The SASE platforms market is maturing, yet new vendors continue to enter the space and there is still meaningful differentiation in the capabilities provided. I&O leaders responsible for networking, along with cybersecurity leaders, can use this research to help determine the offering that best aligns with their needs.
Overview
Key Findings
The majority of vendors in this research have secure access service edge (SASE) offerings that unify management, but over one-third of the vendors still require two management consoles.
While vendors continue to improve their capabilities, there remains significant variation in functionality across most capabilities evaluated in this research.
There is growing market interest in the discovery and access control of generative AI applications, as well as in prompt inspection and enforcement, although vendor offerings vary in maturity.
The SASE platforms market remains dynamic from a supply side, with three vendors added and one vendor dropped since last year’s research.
Recommendations
Prioritize unified SASE platforms by selecting vendors that operate with a single management console to reduce tool sprawl and simplify management.
Choose vendor offerings by focusing on areas of differentiation such as: networking functionality, ease of administration, securing access to the web, cloud services and private applications.
Distinguish vendor capabilities in securing GenAI applications by the number of applications they can identify, how they determine reputational risk, and the level of prompt inspection and enforcement they apply.
Look for opportunities to consolidate existing SD-WAN and security service edge (SSE) solutions into a SASE platform offering by evaluating incumbent vendors and staying informed of the capabilities of networking and security vendors.
Strategic Planning Assumptions
By 2028, 70% of SD-WAN purchases will be part of a single-vendor SASE platform offering, up from 25% in 2025.
By 2028, 50% of new SASE deployments will be based on a single-vendor SASE platform offering, up from 30% in 2025.
What You Need to Know
The SASE platform offerings in this research provide capabilities that connect and secure distributed users, devices and locations to resources in the cloud, edge and on-premises via a platform from a single vendor. In this market, a vendor must own all of the core product capabilities.
This research assesses SASE platform offerings from 11 vendors across 13 capabilities:
SD-WAN
In-line on-premises security
Securing private applications
In-line cloud-enforced security
SaaS app control and visibility
Infrastructure delivery
Ease of administration
Basic networking
Unified platform
Data security
Threat protection
Adaptive access
GenAI reporting and controls
SASE platforms are also evaluated across four use cases:
Foundational SASE platforms
Zero-trust SASE platforms
Secure branch network modernization
“Coffee shop” networking
Capabilities and use cases are assessed on a 1 to 5 scale for each vendor’s offering, in which:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
Vendors’ Product Scores for Foundational SASE Platform Use Case
Vendors’ Product Scores for Zero-Trust SASE Platform Use Case
Vendors’ Product Scores for Secure Branch Network Modernization Use Case
Vendors’ Product Scores for “Coffee Shop” Networking Use Case
Vendors
Cato Networks
Cato Networks is based in Tel Aviv, Israel, and its SASE platform offering is Cato SASE Cloud Platform. Gartner estimates that the vendor has approximately 2,500 active SASE platform enterprise customers. The offering is delivered in a unified management console that includes all relevant SSE functionality, Cato Socket edge SD-WAN, Cato Client, Global Private Backbone and the Cato Management Application (CMA). While the offering is targeted at customers of all sizes, it’s most aligned with organizations looking for a simpler experience.
In the last year, Cato Networks has improved its LAN on-premises security capabilities by adding east/west enforcement, a next-generation firewall, IoT/OT device detection and classification, and network microsegmentation. Additionally, the vendor has added its AI SASE policy engine, which can deliver customized recommendations and best practices to suggest new policy rules and optimize existing policies. However, the vendor lacks local intrusion prevention system (IPS) enforcement, as well as native wired and wireless LAN capabilities integrated with its Socket edge SD-WAN appliances.
Cato SASE Cloud Platform scores excellent in both the foundational SASE platform and coffee shop networking use cases, and good in the remaining use cases. These scores are driven by the offering’s strengths in infrastructure delivery, ease of administration, unified platform and threat protection capabilities. At the same time, Cato Networks’ offering has weaknesses with in-line on-premises security controls and basic networking capabilities.
Check Point Software Technologies
Check Point Software Technologies is based in Tel Aviv, Israel, and its SASE platform offering includes both Harmony SASE and Quantum SD-WAN. Gartner estimates that the vendor has approximately 500 active SASE platform enterprise customers. The offering requires two management consoles: Harmony SASE provides the SSE functionality and Quantum SD-WAN provides the SD-WAN functions. Both are accessed via the Check Point Infinity Portal. The offering is best suited for organizations that require a hybrid of on-premises and cloud security needs.
In the last year, Check Point has delivered its hybrid architecture, which combines on-device, on-cloud, in-browser, on-mobile and appliance-based security enforcement. However, the vendor lacks cloud-based IPS functionality and requires multiple management consoles to operate the offering.
Check Point’s Harmony SASE and Quantum SD-WAN score good across all use cases. These scores are driven in particular by the offering’s strength in the in-line on-premises security controls capability. At the same time, Check Point’s offering has weaknesses with in-line cloud enforced security, ease of administration and adaptive access capabilities.
Cisco
Cisco is based in San Jose, California, and its primary SASE platform offering is Cisco Universal ZTNA. Gartner estimates that the vendor has approximately 500 active SASE platform enterprise customers using this solution. The offering includes Cisco’s Catalyst SD-WAN, Cisco Secure Access, Cisco Duo and Identity Intelligence. It requires two management consoles to deliver the SSE and SD-WAN functionality, along with Cisco ThousandEyes for advanced digital experience monitoring functionality. While we assessed Catalyst SD-WAN as part of the primary offering, Cisco Universal ZTNA also supports Meraki SD-WAN. The offering is suitable for customers of all sizes and use cases, but primarily those with stronger networking requirements or an existing Catalyst SD-WAN deployment.
In the last year, Cisco has introduced identity intelligence, which delivers real-time user trust validation based on context, behavior and risk. However, the offering has limitations regarding the number of attributes used to determine context, how frequently the score is updated and the number of channels to which it is applied.
Cisco Universal ZTNA scores excellent in the secure branch network modernization use case and good in the remaining use cases. These scores are driven by the offering’s strengths in SD-WAN, in-line on-premises security controls, securing private applications, in-line cloud enforced security and threat protection capabilities. At the same time, Cisco’s offering has weaknesses with the adaptive access capability.
Cloudflare
Cloudflare is based in San Francisco, California, and its SASE platform offering is Cloudflare One. Gartner estimates that the vendor has approximately 400 active SASE platform enterprise customers. The offering integrates all SSE functionality, with Magic WAN and Magic WAN Connector managed via the Cloudflare dashboard. Cloudflare’s core market is SMB and midsize cloud-first enterprise customers looking for a simpler experience.
In the last year, Cloudflare has added BGP support for peering over Cloudflare’s WAN onramps. Additionally, the vendor has added postquantum cryptography to enhance the level of security and mitigate risks against future quantum attacks. However, Cloudflare lacks on-premises networking and security capabilities, and has limited file type support for data security and the number of channels to which it can be applied.
Cloudflare One scores good in the foundational SASE platforms, coffee shop networking and zero-trust platform use cases, and fair in the secure branch network modernization use case. These scores are driven by the offering’s strengths in infrastructure delivery, unified platform, securing private applications and in-line cloud enforced security capabilities. At the same time, Cloudflare’s offering has weaknesses with in-line on-premises security controls, basic networking, SD-WAN, and SaaS app control and visibility capabilities.
Fortinet
Fortinet is based in Sunnyvale, California, and its SASE platform offering is Fortinet Unified SASE. Gartner estimates that the vendor has over 1,500 active SASE platform enterprise customers. Fortinet’s Unified SASE offering includes FortiSASE (for the SSE functions) and FortiGate Secure SD-WAN integrated in the FortiSASE portal. The offering is targeted at all customers, with a particular focus on organizations that have a hybrid of on-premises and cloud security needs.
In the last year, Fortinet has delivered Fortinet FortiSASE Sovereign, which offers a SASE platform in a private cloud, providing the customer with control over features and data sovereignty. Additionally, the vendor has launched FortiAI GenAI assistant for network operations center and security operations center support. However, the vendor doesn’t support a broker connector architecture for ZTNA agents to secure private applications (thus requiring customers to keep open ports constantly exposed on the internet) and has limited protection against GenAI applications.
Fortinet Unified SASE scores excellent in the secure branch network modernization and foundational SASE platform use cases, and good for the remaining use cases. These scores are driven by the offering’s strengths in basic networking, SD-WAN, in-line on-premises security controls and threat protection capabilities. At the same time, Fortinet’s offering has weaknesses with securing private applications, and GenAI reporting and controls capabilities.
HPE
HPE is based in Spring, Texas, and its primary SASE platform offering is HPE Aruba Networking SASE. Gartner estimates that the vendor has approximately 100 active SASE platform enterprise customers. The offering we evaluated requires two management consoles: one for HPE Aruba Networking EdgeConnect SD-WAN; and the other for HPE Aruba Networking SSE. The offering also may include options for HPE Aruba Networking EdgeConnect SD-Branch and Microbranch, which were not assessed as these are not part of the lead offering from the vendor. HPE Aruba Networking SASE is aligned for more networking-led use cases.
In the last year, HPE has delivered ZTNA over an IPsec tunnel, allowing SD-WAN gateways to connect directly to the SSE cloud and providing customers with ZTNA capability directly into the branch. Additionally, the vendor has delivered a mesh capability that offers redundancy and optimized routing to improve performance. However, HPE lacks application control, IPS and firewall delivered from the cloud, as well as global service coverage via its POPs.
HPE Aruba Networking SASE scores good in all use cases. These scores are driven by the offering’s strengths in SD-WAN and in-line on-premises security controls capabilities. At the same time, HPE’s offering has weaknesses with in-line cloud enforced security, threat protection, data security, and SaaS app control and visibility capabilities.
Netskope
Netskope is based in Santa Clara, California, and its SASE platform offering is Netskope One SASE. Gartner estimates that the vendor has approximately 1,000 active SASE platform enterprise customers. The offering is fully integrated and includes Netskope One Security Service Edge, Netskope One SD-WAN, Netskope One Gateway appliance, Netskope One Client, and NewEdge POP infrastructure managed via its Netskope One Orchestrator. The offering is targeted at all types of networking and security use cases.
In the last year, Netskope has integrated management, data lake and policy management into a single interface. It has also extended Netskope Zero Trust Engine contextual awareness across SASE and SD-LAN to optimize performance and protection both on-premises and remotely. However, the vendor lacks standalone access points and switches that integrate with its SD-WAN gateways.
Netskope One scores excellent in all use cases. These scores are driven by the offering’s strengths in infrastructure delivery, unified platform, data security, securing private applications, in-line cloud enforced security, and SaaS app control and visibility capabilities. At the same time, Netskope is weaker in the basic networking capability.
Palo Alto Networks
Palo Alto Networks is based in Santa Clara, California, and its SASE platform offering is Prisma SASE. Gartner estimates that the vendor has approximately 5,500 active SASE platform enterprise customers. The offering is fully integrated and includes Prisma Access (SSE), Prisma SD-WAN with its ION appliances and software, GlobalProtect and Prisma Access Browser, managed via Strata Cloud Manager. Prisma SASE is suitable for all types of networking and security use cases.
In the last year, Palo Alto Networks has launched Prisma Access Browser (based on its acquisition of Talon) to extend Prisma SASE with a secure enterprise browser approach. However, the vendor lacks native wired and wireless LAN capabilities integrated with its ION appliances.
Palo Alto Networks’ Prisma SASE scores excellent across all use cases. These scores are driven by the offering’s strengths in unified platform, threat protection, adaptive access, and SaaS app control and visibility capabilities. At the same time, Palo Alto Networks’ offering is weaker in the basic networking capability.
SonicWall
SonicWall is based in San Jose, California, and its SASE platform offering is SonicWall SASE suite. Gartner estimates that the vendor has approximately 100 active SASE platform enterprise customers. The offering has two management consoles: Cloud Secure Edge (CSE) supports the SSE functions; and Network Security Manager (NSM) supports the firewall/SD-WAN appliance accessed via the SonicPlatform. SonicWall’s solution is aligned more with midsize enterprises with a focus on security.
In the last year, SonicWall has delivered integration between its branch firewall and CSE, with a single click to simplify SASE deployment migrations. Additionally, it has delivered a Chrome Extension (Chrome browser and Chromebook) to enable private and internet access. However, the vendor lacks broader service coverage via its POPs, and its GUI is not as intuitive as those of other vendor offerings.
SonicWall SASE suite scores good in the secure branch network modernization, coffee shop networking and foundational SASE platform use cases, and fair in the zero-trust SASE platform use case. These scores are driven by the offering’s strengths in in-line on-premises security controls and securing private applications capabilities. At the same time, SonicWall’s offering has weaknesses in SaaS app control and visibility, data security, and GenAI reporting and controls capabilities.
Versa Networks
Versa Networks is based in Santa Clara, California, and its primary SASE platform offering is Versa Secure Access Fabric (VSAF). Gartner estimates that the vendor has approximately 4,000 active SASE platform enterprise customers. The offering is fully integrated and includes Versa Security Service Edge and Versa SD-WAN on Versa Cloud Gateways managed via Versa Concerto. We assessed Versa Secure SD-WAN in this analysis as part of VSAF, but the vendor also offers Titan for more streamlined use cases. The VSAF offering is targeted at all networking and security use cases.
In the last year, Versa Networks has launched Private SASE and Sovereign SASE, designed for organizations that require strict security, operational control, privacy and data residency. However, the vendor requires a publicly routable IP address, which increases the security risk in securing private applications. It also relies on its URL categorization to identify GenAI applications and assesses its risk based on URL reputation.
VSAF scores excellent in the foundational SASE platform and secure branch network modernization use cases, and good in the remaining use cases. These scores are driven by the offering’s strengths in basic networking, SD-WAN, unified platform, and in-line on-premises security controls capabilities. At the same time, VSAF is weaker in securing private applications, threat protection, and GenAI protection and controls capabilities.
Zscaler
Zscaler is based in San Jose, California, and its SASE platform offering is Zero Trust SASE. Gartner estimates that the vendor has approximately 500 active SASE platform enterprise customers. It is a fully integrated offering that provides the Zero Trust Exchange SSE platform functionality and Zero Trust SD-WAN functionality via the Experience Center management console. The offering is primarily aligned with security-driven use cases or existing Zscaler customers.
In the last year, Zscaler has introduced a lineup of Zero Trust Branch appliances that integrate Zero Trust SD-WAN and Zero Trust Device Segmentation (derived in part from its AirGap Networks acquisition). Additionally, the vendor has introduced Zero Trust Device Segmentation on campuses and in branches and factories. However, the vendor lacks advanced SD-WAN functionality such as in-depth path selection, packet duplication and support for high bandwidth throughput.
Zscaler Zero Trust SASE scores excellent in the foundational SASE platform, zero trust platform and coffee shop networking use cases, and good in the secure branch network modernization use case. These scores are driven by the offering’s strengths in secure private applications, in-line cloud enforced security, unified platform and threat prevention capabilities. At the same time, Zscaler’s offering is weaker in basic networking and SD-WAN capabilities.
Context
While the market is maturing, there remain differences in capabilities across vendor offerings in terms of unified platforms, infrastructure delivery, networking and broader security capabilities. Most vendors have substantially stronger expertise in either security or networking, but few have both. When evaluating SASE platform offerings, enterprises should focus on the following characteristics, which define a well-architected SASE platform solution:
Unified
Single management plane and policy engine to reduce swivel chair operations between multiple consoles.
The ability to deploy a single security policy with malware/sensitive data inspection across all channels.
Single-pass decryption and inspection for malware and sensitive data.
A single user agent that provides full functionality.
Integrated digital experience monitoring to enable end-to-end troubleshooting across the entire platform, with a focus on users and applications with drill-down capability.
Simple
Intuitive GUIs, to simplify network and security setup and ongoing operations.
Use of AI copilots/assistants to help with initial configuration and operational activities, including documentation, policy creation and troubleshooting assistance/recommendations.
Simplified licensing and bill of materials (BOM) to converge the network and security functions, rather than treating them like two different solutions (e.g., SD-WAN and SSE).
Network Functionality
All core networking features, as outlined in the SASE platforms definition.
Advanced SD-WAN features for more advanced networking use cases.
Integration with campus networking (WLAN and LAN) for simplified networking.
Integrated cloud onramp for enhanced performance and simplicity.
Security Functionality
All core security features, as outlined in the SASE platforms definition.
Strong ability to provide visibility and control for sensitive data.
GenAI controls to manage enterprise data leakage and secure GenAI applications.
Robust threat intelligence and threat protection.
Continuous adaptive access to provide near-real-time access adjustments, based on a calculated risk score and identity.
Integrated, advanced analytics across all channels for identifying and responding to risky or malicious behaviors as quickly as possible.
Infrastructure Delivery
Globally distributed POPs with full functionality, so policy enforcement can be as close as needed to remote worker and branch locations.
Ability to deliver private POPs and private SASE for data sovereignty and performance reasons.
WAN backbone to deliver enhanced service levels.
Market Definition
Secure access service edge (SASE) platforms deliver converged network and security-as-a-service capabilities, such as software-defined WAN (SD-WAN) and secure access to the web, cloud services and private applications regardless of the user’s location, the device used or where that application is hosted. These offerings primarily use a cloud-centric architecture delivered as a platform by one vendor.
SASE securely connects users and devices with applications, services and other users. It supports branch office and remote worker connectivity and on-premises general internet security, private application access and public cloud service provider access use cases.
Mandatory Features
The mandatory features for this market include:
Resilient global point-of-presence (POP) infrastructure providing functionality for secure access to the web, cloud services and private applications
Centralized management with no more than two consoles covering all the capabilities listed below, accessible via both GUI and API, enabling visibility, troubleshooting, reporting, and granular configuration and policy changes:
Secure web access via proxy
SaaS visibility and access controls
Identity-, context- and policy-based secure remote access to private applications
A branch appliance that supports performance-based dynamic traffic steering (such as packet loss, latency and jitter) across multiple physical WAN interfaces, based on applications (not just IPs/ports)
Layer 7 firewalling to secure traffic bidirectionally across networks
Common Features
The common features for this market include:
Unified management delivered by a single console covering all capabilities of the offering (with GUI and API), enabling visibility, troubleshooting, reporting, and granular configuration and policy changes
Ability to securely connect end users to the SASE platform using a variety of techniques, including software agents, agentless portals, browser plug-ins, secure enterprise browsers and remote browser isolation
Sensitive data visibility and control
Additional security capabilities, including network sandboxing, DNS protection, API-based access to SaaS for data context and configuration information, application layer visibility and protection, and continuous adaptive risk scoring
Advanced network functionality, including enhanced internet, private backbone transport, external DNS services, cloud onramps (simplified and automated integration with public cloud networking services) and broader application optimization technologies
Ability to replace a branch router (such as support for Border Gateway Protocol [BGP]) and support meshed topologies
Integrated digital experience monitoring (DEM) capabilities
Ability to support unmanaged operational technology (OT) and unmanaged Internet of Things (IoT) in addition to managed devices
Product/Service Trends
There is increased interest in and adoption of SASE platforms from end-user clients. The desire for improved administrative efficiency and improving zero-trust posture are long-standing drivers. More recent drivers include options for localized enforcement, incorporating GenAI controls to manage enterprise data leakage and securing GenAI applications. Furthermore, Gartner observes end-user interest in coffee shop networking, where there is a distributed workforce and predominantly cloud apps deployed to simplify end-user experience.
Vendor offerings are maturing, with more focus on delivering a single unified experience for end users and administrators, as well as enhanced depth and breadth of networking and security functionality. Additionally, we observe increased integrations with digital experience management (DEM) functionality, and broader GenAI assistants to improve visibility and troubleshooting. Finally, ZTNA is being expanded to support fixed devices without agents, along with universal ZTNA (UZTNA) capabilities to enable broader campus adoption and a single unified experience for work-from-anywhere users.
Critical Capabilities Definition
SD-WAN
The SD-WAN capability provides advanced networking functionality to address more complex requirements.
This includes features at the branch gateway with more sophisticated, performance-based, application-aware path selection (packet loss, latency, jitter, etc.), dynamic routing (e.g., Border Gateway Protocol [BGP]) and support for more complicated meshed topologies. It also includes appliance form factors, physical WAN interfaces and supported throughput.
Application performance techniques are also important, such as protocol and application optimizations, link bonding/packet striping, forward error correction (FEC), packet duplication and SaaS optimization. Finally, SD-WAN offers cloud onramp capabilities and integrations, enabling automated, high-performing and flexible architectures to access cloud workloads.
In-line On-Premises Security
This capability includes on-premises network security features to protect the organization’s branch/campus/remote locations, including — but not limited to — local segmentation, firewalling and IPS to secure traffic bidirectionally across networks.
Securing Private Applications
This capability provides zero-trust access control to private applications (on-premises, colocated and cloud-based) based on identity and context. It favors an architecture that uses a broker connector with no persistent inbound ports open to the internet, thereby reducing the attack surface.
By default, access is limited to individual applications through policy-based controls based on discovery and suggested segmentation, rather than broad access to entire network segments. This is primarily associated with remote workers, but also extends to branch workers and devices, including IoT/OT, and both managed and unmanaged devices. We evaluate the ability to provide policy enforcement points through both vendor-provided, cloud-hosted services and delivered as virtual or physical appliance enforcement point onramps. Products should authenticate and authorize users, including securing privileged accounts, and/or devices using open standards.
In-line Cloud Enforced Security
This capability includes a granular set of in-line controls for securing access to websites and social media sites that drive policy actions based on the type of site visited.
We assess full proxy — including decryption of web traffic at scale — to enable content inspection and the ability to secure DNS traffic, as well as FWaaS and IPS capabilities to protect end users. This includes the ability to deploy lightweight controls to secure unmanaged devices in-line when accessing SaaS and private applications. Application control and malware prevention are also included.
SaaS App Control and Visibility
This capability includes visibility and control for discovery, usage and data at rest in sanctioned and unsanctioned enterprise SaaS applications.
This category includes discovery and risk rating, as well as integration with SaaS vendor application APIs to gain visibility into SaaS. We assess the range of applications that can be integrated, and the depth of data security, threat defense and any differentiated API capabilities such as visibility, configuration or interconnection of SaaS applications.
Infrastructure Delivery
This capability covers the vendor’s infrastructure delivery, including points of presence (POPs) that support the enterprise SASE platform.
It includes the geographic distribution of metro areas where POPs are deployed, as well as the functionality and consistency of capabilities available as part of the POP infrastructure. We also assess the flexibility of both public and private POP options.
Ease of Administration
This capability includes ease of administration from both a network operations and/or security operations perspective, covering initial provisioning and configuration, production (e.g., moves/adds/changes), policy configuration and incident response.
The goal is for the end user to be able to perform their capabilities in a simple and efficient way. This includes UIs, management platforms, monitoring and automation capabilities.
Basic Networking
This capability involves basic SD-WAN functionality with minimal routing protocol support, hub and spoke topology support, and rudimentary path selection functionality.
It may include integrated branch LAN infrastructure, including WLAN and wired LAN functionality managed from the cloud. Low-friction onboarding with high degrees of automation is often required. Cost competitiveness is also a driving factor for customers who require this basic functionality.
Unified Platform
This capability includes the unification of the vendor’s offering, including the number and integration of components required for customers to use the product.
Components include management/configuration consoles, visibility/monitoring, policy engines, agents, data lakes and APIs.
Data Security
This capability includes the efficacy of the data loss prevention (DLP) engine and its ability to reduce false positives and avoid false negatives by providing advanced sensitive data detection techniques such as the use of machine learning and generative AI.
Advanced data security extends beyond DLP to include integration with third-party data classification and data security posture management (DSPM) providers as part of a wider data security ecosystem. It extends to inspect a wide range of file types across web, SaaS and private applications. It also prevents users from accidentally or maliciously sharing sensitive data.
Threat Protection
This includes the ability to detect attacks and custom threats, with features such as sandboxes, remote browser isolation (RBI), malware engines and threat intelligence. It provides multiple methods to detect and mitigate active threats concurrently across web, cloud and private applications.
Adaptive Access
This capability uses near-real-time context to determine whether to allow access to a specific resource based on a risk score, including factors such as user identity, device identification and hygiene, location and user activity.
It includes the ability to dynamically adjust user and device access to applications and resources in near real time. These adjustments are based on effective and customizable assessment of the state and behavior of both user and device, and the risks these create (risk score). This includes enforcement across various channels and deriving risk via cross-channel behaviors, device state visibility, and user entity behavior analysis (UEBA) capabilities. It also includes the ability to profile the endpoint both on connection and during an existing session, and analyze user and endpoint behaviors, adjusting access or requiring additional verification based on calculated risk.
GenAI Reporting and Controls
This capability enables the discovery and cataloging of third-party generative AI and the application of in-line access and sensitive data controls to prevent data leakage.
It includes application control policies, reputational risk assessment and GenAI as a separate URL classification category. Advanced features include more granular control and integration for the most popular enterprise GenAI products, such as Microsoft Copilot, Google Gemini, Anthropic Claude, and OpenAI ChatGPT. It also includes the ability to capture, inspect and log end-user prompt inputs; integration via API into private tenants for enhanced security; prevention of sensitive data uploads via prompts or file uploads; and visibility into the use of third-party GenAI APIs from the corporate network.
Use Cases
Foundational SASE Platform
This is driven by organizations looking for simplification by reducing tool sprawl, products, vendors and management platforms to securely connect users/devices with apps.
Users are looking for a unified offering that converges networking and security functionality to reduce the administrative complexity of using multiple management consoles. Organizations prioritize ease of use for end users and unified management for operations personnel over advanced features and operational capabilities. Enterprises are aggressively leveraging public cloud services and SaaS for applications, primarily relying on the internet for cloud connectivity. Employees regularly work from anywhere, including branch locations and home offices. The SASE platform product selection is usually made collectively by a cross-functional team, composed of networking and security personnel.
This use case is typically (but not exclusively) driven by midsize enterprises (MSEs).
Zero-Trust SASE Platform
This use case is driven by organizations seeking to implement SASE to achieve a zero-trust posture for their users, devices, branches and remote locations.
Specifically, this entails improving the security of users and devices (both managed and unmanaged) by:
Establishing identity prior to allowing access
Granting access only to necessary resources
Continuously and dynamically adjusting access in near real time, based on a calculated risk score
Advanced security — including adaptive access, GenAI controls, data security and threat protection — is prioritized over ease of use and a unified networking and security platform.
These enterprises aggressively leverage public cloud services and SaaS for applications. Employees regularly work from anywhere, including branch locations. This effort is typically led by the security team (under the CISO) in collaboration with the network team.
Secure Branch Network Modernization
This use case is driven by organizations looking to start their SASE journey by focusing on branch network modernization with SD-WAN.
These organizations are seeking to immediately implement SD-WAN with firewall and/or SWG, while planning longer term to add additional SASE functionality such as CASB and ZTNA.
These organizations leverage public cloud services, SaaS and on-premises applications, and often utilize both internet and private networking for hybrid cloud connectivity. Employees primarily work from branch locations, so more advanced SD-WAN functionality is typically desired to manage the contention and routing of traffic. In-line on-premises security controls integrated with the SD-WAN appliance, along with ease of use, are typically desired over more advanced security features. SASE platform product selection is usually led by a networking team, with collaboration and input from security personnel.
"Coffee Shop" Networking
This use case is driven by organizations aiming to replicate the user experience of a coffee shop in the branch office environment.
It is not necessarily about replicating the internal network infrastructure of a coffee shop. These organizations want to deliver a simplified and consistent networking and security converged experience for end users, whether those employees are in a corporate office location, at a coffee shop or other remote location. They also want to simplify the IT administrative and financial burden.
Organizations are interested in a “hoteling model,” where users are in the office only part time, accessing applications that are primarily delivered from the cloud. In this scenario, basic networking functionality is often (but not exclusively) the desired choice, with little to no east/west on-premises security requirements. ZTNA and, increasingly, UZTNA are often prioritized, along with other SSE solutions that may already be deployed where organizations are looking to leverage existing investments to simplify the branch office for the new hybrid work environment.
Vendors Added and Dropped
We review and adjust our inclusion criteria for Critical Capabilities as markets change. As a result of these adjustments, the mix of vendors in any Critical Capabilities may change over time. A vendor’s appearance in a Critical Capabilities one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Added
Check Point Software Technologies was added, because it met the inclusion criteria for the Critical Capabilities.
SonicWall was added, because it met the inclusion criteria for the Critical Capabilities.
Zscaler was added, because it met the inclusion criteria for the Critical Capabilities.
Dropped
Forcepoint was dropped, because it no longer participates in the SASE platforms market and therefore did not meet the inclusion criteria for this Critical Capabilities research.
Inclusion Criteria
To qualify for inclusion, providers need the following:
General:
Provide a generally available (GA) SASE platform offering as of 1 April 2025. All components must be publicly available, shipping and included on the vendor's published price list as of this date. Products shipping after this date may influence only the Completeness of Vision axis.
Provide commercial support and maintenance for its enterprise SASE platform offering (24/7) to support deployments on multiple continents. This includes hardware/software support, access to software upgrades, security patches, troubleshooting and technical assistance.
Participate in the enterprise SASE platform market, including actively selling and publicly marketing its SASE platform to enterprises.
Gartner defines “general availability” as the release of a product to all customers. When a product reaches GA, it becomes available through the company’s general sales channel — as opposed to a limited or controlled release, pre-GA or beta version.
Product
Vendors must have a SASE platform offering that includes all the below functionality, generally available as of 1 April 2025.
All of the following must be available as a service from the cloud to customers:
Secure web access via proxy.
Enforce SaaS access controls inline. This requires support for inline malware scanning and data security to cover at least two of the following three SaaS enterprise suites: Microsoft 365, Salesforce and Google Workspace.
Identity- and context-based secure remote policy-based access to private applications (not just network-level access).
Layer 7 firewall capability to secure traffic bidirectionally across networks.
A branch appliance that supports performance-based dynamic traffic steering (supporting at least one criterion: latency, packet loss or jitter) across multiple physical WAN interfaces, based on well-known applications (not IPs/ports). This appliance is deployable at a customer’s physical branch location to directly terminate connectivity.
The ability for customers to define sensitive data protection policies and apply them via inline network data inspection.
An endpoint software agent (supporting Windows and Mac operating systems) for connecting users to the vendor’s SASE platform offering.
Centralized management (with both GUI and API) that not only enables provisioning, visibility, troubleshooting and reporting, but also enables granular configuration and policy changes.
The vendor must have no more than two management consoles to operate its enterprise SASE platform offering for the foundational SASE use case.
The ability for customers to directly manage and administer the full SASE platform offering themselves, including granular configuration and policy of all SASE functions (commonly referred to as do it yourself [DIY]).
Single-pass scanning for malware and sensitive data (may be parallelized) for inline security controls.
Support single sign-on (SSO) integration with third-party identity providers.
Leverage POP infrastructure meeting all the following requirements.
Presence in at least 15 distinct geographic metropolitan cities globally, including at least three distinct metropolitan cities on each of three separate continents.
POPs are in a highly secure facility; offer the following services locally (intra-POP): web proxy, private access, and in-line SaaS control with high availability; and they are generally available to all enterprise customers.
Vendors must provide a publicly available URL with POP metropolitan cities list, POP monitoring/status capability and a documented POP SLA.
The vendor must be actively marketing and enhancing its SASE platform offering.
The vendor must be able to provide a single-support experience to customers, meaning customers must engage only with the vendor for support.
The vendor must natively deliver all of the core SASE functionality (SD-WAN, firewall, ZTNA, cloud access security broker [CASB] and secure web gateway [SWG]) as part of the SASE platform offering.
Global Customer Relevance and Adoption
Vendors must show high relevance to Gartner clients via achieving at least one of the following as of 1 March 2025 with the SSE functionality (ZTNA, CASB and SWG) of SASE delivered as a service from the cloud:
Overall adoption: At least 250 unique enterprise customers using SD-WAN and, at a minimum, one of the SSE components (ZTNA, CASB or SWG) with the vendor’s primary SASE platform offering in a production environment, and these customers have an active commercial support license.
Recent adoption: At least 75 newly acquired unique enterprise customers in the last 12 months using SD-WAN and, at a minimum, one of the SSE components (ZTNA, CASB or SWG) with the vendor’s primary SASE platform offering in a production environment, and these customers have an active commercial support license.
Adoption plus growth: At least 100 unique enterprise customers, with 50% growth in the last 12 months, using SD-WAN and, at a minimum, one of the SSE components (ZTNA, CASB or SWG) with the vendor’s primary SASE platform offering in a production environment. Also, these customers have an active commercial support license.
Large-enterprise adoption: At least 75 large unique enterprise customers using SD-WAN and, at a minimum, one of the SSE components (ZTNA, CASB or SWG) with the vendor’s primary SASE platform offering in a production environment. Also, these customers have an active commercial support license.
Full suite adoption: At least 50 unique enterprise customers using all components of SASE: SD-WAN, CASB, ZTNA, firewall and SWG with the vendor’s primary SASE platform offering in a production environment, and these customers have an active commercial support license.
Vendors must also show high relevance to Gartner clients by achieving each of the following as of 1 March 2025:
The vendor’s primary offering must address at least two of the Critical Capabilities use cases for SASE platforms, with one of them being the foundational SASE use case.
At least 25 unique SASE platform enterprise customers headquartered in each of two continents, using SD-WAN and, at a minimum, one of the SSE components (ZTNA, CASB or SWG), all of whom are under active support contracts; for example, 25 customers in Asia and 25 separate customers in North America.
Gartner defines “enterprise” as an organization with at least $50 million in annual revenue and/or 100 to 1,000 employees. Gartner defines “large enterprise” as an organization with at least $1 billion in annual revenue and/or over 1,000 employees. Enterprises can be private for-profit organizations or not-for-profit entities, such as charitable organizations, government and education institutions.
Gartner defines “customer” as a paying end-user organization for the consumption of a service and under active support. This excludes trials, POCs, paid pilots, “try and buys,” lab trials, etc. Customers may include both DIY and those serviced through a managed SASE provider (i.e., any organization using a vendor’s solution fully deployed, regardless of how it is delivered).
The vendor’s offering must have at least 25 customers for the use case assessed and deemed relevant by Gartner to end users.
Table 1: Weighting for Critical Capabilities in Use Cases
| Critical Capabilities | Foundational SASE Platform | Zero-Trust SASE Platform | Secure Branch Network Modernization | "Coffee Shop" Networking |
| --- | --- | --- | --- | --- |
| SD-WAN | 9% | 2% | 30% | 1% |
| In-line On-Premises Security | 3% | 7% | 13% | 0% |
| Securing Private Applications | 3% | 15% | 0% | 16% |
| In-line Cloud Enforced Security | 3% | 7% | 12% | 16% |
| SaaS App Control and Visibility | 3% | 15% | 0% | 5% |
| Infrastructure Delivery | 15% | 5% | 5% | 10% |
| Ease of Administration | 20% | 1% | 5% | 20% |
| Basic Networking | 9% | 2% | 20% | 6% |
| Unified Platform | 29% | 1% | 5% | 11% |
| Data Security | 1% | 10% | 0% | 0% |
| Threat Protection | 2% | 5% | 5% | 5% |
| Adaptive Access | 2% | 25% | 0% | 10% |
| GenAI Reporting and Controls | 1% | 5% | 5% | 0% |
As of 23 June 2025
Source: Gartner (July 2025)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.
Critical Capabilities Rating
Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.
Table 2: Product/Service Rating on Critical Capabilities
| Critical Capabilities | Cato Networks | Check Point Software Technologies | Cisco | Cloudflare | Fortinet | HPE | Netskope | Palo Alto Networks | SonicWall | Versa Networks | Zscaler |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| SD-WAN | 4.0 | 3.3 | 4.6 | 2.5 | 4.6 | 4.7 | 4.4 | 4.4 | 2.4 | 4.6 | 2.9 |
| In-line On-Premises Security | 2.9 | 4.9 | 4.3 | 1.7 | 4.7 | 4.5 | 4.4 | 4.3 | 4.4 | 4.6 | 4.0 |
| Securing Private Applications | 3.8 | 3.7 | 4.1 | 3.9 | 2.8 | 3.6 | 4.7 | 4.5 | 4.2 | 2.9 | 4.8 |
| In-line Cloud Enforced Security | 3.6 | 2.9 | 4.3 | 4.0 | 3.5 | 2.3 | 4.5 | 4.2 | 3.7 | 3.9 | 4.5 |
| SaaS App Control and Visibility | 3.4 | 3.4 | 3.7 | 2.2 | 3.6 | 2.4 | 4.9 | 4.8 | 1.5 | 3.7 | 4.3 |
| Infrastructure Delivery | 4.8 | 3.6 | 3.8 | 4.9 | 4.2 | 3.0 | 4.9 | 4.1 | 2.7 | 4.3 | 4.3 |
| Ease of Administration | 4.2 | 2.7 | 3.6 | 3.8 | 3.4 | 2.9 | 4.0 | 3.8 | 2.0 | 3.2 | 3.9 |
| Basic Networking | 2.9 | 3.5 | 3.5 | 2.4 | 4.5 | 3.1 | 3.6 | 2.9 | 3.8 | 4.1 | 2.8 |
| Unified Platform | 4.9 | 3.6 | 3.8 | 4.9 | 4.2 | 3.7 | 4.9 | 4.9 | 3.7 | 4.9 | 4.9 |
| Data Security | 3.6 | 3.5 | 3.5 | 2.7 | 3.9 | 2.6 | 4.7 | 4.4 | 1.9 | 3.8 | 4.4 |
| Threat Protection | 4.4 | 3.5 | 4.3 | 3.7 | 4.4 | 2.3 | 4.0 | 4.4 | 2.9 | 2.9 | 4.6 |
| Adaptive Access | 3.8 | 1.3 | 1.7 | 3.2 | 3.7 | 3.5 | 4.4 | 4.6 | 2.9 | 4.0 | 4.1 |
| GenAI Reporting and Controls | 2.9 | 4.0 | 4.1 | 1.6 | 2.7 | 2.8 | 3.7 | 4.3 | 1.8 | 2.8 | 4.3 |
As of 23 June 2025
Source: Gartner (July 2025)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.
Table 3: Product Score in Use Cases
| Use Cases | Cato Networks | Check Point Software Technologies | Cisco | Cloudflare | Fortinet | HPE | Netskope | Palo Alto Networks | SonicWall | Versa Networks | Zscaler |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Foundational SASE Platform | 4.24 | 3.35 | 3.81 | 3.89 | 4.01 | 3.36 | 4.48 | 4.25 | 3.00 | 4.15 | 4.15 |
| Zero-Trust SASE Platform | 3.68 | 3.04 | 3.39 | 3.08 | 3.67 | 3.14 | 4.51 | 4.45 | 2.89 | 3.72 | 4.29 |
| Secure Branch Network Modernization | 3.65 | 3.55 | 4.14 | 2.88 | 4.26 | 3.63 | 4.23 | 4.04 | 3.15 | 4.17 | 3.59 |
| "Coffee Shop" Networking | 4.03 | 3.07 | 3.69 | 3.84 | 3.66 | 3.05 | 4.45 | 4.24 | 3.10 | 3.72 | 4.29 |
As of 23 June 2025
Source: Gartner (July 2025)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.
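The weighted-sum calculation described above, as an added example (not Gartner's own tooling): it recomputes use-case scores from the ratings and weightings copied from the page's tables and ranks vendors against a reader-supplied weighting. The function names and the custom weighting profile are hypothetical.

```python
"""Recompute use-case scores from the page's weightings and ratings tables."""

VENDORS = ["Cato Networks", "Check Point Software Technologies", "Cisco",
           "Cloudflare", "Fortinet", "HPE", "Netskope", "Palo Alto Networks",
           "SonicWall", "Versa Networks", "Zscaler"]
USE_CASES = ["Foundational SASE Platform", "Zero-Trust SASE Platform",
             "Secure Branch Network Modernization", '"Coffee Shop" Networking']

# capability -> (weights in % per use case, ratings per vendor), copied from the page
DATA = {
    "SD-WAN": ([9, 2, 30, 1], [4.0, 3.3, 4.6, 2.5, 4.6, 4.7, 4.4, 4.4, 2.4, 4.6, 2.9]),
    "In-line On-Premises Security": ([3, 7, 13, 0], [2.9, 4.9, 4.3, 1.7, 4.7, 4.5, 4.4, 4.3, 4.4, 4.6, 4.0]),
    "Securing Private Applications": ([3, 15, 0, 16], [3.8, 3.7, 4.1, 3.9, 2.8, 3.6, 4.7, 4.5, 4.2, 2.9, 4.8]),
    "In-line Cloud Enforced Security": ([3, 7, 12, 16], [3.6, 2.9, 4.3, 4.0, 3.5, 2.3, 4.5, 4.2, 3.7, 3.9, 4.5]),
    "SaaS App Control and Visibility": ([3, 15, 0, 5], [3.4, 3.4, 3.7, 2.2, 3.6, 2.4, 4.9, 4.8, 1.5, 3.7, 4.3]),
    "Infrastructure Delivery": ([15, 5, 5, 10], [4.8, 3.6, 3.8, 4.9, 4.2, 3.0, 4.9, 4.1, 2.7, 4.3, 4.3]),
    "Ease of Administration": ([20, 1, 5, 20], [4.2, 2.7, 3.6, 3.8, 3.4, 2.9, 4.0, 3.8, 2.0, 3.2, 3.9]),
    "Basic Networking": ([9, 2, 20, 6], [2.9, 3.5, 3.5, 2.4, 4.5, 3.1, 3.6, 2.9, 3.8, 4.1, 2.8]),
    "Unified Platform": ([29, 1, 5, 11], [4.9, 3.6, 3.8, 4.9, 4.2, 3.7, 4.9, 4.9, 3.7, 4.9, 4.9]),
    "Data Security": ([1, 10, 0, 0], [3.6, 3.5, 3.5, 2.7, 3.9, 2.6, 4.7, 4.4, 1.9, 3.8, 4.4]),
    "Threat Protection": ([2, 5, 5, 5], [4.4, 3.5, 4.3, 3.7, 4.4, 2.3, 4.0, 4.4, 2.9, 2.9, 4.6]),
    "Adaptive Access": ([2, 25, 0, 10], [3.8, 1.3, 1.7, 3.2, 3.7, 3.5, 4.4, 4.6, 2.9, 4.0, 4.1]),
    "GenAI Reporting and Controls": ([1, 5, 5, 0], [2.9, 4.0, 4.1, 1.6, 2.7, 2.8, 3.7, 4.3, 1.8, 2.8, 4.3]),
}


def weights_for(use_case):
    """Return the page's weighting profile (capability -> percent) for a use case."""
    i = USE_CASES.index(use_case)
    return {cap: weights[i] for cap, (weights, _) in DATA.items()}


def validate(weights):
    """Reject profiles with unknown capabilities, negative weights or a total != 100%."""
    unknown = set(weights) - set(DATA)
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    if sum(weights.values()) != 100:
        raise ValueError(f"weights sum to {sum(weights.values())}%, expected 100%")


def score(vendor, weights):
    """Weighted sum of a vendor's ratings; capabilities missing from weights count as 0%."""
    validate(weights)
    v = VENDORS.index(vendor)
    return sum(w * DATA[cap][1][v] for cap, w in weights.items()) / 100


def rank(weights):
    """All vendors with their scores (two decimals), highest first."""
    scored = [(name, round(score(name, weights), 2)) for name in VENDORS]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Hypothetical custom profile for a team that cares mostly about
    # adaptive access, data security and GenAI controls.
    custom = {"Adaptive Access": 40, "Data Security": 30,
              "GenAI Reporting and Controls": 30}
    for name, value in rank(custom):
        print(f"{value:.2f}  {name}")
```

Because the published ratings are shown to one decimal place, a recomputed score can differ from the published one in the last digit.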
Acronym Key and Glossary Terms
BGP: Border Gateway Protocol
BOM: bill of material
CASB: cloud access security broker
CDR: content disarm and reconstruction
DLP: data loss prevention
DNS: Domain Name System
DSPM: data security posture management
FEC: forward error correction
IDPS: intrusion detection and prevention system
IoT: Internet of Things
MSE: midsize enterprise
NOC: network operations center
OT: operational technology
POP: point of presence
RBI: remote browser isolation
RFI: request for information
SaaS: software as a service
SAML: Security Assertion Markup Language
SASE: secure access service edge
SCIM: System for Cross Identity Management (Microsoft)
SD-WAN: software-defined wide-area network
SKU: stock keeping unit
SSE: security service edge
STIX/TAXII: Structured Threat Information eXpression
SWG: secure web gateway
TAXII: Trusted Automated eXchange of Intelligence Information
TI: threat intelligence
UEBA: user and entity behavior analytics
UI: user interface
UZTNA: universal zero-trust network access
ZTNA: zero-trust network access
Evidence
Gartner analysts have conducted over 300 inquiries discussing SASE Platforms with end user clients from April 1, 2024 through March 31, 2025.
Gartner analysts have conducted about 1200 inquiries discussing SASE with end user clients from April 1, 2024 through March 31, 2025.
Gartner analysts have conducted over about 1200 inquiries discussing SD-WAN with end user clients from April 1, 2024 through March 31, 2025.
Gartner analysts have conducted nearly 1200 inquiries discussing SSE with end user clients from April 1, 2024 through March 31, 2025.
All vendors in this research responded to a prequalification survey to help determine their relevance to enterprise clients.
All vendors in this research responded to a request for information (RFI) regarding current and planned capabilities.
All vendors submitted a video demonstration following a script to show specific product capabilities.
Gartner analysts reviewed relevant reviews from Gartner Peer Insights for the 12 months ending March 31st.
Gartner analysts reviewed publicly available information, including blogs, vendor technical documentation, product specification sheets and financial information.
Critical Capabilities Methodology
This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.