This GigaOm Research Reprint Expires February 16, 2027
February 17, 2026

GigaOm Radar for Secure Access Service Edge (SASE) v3

Securing the Enterprise

Ivan McPhee

1. Executive Summary

Secure access service edge (SASE) is a security framework that converges network security functions with software-defined wide-area networking (SD-WAN) capabilities to support the dynamic, secure access needs of organizations. Delivered primarily as a cloud-native service, SASE enables organizations to apply consistent security policies and network management across all users and devices, irrespective of location, providing a robust security posture.

Supporting branch office, on-prem, and remote worker secure access use cases, SASE includes five major technologies: cloud access security broker (CASB), firewall as a service (FWaaS), secure web gateways (SWG), SD-WAN, and zero trust network access (ZTNA), along with additional capabilities such as data loss protection (DLP) and remote browser isolation (RBI). Furthermore, the cloud-native SASE stack applies security and compliance policies in real time, integrating and centralizing the management of services in a cloud-based platform to deliver agility, cost efficiency, and scalability.

The SASE landscape is expanding as enterprises seek an all-in-one networking and security solution. While some vendors offer a single-vendor SASE solution, others partner with third-party niche solution vendors to fill the gaps. With each bringing its unique expertise and capabilities to the SASE framework, vendors offering SASE solutions come from various segments of the IT industry: 

  • Established networking and SD-WAN vendors integrating security features into their networking platforms

  • Security vendors expanding their portfolios to include network solutions under the SASE umbrella

  • Cloud service providers integrating networking and security services into their cloud platforms

  • Emerging vendors developing cloud-native SASE solutions from the ground up

  • Telecommunications companies offering integrated network and security solutions, including 5G, as the primary transport

Vendors offer single-vendor, hybrid (combining SASE capabilities with existing networking or security solutions), or multivendor SASE solutions that integrate various network and security services and offer different levels of control, security, and flexibility to cater to the diverse needs of organizations. Each solution has unique features and capabilities, with the best choice depending on a buyer's specific requirements and preferences.

While the choice between single-vendor and multivendor SASE depends on an organization's specific needs and circumstances, single-vendor SASE solutions offer simplified management and enhanced security outcomes through a unified approach. On the other hand, multivendor SASE solutions often provide best-of-breed capabilities, risk diversification, and a more flexible approach to securing diverse network environments. For this report, we are considering only single-vendor SASE solutions with support for interim hybrid deployments. 

This is our third year evaluating the SASE space in the context of our Key Criteria and Radar reports. This report builds on our previous analysis and considers how the market has evolved over the last year. 

This GigaOm Radar report examines the top SASE solutions and compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria) outlined in the companion Key Criteria report. Together, these reports provide an overview of the market, identify leading SASE offerings, and help decision-makers evaluate these solutions to make a more informed investment decision.

GIGAOM KEY CRITERIA AND RADAR REPORTS

The GigaOm Key Criteria report provides a detailed decision framework for IT and executive leadership assessing enterprise technologies. Each report defines relevant functional and nonfunctional aspects of solutions in a sector. The Key Criteria report informs the GigaOm Radar report, which provides a forward-looking assessment of vendor solutions in the sector.

2. Market Categories and Deployment Types

To help prospective customers find the best fit for their use case and business requirements, we assess how well SASE solutions are designed to serve specific target markets and deployment models (Table 1).

For this report, we recognize the following market segments:

  • Cloud service provider (CSP): These are providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS). 

  • Network service provider (NSP): Service providers selling network services—network access and bandwidth—provide entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, internet service providers (ISPs), telcos, and wireless providers.

  • Managed service provider (MSP): Service providers deliver applications, IT infrastructure, networks, and security services and support for businesses on customer premises, in the MSP’s data center (hosting), or in a third-party data center.

  • Government/public sector: Federal, state, and local government agencies require SASE capabilities that meet stringent regulatory frameworks, such as the Federal Risk and Authorization Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA). This also includes government-specific security standards with heightened emphasis on compliance reporting and protection of sensitive citizen data across authorized cloud environments.

  • Large enterprise: This refers to enterprises with more than 1,000 employees that have dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-prem data center or a colocation facility.

  • Small-to-medium businesses (SMB): This includes small businesses (fewer than 100 employees) and midsize businesses (100 to 1,000 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-prem data center or a colocation facility.

In addition, we recognize the following deployment models:

  • Private cloud: Used exclusively by one enterprise or organization, private cloud computing resources are physically located in an on-prem data center or hosted by a third-party colocation service provider. Tailored to meet specific requirements, private clouds offer compliance, control, and flexibility.

  • Public cloud: Owned and operated by a third-party cloud service provider and delivered over the internet, public cloud providers offer cost-effective, scalable, and reliable on-demand resources for enterprises and SaaS vendors.

  • Hybrid cloud: Enabling data and apps to move seamlessly between two environments, a hybrid cloud combines private, on-prem infrastructure with a public cloud. A hybrid cloud allows compute resources to be brought closer to the edge where data resides, thereby reducing latency and increasing reliability while still meeting regulatory compliance and data sovereignty requirements.

  • Multicloud: Comprising multiple public cloud services performing different functions, a multicloud deployment allows organizations to take advantage of various public cloud capabilities or geographies. Multicloud deployments may include private clouds, resulting in hybrid and multicloud deployments.

  • On-prem: This deployment consists of software, hardware, or services installed, run, and managed on an enterprise’s physical, in-house infrastructure, usually in a data center or colocation facility. In an on-prem setup, the enterprise is responsible for the operation, maintenance, and security of the system.

Table 1. Vendor Positioning: Target Market and Deployment Model

Target market columns: CSP | NSP | MSP | Government/Public Service | Large Enterprise | SMB
Deployment model columns: Private Cloud | Public Cloud | Hybrid Cloud | Multicloud | On-Prem
Vendors (rows): Aryaka, Barracuda Networks, Cato Networks, Check Point, Cisco, Cloudflare, Ericsson, Forcepoint, Fortinet, HPE Aruba Networking, iboss, Netskope, Palo Alto Networks, Roqos, T-Mobile, Versa, Zscaler
Source: GigaOm 2026

Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1). 

“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.

3. Decision Criteria Comparison

All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:

  • Integrated SASE architecture

  • Cloud-native architecture

  • Identity-based security and access control

  • Multivector threat prevention

  • Global points of presence (PoPs)

  • Multicloud connectivity

  • Data loss protection

Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the relevant market space, and gauge the potential impact on the business.

  • Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating a SASE solution.

  • Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months. 

  • Business criteria provide insight into the nonfunctional requirements that factor into a purchase decision and determine a solution’s impact on an organization.

These decision criteria are summarized below. More detailed descriptions can be found in the corresponding report, “GigaOm Key Criteria for Evaluating Secure Access Service Edge (SASE) Solutions.”

Key Features

  • Global SLA-backed connectivity: Delivering global SLA-backed connectivity provides measurable performance guarantees, including specific latency commitments, uptime percentages, and jitter specifications, all backed by either owned network infrastructure or contractual agreements with remediation penalties. This is critical for ensuring predictable application performance, enabling business continuity planning, and holding providers accountable for service delivery through financially backed commitments.

  • Dynamic traffic management: Dynamic traffic management leverages AI-powered algorithms for application-aware traffic steering, predictive path optimization, real-time load balancing, and sub-second failover capabilities based on network conditions and application requirements. This capability is critical for ensuring optimal application performance, minimizing latency, and maintaining business continuity by automatically adapting to changing network conditions without manual intervention.

  • Threat intelligence and analytics: Advanced threat intelligence and analytics integrate proprietary threat research, machine learning-powered behavioral analysis, real-time threat correlation, and predictive security analytics to identify zero-day attacks and advanced persistent threats. This capability is critical for defending against sophisticated cyber adversaries who use novel attack techniques to bypass signature-based detection systems.

  • API-driven automation: API-driven automation exposes comprehensive REST APIs, event-driven webhooks, and infrastructure-as-code capabilities that enable automated policy deployment, configuration management, and integration with DevOps and security orchestration platforms. This capability is critical for reducing manual configuration errors, accelerating deployment timelines, and enabling enterprises to scale security operations efficiently across distributed environments.

  • Sovereign SASE/local data processing: Sovereign SASE/local data processing provides data residency controls, geographic data isolation, local processing capabilities, and jurisdiction-specific compliance automation that meets government and regulatory requirements for data sovereignty. This capability is critical for organizations in highly regulated industries such as healthcare, financial services, and government that must comply with regional data protection laws including GDPR, HIPAA, and CCPA, while maintaining full control over sensitive information.

  • Digital experience monitoring (DEM): Digital experience monitoring for SASE solutions provides real-time application performance monitoring, synthetic transaction testing, user experience scoring, and automated remediation capabilities that correlate network and security events with user satisfaction metrics. This capability is critical for maintaining productivity by proactively identifying and resolving performance issues before they impact users, enabling IT teams to balance security enforcement with seamless digital experiences.

  • Edge computing integration: Edge computing integration extends security and networking capabilities to edge locations via lightweight appliances, software containers, or mobile edge computing platforms, reducing latency for real-time applications. This capability is critical for supporting emerging use cases such as IoT deployments, industrial automation, autonomous vehicles, and augmented reality that require ultra-low-latency processing and cannot tolerate traditional cloud backhaul delays.

  • Self-service portal: A self-service portal enables users and administrators to independently manage network security settings, access controls, and application policies. This capability enhances operational efficiency, empowers users, and reduces reliance on IT support for routine tasks, which is crucial for managing security across distributed environments.

Table 2. Key Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Vendor | Average Score | Global SLA-Backed Connectivity | Dynamic Traffic Management | Threat Intelligence & Analytics | API-Driven Automation | Sovereign SASE/Local Data Processing | Digital Experience Monitoring (DEM) | Edge Computing Integration | Self-Service Portal

Rows with fewer than eight ratings are missing cells in this text; the ratings that remain are listed in their original order, and the column of each missing cell is not indicated.

Aryaka | 3.0 | ★★★★ | ★★★★ | ★★★ | ★★ | ★★ | ★★ | ★★★ | ★★★★
Barracuda Networks | 2.8 | ★★★ | ★★★ | ★★ | ★★★★ | ★★ | ★★★★ | ★★★
Cato Networks | 4.6 | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★
Check Point | 2.9 | ★★★★ | ★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★★
Cisco | 2.9 | ★★★ | ★★★ | ★★★★ | ★★★ | ★★ | ★★★ | ★★ | ★★★
Cloudflare | 3.4 | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★
Ericsson | 3.3 | ★★ | ★★★★ | ★★ | ★★★ | ★★★ | ★★★★ | ★★★★★ | ★★★
Forcepoint | 2.3 | ★★★ | ★★ | ★★★ | ★★★ | ★★ | ★★ | ★★
Fortinet | 4.0 | ★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★★ | ★★★ | ★★★★★
HPE Aruba Networking | 3.5 | ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★ | ★★★ | ★★★★★
iboss | 4.4 | ★★★★ | ★★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★★★
Netskope | 3.6 | ★★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★ | ★★★ | ★★★
Palo Alto Networks | 3.3 | ★★★ | ★★★★ | ★★★★ | ★★★ | ★★ | ★★★★ | ★★★ | ★★★
Roqos | 2.6 | ★★ | ★★ | ★★★ | ★★★★ | ★★★★ | ★★★★
T-Mobile | 2.8 | ★★★ | ★★★ | ★★★ | ★★★ | ★★ | ★★★ | ★★★ | ★★
Versa | 4.8 | ★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★★
Zscaler | 3.4 | ★★★ | ★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★
Source: GigaOm 2026

Emerging Features

  • Built-in self-healing: Built-in self-healing in SASE solutions enables automatic recovery from outages or disruptions by switching to alternative transport models and adapting configurations. This capability is crucial for maintaining continuous connectivity, security, and compliance, ensuring business continuity, and minimizing downtime.

  • Autonomous security orchestration: SASE solutions leverage artificial intelligence and machine learning to dynamically adjust security policies and coordinate automated incident response across converged networking and security functions without manual intervention. This capability is critical for organizations facing sophisticated, rapidly evolving cyberthreats that move faster than human response times, enabling real-time protection that adapts to changing threat landscapes and business contexts.

  • 5G integration and mobile edge computing: 5G integration and mobile edge computing (MEC) support enable organizations to leverage network slicing capabilities that create dedicated virtual networks with guaranteed performance characteristics while extending security functions directly to cellular infrastructure and edge locations. This integration is critical for supporting emerging use cases that require ultra-low latency connectivity, such as autonomous vehicles, remote surgery, industrial automation, and real-time video streaming, which cannot tolerate traditional backhaul delays.

  • Zero-day threat detection: AI-powered zero-day threat detection applies machine learning-driven behavioral analytics, sandbox detonation, and inline anomaly detection to identify and block previously unseen malware and exploit chains across web, SaaS, and private application traffic. This capability is critical because zero-day exploits target unknown vulnerabilities for which no patches or signatures exist, making traditional signature-based defenses ineffective against these sophisticated attacks that can compromise critical data and disrupt operations.

  • Predictive traffic steering: AI-powered predictive traffic steering uses machine learning to analyze historical traffic patterns, network conditions, and application performance to proactively route traffic and adjust bandwidth allocation before congestion occurs. This prevents performance degradation that could disrupt business-critical applications and user productivity.

  • Generative cybersecurity AI: Generative cybersecurity AI for SASE leverages generative AI to automatically create security policies, generate threat response playbooks, synthesize threat intelligence reports, and produce customized security configurations tailored to organizational context and risk profiles. This capability is critical for reducing administrative burden and enabling security teams to focus on strategic initiatives rather than manual policy creation and configuration management.

  • Unified agent: SASE solutions with unified agents deploy a single lightweight endpoint client that consolidates multiple functions, including SD-WAN connectivity, security policy enforcement, device posture assessment, and performance monitoring, eliminating the need for separate agents for each capability. This approach reduces endpoint resource consumption, simplifies IT management, eliminates conflicts between competing agents, and delivers a consistent user experience across all locations and devices.

  • Managed SASE: Managed SASE is a service-based approach in which a vendor or trusted MSP provides and manages the SASE solution for organizations. This model is important for businesses seeking to rapidly adopt SASE and leverage its benefits without requiring extensive internal network and security expertise.

Table 3. Emerging Features Comparison

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Vendor | Average Score | Built-In Self-Healing | Autonomous Security Orchestration | 5G Integration & Mobile Edge Computing | Zero-Day Threat Detection | Predictive Traffic Steering | Generative Cybersecurity AI | Unified Agent | Managed SASE

Rows with fewer than eight ratings are missing cells in this text; the ratings that remain are listed in their original order, and the column of each missing cell is not indicated.

