

April 13, 2026
GigaOm Radar for Security Service Edge (SSE) v3
Ivan McPhee
1. Executive Summary
Security service edge (SSE) represents a transformative approach to enterprise security that consolidates critical security functions into a unified, cloud-delivered platform. This framework addresses the fundamental challenges organizations face with distributed workforces, cloud adoption, and digital transformation by moving security enforcement closer to users and resources.
SSE combines essential security capabilities, including cloud access security broker (CASB), firewall-as-a-service (FWaaS), secure web gateway (SWG), and zero trust network access (ZTNA) into an integrated solution. This consolidated approach enables consistent enforcement of security policies and threat protection across all access scenarios, regardless of user location or device.
Key Drivers and Evolution
Traditional security architectures are now obsolete due to the normalization of cloud services and hybrid work models. As organizations adopt IaaS and SaaS offerings, their data is increasingly distributed beyond on-prem data centers. Legacy security approaches, anchored to data centers, struggle to effectively protect cloud applications and mobile users.
Core Benefits
SSE delivers several critical advantages:
Reduced complexity through integration of multiple security functions into a single solution
Enhanced security through modern capabilities like CASB and ZTNA
Improved scalability via cloud-based delivery
Better support for remote access and mobility
Lower costs through reduced infrastructure maintenance and quantifiable operational efficiency gains
Implementation and Architecture
SSE enables organizations to perform advanced security inspections closer to endpoints through a cloud-delivered solution. It creates a dynamic security perimeter that provides threat protection, data security, and access control across all connection points, leveraging a global network of points of presence (PoPs) to ensure consistent security policy enforcement and sub-25ms latency.
Market Maturity and SASE Convergence
The SSE market has matured rapidly as organizations have simplified their security infrastructure while strengthening their security posture. Organizations are now implementing full secure access service edge (SASE) architectures that integrate security and networking capabilities into a unified solution. The standalone SSE market has largely disappeared, with leading vendors now offering complete SASE solutions that converge software-defined wide-area network (SD-WAN) and SSE into single-vendor platforms. Organizations increasingly favor this consolidated approach to reduce operational complexity and improve visibility.
Strategic Importance
SSE has become increasingly critical as organizations face the:
Growing sophistication of cyberthreats
Expanding attack surfaces due to distributed workforces
Need for consistent security across hybrid environments
Challenges with traditional VPN-based security
Requirements for improved user experience and reduced latency
Critical need for digital experience monitoring (DEM) to ensure security enforcement doesn't degrade productivity
This evolution represents a fundamental shift from traditional perimeter-based security architectures to a more flexible, cloud-native model that aligns with modern business requirements. As organizations continue their digital transformation journeys, SASE solutions built on SSE foundations deliver mature, proven capabilities for a more robust, adaptable, and efficient security posture that scales with business needs while maintaining comprehensive protection across all access scenarios.
This is our third year evaluating the SSE space. This report builds on our previous analysis and considers how the market has evolved over the last year.
This GigaOm Radar report examines 22 of the top SSE solutions. It compares offerings against the capabilities (table stakes, key features, and emerging features) and nonfunctional requirements (business criteria). It provides an overview of the market, identifies leading SSE offerings, and helps decision-makers evaluate these solutions to make a more informed investment decision.
2. Market Categories and Deployment Types
To help prospective customers find the best fit for their use case and business requirements, we assess how well SSE solutions are designed to serve specific target markets and deployment models (Table 1).
For this report, we recognize the following market segments:
Cloud service provider (CSP): Service providers delivering on-demand, pay-per-use services to customers over the internet, including IaaS, PaaS, and SaaS.
Network service provider (NSP): A service provider that sells network services (network access and bandwidth) and provides entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, ISPs, telecommunications companies, and wireless providers.
Managed service provider (MSP): Service providers delivering application, IT infrastructure, network, and security services and support for businesses on customer premises, in the MSP’s data center (hosting), or in a third-party data center.
Government/public sector: Federal, state/provincial, local government agencies, and public sector organizations responsible for delivering citizen services, maintaining public infrastructure, and enforcing regulatory compliance. These entities typically operate under strict data sovereignty requirements, heightened security mandates, and procurement processes governed by public-sector regulations across on-prem facilities, government cloud environments, and authorized third-party data centers.
Large enterprise: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-prem data center or a colocation facility.
Small-to-medium businesses (SMBs): Small (fewer than 100 employees) to medium-sized businesses (100-999 employees) with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-prem data center or a colocation facility.
In addition, we recognize the following deployment models:
On-prem: Consisting of software, hardware, or services installed, run, and managed on an enterprise’s physical, in-house infrastructure, an on-prem deployment usually resides in a data center or colocation facility. In an on-prem setup, the enterprise is responsible for the system's operation, maintenance, and security.
Private cloud: Used exclusively by one enterprise or organization, private cloud computing resources are physically located in an on-prem data center or hosted by a third-party colocation service provider. Tailored to meet specific requirements, private clouds offer compliance, control, and flexibility.
Public cloud: Owned and operated by a third-party cloud service provider and delivered over the internet, public cloud providers offer cost-effective, scalable, and reliable on-demand resources for enterprises and SaaS vendors.
Hybrid cloud: Enabling data and apps to move seamlessly between two environments, a hybrid cloud combines private, on-prem infrastructure with a public cloud. A hybrid cloud brings compute resources closer to the edge where data resides, reducing latency and increasing reliability while still meeting regulatory compliance and data sovereignty requirements.
Multicloud: Comprising multiple public cloud services performing different functions, a multicloud deployment allows organizations to take advantage of various public cloud capabilities or geographies. Multicloud deployments may include private clouds, resulting in hybrid and multicloud deployments.
Note: SSE platforms are inherently cloud-delivered services accessed through globally distributed PoPs, rather than through enterprise-deployed infrastructure. Organizations increasingly favor public cloud-based SSE architectures, with growing interest in hybrid models that combine public cloud with vendor-owned data centers to address specific compliance and data sovereignty requirements.
Table 1. Vendor Positioning: Target Market and Deployment Model
Table 1 components are evaluated in a binary yes/no manner and do not factor into a vendor’s designation as a Leader, Challenger, or Entrant on the Radar chart (Figure 1).
“Target market” reflects which use cases each solution is recommended for, not simply whether that group can use it. For example, if an SMB could use a solution but doing so would be cost-prohibitive, that solution would be rated “no” for SMBs.
3. Decision Criteria Comparison
All solutions included in this Radar report meet the following table stakes—capabilities widely adopted and well implemented in the sector:
Integrated security functions
Global SLA-backed cloud platform
Cloud-native security services
Identity-based security and access control
Policy orchestration and automation
Centralized security management/policy enforcement
Real-time traffic and file inspection
Tables 2, 3, and 4 summarize how each vendor in this research performs in the areas we consider differentiating and critical in this sector. The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the relevant market space, and gauge the potential impact on the business.
Key features differentiate solutions, highlighting the primary criteria to be considered when evaluating an SSE solution
Emerging features show how well each vendor implements capabilities that are not yet mainstream but are expected to become more widespread and compelling within the next 12 to 18 months
Business criteria provide insight into the non-functional requirements that factor into a purchase decision and determine a solution’s impact on an organization
These decision criteria are summarized below.
Key Features
Agentless secure access: Agentless secure access enables browser-based zero trust connectivity to internal applications without installing endpoint software, delivering cloud-authenticated access through identity verification and policy enforcement. This approach eliminates deployment complexity, reduces IT overhead, and enables immediate secure access for unmanaged devices, contractors, and BYOD scenarios while maintaining stringent security controls.
Cloud browser isolation: Cloud browser isolation executes web content in remote, cloud-hosted containers, ensuring that only safe visual renderings are delivered to user devices. This prevents malicious code, zero-day threats, and data exfiltration from compromising network endpoints while enabling secure browsing without impacting the user experience.
Cloud sandboxing: Cloud sandboxing isolates and safely executes suspicious files, URLs, and code in a virtual environment to detect zero-day threats and malware. By leveraging machine learning and threat intelligence, it identifies malicious behavior before it can impact production systems, ensuring proactive protection against advanced attacks.
Data loss prevention (DLP): DLP safeguards sensitive information across web, cloud, email, and private applications with encryption and access controls. This ensures data security, visibility, and compliance, preventing unauthorized access or exfiltration while enabling organizations to meet regulatory requirements.
Multivector threat protection: Multivector threat prevention uses multilayered defenses, including real-time traffic inspection, machine learning, sandboxing, and threat intelligence, to detect and block known and unknown threats. This proactive approach protects against malware, ransomware, and zero-day attacks, ensuring robust security for users and enterprise systems.
Industry-specific compliance: Industry-specific compliance ensures adherence to regulations such as GDPR, HIPAA, PCI DSS, and SOX by integrating built-in controls, automated reporting, and continuous monitoring. This capability is critical for protecting sensitive data, avoiding regulatory penalties, and maintaining trust across all security services and business operations.
Next-generation deep packet inspection (DPI): DPI examines network traffic from Layer 2 through Layer 7, including encrypted flows, to detect anomalies and accurately classify traffic from the first packet. This enables real-time visibility and unified security policy enforcement, ensuring robust protection against sophisticated threats.
Data security posture management (DSPM): DSPM continuously discovers, classifies, and maps sensitive data across hybrid cloud environments, identifying where critical information resides and who can access it. This capability is essential for preventing data breaches, ensuring regulatory compliance, and maintaining visibility into data exposure risks across distributed multicloud infrastructures.
Table 2. Key Features Comparison
Emerging Features
Generative AI (GenAI) risk management and control: GenAI risk management provides specialized controls for generative AI platforms, preventing sensitive data leakage through large language model (LLM) interactions by inspecting prompts, responses, and file uploads to AI services. This capability is critical as organizations adopt AI tools while maintaining data sovereignty, compliance requirements, and protection against unauthorized exposure of confidential information through employee use of AI.
Nonhuman identity (NHI) management: NHI management discovers, governs, and secures machine identities, including service accounts, API keys, OAuth tokens, automation bots, and AI agents across enterprise environments. This is critical as nonhuman identities now outnumber human users and represent significant attack vectors when credentials are exposed, stolen, or inadequately controlled.
User and entity behavior analytics (UEBA): UEBA uses machine learning to establish baseline activity patterns for users and entities and to detect anomalies that may indicate security threats. This proactive approach identifies compromised credentials, insider threats, and data theft attempts, enabling rapid response to mitigate risks.
Adaptive policy orchestration: Adaptive policy orchestration dynamically adjusts security policies and enforcement actions in real time based on continuous risk scoring, contextual signals, threat intelligence feeds, and behavioral analytics without manual intervention. This automation is essential for responding to rapidly evolving threats while maintaining zero trust principles across dynamic hybrid work environments.
Digital experience monitoring (DEM): End-user interactions with web, cloud, and private applications are tracked and analyzed to assess performance, availability, and user experience. This is now recognized as critical for SSE success, ensuring that security policies do not compromise seamless, high-performance connectivity while enabling proactive issue identification and remediation, maintaining productivity, and optimizing application performance across distributed work environments.
Post-quantum cryptography (PQC) integration: NIST-standardized quantum-resistant encryption algorithms are implemented to protect organizational data against future quantum computing threats that will render current RSA, elliptic‑curve cryptography (ECC), and Diffie-Hellman methods vulnerable. This is critical for long-term data security as "harvest now, decrypt later" attacks enable adversaries to capture encrypted data today for decryption once quantum computers become available.
Autonomous threat response: AI-powered agents independently analyze security events, make decisions, and execute defensive actions at machine speed—including threat isolation, policy modifications, and coordinated response orchestration—without requiring human approval. This capability is critical for combating sophisticated attacks that evolve faster than manual response times can keep pace, reducing breach windows from hours to milliseconds.
SaaS security posture management (SSPM): SaaS tenant configurations, user permissions, sharing policies, OAuth applications, third-party integrations, and compliance settings are continuously monitored via API integrations to detect and remediate misconfigurations that lead to security vulnerabilities. This capability is critical as organizations adopt dozens of SaaS applications with complex permission models, creating configuration drift and shadow IT risks that traditional security tools cannot address.
Table 3. Emerging Features Comparison
Business Criteria
Configurability: The solution must provide granular controls to tailor security policies, access controls, and compliance settings to meet specific organizational needs. This flexibility ensures businesses can tailor protection levels to their unique risk profiles, regulatory requirements, and operational priorities without compromising security or the user experience.
Interoperability: The solution should ensure seamless integration with existing security tools, identity providers, and enterprise systems via standard APIs and protocols. This capability enables bidirectional data exchange for threat intelligence, policy management, and orchestration, fostering a unified and efficient security ecosystem.
Manageability: The solution should offer simplified security operations through intuitive interfaces, automated workflows, and centralized administration. These capabilities reduce complexity, streamline policy management, and enable IT teams to efficiently oversee and enforce security across all integrated services, enhancing both operational efficiency and security effectiveness.
Observability: The solution should deliver comprehensive visibility into security events, user behavior, network traffic, and application access through detailed logs and analytics. Critical observability now includes DEM to track application performance, network latency, and user experience metrics, ensuring security policies do not degrade productivity. This capability enables real-time monitoring, efficient troubleshooting, and proactive security posture assessments, ensuring organizations can detect issues early and maintain a robust security posture.
Performance: An SSE solution should offer low-latency, high-speed security services through a globally distributed cloud architecture with SLA-guaranteed response times. It supports encrypted traffic inspection and high-throughput processing, maintaining seamless user experiences while delivering robust security.
Resilience: The solution should ensure continuous availability of security services through redundant cloud infrastructure, automated failover, and distributed points of presence. This capability provides uninterrupted protection against threats, even during component failures, network disruptions, or regional outages, safeguarding business continuity.
Support: Support for an SSE solution should include 24/7 global technical assistance, dedicated account management, and access to training resources to ensure smooth operations and rapid issue resolution. Transparent communication about service updates, security advisories, and platform roadmaps is essential for maintaining trust and alignment with organizational goals.
Cost transparency: The cost of an SSE solution should be structured around user count, data volume, and selected services, with clear disclosure of any additional expenses for advanced features or support. Transparent pricing helps organizations budget effectively and evaluate TCO relative to their security and operational needs.
Table 4. Business Criteria Comparison
4. GigaOm Radar
The GigaOm Radar plots vendor solutions across a series of concentric rings, with those positioned closer to the center being judged as having the most complete solution. The chart characterizes each vendor on two axes—balancing Maturity versus Innovation and Feature Play versus Platform Play—while providing an arrowhead that projects each solution’s expected evolution over the coming 12 to 18 months.
Figure 1. GigaOm Radar for SSE Solutions
As you can see in Figure 1, Leaders and Outperformers predominantly occupy the platform play hemisphere, spanning both Maturity/Platform Play and Innovation/Platform Play quadrants. This indicates that enterprise SSE deployments require comprehensive capabilities spanning SWG, CASB, ZTNA, firewall, and DLP rather than isolated point solutions.
The complete absence of Leaders in the Feature Play hemisphere, with only one Outperformer, suggests that organizations evaluating SSE solutions may find greater value in vendors offering integrated platform architectures than in those with narrowly focused capabilities. Feature-limited approaches struggle to address the complex security requirements of distributed, hybrid environments.
The distribution between Maturity/Platform Play and Innovation/Platform Play quadrants provides buyers with a framework for aligning vendor selection with organizational priorities. Organizations requiring proven stability, established operational track records, and risk-minimized deployments can consider Maturity/Platform Play solutions that emphasize reliability and enterprise-grade implementations. Organizations seeking competitive differentiation through emerging capabilities such as AI-orchestrated security analytics, advanced automation, hyperscaler integration, and next-generation zero trust architectures may explore Innovation/Platform Play solutions that deliver cutting-edge functionality while maintaining the comprehensive platform scope necessary for full SASE convergence.
Note that Maturity does not exclude Innovation. Instead, it differentiates a vendor that enhances existing capabilities from one that innovates by adding new capabilities. Furthermore, with each vendor focusing on different architectures, technologies, target markets, or use cases, positioning in each quadrant is determined as follows:
Maturity/Platform Play: Vendors in this quadrant offer proven, fully integrated SASE solutions built from the ground up with comprehensive SSE security capabilities (CASB, FWaaS, SWG, ZTNA) and standard baseline features like DLP, Remote Browser Isolation (RBI), sandboxing, and DNS security, along with native or partnered SD-WAN, providing seamless functional and management integration. While these solutions offer the highest level of integration and maturity, they may be less agile in adopting cutting-edge features such as GenAI risk management, PQC, or autonomous threat response than more innovative solutions.
Innovation/Platform Play: Vendors in this quadrant have achieved full SSE platform capabilities and are actively innovating through emerging features such as GenAI risk management, NHI management, PQC integration, autonomous threat response, and advanced SSPM, demonstrating strong innovation potential and a platform vision. These vendors differentiate through cutting-edge capabilities rather than basic platform completeness, though some emerging features may still be maturing.
Innovation/Feature Play: Vendors in this quadrant focus on specific use cases or offer SSE solutions with varying degrees of integration, managed through a common UI, allowing for rapid innovation and specialized functionality. However, organizations increasingly prefer single-vendor consolidated platforms, and the best-of-breed multivendor approach faces significant market headwinds as customers seek integrated solutions. The tradeoff is that these solutions may lack comprehensive platform capabilities and full integration across all security functions.
Maturity/Feature Play: Vendors in this quadrant provide proven networking and security point products managed through a common UI but lack deep functional integration, offering stability and reliability in individual components. Organizations report that stacking multiple tools creates sustainability challenges and visibility gaps, thereby increasing security risks. While these solutions benefit from mature technology, they face significant challenges in delivering the seamless, fully integrated experience the market now demands.
Forward Mover, Fast Mover, or Outperformer classification is based on anticipated execution against the roadmap and vision based on vendor input, and in comparison to industry innovation in general.
