Magic Quadrant for Secure Web Gateways

28 May 2013 ID:G00249600
Analyst(s): Lawrence Orans, Peter Firstbrook


Malware detection and cloud services are two areas of continuing disparity among SWG vendors. Our market analysis of the vendors highlights key differences in these capabilities and other key functions.

Market Definition/Description

Secure Web gateways (SWGs) utilize URL filtering, malware detection and application control technology to protect organizations and enforce Internet policy compliance. SWGs are delivered as on-premises appliances (hardware and virtual) or cloud-based services.

We estimate that the combined SWG revenue of the Magic Quadrant participants in 2012 was $1.18 billion (which includes on-premises and cloud-based offerings). Revenue from solutions that lack full SWG functionality has been excluded (for example, URL filtering only or proxies sold without anti-malware protection). The market grew approximately 15% over 2011, which is in line with our estimate from the 2012 report. We anticipate that the market will grow 13% to 15% in 2013.

Eight of the 13 vendors in this analysis now offer a multitenant cloud service. However, the market is still dominated by on-premises solutions (86% share, based on revenue), with SWG as a service representing the remainder of the market (14%). Gartner's market share and growth rate estimate of the broader market for SWG proxy and URL filtering software can be found in "Market Share: Security Software, Worldwide, 2012."

The market is segmented between large enterprises and small or midsize businesses (SMBs). SMB solutions are designed for ease of use, cost-effectiveness and basic security protection. Large enterprise solutions protect against more-advanced threats, including the capability to detect targeted attacks.

Vendors are increasingly integrating content-aware data loss prevention (DLP) to monitor sensitive data. Cloud services are being driven by the need to protect mobile devices and secure remote-office connections.

Magic Quadrant

Figure 1. Magic Quadrant for Secure Web Gateways
Figure 1.Magic Quadrant for Secure Web Gateways

Source: Gartner (May 2013)

Vendor Strengths and Cautions

Barracuda Networks

Barracuda Networks, which is based in Campbell, California, offers the Barracuda Web Filter appliance (hardware and virtual) and the cloud-based Barracuda Web Security Service. Barracuda customers typically implement its appliances in transparent bridge mode to view all network traffic, but the appliances can also be implemented in proxy mode. Barracuda Web Filter appliances are good candidates for SMBs and selected large enterprises (especially in the education and government vertical industries), particularly those that are budget-constrained.

  • Barracuda offers a low-cost solution that is easy to use with very competitive functionality.
  • A partnership with Malwarebytes provides malware cleanup capabilities that can be initiated from the gateway.
  • Application controls provide heuristic detection across all ports and protocols, with optional endpoint agents or in-line deployments.
  • Social media controls, including optional archiving capabilities, are very complete.
  • For mobile users, Barracuda offers several options for traffic redirection and authentication, including endpoint agents for recent versions of Windows and Mac OS X, and a safe browser option for Apple iOS.
  • Barracuda does not offer a choice of antivirus engines. Open-source ClamAV is the only option. Barracuda adds internally developed signatures, although its malware research team is relatively small.
  • The Barracuda Web Filter appliance lacks dynamic URL categorization.
  • Some enterprise-class capabilities for management and reporting are absent. For example, the dashboard is not customizable, and it only provides limited drill-down into logs or reports.
  • The cloud-based service is also missing a number of enterprise features. For example, it lacks IPsec support for traffic redirection, and it requires an authentication appliance for directory integration.

Blue Coat Systems

Blue Coat is in its second year as a privately held company, after private equity firm Thoma Bravo acquired it in February 2012. In December 2012, Blue Coat acquired Crossbeam Systems, a blade-server platform that integrates firewall, intrusion prevention system (IPS) and other security components. Blue Coat plans to port its SWG solution to the Crossbeam platform (no set date has been provided), and will continue to offer its dedicated hardware appliances and virtual appliances. The company also operates a cloud-based SWG service. In May 2013, Blue Coat acquired the SSL appliance product line from Netronome. Also in May 2013, Blue Coat announced its intent to acquire Solera Networks. Blue Coat is a very good candidate for most large enterprise customers.

