Top 8 Secure Access Service Edge (SASE) Providers


Secure access service edge (SASE) technology (pronounced “sassy”) strives to provide a comprehensive solution for network management and security in a modern IT environment that sprawls well beyond local networks. Our investigation of the SASE market reveals eight very competitive SASE solutions as well as a number of other strong competitors that do not fully qualify as SASE tools.

Top SASE Tools Compared

The table of Top SASE Tools below summarizes our findings and is followed by additional information on each SASE vendor (in order of our ratings). We explain our methodology further down, along with guidance for SASE buyers.

| Top SASE Tools | Rank | Our Rating (5 point scale) | Best use cases | Special Features |
|---|---|---|---|---|
| Cloudflare One | 1 | 4.23 | Entry-level SASE | Most transparent pricing and a free tier for < 50 users |
| Cato SASE Cloud | 2 | 4.12 | Full-Service SASE | Simplified deployment with options for managed installation, security, and internet provider management |
| VMware SASE | 3 | 3.91 | VMware SD-WAN Upgrade | Most cloud connectors and market-share leader for SD-WAN |
| Barracuda SecureEdge | 4 | 3.81 | Remote User Protection | Integrated market-leading email security |
| Versa Unified SASE | 5 | 3.77 | Full-control SASE | Local data center installation option for the SASE controller |
| FortiSASE (Fortinet) | 6 | 3.42 | FortiGate upgrade | Application specific integrated circuit (ASIC) designs for faster SD-WAN hardware |
| Palo Alto Prisma SASE | 7 | 3.31 | Multi-tenant service providers | Top rated security products |
| Cisco+ Secure Connect | 8 | 3.07 | Cisco SD-WAN Upgrade | Full integration with Meraki and Catalyst SD-WAN devices |


Cloudflare One

Best Entry-Level SASE

Cloudflare One edges out SASE competitors with its transparent pricing, simple implementation, and strong IoT support. This solution earned our Best Entry-Level SASE designation based upon its Free Tier for up to 50 users. This solution is well suited for small businesses and organizations experimenting with SASE.



Cloudflare One is available in three tiers of pricing: Free, Pay-as-you-go, and Contract.

All three tiers include the basic SASE package to connect users and assets securely. The Free tier includes application connector software, device client (agent) software, zero-trust network access (ZTNA), secure web gateway (SWG), and in-line cloud access security broker (CASB). The lowest tier of Cloudflare One provides support for 50 users maximum, up to 3 network locations for office-based DNS filtering, and community forum support.

The Cloudflare One Pay-as-you-go Tier starts at $7 per user per month, eliminates any user maximum, allows up to 20 locations, and adds email and chat customer support with a 4-hour response. Remote browser isolation is available for an additional $10 per user per month.

The Cloudflare One Contract tier requires custom pricing and annual billing. At this tier, there is no limit to the number of users, up to 250 network locations are allowed, and support is automatically upgraded to priority phone, email, and chat with a 1 hour initial response time. There is also the option to add on features such as remote browser isolation, cloud email security, dedicated egress IP addresses, and DLP.


Features

  • Private backbone with more than 200 access points in more than 100 countries
  • 100% uptime guarantee in the service level agreement (SLA) with 67 Tbps of network capacity
  • Verified device security posture and contextual features built into all SASE tiers
  • Clientless access option for web apps and browser-based SSH on devices not under corporate control
  • Managed deployment and self-enrollment options through MDM tools or through direct access to Cloudflare
  • Agent OS Options include Windows, macOS, iOS, Android, Linux, and even ChromeOS


Pros

  • ZTNA by default applies to all traffic, users, and devices
  • Top-rated DDoS protection through a variety of FWaaS capabilities built into the Magic Transit NaaS incorporated into the SASE product
  • Robust automation for traffic routing and distributed denial of service (DDoS) protection
  • IoT Isolation through the Magic Transit NaaS to protect the IoT and other network resources against attack
  • Robust free tier for up to 50 users


Cons

  • Lacks direct network controls that software defined wide area network (SD-WAN) owners may be used to managing directly
  • Lacks email notifications desired by some customers for rule violations
  • Feature improvements sought by customers comparing against more established CASB and firewall vendors

For more details and the full list of features, pros, and cons, please see our Cloudflare One SASE Solution Review.


Cato SASE Cloud

Best for Full-Service SASE

The Cato SASE Cloud offers a dramatically simplified deployment for SASE with only two hardware configurations, as well as automated connection and configuration. Cato earns their Best for Full-Service designation because they also offer full-service options that can fully manage the deployment and management of end-to-end SASE, managed threat detection and response (MDR), and internet service providers (ISPs).



