By Thomas Lintemuth, Charlie Winckless, and 2 more
Baseline enforcement capability of SSE functionality has largely commoditized around features such as advanced threat defense and adaptive access controls, but capabilities such as SSPM and integrated deployment are still maturing. Security and risk management leaders should use this research as a starting point for product evaluations.
Overview
Key Findings
All reviewed vendors offer foundational security capabilities to secure access to private and web applications while ensuring operational integrity. However, choosing a vendor necessitates careful evaluation of their different levels of maturity to match an organization’s specific security needs and strategic goals.
A subset of the vendors offers strong advanced Security Service Edge (SSE) capabilities, including data protection and out-of-band SaaS protection, which are critical for safeguarding sensitive information and ensuring robust security measures for cloud-based applications.
The implementation of SSE introduces a significant single point of failure for application access, which can pose substantial risks to network reliability and availability. As a result, organizations must implement robust redundancy and failover strategies to mitigate potential disruptions and ensure continuous access to critical applications.
Recommendations
As an SRM leader responsible for infrastructure security and enabling a secure workplace, you should:
Prioritize the features that support your organization’s desired outcomes, such as enabling cloud adoption or hybrid work, before engaging with vendors in sales cycles.
Procure licenses for core and advanced features your organization is prepared to fully install and utilize. Most vendors are willing to sell additional add-on features after the initial purchase, but very few refund licenses for shelfware.
Optimize performance by reviewing vendor networks, including the location of POPs relative to your end users. Prioritize vendors that offer a hybrid model of data plane traffic management, such as off-cloud options.
What You Need to Know
This Critical Capabilities research provides buyers of SSE products with vendor rankings for six common use cases, based on relevant evaluation criteria. Buyers can view vendor rankings for each use case.
Analysis
Critical Capabilities Use-Case Graphics
Figure 1: Vendors’ Product Scores for Essential SSE Use Case
Figure 2: Vendors’ Product Scores for Advanced SSE Use Case
Figure 3: Vendors’ Product Scores for Private Application Access Use Case
Figure 4: Vendors’ Product Scores for Branch Office User Connectivity Use Case
Figure 5: Vendors’ Product Scores for Data Protection Use Case
Figure 6: Vendors’ Product Scores for SaaS Enablement Use Case
Vendors
Broadcom
Broadcom’s SSE offering features strong technical capabilities but lacks unification. The product lacks a single console, which forces configuration and reporting from different consoles.Also, Broadcom has not developed as many capabilities in its DEM as other vendors in this research. Conversely, Broadcom is one of the only SSE products that offers good CDRcapabilities.Broadcom declined requests for supplemental information. Gartner’s analysis is, therefore, based on other credible sources.
Critical capabilities summary:
Data protection — Broadcom’s SSE supports regular expression (regex), OCR, EDM and ML DLP capabilities. Broadcom does not prevent screen capture or screen recording, and does not support field-level encryption. Vector ML can detect the difference between a blank form and a completed form.
GenAI — Broadcom has not introduced AI capabilities to support threat detection and response for behavioral analysis or policy recommendations.
Usability — The management interface for Broadcom’s SSE consists of distinct products that are currently undergoing full integration. Management interfaces lack an intuitive workflow for policy development.
Use-case score summary:Broadcom scores were middle-of-the-pack to low for all use cases. Organizations with strong data security requirements, particularly when already utilizing Symantec DLP, should evaluate Broadcom SSE.
Cloudflare
Cloudflare’s SSE product is marketed as Cloudflare One. All configuration and reporting is via a single interface. Good integration with third-party identity providers (IdP) is available. Risk scoring and adaptive access control is not strong.
Critical capabilities summary:
Data protection — Cloudflare One has basic data-protection capabilities. It can utilize regex to identify common patterns to block, such as credit card numbers or passport numbers. A minimal number of country identifiers are available. The product cannot consume DLP policy from a third-party DLP product. Tokenization of data at the field or file level is not supported.