  • Blue Coat's ProxySG remains the strongest proxy in the market in terms of breadth of protocols and the number of advanced features. It supports a long list of protocols (including SOCKS), extensive authentication and directory integration options, and the Online Certificate Status Protocol (OCSP).
  • Blue Coat's cloud offering includes multitenant IPsec gateways, which enable it to support a wide range of mobile devices. Blue Coat agents are available for Windows, Mac OS X and Apple iOS.
  • Blue Coat provides some integrated features with its cloud and on-premises solutions. Its Unified Reporting feature allows logs from the cloud service to be rolled up into an on-premises Blue Coat Reporter console. Its Unified Policy feature allows policy developed in the cloud to be synchronized with its on-premises appliances.
  • Blue Coat offers strong reporting capabilities for its on-premises and its cloud-based services. Both solutions provided multiple canned reports and the ability to create custom reports.
  • The ProxySG appliance lacks on-box malware detection. Customers that want antivirus engine protection must purchase a separate appliance (ProxyAV). Malware protection is also provided by Blue Coat's "cloud assist" WebPulse service.
  • The ProxyAV lacks advanced malware techniques, such as code emulation. Instead, it utilizes signature-based detection delivered by Blue Coat partners (a choice of four antivirus engines).
  • Blue Coat cannot monitor all network traffic (which is helpful for detecting outbound malware) in its most commonly deployed proxy mode (known as explicit proxy), but it can be configured in other modes to monitor all traffic.
  • Unlike several other vendors that offer cloud-based services and on-premises appliances, Blue Coat does not offer a "single SKU" price model that allows the option to mix and match cloud and on-premises Web-filtering licenses.


Cisco, which is based in San Jose, California, offers an appliance-based SWG and a cloud-based SWG service. In 2012, Cisco rebranded these solutions. The appliance-based product is now named Web Security Appliance (formerly IronPort) and the cloud-based service is now named Cloud Web Security (formerly ScanSafe). The Web Security Appliances (WSAs) are implemented as proxies.

In February 2013, Cisco acquired Cognitive Security, a startup company based in the Czech Republic. Cognitive analyzes NetFlow traffic and other data to detect advanced threats. Cisco plans to utilize Cognitive's technology in its Security Intelligence Operations, a threat and vulnerability analysis center that distributes security updates and reputation data to a range of Cisco products and services, including its SWG offerings.

Cisco's WSA products are very good candidates for most midsize and large enterprises, while the Cloud Web Security service is a good candidate for all enterprises.

  • Cisco has integrated a traffic redirection feature — a critical component of any cloud service — into some of its on-premises equipment. The ASA firewall, ISR G2 router and WSA all support Cisco's "connector" software, which directs traffic to the Cloud Web Security service. The configuration is enabled via a menu item on these appliances.
  • Cisco provides several options for authenticating users to the Cloud Web Security service, including SAML. The connector implementations (noted above) also transport user credentials to the cloud.
  • Mobile support is a strength of Cisco's cloud offering. The AnyConnect client supports Windows, OS X, Apple iOS, Android, Windows Phone 8 and BlackBerry. However, Cisco's cloud lacks support for IPsec, which is widely supported on mobile devices.
  • In addition to Cisco's reputation database, the WSA provides three choices for on-box signature databases (McAfee, Sophos and Webroot), all of which can be supported simultaneously. Adaptive scanning utilizes the anti-malware engine that is best suited for the content type.
  • Cisco provides a very granular application control capability. The Cisco appliance includes a Switched Port Analyzer (Span) port to monitor and block outbound malicious traffic that evades the proxy.
  • Reports and dashboards do not provide sufficient information on outbound malware detection to enable prioritized remediation.
  • Some customer references noted that reporting could be improved. Advanced reporting requires a Cisco version of Splunk at an extra cost.
  • Cisco lacks a unified management console for its on-premises WSA appliances and its Cloud Web Security service to ease the management of hybrid deployments.
  • Some customer references highlighted that Cisco needs to improve its Content Security Management Appliance's ability to centrally manage and control individual proxies.

ContentKeeper Technologies

ContentKeeper Technologies is based in Australia, where it has many large government and commercial customers. It offers a family of SWG appliances that deploys in transparent bridge mode, and it also offers a hosted cloud-based service. In 2012, ContentKeeper opened a new office in North America in Orange Country, California. It also rebranded its family of appliances with the names Web Filter Pro and ContentKeeper Secure Internet Gateway (CK-SIG). ContentKeeper is a candidate for K-12 schools and for most enterprise customers.