Cato’s SASE offers simplified options and license bundles that include Cato SSE 360, clientless connections, ZTNA Client licenses, and technical support. Cato charges customers annually based primarily on the bandwidth volume per site and the number of mobile users.

Bandwidth is sold for connections between 10 Mbps and 10 Gbps but Cato does not directly publish prices. Some partners publish that 50 Mbps of bandwidth starts at $200 per location and reaches $500 per location for 400 Mbps.

Cato only offers two versions of the Socket Edge SD-WAN (500 Mbps, 2 Gbps), which are sold as Hardware-as-a-Service, with updates, upgrades, and replacements included in the subscription. Cato does not explicitly offer free trials, but they offer free quotes and can authorize proof-of-concept tests.

To complement the Cato SASE Cloud technology, Cato offers customers options for managed services. These full-service options include MDR, Site Deployment, Hands-Free Management (day-to-day management), and Intelligent Last Mile Management (ISP management).


Features

  • Global Private Backbone with world-wide points of presence (PoPs) fully owned and controlled by Cato to provide faster performance and higher security than internet or IPsec VPN transmission
  • Hardware-as-a-Service avoids delays or IT team time because maintenance contracts include patching, updating, upgrading, replacing, and maintaining connection hardware
  • Inspection everywhere: IPS and anti-malware applied to all traffic, everywhere, including cloud and remote assets
  • Windows, macOS, iOS, Android, and Linux support through the self-service Cato Client ZTNA agent
  • Optional Cato Managed Services for internet service provider management, SASE management, managed detection and response (MDR), deployment, and designated support services
  • 1 year of operations and security data stored for each link with event management (SIEM) data built into Cato SASE Cloud for direct evaluation or export


Pros

  • No local hardware configuration needed because the Socket Edge SD-WAN configuration is both set up and stored within Cato SASE Cloud for fast and easy installation, failover, or replacement
  • Automatic Point-of-Presence (PoP) location and connection by Socket Edge SD-WAN appliances
  • Lightweight on-device agent with all anti-malware and packet inspection performed on scalable cloud resources
  • SASE Challenger as recognized by Gartner in their 2023 Single Vendor SASE Magic Quadrant
  • Granular migration options for the piecemeal rollout for users and offices with existing and staggered point-service contracts


Cons

  • Time consuming to fine-tune connections although initial connections can be quick
  • Slower throughput rates than expected may be caused by poor connections or distance between users or sites and Cato SASE Cloud PoP, although Cato estimates all PoPs are within 25 ms of users
  • Lacks some options for network and security controls present in specialist applications, which may distress IT and security teams accustomed to specific options such as sandboxing

For more details and the full list of features, pros, and cons, please see our Cato SASE Cloud Solution Review.

VMware SASE


Best for Diverse Tech Environments

While VMware is well known for its virtualization technologies, it is now also a strong player in the emerging SASE market thanks to its top position in the SD-WAN market. VMware SASE earns its Best for Diverse Tech Environments designation thanks to robust virtual network function (VNF) support to enable connections with a diverse range of third-party security tools.



VMware provides a pricing and configuration guide and notes 1, 3, and 5 year contracts. Customers are encouraged to contact VMware directly or to go through reseller partners to scope out needs and all formal prices.

The different options enable a very tailored environment, with 3 different tiers for the SASE subscription (Standard, Enterprise, Premium), 3 different service support options (Basic, Production, Premier), and 12 bandwidth options.

To support the 12 different bandwidth levels, VMware offers 26 different Edge hardware configurations ranging from $550 to $10,000, or 12 different Virtual Edge device configurations.

VMware provides 3 support options for their software (Basic, Production, Premier) and 4 levels of hardware replacement (Return, Next Business Day, 4-hour 9am to 5pm, 4-hour 24/7). All software support is 24/7/365 by telephone and web form customer service and includes all product updates. All levels of service include remote support, access to the VMware knowledge base, and unlimited requests.