GenAI — Differentiation cannot be made between private instances and public instances of many common GenAI sites. In addition, no GenAI functionality is demonstrated in the product itself.
Usability — Product feedback to end users for access violations is immature. The product offers limited built-in reports and no custom report writing.
Use-case score summary: Cloudflare scored fair for all six use cases. Highly distributed organizations looking for an SSE vendor with a strong network and good DNS protections should consider Cloudflare One.
Fortinet
Fortinet’s SSE product was developed from a variety of existing products and requires multiple consoles for management and reporting. The endpoint agent that supports SSE is multipurpose, also supporting functions such as antivirus and sandboxing. The product offers little customization for the system-generated user and device risk scores. Native integration to IdPs is limited to two.
Critical capabilities summary:
Data security — Fortinet’s SSE offers a maturing set of DLP controls while still lacking AI/ML DLP inspection. External DLP policy can be ingested from several third-party products. Tokenization of data and encryption of data in SaaS applications is not supported.
GenAI — The number of discovered GenAI sites is low. Connections to common sites are protected via in-line controls. No GenAI capabilities are inherent in the product. Sensitive data in GenAI prompts can be blocked.
Usability — End-user notifications for policy violations are inconsistent. DEM is basic. Integration with third-party SD-WAN vendors is limited.
Use-case score summary: Fortinet achieved goodscores for all six use cases. Organizations that are value-conscious and that need a product with good basic capabilities should consider Fortinet.
iboss
iboss’ Zero Trust SSE is a single console that provides access to all SSE functions, including administration and reporting. iboss provides very good and transparent risk scoring, allowing customers to customize the scoring to their environment. CDR is very good. No integration with UEM vendors is supported outside of product deployment, and full EDR integration is only possible natively with one EDR vendor.
Critical capabilities summary:
Data security — iboss has no integrations with traditional on-premises enterprise DLP providers. Blocking screen capture/screen recording and keyloggers is not supported. Tokenization of data and tombstoning options are not available.
GenAI — An AI/ML incident dashboard is provided for event correlation and alert interpretation. Transcripts of prompt queries and responses can be made available. High-risk term and phrase detection can be enabled. Sensitive data in GenAI prompts can be blocked.
Usability — iboss simplifies policy generation with the concept of connecting to applications without the requirement to denote it as a private application or SaaS application. DEM capabilities are available, but lack the ability to alert end users when issues are detected. Outside of DEM, end users are provided good and meaningful feedback for access violations. A broad number of integrations with SD-WAN providers are offered.
Use-case score summary:iboss received good scores for four of the six use cases. Organizations looking for a foundationally sound SSE product with strong adaptive access capabilities and modest needs regarding data security should consider Iboss Zero Trust SSE.
Netskope
Netskope’s One SSE provides mature capabilities across all the areas in this research.Integration with IdP vendors requires SCIM or SAML setup, as no vendors are predefined in Netskope’s console. Real-time endpoint status can be pulled from just two EDR vendors.
Critical capabilities summary:
Data security — Netskope’s SSE has good integration with most enterprise DLP products. Detection uses all of the common elements, such as regex, OCR, EDM and ML.
GenAI — A significant number of GenAI sites can be discovered, classified and subjected to policy enforcement. Sensitive data in GenAI prompts can be blocked. Code injection or adversarial prompts can be blocked.
Usability — Netskope’s management console supports only the English language. Its DEM is capable, yet some functionality requires additional licensing. Feedback to the end user for access violations is consistent and informative.
Use-case score summary: Netskope achievedhigh scores for all use cases. Organizations looking for a comprehensive SSE product with minimal limitations should consider Netskope One SSE.
