem with Vision One to deliver intelligent detection and response capabilities. Through Trend Micro Vision One, the network telemetry from an enterprise network sensor is analyzed alongside other sensor telemetry to surface actionable information. 

Trend Micro offers a stable and consistent solution with incremental updates on core features such as egress traffic filtering.

Trend Micro is positioned as an Entrant and Forward Mover in the Maturity/Feature Play quadrant of the cloud network security Radar chart.

Strengths
Trend Micro scored well on a number of decision criteria, including:

  • Ingress traffic security: Trend Micro’s Cloud One offers in-line, real-time threat protection for all inbound TLS-encrypted IPv4 traffic. Trend Micro agents receive the encrypted flow, decrypt it, inspect it, re-encrypt it, and then send it on to its destination. Users can integrate Network Security’s TLS capability with their existing infrastructure’s certificate management offerings. 

  • Policy definition engine: The solution can run outbound attack simulations. A security policy determines what course of action to take whenever traffic triggers a filter. Cloud One includes a set of recommended filters, some of which have preset responses when a packet matches a filter. Customers can optimize their security policy by customizing the functionality of filters and policies to enable only those filters relevant to the environment and fine-tuning the responses for maximum effectiveness.

  • Egress traffic filtering: Trend Micro offers features such as geolocation filtering, including a default geolocation package that enables users to block incoming and outgoing IPv4 requests according to countries or regions. Domain name filtering is a type of reputation filtering that helps control the traffic entering and exiting a network. Cloud One enables users to control traffic by creating and managing a list of FQDNs that have permitted inbound and outbound access to their environment.
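The FQDN allow-list control described above is easy to get subtly wrong, so the following is an added illustration (not Trend Micro's code or rule format) of a direction-aware FQDN allow list with the two checks a practitioner wants: suffix matches only on a label boundary, and connections to bare IP addresses, which carry no name to match, are denied rather than silently passed. The entry syntax, the `FqdnAllowList` class and the connection records are all constructed for this example.

```python
from ipaddress import ip_address

# Constructed allow list (an assumed format, not a vendor's): (direction, pattern).
# A leading "*." matches any name at least one label below the suffix.
ALLOW_LIST = [
    ("outbound", "api.example.com"),
    ("outbound", "*.updates.example.net"),
    ("inbound", "partner.example.org"),
]


def normalise(name):
    """Lower-case and drop the trailing dot so 'API.Example.COM.' equals 'api.example.com'."""
    return name.strip().rstrip(".").lower()


def is_ip_literal(host):
    """True when the destination is an IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


class FqdnAllowList:
    def __init__(self, entries):
        self.exact = {"inbound": set(), "outbound": set()}
        self.suffix = {"inbound": set(), "outbound": set()}
        for direction, pattern in entries:
            pattern = normalise(pattern)
            if pattern.startswith("*."):
                self.suffix[direction].add(pattern[2:])
            else:
                self.exact[direction].add(pattern)

    def permits(self, direction, host):
        """Return True only when host matches an entry for this direction.

        IP-literal destinations are denied: they have no name to match, and
        allowing them would let a client bypass the list by dialling an
        address directly.
        """
        if is_ip_literal(host):
            return False
        host = normalise(host)
        if host in self.exact[direction]:
            return True
        # Suffix match on a label boundary: "*.example.net" must not match
        # "notexample.net", and it does not cover the apex "example.net".
        return any(host.endswith("." + s) for s in self.suffix[direction])


def evaluate(allow_list, connections):
    """Attach the list's verdict to each connection record."""
    return [
        (c["direction"], c["host"],
         "allow" if allow_list.permits(c["direction"], c["host"]) else "deny")
        for c in connections
    ]


# Constructed connection attempts as the filter would see them.
SAMPLE_CONNECTIONS = [
    {"direction": "outbound", "host": "API.example.com."},           # allow: exact, normalised
    {"direction": "outbound", "host": "mirror1.updates.example.net"},  # allow: wildcard
    {"direction": "outbound", "host": "updates.example.net"},         # deny: apex not covered
    {"direction": "outbound", "host": "notupdates.example.net"},      # deny: not on label boundary
    {"direction": "inbound", "host": "partner.example.org"},          # allow: inbound entry
    {"direction": "outbound", "host": "partner.example.org"},         # deny: wrong direction
    {"direction": "outbound", "host": "203.0.113.5"},                 # deny: IP literal
]

if __name__ == "__main__":
    for direction, host, verdict in evaluate(FqdnAllowList(ALLOW_LIST), SAMPLE_CONNECTIONS):
        print(f"{direction:8} {host:32} {verdict}")
```

Whether a name-based list can be enforced at all depends on the filter seeing the name, for example via the TLS SNI or a DNS lookup it performed itself; the IP-literal deny above is what keeps the control from being a no-op for clients that skip DNS.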

Opportunities
Trend Micro has room for improvement in a few decision criteria, including:

  • Network segmentation: Trend Micro allows customers to create virtual segments in public cloud environments and register them in the Cloud One management interface. However, it does not provide any further definition or management capabilities for network segmentation.

  • Suspicious network behavior detection: Trend Micro can deliver features such as virtual patching, vulnerability shielding, and exploit blocking. However, it does not analyze traffic to detect unusual traffic patterns and respond accordingly upon detection.

  • Secure networking for ephemeral resources: Trend Micro does not integrate with or ingest container-specific data such as Kubernetes logs.

Trend Micro was classified as a Forward Mover, given its relatively lower rate of recent development compared to the market and feature releases since the last iteration of the report.

Purchase Considerations
Each Trend Micro Cloud One account has a subscription that determines how the customer is billed and which services it can access. Pay-as-you-go billing allows customers to subscribe to Trend Cloud One and only pay for what they deploy and use. Billing is based on usage of the service, reported on an hourly basis. Pay-as-you-go billing for all Trend Cloud One services is currently available through the AWS Marketplace listing. For the network security functions, the cost is calculated based on gigabytes of traffic inspected.

Use Cases
Trend Micro can deliver on use cases related to east-west, ingress, and egress traffic filtering through in-line intrusion prevention and decryption, which provides real-time inspection and blocking of traffic in all directions. It can also deliver AI service access for public and private generative AI services, as well as secure web gateway (SWG), cloud access security broker (CASB), and zero trust network access (ZTNA) solutions to secure users across the network, web, cloud, and private applications.

Tufin

Solution Overview
Tufin provides policy-based network and cloud security via a central control plane and zero-touch automation. Tufin’s offering is available in three tiers: SecureTrack+, SecureChange+, and Enterprise. The solution is designed to facilitate the design and implementation of changes across on-premises, cloud, and SASE environments, including AWS, Azure, GCP, and VMware. It can unify network security with an automated policy engine, and provide visibility into application connectivity, dependencies, and access policies. 

Tufin’s product tiers each offer increasing feature sets. SecureTrack+ offers Firewall and Security Policy Management. SecureChange+ provides Security Change Automation. Enterprise offers Zero-Touch and Zero-Trust Network Security.

Tufin provides a stable solution that offers consistent, incremental updates for core features, including a policy definition engine and network misconfiguration detection.

Tufin is positioned as a Challenger and Outperformer in the Maturity/Feature Play quadrant of the cloud network security Radar chart.

Strengths
Tufin scored well on a number of decision criteria, including:

  • Policy definition engine: Tufin’s automatic policy generator (APG) helps optimize firewall rule bases using traffic history to design least-privilege rule sets that block communications from systems that don’t regularly require access. The APG can accelerate the creation of a rule base for new firewalls or add an interface to a firewall. The APG analyzes firewall logs to determine business practices and replaces overly permissive rules with more granular ones. Tufin customers can run an APG job on a rule that monitors real-world business traffic for a specified period and then suggests a recommended set of rules to reduce the permissiveness of the existing rule. The APG can be run on an entire firewall rule base, a specific section, or just one rule. The rule lifecycle management feature integrates Tufin with configuration management databases to map network owners, identify inactive owners for rule reassignment, and orchestrate certification across the right set of rule owners. It can identify and remove network objects (such as servers, subnets, or IP ranges) that are no longer in use due to hardware replacement or changes in network architecture.

  • Security observability: Tufin creates topology views by connecting to network devices, such as multiple-vendor firewalls, routers, next-generation firewalls (NGFWs), software-defined networks (SDNs), and cloud services, retrieving all routing tables as well as accounting for common network technologies, such as NAT, multiprotocol label switching (MPLS), and IPsec VPN. This vendor-agnostic network topology map provides centralized visibility and control, both on-premises and in the cloud.

  • Network misconfiguration detection: Tufin’s vulnerability-based change automation module enables customers to expand risk-based access request workflows to reflect vulnerability scan results. Administrators can automatically check source and destination assets for known vulnerabilities prior to granting access or connectivity.
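The traffic-history approach described for the automatic policy generator (monitor what a permissive rule actually carries, then propose narrower rules) can be shown end to end on sample data. The following is an added example written for this report, not Tufin's APG; the log line format, the `ALLOW-ANY` rule name, the known-segment list and the thresholds are all assumptions constructed for the illustration. It goes slightly beyond the text by separating low-frequency flows into a review list rather than codifying them.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed firewall log lines recorded while the broad rule ALLOW-ANY was
# in place (the format is an assumption for this example, not a vendor's).
SAMPLE_LOG = """\
2025-11-01T10:00:01Z src=10.1.2.3 dst=10.20.0.5 proto=tcp dport=443 rule=ALLOW-ANY
2025-11-01T10:00:02Z src=10.1.2.4 dst=10.20.0.5 proto=tcp dport=443 rule=ALLOW-ANY
2025-11-01T10:00:03Z src=10.1.2.3 dst=10.20.0.5 proto=tcp dport=443 rule=ALLOW-ANY
2025-11-01T10:00:04Z src=10.1.2.9 dst=10.20.0.7 proto=tcp dport=5432 rule=ALLOW-ANY
2025-11-01T10:00:05Z src=10.1.2.9 dst=10.20.0.7 proto=tcp dport=5432 rule=ALLOW-ANY
2025-11-01T10:00:06Z src=10.1.2.9 dst=10.20.0.7 proto=tcp dport=5432 rule=ALLOW-ANY
2025-11-01T10:00:07Z src=10.1.2.3 dst=10.20.0.7 proto=tcp dport=22 rule=ALLOW-ANY
2025-11-01T10:00:08Z src=10.3.0.8 dst=10.20.0.5 proto=tcp dport=443 rule=ALLOW-WEB
"""

# Constructed: segments the administrator already knows and is willing to
# reference as a source object in a rule.
KNOWN_SEGMENTS = [ip_network("10.1.2.0/24"), ip_network("10.3.0.0/16")]

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) rule=(?P<rule>\S+)"
)


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR
    dst: str     # CIDR
    proto: str
    dport: int
    hits: int    # how many logged flows support this rule

    def render(self):
        return f"allow {self.proto}/{self.dport} from {self.src} to {self.dst}  # {self.hits} hits"


def parse_flows(log_text):
    """Extract the fields we need from each log line; unparsable lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in log_text.splitlines()) if m]


def segment_for(addr):
    """Known segment containing addr, or a host route when none matches."""
    ip = ip_address(addr)
    for seg in KNOWN_SEGMENTS:
        if ip in seg:
            return str(seg)
    return f"{ip}/32"


def generate_rules(log_text, permissive_rule, min_hits=2, widen_at=2):
    """Propose narrower rules for the traffic that hit permissive_rule.

    A source is widened to its known segment only when at least widen_at
    distinct hosts from that segment reached the same service; otherwise the
    rule stays host-specific. Candidates seen fewer than min_hits times go to
    a review list instead of the rule set, so one-off connections are judged
    by a person rather than codified blindly.
    """
    hits = defaultdict(int)
    for f in parse_flows(log_text):
        if f["rule"] == permissive_rule:
            hits[(f["src"], f["dst"], f["proto"], int(f["dport"]))] += 1

    # (dst, proto, dport) -> source segment -> {src host: count}
    per_service = defaultdict(lambda: defaultdict(dict))
    for (src, dst, proto, dport), n in hits.items():
        per_service[(dst, proto, dport)][segment_for(src)][src] = n

    rules, review = [], []
    for (dst, proto, dport), segments in sorted(per_service.items()):
        for seg, sources in sorted(segments.items()):
            if len(sources) >= widen_at:
                candidates = [Rule(seg, f"{dst}/32", proto, dport, sum(sources.values()))]
            else:
                candidates = [Rule(f"{s}/32", f"{dst}/32", proto, dport, n)
                              for s, n in sorted(sources.items())]
            for c in candidates:
                (rules if c.hits >= min_hits else review).append(c)
    return rules, review


if __name__ == "__main__":
    rules, review = generate_rules(SAMPLE_LOG, "ALLOW-ANY")
    print("Proposed replacements for ALLOW-ANY:")
    for r in rules:
        print("  " + r.render())
    print("Needs review before adding:")
    for r in review:
        print("  " + r.render())
```

The monitoring window is the weak point of this technique: a period too short to include month-end or failover traffic produces a rule set that breaks something later, which is why the review list exists and why the permissive rule should be disabled, not deleted, when the new rules go live.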

Tufin was classified as an Outperformer given its development pipeline, with multiple features, such as an AI-based policy definition engine or AI-based capabilities to identify IPs and subnet associations.

Opportunities
Tufin has room for improvement in a few decision criteria, including:

  • Ingress traffic security: While the solution can define ingress traffic policies, it relies on the underlying security infrastructure for filtering capabilities.

  • Egress traffic security: Just as with ingress traffic security, the solution’s egress traffic security capabilities are dependent on the customer’s stack and cannot define more sophisticated filtering or inspection policies. 

  • Suspicious network behavior detection: Tufin does not currently offer capabilities to detect suspicious behavior such as port scanning, sweeping, or DNS-based threats.

Purchase Considerations
Tufin offers a usage-based pricing model for devices and applications. Licenses include unlimited users. The three tiers offer incremental feature sets. Tufin is available in the AWS and Azure marketplaces. Premium Support offers 24/7 call handling, troubleshooting, and problem resolution.

Use Cases
The solution can deliver on use cases such as firewall optimization, rule management and cleanup, firewall audit, regulatory compliance, network change automation, digital transformation, and firewall migration. 

Tufin offers a mature and comprehensive policy management engine, but the solution does not include security appliances such as firewalls. This means the solution manages and orchestrates customers’ existing security stack, positioning the vendor in the Feature Play half of the Radar chart.

VMware (Broadcom): vDefend Distributed Firewall

Solution Overview
VMware vDefend Distributed Firewall is a software-defined Layer 7 firewall for securing multicloud traffic across virtualized workloads. It provides stateful firewalling with IDS/IPS, sandboxing, and network traffic analysis. The solution distributes the firewalling to each host to support network segmentation, prevent lateral movement, and automate policy in a vastly simpler operational model.

The solution analyzes traffic at every host to monitor all traffic flows, identify malicious traffic on a per-hop basis, and apply virtual patching to ensure unpatched servers inside the data center cannot be exploited. To support DevSecOps practices, vDefend Distributed Firewall adopts a security-as-code approach, utilizing an API-driven, object-based model.

VMware is positioned as a Challenger and Forward Mover in the Innovation/Platform Play quadrant of the cloud network security Radar chart.

Strengths
VMware scored well on a number of decision criteria, including:

  • Policy definition engine: The solution supports dynamic policy orchestration, enabling administrators to define consistent firewall policies across multiple environments. Policies are maintained throughout workload lifecycles, including migrations. The solution provides policy recommendations, automates policy mobility, and ensures that new workloads automatically receive the appropriate security policies. The solution’s architecture can support extensive microsegmentation use cases and deliver on zero trust principles. 

  • Ingress traffic filtering: The solution can protect internal network applications against known malicious IP addresses on the internet and bot traffic. The list of malicious IP addresses is dynamically updated on a frequent basis from the VMware global threat intelligence network. 

  • Suspicious network behavior detection: VMware vDefend Advanced Threat Prevention, an add-on to VMware vDefend Distributed Firewall, incorporates multiple detection technologies and logic to identify suspicious network behavior. These technologies include distributed IDS/IPS, network sandbox, and network detection and response (NDR). The network sandbox is a secure isolation environment designed to detect malicious artifacts in the data center. It analyzes the behavior of objects, such as files and URLs, to determine if they are benign or malicious.

Opportunities
VMware has room for improvement in a few decision criteria, including:

  • Network misconfiguration detection: VMware can apply virtual patching but does not currently identify internet-exposed Kubernetes services, security groups allowing inbound SSH traffic from 0.0.0.0/0, access keys older than 90 days, or identity and access management (IAM) policies that are too permissive.

  • Exfiltration monitoring: While the solution has the ability to detect exfiltration of data as part of a ransomware attack, using security controls such as network traffic analysis (NTA) and IDS, it does not currently identify transfers of sensitive data such as credit cards and personal information.

  • Egress traffic security: While VMware’s solution provides some outbound traffic security via FQDN and other Layer 7 protocols, it does not currently analyze content or inspect traffic.
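The misconfiguration checks named in the VMware opportunity note above and in the F5 note earlier (security groups admitting SSH from 0.0.0.0/0, access keys older than 90 days, over-permissive IAM policies, internet-exposed Kubernetes services) are concrete enough to implement. The following is an added example, not code from either vendor or from this report, that runs those checks over a constructed inventory snapshot; the record layout, the resource names and the key IDs are placeholders invented for the illustration, not any cloud provider's API format.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

SSH_PORT = 22
MAX_KEY_AGE = timedelta(days=90)

# Constructed inventory snapshot (placeholder identifiers, not real account data).
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [
            {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-legacy", "ingress": [
            {"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"}]},   # all traffic, IPv6 any
        {"id": "sg-admin", "ingress": [
            {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"}]},
    ],
    "access_keys": [
        {"user": "deploy-bot", "key_id": "KEY-EXAMPLE-1", "created": "2025-09-20T00:00:00Z"},
        {"user": "old-admin", "key_id": "KEY-EXAMPLE-2", "created": "2025-03-01T00:00:00Z"},
    ],
    "iam_policies": [
        {"name": "ReadOnlyLogs", "statements": [
            {"effect": "Allow", "action": ["logs:Get*"], "resource": "arn:example:logs:*"}]},
        {"name": "FullAdmin", "statements": [
            {"effect": "Allow", "action": ["*"], "resource": "*"}]},
    ],
    "k8s_services": [
        {"namespace": "prod", "name": "api", "type": "LoadBalancer", "external_ip": "203.0.113.10"},
        {"namespace": "prod", "name": "db", "type": "ClusterIP", "external_ip": None},
    ],
}


def is_any_source(cidr):
    """True for the unrestricted IPv4 (0.0.0.0/0) or IPv6 (::/0) source."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule, port):
    """Protocol -1 means all traffic; otherwise the TCP range must include the port."""
    return rule["proto"] == "-1" or (rule["proto"] == "tcp" and rule["from"] <= port <= rule["to"])


def find_open_ssh(groups):
    """Security groups that admit SSH from any address, including via 'all traffic' rules."""
    return [g["id"] for g in groups
            if any(is_any_source(r["cidr"]) and rule_covers_port(r, SSH_PORT) for r in g["ingress"])]


def find_stale_keys(keys, now):
    """Access keys created more than MAX_KEY_AGE before 'now'."""
    stale = []
    for k in keys:
        created = datetime.strptime(k["created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - created > MAX_KEY_AGE:
            stale.append(k["key_id"])
    return stale


def find_wildcard_policies(policies):
    """Policies with an Allow statement granting every action on every resource."""
    return [p["name"] for p in policies
            if any(s["effect"] == "Allow" and "*" in s["action"] and s["resource"] == "*"
                   for s in p["statements"])]


def find_exposed_services(services):
    """LoadBalancer services that have been given an external address."""
    return [f'{s["namespace"]}/{s["name"]}' for s in services
            if s["type"] == "LoadBalancer" and s["external_ip"]]


def run_checks(inventory, now):
    """Run every check and return findings keyed by check name."""
    return {
        "ssh_open_to_world": find_open_ssh(inventory["security_groups"]),
        "stale_access_keys": find_stale_keys(inventory["access_keys"], now),
        "wildcard_iam_policies": find_wildcard_policies(inventory["iam_policies"]),
        "internet_exposed_services": find_exposed_services(inventory["k8s_services"]),
    }


if __name__ == "__main__":
    # Fixed reference time so the key-age check is reproducible.
    for check, hits in run_checks(INVENTORY, datetime(2025, 11, 7, tzinfo=timezone.utc)).items():
        print(f"{check}: {hits or 'none'}")
```

Two details carry most of the value: the "all traffic" rule (`proto` -1) and the IPv6 any-address (`::/0`) are caught only because the check reasons about prefix length and port ranges rather than string-matching `0.0.0.0/0` and `22`, which is the gap a naive rule often leaves.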

VMware was classified as a Forward Mover given its slow release cadence and small number of year-on-year developments for the features described in the report.

Purchase Considerations
vDefend Distributed Firewall is intended for organizations needing to implement access controls for east-west traffic within the network (microsegmentation) but not focused on threat detection and prevention services. vDefend Distributed Firewall with Threat Prevention is intended for organizations needing access control and select threat prevention features for east-west traffic within the network. vDefend Distributed Firewall with Advanced Threat Prevention is intended for organizations needing a firewall and all advanced threat prevention features for east-west traffic within the network. NSX Firewall for Bare Metal Servers is for organizations needing an agent-based network segmentation solution for bare metal workloads.

Use Cases
VMware vDefend Distributed Firewall can cater to a wide range of use cases, including network segmentation, application segmentation, microsegmentation, zero trust networking, compliance, ransomware protection, and simplified DMZ security. The solution provides protection for east-west and north-south traffic and features well-developed modules for intrusion detection and prevention based on behavioral analysis.

6. Analyst’s Outlook

The network is the point of entry for any attacker, which means it needs to be the first line of defense. Cloud network security services are solutions, not products. In other words, they can be delivered via various products as long as they address the problems of networking securely in a cloud environment.

This is why the vendors featured in this report come from three different backgrounds. 

The security services providers are the easiest ones to qualify. These vendors need to rearchitect traditional firewalls and IDS/IPS appliances to fit the cloud. They also need to develop observability and visualization capabilities, which were not particularly important to on-premises deployments. These vendors often offer cloud network security solutions as part of a comprehensive cloud security platform and tend to excel in features such as suspicious network behavior detection and exfiltration monitoring.

Cloud networking solutions provide both networking and security capabilities within a single solution. While security vendors can improve the posture of existing networking constructs, cloud networking vendors can define entirely new networks and secure them simultaneously. It’s also worth noting that all these vendors tend to have particularly high scores for network segmentation, partly due to the ability to define new networks within the cloud.

Network security policy managers have a distinct set of features with particularly strong observability, misconfiguration, and simulation capabilities. These solutions are less invasive, as they orchestrate only existing appliances without imposing architectural changes, and they can help enterprises reach the low-hanging fruit for improving their security posture.

In summary, cloud network security encompasses a diverse ecosystem of vendors approaching the problem from different angles—security service providers reimagining traditional defenses for the cloud, cloud networking vendors integrating connectivity and protection at the infrastructure level, and policy management vendors enhancing visibility and control without disrupting existing architectures. Together, these approaches reflect a shift from isolated products to adaptable, service-based solutions designed to secure the network as the first and most critical line of defense in the cloud.

7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

8. About Andrew Green

Andrew Green is an enterprise IT writer and practitioner with an engineering and product management background at a tier 1 telco. He is the co-founder of Precism.co, where he produces technical content for enterprise IT and has worked with numerous reputable brands in the technology space. Andrew enjoys analyzing and synthesizing information to make sense of today's technology landscape, and his research covers networking and security.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