Aryaka | 2.8 | ★★★ | ★★ | ★★ | ★★ | ★★★ | ★★ | ★★★ | ★★★★★
Barracuda Networks | 2.3 | ★★ | ★★★ | ★★ | ★★ | ★★ | ★★★ | ★★★
Cato Networks | 4.1 | ★★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★
Check Point | 2.5 | ★★ | ★★★★ | ★★★★ | ★★ | ★★ | ★★★ | ★★★
Cisco | 2.0 | ★★ | ★★★ | ★★★ | ★★ | ★★★
Cloudflare | 2.6 | ★★★ | ★★★ | ★★ | ★★ | ★★★ | ★★ | ★★★★ | ★★
Ericsson | 3.4 | ★★★ | ★★★ | ★★★★★ | ★★ | ★★★★ | ★★★ | ★★★ | ★★★★
Forcepoint | 1.9 | ★★ | ★★ | ★★ | ★★ | ★★★ | ★★
Fortinet | 3.1 | ★★★ | ★★★ | ★★ | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★
HPE Aruba Networking | 2.5 | ★★★ | ★★ | ★★★ | ★★★ | ★★★★ | ★★★
iboss | 4.0 | ★★★★ | ★★★★★ | ★★★ | ★★★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★
Netskope | 3.0 | ★★★ | ★★★ | ★★ | ★★★ | ★★★ | ★★★ | ★★★★ | ★★★
Palo Alto Networks | 3.0 | ★★★ | ★★★ | ★★★ | ★★★ | ★★★★ | ★★★ | ★★★ | ★★
Roqos | 1.8 | ★★ | ★★ | ★★ | ★★★ | ★★
T-Mobile | 3.0 | ★★★ | ★★★ | ★★★★ | ★★★ | ★★★ | ★★ | ★★★ | ★★★
Versa | 3.9 | ★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★
Zscaler | 2.5 | ★★ | ★★★ | ★★ | ★★★ | ★★★ | ★★ | ★★★ | ★★
Source: GigaOm 2026

Business Criteria

  • Configurability: Configurability enables organizations to customize security policies and adapt network settings to align with their specific risk tolerance and compliance requirements. This configurability ensures the SASE implementation effectively addresses unique business needs while maintaining optimal security and performance.

  • Flexibility: Flexibility refers to the solution’s ability to adapt to diverse network configurations and environments, ensuring consistent security and connectivity across various scenarios. This adaptability is crucial for organizations with complex, evolving IT landscapes, enabling them to maintain robust security and performance despite changes in user counts, network traffic, or geographic distribution.

  • Interoperability: Interoperability ensures seamless integration with existing infrastructure and compatibility with diverse applications, devices, and systems from various vendors. This capability is essential for maintaining operational continuity, enhancing visibility, and enabling coordinated security and network management across the entire IT ecosystem.

  • Manageability: Manageability refers to the centralized control and administration of the entire security lifecycle across all network edges. This capability is essential for simplifying operations, ensuring consistent policy enforcement, and reducing the complexity of managing distributed networks and security functions.

  • Observability: Observability comprehensively monitors the health and performance of all components through a unified interface or via integration with third-party tools. This capability is essential for maintaining optimal network performance, ensuring security effectiveness, and enabling rapid response to issues across the distributed SASE infrastructure.

  • Performance: Performance encompasses network speed, latency, and throughput, influenced by architecture, edge processing, and component integration. Optimal performance ensures a seamless user experience, efficient application delivery, and effective security enforcement without compromising productivity or introducing vulnerabilities.

  • Support: Support encompasses comprehensive assistance, including SLA-based services, expert staff, and tools for documentation, reporting, and maintaining regulatory compliance. Robust support helps ensure a smooth implementation, ongoing optimization, and rapid issue resolution in complex SASE environments.

  • Cost transparency: SASE cost models vary from transparent subscription-based pricing to upfront costs with annual maintenance and potential hidden fees. Understanding these pricing structures is crucial for organizations that aim to assess the total cost of ownership accurately and align SASE adoption with their budgetary constraints and long-term IT strategies.

Table 4. Business Criteria Comparison 

Rating scale: Exceptional, Superior, Capable, Limited, Poor, Not Applicable

Vendor | Average Score | Configurability | Flexibility | Interoperability | Manageability | Observability | Performance | Support | Cost Transparency

Aryaka | 3.6 | ★★★★★ | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★
Barracuda Networks | 3.3 | ★★★ | ★★★★ | ★★ | ★★★★ | ★★★ | ★★★ | ★★★ | ★★★★
Cato Networks | 4.9 | ★★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★★
Check Point | 3.5 | ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★★
Cisco | 2.9 | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★
Cloudflare | 3.9 | ★★★★ | ★★★★ | ★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★
Ericsson | 3.9 | ★★★★ | ★★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★ | ★★★
Forcepoint | 3.1 | ★★★ | ★★★ | ★★★ | ★★★★ | ★★★ | ★★★ | ★★★ | ★★★
Fortinet | 3.4 | ★★★ | ★★★ | ★★★ | ★★★★★ | ★★★ | ★★★★ | ★★★ | ★★★
HPE Aruba Networking | 3.5 | ★★★ | ★★★★ | ★★★★ | ★★★ | ★★★ | ★★★★ | ★★★★ | ★★★
iboss | 4.3 | ★★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★★
Netskope | 3.6 | ★★★★ | ★★★★ | ★★★★ | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★
Palo Alto Networks | 3.5 | ★★★★ | ★★★ | ★★★★ | ★★★ | ★★★★ | ★★★★ | ★★★ | ★★★
Roqos | 3.0 | ★★★ | ★★★★ | ★★★ | ★★★ | ★★★ | ★★ | ★★ | ★★★★
T-Mobile | 3.0 | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★
Versa | 4.5 | ★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★ | ★★★★★ | ★★★★★ | ★★★★
Zscaler | 2.9 | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★★ | ★★ | ★★★
Source: GigaOm 2026

4. GigaOm Radar

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for SASE

As shown in Figure 1, Leaders and Outperformers predominantly occupy the Maturity/Platform Play quadrant because they possess both the technical depth and organizational resources necessary to deliver comprehensive, enterprise-grade solutions that span the entire SASE architecture. Their positioning reflects their ability to simultaneously invest in innovative capabilities such as AI-driven threat detection, automated policy optimization, DEM integration, and zero trust implementations while maintaining the extensive platform scope required to address diverse security and networking challenges across distributed, hybrid environments.

Furthermore, the distribution between the Maturity/Platform Play and Innovation/Platform Play quadrants reflects the ways individual vendors approach the market along the Innovation and Maturity axis. Those in the Maturity/Platform Play quadrant emphasize proven, stable platform implementations with established operational track records, prioritizing reliability and enterprise-grade deployment capabilities. Conversely, those in the Innovation/Platform Play quadrant combine platform breadth with cutting-edge capabilities such as AI-driven security analytics, advanced DEM integration, and emerging technologies that differentiate them at the market's innovative edge.

It should be noted that being located in the Maturity half does not exclude innovation. Instead, it distinguishes between a vendor enhancing existing capabilities and another adding new capabilities. With each vendor focusing on different ecosystems, technologies, target markets, or use cases, positioning in each quadrant is determined as follows:

  • Maturity/Platform Play: Vendors in this quadrant offer proven, fully integrated platform solutions built from the ground up, with comprehensive capabilities spanning the complete SASE architecture. Their solutions are distinguished by comprehensive features that combine cutting-edge capabilities with deep specialization in specific areas (such as end-to-end visibility into network performance and user experience) and the adoption of proven innovations.

  • Innovation/Platform Play: Vendors in this quadrant offer fully integrated platform solutions that emphasize cutting-edge capabilities and rapid innovation. Positioning here indicates a comprehensive platform breadth combined with advanced features such as AI-driven security, explainable artificial intelligence for anomaly detection, and emerging technologies that demonstrate agility in adopting innovations quickly. 

  • Innovation/Feature Play: Vendors in this quadrant offer innovative, differentiated capabilities in specific areas (or for select target markets) without the full platform scope of comprehensive SASE solutions. They focus on cutting-edge features and emerging technologies within narrower functional domains, emphasizing innovation and specialization over broad platform integration. 

  • Maturity/Feature Play: Vendors that might occupy this quadrant would have established market presence through proven expertise in specific SASE domains or target markets rather than comprehensive platform offerings. They would demonstrate strong technical competency and reliable solutions within specialized focus areas, providing depth over breadth with mature capabilities in targeted use cases.

In addition, the color of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on execution against roadmap and vision, using the vendor’s input from the previous report and its progress relative to overall industry innovation. 

In reviewing solutions, it’s important to keep in mind that there are no universal “best” or “worst” offerings; every solution has aspects that might make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.

INSIDE THE GIGAOM RADAR

To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.

Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.

For more information, please visit our Methodology.

5. Solution Insights

Aryaka: Unified SASE as a Service

Solution Overview
Founded in 2009, Aryaka provides cloud-native SD-WAN and network security solutions, specializing in Unified SASE as a Service. In April 2021, Aryaka acquired Secucloud GmbH (a cloud-based Firewall-as-a-Service and secure web gateway), and in March 2024, it launched Unified SASE as a Service built on its OnePASS architecture and Zero Trust WAN backbone.

Unified SASE as a Service is a cloud-native platform unifying SD-WAN, advanced security, and zero trust access into one globally managed service. Its architecture features a single control plane accessible via the MyAryaka portal, a unified enforcement fabric spanning global PoPs and edge devices, and a private Layer 2 core network that delivers deterministic performance. 

Core components include antimalware, CASB, intrusion detection and prevention system, Next-Generation Firewall (NGFW), SD-WAN services, SWG, Universal ZTNA, and Wide Area Network (WAN) optimization. Key features encompass AI-driven traffic management, application-aware routing, automated policy enforcement, device posture assessment, last-mile management services, multicloud connectivity, real-time threat prevention, SLA-backed global connectivity, and unified observability. Key differentiators are a fully integrated, single-vendor architecture that eliminates policy duplication, a private global backbone that ensures carrier-grade reliability, comprehensive end-to-end visibility across network and security domains, and a fully managed service model with 24/7 support.

Aryaka takes a general platform approach to SASE, innovating to add emerging features such as AI-powered observability, next-generation data loss prevention, AI-secured capabilities, and universal ZTNA modes, while integrating features from the 2021 Secucloud acquisition. 

Aryaka is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SASE Radar chart.

Strengths
Aryaka Unified SASE as a Service scored well on a number of decision criteria, including:

  • Global SLA-backed connectivity: Aryaka operates a private Layer 2 global core network with over 40 PoPs, delivering deterministic performance and sub-100 ms latency access worldwide. The architecture provides carrier-grade reliability through advanced traffic engineering, fast failover mechanisms, and continuous monitoring with automated ticketing, ensuring consistent connectivity between key metros and regions. 

  • Dynamic traffic management: Unified SASE as a Service employs LinkAssure technology, which evaluates multiple network paths using real-time metrics (including latency, jitter, packet loss, and available bandwidth) to automatically steer traffic to optimal paths according to user-defined thresholds. The platform leverages Enea's Qosmos engine, powered by AI and ML, to accurately identify and classify application traffic in real time, enabling customer-defined policies to drive routing, load balancing, and failover decisions. 

  • Self-service portal: The MyAryaka portal serves as a comprehensive single pane of glass that provides advanced dashboards, log analyzers, real-time telemetry, detailed reports, and full configuration management for both networking and security functions without requiring provider intervention. The portal implements fine-grained role-based access control (RBAC), allowing organizations to define custom roles and assign them to users across functional domains, with tailored interfaces for network administrators, security teams, and operations staff. 

Opportunities
Aryaka Unified SASE as a Service has room for improvement in a few decision criteria, including:

  • API-driven automation: The solution provides centralized configuration and orchestration through the MyAryaka portal, enabling policy deployment, site onboarding, and monitoring management via a unified interface without requiring custom scripting. However, it currently does not offer external REST APIs, infrastructure-as-code interfaces, or webhooks for programmatic automation, relying instead on its fully managed service model, with planned API introduction within the next 12 months.

  • Sovereign SASE/local data processing: Unified SASE as a Service enforces data residency and privacy controls across its global PoPs, allowing policies to block, mask, or log data based on data classification and jurisdiction. However, it does not currently provide sovereign SASE or localized data processing tied to specific geographic boundaries, with primary data residency in San Jose and backup infrastructure in Amsterdam. Regional control-plane data handling and customer-specific data residency options are on the roadmap.

  • Digital experience monitoring (DEM): The solution continuously monitors network performance using LinkAssure technology, which evaluates latency, jitter, packet loss, and available bandwidth across all links to dynamically select optimal paths and ensure consistent application performance. However, it does not include native DEM capabilities today. While the solution offers monitoring capabilities, integrated DEM with end-to-end visibility, experience scoring, and synthetic transaction testing is planned for introduction within 12 months.

Purchase Considerations
Aryaka Unified SASE as a Service operates on a subscription-based licensing model determined by remote user count, site count, and bandwidth tiers per location. Customers can select from 1-, 2-, 3-, or 5-year terms, with pricing locked for the duration and billed quarterly in advance. Service tiers range from SD-WAN and Unified SASE foundations to advanced security bundles that include CASB and DLP, with all tiers incorporating hardware (ANAP devices), software, and fully managed services with 24/7 support. The subscription model offers transparent pricing, with optional add-ons including advanced analytics, extended log retention, and professional services.

Key purchase considerations include deployment flexibility through physical ANAP devices at branches, virtual instances in customer-managed environments, or per-user ZTNA for remote workforces. Migration complexity is minimized through Aryaka's fully managed service model, which handles network design, configuration, security policy planning, and migration support, enabling rapid global deployments in days. Proof of concept (PoC) capabilities follow a structured three-phase progression: pilot, controlled availability, and general availability. The elastic subscription model allows bandwidth scaling on demand, capacity bursting during peak periods, and permanent expansion without hardware reprovisioning or contract renegotiation.

Use Cases
Unified SASE as a Service addresses a broad range of use cases, including Multiprotocol Label Switching (MPLS) migration and SD-WAN modernization, SaaS and cloud optimization, secure internet access for branches and users, secure remote and private application access, and ZTNA. It delivers consistent policy enforcement, predictable application performance, and unified visibility across distributed users, branch offices, cloud workloads, and hybrid environments, enabling enterprises to simplify operations, strengthen security, and optimize connectivity for globally distributed workforces.

Barracuda Networks: Barracuda SecureEdge

Solution Overview
Founded in 2003, Barracuda Networks provides cloud-first cybersecurity solutions specializing in email protection, network security, data backup, and application security for businesses and managed service providers. In May 2023, it launched Barracuda SecureEdge (formerly CloudGen WAN), a SASE platform that operates in 26 regions worldwide via Microsoft Azure or on-prem as hardware or virtual appliances. 

Barracuda SecureEdge is a cloud-native SASE platform that converges network security and connectivity into a unified solution for distributed users, sites, and devices. The architecture employs a single-vendor design built on CloudGen Firewall technology with globally distributed microservices running on Azure and single-pass inspection processing. Core components include FWaaS, SD-WAN, SWG, and ZTNA. Key features encompass ATP, AI-based content inspection, application-aware routing, Domain Name System (DNS) filtering, DLP, intrusion detection and prevention, Secure Sockets Layer (SSL) inspection, and URL filtering. Key differentiators include flexible deployment across cloud and private edges, integration with Barracuda Managed XDR for automated threat response, MSP-focused multitenant design, ruggedized IoT connectivity, and TINA encryption protocol for resilient connections.

Barracuda Networks takes a focused approach to SASE, targeting MSPs and SMBs and incrementally improving features through AI-based content inspection, automated extended detection and response (XDR) integration, enhanced DNS filtering, and network DLP.

Barracuda Networks is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the SASE Radar chart.

Strengths
Barracuda SecureEdge scored well on a number of decision criteria, including:

  • Sovereign SASE/local data processing: The solution offers multiple sovereignty options, including customer-owned Private Edge Service using SecureEdge Site devices or CloudGen Firewall appliances, in which all user traffic is processed locally on customer-owned hardware, while only management and reporting remain Barracuda-hosted. Customers can also deploy SecureEdge service instances in their private Azure Virtual WAN tenant, and cloud-based edge services operate in 26 regional PoPs, with data processing limited to selected regions and configurable management-region selection for US or EMEA GDPR compliance.