Palo Alto Networks
Palo Alto Networks markets its SSE capabilities as Prisma Access. Most configuration and management is performed in its cloud management platform, known as Strata Cloud Manager, but some capabilitiesrequire a second console. Prisma Access offers good threat protection, including use of its Advanced WildFire sandbox capabilities. Network POP coverage for geographic locations deemed important for Gartner clients is less than other vendors in this research.
Critical capabilities summary:
Data security — Redaction, tombstoning and encryption are not native capabilities of the product for in-line data access. These protections are available to applications that support protection via API. An enterprise browser is available. CDR support is not native to the product.
GenAI — There are a significant number of GenAI sites discovered, with thorough information available for the sites that have been onboarded. Sensitive data in GenAI prompts can be blocked.
Usability — Feedback to the end user for access violations is inconsistent, with some restrictions providing no end-user feedback. Real-time endpoint checking requires OPSWAT. DEM provides good information to the end user.
Use-case score summary: Palo Alto Networks received good scores for all use cases. Organizations looking for a strong SSE product that leads with strong threat detection should consider Palo Alto Networks’ Prisma Access.
Skyhigh Security
Skyhigh Security’s SSE offering is called Skyhigh Security Service Edge. Management is via a single console. Skyhigh offers very good SaaS visibility and overall data security. POP coverage is below average;not all services are offered in all POPs without seeing sufficient demand and requests from clients.
Critical capabilities summary:
Data security — Tags from Microsoft Azure Information Protection (AIP) can be used for various tasks, including the ability to decrypt. Broad integration with enterprise DLP is included. All forms of DLP detection are supported, including regex, OCR, EDM and ML. Strong in-line data security controls are provided, supporting redaction, tokenizing data, watermarking and tombstoning of files during upload. Skyhigh blocks exfiltration via steganography.
GenAI — The product makes good use of a GenAI engine by offering suggestions on regex formatting for DLP rules. AI can be trained with client-provided data. The system can analyze and then allow, block or remediate prompts based on defined risk thresholds for bias, toxicity, malware and jailbreaking to maintain enterprise security. Prompts can be analyzed for sensitive data and blocked by policy. Skyhigh discovers and classifies a high number of GenAI sites.
Usability — End-user feedback for access violations is inconsistent with different notifications based on where the access is denied. The administrative console is not very intuitive to use. Sandbox and enterprise DLP are provided by a third party, which requires different consoles and provides feedback that looks different and is inconsistent with messages to the end user from the main SSE product.
Use-case score summary: Skyhigh Security received good scores for all use cases. Organizations requiring an SSE product with good data security capabilities should consider Skyhigh Security Service Edge.
Versa Networks
Versa Networks’ SSE offering is called Versa Security Service Edge (SSE). Policies are built using a single interface. Breadth of integrations with EDR vendors is lacking, yet the ones supported will cover most clients. Integration with UEM vendors is limited. POP coverage is slightly below average. Integration with IdP vendors is well-supported.
Critical capabilities summary:
Data security — Versa provides a consistent set of DLP capabilities and has included AI/ML detection methods. The product cannot read tags from any enterprise DLP product, but it can read from Microsoft AIP. Tokenization of data at the file and field level are supported, as is data encryption.
GenAI — The SSE console offers an AI assistant and large language model (LLM) for ease of configuration management and common language interpretation. Versa has good discovery of GenAI sites.It can block source code and PII upload in GenAI prompts.
Usability — The administration console is not intuitive to use for policy building. Versa’s user notification for policy violations is not consistent. Some policy violations fail to trigger notification of the user; other notifications offer cryptic messages.
Use-case score summary: Versa Networks scored in the middle to bottom half for all use cases. Organizations looking for an SSE product that is well-integrated with network access should consider Versa SSE.
Zscaler
Zscaler’s SSE, Zscaler for Users,has unified all functionality into a single console. Sandbox capabilities are very good, including an option for preprocessing files with AI analysis. POP coverage is strong. Integration with EDR and UEM vendors is limited.