Features

  • Vendor agnostic, AI-enhanced IT Operations (AIOps) in VMware Edge Network Intelligence provides self-healing ops performance, auto-discovers end user and IoT devices, and monitors deviations
  • Multi-tenancy options for service providers or segregated business structures for compliance
  • Integrated remote browser isolation (RBI) opens web pages in a virtual environment and not on the user’s local device
  • VMware SD-Access agent supports Windows, macOS, iOS, Linux, and Android devices
  • Robust virtual network function (VNF) support enables network compatibility with a large number of third-party security solutions


Pros

  • SASE Niche Player as recognized by Gartner in its 2023 Single Vendor SASE Magic Quadrant
  • Embedded multi-source inbound quality of service (QoS) in SD-WAN between global cloud services and users, enabling consistent WAN connections over MPLS, 4G/5G/SAT, and internet broadband
  • Simplified WAN management thanks to zero-touch deployments, one-click service insertion, and simplified operation
  • Profile configurations speed deployment through standardized common parameters for a set of devices to reduce device-specific configurations
  • Full OpEx Option with available hardware rental agreements


Cons

  • No private backbone for high-speed SD-WAN connections; customers use public backbone resources or contract with backbone providers
  • Security functionality lags market leaders for data security and SaaS visibility and control
  • Advanced security options require additional products not controlled through VMware SASE such as Workspace ONE
  • Option overload can make it difficult to determine appropriate licenses and options required
  • VNF technology slows performance when used to integrate third-party solutions

For more details and the full list of features, pros, and cons, please see our VMware SASE Solution Review.


Barracuda Networks

Best for Remote User Protection

Barracuda SecureEdge placed fourth in our ranking with good licensing transparency and less complicated deployment. Barracuda lacks a private backbone and the SD-WAN networking options valued by the largest organizations concerned with securing branch offices and data centers. However, Barracuda earns its Best for Remote User Protection designation because it offers optional bundles of its market-leading email security.



Barracuda provides some of the best transparency into the components and licensing in the SASE industry. While it does not publish explicit pricing, buyers can obtain a free quote by filling out Barracuda’s SASE Solution Build and Price questionnaire.

Pricing for SecureEdge components is estimated to be:

  • SecureEdge Access Agent: $15 to $20 per user
  • SecureEdge Service:
    • Private: Included with the purchase of SecureEdge Site Devices and valid Energize Edge subscriptions
    • Managed SaaS: provisioned in 50 Mb increments up to 1 Gb and estimated to cost under $300 / 50 Mb / month
    • Microsoft Azure Virtual WAN: delivered through the Microsoft Marketplace and priced between $0.067 and $4.66 per hour depending upon WAN bandwidth

The SecureEdge Manager and SD-WAN Connectors are included in the price of other subscriptions. Barracuda also offers a free trial to set up and test SecureEdge for 30 days.

SecureEdge Site Device and Secure Connector virtual appliances support between 50 users at 300 Mbps and 9,000 users with up to 9.3 Gbps performance. Virtual appliance support is available as standard support (under $80 / month / appliance) or through the Managed SaaS subscription (pricing not publicly available).

The dedicated SecureEdge Site Device hardware starts at $800 (50 users, 300 Mbps performance) and reaches $51,000 (9,000 users, 9.3 Gbps). The annual cost of Energize Updates for these appliances is estimated to be roughly the equivalent of the purchase price of the hardware.

Secure Connector physical appliances cost between $500 and $1,900 per unit and support wired, WiFi, 3G, and 4G connections. Energize Updates for Secure Connector physical appliances are priced between $120 and $130 per year and include basic support.

Energize Updates are required for all appliances and are purchased as a monthly or annual subscription. For other SecureEdge components, Barracuda offers two levels of support: enhanced and premium.

Enhanced support is also included in the price for SaaS solutions and offers 24/7/365 phone, live chat, online portal, and email support. Premium support reduces response time for critical issues from 2 hours to 30 minutes and unlocks higher support specialist tiers and other advanced support options.


Features

  • Advanced and multi-layered security building off of the established CloudGen Firewall technology
  • Advanced threat protection (ATP) using virtual sandboxes to study unknown file behavior
  • Network intrusion detection and prevention systems (IDPS) to detect and block attacks and exploits on the network, application, and databases such as distributed denial of service (DDoS), cross-site scripting (XSS), and SQL injection (SQLi)
  • Self-healing traffic intelligence that detects the health of uplinks and encrypted tunnels across SD-WAN sites for adaptive optimization to reduce latency and maintain bandwidth
  • Application-based routing based upon protocol, user, location, content, applications, and web content to maintain focus on business and mission-critical applications


Pros

  • SaaS, Private, and Azure deployment options
  • Replaces clumsy virtual private network (VPN) connections that contribute to deployment and bandwidth issues
  • Fast and easy self-enrollment of up to five devices
  • Incorporates Barracuda Global Threat Intelligence to leverage Barracuda’s existing global firewall, email security, and other real-time threat information from millions of collection points
  • Zero-touch site deployment for simple, quick installation


Cons

  • No private backbone for high-speed SD-WAN connections; customers use public backbone resources or contract with backbone providers
  • Overwhelming alerts and challenges to set up global alerts cited by customers that lacked setup experience
  • Requires an agent for remote endpoints
  • Not yet global with availability based upon regions and countries
  • No current data loss prevention (DLP) features

For more details and the full list of features, pros, and cons, please see our Barracuda SecureEdge SASE Solution Review.