When reviewing solutions, it’s important to recognize that there is no single “best” or “worst” offering; each solution has aspects that may make it a better or worse fit for specific customer requirements. Prospective customers should consider their current and future needs when comparing solutions and vendor roadmaps.
INSIDE THE GIGAOM RADAR
To create the GigaOm Radar graphic, key features, emerging features, and business criteria are scored and weighted. Key features and business criteria receive the highest weighting and have the most impact on vendor positioning on the Radar graphic. Emerging features receive a lower weighting and have a lower impact on vendor positioning on the Radar graphic. The resulting chart is a forward-looking perspective on all the vendors in this report, based on their products’ technical capabilities and roadmaps.
Note that the Radar is technology-focused, and business considerations such as vendor market share, customer share, spend, recency or longevity in the market, and so on are not considered in our evaluations. As such, these factors do not impact scoring and positioning on the Radar graphic.
For more information, please visit our Methodology.
5. Solution Insights
Aryaka: Aryaka Unified SASE as a Service
Solution Overview
Founded in 2009, Aryaka provides cloud-first network and security solutions, specializing in SD-WAN and SASE. Aryaka launched Unified SASE as a Service 1.0 in March 2024 (and version 2.0 in November 2025) as an integrated SASE platform that incorporates SSE functionality from its 2021 Secucloud acquisition, which added FWaaS and SWG capabilities.
Aryaka Unified SASE as a Service delivers SSE capabilities through its OnePASS architecture, which performs single-pass traffic inspection across all security functions, including anti‑malware, CASB, DLP, intrusion detection and prevention system (IDPS), next‑generation firewall (NGFW), SWG, and Universal ZTNA powered by Cloudbrink. The solution integrates with third-party cloud security solutions like Palo Alto Prisma Access and Zscaler. Key differentiators include AI-driven observability (AI>Observe) for real-time telemetry, GenAI security (AI>Secure), consistent policy enforcement via Zero Trust WAN with 99.999% availability, and flexible service delivery models (self-managed, co-managed, and fully managed).
Aryaka takes a broad approach to SSE, adding innovative new features such as AI>Observe, AI>Secure, Next-Gen DLP, and Universal ZTNA while incrementally improving fundamental capabilities across antimalware, CASB, IDPS, NGFW, and SWG.
Aryaka is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
Aryaka scored well on a number of decision criteria, including:
Next-generation DPI: Aryaka's OnePASS architecture performs single-pass inspection, examining traffic once while simultaneously applying all security and network policies across the entire SSE stack. The DPI engine automatically identifies over 3,500 applications using first-packet identification, enabling immediate policy enforcement without performance penalties while inspecting traffic from Layer 2 through Layer 7 for comprehensive threat detection and application classification.
GenAI risk management and control: Aryaka's AI>Secure capability secures employee access to public GenAI applications and internal GenAI services through centralized policy enforcement and real-time monitoring. The solution blocks prompt injection, token flooding, malicious code, jailbreaks, and URLs, while enforcing content-safety and sentiment controls through intelligent traffic classification, combined with SWG and CASB capabilities, to provide visibility into AI-related data flows.
Adaptive policy orchestration: Aryaka's OnePASS architecture enforces consistent policies across all SSE functions through distributed enforcement that adapts to user identity, device posture, and network context. The solution integrates with AI>Observe for real-time network observability and analytics, enabling proactive threat monitoring and automated policy enforcement adjustments based on continuous risk assessment across the unified SASE fabric.
Opportunities
Aryaka has room for improvement in a few decision criteria, including:
Agentless secure access: Aryaka Universal ZTNA provides secure access to applications primarily via an agentless model, using the Cloudbrink client for identity verification and device posture enforcement. However, it lacks native, browser-based, agentless access to internal applications, relying on client installation for continuous zero trust verification and requiring forward proxy or proxy auto‑configuration (PAC) file configurations for clientless scenarios.
Cloud browser isolation: Aryaka integrated RBI capabilities through a partnership with Menlo Security rather than developing native isolation technology, routing customer traffic from edge devices to Menlo's Secure Cloud Browser before returning to Aryaka's private network. However, this integration approach creates architectural dependencies on third-party infrastructure and may introduce latency compared to natively embedded isolation solutions within the unified SSE fabric.
Cloud sandboxing: Aryaka antimalware provides signature-based threat detection via deep packet inspection against an extensive malware database, with file-based threat protection via MD5 hash fingerprinting for known threats. However, it lacks dynamic behavioral sandboxing that detonates suspicious files in isolated execution environments to observe malware patterns. For zero-day threats, it relies on static analysis and reputation-based detection rather than on advanced sandbox emulation.
Purchase Considerations
Aryaka Unified SASE as a Service offers two pricing models, Standard and Enterprise Flex, with the latter including Elastic Subscription and Bandwidth Pooling for regional deployments. The consumption-based structure includes three tiers: SD-WAN, Unified SASE, and Advanced Security. These are priced per site and per user rather than by bandwidth allocation. This simplified packaging eliminates upfront sizing requirements and reduces line-item complexity in quotes, providing predictable all-inclusive pricing without hidden costs or overage charges.
Aryaka provides deployment flexibility through global and regional network options with automatic hub selection via the MyAryaka configuration wizard, supporting both hub-and-spoke and spoke-to-spoke topologies. The Interactive Product Experience (IPX) enables virtual proof-of-concept testing within hours without disrupting existing network operations, allowing remote evaluation of specific SSE use cases before deployment. Migration complexity remains moderate as the managed service model reduces operational overhead, though organizations must assess integration with existing SD-WAN infrastructure and coordinate site-by-site rollouts.
Use Cases
Aryaka Unified SASE as a Service addresses a broad range of use cases, including cloud and SaaS application acceleration, GenAI security and shadow AI governance, global WAN consolidation and modernization, hybrid workforce connectivity with secure remote access, multiprotocol label switching (MPLS)-to-SD-WAN migration, multicloud connectivity with direct cloud onramps, secure access to private applications through Universal ZTNA, and zero trust enforcement across distributed enterprise locations.
Barracuda: SecureEdge Access
Solution Overview
Founded in 2003, Barracuda provides cloud-first security solutions, specializing in email, network, data, and application security. In May 2023, Barracuda launched SecureEdge as an integrated SASE platform, with SecureEdge Access SSE functionality (ZTNA, SWG, and FWaaS) included from inception.
SecureEdge Access is a cloud-native SASE platform integrating Azure Virtual WAN and Barracuda CloudGen Firewall for SD-WAN. Core components include DLP, DNS filtering, FWaaS, SWG, and ZTNA, delivered via agent-based and agentless models. Key features include AI-based content inspection, advanced threat protection (ATP) sandboxing, custom encryption protocols, transport layer security (TLS) interception, URL filtering, and extended detection and response (XDR) integration with a 24/7 security operations center (SOC). Differentiators include access from 90% of countries with under 100ms response time, hybrid cloud-on-prem flexibility, MSP-focused unified management, zero-touch deployment, and unlimited bandwidth with per-user pricing.
Barracuda takes a focused approach to SSE, targeting the education, MSP, state, and local markets, while filling feature gaps with DLP and shadow AI discovery capabilities.
Barracuda is positioned as an Entrant and Forward Mover in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
Barracuda scored well on a number of decision criteria, including:
DLP: The solution integrates DLP across agent-based and agentless deployments within the Premium Access tier, incorporating AI-based content inspection for social media uploads and file transfers. It monitors uploads and downloads via Barracuda Advanced Threat Protection and provides visibility into web traffic patterns, keyword searches, and data exfiltration attempts across all client platforms, including Chromebooks.
Multivector threat protection: SecureEdge Access combines ATP sandboxing, intrusion prevention system (IPS), URL filtering, and TLS inspection into a single-pass architecture that analyzes threats across email, network, and web vectors simultaneously. It integrates with Barracuda XDR and 24/7 SOC for automated threat remediation, sharing analysis results across detection layers to identify emerging variants while pre-filtering known threats at lower layers.
Next-generation DPI: The solution performs stateful deep packet inspection on all traffic types using a single-pass architecture that simultaneously applies ATP, IPS, application control, and URL filtering to both clear and encrypted sessions. It decrypts SSL/TLS connections for full inline inspection, detecting advanced threats hidden in encrypted traffic while enforcing minimum TLS versions and cipher suites through dynamic certificate generation.
Opportunities
Barracuda has room for improvement in a few decision criteria, including:
Agentless secure access: The solution provides agentless DNS-based web filtering through DNS Access plans, enabling visibility into web traffic, shadow AI discovery, and enforcement of allowed AI tools across any device or network without installing endpoint software. However, it limits agentless capabilities to DNS filtering only, requiring agent deployment for full SWG, FWaaS, and ZTNA functionality in Internet Access and Premium Access tiers.
Cloud browser isolation: SecureEdge Access implements TLS inspection and inline threat detection via ATP sandboxing, analyzing suspicious content in isolated cloud environments before delivering sanitized data to endpoints. Nevertheless, it lacks dedicated RBI technology, which renders entire browsing sessions in remote sandboxed containers and uses pixel streaming or safe content representation to prevent zero-day malware from reaching client browsers.
Cloud sandboxing: SecureEdge Access integrates ATP sandboxing for web traffic, including TLS, leveraging shared threat intelligence from CloudGen Firewall and SecureEdge sites. However, it does not offer standalone cloud sandboxing: it embeds detonation within inline inspection rather than providing isolated virtualized environments for file detonation.
Barracuda is classified as a Forward Mover due to a slower release cadence, DLP and shadow AI discovery features on the roadmap, limited innovation beyond core SSE functions, and no recent acquisitions that have expanded capabilities.
Purchase Considerations
Barracuda employs simple per-user monthly subscription pricing across four tiers: DNS Access, Internet Access, Premium Access, and Private Access. This includes all-inclusive pricing with no hidden fees, no monthly bandwidth caps, and unlimited bandwidth subject to fair-use policies. A 10-user trial with unlimited functionality enables proof-of-concept (POC) evaluation. Reporting retention varies by tier, ranging from 7 days for DNS Access to 30 days for higher tiers.
SecureEdge Access supports cloud-native SaaS deployments and customer-owned appliance/virtual appliance configurations, with hybrid flexibility. Zero-touch deployment and risk-free hybrid rollout simplify migration from existing VPN infrastructure without requiring replacement of CloudGen Firewall stacks. The solution integrates with Azure Virtual WAN and supports agent-based or agentless models across all platforms, including Chromebooks. Organizations requiring a fully private mode can route ZTNA traffic through on-prem SecureEdge site devices. MSPs benefit from centralized multitenant management.
Use Cases
Barracuda addresses a broad range of use cases, including agent-based secure web access with deeper inspection, a consolidated SSE bundle combining ZTNA, SWG, FWaaS, and DLP, DNS-layer web filtering and reporting, and VPN replacement with ZTNA for private apps. It enables expansion into SASE by extending from user and application security to WAN edge and SD-WAN connectivity using site devices, including Azure Virtual WAN integration. The solution is designed for lean IT teams in the education, MSP, and state and local government markets that require centralized management with zero-touch deployment.
Broadcom: Symantec Network Protection
Solution Overview
Symantec, acquired by Broadcom in 2019 and operating under the Symantec brand, specializes in endpoint protection, DLP, and network security. Following its divestiture of VeloCloud to Arista in June 2025, Broadcom currently offers Symantec Network Protection as a standalone SSE solution that includes SWG, CASB, ZTNA, and DLP.
Symantec Network Protection delivers cloud-native SSE via the Google Cloud Platform (GCP) global infrastructure, providing CASB, DLP, SWG, ZTNA, and web isolation. It integrates with third-party SD-WAN vendors, including Cisco, Netskope, Palo Alto Networks, and Zscaler, through standard IPsec/Generic Routing Encapsulation (GRE) tunnels. Core components include advanced threat detection with sandboxing, full SSL/TLS inspection, cloud firewall capabilities, and RBI. Key features include a single-agent architecture deployed via existing Symantec Endpoint Protection clients, eliminating agent sprawl while enabling web protection, ZTNA, and DLP enforcement. Differentiators include Google Cloud WAN Express Connect, which delivers up to 100 times more bandwidth compared with GRE-based competitors; native integration with Microsoft Purview for inline data classification; and persistent digital rights management (DRM) encryption that extends protection beyond perimeter controls.
Broadcom takes a focused approach to SSE, innovating with architectural performance enhancements such as Express Connect integration with Google Cloud WAN, resulting in bandwidth improvements and a 62% reduction in latency.
Broadcom is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the SSE Radar chart.
Strengths
Broadcom scored well on a number of decision criteria, including:
Cloud browser isolation: Symantec Web Isolation executes browser sessions in disposable containers in the cloud, sending only safe rendering information to endpoints while blocking web-borne threats. The dual-mode isolation technology automatically selects optimal rendering methods for different webpage classes, providing operational failsafe capability while integrating DLP controls and read-only modes for suspicious sites without requiring detection-based technologies.
Multivector threat protection: Broadcom correlates threat intelligence across email, endpoint, network, and web control points through its unified platform, detecting stealthy threats using behavioral analysis, cloud-hosted sandboxing with customizable profiles, and IPS. The multilayer inspection combines emulation and virtualization to capture malicious behavior across mobile and desktop environments, and to coordinate real-time blocking before malware reaches users.
Industry-specific compliance: The solution maintains certifications including FedRAMP, FISMA, GDPR, HIPAA, ISO 27001, PCI DSS, and SOC 2 Type II, supporting regulatory compliance reporting and continuous security assessments. Control Compliance Suite automates procedural compliance monitoring across physical and virtual assets, providing readiness assessments, policy lifecycle management, and technical evidence collection for demonstrating ongoing adherence to data protection regulations.
Opportunities
Broadcom has room for improvement in a few decision criteria, including:
Agentless secure access: The solution provides agentless ZTNA that supports native protocols such as secure shell (SSH) and Remote Desktop Protocol (RDP) through integration with third-party posture assessment tools, including OPSWAT, for continuous device compliance evaluation. However, it relies on external integrations rather than native capabilities, limiting seamless deployment compared to vendors with built-in agentless assessment engines.
DSPM: Broadcom offers cloud security posture management (CSPM) via IaaS Securlets, providing infrastructure control plane visibility and DLP capabilities to monitor data flows across cloud environments. Nevertheless, the solution focuses primarily on traditional DLP and CASB-based data protection rather than the comprehensive automated data discovery, classification, and risk assessment across multicloud datastores that dedicated DSPM tools provide for sensitive data exposure analysis and remediation workflows.
GenAI risk management and control: Symantec Enterprise Cloud provides visibility into GenAI application usage through content-generation category filtering, business-readiness ratings, and DLP controls to prevent data exfiltration in AI conversations. However, the controls focus on blocking unsanctioned AI services and applying policy-based restrictions rather than on granular prompt inspection, contextual response filtering, or AI-specific threat models that address emerging risks such as jailbreaking, model manipulation, or sensitive data embedding in training requests.
Purchase Considerations
Broadcom uses subscription-based licensing with multiyear commitments, typically two to three years. Broadcom bundles SSE components, including CASB, DLP, SWG, and ZTNA, into consolidated packages with pricing based on user or endpoint counts rather than individual module purchases. The pricing structure emphasizes volume-based tiering with limited discounting, and contracts typically include co-termination clauses that align all licenses to a single renewal event. Perpetual licenses are no longer offered.
Migration from existing security solutions requires deploying endpoint agents for full functionality, though agentless browser-based access is available for limited use cases. Broadcom provides structured POC programs with defined success criteria, typically conducted in single-site deployments to limit scope before expansion. Customers should negotiate price protections against annual increases and cross-product discounts when purchasing multiple Broadcom solutions, as well as flexibility to adjust quantities over multiyear terms. Support tiers vary, with smaller organizations often relegated to self-service options.
Use Cases
Broadcom addresses a broad range of use cases, including cloud application visibility and control for sanctioned and unsanctioned services, compliance enforcement through URL filtering and policy management, DLP across endpoints and cloud environments, remote workforce security with ZTNA and VPN replacement, shadow IT discovery and control, threat protection against malicious websites and content, unsafe browser activity mitigation through isolation, and zero trust access to corporate resources in hybrid environments.
Cato Networks: Cato SSE 360
Solution Overview
Founded in 2015, Cato Networks provides a cloud-native SASE platform that converges networking and security into a single global service. Launched in July 2022, Cato SSE 360 is a fully managed SSE solution that operates over a high-performance private backbone. In September 2025, the company acquired Aim Security (AI security).
Cato SSE 360 utilizes Cato’s Single Pass Cloud Engine (SPACE) architecture and integrates with IPsec-enabled third-party SD-WAN solutions or Cato Socket SD-WAN appliances. Core components include CASB, DLP, FWaaS with ATP (IPS and next-generation antimalware), RBI, SWG, and ZTNA, all converged on a global private backbone. Smart DLP features machine learning-based behavioral monitoring for anomaly detection across business applications. Key differentiators include comprehensive visibility and control beyond traditional SSE architectures by securing internet, WAN, and cloud traffic (rather than only web and SaaS traffic), enabling unified optimization and security for all enterprise traffic types within a converged cloud network.
Cato Networks takes a targeted SASE platform approach, innovating beyond traditional SSE boundaries and adding emerging features such as AI security, AI security posture management, endpoint detection and response (EDR), and endpoint protection platform (EPP) while continuously improving its unified platform.
Cato Networks is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
Cato Networks scored well on a number of decision criteria, including:
Agentless secure access: The solution provides browser-based clientless access through its Enterprise Browser Extension, enabling ZTNA for BYOD and unmanaged devices without client installation. Applications are published via a web portal with integrated single sign-on (SSO) and MFA, requiring minimal setup while enforcing granular access policies and protecting against threats through cloud-delivered security.