Critical capabilities summary:
Data security — DLP supports integration with most enterprise DLP, in addition to supporting regex, OCR, EDM and ML detections. CASB feature sets are not consistent when comparing in-line versus API integrations. End-user feedback for data violations is good. Documents can be automatically categorized as they flow through the product.
GenAI — Zscaler for Users offers average GenAI site detection capabilities. GenAI prompts can be inspected and controlled in accordance with defined policy to mitigate data leakage.
Usability — Each configuration and management interface is intuitive. End-user feedback for violations is consistent and informative. DEM capabilities are best-of-breed.
Use-case score summary:Zscaler received high scores for all use cases. Organizations looking for a feature-rich SSE product with global coverage should evaluate Zscaler for Users.
Context
SSE secures access to the web, cloud services and private applications regardless of the location of the user, the device they are using or where the application is hosted. This places these products in a critical path for access to much of an organization’s data, especially data accessed via private applications.
SSE customers are primarily looking to secure remote or hybrid workers who are accessing the public internet, cloud services and private applications. Where users are largely on-premises, SSE provides flexibility but may incur higher costs than on-premises controls. SSE customers may also want to secure remote users when their organization is virtual, is a heavy cloud consumer or has no complex networking requirements for satellite locations.
SSE makes up the security pillar of an SASE architecture. Various vendors offer SSE for purchase and use by security buyers. At the same time, vendors in the WAN edge infrastructure market cover the networking portion of the SASE framework considered by networking buyers.
Data from Gartner surveys and client inquiries indicates that most buyers are planning for a two-vendor strategy for SASE. Vendors, however, are looking to push a single-vendor SASE approach (seeMagic Quadrant for Single-Vendor SASE), and the difference in capability between SSE vendors and SASE platform vendors is rapidly closing. This technical match has made clients increasingly willing to consider single-vendor offerings, especially in the small- to medium-enterprise space.
Buyers of SSE products often ask where they should begin, as many organizations already have some components in place. Organizations have a variety of options to choose from when starting their SSE journey. Gartner recommends the following:
Appliance-heavy organizations should align their SSE initiative with business-led SaaS and IaaS adoption efforts, or make it part of the effort to enable a hybrid working or remote workforce initiative.
Organizations that have already implemented discrete SSE components from more than one vendor should consolidate on one vendor.
Organizations that already have a fully implemented SSE product should reevaluate the market landscape on no longer than a two-year cadence, as vendors’ features and pricing are evolving rapidly.
Organizations undertaking a larger SASE transformation with SD-WAN as the driver can evaluate SSE capabilities from SD-WAN providers against those of best-of-breed SSE vendors. This will help them determine whether they need a separate SSE product.
Organizations should not start with zero-trust network access (ZTNA) when evaluating SSE offerings, particularly if clientless ZTNA is desired. The primary benefit of SSE for ZTNA is that it offers a converged product and an integrated agent for securing internet usage, cloud usage and access to applications.
Clients pursuing an overall zero-trust architecture can use SSE’s unified offering to enable the pushing of zero-trust principles to all users and devices regardless of whether they are managed or not.
Market Definition
Gartner defines security service edge (SSE) as an offering that secures access to the web, cloud services and private applications regardless of the location of the user, the device they are using or where that application is hosted. SSE protects users from malicious and inappropriate content on the web and provides enhanced security and visibility for the SaaS and private applications accessed by end users.
Security service edge provides a primarily cloud-delivered solution to control access from end users and devices to applications,as well as websites and the internet. It provides a range of security capabilities, including adaptive access based on identity and context, malware protection, data security and threat prevention, as well as the associated analytics and visibility. It enables more direct connectivity for hybrid users by reducing latency and providing the potential for improved user experience. Capabilities that are integrated across multiple traffic types and destinationsallow a more seamless experience for both users and administrators while maintaining a consistent security stance.