Versa Unified SASE

Best for Full-Control Deployment

Versa Unified SASE delivers an option-rich solution for secure networking and security built on the carrier-grade Versa Operating System (VOS). Versa also offers the widest range of deployment options, which earned them our designation as Best for Full-Control Deployment since they offer a fully local SASE deployment, including the controller (Versa Concerto).



Versa does not publish pricing or full licensing requirements for its SASE solution and limited information can be obtained without a formal sales estimate. A free trial is available for up to 100 users for organizations with 5,000 or more employees. This size limit suggests that Versa SASE is best suited for large enterprises.

The Versa core components include:

  • Versa Concerto: two main configurations, with a range of 150 tenants and 4,000 branches to 250 tenants and 10,000 branches
  • Versa Secure Internet Access (VSIA) is offered in three service tiers:
    • Essential Tier: cloud-based app and SaaS access, bandwidth control and traffic priority management, and web filtering
    • Professional Tier: adds SSL/TLS Proxy, network-based antivirus protection, as well as inline CASB and malware protection
    • Elite Tier: includes Professional Tier, plus clientless SaaS application management, DLP, and advanced threat protection
  • Versa Secure Private Access (VSPA) has two tiers of service:
    • Essentials Tier: intelligent gateway selection, site-to-site data center tunnels, and whitelisting for up to 10 applications
    • Professional Tier: adds unlimited app whitelisting, ZTNA policies based on device posture, and app-based traffic steering
  • Versa Cloud Security Gateway (CSG) Appliances
    • Start at $500 with 1,00 Mbps WAN performance; can reach 30 Gbps and support wired and wireless connections
    • Functionality for local-network-based stateful firewalls, SD-WANs, NGFW, antivirus, intrusion prevention services (IPS), and unified threat management (UTM) capabilities
    • Virtual Appliances support most major virtualization options: AWS, KVM on CentOS or Ubuntu, Azure, Hyper-V, VMware ESXi
  • Versa SASE Support offers two tiers for support starting with Standard 60 minute response times and 24/7 email and phone support and improving to Premier support with 30 minute response time and additional benefits


Features

  • Cloud, local, and hosted deployment options as well as blended deployments of multiple SASE services
  • Single converged platform with a unified console, policy and data lake
  • AI/ML-powered real-time and historical analytics to provide visibility into operations and security events
  • Extensive global point-of-presence (PoP) access points in Europe, North America and Asia, at least one PoP in Africa, Australia, and South America
  • Traffic engineered network connections use application aware software to optimize reachability and dynamic path selection for traffic between PoPs and network assets
  • Endpoint agent available for Windows, macOS, iOS, and Android devices


Pros

  • Security-sensitive deployments run purely on-premises SASE, deployed exclusively through the enterprise network, and even support air-gapped management systems
  • Multi-tenant options for hosted Versa SASE let managed service providers (MSPs) run multiple client SASE instances; Versa claims to be the only true multi-tenant SASE architecture available
  • SASE Challenger as recognized by Gartner in its 2023 Single Vendor SASE Magic Quadrant
  • Full control option for clients to install all SASE components in their own onsite data center or cloud environment
  • High-speed private backbone integrated controls through technology partners such as Google Cloud and Azure


Cons

  • Service chaining of network components may limit network performance
  • Limited formal training may be an issue for some service tiers
  • Lagging threat detection noted by Gartner
  • Poor price transparency and licensing information make it harder to budget or to determine which components and tiers will be needed to obtain specific SASE capabilities
  • More complex options from well-established technology can create a longer and more complex setup and possible unintended gaps or conflicts in security policies

For more details and the full list of features, pros, and cons, please see our Versa Unified SASE Solution Review.

FortiSASE


Best Option for Fortinet Upgrades

Fortinet builds on their strong portfolio of firewall and gateway technologies to provide the FortiSASE converged solution for network and security control. FortiSASE incorporates the many different options expected from their long-term customers at the potential expense of more involved and time-consuming deployments.

While FortiSASE provides a strong SASE package, it earns its designation as the Best Option for Fortinet Upgrades because existing customers will bypass many setup and training issues that other organizations might encounter with the deployment of unfamiliar systems. Organizations with existing Fortinet appliances and experience will see the strongest return on investment when upgrading to FortiSASE.