  • Edge computing integration: Barracuda SecureEdge supports edge computing through multiple deployment methods, including containerized SecureEdge Connector deployment on third-party edge compute devices, native containerized workload execution directly on CloudGen Firewall appliances at site locations, and ruggedized SecureEdge Site devices designed for harsh industrial environments. These capabilities enable scenarios such as municipal CCTV deployments, where hundreds of rugged devices provide SD-WAN cloud connectivity for real-time 4K video feeds processed by machine learning-based cloud inspection.

  • Autonomous security orchestration: The solution integrates with Barracuda XDR to deliver automated threat remediation that autonomously disables compromised users and blocks malicious IPs or websites based on XDR detection engine findings without manual intervention. It includes self-healing SD-WAN capabilities that automatically deprioritize less important traffic during link degradation and restore optimal configurations when connectivity recovers, with roadmap plans for expanded autonomous operations, including closed-loop remediation and AI-powered silent fixes with audit trails.

Opportunities
Barracuda SecureEdge has room for improvement in a few decision criteria, including:

  • Global SLA-backed connectivity: Barracuda Networks operates 26 global PoPs and provides coverage with a median round-trip time under 100 ms for 90% of high-income and upper-middle-income population countries, enabling secure access through cloud-delivered edge services and redundant failover support. However, it currently delivers connectivity on a best-effort basis without contractual service-level agreements, with formal 99.5% per-region SLA commitments introduced in December 2025.

  • API-driven automation: Barracuda SecureEdge uses documented APIs for integration with the BarracudaONE platform, enabling centralized policy management, automated provisioning, zero-touch site deployments, and unattended MDM-based agent rollouts for streamlined operations. However, it lacks publicly available APIs for third-party automation and orchestration, with public API access, webhooks, and external integration capabilities designated as roadmap items planned over the next 12 months.

  • Digital experience monitoring (DEM): The solution provides foundational monitoring through unified dashboards, a centralized data lake that aggregates real-time metrics from appliances and agents, log viewers, and scheduled value reporting for operational visibility across deployments. However, it does not yet offer comprehensive DEM with user experience baselines, anomaly detection, or proactive alerting. Advanced AI-driven DEM capabilities, including predictive analytics and automated remediation, are scheduled for Q3 2026.

Purchase Considerations
Barracuda SecureEdge employs a transparent subscription-based pricing model with two primary tiers: site connectivity and SecureEdge Access. Site connectivity is sold per appliance, with one-time hardware costs plus annual subscriptions covering unlimited SD-WAN traffic and all security features. SecureEdge Access is sold per user per month and supports up to 10 devices with unlimited applications, connectors, and security functionality. MSPs benefit from monthly per appliance or per user pricing with no upfront appliance costs and automatic hardware refresh after four years. Four subscription tiers (DNS Access, Private Access, Internet Access, and Premium Access) provide scalability from basic DNS filtering to comprehensive ZTNA, SWG, FWaaS, and DLP capabilities.

Customers should evaluate deployment flexibility, including cloud-native Edge Services across 26 PoPs, Private Edge Service using customer-owned hardware for data sovereignty, and Azure Virtual WAN integration for private tenant deployment. Migration complexity remains low through zero-touch site deployments, unattended MDM-based agent rollouts, proxy emulation mode for legacy environments, and support for gradual transitions from on-prem to hybrid to cloud-native architectures. Prospective buyers can access demonstration environments and setup tutorials that show how to configure the network in under one hour, though formal PoC capabilities require coordination with Barracuda representatives.

Use Cases
Barracuda SecureEdge addresses a broad range of use cases, including AI-based content inspection, DNS-based filtering, edge computing integration for industrial and IoT deployments, FWaaS, hybrid and multicloud connectivity, managed SASE delivery for MSPs, SD-WAN cloud connectivity, secure internet access, SWG, and ZTNA for remote workforce protection. The solution supports flexible deployment scenarios from on-prem to cloud-native transitions, enabling organizations to secure users, sites, and devices regardless of location while maintaining unified policy enforcement.

Cato Networks: Cato SASE Cloud Platform

Solution Overview
Founded in 2015, Cato Networks provides cloud-native SASE solutions that converge networking and security into a single global platform. In September 2025, Cato Networks acquired Aim Security (AI security protecting third-party and homegrown AI applications), with integration into the Cato SASE Cloud Platform planned for early 2026.

Cato SASE Cloud Platform is a purpose-built, converged, cloud-native architecture that delivers SD-WAN, a global private backbone spanning 90 PoPs, and a complete security service edge (SSE) stack including CASB, DLP, FWaaS, intrusion prevention system (IPS), RBI, SWG, and ZTNA. Built on a single software architecture, it employs the Single Pass Cloud Engine (SPACE), which performs routing, optimization, decryption, and all security inspections in a single pass to minimize latency and ensure consistent policy enforcement. Key features include AI-powered threat prevention with NGAM, autonomous policy management, DEM, DNS security, endpoint protection platform, IoT/OT security, sandboxing, XDR, and zero-touch provisioning managed through a unified console. Differentiators include Cato's own global private backbone with SLA-backed connectivity delivering 99.999% uptime, true convergence without stitching acquisitions together, biweekly automatic updates across all PoPs, elastic self-healing infrastructure, and cloud-scale capacity supporting up to 15 gigabits per second per encrypted tunnel.

Cato Networks takes a general platform approach to SASE, innovating to add emerging features such as AI and IoT/OT security, enterprise browser, autonomous policies for FWaaS, safe transport layer security (TLS) inspection, and capabilities across AI-powered Storyteller, DEM, and sandboxing.

Cato Networks is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Cato SASE Cloud Platform scored well on a number of decision criteria, including:

  • Threat intelligence and analytics: The solution combines global-scale visibility with AI/ML-powered analytics, which aggregates 250 external threat feeds and 20 million indicators of compromise (IoCs), refining them via machine learning to eliminate false positives before deploying platform-wide rules. The platform ingests massive volumes of traffic metadata across more than 90 PoPs to detect anomalies, flag malicious indicators, and infer attack campaigns, while its threat intelligence pipeline enables instant blocking with real-time reputation scoring.

  • Digital experience monitoring (DEM): Cato DEM is a native capability built directly into the SASE fabric that collects metrics from Cato Clients, Sockets, PoPs, and the Global Private Backbone without requiring additional sensors or agents. It uses AI/ML models to derive baselines, detect anomalies, and correlate multidomain data into incident narratives that help administrators quickly isolate root causes across Wi-Fi, ISP, backbone transport, or application layers, while enabling Cato to act on detected issues by rerouting traffic within its network.

  • Predictive traffic steering: Cato Networks uses advanced machine learning models to anticipate network degradation (such as latency, packet loss, or congestion) and proactively reroute traffic before users are affected, drawing on continuous telemetry from 90 global PoPs. The AI models forecast potential path degradation before it occurs, with real-time feedback that continuously refines accuracy, providing predictive, self-optimizing intelligence across Cato's private backbone to ensure deterministic performance globally.

Cato Networks is classified as an Outperformer due to its biweekly release cadence, delivering continuous innovation, integration of Aim Security for AI-native security capabilities, and an aggressive roadmap featuring enhanced capabilities. 

Opportunities
Cato SASE Cloud Platform has room for improvement in a few decision criteria, including:

  • Sovereign SASE/local data processing: The solution supports sovereign SASE by enabling jurisdictional traffic and metadata isolation within designated geographic boundaries, with local processing enclaves deployed to constrain sensitive data within specific regions while preserving connectivity to the global SASE fabric. However, it lacks region-specific sovereign offerings for customers requiring complete operational autonomy, prioritizing centralized orchestration over fully localized data residency models that some regulatory frameworks demand.

  • Edge computing integration: Cato SASE Cloud Platform enables high-availability Internet Protocol security (IPsec) connectivity from customer-deployed edge platforms and supports hybrid deployment models in which edge resources interoperate seamlessly with Sockets and on-prem infrastructure, while maintaining automatic lifecycle management. However, it provides limited native support for containerized workloads and edge orchestration frameworks such as Kubernetes, as well as deep integration with edge application lifecycle management platforms for distributed compute architectures.

  • 5G integration and mobile edge computing: Cato Sockets support 5G and LTE as first-class transport links with active-active or failover configurations, continuously measuring performance metrics and dynamically steering traffic while maintaining inline security inspection. However, it lacks native integration with carrier MEC orchestration platforms, standardized APIs for multi-access edge computing frameworks like European Telecommunications Standards Institute MEC, and telco-specific service chaining capabilities that enterprises require for advanced 5G use cases.

Purchase Considerations
Cato SASE Cloud Platform employs a subscription model with bandwidth-capacity-pool licensing, whereby aggregated bandwidth is allocated across multiple sites within pricing groups. Organizations choose SASE Bandwidth Capacity Pool for full SD-WAN and SSE capabilities or SSE Bandwidth Capacity Pool for security-only deployments. Contract terms typically span 12, 24, or 36 months, with bandwidth tiers determining costs. 

Deployment options include Cato Sockets for physical sites, vSockets for cloud environments, and third-party IPsec tunnels for SSE-only scenarios. Zero-touch provisioning and self-service configuration enable rapid site onboarding. Migration complexity is reduced through a cloud-native architecture that eliminates hardware lifecycle management, firmware updates, and appliance sizing. Customers should carefully evaluate bandwidth requirements, understand the single-platform convergence model that replaces multiple point solutions, and leverage free trials to validate performance across their specific use cases before committing to multiyear contracts.

Use Cases
Cato SASE Cloud Platform addresses a broad range of use cases, including AI security governance, cloud and multicloud connectivity optimization, hybrid and remote work enablement, incident detection and response through XDR capabilities, M&A integration with rapid site onboarding, MPLS migration to SD-WAN with global backbone connectivity, secure direct internet access that eliminates backhauling, and security consolidation that replaces multiple point solutions (such as firewalls, VPNs, SWGs, CASBs, and endpoint tools) with a single converged platform managed through unified policies and a single management console.

Check Point: Harmony SASE

Solution Overview
Founded in 1993, Check Point provides cybersecurity solutions specializing in AI-powered, cloud-delivered network security and threat prevention. The company acquired Veriti (threat exposure management) in June 2025 and Lakera (AI-native security) in November 2025. 

Harmony SASE delivers comprehensive network security through a hybrid architecture combining on-device, in-browser, and cloud-based protections for faster internet access. Core components include CASB for SaaS security with shadow discovery and misconfiguration remediation, FWaaS providing ThreatCloud AI-powered threat prevention, SD-WAN with optimized routing for more than 10,000 applications, SWG offering DNS filtering and malware protection, and ZTNA enabling full-mesh connectivity between users, branches, and resources. Key features include AI Copilot for instant recommendations, application control, DLP, two-factor authentication, and URL filtering with wildcard support. Differentiators include Enterprise Browser for agentless, unmanaged device access, hybrid split-tunneling for optimized traffic routing, native Remote Desktop Protocol client support, and an industry-leading 99% threat prevention block rate.

Check Point takes a general-purpose platform approach to SASE, innovating by adding Enterprise Browser for unmanaged devices, expanding data residency, integrating hybrid split-tunneling, and enhancing AI-powered threat prevention capabilities.

Check Point is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Harmony SASE scored well on a number of decision criteria, including:

  • Global SLA-backed connectivity: The solution provides a 99.999% network SLA through dual tier-1 connectivity at each of its more than 80 globally distributed PoPs, ensuring optimal performance and resiliency across all locations. Customers can use redundant high-availability tunnels across multiple cloud regions, providing additional resilience for mission-critical connectivity.

  • Self-service portal: Harmony SASE includes a multitenanted management portal that exposes all configuration and visibility options through an intuitive interface, enabling customers to quickly deploy and efficiently manage deployments without lengthy onboarding. The portal provides role-based access for administrators and integrates APIs to support automation, delegation, and the orchestration of management and operational tasks.

  • Autonomous security orchestration: The solution employs more than 80 threat analysis engines, including 55 AI-driven engines, that automatically analyze traffic, define security policies, and update them dynamically across all security enforcement points. This comprehensive AI-driven approach achieves a 99% threat-detection and prevention catch rate, validated by third-party testing.

Opportunities
Harmony SASE has room for improvement in a few decision criteria, including:

  • Dynamic traffic management: The solution supports dynamic application-aware traffic steering and link load-balancing while employing WAN optimization technologies, including Differentiated Services Code Point tagging, forward error correction (FEC), link aggregation, and VPN traffic acceleration. However, it lacks AI-powered predictive traffic steering that adapts to both changing network conditions and unique application requirements, but it has innovative congestion control technologies on the 2026 roadmap.

  • Digital experience monitoring (DEM): Harmony SASE continuously monitors network parameters across multiple links and steers traffic per application according to SD-WAN policies to optimize performance for mission-critical applications. However, it does not currently include comprehensive DEM capabilities for end-to-end application performance visibility and user experience analytics, with full DEM functionality scheduled for the 2026 roadmap.

  • Built-in self-healing: The solution continuously monitors connectivity across customer networks and automatically fails over instances within PoPs, links connecting PoPs, and entire PoPs themselves in real time. However, it requires additional monitoring capabilities to enhance early detection and remediation, with these advanced self-healing enhancements planned for future releases to provide more comprehensive automated recovery mechanisms.

Purchase Considerations
Harmony SASE employs a per-user pricing model with tiered service plans (Essentials, Premium, and Complete), while site connectivity is priced by bandwidth. The pricing structure is completely transparent and predictable, with no hidden fees, and consolidates multiple products (including CASB, SWG, and ZTNA) into a unified licensing model. A 30-day free trial provides full functionality access, and educational discounts are available for qualifying organizations. MSSPs benefit from pay-as-you-go licensing options for cost-efficient scaling.

Deployment flexibility spans cloud PoPs, dedicated enterprise browsers, in-browser extensions, mobile devices, on-device agents, and on-prem appliances to accommodate diverse use cases. Migration complexity is minimal through standard IPsec connectivity to any third-party device, integration with existing identity providers via Security Assertion Markup Language (SAML) and System for Cross-Domain Identity Management (SCIM), and REST API support. The intuitive self-service portal enables deployment in as little as 15 minutes with role-based administrative access and multitenant capabilities. Technical support includes onboarding services, customer success engineers, and technical account management throughout deployment and operations.

Use Cases
Harmony SASE addresses a broad range of use cases, including branch office security with SD-WAN connectivity, BYOD compliance for mobile devices, SaaS security through CASB capabilities, secure internet access via SWG, secure remote access using ZTNA with full mesh connectivity, third-party contractor access through Enterprise Browser, and unmanaged device access for temporary users requiring zero trust policies without persistent agents.

Cisco: Cisco SASE

Solution Overview
Founded in 1984, Cisco provides networking and digital communications technology, specializing in routers, security, and cloud solutions. In December 2024, the company acquired SnapAttack (threat detection and defense). Cisco launched its SASE architecture in March 2021, enabling customers to purchase all core SASE product components in a single offer.