Mandatory Features
The mandatory features of this market include:
Management and data planes that are primarily cloud-delivered
Identity-aware forward proxy with decryption and protection capabilities
In-line protection of data in SaaS and private apps
Out of band protection of data in SaaS apps via API integration
Adaptive and granular access control supporting both devices with an SSE agent (or similar traffic steering method) and devices with no local SSE software or configurations
Integration with external identity providers
Common Features
The common features of this market include:
Single integrated console supporting all features and functions of the platform
Ability to apply controls consistently across multiple network and application destinations
Support for managing and securing traffic from all common endpoints (such as Windows, macOS, iOS and Android devices)
Integration with key enterprise technologies such as security information and event management (SIEM), extended detection and response (XDR), SD-WAN and other adjacent technologies
Support for published and documented APIs that are accessible to the customer and that allow automation of common tasks and integration with other security platforms
Curated, managed and risk-scored catalogs of SaaS applications
Control of traffic on all ports and protocols
Remote browser isolation (RBI) to enhance security across all network destinations and channels
SaaS security posture management for visibility and remediation of SaaS configurations and visibility into SaaS plug-in applications
Continuous adaptive access controls across all channels based on initial connection status and any change in state during connection
Read, write and act upon labels from common data classification platforms
Embedded user entity behavior analytics (UEBA) to provide automated detection and response for anomalous and risky device and user behaviors
Ability to apply advanced data protection capabilities
Product/Service Trends
SSE secures access to the web, cloud services and private applications. Capabilities include access control, threat protection, data security, security monitoring and acceptable use control enforced by network-based and API-based integration. SSE is primarily delivered as a cloud-based service, and may include on-premises or agent-based components.
The vendor convergence trend has been driving organizations to deploy a “single” SSE product versus the three primary independent products. Further driving the market is organizations’ desire to have a unified access model for users regardless of whether they are working on-premises or remotely. A constant undercurrent driving interest in SSE is the desire to use zero-trust principles for access control.
Critical Capabilities Definition
Ease of Administration
Ease of administration refers to the simplicity of initial provisioning, day-to-day activities (e.g., moves/adds/changes), policy configuration, incident response, troubleshooting, monitoring, visibility and digital experience from the perspective of an administrator.
This also includes UIs, management platforms and digital experience monitoring capabilities. Comprehensive reporting, including compliance, across all applications is required, as is granular visibility and analysis of user activities and sensitive data usage. Advanced capabilities include AI to ease administration.
Threat Protection
Threat protection provides the ability to detect and mitigate basic, advanced and custom threats.
It includes static and dynamic analysis combined with advanced threat protection features, such as sandboxes, RBI, and content disarm and reconstruction (CDR), as well as layers of malware engines, assessing TI research and applying TI to the platform.
Adaptive Access
Adaptive access is the use of near-real-time context to determine the level of access allowed for a resource, including factors such as user identity, device identification and hygiene, location and user activity.
It provides granular visibility into network traffic, enabling real-time monitoring of user activity and immediate detection of any anomalies or potential threats. It can dynamically adjust user and device access to applications and resources in near real time. These adjustments are based on a continual assessment of the “session risk,” including state and behavior of users and devices. This includes enforcement across channels and deriving risk via cross-channel behaviors, device state visibility, and user and entity behavior analytics (UEBA) capabilities.
Securing Private Applications
This capability entails least-privileged access control, based on identity and context to private applications. This applies primarily to remote workers, but also extends to branch workers and nonperson entities.
The product enables remote and branch workers to connect to the SSE service via agents, SD-WAN integration and methods like VPN tunnels and identity integrations. It applies zero-trust principles for accessing private applications and cloud services from managed and unmanaged devices.
Application Discovery
Application discovery enables the SSE product to discover and assign risk scores to all applications based on a rich set of attributes and also eases the onboarding of new cloud or self-hosted applications. This includes the ability to describe useful attributes of specific cloud applications.