Fortinet publishes the types of user licenses required to implement FortiSASE and offers flexible licensing options billed annually in 1, 3, and 5-year subscriptions. Customers can contact Fortinet or their partners for specific quotes, and published Fortinet partner pricing can allow for some estimates of the approximate costs:

  • FortiSASE User Subscription billed by users in tiers from $100 per user (50 to 499 users) to $45 per user (10,000+ users) with a $1,000 optional 25 Mbps bandwidth add-on
  • Thin Branch (AKA: Thin Edge) connectors are billed by appliance starting at $400 and also require a $150 annual FortiSASE connector subscription
  • FortiSASE Secure Private Access (SPA) appliances (virtual or physical) cost $700 to $2,500 and require a $450 annual FortiSASE connector subscription

Standard product support is included with subscriptions and provides 24/7 FortiCare Support. Optional premium support subscriptions are also available for all appliances to provide rapid appliance replacement, onsite support, secure remote management, and advanced support engineers.


Features

  • Agentless connections and an endpoint agent available for Windows, macOS, Linux, iOS, and Android devices
  • AI-enhanced security analysis and response
  • Secure Edge options for either local FortiGate appliance traffic inspection or cloud-hosted FortiGate capabilities built into FortiSASE
  • Robust security and network options supported on Fortinet’s well-established firewall, gateway, ZTNA, CASB, and SD-WAN technology


Pros

  • SASE Challenger as recognized by Gartner in its 2023 Single Vendor SASE Magic Quadrant
  • Service organization control (SOC 2) certified for FortiSASE cloud-hosted services
  • Sandboxing available to investigate suspicious files
  • Accelerated hardware using application-specific integrated circuit (ASIC) designs for SD-WAN hardware for higher throughputs


Cons

  • No private backbone for high-speed SD-WAN connections; customers use public backbone resources or contract with backbone providers
  • No UDP support for agentless connections because access proxy technology used only supports HTTP, HTTPS, or other TCP traffic
  • Manual update and patch management appears to be required for each locally installed appliance
  • More limited PoPs than competitors with no access in South America or Africa
  • More complex options from Fortinet’s well-established component technology can create longer and more complex setups and possible unintended gaps or conflicts in security policies

For more details and the full list of features, pros, and cons, please see our FortiSASE SASE Solution Review.


Palo Alto Prisma SASE

Best Multi-Tenant Option

Palo Alto Networks got its start as a network security vendor and has come to fully embrace the SASE model. The Prisma Access platform integrates Firewall as a Service (FWaaS), threat prevention, DNS security and data loss prevention (DLP) capabilities for edge resource protection with the rich features and options expected from an established network security provider.

The SASE quality, AI-enhanced automation, and multi-tenant capabilities earn Prisma SASE our designation as the Best Multi-Tenant Option. Managed IT service providers (MSP) and managed IT security service providers (MSSP) such as AT&T or NTT will be able to leverage Palo Alto’s strong brand and SASE capabilities when deploying their own managed SASE solutions.



Palo Alto does not publicly publish pricing for Prisma Access and its components; however, Palo Alto does provide a Prisma Access Licensing Guide. Customers are encouraged to contact Palo Alto or their partners for specific pricing. Public licensing information includes:

  • Licenses are typically offered as 1-, 3-, or 5-year subscriptions
  • Panorama Management appliances for local deployments
    • Customers must maintain a valid support license
    • Cortex Data Lake license ($2,000 / TB of data) required for logs
  • Cloud Managed Prisma Access
    • Customers may need to license and integrate the SaaS Security API for clientless VPN and authentication
    • Cortex Data Lake license ($2,000 / TB of data) required for logs
  • Prisma Access units (per user, per Mbps) cost $60 – $200 per year
  • Add-on options run between $40 and $150 per unit

Palo Alto partners may offer bundled pricing or discounts based upon volume or multi-year subscriptions.


Features

  • Rigorous ZTNA (aka ZTNA 2.0) controls with continuous trust verification, security inspection, and data protection as well as precise access control at the app and sub-app levels
  • Multi-tenant deployment option for service providers
  • Machine learning (ML) enhanced SWG boosts static analysis capabilities to improve security and also simplify user onboarding and customer migration
  • SaaS security misconfiguration detection and drift prevention through the Prisma SASE next-generation CASB
  • Agentless and Agent-based (GlobalProtect app) remote user protection and security
  • Wide OS support: GlobalProtect agent supports Windows, macOS, iOS, Android, ChromeOS, Linux


Pros

  • SASE Leader as recognized by Gartner in the 2023 Single Vendor SASE Magic Quadrant and the only vendor in the Leader category
  • Feature rich with many options for licensing and technology add-ons
  • Well trusted brand and an established SASE vendor with a good track record of customer success
  • Granular control over devices, assets, users, and security options
  • Automated IT operations options for AIOps and Autonomous Digital Experience Management (ADEM) for predictive problem detection and analytics to reduce mean time to resolution (MTTR)


Cons

  • Add-ons required for key SASE security controls such as next-gen CASB or DLP
  • No private backbone for high-speed SD-WAN connections; customers use public backbone resources or contract with backbone providers
  • Option overload can make it difficult to determine appropriate licenses and options required
  • Poor international documentation with limited non-English information
  • Higher prices cited by customers

For more details and the full list of features, pros, and cons, please see our Palo Alto Prisma SASE Solution Review.