  • The Behavioral Analysis Engine (a feature of CK-SIG) provides real-time and near-real-time analysis of Web objects using browser code emulation.
  • ContentKeeper has developed "sandboxing" technology to analyze suspicious files and executables in a virtualized Windows environment. The solution produces detailed reports for each item that is analyzed. The sandboxing technology can be configured as a hosted service, or it can be run locally on an appliance. It comes as a standard feature in CK-SIG and may also be configured as a feature of Web Filter Pro.
  • A bring your own device (BYOD) feature enables Web Filter Pro and CK-SIG to enforce access policies for mobile devices and users. Policies could include blocking Internet access or blocking applications (by filtering network traffic). Agents are available for off-network mobile devices. Supported operating systems include Windows, OS X, iOS, Linux and Android.
  • ContentKeeper appliances support the ability to proxy and analyze Secure Sockets Layer (SSL) traffic. Antivirus protection and basic IPS are provided through a combination of third-party and internally developed signatures.
  • ContentKeeper lacks a shared, multitenant, cloud-based SWG service. It provides a hosted cloud offering, where customers run virtual appliances hosted in Amazon's cloud service (and some ContentKeeper-managed data centers). Hosted offerings are not as flexible (for example, dynamic ability to scale) as shared multitenant clouds.
  • While the vendor has made good progress in developing malware detection tools, these solutions are new, and ContentKeeper has yet to earn recognition as a leading malware research and product company. Prospective customers should carefully test ContentKeeper's anti-malware capabilities.
  • Some customer references requested improvements to the solution's graphical user interface (GUI). In January 2013, ContentKeeper released an updated interface, although the console still lacks malware severity indicators for enabling prioritized remediation.


McAfee, a subsidiary of Intel, offers a family of on-premises SWG appliances (McAfee Web Gateway [MWG]) and a cloud-based SWG service (SaaS Web Protection). The SWG appliances are most commonly implemented as proxies, although they can be deployed in other modes, including in-line transparent bridges. In February 2013, McAfee announced its acquisition of ValidEdge, which makes a sandboxing appliance for detecting advanced malware and targeted attacks. McAfee's solutions are good candidates for most enterprise customers, particularly those that are already McAfee ePolicy Orchestrator users.

  • MWG has strong malware protection due to its on-box browser code emulation capabilities. The solution provides the ability to adjust the sensitivity of malware detection. A rule-based policy engine enables flexible policy creation.
  • The SaaS Web Protection cloud service supports SAML for authenticating users.
  • McAfee has integrated DLP technology across its product lines. MWG ships with a number of preformatted dictionaries.
  • Application control is very strong. HTTP manipulation allows organizations to remove selected functions from Web applications (for example, blocking posts to social media sites).
  • A single SKU pricing model gives customers the flexibility to purchase a single Web gateway license, and to mix and match on-premises and cloud-based service models.
  • The SaaS Web Protection cloud service is missing an important traffic redirection option by not supporting IPsec.
  • McAfee's mobility strategy needs improvement. It does not offer an endpoint client for Mac OS X. Its McAfee Client Proxy for Windows is a strong solution, but it has been late to support Windows 8 (a June 2013 release is planned). The lack of IPsec support in the cloud is also an impediment to supporting mobile devices.
  • The cloud solution does not have the same level of policy granularity that is available with the on-premises appliance.

Phantom Technologies-iboss Security

Phantom Technologies is a privately held company based in San Diego. It offers a family of appliance-based platforms (iboss) that is typically deployed in transparent bridge mode. It also offers a cloud-based URL filtering solution for mobile users. Phantom is a candidate for organizations that are based in North America (more than 90% of its customers are in North America).

  • Support for features aimed at the K-12 market has helped Phantom develop a strong installed base in the education market (approximately one-third of its revenue is from the K-12 vertical industry). For example, the iboss SWG Web filter enables schools to easily allow access to YouTube's educational site, while blocking access to the main YouTube site.
  • Full SSL content inspection is provided utilizing an agent-based solution on endpoints. This is a scalable approach that relieves the iboss appliance of the burden of managing certificates, and of terminating and decrypting SSL traffic.
  • Bandwidth controls are very flexible. For example, bandwidth quotas can be applied to a specific organizational unit in Active Directory, and they can also be assigned to a specific domain.
  • The iboss appliance uses DLP technology to identify high-risk behavior.
  • Iboss includes a unique autorecord feature (up to three minutes) that enables a playback for a sequence of events. This feature is often used to confirm intentional versus unintentional user violations.
  • Phantom's cloud offering is limited to URL filtering decisions. It lacks a multitenant cloud-based service that analyzes traffic and Web objects to detect malware. An on-premises appliance is required to handle policy management and reporting.
  • Malware detection capabilities are limited. Phantom has only limited resources (a small team of researchers) to develop its own signatures. Choices for antivirus engines are limited to Bitdefender or ClamAV (both can be combined with Snort rules).
  • Uncategorized URLs are not classified in real time.