Cisco SASE (previously branded Cisco+ Secure Connect) delivers cloud-native SASE through a globally distributed architecture with regional data center pairs providing high availability. Core SSE components include CASB, Cloud Firewall (Layers 3, 4, and 7), DLP, DNS-layer security, FWaaS, SWG, and ZTNA. Key features encompass intelligent routing between interconnected nodes, MFA with SAML 2.0 authentication, posture-based health checking, remote access log export, and unified sites integration across Catalyst SD-WAN, Meraki AutoVPN, and non-Meraki IPsec connections. Primary differentiators include native integration with Catalyst SD-WAN and Meraki SD-WAN via AutoVPN or IPsec with unified policy management, automatic policy enforcement, and posture-based access control, dynamic Border Gateway Protocol (BGP) or static routing, and a unified dashboard for simplified deployment.

Cisco takes a general platform approach to SASE, integrating acquired solutions (SnapAttack, Splunk) while innovating to add emerging features such as AI Access Protection, Cisco Identity Intelligence (CII) integration, Enterprise Browser, Hybrid Zero Trust Access, and One-SASE convergence. 

Cisco is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Cisco SASE scored well on a number of decision criteria, including:

  • Dynamic traffic management: The solution integrates application-aware SD-WAN with a dynamically scalable, high-bandwidth headend architecture that automatically adjusts bandwidth allocation per site up to 500 Mbps bidirectional via AutoVPN technology. It performs intelligent path selection based on real-time network conditions, application requirements, and latency metrics while providing automated interconnected hub routing to optimize application load times through Cisco's global peering relationships.

  • Threat intelligence and analytics: Cisco Talos processes trillions of security events daily from global sensors across millions of endpoints, using artificial intelligence and machine learning to identify attack patterns, vulnerabilities, and zero-day threats before they become widespread. The threat intelligence feed automatically updates every 30 minutes with command-and-control servers, malicious IP addresses, and Tor nodes, while providing continuous anomaly detection and coordinated attack-campaign identification, integrated directly into Secure Connect security enforcement.

  • API-driven automation: The solution provides native automation through REST APIs that enable dynamic connections between environments without manual configuration, reducing operational overhead through programmatic policy enforcement and infrastructure orchestration. It offers comprehensive API capabilities for extracting security data, modifying configurations, automating investigation workflows, and facilitating third-party integrations through a unified management console with real-time telemetry and historical event access.

Opportunities
Cisco SASE has room for improvement in a few decision criteria, including:

  • Sovereign SASE/local data processing: The solution operates through a globally distributed cloud-delivered SSE architecture with regional PoP pairs, ensuring high availability and performance optimization. Cisco Secure Access for Government provides FedRAMP-authorized deployment with continental United States (CONUS) data residency requirements, ensuring that all security processing and logs remain within CONUS for federal compliance. However, it lacks fully sovereign deployment options that ensure security inspection occurs entirely within customer-controlled on-prem or private data center infrastructure.

  • Edge computing integration: Cisco SASE includes Meraki SD-WAN as a native component and integrates with Catalyst SD-WAN to provide intelligent routing and security enforcement at branch locations through AutoVPN and IPsec connectivity. Cisco recently launched the Unified Edge Platform, combining compute, networking, and storage for AI workloads at distributed locations with integrated SD-WAN and virtual Firepower capabilities managed through Intersight. However, it provides limited native integration between SSE security functions and edge computing infrastructure compared to platforms offering embedded MEC orchestration and containerized security workload deployment.

  • 5G integration and mobile edge computing: The solution delivers cloud-delivered security services through DNS-layer protection, FWaaS, SWG, and ZTNA enforced at global PoPs, with SD-WAN providing intelligent path selection. It supports secure connectivity for distributed users and IoT devices through consistent policy enforcement and telemetry across hybrid environments. However, it lacks native multi-access edge computing architecture integration, 5G network slicing support, and standardized APIs for deploying virtualized security functions within carrier mobile edge computing infrastructure at the 5G edge.

Purchase Considerations
Cisco SASE employs a subscription-based licensing model with tiered service packages that provide progressively enhanced security capabilities, including Foundation Essentials (basic SWG, DNS security, and ZTNA), Foundation Advantage (adding FWaaS, IPS, and DLP), and Complete (including production-level support and VPN capabilities). Licensing is structured per user for remote access and per site for branch connectivity, with bidirectional bandwidth scaling up to 500 Mbps via the cloud-delivered architecture.

Organizations must consider several deployment prerequisites, including a dedicated Umbrella instance, compatible SD-WAN infrastructure (Meraki MX, Catalyst SD-WAN, or IPsec-capable devices), and internal DNS server configurations. Migration from existing Meraki SD-WAN with Umbrella SIG deployments offers simplified conversion paths through guided workflows, with Meraki customers experiencing streamlined onboarding via AutoVPN integration rather than manual IPsec configuration for third-party devices. PoC capabilities enable testing through the unified cloud dashboard with support for gradual site additions and traffic steering policies.

Use Cases
Cisco SASE addresses a broad range of use cases, including branch office connectivity through native SD-WAN integration, hybrid work enablement with consistent security across locations, private application access via client-based and clientless ZTNA, secure internet access with cloud-delivered firewall and SWG, and zero trust network access with identity-based authentication and posture evaluation for remote and branch users accessing SaaS, IaaS, and private data center resources.

Cloudflare: Cloudflare One

Solution Overview
Founded in 2009, Cloudflare provides web security, performance, and content delivery services, specializing in DDoS protection, CDN, and zero trust network access. In April 2025, the company acquired Outerbase (database and AI capabilities). Cloudflare launched its comprehensive SASE platform, Cloudflare One, in October 2020.

Cloudflare One is a single-vendor SASE platform built on a globally distributed network spanning more than 330 cities, using a single-pass inspection architecture in which all traffic processing occurs in a single pass. Core components include CASB for SaaS visibility and data protection, FWaaS for network security, SWG for web filtering, and ZTNA for application access control. Key features encompass DNS filtering, DLP, identity-based policies, WAN connectivity, and remote browser isolation. Key differentiators include fully integrated services running on every server across Cloudflare's network, programmable infrastructure delivering unified networking and security convergence, and expanding capabilities beyond traditional SASE definitions to address AI security and multicloud automation.

Cloudflare takes a general platform approach to SASE, innovating to add emerging features such as AI security primitives, monitor groups for advanced health checks, post-quantum cryptography, and on-demand security reports.

Cloudflare is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Cloudflare One scored well on a number of decision criteria, including:

  • Global SLA-backed connectivity: Cloudflare operates on an Anycast-based network spanning 330 cities across 125 countries, with 449 Tbps of network capacity and 13,000 interconnects, enabling any server to provide full service functionality on a given IP address with built-in redundancy and enterprise-grade SLA guarantees. The architecture includes 50 private interconnects with Amazon, Google, and Microsoft, plus a fiber backbone supporting standards such as IPv6 and RPKI for consistent global performance.

  • API-driven automation: Cloudflare One provides comprehensive API coverage and infrastructure-as-code via Terraform providers, enabling organizations to automate configuration management, policy deployment, and security provisioning while reducing manual tasks by up to 80%. The programmable control plane supports CI/CD pipelines with GitHub Actions integration, dynamic routing configurations, and API-based operations, such as SSH certificate authority generation, for streamlined multicloud deployments.

  • Edge computing integration: Cloudflare Workers operate on every server across all data centers in the global network, enabling distributed serverless compute with GPU-accelerated AI inference, D1 database access, Durable Objects for stateful storage, and Queues for background jobs. Workers integrate directly with SASE components, including ZTNA access controls, DLP scanning, SWG filtering, and FWaaS inspection, while providing programmable infrastructure for custom security logic at the edge without centralized deployment.

Opportunities
Cloudflare has room for improvement in a few decision criteria, including:

  • Threat intelligence and analytics: The solution integrates Cloudforce One threat intelligence, processing 81 million HTTP requests and 67 million DNS queries per second to provide real-time attack data, attacker-attributed events, and automated threat analysis through the AI-powered threat events platform. However, it primarily focuses on network-layer threats visible via Cloudflare's infrastructure rather than providing comprehensive endpoint detection and response analytics, requiring third-party SIEM integrations for unified cross-platform threat correlation.

  • Sovereign SASE/local data processing: Cloudflare One provides regional services that enable data localization across defined regions, including Austria, Brazil, France, Italy, Saudi Arabia, Switzerland, and Taiwan, using software-defined regionalization to restrict traffic inspection within jurisdictional boundaries or to exclude specific geographies. However, it functions as an add-on feature rather than a core platform capability, supports only a limited subset of global regions with various configuration caveats, and lacks comprehensive sovereign cloud infrastructure compared to vendors that offer dedicated in-country SASE deployments with local data residency guarantees.

  • Digital experience monitoring (DEM): The solution includes synthetic application monitoring for HTTP GET requests and traceroute tests, network path visualization with hop-by-hop telemetry, and endpoint monitoring for CPU and RAM utilization and for identifying resource-intensive processes. However, it offers less comprehensive session replay capabilities, limited application performance management depth, and fewer advanced troubleshooting features compared to specialized DEM vendors with mature endpoint analytics and business transaction monitoring.

Purchase Considerations
Cloudflare One follows a tiered subscription model with seat-based pricing across Free, Standard, and Enterprise plans. It offers bundled SASE packaging that consolidates workspace security services with network services, including WAN and Firewall. Organizations can begin with a free PoC plan to validate capabilities before committing to paid tiers. Enterprise plans include custom pricing with guided onboarding, training, 24/7/365 support, SLA guarantees, and network prioritization. The pricing structure eliminates per-request charges and scales with organizational value rather than feature complexity.

Deployment options include manual installation for smaller organizations or managed deployment via MDM tools like Intune and JAMF for enterprise-scale rollouts. Migration complexity varies based on existing infrastructure, though Cloudflare's progressive adoption model allows organizations to gradually consolidate up to 10 point solutions, potentially reducing the total cost of ownership. The device client supports Windows, macOS, Linux, iOS, Android, and Chrome OS, with unified management via a single control plane. Customers should evaluate integration requirements with existing identity providers, assess Regional Services needs for data residency compliance, and consider the anycast architecture's implications for sovereign deployment requirements.

Use Cases
Cloudflare One addresses a broad range of use cases, including branch-office connectivity replacing MPLS, cloud application security via CASB, data loss prevention, remote browser isolation, remote workforce connectivity with zero trust access, SaaS application protection, a secure web gateway for filtered internet access, and VPN replacement for private applications. It consolidates security and networking through a unified control plane for enterprises managing distributed workforces, hybrid cloud infrastructure, and global operations.

Ericsson: NetCloud SASE

Solution Overview
Founded in 1876, Ericsson specializes in 5G networks, cloud infrastructure, and enterprise wireless systems managed via AI-powered cloud platforms. In April 2024, Ericsson launched NetCloud SASE, an integrated zero trust private and internet access service with cellular-optimized SD-WAN.

NetCloud SASE is a unified, cloud-native platform that delivers fully integrated zero trust security and networking services. The architecture features a single-pass design with a common policy engine, a unified data lake, and a converged management plane, eliminating multiple policy lookups and reducing latency. Core components include CASB, Content Disarm and Reconstruction (CDR), FWaaS, Hybrid Mesh Firewall, RBI, SD-WAN, Secure Connect, SWG, and ZTNA (both client and clientless). Key features include 5G optimization with cellular-centric traffic steering, application persistence, autonomous remediation via AIOps, dynamic WAN link bonding, forward error correction, intelligent traffic steering, microtunnel architecture to prevent double encryption, and moving-target defense for IP obfuscation. Key differentiators include agentic AI integration with the AI-based NetCloud Virtual Assistant, cellular-optimized performance via inline traffic measurements, a cloud-agnostic architecture enabling rapid PoP deployment, and network slicing support for 5G SA.

Ericsson takes a focused approach to SASE, innovating to add emerging features including agentic AI integration, application persistence, clientless ZTNA with isolation, enhanced LEO satellite monitoring, and microtunnel expansion.

Ericsson is positioned as a Leader and Outperformer in the Innovation/Feature Play quadrant of the SASE Radar chart.

Strengths
NetCloud SASE scored well on a number of decision criteria, including:

  • Dynamic traffic management: The solution employs continuous path monitoring that collects performance measurements for each overlay path and evaluates cellular signal strength for each WAN profile. Application-aware steering identifies traffic up to Layer 7 and routes flows based on business criticality, while intelligent WAN bonding replicates application flows across member links for added resiliency or distributes them based on assigned weights for granular control.

  • Edge computing integration: NetCloud SASE SD-WAN appliances support SDK applications and host container images from any Docker container registry with best-in-class container orchestration within NetCloud for downloading, monitoring, restarting, and deleting applications from a single pane of glass. Strategic collaboration with compute vendors such as Supermicro delivers advanced edge AI capabilities, combining 5G connectivity with edge AI platforms for retail, factories, and healthcare to rapidly deploy pretrained AI models and computer vision at the network edge.

  • 5G integration and mobile edge computing: The solution is optimized around 5G with support for network slicing, allowing customers to select and steer traffic across multiple 5G SA network slices using SD-WAN technology. All Ericsson routers support 5G or LTE, with ultra-low latency requirements addressed through intelligent link bonding in flow duplication mode, which sends duplicate packets across multiple diverse links. The solution provides cellular-centric SD-WAN optimizations, including traffic steering based on cellular attributes, inline traffic measurements, and dynamic URSP provisioning for multislice deployments.

Ericsson is classified as an Outperformer due to its monthly agile release cadence, innovation in agentic AI integration, clientless ZTNA with isolation, enhanced satellite monitoring, and roadmap expansion of microtunnels across SASE infrastructure.

Opportunities
NetCloud SASE has room for improvement in a few decision criteria, including:

  • Global SLA-backed connectivity: The solution’s high-availability, elastic cloud infrastructure offers autoscaling, load balancing, and redundancy at every layer, including servers, data centers, and connections. It uses geolocation services to automatically route users to the nearest access point, while load balancing ensures a consistent user experience regardless of demand. However, it relies on public cloud IaaS providers rather than operating a dedicated private backbone network, which may limit control over end-to-end performance guarantees compared to vendors with owned infrastructure.

  • Threat intelligence and analytics: NetCloud SASE continuously monitors emerging threats using antivirus, CDR, Intrusion Detection System (IDS)/IPS, and RBI technologies while ingesting real-time data from multiple sources to generate risk scores for domains and applications. Curated signatures focused on LTE and 5G use cases eliminate noise while isolation technology air-gaps risky web content and unmanaged devices from corporate assets. However, it lacks proprietary threat intelligence feeds and advanced AI-powered zero-day threat detection capabilities, with network detection and response features planned for future implementation.

  • Self-service portal: The solution currently supports API-driven provisioning for devices, licensing, subscriptions, routers, network sites, and private applications, with tag-based bulk policy configuration. It includes comprehensive cloud management with intuitive dashboards, zero-touch deployment, and over-the-air OS upgrades. However, it offers limited self-service functionality for end users, with plans for users to request access to resources via an administrator-mediated request access button rather than a fully autonomous self-service portal.

Purchase Considerations
NetCloud SASE offers subscription-based pricing with 1-, 3-, or 5-year terms, including cloud management, 24/7 support, and on-demand training. Network services like SD-WAN and Secure Connect are priced per site or router with 500 GB pooled data credits included (excluding IoT deployments, for which network services include unlimited credits), while Advanced web security and ZTNA are priced per user. Licenses are available in standard and premium tiers, with premium unlocking hybrid mesh firewall capabilities and AI-driven insights. On-prem deployments follow identical licensing but require headend infrastructure without included data credits. Organizations must budget separately for cellular data plans and consider data usage monitoring capabilities.