Cisco+ Secure Connect

Best for Cisco SD-WAN Upgrade

Cisco has long been a dominant vendor in the networking market, with an expansive product portfolio that includes both hardware and software. Cisco+ Secure Connect earns its designation as Best for Cisco SD-WAN upgrade because organizations already trained and invested in Cisco networking, SD-WAN, or related security products will enjoy much higher returns on investment through upgrades. The time and cost to switch appliances and train employees in other solutions will likely push other SASE solutions out of consideration.



Cisco+ Secure Connect can be purchased directly from Cisco or through Cisco partners as one of four versions:

  • Foundation Essentials (SWG, CASB, DNS, Firewall, SD-WAN integration)
  • Foundation Advantage (adds additional firewall, IPS, DLP, and malware protection)
  • Complete Essentials (adds ZTNA and clientless browsers to Foundation Essentials)
  • Complete Advantage (increases the clientless browser application limit of Complete Essentials and adds firewall, IPS, DLP, and malware protection)

Customers purchasing the Essentials (Foundation or Complete) license will be limited in sandbox submissions (500), cloud applications monitored for malware (2), and applications allowed to be accessed through the clientless browser (10).

The four bundles of the SASE product are estimated to cost between $100 and $300 per user per month depending upon the bundle choice. Standard terms for licenses are 12, 36 and 60 months.

Cisco AnyConnect Client and SD-WAN appliances may require additional purchases beyond the scope of the SASE license. All versions of Cisco+ Secure Connect include 24/7 trouble-shooting.


Features

  • Cloud-delivered overlay WAN architecture connects branches to headquarters, data centers, and multi-cloud environments through a single integrated network fabric
  • SD-WAN integration with the SASE controller for Meraki, Catalyst, and others
  • Cisco Umbrella SIG unifies firewall, SWG, DNS-layer security, CASB, and threat intelligence functions into a single and well-tested cloud service
  • User authentication options for customer’s SAML or bundled cloud-identity platform
  • Cisco Umbrella global architecture provides high-speed, low latency backbone with globally available points of presence (PoP)
  • Flexible licensing and consumption models allowing organizations to scale up or down as worker distribution shifts


Pros

  • SASE Visionary as recognized by Gartner in the 2023 Single Vendor SASE Magic Quadrant
  • Clientless ZTNA option for least privileged access control without an agent — suitable for BYOD, contractors, and partners
  • Powerful Cisco brand can reduce friction for purchasing and internal adoption
  • Integrates well-established technology for Cisco networking, SWG, CASB, and SD-WAN technologies
  • Easy upgrade purchase for existing Cisco SD-WAN customers


Cons

  • PoP connections are limited in number and do not offer all Cisco+ Secure Connect options globally
  • More complex options from well-established technology can create a longer and more complex setup and possible unintended gaps or conflicts in security policies
  • Limited SD-WAN options without separate purchase of other Cisco SD-WAN technology, such as Meraki SD-WAN
  • No private backbone for high-speed SD-WAN connections; customers use public backbone resources or contract with backbone providers

For more details and the full list of features, pros, and cons, please see our Cisco+ Secure Connect SASE Solution Review.

Key Features of SASE Software

Secure access service edge (SASE) is one of the more recent security concepts to gain traction, with the category first defined by Gartner in 2019. SASE’s definition converges the technologies used by operations (Ops) to deliver wide-area network capabilities and the controls used by security teams for network, user, data, and cloud security.

To qualify as a SASE tool, a solution must:

  1. Centralize control
  2. Monitor network
  3. Monitor user activity
  4. Inspect traffic
  5. Control access
  6. Secure cloud-based assets

Centralized Control

A SASE tool must consolidate all security management and operations reporting through a unified software tool. This requirement parallels the reunification of development, operations, and security in DevSecOps application development: it breaks down the silos between operations and security that contribute to conflicts and misconfigurations.