Sangfor is a network equipment vendor based in China. Approximately half of its revenue comes from its SWG products, and the remaining revenue comes from its VPN, WAN optimization controllers and application delivery controller products. Sangfor's SWG comes in a hardware appliance form factor, and it is usually implemented as an in-line transparent bridge. The company offers two versions of its SWG product: one aimed at the Chinese market, and one aimed at English-speaking countries. Nearly all the company's revenue comes from the Asia/Pacific region. Sangfor is a candidate for organizations that are based in China and in supported countries in the Asia/Pacific region.

  • Sangfor has strong application control features. It can apply granular policies to Facebook and other Web-based applications, and it has also developed network signatures to block port-evasive applications like BitTorrent and Skype.
  • Sangfor's in-line transparent bridge mode enables flexible and granular bandwidth control capabilities. Bandwidth utilization parameters can be specified for uplink and downlink traffic.
  • Sangfor has a good Wi-Fi guest network feature. The SWG supports a guest registration portal, and it sends credentials to guests via SMS. It uses these credentials to monitor and report on guests' Internet behavior. At the time of this writing, this Wi-Fi guest feature is only available on the Chinese version of the product.
  • Mobility is a weak point for Sangfor. It does not offer a cloud-based service.
  • The solution lacks some enterprise-class features. The ICAP is not supported, thereby limiting the SWG's capability to send content to third-party scanners (such as DLP sensors or antivirus scanners).
  • The English version of the product does not dynamically classify uncategorized URLs (however, the Chinese version has this capability).
  • Malware protection is basic and lacks advanced features for detecting new malware and targeted attacks. The solution relies heavily on a signature database from Sangfor's antivirus partner. Sangfor's malware research team also maintains its own signature database, although it does not have a strong reputation for anti-malware research.


Sophos has executive offices in the U.K. and Massachusetts. Best known for its endpoint protection platform (EPP), it has a broad range of network gateways through native development and its acquisition of Astaro in 2011. The Sophos Web Appliance (SWA) can be deployed in proxy or transparent in-line bridge mode. Sophos provides an option for its customers to run virtual instances of its SWG in Amazon's EC2 cloud. Sophos' endpoint client is tethered to SWA for policy management and logging when off-LAN. Sophos is a candidate for midsize customers and for enterprises that are already using its EPP solution.

  • Sophos is an established player in the malware detection market. SWA uses Sophos-developed technology to perform a pre-execution analysis of all downloaded code, including binary files and JavaScript.
  • Several Sophos reference customers commented on the solution's ease of use. Features include automated network and directory discovery, contextual help functions and simple policy configuration.
  • Sophos has a strong reputation for support and service. It optionally monitors customers' appliances and provides proactive assistance for critical conditions.
  • Sophos' cloud offering is limited to URL filtering decisions. It lacks a multitenant cloud-based service that analyzes traffic and Web objects to detect malware. Software on laptops and mobile devices sends URL requests to the Sophos cloud, which categorizes the URL and sends a response to the Sophos client on the endpoint so it can enforce the policy.
  • Social media controls are lacking. SWA does not provide a GUI to easily configure granular policies for Facebook.
  • SWA is missing some enterprise-class features, such as dashboard customization, bandwidth management, time quotas (for Web surfing), ICAP support, and advanced reporting and analytics.
  • The URL-filtering feature does not provide dynamic classification of uncategorized websites.
  • Reporting on compromised endpoints is not hyperlinked to Sophos' threat research.


Symantec, which is based in Mountain View, California, has two offerings in the SWG market: (1) the service; and (2) the Symantec Web Gateway appliance, which may be deployed as an in-line transparent bridge, as a proxy, or in Span or test access point (TAP) mode. Symantec bundles a virtual version of its Web Gateway appliance with a suite offering that includes email and endpoint protection. Symantec is a good candidate for most enterprise customers.