Customers should evaluate deployment options (cloud-delivered, customer-hosted, or hybrid) based on regulatory requirements. The customer-hosted option requires installing a service gateway virtual appliance, though a simplified plug-and-play appliance is planned for organizations with limited IT resources. Migration complexity is reduced through zero-touch deployment with preregistered devices and optional carrier SIMs, while the zero trust foundation simplifies replacing legacy VPNs and private APNs.

Use Cases
NetCloud SASE addresses a broad range of use cases, including branch offices with all-wireless infrastructure, first responders requiring mission-critical connectivity, IoT device management and security for hard-to-secure endpoints, mobile environments including fleet vehicles and mass transit, remote access for privileged IT and third-party contractors, replacing legacy VPNs and private APNs with zero trust connectivity, secure remote work for distributed employees, temporary sites where wired connections are unavailable, and vehicles requiring continuous cellular connectivity.

Forcepoint: Forcepoint ONE*

Solution Overview
Founded in 1994, Forcepoint provides cybersecurity solutions, specializing in data security and zero trust. In February 2022, the company launched its cloud-native SASE platform, Forcepoint ONE. In April 2025, Forcepoint acquired Getvisibility (AI-powered data security posture management and data detection and response), strengthening real-time visibility and control over data risks in hybrid cloud and GenAI environments.

Forcepoint ONE is a cloud-native SASE platform built on AWS with more than 300 PoPs, delivering auto-scaling infrastructure and 99.99% uptime. The architecture integrates three core components: CASB for SaaS application control, SWG for web filtering, and ZTNA for private application access. Key features include data-in-motion scanning, GenAI security controls with ChatGPT Enterprise Compliance API integration, RBI for threat isolation, shadow IT discovery, and unified endpoint agent management. Its data-first differentiator uniquely embeds enterprise DLP policies across all channels via single-console management, enabling consistent data security enforcement.

Forcepoint takes a general platform approach to SASE, integrating acquired data security posture management (DSPM) capabilities from Getvisibility and innovating with emerging GenAI security features, including AI mesh classification technology, ChatGPT Enterprise API integration, and real-time risk assessment across generative AI platforms.

Forcepoint ONE is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SASE Radar chart.

Strengths
Forcepoint ONE scored well on a number of decision criteria, including:

  • Global SLA-backed connectivity: The solution leverages AWS infrastructure with more than 300 PoPs globally, delivering a 99.99% uptime SLA and processing latency under 100 ms for most requests. It employs auto-scaling technology that accommodates traffic surges while maintaining consistent performance, combined with an on-device SWG architecture that minimizes cloud-routed traffic and achieves up to 95% effective bandwidth utilization.

  • Threat intelligence and analytics: Forcepoint ThreatSeeker Intelligence analyzes up to 5 billion requests daily from more than 155 countries, using the Advanced Classification Engine with eight modular defense assessment areas, including big data analytics, sandboxing, and machine learning. It continuously monitors web content, documents, executables, and streaming media under the supervision of Security Labs researchers, distributing real-time threat classifications and generating an average of 3.2 threat intelligence updates per second globally.

  • API-driven automation: Forcepoint ONE CASB integrates with more than 800,000 cloud applications via APIs, enabling automated data-at-rest scanning, policy enforcement, and remediation across SaaS and IaaS environments. The platform provides a REST API for programmatic DLP policy management, enabling automated integration with SIEM, SOAR, and business intelligence solutions for incident management and policy synchronization across development and production environments.

Opportunities
Forcepoint has room for improvement in a few decision criteria, including:

  • Dynamic traffic management: Forcepoint Secure SD-WAN provides dynamic application steering that uses application fingerprinting and destination certificate validation to identify traffic, while evaluating link performance metrics (bandwidth, jitter, and latency) for optimal routing. However, the solution relies primarily on the SD-WAN components for dynamic path selection rather than embedding sophisticated real-time traffic steering capabilities natively within the platform, limiting autonomous traffic optimization for cloud-delivered security services.

  • Sovereign SASE/local data processing: Forcepoint ONE operates on AWS infrastructure with global PoPs and supports compliance with data sovereignty requirements through configurable privacy settings that align with regional data protection laws. However, it processes traffic through centralized cloud gateways rather than offering dedicated regional data processing nodes or local breakout options for organizations with strict data localization mandates requiring in-country inspection and policy enforcement.

  • Self-service portal: The solution provides an administrative management portal with dashboard monitoring, policy configuration, traffic logging, user provisioning through Active Directory sync or local management, and REST API access for administrators. However, it lacks comprehensive end-user self-service capabilities for tasks such as password resets, access request workflows, temporary policy exemptions, or device registration, requiring administrative intervention for most user-facing configuration changes.

Purchase Considerations
Forcepoint ONE employs a per-user, annual subscription model with a minimum of 100 users and a 12-month contract term. It offers modular pricing with Cloud Security Edition, bundling SWG, CASB, and ZTNA capabilities. Additional functionality is licensed through add-ons, including CASB API scanning, DLP SSE applications, RBI, dedicated API Nodes, IaaS scanning per GB, and posture management per account. All subscriptions are nonrefundable and noncancelable after purchase, requiring careful capacity planning before commitment.

Forcepoint ONE deploys exclusively as a cloud-delivered SaaS service on AWS infrastructure, eliminating on-prem options while enabling rapid provisioning. The platform supports agent-based and agentless architectures, with agentless capabilities valuable for BYOD and unmanaged devices. Migration complexity varies based on DLP policy maturity, though customers can leverage established frameworks. Implementation packages are available, though initial configuration can be challenging for smaller teams. Prospects should request PoC environments to validate policy migration workflows and assess learning curves for the centralized management console. 

Use Cases
Forcepoint ONE addresses a broad range of use cases, including cloud application data protection via CASB, data loss prevention across channels, GenAI security controls, private application access through ZTNA, remote browser isolation for threat containment, SaaS security posture management, threat detection and malware protection, web filtering and access control, and zero trust network access for BYOD and unmanaged devices.

Fortinet: Fortinet Unified SASE*

Solution Overview
Founded in 2000, Fortinet specializes in network security, endpoint protection, and cloud security through its Security Fabric platform. In May 2025, the company acquired Suridata (SaaS security posture management to enhance third-party SaaS security) and launched Fortinet Unified SASE's sovereign SASE capabilities and GenAI features.

Fortinet Unified SASE integrates networking (Secure SD-WAN) and security (FortiSASE) functions into a single cloud-native platform powered by FortiOS. 

Fortinet Unified SASE converges networking and security into a cloud-native platform built on FortiOS. The architecture integrates Secure SD-WAN with FortiSASE, deployed across more than 150 global PoPs with a 99.999% SLA and managed via a unified console. Core components include CASB (inline and API-based), DLP, FWaaS, RBI, sandboxing, SWG, and Universal ZTNA. Key features include AI-powered FortiGuard threat intelligence, DEM, a single unified agent, thin-edge support for agentless devices, and sovereign SASE deployment options. Key differentiators include a single operating system powering all organic components, unified management via FortiManager, bidirectional SD-WAN integration, continuous ZTNA posture checks, and flexible FortiFlex licensing.

Fortinet takes a general platform approach to SASE, innovating with features such as an agentless ZTNA web portal, GenAI integration with FortiManager, sovereign SASE deployment, and thin-edge offloading from FortiAP/FortiExtender.

Fortinet is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Fortinet Unified SASE scored well on a number of decision criteria, including:

  • Threat intelligence and analytics: FortiGuard Labs provides AI-powered threat intelligence that continuously updates Unified SASE by analyzing data from millions of global devices and sensors, using machine learning to detect threats in real time. The FortiGuard service powers all organic security components within a single operating system, delivering advanced threat detection with automated policy enforcement and comprehensive analytics via FortiAnalyzer integration, which visualizes log data for pattern identification and threat hunting.

  • Sovereign SASE/local data processing: Fortinet Unified SASE offers Sovereign SASE deployment where customers control data routing and security inspection locations through Fortinet-owned, partner-operated, or customer-owned data centers. Each PoP includes the full security stack with dedicated access per customer, ensuring optimal bandwidth, and customers can select log storage locations, retention periods, and dedicated egress IPs to meet strict regulatory requirements in the finance, government, and healthcare verticals.

  • Digital experience monitoring (DEM): FortiSASE DEM monitors end-to-end user experience from endpoints to applications, tracking performance metrics such as CPU, disk usage, jitter, latency, memory, packet loss, response times, and throughput. It provides comprehensive coverage for cloud connections and local network issues, with real-time visibility into application performance and user device health, enabling proactive issue resolution before productivity is impacted.

Opportunities
Fortinet Unified SASE has room for improvement in a few decision criteria, including:

  • API-driven automation: The solution provides REST APIs, SCIM integration for identity management, and Terraform support for infrastructure-as-code provisioning, enabling programmatic configuration management and third-party tool integration for automated workflows. However, it lacks advanced API orchestration capabilities for complex multistep automation workflows compared to platforms with dedicated API orchestration engines and more extensive prebuilt automation libraries for common operational tasks.

  • Edge computing integration: Fortinet enables thin-edge security by offloading traffic from FortiAP access points and FortiExtender devices to FortiSASE cloud inspection, providing agentless device protection at remote locations without additional appliances. However, it provides limited native integration with containerized edge computing platforms, edge AI workloads, or Kubernetes clusters at edge locations compared to competitors that offer dedicated edge compute orchestration and microservices-based edge security frameworks.

  • 5G integration and mobile edge computing: Fortinet Unified SASE supports 5G as a transport option within SD-WAN for flexible connectivity and can utilize LTE/5G connections for backup and primary links. However, it lacks deep integration with mobile edge computing infrastructure, 5G network slicing orchestration, or specialized capabilities for ultra-low-latency applications that require direct MEC platform connectivity.

Purchase Considerations
Fortinet Unified SASE employs a consumption-based pricing model through FortiFlex, offering per-user subscription licensing with three bundles: Standard (core SSE functions including CASB, DLP, FWaaS, RBI, SWG, and ZTNA), Advanced (adds DEM, Forensics, SOCaaS integration, and dedicated public IPs), and Comprehensive (includes Advanced features plus access to Google Cloud PoPs), bundling all essential security services into single SKUs rather than requiring separate purchases for individual components. FortiManager is required for centralized management of SD-WAN and cloud-delivered security, while FortiGate appliances handle branch SD-WAN connectivity.

Key purchase considerations include deployment options for cloud-delivered FortiSASE, on-prem Sovereign SASE for data sovereignty requirements, or hybrid models combining both approaches. Organizations already using FortiGate devices benefit from simplified bidirectional SD-WAN integration that can be completed in minutes, while third-party SD-WAN environments (currently Meraki, with expanded vendor support planned) require additional testing and configuration. PoC capabilities include trial licensing bundles and zero-touch provisioning for rapid deployment testing. 

Use Cases
Fortinet Unified SASE addresses a broad range of use cases, including branch office connectivity with secure SD-WAN capabilities eliminating costly MPLS requirements, hybrid workforce security providing remote users secure access to corporate and SaaS applications regardless of location, multicloud environments securing data and traffic across different cloud providers while ensuring compliance, thin edge deployments leveraging FortiAP access points and FortiExtender for agentless device security at smaller locations, and zero trust access delivering context-aware application access with Universal ZTNA for both on-prem and cloud resources.

HPE Aruba Networking: HPE Aruba Networking SASE*

Solution Overview
Founded in 2002, HPE Aruba Networking provides enterprise networking solutions, specializing in wireless, wired, and secure edge infrastructure. In September 2020, HPE acquired Silver Peak (SD-WAN technology); in January 2023, Axis Security (a cloud-native SSE platform); and in July 2025, Juniper Networks (data center, routing, and AI-native security). HPE Aruba Networking SASE evolved via SD-WAN and SSE integration.

HPE Aruba Networking SASE delivers unified connectivity and security through a cloud-native architecture that integrates EdgeConnect SD-WAN and HPE Aruba Networking SSE into a single automated platform. The architecture spans more than 500 global edge locations across AWS, Azure, and Google Cloud, with smart routing that simultaneously connects to five PoPs to determine optimal paths. 

Core components include CASB, DEM, EdgeConnect SD-WAN with integrated NGFW, SSE, SWG, and ZTNA delivered through a single policy engine managed via HPE Aruba Networking Central. Key features include AI-powered network access control with machine learning device profiling, business intent overlays with AppExpress for application-aware path selection, First-Packet iQ for real-time application classification across more than 10,000 applications, adaptive DDoS protection, and integrated WAN optimization. Key differentiators include multicloud resilience with automatic failover between cloud providers, unified policy management across all SSE services via a single SSL inspection, agentless and agent-based ZTNA support for protocols, and automated SD-WAN-to-SSE tunnel orchestration.

HPE Aruba Networking takes a general platform approach to SASE, integrating features from the Juniper Networks acquisition while innovating through AI-powered capabilities, including Agentic Mesh, SASE Copilot, and Universal ZTNA across campus and cloud.

HPE Aruba Networking is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SASE Radar chart.

Strengths 
HPE Aruba Networking SASE scored well on a number of decision criteria, including:

  • Dynamic traffic management: HPE Aruba Networking SASE employs First-Packet iQ to classify more than 10,000 applications and 300 million web domains on the first packet, enabling intelligent traffic steering to cloud, data center, or SSE based on business intent policies. AppExpress continuously monitors Apdex scores through synthetic polling and real-time observations, automatically selecting optimal paths across diverse transports while adaptive forward error correction and packet order correction (POC) correct packet loss and reorder out-of-sequence packets without impacting user experience.

  • API-driven automation: HPE Aruba Networking SASE provides an API-first management plane that covers connectors, applications, SSL exclusions, tags, tunnels, and web categories, with event log streaming for external systems, identity sync via SCIM, and staged commits for safe deployments. EdgeConnect SD-WAN exposes comprehensive REST APIs for automating business intent overlays, firewall policies, routing, and templates, complemented by an event-driven notification service that pushes alerts, audit logs, and performance events to external platforms, enabling infrastructure-as-code workflows through blueprint exports and zero-touch provisioning.

  • Self-service portal: HPE Aruba Networking Orchestrator-SP delivers a cloud-hosted, multitenant management platform enabling administrators to autonomously configure connectivity and security policies, monitor performance, onboard endpoints and sites, and initiate break-fix actions without provider intervention. It combines RBAC with REST APIs, event-driven webhooks, and built-in DEM telemetry, allowing both enterprise IT and MSP teams to integrate policy deployment with CI/CD pipelines, ITSM, and SOAR systems while maintaining centralized governance across network and security layers. 

Opportunities
HPE Aruba Networking SASE has room for improvement in a few decision criteria, including:

  • Sovereign SASE/local data processing: The solution enables administrators to set policies that ensure data and metadata flagged for regionalization remain within the PoP serving that geographic area, preventing cross-border transfers. However, it lacks a dedicated sovereign cloud infrastructure independent of hyperscalers and does not offer comprehensive on-prem PoP deployment options that regulated industries require for complete data sovereignty.