Monitored Network Status

Although quite similar to Security Service Edge (SSE) technologies, SASE primarily distinguishes itself from SSE with the requirement to monitor, maintain, and control network operations. Gartner has narrowly defined network control as software-defined wide area network (SD-WAN) control, but we see network-as-a-service or mesh networks with ZTNA as functional equivalents. Based on Gartner’s forecast, 80% of organizations will implement SASE or SSE architecture by 2025 because the combined network operations and network security of a SASE offering allows more consistent services end-to-end.

Monitored User Activity

SASE tools need to monitor users and block inappropriate or unauthorized behavior. Most tools use secure web gateways (SWG) and firewalls as a service (FWaaS) capabilities, but data loss prevention (DLP) analysis is also available in the top tools. In a practical sense, this requirement can be extended to both human users as well as application programming interface (API) connectors and the internet of things (IoT).

Inspected and Decrypted Traffic

A SASE tool should be able to inspect traffic and block both malware and malicious URLs through filtering, often via SWG, intrusion prevention systems (IPS), domain name service (DNS) security, and FWaaS or integrated next generation firewall (NGFW) capabilities.

Controlled Access 

SASE tools must control access for users, whether based within a corporate network or working remotely, to locally hosted or cloud-based resources and SaaS apps. Preferably, tools should apply zero trust network access (ZTNA), role-based access control (RBAC), and CASB capabilities.

Secure Cloud-based Assets

Functionally, this requirement mirrors Security Service Edge (SSE) requirements to secure all assets outside of the local network firewall, such as SaaS apps and cloud infrastructure (IaaS, PaaS).


Criteria Used for Top SASE Product List

Although Cloudflare One came out on top in our SASE product analysis, this does not mean this solution will be the right fit for all organizations and needs. The difference between the top performing and worst performing SASE vendors considered for this article is small. Each of these SASE solutions and many of the challenger SASE solutions could provide a strong solution for the specific needs of an organization.

To help potential buyers understand our ranking and how these SASE vendors fit into the larger picture of solutions, we will fully explain our methods. Following the scoring and weighting details, we will also briefly review the four categories of SASE Challengers considered for this list: SASE-as-a-Service, Needs-Integration SASE, Security-Only SASE, and Feature-Light SASE.

Top SASE Scoring and Weighting

To create this list of top SASE products, we first followed a fundamental set of criteria.

  1. Tools, not services: Buyers interested in services can also work with MSPs or MSSPs to obtain SASE solutions, so we focused on products that can be directly purchased or licensed without a required service component
  2. Integrated solution: The tool must be able to be managed as a single solution; organizations interested in a collection of tools to create a SASE solution could just as easily consider a solution built from the technology of different vendors
  3. Full-feature set: The tool must deliver the key features of SASE, not a subset or partial solution

Applying these criteria resulted in a list of 8 SASE contenders. Vendors explored that did not satisfy at least one of these three criteria are covered in more detail below under SASE Challengers.

Next, we created a rubric and scored each company based on:

  • Licensing Information (15%)
  • Monitoring and Managing (30%)
  • Asset Control (15%)
  • Implementation and Administration (25%)
  • Customer Support (15%)

Licensing Information (15%)

To evaluate the value of a tool, one must be able to understand the value proposition and the return on investment based on the licensing information. In this category, we rated vendors on their perceived price value, pricing transparency, the availability of a free trial, potential volume or annual discounts published, and how well the vendor explained the types of licenses and products needed to deploy a SASE solution.

We note that most tools do not list pricing and often offer limited information on licensing requirements and options. Most likely the complexity and customization required for enterprises create such an enormous number of possible combinations that it becomes impossible for most vendors to provide standardized pricing that would make sense for a sufficient number of customers.

Category winner: Barracuda SecureEdge

Monitoring and Managing (30%)

The key function of a SASE tool is to monitor and manage network operations, network security, and all of the related data, devices, users, and apps. Vendors were evaluated on centralized control, monitored network status (for operations), monitored user activity, traffic inspection for malware, data loss protection, the availability of a private backbone, and support for the internet of things (IoT) and similar devices.

Category winner: Cloudflare

Asset Control (15%)

SASE tools must be able to control access and data flowing through the network. Vendors were evaluated on ability to control user access, control device access, and control access to the internet.

Category winner: Inconclusive – nearly all vendors received the maximum score

Implementation and Administration (25%)

To drive value, a tool must be able to be installed and used effectively. In this category, vendors were evaluated on perceived ease of administration, the robustness of options, perceived technical skill required for setup, options for deployment, and automation of operations or security functions.

Category winner: Cato SASE Cloud

Customer Support (15%)

Success often requires effective support. For this category, vendors were evaluated on customer support availability, communication options, and training.