Multivector threat protection: Cato Networks IPS integrates AI and machine learning models to detect domain generation algorithms, domain squatting, and brand impersonation in real time while autonomously aggregating more than 250 threat intelligence feeds via an AI-based reputation system. Virtual patching capabilities protect against emerging common vulnerabilities and exposures (CVEs) across internet and WAN traffic by inspecting all TLS-encrypted traffic with elastic cloud resources, preventing ransomware delivery, command-and-control communication, and lateral movement.
Next-generation DPI: The Cato Networks proprietary DPI engine performs application-level classification beyond port and protocol analysis, leveraging context-aware features such as app ID, device fingerprint, URL classification, and user authentication within the SPACE architecture. Cloud-native architecture provides unlimited inspection capacity for all traffic, including encrypted TLS, without requiring fine-tuning of signature sets or imposing traffic limitations due to resource constraints.
Cato Networks is classified as an Outperformer due to continuous platform innovation, including AI and machine learning-powered threat detection, Enterprise Browser Extension for agentless ZTNA, and expanding GenAI security capabilities.
Opportunities
Cato Networks has room for improvement in a few decision criteria, including:
Industry-specific compliance: The solution maintains certifications, including ISO 27001, ISO 27018, ISO 27701, PCI DSS v4.0 Level 1, and SOC 1/2/3 attestations, while its DLP incorporates machine learning-powered image classification to detect regulated content, such as medical scans and payment cards, to support HIPAA, GDPR, and PCI DSS requirements. However, it lacks preconfigured compliance templates, industry-specific policy frameworks, and dedicated vertical workflows for healthcare, finance, and government, as offered by some competitors, to accelerate regulatory alignment and audit readiness.
DSPM: Cato Networks DLP provides AI-driven data classification across more than 350 predefined data types, machine learning-powered image classification for sensitive visual content, and LLM-based document categorization to identify tax forms, financial records, and medical documents in network traffic. Nevertheless, it focuses on data in motion rather than providing dedicated DSPM capabilities for discovering, classifying, and continuously monitoring the data security posture across multicloud data stores, SaaS repositories, and unstructured data lakes, with automated risk scoring and remediation workflows.
NHI management: The solution provides API access controls via administrator-generated tokens with IP restrictions and comprehensive audit trails for configuration changes, as well as device-based authentication and authorization for network access. However, it does not offer dedicated NHI management capabilities for discovering, cataloging, rotating, and governing service accounts, API keys, machine identities, certificates, secrets, and workload identities across cloud platforms and applications with behavioral analytics and lifecycle automation.
Purchase Considerations
Cato Networks employs a subscription-based pricing model, with licensing based on per-site aggregated bandwidth and total ZTNA users. Contracts are available in 12-, 24-, and 36-month terms, with transparent, predictable costs. The single-vendor architecture eliminates the need for separate licensing for SWG, CASB, ZTNA, FWaaS, and DLP modules, reducing TCO compared with multiproduct SSE deployments that require individual component licensing and integration.
Cato Networks offers 30-day trial licenses that enable a full evaluation of the solution before deployment. Organizations can deploy Cato SSE 360 as a standalone solution by integrating it with existing third-party IPsec-enabled WAN edge appliances, enabling a gradual SASE migration without requiring immediate infrastructure replacement. Migration complexity is reduced through a cloud-native architecture, eliminating the need to deploy on-prem hardware for remote users and branch offices that connect directly to Cato PoPs. Customers should evaluate bandwidth requirements for each site, as throughput capacity directly affects monthly subscription costs.
Use Cases
Cato Networks addresses a broad range of use cases, including branch office security consolidation, clientless remote access for BYOD scenarios, hybrid and multicloud connectivity, hybrid work environments, incident detection and response through integrated XDR capabilities, MPLS-to-SD-WAN migration with security transformation, optimized global application access, secure direct internet access eliminating appliance-based firewalls, and security consolidation replacing multiple point solutions. Organizations can deploy Cato SSE 360 standalone or as a pathway to full SASE transformation.
Check Point: Check Point SASE
Solution Overview
Founded in 1993, Check Point provides enterprise cybersecurity, specializing in network, cloud, and endpoint security. Check Point SASE (formerly branded as Harmony SASE) launched in 2023 as a full SASE solution following the acquisition of Perimeter 81's SSE offering. The company acquired Veriti (multivendor exposure management) in June 2025, Lakera (AI/LLM security) in November 2025, and Cyata (agentic AI discovery), Cyclops (cyber asset attack surface management, or CAASM), and Rotate (MSP talent) in February 2026.
Check Point SASE delivers converged CASB, DLP, FWaaS, SWG, and ZTNA through a hybrid architecture combining cloud-based security, on-device protections, browser extensions, and dedicated enterprise browser capabilities across more than 85 global PoPs. The solution integrates with Check Point NGFW and SD-WAN appliances to unify policies. Key features include adaptive policy orchestration, autonomous threat response via ThreatCloud AI and Infinity Playblocks, GenAI protection with LLM-based DLP and identity threat detection and response (ITDR), SSPM covering more than 20 SaaS platforms, and threat-emulation sandboxing. Differentiators include direct connectivity bypassing PoPs, full-mesh networking, more than 50 AI-driven threat engines, and sub-10 ms processing latency.
Check Point takes a general platform approach to SSE, innovating with emerging features such as adaptive policy orchestration, autonomous threat response, GenAI protection, and SSPM, while addressing gaps with planned UEBA and browser isolation.
Check Point is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
Check Point scored well on a number of decision criteria, including:
Agentless secure access: The solution enables web portal-based ZTNA, along with RDP (web/native), SSH, and enterprise browser access, without endpoint agents. This comprehensive support for diverse protocols and unmanaged devices exceeds typical SSE offerings, providing flexible zero trust enforcement across access methods.
DLP: Check Point SASE inspects content inline, via browser extensions, SaaS APIs, and GenAI prompts using more than 700 predefined data types, optical character recognition (OCR), and LLM classification. The multichannel DLP with advanced detection prevents sensitive data exfiltration effectively across web, SaaS, and AI interactions.
Multivector threat protection: The solution leverages CloudGuard's more than 50 AI-driven engines, ThreatCloud AI, threat emulation sandboxing, and Infinity Playblocks for inline blocking across network, endpoint, browser, email, and SaaS. Layered defenses deliver continuous multivector protection without performance degradation.
Opportunities
Check Point has room for improvement in a few decision criteria, including:
Next-generation DPI: The solution performs deep packet inspection for HTTP-based protocols, including traffic analysis, application identification, and SSL inspection for encrypted traffic. Nevertheless, it lacks comprehensive protocol coverage beyond HTTP, with DPI support for additional Layer 2 through Layer 7 protocols remaining on the development roadmap rather than currently deployed.
DSPM: Check Point SASE delivers DSPM functionality to discover, classify, and map sensitive data across hybrid cloud environments, with automated misconfiguration remediation and compliance validation. However, it relies on third-party integration with Sentra rather than native platform capabilities, which can introduce operational complexity due to external dependencies and separate licensing considerations.
DEM: Check Point's hybrid architecture with on-device security and direct internet connectivity avoids traffic backhauling, preserving performance and eliminating the 2-10x speed degradation common with cloud-routed SSE. However, dedicated DEM tooling for proactive monitoring of application performance, user experience, and network path analytics remains on the roadmap rather than a currently available native capability.
Purchase Considerations
Check Point employs a per-user licensing model combined with regional considerations, offering tiered packages that align capabilities with organizational scale from SMBs to large enterprises. Physical site connectivity is priced separately, based on bandwidth. The tiered structure allows customers to select appropriate feature sets that match their security requirements. However, organizations must evaluate whether advanced capabilities, such as DSPM, require additional third-party licensing through Sentra integration. Customers should assess total cost across user counts, geographic regions, and potential third-party dependencies before finalizing procurement decisions.
Check Point supports hybrid, multicloud, on-prem (via NGFW appliance integration), private, and public cloud deployments. The solution enables rapid deployment within hours through an intuitive management console, reducing migration complexity. Organizations benefit from 24/7 SLA-backed support with dedicated account managers for technical and security incident response. Customers should verify compatibility with identity providers, evaluate API-driven orchestration capabilities using Terraform, and confirm data residency requirements in Australia and India. Weekly product updates ensure continuous feature enhancements without manual intervention.
Use Cases
Check Point SASE addresses a broad range of use cases, including branch office connectivity, BYOD and unmanaged device security, contractor and third-party access, data leak prevention, GenAI protection, hybrid and remote workforce enablement, internet browsing security, mergers and acquisitions temporary access scenarios, private application access with zero trust policies, SaaS security and discovery, and secure connectivity between cloud environments. The solution supports both agent-based and agentless deployment models to accommodate diverse access requirements.
Cisco: Cisco Secure Access
Solution Overview
Founded in 1984, Cisco provides networking and security solutions, specializing in enterprise networking equipment, cloud computing, and cybersecurity technologies. In October 2023, Cisco launched Cisco Secure Access, a fully managed SSE solution delivered via AWS and Cisco-managed PoPs across all major regions.
Cisco Secure Access is a cloud-delivered SSE solution within Cisco’s broader SASE architecture, integrating with Catalyst SD-WAN, Firepower Threat Defense, and Meraki SD-WAN, as well as third-party SD-WAN vendors such as Cloudflare, Netskope, Palo Alto Networks, Skyhigh, and Zscaler. Core components include CASB, DLP, DNS security, FWaaS (Layer 3, Layer 4, and Layer 7), IPS, RBI, sandboxing, SWG, and ZTNA. Key features include more than 40,000 IPS signatures using SNORT 3 technology, an AI assistant for policy creation, Apple iOS and Samsung Galaxy mobile zero trust access via QUIC/MASQUE protocols, DEM, Cisco Identity Services Engine (ISE) integration with Scalable Group Tags (SGTs) support, resource connectors, and Talos threat intelligence. Differentiators include a 99.999% uptime SLA commitment, a unified Cisco Secure Client, GenAI controls, assurance via Cisco ThousandEyes, centralized policy administration, and a multilayer, defense-in-depth security architecture.
Cisco takes a general platform approach to SSE, incrementally improving existing features while innovating with emerging capabilities, including an AI assistant for policy creation, Layer 7 FWaaS, resource connectors, and IPS integration.
Cisco is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
Cisco scored well on a number of decision criteria, including:
Cloud sandboxing: The solution integrates with Cisco Secure Malware Analytics (formerly Threat Grid) to provide automated static and dynamic malware analysis in cloud and on-prem sandbox environments, generating behavioral indicators and context-rich threat intelligence that feeds into the broader SSE platform. The sandboxing engine employs anti-evasion techniques to detect malware that attempts to identify sandbox environments, ensuring comprehensive analysis while maintaining integration with advanced malware protection and Talos threat feeds.
DLP: Cisco delivers multimodal DLP protection across email, endpoints, SaaS applications (data at rest), and web traffic (data in motion) with unified policy management from a single dashboard. It incorporates AI-powered data classification, customizable templates for industry-specific data types, generative AI guardrails for prompt injection detection, and fail-open/fail-close options for offline endpoint operations.
Industry-specific compliance: The solution maintains certifications for government and regional frameworks, including C5 (Germany), ENS High (Spain), FedRAMP, GovRAMP, ISMAP (Japan), and TX-RAMP, as well as global standards. These region-specific certifications enable deployment in regulated public-sector environments and support compliance with GDPR, HIPAA, and PCI DSS requirements through documented data protection controls.
Opportunities
Cisco Secure Access has room for improvement in a few decision criteria, including:
Agentless secure access: The solution provides clientless browser-based zero trust access through its identity-aware proxy, authenticating users via Security Assertion Markup Language (SAML) and contextual policies to broker granular application access without VPN tunnels. However, it lacks native agentless endpoint posture assessment for unmanaged devices, relying instead on third-party enterprise access integrations to provide these capabilities.
DSPM: Cisco introduced the Observability for Data Security Posture Management module in 2024, offering data discovery and classification across data stores, data access control management, GenAI-powered exfiltration detection, and security risk identification, including unencrypted data and dormant users. Nevertheless, it functions as a separate observability module rather than a fully integrated native DSPM capability within the core SSE platform, which requires additional licensing and may limit seamless data security workflows across the unified security stack.
NHI management: Cisco supports identity-based access control using SAML, Remote Authentication Dial-In User Service (RADIUS), certificates, and ISE integration for ZTNA to private resources. However, it does not provide specialized NHI features, such as automated credential rotation for service accounts, ephemeral token provisioning via SPIFFE, or governance for AI agents and Model Context Protocol (MCP) servers.
Purchase Considerations
Cisco uses per-user subscription licensing with tiered pricing based on user-count bands (50-999, 1,000-4,999, 5,000-9,999, and so on) and term lengths (12, 36, or 60 months). Customers select from Essentials or Advantage packages across Secure Internet Access (SIA), Secure Private Access (SPA), or DNS Defense modules, with dynamic pricing calculated in Cisco Commerce. Support is required: either SWSS Enhanced (default) or SWSS Premium (minimum annual spend of $30,000 USD). Subscriptions auto-renew for 12-month terms unless cancelled 60 days prior.
Customers must purchase a minimum of 50 users per SKU and cannot mix Essentials and Advantage tiers except when combining DNS Defense with SPA. Migration from Cisco Secure Connect requires manual processes and scheduled downtime for reconfiguring policies, tunnels, and applications. A technical POC guide is available for validating SASE use cases in customer environments. Provisioning requires end-customer administrator contact information and takes up to 72 hours after order placement. Each organization is limited to one active subscription managed through change-subscription workflows for mid-term modifications.
Use Cases
Cisco Secure Access addresses a broad range of use cases, including branch office connectivity, firewall optimization for distributed deployments, secure access for hybrid workforces, private application access (cloud and on-prem), remote-location internet security, SaaS application protection, secure internet access, VPN infrastructure replacement via VPNaaS, and ZTNA. The solution supports multi-organization environments with multitenancy and integrates with identity providers, including Azure Entra ID and Okta, to enable dynamic, risk-based access policies.
Cloudflare: Cloudflare One
Solution Overview
Founded in 2009, Cloudflare provides content delivery network (CDN), security, and performance services, specializing in distributed denial-of-service (DDoS) protection, web application firewall (WAF), and SASE solutions. Cloudflare acquired Replicate (an AI platform) in November 2025, and Human Native (an AI data marketplace) and Astro (a web framework) in January 2026. The company launched Cloudflare One, a unified SASE platform with integrated SSE capabilities, in October 2020.
Cloudflare One delivers SSE through a unified SASE architecture running on Cloudflare's global anycast network and integrates with Aruba EdgeConnect, Cisco Catalyst 8000, and VMware VeloCloud SD-WAN platforms. Core components include CASB, DLP, FWaaS (Network Firewall), RBI, SWG (Gateway), and ZTNA (Access) managed through a single control plane. Key features include API-driven and inline CASB scanning, Microsoft Information Protection integration, MASQUE tunnel protocol, and threat intelligence from millions of internet properties. Primary differentiators include converged networking and security delivery, programmable infrastructure via API and Terraform, and performance leveraging Cloudflare's CDN backbone.
Cloudflare takes a general approach to SSE, improving existing features while innovating on emerging ones, including AI prompt protection for GenAI applications, outbound email security with DLP, and enhanced device-client connectivity management.
Cloudflare is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
Cloudflare scored well on a number of decision criteria, including:
Cloud browser isolation: The solution executes browser sessions in isolated containers distributed across more than 330 global data centers using proprietary Network Vector Rendering (NVR) technology that transmits sanitized Skia drawing instructions to client-side WebAssembly rather than pixel streams or document object model (DOM) content. This architecture prevents zero-day exploits and malware from reaching endpoints while maintaining near-native browser performance through low-latency vector rendering that eliminates encoding delays and reduces bandwidth consumption.
Cloud sandboxing: Cloudflare employs real-time sandboxing in its email security solution, which detonates suspicious attachments and analyzes behavioral patterns for malicious payloads, including encrypted files, enabling preemptive campaign identification before distribution. The solution deconstructs archives and compound documents into discrete components, applies machine learning to binary bitmaps for signatureless detection, and performs instant URL crawling combined with computer vision to identify credential harvesters.
Next-generation DPI: Cloudflare Gateway performs TLS decryption and protocol detection across all ports (not just 80/443), enabling HTTP body inspection for DLP pattern matching, AI prompt scanning, and threat detection within encrypted traffic flows. It supports payload logging with customer-managed encryption keys, examines request bodies for patterns of sensitive data, and integrates regional services for geographically constrained decryption processing while maintaining bring-your-own public key infrastructure (BYOPKI) certificate options.
Cloudflare is classified as an Outperformer due to rapid feature velocity delivering AI security capabilities (AI prompt protection, confidence scoring, shadow AI reporting), MASQUE protocol implementation, and post-quantum encryption support.
Opportunities
Cloudflare has room for improvement in a few decision criteria, including:
Agentless secure access: The solution provides clientless access to HTTP/HTTPS applications via browser-based isolation, using resolver policies and remote browser sessions, plus browser-rendered RDP, SSH, and Virtual Network Computing (VNC) connectivity without installing device agents. However, it lacks native protocol support for non-browser applications, including mobile apps and smart TV platforms, which require direct server communication without intermediate browser authentication flows, thereby necessitating device-client deployment or IP-based bypass.
DLP: Cloudflare supports exact data match (EDM), document fingerprinting for .docx and .txt files up to 10 MB with configurable similarity thresholds, AI prompt topic/sentiment detection, and password-protected file blocking. Nevertheless, document fingerprinting is limited to the .docx and .txt formats and does not support OCR. Average response times of 250 ms, with a 90th percentile of 500 ms, reduce the precision of real-time enforcement.
GenAI risk management and control: Cloudflare delivers GenAI security with a unified proxy, including inline DLP scanning for prompt/response data, content moderation guardrails, CASB integrations for ChatGPT, Claude, Copilot, and Gemini misconfigurations, and shadow AI discovery with blocking capabilities. However, it offers fewer governance frameworks than specialized GenAI platforms, focusing primarily on traffic-level controls rather than comprehensive model lifecycle management, organization-wide policy templates, usage-attribution analytics, or automated remediation workflows to address unsanctioned model proliferation.