  • service and Symantec Web Gateway benefit from Symantec's strong malware research labs and its Insight file reputation engine.
  • The Web Gateway appliance has strong reporting capabilities and provides valuable information on malware-compromised endpoints. Reports indicate the type of threat and its severity. It also provides quick access to more detail, such as geolocation data, search terms, filenames and types, removal information and a malware encyclopedia.
  • Symantec Web Gateway can be implemented quickly (in Span/TAP mode), which has enabled Symantec to develop a strong value-added reseller (VAR) partnership program. VARs deploy the appliance on customers' premises to run Symantec's Malicious Activity Assessment.
  • lacks some enterprise-class features and has been late in supporting others. It doesn't support IPsec for traffic redirection, and it doesn't support SAML or cookies for user authentication. did not support inspecting SSL traffic until 2Q13, and it lacks DLP support (which is planned for 3Q13). Because these are new features, enterprises should test them carefully.
  • Symantec's mobility strategy needs improvement. Its Smart Connect is a strong solution for Windows endpoints, but it is not available for Mac OS X. The lack of IPsec support in the cloud is also an impediment to supporting mobile devices. The Remote Connect client (for non-Windows devices) uses proxy autoconfiguration (PAC) settings to redirect traffic to the cloud, but PAC settings can be easily modified by users.
  • Neither Symantec Web Gateway nor support dynamic classification of unknown URLs.
  • There is very little integration between Symantec Web Gateway and, and the vendor does not offer a single SKU pricing model to mix and match licenses from the two offerings.

Trend Micro

Trend Micro is based in Tokyo, and its U.S. headquarters is located in Dallas. It offers an appliance version (hardware and software), InterScan Web Security (IWS), and a new cloud service (launching in the second half of 2013). IWS can be implemented as a transparent bridge or a proxy. Trend Micro is a candidate primarily for organizations that already have a strategic relationship with the company.

  • Malware detection is provided by Trend Micro's signature database, script analysis and a reputation service (fed by the company's cloud-based Smart Protection Network). Trend Micro's Damage Cleanup Services can provide remote client remediation for known threats. IWS also blocks communication to known botnet command-and-control centers.
  • Trend Micro recently launched "Deep Discovery," a complementary solution providing a centralized sandboxing engine that executes suspect code in a virtual machine to detect malicious behavior. Trend Micro products, including the IWS gateway, integrate to deliver suspect code to the Deep Discovery solution for advanced detection.
  • Integrated DLP, with common compliance templates, was recently added to IWS.
  • Application Control includes more than 850 Internet applications, including some peer-to-peer and IM traffic types that are detected by network signatures. Browsers, browser versions and plug-ins can be blocked by policy. Application Control also offers time of day as well as time and bandwidth quota policy options.
  • At the time of this writing, Trend Micro's cloud is not generally available. The vendor plans to launch the service in Japan and the Asia/Pacific region in the second half of 2013, and it is targeting a North American launch for 2014.
  • Reporting on compromised endpoints (outbound malware detection) does not provide drill-down information about threat details, and lacks severity indicators to help security teams prioritize remediation efforts.
  • Policies are not consistent between the cloud service (once it becomes available) and IWS. For example, the cloud service does not block posts to Facebook, but IWS does.
  • IWS and the cloud service do not offer dynamic classification of uncategorized URLs.


Trustwave, based in Chicago, offers a diversified security portfolio, although its primary focus is as a PCI Qualified Security Assessor (QSA) and managed service company. Its Secure Web Gateway appliance (gained via the 2012 acquisition of M86 Security) is a proxy-based gateway that specializes in real-time malware detection. The solution is available in hardware and virtual instances. Trustwave also provides an option for its customers to run virtual instances of Secure Web Gateway in Amazon's EC2 cloud. Trustwave is a good candidate for security-conscious organizations, or those looking for a managed security service.