Category winner: Barracuda SecureEdge

SASE Challengers

Vendors excluded from this SASE list can still deliver an outstanding solution for their clients even if they do not qualify for our listing. We will further explain the exclusion of other potential candidates and how they can solve the same problems in their own way through the categories of:

  • SASE as a Service
  • Needs-Integration SASE
  • Security-Only SASE
  • Feature-Light SASE

SASE as a Service

We believe the readers of this article are looking for a tool to purchase. SASE as a Service is a form of managed service and therefore does not meet the criteria to be listed as a top SASE provider; however, many employers with smaller IT or security teams may prefer to investigate full-service SASE providers such as:

  • Aryaka delivers a fully managed SD-WAN and SSE solution to provide SASE-as-a-service
  • Masergy, a division of Comcast, provides a managed SASE service created from Fortinet’s SD-WAN, Cloud Firewall and SWG appliances combined with Forcepoint’s CASB
  • Open Systems provides a fully managed SASE that combines their SD-WAN and SSE capabilities

Needs-Integration SASE

A key requirement for SASE is a unified controller. Although some of these tools advertise unified SASE capabilities, a review of documentation and demonstrations shows that these tools require users to switch between separate SD-WAN and security tools. We expect that many will move towards integration, but they are not yet demonstrating that capability.

  • Akamai
  • Citrix
  • Juniper 
  • Netskope
  • Zscaler

Security-Only SASE = SSE

These quality security tools lack the SD-WAN or network operations controls needed to qualify as a SASE tool. They remain quality security service edge (SSE) solutions, but would need to be combined with segregated network operations solutions.

  • Check Point
  • Iboss
  • Lookout 
  • Perimeter 81 (acquired by Check Point; many SSE features are add-on options)
  • Skyhigh (Formerly McAfee, MVision)
  • Symantec

Feature-Light SASE

Marketed as SASE, these tools may be perfectly suitable for some organizations, but lack key features to qualify as a SASE tool:

  • Cradlepoint: This division of Ericsson provides robust operations and security options, but specifically for LTE and 5G networks
  • GTT: Provides a managed SD-WAN and not a tool for network operations
  • NordLayer: Lacks anti-malware and packet analysis features
  • Twingate: Lacks anti-malware and packet analysis features

SASE represents the reconvergence of networking operations and security for modern IT environments. Market observers predict that this will occur across four distinct areas:

  • Converged endpoint protection may also come to SASE tools as they extend further into the endpoint detection and response (EDR) space to protect remote users and analyze endpoint posture
  • CSPM SASE convergence will see SASE tools adopt cloud security posture management (CSPM) capabilities to secure infrastructure as code (IaC) and other cloud security needs
  • Increased AI automation will enhance security as more SASE vendors automate or proactively suggest common steps for network operations and network security based upon artificial intelligence (AI) or machine learning (ML) algorithms
  • Mobile integration will see increased support for 5G wireless connections and other wireless standards as they become required by more enterprises

Frequently Asked Questions (FAQs)

Buyers exploring SASE and other remote asset security solutions often ask the following questions about SASE technology.

FAQ #1: How Does SASE Relate to Other Technologies?

  • SASE vs SD-WAN: SASE incorporates the network operations monitoring and control of SD-WAN into SASE solutions and adds security for remote users and assets
  • SASE vs SSE: SASE incorporates SSE principles to secure all assets outside of the network firewall (remote users, branch offices, cloud resources, etc.) and adds network operations controls
  • SASE vs CASB: SASE fully or partially incorporates the cloud access control of CASB into the SASE solution and adds many other capabilities

FAQ #2: What are the Key Benefits of SASE?

  • Simplified management through converged operations and security management into a unified platform that applies consistent policies and access controls throughout the entire distributed network
  • Reduced security overhead by combining the redundant packet inspection of ISP, gateways, and firewalls into a single application, which typically improves network throughput speeds by also pushing packet inspection to scalable cloud resources
  • Reduced security gaps and improved compliance through consistent, universal security policies applied to all branch offices and remote users

Bottom Line: Choose the Right SASE Solution for Your Needs

As IT environments sprawl far beyond traditional network borders, every organization needs to find solutions to secure those far-flung users, devices, and assets. While all SASE solutions provide the same fundamental six capabilities to simplify and consolidate network operations and security, not every SASE solution will be a good fit for specific needs.

Organizations need to review the differences in deployment, integration, configuration, and value to understand which SASE solution will be the best fit. After all, the right tool for one specific set of needs will be the best solution for those needs — regardless of where it ranks.


This article was originally written by Drew Robb on June 7, 2022 and revised by Chad Kime on September 27, 2023.