  • Digital experience monitoring (DEM): HPE Aruba Networking SASE collects real-time telemetry, measuring CPU utilization, connectivity status, DNS resolution times, and path latency, while SSE PoPs capture latency, packet loss, throughput, and application response times. However, it lacks comprehensive synthetic transaction monitoring capabilities and currently supports DEM only for limited traffic types, with plans to expand coverage to all SWG and ZTNA flows.​

  • Autonomous security orchestration: The solution provides API-first management via REST APIs for connectors, applications, firewall policies, and templates, complemented by event-driven notification services that push alerts to SOAR, SIEM, and ITSM platforms. However, it lacks fully autonomous security orchestration capabilities, with the planned SASE Copilot intended to provide automated security recommendations and vulnerability identification without immediate execution authority.​ 

Purchase Considerations
HPE Aruba Networking SASE employs a software subscription-based licensing model with a minimum 12-month commitment. EdgeConnect SD-WAN licenses are tiered as Foundation and Advanced, priced by device type and bandwidth capacity, with optional add-ons for WAN optimization and advanced security features. HPE Aruba Networking SSE uses per-user licensing across four tiers: Foundation (ZTNA only), Foundation Plus (ZTNA and SWG), Advanced (adds CASB and DEM), and Advanced Plus (includes advanced DLP). Site-based SWG bandwidth subscriptions are available separately for unmanaged devices, enabling agentless protection via 10 Mbps dedicated tunnels.​​

Prospective customers should consider the two separate management consoles (one for EdgeConnect SD-WAN and another for HPE Aruba Networking SSE) until planned GUI integration is complete. Migration benefits from automated SD-WAN-to-SSE tunnel orchestration, zero-touch provisioning, and configuration templates supporting IaC workflows. HPE Aruba Networking offers 30-day evaluation subscriptions and supports multivendor SSE integration if organizations prefer incumbent security providers. 

Use Cases
HPE Aruba Networking SASE addresses a broad range of use cases, including branch security and firewall consolidation, cloud-first organization support with optimized multicloud connectivity, coffee shop networking enabling secure direct internet access for remote workers, MPLS dependency reduction through dynamic path selection, secure third-party contractor access with agentless ZTNA capabilities, Universal ZTNA extending zero trust principles across remote and on-prem environments, and VPN replacement delivering identity-driven least-privilege access policies.

iboss: Zero Trust SASE

Solution Overview
Founded in 2003, iboss provides cloud-based network security solutions, specializing in zero trust SASE technology. In May 2024, the company integrated Zero Trust SSE with Zero Trust SD-WAN to create Zero Trust SASE. In October 2025, it launched the iboss MSSP SASE Platform, a purpose-built variant offering multitenant management, pooled licensing, and seamless billing integration.

Zero Trust SASE is a cloud-native platform built on containerized architecture with core components including CASB, DLP, RBI, SD-WAN, SWG, and ZTNA. The architecture consolidates all security and networking functions into unified containers deployed across 100 PoPs globally, processing 150 billion daily transactions with sub-100 ms latency and multicloud redundancy. 

Key features include AI-powered continuous adaptive access with per-request authorization using NIST 800-207 trust algorithms, autonomous threat detection through multilayered AI/ML models analyzing behavioral patterns and zero-day exploits, unlimited SSL/TLS inspection without performance degradation, and real-time prompt inspection for generative AI applications. Key differentiators are an AI-native architecture embedded from inception, continuous zero trust authorization that extends beyond authentication to every user-resource interaction, and native browser isolation that automatically inherits all security policies.

iboss takes a general platform approach to SASE, innovating to add emerging features such as AI-powered CASB with dual-risk scoring, AI chat monitoring with DLP enforcement, agentic AI for autonomous security operations, and integrated DSPM.

iboss is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Zero Trust SASE scored well on a number of decision criteria, including:

  • Threat intelligence and analytics: The solution leverages multiple specialized AI/ML models trained on 150 billion daily transactions to identify zero-day exploits, polymorphic malware, and advanced persistent threats without relying on signatures. Machine learning-powered behavioral analytics establish baseline patterns across users, devices, and applications to detect anomalies indicating account compromise, credential theft, and novel attack techniques by correlating threat signals across all security functions.​

  • API-driven automation: Comprehensive REST APIs and event-driven webhooks enable automated policy deployment, real-time configuration management, and infrastructure-as-code capabilities within a unified containerized platform architecture. This provides consistent policy and configuration control across all users, devices, and cloud environments through a single interface, with deep integration with identity providers, cloud applications, DevOps toolchains, and SIEM systems to enable streamlined, secure DevSecOps practices.​

  • Autonomous security orchestration: AI-powered dual risk scoring independently evaluates application risk and data sensitivity to dynamically assign and enforce adaptive policies without manual intervention. Autonomous agents perform threat triage, root cause analysis, and execute automated remediation workflows that isolate compromised devices, revoke access, and contain lateral movement within three to five minutes compared to the industry average of more than 30 minutes, with a self-healing security posture that continuously adjusts configurations based on attack patterns.​ 

iboss is classified as an Outperformer due to its rapid innovation velocity, delivering AI-powered CASB with signatureless detection, GenAI security monitoring, and agentic, autonomous operations through continuous platform enhancements.

Opportunities
Zero Trust SASE has room for improvement in a few decision criteria, including:

  • Sovereign SASE/local data processing: The containerized architecture enables the deployment of policy enforcement points within customer-managed data centers or specific geographic locations, ensuring data remains within jurisdictional boundaries and supports compliance with government and regulatory data sovereignty requirements. However, it lacks a comprehensive sovereign cloud infrastructure across all global regions, limiting deployment flexibility for organizations with strict multijurisdictional data residency mandates that require complete processing isolation across multiple sovereign territories.​

  • Digital experience monitoring (DEM): Zero Trust SASE provides real-time analytics and telemetry, covering application usage, latency metrics, bandwidth utilization, and network performance with AI-driven behavioral analytics for anomaly detection across all security and networking functions. However, it offers less specialized DEM capabilities than competitors with dedicated DEM modules that provide synthetic transaction monitoring, endpoint performance metrics, application-specific user experience scoring, and proactive experience optimization that predict degradation before user impact occurs.​

  • 5G integration and mobile edge computing: The solution offers native 5G security integration with production deployment for Verizon customers, providing SIM-based authentication, optimized mobile performance, and distributed edge security across 100 global PoPs, supporting mobile edge computing workloads and IoT devices. However, it currently supports only single-carrier integration (compared to competitors offering multicarrier 5G partnerships that provide broader cellular network coverage) and lacks advanced 5G network slicing integration and private 5G network security capabilities that are planned for roadmap delivery.

Purchase Considerations
iboss Zero Trust SASE offers a simple per-user subscription pricing model with three tiers (Core, Advanced, and Complete), enabling modular licensing of individual components or comprehensive bundles. Pricing includes unlimited bandwidth and throughput, with AI capabilities embedded across all tiers at no additional cost.

Key purchase considerations include deployment flexibility with cloud-native, hybrid, or on-prem gateway options supporting data sovereignty requirements. Migration complexity is minimal, with production deployment achievable in days without extensive network rearchitecture, using a 60-second SASE setup wizard for initial configuration. PoC capabilities include beta and early access programs for testing upcoming features. Organizations should evaluate the purpose-built unified architecture versus acquisition-assembled competitors, FedRAMP and StateRAMP authorization for government agencies, containerized sovereign SASE capabilities for jurisdictional compliance, and single-vendor operational simplicity versus multivendor complexity. 

Use Cases
Zero Trust SASE addresses a broad range of use cases, including browser isolation for contractor access, call center security, data center consolidation, healthcare compliance (HIPAA and PHI protection), legacy VPN replacement, manufacturing IoT/OT security, Microsoft O365 performance optimization, proxy appliance consolidation, shadow IT discovery, sovereign SASE for government and regulated industries, VDI replacement, and education deployment. The platform serves distributed workforces, remote users, branches, and unmanaged devices across multiple industry verticals.

Netskope: Netskope One SASE

Solution Overview
Founded in 2012, Netskope provides cloud security software, specializing in SASE and SSE solutions that protect applications, websites, and data from cyberthreats. In October 2024, the company acquired Dasera (data security posture management). Netskope One SASE, a unified single-platform SASE solution, was launched in August 2022. 

Netskope One SASE is a cloud-native, fully converged single-vendor SASE solution that unifies CASB, FWaaS, SD-WAN, SWG, and ZTNA via the Netskope Zero Trust Engine. It leverages the NewEdge Network, the world's largest private security cloud, to optimize connectivity with single-pass architecture processing in under 15 ms. Core elements include the Netskope One Client, Netskope One Console, Netskope One Gateway, and SkopeAI-powered Cloud Orchestrator for AI-driven automated operations, C2 beacon detection, and network performance diagnostics. The platform offers advanced data protection with DLP and DSPM, comprehensive threat prevention, IoT Device Intelligence, Cloud Risk Exchange with partner integrations, Cloud TAP for advanced forensics via full packet capture, and DEM Enterprise for end-to-end monitoring. Key differentiators include its unified SASE client, which eliminates multiple agents; extensive NewEdge infrastructure with the lowest end-to-end latency; and context-aware AppQoE supporting more than 85,000 applications.​

Netskope takes a general platform approach to SASE, innovating with AI-powered capabilities, including Copilot for Private Access and MCP server, while integrating DSPM from Dasera.

Netskope is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Netskope One SASE scored well on a number of decision criteria, including:

  • Global SLA-backed connectivity: Netskope’s NewEdge Network provides industry-first SLAs guaranteeing less than 10 ms latency for non-decrypted traffic and less than 50 ms for encrypted traffic across more than 75 regions, with over 10,000 network adjacencies to more than 750 Autonomous System Numbers. Route Control technology with NewEdge Traffic Management 2.0 automatically detects disruptions using endpoint and network telemetry, then reroutes traffic to optimal data centers within seconds without manual intervention.​

  • Threat intelligence and analytics: SkopeAI leverages AI/ML-driven user and entity behavior analytics (UEBA), with more than 50 trained models and more than 100 detectors, for inline and API inspection to identify anomalous behavior, compromised accounts, and data exfiltration. Cloud Threat Exchange enables bidirectional IOC sharing across endpoint security, CASB, DLP, firewalls, IPS, SIEM, and SOAR platforms, while global threat labs provide continuous threat intelligence across file types, geographic regions, and industry segments.​

  • API-driven automation: REST API v1 and v2 provide CRUD operations for alert management, application onboarding, infrastructure provisioning, policy enforcement, and quarantine file management across network events, application events, and audit logs. Cloud Exchange modules (CLS, CRE, CTE, and CTO) deliver automated log export, multisystem risk score normalization, bidirectional threat intelligence sharing, and ITSM ticket orchestration through more than 100 prebuilt integrations with multitenant support.

Opportunities
Netskope One SASE has room for improvement in a few decision criteria, including:

  • Sovereign SASE/local data processing: The solution delivers data sovereignty compliance through more than 20 Traffic Management Zones across at least 120 full-compute data centers in more than 75 regions, supporting configurable data residency policies for a large number of regions and countries. Where a NewEdge Traffic Management Zone is not available for a given compliance-based region, security inspection occurs in nearby, low-latency data centers rather than via a fully isolated in-country processing infrastructure, which may not satisfy stringent sovereign cloud requirements mandating complete geographic data containment.​

  • Digital experience monitoring (DEM): Netskope One DEM Enterprise provides comprehensive visibility through Synthetic Monitoring Augmentation for Real Traffic methodology, combining real user monitoring analytics, enterprise stations for site-specific monitoring, and SkopeAI-powered ML diagnostics across SD-WAN, SASE gateways, and application layers. However, it demonstrates limited mobile and BYOD coverage, with iOS and Android applications not consistently routing through proxy infrastructure; it lacks parity between desktop and mobile feature sets; and it provides minimal offline endpoint monitoring for unmanaged devices.​

  • Edge computing integration: The solution supports flexible traffic on-ramping through client software, SASE gateways, SD-WAN appliances, and private connections to NewEdge infrastructure with containerized security function processing. However, it lacks native MEC integration, does not deploy compute resources at telco network edges or IoT deployment sites, and does not support edge-native application workload orchestration or Kubernetes-based edge computing frameworks required for distributed edge processing architectures.​

Purchase Considerations
Netskope One SASE follows a subscription-based SaaS pricing model with annual or multiyear contracts typically spanning 1 to 3 years. Pricing is determined by two primary levers: the size of the customer's employee base and the number of product modules consumed, with per-user licensing as the standard approach. The platform is sold predominantly through a channel-driven field sales motion targeting large enterprises, meaning most transactions are brokered by partners rather than direct sales representatives, affecting negotiation dynamics and procurement timelines.​

Purchase considerations include extensive deployment flexibility with hardware and virtual gateway form factors supporting cellular, micro-to-large branches, data centers, and multicloud environments. The platform accommodates both single-vendor and dual-vendor SASE deployments, enabling phased migrations alongside existing infrastructure. Migration complexity varies based on the scope of modules adopted, with unified client deployment simplifying desktop administration but requiring coordination across networking and security teams. Four-tiered multitenancy support enables managed service provider implementations, while PoC programs typically involve deployment testing across representative user populations and branch locations to validate performance and integration requirements.

Use Cases
Netskope One SASE addresses a broad range of use cases, including branch connectivity optimization, cloud and SaaS application security, data loss prevention across endpoints and networks, digital experience management, hybrid workforce enablement, IoT/OT device protection, remote user secure access, secure private application access through ZTNA, secure web gateway functionality, VPN replacement for legacy infrastructure, and zero trust network architecture implementation. The platform supports foundational SASE deployments, distributed workforce scenarios, and comprehensive SSE requirements across enterprise environments.

Palo Alto Networks: Prisma SASE*

Solution Overview
Founded in 2005, Palo Alto Networks provides AI-powered cybersecurity platforms, specializing in network security, cloud protection, and SASE solutions. In July 2025, it completed the acquisition of Protect AI (AI application and model security) and announced the pending acquisition of CyberArk (identity security). 

Prisma SASE is a cloud-delivered platform integrating autonomous digital experience management (ADEM), CASB, FWaaS, SD-WAN, and ZTNA 2.0 into a single service. The architecture consists of globally distributed security processing nodes (SPNs) connected via an encrypted backbone, service connection corporate access nodes (SC-CANs) for internal resource access, and centralized management through Strata Cloud Manager with autonomous AI agents. 

Core components include next-generation CASB with SaaS Security Posture Management (SSPM) for AI agents, a cloud SWG with ML-based threat prevention, endpoint DLP with AI-augmented classification, FWaaS delivering inline inspection across all ports and protocols, Prisma Access Browser 2.0 neutralizing web threats at the browser level, Prisma SD-WAN providing application-defined routing, and ZTNA 2.0 enforcing identity-based least-privilege access. Key differentiators include more than 140 pretrained ML classifiers for data protection, ADEM hop-by-hop visibility across underlay and overlay paths, including non-Palo Alto Networks SD-WAN deployments, AI Canvas for natural-language telemetry queries, dedicated SaaS-based SSPM monitoring AI agents and copilots, and last-mile data protection.​

Palo Alto Networks takes a general platform approach to SASE, innovating to add emerging features like AI agent SSPM, AI-augmented DLP classification, Prisma Access Browser 2.0 web threat neutralization, and ADEM for standalone SD-WAN.

Palo Alto Networks is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SASE Radar chart.