  • Trustwave has strong real-time browser code emulation, which enables it to detect new threats and targeted attacks.
  • Social media controls are strong. The Secure Web Gateway has a "zero post" policy option that enables read-only access to selected websites or Web categories to prevent posting to social media websites.
  • Trustwave has integrated its Secure Web Gateway with its DLP solution to enable content security and control.
  • Trustwave has integrated its Secure Web Gateway with its network access control (NAC), DLP, and security information and event management (SIEM) products to support automated responses for BYOD and mobile devices. For example, endpoints that trigger SWG alerts can be removed from the network by NAC.
  • Support for mobile workers is weak due to Trustwave's lack of a multitenant cloud-based SWG service.
  • The dashboard console, which is restricted to only three panels, is weaker than many competing offerings.
  • The Secure Web Gateway does not dynamically categorize unknown URLs.
  • The Secure Web Gateway lacks the ability to block port-evasive applications, such as BitTorrent.


Websense, based in San Diego, offers appliances (hardware and software) and a cloud-based service. In January 2013, the company's CEO announced his retirement, and Websense filled the post by promoting its president to be the new CEO. In May 2013, Websense announced that it had entered into a definitive agreement to be acquired by Vista Equity Partners, a private equity firm. Websense is a very good candidate for most enterprise customers.

  • Websense has a strong offering for organizations interested in a hybrid SWG strategy (on-premises and cloud-based). Its Triton management console provides a common point for policy management and reporting in hybrid environments. The company offers a single SKU hybrid pricing model. Customers can purchase a single license and implement it in a mix-and-match scenario (on-premises or cloud-based users).
  • The Websense cloud service supports multiple options for traffic redirection (including IPsec) and multiple options for user authentication (including SAML).
  • The Websense Web Security Gateway provides strong malware detection technology, including browser code emulation and network traffic analysis. Websense provides a cloud-assist sandboxing analysis with its ThreatScope offering. Objects must be submitted manually to ThreatScope, although Websense has plans to automate the process.
  • Websense has strong DLP technology that is integrated (on box) with its solutions (full enterprise DLP requires an additional license). It uses the deep packet inspection capabilities of its DLP technology to inspect outbound traffic for malware behavior (this feature does not require a DLP license).
  • Websense lacks a proven large-scale appliance. In January 2012, it announced the X10G blade server platform. Gartner very rarely sees the X10G in price bids. Organizations that are considering the X10G should test it thoroughly in the lab and carefully check references.
  • Websense's pricing model is outdated. It licenses its service per IP address, and in this era of BYOD, many customers find that they are rapidly approaching or exceeding their contracted limit of IP addresses. However, Websense has shown flexibility in contract negotiations with its customers.
  • Price-sensitive SMB customers may find Websense's subscription-based pricing to be too expensive. Competitors that offer per-site pricing or per-appliance pricing are typically less expensive than Websense.
  • Some Websense customers have reported dissatisfaction with the quality and responsiveness of Websense's support organization. In the second half of 2012, Websense took steps to address these issues and hired a new executive to run its service and support organization. Prospective Websense customers and those that have experienced support issues should ask Websense to outline the changes in its support organization.


Zscaler, which is based in San Jose, California, is a pure-play provider of cloud-based SWG services. The company continues to be one of the fastest-growing vendors in this market. Its strong Completeness of Vision score is due to its rapid product development and innovation. Zscaler is a very good candidate provider for most enterprises.

  • Zscaler has the largest global footprint for SWG vendors, with enforcement nodes in 28 countries. It is one of the few vendors to have an extensive presence in the Middle East and South America.
  • Zscaler provides flexible implementation options by offering the broadest set of choices for traffic redirection (including IPsec) and authentication (including SAML). Flash cookies enable agentless authentication for mobile users on supported devices.
  • Zscaler provides strong content inspection capabilities to develop vulnerability shields that address specific Common Vulnerabilities and Exposures (CVEs) for Microsoft and other applications. Suspicious files are analyzed in a sandbox environment. All traffic is scanned every time regardless of site reputation.
  • Policy controls are flexible for bandwidth control and social media sites. Strong SSL support enables granular controls for DLP policies and content inspection.
  • A unique streaming log service provides near-real-time import of logs from the cloud to on-premises servers, where they can be analyzed by a SIEM solution.
  • Compared with some of its larger competitors, Zscaler has only a limited number of dedicated malware researchers. This is evident in the lack of detail provided for compromised endpoints, and in the absence of threat prioritization and correlation information.
  • In keeping with its agentless approach, Zscaler encourages the use of PAC files for Windows and Mac OS X systems for mobile employees. Knowledgeable users can subvert PAC file traffic redirection. Also, port-evasive applications, such as Skype, BitTorrent and some malware, will not be forwarded to the Zscaler network from endpoints that rely only on PAC files. Customers that prefer endpoint agents can use Zscaler's eZ Agent for local enforcement on Windows systems; however, they will be disappointed by Zscaler's lack of an agent for OS X.
  • Its DLP capability could be improved with more predefined templates and workflow.
  • Some customers have reported dissatisfaction with the quality and responsiveness of Zscaler's service and support organization.