Purchase Considerations
Cloudflare uses a seat-based subscription model with Free (up to 50 users), Standard, and Enterprise tiers, billed per active user based on authentication events rather than device count. Users consume seats with any Access login or Gateway connection and remain billable until manually removed or automatically expired after configurable inactivity periods (1 to 12 months). Blocking is enforced once seat limits are exceeded. The solution operates exclusively as a cloud-delivered SaaS offering, routing all traffic through Cloudflare's global network, with no on-prem or private cloud deployments.
Migrations benefit from automated configuration export tools, including the Descaler Program for Zscaler customers, which enable policy translation and quick DNS-based switchovers for baseline protection when deploying device clients incrementally. Enterprise buyers should evaluate seat management strategies, including immediate consumption upon authentication, use of API and service tokens to avoid unnecessary seat allocation, and integration requirements with existing SD-WAN vendors (Aruba, Cisco, or VMware, for example) that require compatible infrastructure. The free tier provides functional POC capabilities, with full SSE feature access limited by user count.
Use Cases
Cloudflare One addresses a broad range of use cases, including branch office connectivity, data protection for AI tools (such as blocking sensitive data copying into ChatGPT), distributed workforce security with SWG and RBI protections, email phishing defense, mergers with overlapping IP address spaces, production and staging environment isolation, remote access to private applications, VPN replacement with zero trust authentication, and zero-day threat mitigation through browser isolation. The solution supports hybrid work models with identity-based visibility and device posture enforcement across corporate and personal devices.
Forcepoint: Forcepoint ONE SSE
Solution Overview
Founded in 1994, Forcepoint provides cybersecurity solutions, specializing in data security, cloud security, and threat protection. In March 2022, Forcepoint launched Forcepoint ONE, a data-first SASE platform combining SSE capabilities, including SWG, CASB, ZTNA, RBI, and content disarm and reconstruction (CDR), with FlexEdge Secure SD-WAN. Forcepoint acquired Getvisibility, adding AI-powered DSPM and data detection and response (DDR), in April 2025.
Forcepoint ONE SSE delivers cloud-native SASE, combining CASB, CDR, DLP, RBI, SWG, and ZTNA capabilities through a unified policy engine. The solution integrates with third-party SD-WAN solutions, including FlexEdge, Arista VeloCloud SD-WAN (previously VMware SD-WAN by VeloCloud), and other enterprise networking infrastructure, enabling secure local internet breakout from branch offices. Core differentiators include AI-powered DSPM with proprietary AI Mesh technology for high-accuracy data classification, comprehensive GenAI security with ChatGPT Enterprise Compliance API integration, and Risk-Adaptive Protection that dynamically adjusts controls based on real-time user behavior and risk scoring. The data-first security model enforces consistent DLP policies across endpoints, cloud applications, email, private applications, and web traffic from a single management console.
Forcepoint takes a focused approach to SSE, emphasizing data-centric security, and is innovating to add emerging features, including AI Mesh-powered DSPM, comprehensive GenAI security controls, and Risk-Adaptive Protection.
Forcepoint is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
Forcepoint scored well on a number of decision criteria, including:
DLP: The solution extends enterprise DLP policies from endpoints to CASB, SWG, and ZTNA channels through native integration with Forcepoint Enterprise DLP, providing more than 1,600 out-of-the-box classifiers, data fingerprinting, and unified policy management from a single console. It applies classification-aware policies consistently across cloud applications, websites, and private applications, with advanced content inspection that supports OCR for images and PDFs and persistent file-level protection through integrated DRM controls.
Multivector threat protection: Forcepoint integrates RBI, zero trust CDR, antivirus scanning, malware detonation, and advanced threat intelligence across SWG, CASB, and ZTNA enforcement points. RBI executes web content in remote, sandboxed containers, while CDR sanitizes downloaded documents by removing malicious elements and reconstructing safe versions, thereby protecting against zero-day exploits, drive-by downloads, and data exfiltration across all SSE channels.
GenAI risk management and control: Forcepoint ONE integrates with OpenAI's ChatGPT Enterprise Compliance API and merges CASB, SWG, DSPM, and Enterprise DLP to analyze user queries, inspect AI-generated outputs, and assign risk scores based on information sensitivity. It classifies sensitive data in source repositories feeding AI models and applies dynamic policy enforcement, including blocking, justification requirements, and logging for regulated data, with unified controls across ChatGPT Enterprise, Microsoft Copilot, and Gemini platforms.
Opportunities
Forcepoint has room for improvement in a few decision criteria, including:
Cloud sandboxing: The solution provides cloud-based sandboxing that detonates suspicious files in isolated virtual containers and monitors behavioral indicators, including network calls, system modifications, and evasion techniques, to detect zero-day threats and advanced malware. However, it lacks AI-powered analysis engines, machine-learning-based evasion detection, and integration with multiple third-party sandbox environments that provide deeper threat intelligence correlation and extended verdict enrichment.
Next-generation DPI: Forcepoint delivers FWaaS with comprehensive zero trust enforcement across TCP/UDP traffic and contextual TLS inspection via the Cloud Proxy to detect data leaks and malware. Nevertheless, it does not currently offer next-generation DPI, which remains on the product roadmap for a future release, to enhance traffic visibility and advanced threat detection.
NHI management: Forcepoint inspects nonhuman machine traffic from service accounts, scheduled jobs, update agents, automation bots, and application connectors through Secure Internet Access SWG proxy-layer controls and CASB inline/API-based monitoring for SaaS applications. However, it lacks dedicated NHI management features, including automated service account discovery, credential rotation policies, privilege lifecycle management for machine identities, API key governance, and secrets vault integration that dedicated NHI solutions provide.
Purchase Considerations
Forcepoint ONE SSE utilizes tiered subscription licensing (Essentials, Advanced, Premium) sold on a per-user basis, allowing organizations to start with foundational SWG and CASB capabilities before adding ZTNA and Enterprise DLP modules. The cloud-native AWS-hosted architecture eliminates appliance costs and bandwidth-based charges. However, organizations should budget for professional services to support migration from legacy security infrastructure, policy tuning, and data classification integration. Optional costs include premium support tiers and specialized compliance add-ons for regulated industries.
The solution is cloud-delivered SaaS with API and inline proxy enforcement modes for SaaS, web, and private application access. Migration complexity varies based on existing endpoint DLP deployments, data classification maturity, and integration requirements with Digital Guardian, Clearswift, and Secure Collaboration components across the Fortra portfolio. Organizations should evaluate whether bundling endpoint DLP and classification services increases total costs relative to competitive single-vendor SSE offerings, given that Forcepoint's data-centric model relies on cross-portfolio integrations.
Use Cases
Forcepoint ONE SSE addresses a broad range of use cases, including cloud application performance acceleration, compliance framework violation detection, DLP across CASB, SWG, and ZTNA channels, enterprise DLP policy extension to cloud and web environments, safe usage of potentially contaminated websites and documents, SaaS application security, sensitive data protection across endpoints and cloud services, VPN replacement for private application access, and zero trust security adoption for distributed workforces.
Fortinet: FortiSASE*
Solution Overview
Founded in 2000, Fortinet provides integrated cybersecurity solutions, specializing in network, cloud, and secure access protection. FortiSASE, a single-vendor SASE platform with integrated SSE, was first released in October 2022. Fortinet acquired Perception Point (advanced email and collaboration security) in December 2024 and Suridata (SSPM for SaaS security) in May 2025, both of which enhance FortiSASE’s SaaS and SSE controls.
FortiSASE delivers cloud-native SSE within a unified SASE platform, featuring native SD-WAN capabilities at each of its more than 60 PoPs. These PoPs connect to FortiGate SD-WAN hubs via IPsec VPN overlays and Border Gateway Protocol (BGP) routing, with ADVPN enabling dynamic tunnels. Core SSE components include dual-mode CASB, DLP, DEM, FWaaS, SWG, and universal ZTNA, all powered by FortiGuard AI-driven threat intelligence and managed through FortiOS. The platform supports third-party SD-WAN connectivity and delivers full-stack SSE capabilities at every PoP with a 99.999% uptime SLA. Key differentiators include unified management through a single console and FortiClient agent, consistent security policy enforcement, and centralized data lake architecture.
Fortinet takes a general-purpose platform approach to SSE, innovating to add emerging features such as agentless ZTNA, AI-powered DLP, GenAI protection, network lockdown mode, RBI, and sovereign SASE deployment options.
Fortinet is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
Fortinet scored well on a number of decision criteria, including:
Agentless secure access: The solution delivers agentless secure internet access via PAC-file-based SWG deployment, redirecting HTTP and HTTPS traffic from web browsers via an explicit proxy while enforcing security policies, including application control, IPS inspection, and web filtering. Authentication supports integrations with Active Directory, lightweight directory access protocol (LDAP), RADIUS, and SAML identity providers. Automated proxy configuration can be distributed through Windows Group Policy Objects (GPO) or Microsoft System Center Configuration Manager (SCCM) to simplify browser setup on unmanaged devices.
DLP: Fortinet provides custom dictionaries for credit cards, keywords, regular expressions, and SSNs; exact data-match templates that link to external threat feeds; indexed document fingerprinting; Microsoft Purview Information Protection label classification; and FortiGuard-managed predefined sensors for comprehensive data identification across protocols. Deep inspection with certificate-based decryption enables content analysis of encrypted traffic and supports advanced matching techniques, including contextual analysis, pattern recognition, and logical dictionary combinations, with configurable match counting.
Multivector threat protection: The solution consolidates antimalware, antivirus, application control, DNS filtering, IPS, sandboxing, and web filtering in a unified cloud-based security stack powered by FortiOS at each PoP. FortiGuard AI-powered threat intelligence, delivered by more than 1,200 in-house threat researchers, provides real-time, proprietary updates that enable proactive defense against polymorphic malware, ransomware, and zero-day exploits across all traffic vectors.
Opportunities
Fortinet has room for improvement in a few decision criteria, including:
Industry-specific compliance: The solution achieves SOC 2 Type II certification and supports standard regulatory frameworks, including GDPR, HIPAA, and PCI DSS, through policy enforcement, audit trails, and embedded compliance reporting capabilities. However, it lacks prebuilt, industry-specific compliance templates, policy frameworks, and automated workflows for sectors such as banking, finance, government, and healthcare, requiring organizations to manually configure compliance controls for sector-specific requirements.
DSPM: FortiSASE incorporates SSPM capabilities through the Suridata acquisition, providing continuous monitoring, misconfiguration detection, and risk assessment across SaaS applications, including AI plugin visibility and unauthorized access detection. Nevertheless, it offers SSPM focused on SaaS application security rather than a comprehensive DSPM that discovers, classifies, and monitors sensitive data across all cloud storage, databases, and data repositories, regardless of location or platform.
DEM: The solution integrates with FortiMonitor to deliver end-to-end DEM, covering endpoint monitoring, first- and last-mile network performance, SaaS application visibility for Microsoft 365 and WebEx, and SD-WAN environment monitoring through a single dashboard. However, it requires FortiMonitor as a separately licensed add-on product rather than offering natively embedded DEM capabilities, creating additional procurement complexity and potentially limiting adoption compared to platforms with built-in monitoring.
Purchase Considerations
Fortinet employs user-based subscription licensing across Advanced and Comprehensive tiers, sold in volume bands with decreasing per-user costs at scale. Each subscription includes three device licenses per user, FortiCare Premium support, and four global PoPs by default, with add-on SKUs available for additional bandwidth (100 TB increments), regional PoPs, and sovereign deployment models. Terms span one, three, or five years, with bundled FortiGuard AI-powered security services and optional FortiMonitor DEM licensing purchased separately. Organizations with existing FortiGate SD-WAN can leverage expansion licenses to simplify the migration path.
Customers should conduct multiweek PoC trials to validate traffic routing, policy enforcement, and latency improvements before full deployment, as demonstrated in telecommunications implementations that test browser configurations and user workflows. Migration complexity is reduced through phased rollouts, starting with pilot user groups and gradually expanding as capabilities such as ZTNA, antivirus, and DLP are added in a modular fashion to avoid big-bang transitions. Organizations require discovery workshops to map users, applications, and existing controls, and deployment scripts and rollout checklists to streamline implementation. FortiSASE Sovereign offers separate nonfunctional requirement (NFR) SKUs for evaluation environments, with dedicated orchestrator licenses for testing.
Use Cases
Fortinet addresses a broad range of use cases, including cloud network security, endpoint protection for remote workers, microbranch security with agentless Wi-Fi access point integration, SaaS application visibility and control, secure cloud access with API protection, secure internet access with web filtering and threat prevention, and secure private access via ZTNA for corporate applications. The solution supports hybrid deployments that combine on-prem FortiGate infrastructure with cloud-delivered SSE capabilities, enabling organizations to transition from legacy VPN architectures while maintaining consistent policy enforcement.
Fortra: Fortra SSE
Solution Overview
Founded in 1982, Fortra provides cybersecurity solutions specializing in offensive and defensive security. Fortra acquired Lookout's Cloud Security business (SSE with CASB, ZTNA, and SWG) in May 2025 and Red Macros Factory (offensive security) in November 2025, launching Fortra Secure Service Edge as a standalone, cloud-native solution with integrated DLP and DRM capabilities powered by Fortra DLP.
Fortra SSE delivers unified CASB, DLP, FWaaS, SWG, and ZTNA through a cloud-native, AWS-hosted architecture with separate management and data planes across global PoPs. The solution integrates with Aruba EdgeConnect, VMware SD-WAN, and other network edge solutions for branch connectivity. Key features include agentless browser-based ZTNA, API-first design, classification-aware policies, cloud sandboxing, multitenant isolation, RBI, TLS inspection, and UEBA-driven adaptive access controls. Primary differentiators include native DRM with persistent file-level encryption, deep integration with the Fortra Data Classification Suite for label-driven enforcement, and endpoint-to-cloud DLP coverage spanning Fortra DLP and Email Security portfolio components within a single-vendor, single-proxy architecture.
Fortra takes a focused approach to SSE, emphasizing data-centric protection through classification-aware DLP, native DRM encryption, and adaptive redaction, while innovating with emerging features such as CSPM, DSPM, GenAI risk management, and SSPM.
Fortra is positioned as a Challenger and Forward Mover in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
Fortra scored well on a number of decision criteria, including:
Agentless secure access: The solution delivers browser-based ZTNA via a hardened reverse proxy at global PoPs, evaluating identity, device posture, and risk signals on every request rather than only at login, preventing session drift. The reverse proxy provides protocol-aware controls for HTTP/HTTPS and secure rendering of SSH/RDP within the browser, with inline DLP and native DRM encryption applied to detect sensitive content, watermark files, redact data, or block exfiltration attempts before content leaves the proxy.
Cloud browser isolation: Fortra SSE executes web content and active code in remote sandboxed containers at global PoPs, delivering only safe visual renderings via pixel stream or DOM-mirrored reconstructions to end-user browsers while blocking malicious code from reaching endpoints. Policy-driven adaptive isolation automatically opens risky sites in isolation while allowing trusted sites to render natively, with integrated DLP and native DRM encryption triggering redaction, masking, or blocking of sensitive data uploads and downloads.
DSPM: Fortra continuously discovers, classifies, and maps sensitive data across hybrid and multicloud environments, natively leveraging the Data Classification Suite to enrich findings with persistent labels that reduce false positives and enable classification-aware enforcement across SSE, endpoint DLP, and email gateways. Adaptive Risk Control (ARC) consolidates DSPM posture signals with endpoint, network, and SSE telemetry for unified risk scoring and audit-ready reporting, while automated remediation fixes misconfigurations and applies native DRM encryption with persistent usage controls when sensitive files require external sharing.
Opportunities
Fortra has room for improvement in a few decision criteria, including:
Cloud sandboxing: The solution detonates suspicious files and code in cloud-based virtual containers across distributed PoPs, observing behavioral signals, including evasion techniques, network calls, and system modifications, through multistage analysis. However, it lacks advanced sandbox features, including multiple OS environments for concurrent detonation, extensive malware-family attribution with detailed threat-intelligence correlation, automated threat-hunting workflows, and integration with third-party threat feeds beyond basic verdicts.
Multivector threat protection: Fortra delivers layered protection across web, cloud, email, and endpoint vectors through inline TLS inspection, cloud sandboxing, multiple independent antivirus engines, behavioral analytics via ARC, and endpoint DLP monitoring for risky user actions. Nevertheless, it achieves multivector coverage primarily through portfolio integration with separate Fortra products, such as Fortra DLP and Email Security, rather than through native SSE capabilities, resulting in distributed threat intelligence correlation and potentially fragmented advanced threat detection compared to purpose-built unified platforms.
Industry-specific compliance: The solution provides preconfigured compliance frameworks with automated policy templates for GDPR, HIPAA, PCI DSS, and SOX, featuring built-in compliance dictionaries, classification-driven enforcement, adaptive redaction, and audit-ready reporting consolidated through ARC analytics. However, it delivers generic regulatory controls rather than vertical-specific workflows, lacking purpose-built features for healthcare clinical data handling, financial services transaction monitoring, manufacturing supply chain security, or government-specific compliance frameworks beyond standard regulatory templates.
Fortra is classified as a Forward Mover due to its recent acquisition of the Lookout SSE solution (which still requires integration maturity), its emerging market presence, and a roadmap focused on adding foundational capabilities rather than on market-leading innovation.
Purchase Considerations
Fortra SSE operates on a per-user subscription model with tiered service packages: Essentials, Advanced, and Premium. Organizations can start with foundational capabilities such as CASB and SWG, then add ZTNA and DLP modules as requirements evolve without rearchitecting. Pricing is based on the number of licensed users, the selected feature tier, and optional add-ons, including advanced data protection, enhanced SaaS API coverage, and professional services.