Strengths
Prisma SASE scored well on a number of decision criteria, including:

  • Threat intelligence and analytics: The solution integrates Advanced DNS Resolver (ADNSR), delivering globally distributed, low-latency DNS resolution with Precision AI-powered protections that inspect every DNS request and response in real time, covering twice as many DNS threats as competitors while maintaining centralized visibility through Strata Cloud Manager. It deploys AI and ML algorithms to continuously gather threat intelligence, monitor network activity for anomalous behavior, and provide AI-assisted recommendations with automated remediation workflows that proactively identify and block advanced threats.​

  • Digital experience monitoring (DEM): ADEM provides SASE-native end-to-end visibility with segment-wise insights across the entire service delivery path, monitoring all segments from endpoint to application for GlobalProtect mobile users and all WAN paths (active and backup) for Prisma SD-WAN remote sites. It identifies baseline metrics for each monitored application, provides hop-by-hop visibility across underlay and overlay paths, including non-Palo Alto Networks SD-WAN deployments, and delivers insights that quickly isolate degraded segments across endpoint, Wi-Fi, LAN, ISP, Prisma Access, or application layers.​

  • Predictive traffic steering: The solution uses a flow- and session-based approach that examines transactional success and failure statistics, incorporating factors such as Mean Opinion Scores for real-time traffic, server response times, TCP initiation, and Layer 7 elements to perform automated asymmetric flow correction across underlay and overlay paths. It automatically splits branch prefixes into more specific routes advertised to different core BGP peers to prevent loops, ensures longest-prefix preference, and performs auto-path correction by analyzing session flow patterns to dynamically redirect traffic based on observed return paths.​ 

Opportunities
Prisma SASE has room for improvement in a few decision criteria, including:

  • Global SLA-backed connectivity: The solution delivers SLA-backed 99.999% uptime across all services, with security processing latency under 10 ms worldwide, leveraging a multicloud architecture combining AWS and GCP infrastructures and dedicated compute resources at globally distributed SPNs, all connected via an encrypted backbone. However, it does not provide explicit end-to-end network connectivity SLAs for application performance beyond the Prisma Access infrastructure itself, as connectivity quality depends on third-party ISP and cloud provider networks that lie outside Palo Alto Networks' direct control.​

  • API-driven automation: Prisma SASE provides a configuration orchestration API for third-party SD-WAN integration, ADEM APIs for digital experience telemetry access, and supports Terraform-based infrastructure-as-code workflows for cloud security posture management and account onboarding with common SASE authentication. However, it requires organizations to work with multiple API frameworks across management platforms (Panorama versus Strata Cloud Manager), doubling integration efforts and introducing complexity for automated workflows spanning both on-prem and cloud-managed deployments.​

  • Sovereign SASE/local data processing: The solution supports data residency compliance by allowing organizations to select specific geographic regions for traffic processing, adhering to sovereignty laws such as APRA CPS 234, GDPR, and SOCI Act requirements through regional SPN deployment options. However, it routes traffic through transnational cloud-based services that rely on AWS and GCP infrastructure rather than dedicated sovereign cloud instances with localized data processing, creating potential compliance challenges for organizations that require all authentication, logging, and inspection to occur within national borders.

Purchase Considerations
Prisma SASE employs a subscription-based tiered licensing model with separate SKUs for mobile users and remote networks, priced per unique user or per site bandwidth allocation. The Base tier includes CASB inline, FWaaS, Prisma Access Browser, SWG, and ZTNA, while Pro adds ADEM, AI Ops, and 1-year log retention. Cortex Data Lake licenses for extended retention are sold separately based on the terabytes stored.​​

Key purchase considerations include deployment flexibility through a cloud-delivered global architecture that requires no on-prem hardware, though migration complexity increases for organizations with existing SD-WAN or security infrastructure due to configuration rearchitecture across the Strata Cloud Manager or Panorama management platforms. Organizations can request PoC trials with full enterprise features. Customers should verify that SaaS inline security and Prisma Access Browser SKUs are included in quotes, as these require explicit ordering despite being included in the Base tier. 

Use Cases
Prisma SASE addresses a broad range of use cases, including AI agent security and governance with dedicated SSPM for SaaS-based agents and GenAI app discovery; data protection across managed and unmanaged devices with endpoint DLP and browser-based last-mile controls; digital experience management with ADEM for SaaS and private applications; hybrid workforce security combining secure internet access and secure cloud access; mergers and acquisitions with multitenant isolation and flexible licensing; retail and branch connectivity with SD-WAN and ZTNA 2.0 integration; and secure private access for remote workforces through zero trust network access.

Roqos: Roqos SASE

Solution Overview
Founded in 2014, Roqos provides enterprise-grade cybersecurity and networking solutions powered by patented OmniVPN technology. The company develops its own product portfolio, including Roqos Core appliances, Roqos SASE applications for Windows, macOS, and Linux, Public SASE cloud, and PrivateSASE for private cloud deployments.

Roqos SASE offers a distributed SASE architecture that eliminates the need for overlay networks, enabling direct site-to-site connectivity via patented OmniVPN® technology. The architecture separates the control plane (cloud-based Roqos Cloud) from the data plane (Roqos Core appliances), ensuring that all traffic processing occurs at the edge rather than in centralized clouds. Core components include Roqos Core physical and virtual appliances running open source software, including Debian Linux; SASE applications for endpoint devices; and cloud-based management with multitenant capabilities. Key features include asset management, CountryBlock, DNS filtering, dynamic path selection, FWaaS, IPS, local microsegmentation, NGFW, SD-WAN with load balancing, Universal ZTNA for local and remote users, and vulnerability scanning using OpenVAS. Key differentiators include PrivateSASE for private data center deployments, patent-pending agentless local microsegmentation, edge-based processing without customer data traversing provider networks, and integrated vulnerability scanning bundled directly into appliances.

Roqos takes a focused approach to SASE, targeting SMBs and government organizations by incrementally improving SD-WAN features while filling security feature gaps with planned DLP and TLS inspection capabilities.

Roqos is positioned as a Challenger and Forward Mover in the Innovation/Feature Play quadrant of the SASE Radar chart.

Strengths
Roqos SASE scored well on a number of decision criteria, including:

  • Sovereign SASE/local data processing: PrivateSASE operates entirely within customer data centers or private clouds, allowing government organizations and privacy-sensitive enterprises to maintain complete data sovereignty without routing sensitive traffic through public cloud infrastructure. This architecture addresses regulatory requirements by eliminating external data processing while delivering comprehensive FWaaS, IPS, SD-WAN, and ZTNA capabilities through locally deployed Roqos Core appliances that perform all security functions at the customer's physical location.​

  • Edge computing integration: Roqos SASE implements all security and networking functions directly on Roqos Core appliances at customer edge locations rather than in centralized cloud infrastructure, ensuring low latency, enhanced performance, and complete customer privacy, as no data packets traverse Roqos networks. The architecture uses patented OmniVPN technology to establish direct site-to-site connections without an overlay network, while Roqos Core appliances running Debian Linux locally execute IPS, DNS filtering, NGFW, CountryBlock, OpenVAS vulnerability scanning, and network monitoring with ntopng, an open source, web-based network traffic monitoring tool.​

  • Self-service portal: Roqos SASE provides a cloud-based web application with intuitive policy-based management that abstracts complex networking configurations, allowing administrators to create security policies using device names, groups, locations, and schedules rather than requiring IP address or subnetting knowledge. The multitenant portal offers automated device discovery, real-time alerting via email and browser notifications, RBAC, click-to-connect OmniVPN configurations without manual OpenVPN or WireGuard setup, and automatic detection of IP conflicts and DHCP server issues.

Opportunities
Roqos SASE has room for improvement in a few decision criteria, including:

  • Global SLA-backed connectivity: The solution uses patented OmniVPN technology to establish direct site-to-site connections between customer locations, bypassing provider-managed overlay networks and eliminating intermediary infrastructure while maintaining secure, encrypted tunnels for all intersite communications. However, it does not provide global SLA-backed connectivity guarantees since the architecture relies on customer-selected ISPs for underlying connectivity rather than operating a proprietary global PoP network with contractual uptime commitments.​

  • Dynamic traffic management: Roqos SASE implements dynamic path selection capabilities that monitor line utilization, latency, and link failures to automatically route traffic across Ethernet, 4G and 5G, and WiFi-as-WAN connections with configurable failover priorities, load balancing, and application-based traffic prioritization. However, it currently implements traffic steering based on network events and customer-defined thresholds rather than advanced AI-powered predictive analytics, with machine learning-based self-steering scheduled for delivery in 2026.​

  • Threat intelligence and analytics: The solution provides comprehensive threat prevention by running IPS, DNS filtering, IP filtering, and wire-speed CountryBlock locally on all Roqos Core appliances, with automatic signature updates at 4:00 AM daily and manual zero-day protection deployment from the Roqos SOC. However, it lacks advanced threat intelligence analytics capabilities, including behavioral analysis, anomaly detection, and ML-based threat correlation, which are currently under development for delivery in Q2 2026.​

Roqos is classified as a Forward Mover due to its bimonthly release cadence, focusing on incremental SD-WAN enhancements, while critical SASE features like DLP, TLS inspection, and advanced threat analytics remain in development for 2026 delivery.

Purchase Considerations
Roqos SASE offers two transparent pricing structures. The Roqos Core-based model charges for physical or virtual appliances plus annual SASE service subscriptions, with PrivateSASE requiring separate software and service fees. Alternatively, device-based pricing applies monthly or yearly charges per endpoint for organizations using SASE applications on Windows, macOS, or Linux devices. 

Roqos SASE supports multiple deployment options, including hybrid cloud, multicloud (AWS today, with Azure and Google Cloud planned), on-prem via PrivateSASE, and private cloud installations. Migration complexity is reduced via open source architecture with standard APIs, enabling integration with existing infrastructure without forklift upgrades. The platform offers click-to-connect OmniVPN configurations, eliminating the need for manual setup. The solution targets SMBs, government agencies, and managed service providers rather than large enterprises. Month-to-month contracts with trial periods facilitate PoC evaluations before long-term commitments.

Use Cases
Roqos SASE addresses a broad range of use cases, including branch office connectivity with SD-WAN; government and privacy-sensitive deployments requiring on-prem PrivateSASE; IoT and security camera management; MPLS replacement with direct site connections; MSP multitenant service delivery; remote workforce access through Universal ZTNA; and small-to-medium business cybersecurity featuring integrated asset management, network segmentation, and vulnerability scanning capabilities.

T-Mobile: T-Mobile SASE

Solution Overview
Founded in 1994, T-Mobile provides wireless communications and broadband services, specializing in 5G network technology. In September 2023, the company launched T-Mobile SASE's T-SIMsecure and Security Slice, leveraging Versa technology, and in May 2025, it launched T-Mobile SASE with Palo Alto Networks, which integrates Palo Alto Networks' Prisma SASE 5G platform as a managed offering.

T-Mobile SASE is built on a 5G standalone architecture, integrating Palo Alto Networks' Prisma SASE and Versa platforms with T-Mobile's nationwide network. Core components include T-Mobile Security Slice (dedicated network segment), T-SIMsecure (SIM-based authentication), and cloud-delivered security functions. Key features include Private Access using ZTNA for application connectivity and Secure Internet Access delivering SWG, CASB, and next-generation firewall protection. Key differentiators include hardware-level security through SIM cards; IoT device protection; T-SIMsecure, which uses International Mobile Equipment Identity and International Mobile Subscriber Identity for clientless SIM-based authentication; and T-Mobile Security Slice, the first dedicated network slice for commercial SASE in the US, providing traffic isolation and enhanced performance on 5G SA-enabled devices.​

T-Mobile takes a focused approach to SASE, innovating with industry-first capabilities such as SIM-based authentication and Security Slice, while integrating Palo Alto Networks' Prisma SASE platform to expand its mobile-centric enterprise security portfolio.

T-Mobile is positioned as a Challenger and Fast Mover in the Innovation/Feature Play quadrant of the SASE Radar chart.

Strengths
T-Mobile SASE scored well on a number of decision criteria, including:

  • Threat intelligence and analytics: T-Mobile SASE integrates Palo Alto Networks' Prisma SASE 5G platform, providing cloud-native threat prevention with advanced analytics across endpoints, SaaS applications, and internet traffic through CASB, FWaaS, and next-generation firewall capabilities. The 5G standalone architecture includes built-in encryption, which protects interfaces, subscriber identities, control planes, and user data planes, while mitigating downgrade attacks that exploit legacy protocols.​

  • Digital experience monitoring (DEM): T-Mobile SASE provides comprehensive visibility and performance monitoring across the security architecture through Palo Alto Networks' Prisma SASE integration, enabling organizations to maintain strict security policies while monitoring endpoint protection status. The Security Slice, leveraging Versa technology, delivers dedicated network segmentation with traffic isolation, enabling performance baselines and analytics for applications that require deterministic latency and optimized data flows among devices, edge infrastructure, and cloud resources.​

  • 5G integration and mobile edge computing: T-Mobile SASE leverages Edge Control on 5G-Advanced with distributed user plane functions and network slicing, enabling cellular traffic to exit locally into enterprise MEC environments with ultra-low latency. The architecture supports policy-based traffic steering via on-net interconnects to hyperscaler edge zones from AWS, Azure, and Google Cloud, delivering private-network-like performance while routing local traffic securely without traversing the public internet. 

Opportunities
T-Mobile SASE has room for improvement in a few decision criteria, including:

  • Sovereign SASE/local data processing: The solution leverages the Versa Sovereign SASE architecture, which processes data on T-Mobile's own infrastructure to meet data residency and regulatory requirements, while Edge Control enables organizations to process data within their existing private cloud or on-prem infrastructure for ultra-low-latency applications. However, it maintains service provider control over the SASE infrastructure rather than enabling customers to deploy and operate SASE functions entirely within their own data centers, limiting organizations requiring complete operational independence and direct infrastructure ownership for all security inspection and policy enforcement capabilities.​

  • Self-service portal: T-Mobile SASE integrates with T-Platform, a unified management portal that provides account-level dashboards and reporting across Advanced Network Solutions, Business Internet, IoT devices, security solutions, and wireless connectivity, with visibility into multiple product portfolios. However, it primarily provides basic network management, monitoring, and reporting capabilities rather than granular self-service configuration for SASE security policies, requiring customers to engage T-Mobile specialists via the TFB tech support portal for advanced security rule modifications, threat analytics customization, and operational policy changes.​

  • Generative cybersecurity AI: T-Mobile SASE with Palo Alto Networks incorporates Precision AI's generative capabilities through copilots that use natural language interfaces to simplify the user experience, summarize threat intelligence from controlled datasets, and reduce mean time to resolution for security incidents. However, it provides generative AI primarily for threat intelligence summarization and interface simplification rather than autonomous security policy generation, conversational incident investigation with contextual recommendations, or AI-assisted remediation playbook creation that would enable security teams to query complex threats using natural language and receive automated response strategies. 

Purchase Considerations
T-Mobile SASE operates on a managed service subscription model bundled with T-Mobile Business connectivity services. The solution is offered in two variants: the original Versa-based platform and T-Mobile SASE with Palo Alto Networks, both leveraging T-Mobile's 5G Standalone network infrastructure. Pricing is structured around per-device or per-user licensing, integrated with T-Mobile's wireless plans. Customers must engage T-Mobile Business representatives for customized quotes based on specific organizational requirements, device counts, and security feature selections.​

Key purchase considerations include a deployment architecture that requires T-Mobile 5G connectivity for full functionality, with Security Slice capabilities limited to 5G SA-enabled devices. Migration complexity is reduced through T-SIMsecure's clientless authentication for SIM-equipped devices, though non-T-Mobile devices require software client installation. The Palo Alto Networks variant requires no additional hardware or equipment installations. Organizations should evaluate their existing carrier relationships, device compatibility with T-Mobile's network bands, and geographic coverage requirements, as the solution depends on T-Mobile network integration.