Attributes can then be used and modified to align with an organization’s risk profile in the adoption of cloud applications. The product also must offer analysis to discover unsanctioned applications or services being accessed.
Web Control and Visibility
Web control and visibility provides visibility, inspection and control for traffic to and from sanctioned and unsanctioned applications originating from managed and unmanaged devices, regardless of location.
The product discovers all applications, assigns risk scores from a rich set of attributes, and eases the onboarding of new applications. The product integrates with SaaS applications to continuously assess security risk and manage the security posture of customer tenants, providing visibility, governance and control of how SaaS services are configured and managed. Capabilities include reporting the configuration of native SaaS security settings, determining SaaS-to-SaaS interconnection, managing identity permissions and offering suggestions for improved configuration to reduce risk. The product must offer analysis to discover unsanctioned applications being accessed. This capability addresses all types of devices and machines, whether they are managed or not, and mobile devices, regardless of location.
Data Security
Data security monitors traffic to prevent data leakage. It uses advanced, sensitive data-detection techniques to reduce false positives and negatives.
It enables encryption of data in transit and at rest. It prevents users from accidentally or maliciously sharing sensitive data. It provides built-in rules and dictionaries supporting multiple standards and regional standards, custom regular expression and dictionaries, OCR, EDM and AI/ML-based detections. Advanced capabilities include the tokenization of sensitive data, integration with third-party data classification and the ability to train ML models on customer-specific data.
Securing SaaS Applications
This capability includes a granular set of controls for securing access to websites and social media sites.
These controls drive policy actions based on the type of site visited.
This capability includes proxy functions including decryption of traffic that allows content inspection, as well as support for secure recursive Domain Name System (DNS) traffic and threat defense and data security capabilities.
Unified Platform
Unified platform ensures that the SSE product has a unified look and feel from an administrative as well as a user perspective. This includes the number and integration of components required for customers to use the product.
Components include management/configuration consoles, visibility/monitoring, policy engines, agents, data lakes and APIs. Information on the uptime of the vendors’ system should also be available. Advanced capabilities include digital experience monitoring to detect user to application issues. Functionality requires a minimum number of agents. Services are supported across all POPs.
Enterprise Integration
Enterprise integration ensures that the SSE product integrates with a customer’s currently deployed products. It ingests data from third-party products and sends it to other products.
Enterprise integration also offers native integration with leading identity providers. It must seamlessly integrate with any SD-WAN products currently deployed.
Use Cases
Essential SSE
This use case focuses on the security and accessibility capabilities of a product to connect users to enterprise resources, whether the applications are private or SaaS-based.
Advanced SSE
This use case builds on the foundational capabilities of Essential SSE, adding enhanced security including real-time access, data protection, and robust end-user monitoring.
This may include add-on products to round out the full capabilities of an advanced SSE product suite.
Private Application Access
This use case focuses on how vendors support on-premises users accessing private applications while minimizing reliance on off-premises elements.
Products should support any type of network protocol, whether TCP- or UDP-based, initiate connections from the server out to the endpoint and support disaster-recovery options.
Branch Office User Connectivity
This use case focuses on enabling branch-based workers to access private applications and SaaS/Web resources.
Strong SSE vendors offer the most flexibility in how users can connect. Enterprise application and service integration play a key role, as log and telemetry data from the SSE product must integrate into a broader threat-centric view of users and devices that are not connected to corporate networks for extended periods. The SSE product becomes an important source of data for broader security monitoring capabilities.
Data Protection
This use case focuses on detecting and controlling sensitive data across the web, cloud and private applications.
Many organizations prioritize this capability to control sensitive data loss across multiple vectors. By adding protections across the integrated SSE product, organizations benefit from a single DLP or data-protection rule to apply across multiple vectors, access methods and device types.
SaaS Enablement
This use case is focused on providing secure access to SaaS- or Web-based applications.
This use case emphasizes cloud application discovery as well as configuration and control of managed SaaS applications.