Vendors Added or Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor appearing in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. This may be a reflection of a change in the market and, therefore, changed evaluation criteria, or a change of focus by a vendor.


  • None


The following vendors did not meet the revenue threshold as outlined in the Inclusion Criteria section below:

  • EdgeWave
  • Optenet

Other Vendors We Considered

Check Point Software Technologies markets an SWG stand-alone product that it introduced in 2012. This new product does not yet meet our revenue threshold criterion for inclusion. The solution is comparable to unified threat management (UTM) because it ships with an embedded firewall that can be enabled free of charge. Check Point also offers an SWG blade for its firewalls. We will monitor how Check Point develops its stand-alone SWG and re-evaluate it for the 2014 update to this Magic Quadrant.

As a next-generation firewall, Palo Alto Networks offers some SWG functionality. However, as noted above, this analysis excludes solutions that are primarily firewalls. In "Next-Generation Firewalls and Secure Web Gateways Will Not Converge Before 2015," Gartner predicts that the evolution of complex threats will drive the need for separate network firewall and Web security gateway controls for most organizations through 2015.

Inclusion and Exclusion Criteria

Inclusion Criteria

These criteria must be met for vendors to be included in this Magic Quadrant:

  • Vendors must provide all three components of an SWG:
    • URL filtering
    • Anti-malware protection
    • Application control capabilities
  • Pure-play URL filtering solutions have been excluded.
  • Vendors' URL filtering components must be primarily focused on categorizing English language websites.
  • Vendors must have at least $15 million in SWG product revenue in their latest complete fiscal year.
  • Vendors must have an installed base of at least 2,000 customers, or aggregate endpoint coverage of at least 3 million seats.

Exclusion Criteria

The following categories of vendors have been excluded from this Magic Quadrant:

  • UTM and next-generation firewall vendors — these solutions are optimized for port/protocol filtering and lack the content analysis focus of SWG offerings.
  • URL-filtering-only vendors that lack malware detection capabilities.
  • Vendors that license complete SWG products and services from other vendors — for example, ISPs and other service providers that "white label" cloud-based SWG services from other vendors.

Evaluation Criteria

Ability to Execute

Vertical positioning on the Ability to Execute axis was determined by evaluating these factors (see Table 1):

  • Overall viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the business unit will continue to invest in the product.
  • Sales execution/pricing: A comparison of pricing relative to the market.
  • Market responsiveness and track record: The speed at which the vendor has spotted a market shift and produced a product that potential customers are looking for; as well as the size of the vendor's installed base relative to the amount of time the product has been on the market.
  • Marketing execution: The effectiveness of the vendor's marketing programs and its ability to create awareness and mind share in the SWG market.
  • Customer experience: Quality of the customer experience based on reference calls and Gartner client teleconferences.
Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria



No Rating

Overall Viability (Business Unit, Financial, Strategy, Organization)


Sales Execution/Pricing


Market Responsiveness and Track Record


Marketing Execution


Customer Experience



No Rating

Source: Gartner (May 2013)

Completeness of Vision

The Completeness of Vision axis captures the technical quality and completeness of the product and organizational characteristics, such as how well the vendor understands this market, the vendor's history of innovation, its marketing and sales strategies, and its geographic presence (see Table 2):

  • Market understanding: Ability of the SWG vendor to understand buyers' needs and translate them into products and services.
  • Offering (product) strategy: The SWG vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
  • Innovation: This criterion includes product leadership and the ability to deliver features and functions that distinguish the vendor from its competitors. Advanced features — such as a strong cloud service, the ability to perform on-box malware detection of dynamic content (for example, JavaScript code) and the ability to pinpoint compromised endpoints — were rated highly.
  • Geographic strategy: The vendor's strategy for penetrating geographies outside its home or native market.
Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria


Market Understanding


Marketing Strategy

No Rating

Sales Strategy

No Rating

Offering (Product) Strategy


Business Model

No Rating

Vertical/Industry Strategy

No Rating



Geographic Strategy


Source: Gartner (May 2013)

Quadrant Descriptions


Leaders are high-momentum vendors (based on sales and mind share growth) with established track records in Web gateway security, as well as vision and business investments indicating that they are well-positioned for the future. Leaders do not necessarily offer the best products and services for every customer project; however, they provide solutions that offer relatively lower risk.