Fortra SSE deploys as a cloud-native SaaS offering on AWS, supported by API-based integrations, a globally distributed cloud proxy, and lightweight connectors for private cloud or on-prem environments. Migration complexity varies based on the existing security architecture. Professional services are available for deployment assistance, policy design optimization, and data classification tuning. Organizations migrating from legacy perimeter-based security or consolidating multiple point solutions should budget for policy mapping, IDP integration, and phased rollout across web, SaaS, and private application access.
Use Cases
Fortra SSE addresses a broad range of use cases, including adaptive access control, classification-driven data protection, cloud application security, compliance enforcement for GDPR, HIPAA, and PCI DSS, DRM-encrypted file sharing, endpoint-to-cloud DLP, OAuth risk management, private application access replacing VPNs, remote workforce protection, SaaS API security, shadow IT discovery, threat detection in cloud apps, TLS inspection for encrypted traffic, VPN replacement with agentless ZTNA, and web threat protection. The solution excels in data-centric scenarios that require persistent encryption, label-aware policies, and unified governance across email, endpoint, network, and web channels.
HPE Aruba Networking: HPE Aruba Networking SSE*
Solution Overview
Founded in 2002 and acquired by Hewlett Packard Enterprise (HPE) in 2015, HPE Aruba Networking specializes in wireless, switching, SD-WAN, and AI-driven operations. In August 2023, HPE launched HPE Aruba Networking SSE following its March 2023 acquisition of Axis Security. HPE acquired Juniper Networks (AI-native campus and data center networking) in July 2025.
HPE Aruba Networking SSE delivers cloud-native security across more than 500 global PoPs on AWS, Azure, and GCP. The solution integrates CASB, DEM, SWG, and ZTNA into a unified single-pane-of-glass interface. It connects with EdgeConnect SD-WAN and third-party SD-WAN solutions via automated IPsec tunnel provisioning through APIs. Key features include agent-based and agentless ZTNA supporting AS400, ICMP, and VoIP protocols, FWaaS, SSL inspection, sandboxing, malware scanning, and DNS filtering. Differentiators include high-availability mesh connectivity with smart routing that dynamically adjusts traffic paths across PoPs for zero-downtime failover, plus an AI-powered SASE copilot delivering actionable security insights.
HPE Aruba Networking takes a general approach to SSE, incrementally improving existing capabilities such as DEM and mesh connectivity while innovating to add emerging features, including an AI-powered SASE copilot and GenAI security controls.
HPE Aruba Networking is positioned as a Challenger and Fast Mover in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
HPE Aruba Networking scored well on a number of decision criteria, including:
Agentless secure access: The solution delivers agentless ZTNA via web browsers, using anycast IP addressing to route requests to the nearest PoP and establish TLS connections with dynamically generated certificates for self-hosted applications via axisapps.io domains or custom CNAME vanity URLs. It provides secure access to all private applications, including AS400, databases, Git, ICMP, Linux/Windows servers, RDP, SSH, and VoIP, without requiring endpoint agents for employees, BYOD users, or third parties.
Next-generation DPI: HPE Aruba Networking SSE performs Layer 7 traffic inspection across its PoP infrastructure, processing all packets through policy engines that validate user sessions, apply granular access controls, and inspect bidirectional traffic between clients and application servers. It executes policy-based inspection during both the request and response phases, performing SSL inspection, replacing URLs for security, and continuously monitoring commands executed, files accessed, and URLs visited across all connection types.
DEM: The solution integrates DEM across all traffic types (internet, private, SaaS) in a single interface, providing hop-by-hop visibility into application performance with both agent-based and agentless monitoring capabilities. The solution monitors device-specific metrics, including battery percentage, DNS configuration, IP address, location, serial number, and temperature, while running synthetic transaction tests to measure application reachability, performance, and responsiveness from an edge perspective.
Opportunities
HPE Aruba Networking has room for improvement in a few decision criteria, including:
Industry-specific compliance: The solution provides predefined dictionaries for GDPR, HIPAA, NIST, and PCI DSS standards, along with SOC 2 Type II certification, enabling DLP policies that detect and block sensitive data patterns across SaaS applications, internet traffic, and private applications. However, it offers general compliance frameworks rather than vertical-specific regulatory templates, industry-tailored risk assessments, or sector-specific data-handling workflows that address the unique requirements of financial services, healthcare, manufacturing, or government environments.
DSPM: HPE Aruba Networking SSE delivers AI-driven data classification, shadow IT discovery through CASB visibility, and DLP capabilities with regex and dictionary matching to identify sensitive data across cloud applications and enforce protection policies. Nevertheless, it lacks dedicated DSPM capabilities, including automated discovery across multicloud data stores, continuous security posture scanning, DSPM risk scoring, data access permission analysis, over-privileged access detection, and data lineage tracking across structured and unstructured repositories.
NHI management: The solution provides authentication via certificate-based mechanisms, identity provider integrations with API access, and device posture assessment for endpoints accessing resources via ZTNA, SWG, and CASB components. However, it lacks specialized NHI capabilities, including automated credential rotation for service accounts, API key lifecycle management, IoT device identity governance, machine identity certificate management, ephemeral token provisioning, and dedicated audit trails for NHI access patterns.
Purchase Considerations
HPE Aruba Networking employs a user-based annual subscription model with three tiers (Foundation, Foundation Plus, and Advanced Plus) based on security feature requirements, volume bands (1-999, 1,000-9,999, or more than 10,000 users), and customer success packages. Site-based bandwidth licensing is available for third-party SD-WAN integration via IPsec tunnels. Organizations can purchase feature add-ons separately from base subscriptions, with flexible consumption options including delayed activation for up to 90 days, license co-termination, mid-cycle tier upgrades, and seamless renewal.
The solution deploys as pure SaaS, with no on-prem infrastructure required, and offers 90-day evaluation licenses for POC testing. Migration from a legacy VPN involves deploying outbound-only SSE connectors that connect to the cloud platform within minutes, eliminating inbound firewall rules. Organizations should note that HPE Aruba Networking periodically reviews usage metrics for license compliance, and access may be disabled at the end of the subscription term if the subscription is not renewed. Integration with EdgeConnect SD-WAN or third-party solutions requires additional planning for a unified SASE architecture.
Use Cases
HPE Aruba Networking SSE addresses a broad range of use cases, including branch office connectivity via SD-WAN integration, BYOD device security, cloud migration protection, hybrid workforce enablement, remote worker access with granular controls, SaaS application security through CASB, third-party and partner access with agentless ZTNA, VPN replacement with zero trust architecture, and web-based threat protection across distributed environments. The platform supports both managed and unmanaged devices, enabling access to private, public cloud, and SaaS applications from any location.
iboss: Zero Trust SSE
Solution Overview
Founded in 2003, iboss provides a cloud-native Zero Trust SASE platform, specializing in SSE security. In May 2024, the company integrated Zero Trust SD-WAN (an optional add-on) with its existing Zero Trust SSE to deliver single-vendor SASE.
iboss Zero Trust SSE operates on a containerized, cloud-native architecture deployed across 100 PoPs spanning 100 countries with multicloud redundancy (AWS, Azure, and GCP). It delivers five core SSE components: AI-powered CASB, DLP, FWaaS, SWG, and ZTNA, all integrated within a single codebase and unified management console. Key features include AI-driven threat detection processing 150 billion daily transactions, continuous adaptive access with per-request NIST 800-207 Zero Trust authorization, unlimited SSL/TLS inspection without performance degradation, behavioral analytics, and shadow AI discovery with dual risk scoring. Key differentiators include an AI-native architecture embedded at the platform level rather than retrofitted, zero trust enforcement extending to every request beyond authentication, a purpose-built, unified solution engineered from inception rather than assembled from acquisitions, and autonomous AI agents that reduce mean time to resolution from 30-40 minutes to 3-5 minutes.
iboss takes a general platform approach to SSE, innovating by adding emerging features, including AI-powered CASB with zero-day app detection, DSPM, GenAI and agentic AI security monitoring, identity threat detection and response (ITDR), SSPM, and autonomous threat response.
iboss is positioned as a Leader and Outperformer in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
iboss scored well on a number of decision criteria, including:
Agentless secure access: The solution delivers browser-based zero trust access to internal applications without installing an endpoint agent, using cloud browser isolation to render risky websites in remote, sandboxed containers. ZTNA access is enabled via browser-based authentication with seamless SSO integration via Azure Entra and Okta, while granular policy controls restrict clipboard access, downloads, and printing based on application sensitivity and user context.
Cloud browser isolation: Zero Trust SSE executes web content and active code in remote appliance containers, streaming only safe bitmap renderings to user browsers while preventing malicious code from reaching endpoints or corporate networks. AI-powered machine learning automatically determines which interactions are safe or risky to balance security with productivity, while integrated ZTNA enforcement maintains continuous MFA, device posture verification, and behavioral monitoring throughout isolated sessions.
Adaptive policy orchestration: The solution implements per-request adaptive orchestration, in which every access decision incorporates current risk scores that reflect behavior, device posture, location anomalies, and threat intelligence, and policies automatically enforce stricter controls when thresholds are exceeded. Machine learning recommends policy adjustments based on usage patterns, compliance requirements, and evolving threats, while autonomous policy adaptation occurs without security team intervention, enabling an immediate response to emerging threats.
iboss is classified as an Outperformer due to continuous delivery with weekly updates and monthly feature releases, the recent launch of AI-powered CASB with zero-day app detection and generative AI security, and an aggressive roadmap.
Opportunities
iboss has room for improvement in a few decision criteria, including:
Industry-specific compliance: The solution provides preconfigured compliance templates for CCPA, FERPA, GDPR, HIPAA, PCI DSS, and SOX with automated policy enforcement across all SSE functions, continuous monitoring dashboards, and audit-ready reporting with detailed incident trails. However, it is actively expanding the depth and breadth of automation across the education, government, healthcare, and manufacturing sectors as part of its roadmap.
Next-generation DPI: Zero Trust SSE performs Layer 2 through Layer 7 traffic analysis, unlimited SSL/TLS inspection, application identification without port-based detection, behavioral pattern recognition for command-and-control communication, protocol anomaly detection for malformed packets, and real-time threat correlation with adaptive inspection policies. Nevertheless, the hybrid inspection model spanning cloud PoPs and locally deployed appliances introduces operational complexity for organizations that prefer a purely cloud-native DPI approach without local infrastructure deployment.
DSPM: iboss delivers continuous discovery across SaaS environments, automated machine-learning classification by sensitivity level, access mapping to identify overly permissive configurations, and risk-based prioritization with automated remediation workflows integrated into CASB and DLP enforcement. Nevertheless, deeper native IaaS, PaaS, and on-prem unification beyond current API-connected hybrid capabilities remains a near-term roadmap item.
Purchase Considerations
iboss offers per-user subscription licensing across three service tiers: Core (essential SSE foundation), Advanced (complete SSE with ZTNA and advanced threat protection), and Complete (enterprise SSE with advanced CASB and full DLP). Optional add-ons include AI-powered CASB, AI-chat monitoring, DLP protection, remote browser isolation, and Zero Trust SD-WAN. The solution features transparent pricing with no bandwidth charges, throughput fees, data transfer costs, or regional surcharges. Volume discounts apply for large deployments with monthly or annual billing options available.
Deployment supports public cloud SaaS, hybrid cloud, multicloud, private cloud, and sovereign cloud configurations with containerized gateways for on-prem processing. Typical deployments are less than four weeks, with professional services available for architecture assessment, accelerated implementation, and policy optimization. Organizations should specify their sovereign deployment needs up front and evaluate add-on requirements early, as capabilities such as browser isolation and SD-WAN require separate licensing. Migration complexity remains low because the cloud-native architecture eliminates hardware dependencies.
Use Cases
iboss addresses a broad range of use cases, including cloud application security with unified DLP and CASB policies, compliance enforcement for healthcare, financial, and government organizations requiring HIPAA and PCI controls, firewall appliance replacement through cloud-delivered FWaaS, GenAI protection with real-time prompt inspection preventing sensitive data leakage, hybrid workforce access with per-request authorization, legacy VPN replacement eliminating network-level access, shadow IT discovery with AI-powered risk scoring, and web gateway consolidation reducing on-prem infrastructure costs.
Kitecyber: Kitecyber SSE
Solution Overview
Founded in 2022, Kitecyber provides endpoint-based SSE protection, specializing in AI-driven threat prevention, combining unified endpoint management (UEM), SWG, Zero Trust Posture Assessment (ZTPA), and DLP through a single agent. The standalone Unified AI Copilot SSE initially launched with UEM and App Shield capabilities, with ZTPA and DLP modules added in 2024.
Kitecyber Unified AI Copilot delivers DLP, SWG, UEM, and ZTPA through a single endpoint agent without third-party SD-WAN integration. Its endpoint-based architecture eliminates traffic hairpinning by processing security locally via a network proxy, complemented by a cloud control plane for management across APAC, EMEA, EU, and North America. Key features include AI-powered data classification, compliance frameworks (GDPR, HIPAA, PCI DSS, and SOX), device posture enforcement, file system monitoring, GenAI risk controls, geofencing, shadow IT discovery, URL filtering, and UEBA. Differentiators include 100% traffic coverage, combined endpoint and network visibility, a minimal footprint (1 to 2% CPU, 200 MB RAM), and a zero-latency architecture.
Kitecyber takes a focused approach to SSE, targeting CSPs, NSPs, MSPs, and SMBs and addressing feature gaps with DLP, GenAI controls, SWG, UEBA, and ZTPA capabilities.
Kitecyber is positioned as an Entrant and Fast Mover in the Innovation/Feature Play quadrant of the SSE Radar chart.
Strengths
Kitecyber scored well on a number of decision criteria, including:
DLP: The endpoint-based architecture monitors both file system operations and network traffic, detecting bypass techniques like file encoding that evade network-only solutions before data reaches transmission. It combines YARA rules and regex pattern matching with GenAI-powered analysis to classify sensitive data across more than 80 categories, achieving sub-1% false-positive rates by leveraging contextual endpoint telemetry unavailable to cloud-based inspection systems.
Industry-specific compliance: Kitecyber SSE accepts regulatory frameworks as configuration input during deployment and automatically enforces corresponding compliance controls with pre-built policy templates for GDPR, HIPAA, PCI DSS, SOX, SEC, FINRA, and SOC 2 requirements. Audit-ready reporting maps security events and data classifications to specific regulatory mandates, while the unified console consolidates compliance visibility across SWG, zero trust access, endpoint DLP, and DSPM functions.
GenAI risk management and control: The solution discovers shadow GenAI applications through endpoint traffic analysis and enforces granular access policies that block, alert, or report usage based on application sanctioning status and device compliance state. File-level monitoring tracks sensitive data transfers to LLM platforms, including copy, paste, upload, and download operations, and applies DLP classification with more than 80 data categories to detect protected information before transmission, while restricting GenAI access to managed endpoints.
Opportunities
Kitecyber has room for improvement in a few decision criteria, including:
Agentless secure access: The solution provides BYOD access on macOS and iOS via managed apps, browsers, and data controls through UEM, enforcing login, download, and network restrictions while retaining data in the customer's cloud. However, it requires managed browser profiles rather than agentless, configuration-free ZTNA, limiting coverage for fully unmanaged devices where profiles cannot be installed. Windows and Android equivalents are currently in development.
Cloud browser isolation: Kitecyber SSE offers a managed browser enforcing login, download, and network access restrictions, keeping organizational data within the customer's cloud provider and preventing unauthorized transfers from browser sessions to unapproved destinations. Nevertheless, it does not execute web content in remote sandboxed containers or stream visual renderings, meaning active web code reaches the endpoint rather than being isolated in cloud-based execution environments.
Cloud sandboxing: The solution scans files on endpoint devices and mounted cloud drives, including Google Drive and OneDrive, using machine learning-based classification and YARA rules to detect malware signatures and identify sensitive data content. However, it does not detonate files in dynamic, isolated cloud containers to observe behavioral patterns. For zero-day threats, it relies on static machine learning-based and signature-based analysis rather than execution-based sandboxing.
Purchase Considerations
Kitecyber employs a per-user-per-month licensing model with module-based pricing, enabling organizations to activate DLP, SWG, UEM, and ZTPA components independently based on requirements. Transparent pricing is published on the company website, with volume discounts available for deployments of 1,000 users or more. Customers receive 24/5 direct support via email, phone, and Slack, with enterprise support packages offering four-hour SLA guarantees for weekend outages. No hidden fees are disclosed in the licensing structure.
The solution requires installing the endpoint agent on all managed devices, creating migration complexity for organizations with unmanaged or BYOD environments that cannot support agent deployment. Cloud-native deployment leverages multiregion control planes across APAC, EMEA, EU, and North America for management functions, while security processing occurs locally on endpoints. Integration capabilities remain limited. Custom scripts are currently required for SIEM, SOAR, and XDR log ingestion, though native connectors are planned. Organizations should note that the platform currently targets CSPs, MSPs, NSPs, and SMBs rather than large enterprises or government sectors.
Use Cases
Kitecyber SSE addresses a broad range of use cases, including device compliance enforcement, endpoint DLP for sensitive data monitoring, GenAI application discovery and risk management, private application access with device posture verification, SaaS application control, shadow IT detection, and web gateway protection. The endpoint-based architecture supports organizations that require unified device management and SSE capabilities, eliminating the need for multiple point solutions for CSPs, MSPs, NSPs, and SMBs.
Menlo Security: Menlo Secure Enterprise Browser
Solution Overview
Founded in 2012, Menlo Security provides cloud-based browser security, specializing in isolation technology to prevent web-borne threats. It launched Menlo Secure Enterprise Browser in February 2024 as a standalone SSE solution with integrated SWG, CASB, ZTNA, and DLP. It acquired Votiro (CDR and DDR file security) in February 2025.