Use Cases
T-Mobile SASE addresses a broad range of use cases, including field services and frontline worker connectivity, government agency network security, IoT device and router protection for endpoints unable to support traditional SASE software, remote workforce access to corporate applications and data, and secure internet connectivity for distributed enterprises. The solution serves organizations requiring hardware-based authentication, mobile employee productivity, protection against cyberthreats, including malware and ransomware, and zero trust network access without client software installation across diverse endpoint types.

Versa: Versa Unified SASE

Solution Overview
Founded in 2012, Versa offers converged networking and security capabilities through services run from its VersaONE Universal SASE Platform. All platform capabilities are integrated in a single-stack software architecture with flexible deployment options. The architecture combines a global SASE fabric of more than 100 PoPs interconnected via an application-aware, high-speed backbone.

Versa Unified SASE is built on the Versa Operating System (VOS), which enables single-pass traffic inspection across all security and networking functions, enhancing performance and enabling unified policy enforcement. Core components include CASB, DLP, FWaaS, IDS/IPS, NGFW, SD-LAN, SD-WAN, SWG, and ZTNA, all delivered natively without acquired or third-party integrations. Key features include AI-powered analytics (VersaAI), application-aware routing, AIOps automation, behavioral anomaly detection, GenAI firewall controls, multitenant isolation, sandboxing/ATP, and a unified data lake for threat intelligence and policy orchestration. Key differentiators include natively developed components on a single OS versus multivendor service chaining, sovereign deployment options enabling on-prem or private cloud operation, sub-100 ms global latency with 99.99% uptime SLA, true multitenancy across control, data, and management planes supporting 256 tenants, and Zero Trust Everywhere principles extending across WAN, branch, and IoT environments.​

Versa takes a general approach to SASE, innovating with emerging features, including AI-powered security enhancements, an enterprise browser, integrated endpoint DLP, MCP Server for AI integration, private and sovereign deployment options, and SASE on SIM and 5G Edge.

Versa is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the SASE Radar chart.

Strengths
Versa Unified SASE scored well on a number of decision criteria, including:

  • Sovereign SASE/local data processing: The solution enables granular data residency control, allowing organizations to define precisely where traffic inspection, policy enforcement, and logging occur within specific jurisdictions. It supports dedicated sovereign deployments in government, private, or sovereign cloud environments, where both the control and data planes are fully contained, ensuring sensitive data remains within defined geopolitical boundaries and minimizing cross-border data movement.​

  • Digital experience monitoring (DEM): Versa Unified SASE provides comprehensive DEM through both passive monitoring of real user traffic and active synthetic testing from multiple vantage points. VersaAI and Versa Advanced Network Insights (VANI) apply machine learning to build dynamic baselines, detect anomalies, and correlate performance metrics across network, security, and application layers, linking experience degradations to specific security events or policy changes for rapid root cause identification.​

  • Self-service portal: The solution delivers a mature, role-based multitenant portal with true separation of control, data, and management planes at the architectural level. This plane-level isolation ensures each tenant operates as a fully independent instance with its own policies, telemetry, and analytics without data leakage, supporting thousands of tenants with comprehensive APIs for zero-touch provisioning and automation-first operations.​

Versa is classified as an Outperformer due to continuous innovation, adding emerging features such as the Enterprise Browser, GenAI Firewall, GraphML endpoint detection, an MCP server for AI integration, and SASE on SIM deployments.

Opportunities
Versa Unified SASE has room for improvement in a few decision criteria, including:

  • Global SLA-backed connectivity: Versa operates a global SASE fabric with more than 100 PoPs strategically colocated near major cloud and SaaS providers, utilizing policy-based routing and application-level SLAs for mission-critical traffic. However, it maintains contractual performance agreements individually with each hyperscaler rather than offering formalized joint multi-party SLA frameworks that provide unified, transparent service-level commitments spanning both Versa infrastructure and partner carrier networks under a single customer-facing guarantee.​

  • Threat intelligence and analytics: Versa Unified SASE combines multisource threat intelligence with VersaAI and VANI engines for behavioral analysis, real-time correlation, and predictive analytics, including coverage of GenAI-driven risks and zero-day threats. However, it currently relies on third-party feeds and collaborative sharing communities rather than operating a proprietary global threat research network with dedicated analyst teams continuously hunting emerging threats and publishing original research.​

  • Generative cybersecurity AI: Versa offers VerboGPT, an intelligent chatbot assistant using natural language processing, AI, and machine learning to answer questions, automate troubleshooting, verify configurations, and execute diagnostic commands. The platform applies generative AI to identify malicious behaviors in real time and enhance operational excellence across security and networking functions. However, it provides primarily operational assistance rather than autonomous security analyst capabilities that independently investigate complex threats, generate incident response playbooks, or conduct deep forensic analysis without human guidance. 

Purchase Considerations
Versa Unified SASE offers flexible consumption models, including user-based, concurrent usage, and bandwidth-based licensing to accommodate diverse organizational needs. Customers can choose from tiered hardware appliances for branch deployments or fully cloud-delivered services, with multitenancy support enabling service providers to serve multiple customers from a single instance. Enterprise agreements can be customized based on deployment scale, feature requirements, and service-level needs, supporting both direct purchase and managed service provider delivery models.

Organizations must evaluate three deployment options: cloud-delivered via shared gateways, private deployment with dedicated infrastructure, or sovereign deployment for air-gapped environments with complete customer control. Migration complexity varies based on existing infrastructure, though zero-touch provisioning and API-driven automation simplify transitions from legacy MPLS and multivendor stacks. Versa supports proof-of-concept deployments across deployment models, with customers reporting successful pilots in defense, financial services, and retail sectors before full rollout. Key considerations include evaluating data residency requirements for sovereign options and understanding multicloud integration capabilities for hybrid environments.

Use Cases
Versa Unified SASE addresses a broad range of use cases, including branch and remote site connectivity, cloud application security, consolidation of security functions, critical infrastructure protection, data protection and compliance, IoT/OT network security, MPLS replacement and network modernization, secure access to private applications, secure collaboration tools, secure internet access, secure remote access, sovereign deployments for regulated industries, threat prevention, and third-party partner access.

Zscaler: Zscaler Zero Trust SASE*

Solution Overview
Founded in 2008, Zscaler provides cloud-based security, specializing in zero trust architecture. In August 2025, Zscaler acquired Red Canary (managed detection and response), and in November 2025 it acquired SPLX (AI asset discovery and governance). In January 2024, Zscaler launched Zero Trust SASE, which operates in more than 150 data centers globally via its Zero Trust Exchange (ZTE) platform.

Zscaler Zero Trust SASE combines the company's AI-powered SSE platform with Zero Trust SD-WAN, leveraging the ZTE platform. The architecture eliminates implicit trust through direct-to-cloud connections, using an adaptive AI engine that continuously assesses risk based on telemetry from 500 trillion daily signals and third-party intelligence. The platform extends zero trust protection beyond users to devices and server traffic, eliminating the need for additional firewalls and edge routers at branches, factories, and warehouses, reducing complexity and cost while enhancing security. Core components include AI-powered IoT device discovery and classification, integrated gateway capabilities, plug-and-play appliances, a zero trust network overlay, and a cloud-based management console for centralized policy management. Capabilities encompass CASB, DLP, FWaaS, SWG, and ZTNA with centralized cloud-based management, granular forwarding policies, and integrated cyberthreat and data protection. Key differentiators include its single-vendor approach, AI-driven security, and elimination of traditional firewalls and VPNs. 

Zscaler takes a general approach to SASE, innovating with AI-powered segmentation, enhanced GenAI protections with prompt visibility, microsegmentation for cloud workloads, and zero trust branch connectivity while integrating acquisitions.

Zscaler is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SASE Radar chart.

Strengths
Zero Trust SASE scored well on a number of decision criteria, including:

  • Threat intelligence and analytics: Zscaler ThreatLabz analyzes 500 trillion daily signals from one of the world's largest security clouds, blocking 9 billion threats per day while integrating more than 40 industry threat intelligence feeds for comprehensive analysis. The platform leverages AI-powered real-time risk assessments and reverse engineering of malware samples to track advanced nation-state actors and cybercrime TTPs, providing extensive telemetry that creates a competitive advantage.​

  • API-driven automation: Zscaler OneAPI provides a unified programming interface with a common endpoint (api.zsapi.net) that encompasses all platform resources, eliminating the need to manage multiple product-specific APIs. The architecture incorporates OAuth 2.0 standards and fine-grained RBAC for API clients, registering them as first-class citizens in ZIdentity, enabling auditable tracking and monthly addition of new automated functions.​

  • Digital experience monitoring (DEM): Zscaler Digital Experience (ZDX) delivers end-to-end visibility (from devices across networks to applications), utilizing AI-powered root-cause analysis that processes multiple signals and machine learning from past experiences. The platform significantly reduces mean time to resolution through automated anomaly detection, incorporates ISP Insights with global network health monitoring, and integrates with ServiceNow via robust APIs.​ 

Opportunities
Zero Trust SASE has room for improvement in a few decision criteria, including:

  • Global SLA-backed connectivity: Zscaler provides 99.999% availability, measured by transactions lost, with proxy latency under 100 ms, operating across redundant global infrastructure with automatic failover and georedundancy across multiple data centers. However, it offers only 99.9% availability for certain services, such as cellular and ZPA Private Service Edge, which permits up to 525 minutes of annual downtime, and SLA guarantees focus on service availability rather than comprehensive network path performance.​

  • Sovereign SASE/local data processing: Zero Trust SASE employs federated architecture with regional policy enforcement nodes, country-based logging for data residency compliance, and geolocalization capabilities that route traffic within geographic boundaries to comply with regulations like GDPR. However, it maintains centralized control-plane components with regional distribution still under exploration, and key management using customer-provided HSMs for regional storage is still in development rather than fully operational.​

  • Built-in self-healing: The solution enables auto-remediation via API-driven workflows that automatically resolve misconfigurations, policy violations, and performance issues, while ZDX Device Remediation allows administrators to run vetted scripts across hundreds of devices simultaneously. However, it requires manual workflow configuration with third-party integration platforms like SIEM or ITSM tools to establish remediation logic and detection criteria rather than providing fully autonomous self-healing capabilities out of the box.​

Purchase Considerations
Zscaler Zero Trust SASE employs subscription-based pricing structured across tiered platform bundles (Essentials, Business, and Transformation) that combine SSE and SD-WAN components. Contracts are available in 12-, 24-, or 36-month terms, with discounts of up to 17% for longer commitments. Pricing scales by user count, with minimum thresholds for specific tiers, such as the Business Edition, which requires more than 500 users. The model includes allocations for browser isolation bandwidth, data retention periods, workload protection, and private access ratios that vary by tier, with higher tiers unlocking advanced capabilities like extended log retention and enhanced DLP.​

Deployment leverages cloud-native delivery with zero-touch provisioning for plug-and-play branch appliances and client connectors for endpoint devices. Migration complexity increases as legacy VPN, firewall, and SD-WAN infrastructure is replaced with Zscaler's unified architecture, requiring careful planning for network redesign. The single-vendor SASE framework simplifies integration but necessitates commitment to Zscaler's proxy-based approach rather than traditional networking models. Organizations should evaluate bandwidth allocations per user tier, verify that minimum user count requirements align with their size, and assess their readiness to eliminate existing security point products during the transition.

Use Cases
Zscaler Zero Trust SASE addresses a broad range of use cases, including branch-office connectivity, cloud application access, data center modernization, factory and warehouse protection, hybrid workforce enablement, IoT/OT device security, remote user access, and workload protection across multicloud environments. The solution replaces legacy VPNs and firewalls while securing inbound and outbound connectivity for distributed locations, providing consistent policy enforcement for users, devices, and applications regardless of location.

6. Analyst’s Outlook

The SASE market has reached a consolidation phase, with enterprises increasingly favoring unified platforms from single vendors over multivendor architectures assembled through APIs and cross-launched consoles. Organizations are prioritizing simpler purchasing processes, tighter policy management, and lower operational costs by integrating advanced networking and cloud security capabilities into cohesive platforms. This shift reflects broader recognition that "stitched-together" solutions introduce integration complexity and visibility gaps that undermine the fundamental promise of SASE. 

Defining Market Trends 

Digital experience monitoring has emerged as a critical capability that distinguishes leading platforms from traditional security-only approaches. Native DEM integration addresses the visibility challenge inherent in SASE architectures, where traditional monitoring tools can’t see into or through SSEs. By unifying insights across network, application, endpoint, and security management domains, integrated DEM enables teams to optimize performance and security in the context of the actual user experience while eliminating the finger-pointing that characterizes multitool troubleshooting.​

AI-driven automation is transforming SASE from a consolidation exercise into an intelligent operational platform. Practical applications include automated policy management that identifies redundant or conflicting security rules before they create gaps; real-time application discovery and risk assessment that adjust policies without manual intervention; and proactive threat detection that adapts to new attack patterns. AIOps integration extends these benefits to complex IT operations, automating issue detection and predictive analytics to reduce mean time to resolution while freeing administrators from routine troubleshooting tasks.​

The most frequently cited business benefits driving adoption of SASE include enhanced visibility into traffic and remote locations, simplified IT operations through platform consolidation, and support for digital transformation initiatives like mergers and acquisitions. Cost optimization remains important, but enterprises increasingly emphasize improved observability and reduced complexity as primary decision factors.

The Buyer Journey

Successful SASE adoption requires a structured evaluation process that addresses technical capabilities, organizational readiness, and long-term strategic alignment. The journey spans awareness of platform options, rigorous evaluation of vendor capabilities, and validation through proof-of-concept deployments.

Critical milestones include:

  • Conducting readiness assessments that document current network and security architecture, identify legacy tool gaps, and clarify cloud adoption posture

  • Evaluating platform architecture coherence, distinguishing natively integrated solutions from vendors that assemble capabilities through acquisitions

  • Defining specific use cases beyond remote access, including IoT/OT security, M&A integration needs, and digital transformation requirements

  • Validating vendor coverage, security service breadth, and support quality through thorough provider evaluation

Critical Success Factors

Rigorous selection criteria must balance technical depth with operational simplicity and business alignment. Avoid the common pitfall of rushing deployment without sufficient planning or selecting providers solely based on feature checklists rather than organizational fit.

Organizations should prioritize:

  • Cloud-native architecture built for scalability and distributed workforces rather than retrofitted legacy infrastructure

  • Unified management capabilities that deliver central policy control and comprehensive network visibility from a single console

  • Security breadth encompassing advanced threat defense, data protection capabilities, and compliance support for relevant regulatory frameworks

  • Transparent pricing models that accommodate growth without unexpected licensing penalties

  • Vendor reputation validated through customer case studies, PoC trials, and a track record of support responsiveness

  • Training and skill development resources to ensure IT teams possess capabilities for effective deployment and ongoing management

  • Regular evaluation processes that monitor system performance and security effectiveness rather than treating SASE as a set-and-forget solution

The Bottom Line

Platform consolidation is accelerating across the SASE market, creating strategic urgency for organizations still operating fragmented multivendor environments. Organizations should begin their evaluation by conducting a thorough readiness assessment, defining clear deployment objectives, and engaging vendors for hands-on PoC validation. The convergence of networking and security into unified cloud-delivered platforms represents a fundamental architectural shift. Organizations should position themselves to capitalize on simplified operations, enhanced visibility, and reduced complexity that define next-generation infrastructure.

7. Methodology

*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.

For more information about our research process for Radar reports, please visit our Methodology.

8. About Ivan McPhee

Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.

An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.

9. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.