Challengers are established vendors that offer SWG products, but do not yet offer strongly differentiated products, or their products are in the early stages of development or deployment. Challengers' products perform well for a significant market segment, but may not show feature richness or particular innovation. Buyers of Challengers' products typically have less complex requirements and/or are motivated by strategic relationships with these vendors rather than requirements.


Visionaries are distinguished by technical and/or product innovation, but have not yet achieved the record of execution in the SWG market to give them the high visibility of Leaders — or they lack the corporate resources of Challengers. Buyers should expect state-of-the-art technology from Visionaries, but be wary of a strategic reliance on these vendors and closely monitor their viability. Visionaries represent good acquisition candidates. Challengers that may have neglected technology innovation and/or vendors in related markets are likely buyers of Visionaries' products. Thus, these vendors represent a slightly higher risk of business disruptions.

Niche Players

Niche Players' products typically are solid solutions for one of the three primary SWG requirements — URL filtering, malware and application control — but they lack the comprehensive features of Visionaries and the market presence or resources of Challengers. Customers that are aligned with the focus of a Niche Players vendor often find such provider offerings to be "best of need" solutions. Niche Players may also have a strong presence in a specific geographic region, but lack a worldwide presence.


Most enterprises already have an SWG, or at least have implemented URL filtering. Three-year contracts are the most common, and the market has changed rapidly since 2010. Cloud services have now reached early mainstream status, and anti-malware technologies continue to evolve to keep pace with attacks. Enterprises should not blindly renew their existing contracts. Due diligence is necessary to ensure that SWG solutions match IT road maps in the areas of mobility and security.

Market Overview

Malware protection continues to be the key differentiator and driver of adoption. The market ranges from less effective, signature-based approaches to highly effective, signatureless methods that are capable of detecting targeted attacks (see "Secure Web Gateway Malware Detection Techniques"). An important trend is the technique of sandboxing, in which suspicious files, executables and Web objects are analyzed in an isolated, virtual Windows environment. Several vendors have already added sandboxing capabilities via their own cloud-based malware research centers, while others are investing in the technology in 2013 and 2014.

Cloud services are another area in which there is wide variation among vendor offerings. All services need to support traffic redirection (sending traffic from on-premises routers and off-premises mobile devices) to the cloud and user authentication (identifying users is necessary for policy enforcement and reporting). As outlined in "Decision Framework for Implementing Cloud-Based Secure Web Gateway Services," there are multiple options for traffic redirection and authentication, and no clear winners have emerged in either category. Supporting mobile users is particularly challenging, given the architectural differences among Windows, Mac OS X, iOS, Android and Windows Phone 8 systems. Apple's Global HTTP Proxy feature in iOS and Samsung's Samsung For Enterprise (Safe) are positive steps from the device manufacturers. However, supporting mobile users is complex, and it is far from being a commodity feature in cloud-based SWGs. Expect continued disparity in this area throughout 2013 and 2014.

The market for SWG functionality will remain broad through at least 2016. Barriers to entry are low since vendors can readily license a URL database and an antivirus engine, package them with basic reporting and some application control, and market the solution as an SWG. These solutions will continue to put pricing pressure on the SMB market, but larger enterprises should avoid the temptation to go with a low-cost provider. Vendors that can demonstrate a strong track record of malware research and success in malware prevention will be the ones that succeed in the large enterprise market.

Acronym Key and Glossary Terms

BYOD bring your own device
DLP data loss prevention
EPP endpoint protection platform
ICAP Internet Content Adaptation Protocol
IP Internet Protocol
IPS intrusion prevention system
NAC network access control
PAC proxy autoconfiguration
SaaS software as a service
SIEM security information and event management
SMB small or midsize business
Span Switched Port Analyzer
SSL Secure Sockets Layer
SWG secure Web gateway
TAP test access point
UTM unified threat management
VAR value-added reseller

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets, skills, etc., whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements, etc.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.