Menlo Secure Enterprise Browser delivers converged SSE capabilities (CASB, DLP, FWaaS, RBI, SWG, and ZTNA) through a cloud-native architecture hosted on AWS and GCP across 30 global data centers. Core components include Adaptive Clientless Rendering (ACR) isolation technology, HEAT Shield AI with Google Gemini integration, Browsing Forensics, Browser Posture Management, CDR, and data security. Key features include more than 300 DLP dictionaries, agentless zero trust application access, AI-powered zero-day phishing detection, last-mile DLP controls, and Policy API automation. The solution is used by Cisco Secure Access for SSE delivery. Key differentiators include an isolation-first architecture, execution of all web content in disposable cloud containers, and patented ACR, which delivers a native browser experience without agents across Chrome, Edge, Firefox, and Safari.
Menlo Security takes a focused approach to SSE, innovating its browser isolation platform with HEAT Shield AI, DDR, and GenAI controls to extend zero trust protection across the workspace.
Menlo Security is positioned as a Challenger and Outperformer in the Innovation/Feature Play quadrant of the SSE Radar chart.
Strengths
Menlo Security scored well on a number of decision criteria, including:
Agentless secure access: The solution delivers zero trust application access through the Menlo Cloud, eliminating client installation, certificate management, and network changes. It renders browser-based and legacy thick applications in isolated cloud containers while enforcing last-mile DLP controls (copy/paste restrictions, download blocks, redaction, watermarking) before content reaches Menlo Secure Storage, supporting BYOD and unmanaged devices without compromising security.
Cloud browser isolation: Menlo Security's patented ACR executes all web content in disposable cloud containers, delivering only safe DOM elements to endpoints while maintaining native browser performance. HEAT Shield AI integrates Google Gemini for real-time DOM inspection, computer-vision-based logo detection, and analysis of password-protected nested files, blocking HTML smuggling, phishing kits, and reverse-proxy attacks without requiring agents or workflow changes.
Multivector threat protection: Menlo Security combines isolation-powered prevention across email, file transfers, SaaS, and web channels with multi-antivirus scanning, cloud sandboxing, and CDR/DDR for password-protected and nested files. Secure Application Access renders business applications in isolated containers, limiting endpoint interaction to keyboard and mouse inputs to prevent lateral movement, while HEAT Shield AI analyzes rendered content for zero-day phishing across all attack vectors.
Menlo Security is classified as an Outperformer due to delivering advanced CDR/DDR file sanitization, inline DDR data masking, Browser Posture Management, GenAI controls with prompt inspection, and HEAT Shield AI integration with Google Gemini.
Opportunities
Menlo Security has room for improvement in a few decision criteria, including:
Industry-specific compliance: The solution addresses PCI DSS, HIPAA, and GDPR requirements through Browser Posture Management with CIS benchmarks, AI Adaptive DLP for PII/PHI masking, CDR, Privileged Remote Access for SSH/RDP in healthcare, and Operational Technology (OT) use cases in energy and manufacturing, backed by FedRAMP Rev.5, ISO 27001, and SOC 2 Type II certifications. However, the solution lacks industry-specific policy templates and automated compliance reporting workflows.
DSPM: Menlo Security's AI Adaptive DLP provides inline data discovery, classification, and real-time sensitive data masking for data in motion and at rest, covering cloud collaboration tools (Box, Filecloud), cloud storage (OneDrive, SharePoint, S3), browser sessions, and email attachments. Nevertheless, it does not currently provide full DSPM capabilities such as cloud infrastructure misconfiguration detection, automated data store risk scoring, or posture dashboards.
GenAI risk management and control: Menlo Security's AI Adaptive DLP scans prompts and training data for PII and intellectual property, File Security blocks prompt injection, and Google Threat Intelligence enables real-time AI-driven intent analysis with identity-based Zero Trust controls that restrict access to approved GenAI models. However, shadow AI discovery relies on list-based blocking, and Menlo Security lacks autonomous LLM monitoring and visibility into AI supply chain risks.
Purchase Considerations
Menlo Secure Enterprise Browser operates on a per-user annual subscription model with volume-based tiering, where per-user costs decrease as the total user count increases. The solution offers three core products (Manage, Protect, and Secure) typically bundled as Secure Enterprise Bundle, with optional add-ons including Browsing Forensics, HEAT Shield AI, and CDR/DDR capabilities. Multiyear subscriptions are available with custom pricing based on requirements. Support tiers include bundled Premium support and optional Platinum support with 15-minute P1 response SLAs. Implementation costs vary based on deployment complexity, use cases, and feature selection.
Deployment options include public cloud SaaS (GCP and AWS), customer-managed private cloud virtual appliances, and hybrid configurations running identical solution software. Migration complexity is reduced with an agentless architecture that requires no client installation, certificate management, or network changes for browser-based access. Organizations that require upfront deployment planning can leverage flexible browser/device support to enable rapid rollout to large user bases. The cloud-native architecture eliminates hardware requirements and enables instant elastic scalability without capacity planning. Professional services are available for implementation, with proxy-chaining capabilities that support a gradual transition from existing SSE solutions.
Use Cases
Menlo Secure Enterprise Browser addresses a broad range of use cases, including BYOD and unmanaged device access, browser-based zero trust application access, email link and attachment isolation, file download sanitization, GenAI interaction monitoring, legacy VPN/VDI replacement, phishing and ransomware prevention, SaaS application security with granular controls, and sensitive data exfiltration prevention through last-mile DLP. The solution enables remote workers to access private and SaaS applications without agents, while protecting against HEAT attacks, HTML smuggling, and zero-day exploits across all browser-based workflows.
Microsoft: Global Secure Access*
Solution Overview
Founded in 1975, Microsoft provides a wide range of technology products and services, specializing in operating systems, productivity software, cloud computing, and gaming. Microsoft launched Global Secure Access in July 2024 as its SSE solution, integrating Microsoft Entra Internet Access and Private Access.
Global Secure Access is a cloud-delivered SSE solution comprising Microsoft Entra Internet Access (SWG) and Microsoft Entra Private Access (ZTNA). Its architecture integrates with third-party SD-WAN providers, including Cisco Catalyst and Versa, for unified SASE deployments. Core SSE capabilities include CASB, DLP, TLS inspection, and web content filtering. Key differentiators include identity-centric security leveraging Entra ID, universal continuous access evaluation (CAE), and unified Conditional Access policies applying device, location, risk, and user context across all internet and private resources.
Microsoft takes a general approach to SSE, innovating by adding emerging features such as strict-enforcement mode, TLS inspection, and universal CAE to its broader Entra offering.
Microsoft is positioned as a Challenger and Fast Mover in the Maturity/Feature Play quadrant of the SSE Radar chart.
Strengths
Microsoft scored well on a number of decision criteria, including:
Industry-specific compliance: The solution maintains FedRAMP High authorization, HIPAA BAA compliance, and certifications spanning Canadian privacy laws, DoD DISA SRG Level 2, GDPR, GxP (FDA 21 CFR Part 11), HDS France, MARS-E, NERC, and PCI DSS Level 1. It inherits compliance from Azure's ISO 27001:2013 certification and adds SSE-specific audits across the financial services, government, healthcare, and retail sectors.
DSPM: Microsoft Purview DSPM integrates natively with Global Secure Access via SSE connectivity to detect sensitive information shared with AI applications via browsers, APIs, add-ins, and other applications, leveraging network data security. The integration enables continuous discovery, classification, and protection of sensitive data across cloud and SaaS environments while monitoring for anomalous usage patterns and unauthorized data exposure.
GenAI risk management and control: The solution enforces prompt policies for GenAI applications through Conditional Access integration, requiring traffic to pass through the Global Secure Access client and linked security profiles with TLS inspection. Microsoft Entra applies authentication strength controls requiring phishing-resistant MFA for GenAI access, while Purview Insider Risk conditions block applications for users with elevated risk scores.
Opportunities
Microsoft has room for improvement in a few decision criteria, including:
Agentless secure access: The solution supports remote network connectivity for branch offices through IPsec tunnels with third-party SD-WAN devices, enabling agentless access to Microsoft 365 traffic without requiring client installation at remote sites. This approach provides network-level security for distributed locations while maintaining centralized policy management through the Azure portal. However, it cannot enforce Conditional Access policies for Microsoft traffic accessed through remote networks without the client, limiting zero trust capabilities and preventing context-aware security decisions based on device compliance, location risk, or user identity.
Cloud browser isolation: Global Secure Access integrates with Microsoft Defender Application Guard to provide hardware-based browser isolation using Hyper-V containerization for untrusted websites accessed through Microsoft Edge, protecting the host system from browser-based exploits and zero-day attacks. Users invoke isolated browsing sessions that run untrusted content in separate virtual machines while trusted sites execute natively on the host operating system. Nevertheless, it lacks native cloud-based RBI comparable to dedicated RBI solutions, and Microsoft deprecated Defender Application Guard in March 2025, leaving organizations dependent on endpoint-based isolation rather than cloud-delivered isolation infrastructure.
Cloud sandboxing: The solution leverages Microsoft Defender's automatic file and URL detonation capabilities within the Defender XDR threat intelligence platform, analyzing suspicious entities asynchronously in isolated environments with results typically available within two hours. Safe Attachments in Defender for Office 365 performs behavioral analysis of email attachments using sandbox detonation to detect zero-day malware and sophisticated threats before delivery. However, it does not provide inline cloud sandboxing for web-based file downloads or URL detonation at the network edge within the SSE traffic flow, requiring organizations to rely on separate Microsoft Defender solutions rather than integrated real-time sandboxing within Global Secure Access.
Purchase Considerations
Global Secure Access operates on a per-user, multitier licensing model. Secure Access Essentials is included with Microsoft 365 E3 and higher plans, while standalone Microsoft Entra Private Access and Internet Access require separate licenses. The Microsoft Entra Suite bundles both capabilities with additional identity governance features. Organizations with existing Entra ID P2 or Microsoft 365 E3/E5 licenses receive discounts typically ranging from 30% to 50%. A free trial lasting 30 to 60 days enables evaluation without initial commitment.
Deployment requires the Global Secure Access client for Windows devices, with a phased rollout recommended to minimize disruption. Organizations can implement coexistence strategies to gradually migrate from existing VPN and security tools rather than requiring immediate replacement. POC deployments require up to seven hours to configure and test core capabilities. Customers should evaluate integration with existing Microsoft investments, including Entra ID, Defender, and Microsoft 365, as the solution's identity-centric approach assumes deep adoption of the Microsoft ecosystem for optimal effectiveness.
Use Cases
Global Secure Access addresses a broad range of use cases, including conditional access enforcement for private applications, hybrid work environments requiring secure access to both cloud and on-prem resources, identity-centric internet threat protection, legacy application modernization with modern authentication, Microsoft 365 traffic security, multicloud access management, remote worker connectivity, SSO implementation across private apps, and VPN replacement with zero trust network access.
Netskope: Netskope One SSE
Solution Overview
Founded in 2012, Netskope provides cloud-native SASE and SSE solutions, specializing in secure access, data protection, and threat prevention. In March 2024, the company rebranded its platform as Netskope One, unifying SSE (CASB, SWG, ZTNA, DLP, and FWaaS) and SD-WAN capabilities. SSE functionality evolved from the original 2013 CASB product through organic development and acquisitions.
Netskope One SSE operates on the NewEdge private security cloud, with a patented Zero Trust Engine that delivers single-pass inspection across ATP, CASB, DLP, FWaaS, RBI, SWG, UEBA, and ZTNA components. The architecture integrates with third-party SD-WAN solutions, including Aryaka, Cisco, Fortinet, HPE Aruba Networking, Palo Alto Networks, and Versa for unified SASE deployments. Key features include AI/ML-based classification with more than 3,000 data identifiers, DEM for proactive user experience management, DSPM for data discovery and posture monitoring, and TrueInstance technology for dynamic detection of cloud app instances. Primary differentiators include a consolidated, single-pass architecture that eliminates latency, a patented Zero Trust Engine that enables granular policy enforcement, and the NewEdge network, spanning more than 120 data centers and delivering 99.999% uptime.
Netskope takes a general platform approach to SSE, incrementally improving existing capabilities while innovating to add emerging features, including advanced DSPM, Cloud Risk Exchange integrations, GenAI security controls, and enhanced UEBA.
Netskope is positioned as a Leader and Outperformer in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
Netskope scored well on a number of decision criteria, including:
Agentless secure access: Netskope One Private Access provides browser-based clientless ZTNA for third-party users, contractors, and BYOD scenarios without requiring agent installation. The solution enforces identity-based access through mandatory IDP integration, supporting web-based applications on ports 80/443 with zero trust controls that prevent overpermissioning and lateral movement while maintaining application-level segmentation.
Cloud browser isolation: Netskope RBI delivers pixel-rendering isolation through Targeted RBI for uncategorized and security-risk categories, and Extended RBI for custom applications with granular policy controls based on Cloud Confidence Level (CCL), application tags, and destination country. DLP and threat protection policies apply to isolated sessions and enable file upload/download controls, read-only access restrictions, clipboard management, and print controls through the unified policy engine.
DLP: Netskope One DLP provides multimodal protection through inline and API-based inspection, covering data in motion and at rest across cloud, email, IaaS, private apps, web, and endpoints. Capabilities include data fingerprinting, EDM, machine learning classifiers, OCR, USB device control, unified policy management, and adaptive remediation actions, including alert, block, encrypt, quarantine, restrict sharing, and Information Rights Management (IRM) protection.
Netskope is classified as an Outperformer due to its continuous innovation, adding DSPM, GenAI controls, SSPM, and UEBA while enhancing AI/ML-powered threat detection and maintaining comprehensive multimode DLP across all access channels.
Opportunities
Netskope One SSE has room for improvement in a few decision criteria, including:
Multivector threat protection: Netskope Threat Protection delivers inline detection through AI/ML classifiers for Portable Executable (PE) files and phishing, multistage sandboxing for more than 30 file types, heuristic analysis with deobfuscation and recursive unpacking for more than 350 types, antivirus engines, IPS for web traffic, and threat intelligence feeds with MITRE ATT&CK mapping. However, it provides limited native integration for endpoint-based threat correlation and lacks unified email threat protection within the SSE solution, requiring separate solutions for comprehensive multivector coverage.
Industry-specific compliance: Netskope One DLP provides more than 40 predefined compliance templates, including AMRA, EC Directive, GDPR, GLBA, HIPAA, PCI-DSS, PHI, PII, PHIPA, PIPEDA, SSN Confidentiality Act, and US FTC Rules, with automated policy enforcement and audit-ready reporting. Nevertheless, it offers fewer vertical-specific frameworks for regulated industries such as energy, manufacturing, and government than competitors with dedicated compliance automation workflows and industry-tailored policy orchestration.
Next-generation DPI: Netskope FWaaS delivers Layer 2, Layer 3, and Layer 7 application-aware filtering for non-web egress traffic, optional IPS and DNS security against tunneling and malicious domains, and DLP for FTP/Telnet traffic via SOCKS5 proxy. However, IPS/IDS capabilities remain optional rather than natively integrated, and full Layer 2 to Layer 7 protocol decoding with behavioral pattern recognition across all traffic types is less comprehensive than dedicated next-generation DPI solutions.
Purchase Considerations
Netskope One SSE uses per-user, per-year (PUPY) licensing, with tiered packages offering feature bundles at the Basic, Premium, and Elite levels. Organizations can select a la carte licensing for specific components, such as CASB API (all apps, five apps, or three apps), Microsoft Teams, or Salesforce inspection, as standalone modules. Additional bandwidth consumption add-ons accommodate unauthenticated machine or guest WiFi traffic beyond allocated data volumes, with separate entitlements required for IPsec/GRE tunnel processing. The model supports both SSE-only and combined SSE Private Access (ZTNA) licensing with equal user counts.
Key purchase considerations include flexible deployment via Netskope Client, Gateways (hardware/virtual), IPsec/GRE tunnels, or reverse proxy for unmanaged devices, supporting seamless VPN migration through Private Access's integrated SD-WAN-like bidirectional connectivity for legacy apps. POCs are streamlined with rapid onboarding and traffic-steering validation, though a full migration from multivendor stacks requires policy harmonization and NewEdge PoP optimization to achieve optimal latency.
Use Cases
Netskope One SSE addresses a broad range of use cases, including cloud application security with instance-aware CASB, data protection through multimode DLP across web and SaaS environments, DEM for performance optimization, GenAI security with prompt inspection and risk scoring, remote worker secure access combining client-based and clientless connectivity, secure internet access with threat prevention and web filtering, secure private access replacing legacy VPN with ZTNA, shadow IT discovery identifying unmanaged applications, threat protection using multilayered defense mechanisms, and vendor consolidation unifying multiple point products into a single platform.
Nord Security: NordLayer
Solution Overview
Founded in 2019 as a subsidiary of Nord Security, NordLayer provides network security for businesses, specializing in ZTNA, SWG, and FWaaS within a SASE/SSE framework. The solution evolved from VPN services, launching Web Protection (SWG) in 2020, expanding ZTNA capabilities through 2021 and 2022, and releasing Cloud Firewall (FWaaS) in 2023.
NordLayer delivers SSE through a cloud-native architecture on third-party infrastructure, with clients and browser extensions connecting via IPsec tunnels to customer SD-WAN solutions. Core components include CASB, DLP, FWaaS, SWG, and ZTNA. Key features include application blocking, device posture security, DNS filtering, Download Protection, identity integrations (Entra ID, Google Workspace, JumpCloud, Okta, and OneLogin), System for Cross-domain Identity Management (SCIM) provisioning, SentinelOne integration, split tunneling, SSO, and Web Protection. Differentiators include proprietary NordLynx protocol (WireGuard-based), PQC (AES-256, ChaCha20), SMB-optimized usability, and toggle-ready deployment.
Nord Security takes a focused approach to SSE, targeting SMBs, filling feature gaps with recent additions such as device posture security, local network access, SentinelOne integration, and failed login detection.
Nord Security is positioned as an Entrant and Forward Mover in the Maturity/Feature Play quadrant of the SSE Radar chart.
Strengths
Nord Security scored well on a number of decision criteria, including:
Industry-specific compliance: NordLayer holds ISO 27001:2022 certification for information security management systems, SOC 2 Type 2 attestation validating operational control effectiveness, and HIPAA compliance validation through independent assessor review confirming alignment with Security Rules. It supports five to six regulatory frameworks (GDPR, HIPAA, ISO 27001, PCI-DSS, SOC 2) via technical controls, including device posture security, SCIM-based policy orchestration, continuous activity monitoring with connection logs and audit trails, failed login detection, and centralized policy enforcement enabling compliance validation.
Opportunities
Nord Security has room for improvement in a few decision criteria, including:
Cloud browser isolation: The solution provides browser-based security through browser extensions and the NordLayer browser, which enforces policies for data transfer, shadow IT monitoring, and SaaS application controls with local execution on endpoints. However, it lacks remote browser isolation, which runs web content in the cloud, preventing direct endpoint exposure to potentially malicious websites and providing pixel-streaming protection against zero-day browser exploits.
Cloud sandboxing: NordLayer implements Download Protection, which performs real-time file inspection to detect and block malicious downloads before they reach endpoints, and combines it with DNS filtering and Web Protection for content-based threat prevention. Nevertheless, it lacks cloud sandboxing infrastructure to detonate suspicious files in isolated environments, analyze unknown file behavior, and provide forensic intelligence on advanced malware techniques before permitting downloads.
Next-generation DPI: The solution employs Download Protection to inspect files during transfer and enforces traffic policies through application blocking, DNS filtering, and FWaaS capabilities to control network flows according to administrative rules. However, it lacks next-generation DPI functionality, including protocol-aware traffic analysis, encrypted traffic inspection, application-layer threat detection, and behavioral analysis across all network protocols, beyond file- and DNS-level controls.
Nord Security is classified as a Forward Mover due to an ad hoc release cadence, a roadmap focused on foundational capabilities, and the absence of emerging features such as GenAI controls, SSPM, and UEBA.
Purchase Considerations
Nord Security employs tier-based licensing structured around user and dedicated IP licenses, with optional add-ons for enhanced functionality. The solution can be purchased standalone or as part of the Nord Security portfolio, including NordPass and NordStellar. Customers should note that certain integrations require additional infrastructure investments beyond NordLayer licensing, including Entra ID plans for SCIM provisioning, IPsec-capable routers with static public IP addresses for site-to-site tunnels, and appropriate identity provider subscriptions. NordLayer maintains transparent pricing without hidden platform fees.
Deployment supports hybrid, multicloud, on-prem, private cloud, and public cloud environments via client installation, browser extensions, IP allowlisting, and site-to-site IPsec tunnels. Migration complexity remains minimal due to a toggle-ready architecture and a simplified control panel designed for nontechnical administrators. Organizations receive 24/7 support via live chat, email, and scheduled technical engineer sessions, though no default SLA is in place. Customers should evaluate timing for the upcoming NordLayer browser release and SIEM integration capabilities when planning deployments.
Use Cases
NordLayer addresses a broad range of use cases, including geo-specific content access, secure remote and hybrid work environments, threat prevention, and ZTNA. The solution targets organizations that require simplified SSE deployment without extensive technical expertise, particularly SMBs across consulting, gaming, healthcare, IaaS, innovation, SaaS, and tech/IT industries. The solution provides secure access to hybrid, multicloud, on-prem, private cloud, and public cloud resources through centralized policy management and a toggle-ready architecture.
Palo Alto Networks: Prisma Access
Solution Overview
Founded in 2005, Palo Alto Networks provides cybersecurity solutions, specializing in next-generation firewalls, cloud security, and network protection. Launched in 2019 as part of its Prisma SASE platform, Prisma Access integrates SSE functionality (SWG, CASB, and ZTNA). Palo Alto Networks acquired Chronosphere (observability) and CyberArk (identity security) in January 2026.
Prisma Access delivers cloud-native SSE through Security Processing Nodes (MU-SPNs, RN-SPNs) and Service Connection Corporate Access Nodes (SC-CANs), managed by Strata Cloud Manager. It integrates with Arista VeloCloud, Aryaka, Cisco Catalyst, Cisco Meraki, Citrix, HPE Aruba EdgeConnect, Nuage Networks, and Riverbed SteelConnect SD-WANs via IPsec tunnels. Core components include CASB, DLP, SWG, and ZTNA. Key features include AI Access Security, App-ID, Device-ID, Precision AI-powered threat prevention, Prisma Browser isolation, User-ID, and ZTNA 2.0. Differentiators include GenAI-specific security controls, enterprise browser integration, and LLM-powered data classification across more than 300 categories.
Palo Alto Networks takes a general platform approach to SSE, innovating by adding emerging features, including AI Access Security for GenAI protection, enterprise browser isolation, IPv6 support, and ZTNA 2.0 capabilities.
Palo Alto Networks is positioned as a Leader and Fast Mover in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
Palo Alto Networks scored well on a number of decision criteria, including:
Multivector threat protection: The solution integrates inline machine learning across advanced threat prevention, advanced DNS security, advanced URL filtering, and WildFire analysis engines to detect threats in real time across SSL, HTTP, DNS queries, and unknown TCP/UDP protocols. It identifies malicious command-and-control communications, phishing attacks, JavaScript exploits, and sandbox-evading malware through complementary analysis techniques, including bare-metal hypervisor analysis and automated, real-time categorization.
Industry-specific compliance: Prisma Access holds FedRAMP High Authorization, Impact Level 5 Provisional Authorization, TIC 3.0 compliance validation, FIPS 140-2 cryptographic certification, and StateRAMP High certifications specifically for US federal, state, and local government, and defense agencies. These certifications enable deployment in environments that handle controlled unclassified information, law enforcement data, emergency services systems, and healthcare records, all of which require the most stringent security controls.
Next-generation DPI: App-ID employs application signatures, SSL/TLS decryption, protocol decoding, and heuristic analysis to identify applications attempting to evade detection through port hopping, protocol masquerading, or encryption. The technology provides granular control over application functions, enabling policies that permit specific Microsoft 365 accounts or allow Slack messaging while blocking file transfers, and categorizes unknown traffic for explicit policy enforcement.
Opportunities
Palo Alto Networks has room for improvement in a few decision criteria, including:
Agentless secure access: The solution provides Clientless VPN via SSL-enabled web browsers to access web-based enterprise applications, and a ZTNA Connector for automated secure tunnels to private applications without manual IPsec configuration. The solution supports identity-based ZTNA in both client-based and clientless forms, enabling access to applications regardless of location. However, it requires deploying the GlobalProtect agent to enable comprehensive ZTNA 2.0 functionality, including continuous trust verification, HIP-based policies, and full application access across all ports and protocols, thereby limiting truly agentless scenarios to basic web application access.
Cloud browser isolation: Prisma Access offers RBI, with infrastructure settings that define session behavior, isolation profiles that control browser actions during isolated sessions, and agent split tunneling to enable direct endpoint connections and improve the user experience. It integrates with GlobalProtect, Explicit Proxy, and Remote Network Connection methods and requires traffic decryption to inspect traffic against isolation policies. Nevertheless, it requires a separate license purchase and activation beyond the base Prisma Access subscription, adding procurement complexity and cost for organizations that require browser isolation as part of their SSE deployment.
SSPM: The solution includes SSPM via OAuth 2.0 integration with sanctioned SaaS applications, along with continuous scanning of configuration settings against predefined rules to detect misconfigurations and security posture violations. It provides automated scanning, app owner notifications, and security configuration reporting through Strata Cloud Manager. However, it requires the CASB-X cross-platform bundle or a CASB add-on license that includes Enterprise DLP, SaaS Security API, SaaS Security Inline, and SSPM components, rather than being included in the core SSE offering.
Purchase Considerations
Palo Alto Networks employs a modular licensing model with three editions: Enterprise (all applications), Secure Web Gateway (internet traffic), and ZTNA (private applications). Mobile users are licensed per tracked user for 30 days, while remote networks use Mbps-based licensing. Mandatory components include Strata Cloud Manager (Essentials is free, Pro is paid) and Strata Logging Service. Additional capabilities require separate licenses, including the CASB-X bundle (SSPM, Enterprise DLP, SaaS Security API/Inline), RBI, Autonomous Digital Experience Management (ADEM), and IoT Security, which increase total cost beyond the base SSE functionality.
Organizations can evaluate Prisma Access through POC testing before deployment. Customers choose between Strata Cloud Manager and Panorama management platforms, with deployment complexity depending on network topology and routing requirements. Migration planning should account for GlobalProtect agent deployment requirements to enable full ZTNA capabilities and for distributing SSL decryption certificates across endpoints. Advanced deployments require a thorough understanding of organizational infrastructure, particularly in hybrid architectures that integrate third-party SD-WAN solutions. License enforcement allows a 15-day grace period after expiration before service shutdown.
Use Cases
Prisma Access addresses a broad range of use cases, including branch office connectivity, cloud and data center application access, hybrid workforce security, privileged access management, remote user secure access, SaaS application protection, and unmanaged device/BYOD scenarios. The solution provides consistent security policies across headquarters, branch offices, mobile users, and remote locations globally, delivering ZTNA, web security, and application protection regardless of user location or device type.
Skyhigh Security: Skyhigh Security Service Edge (SSE)
Solution Overview
Founded in 2011 as Skyhigh Networks, Skyhigh Security provides cloud-native security services, specializing in SSE solutions. Skyhigh SSE operates as a standalone converged platform—not full SASE—integrating SWG, CASB, ZTNA, DLP, and RBI with unified policy management.
Skyhigh Security SSE operates on a cloud-native, API-driven architecture built from the ground up with 120 global PoPs delivering sub-50 ms latency. Core components include CASB, DLP, DSPM, FWaaS, RBI, SWG, and ZTNA unified through a single policy engine. Key features include AI/ML-based threat detection, continuous identity verification, inline TLS inspection, automated compliance templates (GDPR, HIPAA, PCI DSS), and agentless, browser-based access. Differentiators include data-first, contextual, zero trust architecture, unified DLP across all vectors with single-pass inspection that eliminates policy sprawl, native DSPM-DLP integration, and true hybrid deployment flexibility that supports air-gapped and regulated environments.
Skyhigh Security takes a data-centric approach to SSE, innovating by adding emerging features such as AI-powered false-positive detection, DSPM Data Explorer, GenAI governance, machine learning-driven auto-classification, and webpage watermarking.
Skyhigh Security is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
Skyhigh Security scored well on a number of decision criteria, including:
Cloud browser isolation: The solution executes web content in remote, sandboxed containers and streams only safe visual renderings to endpoints, preventing malicious code and zero-day exploits from reaching user devices. It includes integrated data leakage prevention through print disablement and webpage watermarking, which displays user credentials across viewed content to enforce accountability and enable tracking.
Multivector threat protection: Skyhigh Security SSE combines emulation-based antimalware, remote browser isolation, and behavior-based machine learning models to defend against threats across web, cloud, and email attack surfaces. It supports multilayered sandbox and antivirus engine integration, including third-party solutions like Trellix IVX, enabling comprehensive threat analysis and detection before malicious content reaches production environments.
DSPM: The solution natively integrates DSPM with DLP through a centralized Data Explorer dashboard that continuously discovers, classifies, and maps sensitive data across hybrid cloud environments using machine learning-driven automatic classification. It combines DSPM, DLP, CASB, and SSPM for unified data discovery, access governance, misconfiguration identification, and inline protection enforcement across all enterprise data stores.
Opportunities
Skyhigh Security has room for improvement in a few decision criteria, including:
Agentless secure access: The solution provides browser-based zero trust access to web, cloud, and private applications without requiring endpoint agent installation, simplifying deployment for distributed workforces, contractors, and third-party users. However, it lacks comprehensive device posture assessment capabilities and the advanced security controls available in agent-based approaches, limiting visibility into endpoint compliance and real-time verification of security status for unmanaged devices.
Industry-specific compliance: Skyhigh Security SSE holds FedRAMP High for CASB and SWG, IRAP Protected (Australia), and supports DORA and DPDPA, with sector-specific classifications covering CUSIP, DEA, ITAR, and SOX, and automated policy mapping for CIS Benchmarks and NIST 800-53. Nevertheless, the planned roadmap expansion of preconfigured templates and automated workflows indicates compliance attestation depth across all mandates has not yet reached full competitive parity.
Next-generation DPI: The solution inspects network traffic across Layer 2 through Layer 7, including encrypted flows, and performs protocol decoding, anomaly detection, and policy enforcement for all traffic types. However, it demonstrates limited advanced behavioral pattern recognition capabilities, lacks comprehensive application-identification granularity beyond basic protocol analysis, and provides only basic traffic classification without sophisticated machine learning-based traffic profiling for emerging applications.
Purchase Considerations
Skyhigh Security employs tiered, user-based licensing, with costs determined by active user count and processed data volume. It offers feature-based pricing, enabling customers to select base components (CASB, SWG) and expand with advanced add-ons, including AI-powered analytics and data protection modules. A unique customer-controlled pricing model allows organizations to manage costs by directing traffic to cloud or on-prem infrastructure for security inspection. Multiyear contracts provide discounts, and all fees, including optional professional services and support tiers, are disclosed up front with transparent cost structures.
Key purchase considerations include deployment flexibility across cloud-delivered, hybrid, on-prem, private cloud, and FedRAMP High-certified environments. Organizations should evaluate whether hybrid architectures are needed to support air-gapped or regulated environments that require on-prem components. The solution supports agentless browser-based deployment for contractors and third parties alongside traditional agent-based approaches. Customers benefit from 24/7 global technical support with SLA-backed incident response, comprehensive knowledge portals, and optional deployment assistance packages. The solution delivers twice-quarterly product updates with monthly minor enhancements.
Use Cases
Skyhigh Security SSE addresses a broad range of use cases, including compliance enforcement of industry regulations through preconfigured GDPR, HIPAA, and PCI DSS templates. It also supports data discovery, access governance, and monitoring across cloud environments, malware and zero-day threat prevention through inline machine learning-based detection, real-time traffic inspection and DLP enforcement across encrypted and unencrypted sessions, secure internet access for enterprises using continuous zero trust evaluation, secure zero trust remote workforce access to internet and private applications, and sensitive data protection across web, SaaS, and private application environments.
SonicWall: Cloud Secure Edge
Solution Overview
Founded in 1991, SonicWall provides network security solutions, specializing in firewalls, VPN, and cybersecurity for SMBs and enterprises. In July 2024, SonicWall launched Cloud Secure Edge as part of its SASE platform, integrating SSE capabilities (ZTNA, SWG, and CASB) following its January 2024 acquisition of Banyan Security.
SonicWall Cloud Secure Edge operates on a device-centric SSE architecture leveraging GCP infrastructure across more than 25 global regions. Core components include Access Tier (identity-aware proxy), Cloud Command Center (SaaS management console), Connector (dial-out secure tunnel component), and Global Edge Network. It delivers integrated CASB, SWG, VPNaaS (using WireGuard protocol), and ZTNA capabilities with continuous device Trust Scoring, least-privilege access controls, and built-in two-factor authentication. Key differentiators include device-centric enforcement that secures data at the endpoint rather than backhauling traffic through cloud gateways, clientless access options via browser extensions or device certificates, and native integration with SonicWall Next-Generation Firewalls (Gen7+) that serve as CSE Connectors for private application access.
SonicWall takes a focused approach to SSE, targeting MSPs and distributed workforces via device-centric ZTNA, incrementally improving existing CASB and SWG capabilities, and adding emerging GenAI governance controls for sensitive data protection.
SonicWall is positioned as a Challenger and Fast Mover in the Maturity/Platform Play quadrant of the SSE Radar chart.
Strengths
SonicWall scored well on a number of decision criteria, including:
Agentless secure access: The solution provides clientless access via a Chrome browser extension, enabling users to reach internal websites, infrastructure, and SaaS applications without installing desktop agents. The extension uses Mutually Authenticated TLS flows with the OpenID Connect protocol and JSON Web Tokens for transparent authentication, and performs device posture checks via Mobile Device Management (MDM) certificate verification to ensure only known devices can access protected resources.
Cloud sandboxing: Cloud Secure Edge integrates with SonicWall Capture Advanced Threat Protection, a cloud-based multiengine sandbox that employs hypervisor-level analysis, full-system emulation, virtualization, and Real-Time Deep Memory Inspection to detect unknown threats. The sandboxing service analyzes suspicious files using multiple detection methods, including behavioral analysis, AI, and machine learning to identify zero-day attacks and ransomware before they reach endpoints or production environments.
Adaptive policy orchestration: The solution implements dynamic Trust Scoring that continuously evaluates device signals, including auto-update status, OS version, disk encryption, firewall state, and security agent presence against administrator-defined Trust Factors. The solution automatically calculates Trust Levels by aggregating Trust Effect settings. It dynamically adjusts access privileges as device posture degrades, without requiring manual policy updates, ensuring enforcement adapts in real time to changing security conditions.
Opportunities
SonicWall has room for improvement in a few decision criteria, including:
DLP: The solution delivers DLP capabilities integrated with CASB and SWG, providing inline content inspection to detect sensitive data exfiltration across web and SaaS applications through pattern matching. However, it lacks advanced classification engines, such as machine learning-based contextual analysis, exact data-match capabilities, and optical character recognition, which competitors offer to reduce false positives and improve detection accuracy.
Multivector threat protection: Cloud Secure Edge integrates Capture ATP, a cloud-based multiengine sandbox employing Real-Time Deep Memory Inspection (RTDMI), hypervisor-level analysis, and full-system emulation to detect zero-day threats, alongside an integrated SWG providing antimalware scanning and URL filtering. Nevertheless, email security, endpoint threat detection, and lateral movement vectors are not natively addressed, with protection scoped to web-proxied and ZTNA-brokered traffic rather than a fully integrated cross-vector platform.
Industry-specific compliance: The solution supports compliance through logging, reporting, and policy enforcement capabilities that enable organizations to demonstrate adherence to regulatory requirements across user access and data protection activities. However, it does not offer preconfigured compliance frameworks, automated policy templates for HIPAA, PCI DSS, GDPR, or SOX, continuous compliance monitoring dashboards, or industry-specific, audit-ready, detailed reports that simplify regulatory adherence.
Purchase Considerations
Cloud Secure Edge uses a per-user subscription model, with annual, biennial, and triennial terms available. Organizations can purchase two complementary products separately or together: Secure Private Access for internal resources and Secure Internet Access for web and SaaS security. Each product offers Basic and Advanced tiers, with Advanced providing expanded capabilities including SSH/RDP access and full CASB functionality. Qualified managed security service provider (MSSP) partners can leverage monthly usage billing, while customers can evaluate the solution through a 30-day free trial activated via MySonicWall.
Deployment integrates seamlessly with Generation 7 or newer SonicWall firewalls through native SonicOS connectors, simplifying policy management through unified dashboards. Migration complexity remains minimal compared with legacy VPN solutions, as the solution consolidates multiple components into a single client application. SonicWall provides migration documentation for transitions from competing platforms, including Cisco Umbrella. Organizations should verify identity provider compatibility with SAML, OpenID Connect (OIDC), or LDAP protocols, and assess whether Basic-tier capabilities meet requirements or whether Advanced-tier features justify incremental investment.
Use Cases
SonicWall Cloud Secure Edge addresses a broad range of use cases, including BYOD device security, legacy VPN replacement with zero trust access, merger and acquisition integration, protecting distributed workforces from internet threats, SaaS application protection through CASB controls, secure access to private applications and cloud resources, SWG filtering for malware and phishing prevention, third-party contractor access management, and unified policy enforcement across hybrid environments.
Versa: Versa Security Service Edge (SSE)
Solution Overview
Founded in 2012, Versa provides SASE solutions specializing in SD-WAN, SSE, and SD-LAN. Versa launched its first SASE solution (Versa Secure Access) in 2020, with SSE functionality integrated from inception. In November 2024, Versa introduced VersaONE Universal SASE Platform, consolidating SSE, SD-WAN, and SD-LAN products.
Versa SSE operates on a unified, single-pass architecture built on the Versa Operating System (VOS), deployed across approximately 100 global PoPs, interconnected via a traffic-engineered backbone. The platform integrates with third-party firewalls, routers, and SD-WANs to enable flexible connectivity. Core components include CASB, DLP, NGFW, RBI, SWG, and ZTNA, consolidated under a single policy engine. Key features include AI-driven threat detection, GenAI Firewall with prompt inspection, Microsoft Information Protection integration, multiple antivirus engines, three sandboxing options, and UEBA with User Confidence Score. Differentiators include a connector-free architecture, millisecond-latency TLS decryption, native multitenancy, and unified telemetry that correlates endpoint posture signals from partners.
Versa takes a general platform approach to SSE, innovating with emerging features such as adversarial validation, DSPM, enterprise browser, exposure management, GenAI agent security, and MCP support, while expanding existing capabilities.
Versa is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
Versa scored well on a number of decision criteria, including:
Cloud sandboxing: The solution provides commercial, native, and open source sandboxing options that process files through a multistage analysis pipeline incorporating AI/ML classification, behavioral analysis, customer-contributed signatures, multiple antivirus engines (Bitdefender, Check Point, CrowdStrike, Malwarebytes, McAfee, Sophos, Symantec, TrendMicro, and VirusTotal), and multi-sandbox correlation for comprehensive malware detonation. Threats identified directly inform inline security decisions across CASB, NGFWaaS, SWG, and ZTNA enforcement points within the unified architecture.
DLP: Versa DLP provides contextual protection across endpoint, inline, and at-rest channels using Document Fingerprinting, EDM, machine learning models, OCR, Proximity Analysis, and dictionaries to classify 25 content types, with enforcement actions including block, encryption, quarantine, redaction, and tokenization. It integrates UEBA-driven User Confidence Score adjustments that tighten DLP policies based on behavioral anomalies, combines AI-driven classification engines with MIP label enforcement, and extends unified protection across collaboration tools, email, private applications, SaaS, and web traffic.
Multivector threat protection: The solution combines antimalware, ATP, behavioral analytics, IDS/IPS, machine learning-based detection, multiple antivirus engines, NGFW, sandboxing, TLS inspection, and UEBA across cloud, email, endpoint, private application, SaaS, and web attack surfaces within a single-pass architecture. Endpoint Information Profile continuously monitors device posture, including CrowdStrike telemetry, antimalware status, failed authentications, OS version, registry values, and running processes, to detect anomalies, including lateral movement, privilege escalation, and suspicious data staging, while threat prevention functions execute simultaneously without multiple inspection passes.
Opportunities
Versa has room for improvement in a few decision criteria, including:
Agentless secure access: The solution enables clientless access via browser-based connectivity, using a forward proxy for enterprise users, PAC files for traffic routing, RBI for isolated sessions, and a reverse proxy for external SaaS access, without requiring endpoint agent installation. However, it lacks an enterprise browser capability, which is under development and planned for release in the first half of 2026, limiting modern agentless access options compared to platforms that offer mature browser-based security controls.
Industry-specific compliance: Versa SSE provides prebuilt, compliance-oriented policy templates aligned with frameworks such as GDPR, HIPAA, and PCI DSS, combined with data residency controls through Private SSE and Sovereign SSE deployments that maintain localized processing for regulated industries. Nevertheless, it offers general compliance frameworks rather than deep industry-specific certifications or specialized controls tailored to individual vertical requirements, which may limit organizations that require sector-specific regulatory compliance beyond standard data governance mandates.
NHI management: The solution provides machine identity-aware security controls that govern nonhuman identities through certificate-based authentication, API endpoint identification using DPI, behavioral analysis via UEBA for service accounts, and least-privilege enforcement across automation systems and software agents. However, it does not function as a standalone machine identity lifecycle management system with automated credential rotation, comprehensive secrets management, or dedicated workload identity governance capabilities for managing the complete lifecycle of software-based actors.
Purchase Considerations
Versa offers two primary licensing models. The per-user subscription model prices based on the number of authorized users, required SSE functionality (ATP, CASB, DLP, FWaaS, RBI, SWG, or ZTNA), analytics depth, and selected deployment model. The bandwidth-based subscription model removes the user-counting requirement entirely, with pricing tied to pre-purchased bandwidth capacity, making it better suited for environments with high-bandwidth applications, non-human devices, or IoT/IIoT deployments. Organizations should evaluate whether bundled or modular licensing aligns with their consumption patterns and growth trajectory. Versa offers transparent pricing with no hidden fees, simplifying budgeting compared to multivendor alternatives.
Deployment options include cloud-delivered SSE via 100 global PoPs, hybrid configurations, Private SSE on customer infrastructure, or Sovereign SSE for data residency compliance. Migration complexity is reduced through a connector-free architecture that supports third-party SD-WAN integration (firewalls, routers, or SD-WAN devices), Versa Client deployment, and agentless access via forward/reverse proxies and PAC files. Organizations should assess the compatibility of existing infrastructure, evaluate requirements for dedicated versus multitenant environments, and confirm that geographic PoP coverage meets latency requirements before procurement.
Use Cases
Versa SSE addresses a broad range of use cases, including cloud application security for protecting SaaS environments with inline CASB and API controls, consolidation of multiple point products into a unified platform, data protection and compliance across regulated industries through integrated DLP and policy frameworks, secure access to private applications via connector-free ZTNA, secure collaboration for Microsoft Teams and similar tools, secure internet access through comprehensive SWG capabilities, secure remote access with continuous zero trust enforcement, and threat prevention across web, email, cloud, and endpoint attack surfaces.
Zscaler: Zscaler SSE*
Solution Overview
Founded in 2008, Zscaler provides cloud-native security through its Zero Trust Exchange platform, specializing in SSE and SASE solutions. Zscaler acquired Red Canary (managed detection and response) in May 2025 and SPLX (AI security governance) in November 2025.
Zscaler SSE is built on the Zero Trust Exchange platform and uses a Single-Scan Multi-Action (SSMA) architecture with a Central Authority, Nanolog clusters, and Public Service Edges (PSEs). It integrates with third-party SD-WAN solutions, including Aruba EdgeConnect, Aryaka, and Cisco. Core components include CASB, DLP, FWaaS, SWG, and ZTNA. Key features include browser isolation, inline sandbox, and UEBA. Differentiators include comprehensive protection that extends beyond the workforce to business partners, IoT/OT, and workloads; the world's largest security cloud; and parallel processing via SSMA for superior performance.
Zscaler takes a general approach to SSE, innovating to add emerging features, including AI security (agent communications and private AI apps), DSPM, microsegmentation for cloud workloads, and the Zero Trust Gateway.
Zscaler is positioned as a Leader and Fast Mover in the Innovation/Platform Play quadrant of the SSE Radar chart.
Strengths
Zscaler scored well on a number of decision criteria, including:
Agentless secure access: Zscaler Browser Isolation delivers secure access to BYOD and B2B devices without requiring endpoint agents, using pixel-streaming technology to render web content remotely. It integrates with CASB and Zscaler Private Access (ZPA) to prevent data exfiltration by disabling clipboard, download, and upload actions while maintaining seamless browsing experiences through HTML5 canvas delivery.
Industry-specific compliance: Zscaler SSE holds FedRAMP High and Moderate authorization for its entire Zero Trust Exchange platform, enabling government agencies to secure sensitive unclassified data with rigorous security controls. The platform provides built-in support for GDPR, HIPAA, and PCI DSS through configurable HTTPS inspection, anonymized logging, regional data residency options, and audit trails that simplify compliance validation.
GenAI risk management and control: The solution delivers advanced prompt classification and inspection across Microsoft Copilot and other GenAI applications, blocking policy violations while leveraging AI-powered data security classification covering more than 200 categories. It enforces DLP controls across AI interactions, disables cut-paste-download actions through browser isolation, and processes 500 trillion daily signals to identify sensitive data exposure risks.
Opportunities
Zscaler has room for improvement in a few decision criteria, including:
DSPM: Zscaler DSPM provides agentless scanning and AI-powered classification of sensitive data across cloud environments, automatically creating data inventories and mapping access paths to identify misconfigurations, exposures, and overprivileged access. However, it focuses primarily on cloud data stores and SaaS repositories rather than on comprehensive posture management across on-prem file shares, databases, endpoints, and unstructured data lakes, which require broader enterprise coverage.
NHI management: Zscaler SSE secures NHI through identity-aware inspection, per-identity microsegmentation, and least-privilege access controls that monitor machine-to-machine communications and block lateral movement across service accounts, APIs, and CI/CD pipelines. Nevertheless, it lacks dedicated NHI lifecycle management capabilities, including automated credential rotation, service account discovery across hybrid environments, and specialized governance workflows that continuously track NHI proliferation and usage patterns.
Autonomous threat response: Zscaler processes 500 trillion daily signals through AI models that accelerate threat detection, automate policy enforcement with an inline zero trust architecture, and integrate with SOAR workflows to enrich security alerts with contextual intelligence. However, it requires orchestration platforms like Torq for fully autonomous incident response and relies on human validation before executing containment actions rather than deploying self-directed AI agents that autonomously reason and remediate threats.
Purchase Considerations
Zscaler SSE follows a subscription-based SaaS model with per-user annual pricing across tiered bundles, including Business, Enterprise, and Transformation editions that combine Zscaler Internet Access, Zscaler Private Access, and advanced capabilities. Organizations typically commit to multiyear contracts spanning 12, 24, or 36 months, with volume discounts available for longer terms and larger deployments. Enterprise tiers require a minimum of 500 users and support custom app segmentation, with pricing scaling based on selected security modules, user count, and negotiated enterprise agreements.
Organizations should evaluate cloud-native deployment through client connectors, forwarding proxies, or API-based integrations that eliminate on-prem hardware but require identity provider integration and SSL certificate management. Zscaler offers 30-day POC trials that enable staged traffic mirroring, policy validation, and performance benchmarking of latency, throughput, and enforcement metrics under production conditions. Migration complexity varies with existing VPN infrastructure. Automated configuration export tools are available, but customers must plan the DNS cutover timing and phased user onboarding.
Use Cases
Zscaler SSE addresses a broad range of use cases, including B2B partner access, BYOD security, cloud application security, consistent DLP across encrypted traffic, double-extortion ransomware prevention, IoT/OT device protection, remote workforce security, SaaS security with shadow IT discovery, threat detection and mitigation, and workload security. The solution extends zero trust principles beyond traditional user-focused deployments to workloads, devices, branches, and business partners while providing consistent policy enforcement across all channels.
6. Analyst’s Outlook
The SSE market has matured as organizations operate with increasingly distributed networks and hybrid workforces. Major requirements that impact purchase decisions include baseline expectations for comprehensive cloud security, the implementation of zero trust strategies, and seamless remote access for distributed workforces.
As cyberthreats evolve, IT decision-makers prioritize solutions that provide enhanced visibility, integrated threat intelligence, and advanced data protection. Organizations have largely completed the shift to cloud-native security services and now seek unified architectures that integrate security and networking capabilities, with identity as the new perimeter, replacing static network trust models.
Organizations are recognizing the value of SASE platforms built on SSE foundations for providing secure access to cloud-based applications and resources from any location while also addressing compliance requirements and data sovereignty concerns. The market is witnessing increased adoption of specific AI-powered capabilities, including GenAI risk management, AI Security Posture Management (AI-SPM) for centralized monitoring and governance of AI models and data, shadow AI discovery and visibility, AI prompt protection, AI-assisted threat detection and response, adaptive policy orchestration, NHI management, and predictive anomaly detection to enhance threat detection and response effectiveness.
Prospective customers should take the following steps:
Understand Your Security Needs
Specific challenges: Identify your organization's unique security challenges. This includes the cyberthreat types most relevant to your industry, your compliance requirements, and the specific vulnerabilities of your IT infrastructure.
Security goals and strategy: Outline a plan with defined security goals and a strategy for achieving them. This helps determine whether a SASE model fits your security architecture, especially in supporting hybrid work, cloud use, and the externalization of IT resources.
Vendor consolidation: Prioritize consolidation toward single-vendor SASE solutions to streamline the security landscape, improve threat detection and response coordination, and simplify management through centralized approaches. Organizations are increasingly favoring consolidated solutions to reduce operational complexity and improve visibility.
Consider Operational and Strategic Fit
Support and managed services: Given the sophistication of SASE, look for providers that offer comprehensive support and managed services. This includes technical, business, and project management expertise to help you focus on strategic objectives rather than maintaining the solution.
Cloud architecture options: SASE solutions are inherently cloud-delivered. Evaluate whether public cloud or hybrid architectures, combining public cloud with vendor-owned data centers, best meet your compliance and data sovereignty requirements.
Phased deployment and risk mitigation: Consider a phased approach that allows incremental implementation, testing, and validation of SSE components within specific network segments or departments. Start by securing remote and hybrid workforces with ZTNA, then move to SWG and CASB, addressing the highest-risk areas first to mitigate SSE adoption risks.
Full SASE platform capabilities: Evaluate providers' current full SASE capabilities, including native or partnered SD-WAN integration, unified console management, and proven large-scale deployment track records. Vendors should already offer complete SASE architectures rather than future roadmaps.
Evaluate Functional and Nonfunctional Requirements
Comprehensive security features: Look for solutions that offer baseline integrated security services, including CASB, DLP, FWaaS, RBI, SWG, ZTNA, sandboxing, DNS security, and SSPM. Differentiate vendors based on emerging capabilities, including GenAI risk management, AI-SPM, shadow AI discovery, AI prompt protection, NHI management, adaptive policy orchestration, and AI-assisted threat detection and response.
Scalability and flexibility: Look for solutions that can adapt to changing business needs. This is crucial for both small businesses and enterprises as they grow or shift their operations.
Simplified management: Consider solutions that consolidate security services into a single, cloud-based platform to reduce complexity and cost.
Performance and latency: Solutions should minimize latency through globally distributed points of presence, ensuring security services do not disrupt business operations.
Visibility and control: Enhanced visibility into network activity and greater control over network access and usage are essential for identifying potential vulnerabilities and responding to threats effectively. Continuous verification of identity and context is now central to modern SSE architectures.
DEM: Ensure solutions include DEM capabilities to track application performance, network latency, and user experience metrics, ensuring security policies do not degrade productivity.
Compare Vendors and SSE Solutions
Product assessment: Evaluate vendors, products, and feature sets based on this report. Your company's security model will dictate the required features and implementation strategies.
Vendor evaluation: Thoroughly vet potential SSE vendors, considering their reputation, customer support quality, current platform maturity, and ecosystem (including the solution's ability to integrate with other tools and its scalability). Focus on whether vendors offer native or partnered SD-WAN, how they've integrated acquisitions into unified platforms, and their single-console management capabilities.
Architectural simplicity: Look for solutions that offer architectural simplicity, minimize technical debt, and accelerate business processes. The solution should be born in the cloud, with best-in-class resilience and optimal user experience.
Choosing the right solution requires carefully evaluating your organization's specific security needs, the capabilities and strategic fit of potential solutions, and vendors' support and services. By following these steps, you can select a solution that effectively protects against cyber threats while supporting your business objectives.
Don't wait for a security breach to highlight vulnerabilities. Instead, proactively implement a robust SSE strategy to safeguard your digital assets and empower your workforce to work securely from anywhere.
7. Methodology
*Vendors marked with an asterisk did not participate in our research process for the Radar report, and their capsules and scoring were compiled via desk research.
For more information about our research process for Radar reports, please visit our Methodology.
8. About Ivan McPhee
Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.
An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.
9. About GigaOm
GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.
GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.
GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.
10. Copyright
© Knowingly, Inc. 2026. "GigaOm Radar for Security Service Edge (SSE)" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact sales@gigaom.com.