Vendors Added and Dropped
Added
No vendors were added to this report.
Dropped
Lookout did not satisfy the requirement for customers in this market.
Inclusion and Exclusion Criteria
To qualify for inclusion, the provider’s SSE offering must:
Operate as a service. The offering must be delivered as a cloud service securing authorized users on allowed endpoints to appropriate services running in public or private clouds and on-premises environments.
Gartner must have strong evidence that the SSE product is broadly adopted independently of an SD-WAN, firewall or other networking capability offered by the same vendor. A vendor’s core SSE offering must include several capabilities that support securing authorized users on allowed endpoints to appropriate services. These capabilities must have been generally available by 31 October 2024. The capabilities are:
Secure access to the internet from common endpoints, including at a minimum Windows, macOS, iOS and Android via proxy. Provide URL filtering and advanced threat defense to protect users and enforce acceptable use policies.
Secure usage of software as a service both in-line and via API. Provide visibility, compliance enforcement, data security and threat protection for the use of SaaS applications; both monitor and remediate issues via a proxy product (in-line) and API integrations. API integration for CASB functions must include at least five major enterprise suites, such as Microsoft Office 365, Google Workspace, Salesforce, Workday, GitHub, Atlassian and ServiceNow. At least one of these integrations must be something other than a file-sharing or file-storage application. API integrations with social media or free SaaS platforms, such as Twitter, Reddit, YouTube or Facebook, are not included in this count. Security must include threat protection, data protection and both detection and prevention capabilities. In-line security must be provided from managed devices, including at least Windows, macOS, iOS and Android, to any SaaS application and be enforceable from unmanaged devices to known and explicitly sanctioned SaaS applications.
Provide secure remote access to private applications. Create an identity- and context-based logical access boundary that encompasses an enterprise user and associated device separated from an internally hosted application or set of applications. Applications must be hidden from discovery and have access restricted via a trust broker to a named set of entities; support both agent (or full integration with native OS functions) and agentless connection methods from all common endpoints, including at a minimum Windows, macOS, iOS and Android. Agent-based, or full integration with native OS functions, support must be provided to access these private applications using both Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) from all common endpoints, including at least Windows, macOS, iOS and Android.
Provide visibility into the state of common endpoints, including at least Windows, macOS, iOS and Android, and be able to use that context in access decisions.
An SSE vendor must also demonstrate scale relevant to enterprise-class organizations. At least two of the three criteria below must be met:
Generated $40 million in revenue from the evaluated SSE offering between 1 November 2023 and 31 October 2024.
As of 31 October 2024, have at least 500 enterprise customers (each of over 1,000 seats) securing two out of three of:
Private applications; SaaS applications (both in-line and API); general access to www. sites capabilities (excluding identity integration) of the evaluated SSE under support; have at least 4 million seats for the evaluated SSE under paid support as of 31 October 2024.
An SSE vendor must also demonstrate relevance to global organizations by:
Demonstrating that its SSE service offers a minimum of 20 POPs globally, with at least five POPs in each major global region (North America, EMEA and Asia/Pacific [APAC]). Each counted POP must be hosted in a secure and managed facility and locally supported and have enabled capabilities for all the must-have capabilities of an SSE product.
Providing Gartner with strong evidence that 10% or more of its customer base is outside its home region (North America, EMEA or APAC).
Lastly, an SSE vendor must rank among the top 20 organizations in Gartner’s Customer Interest Index for this research. Data inputs used to calculate the Customer Interest Index for SSE included a balanced set of measures:
Gartner end-user inquiry volume per vendor
Gartner.com search data
Gartner Peer Insights competitor mentions
Google trends data
Social media analysis
An SSE vendor is excluded if:
The vendor’s SSE functionality is primarily delivered with an SD-WAN platform as part of a single-vendor SASE offering, or the vendor’s primary direction is toward a single-vendor SASE solution incorporating their own SD-WAN.
The vendor is primarily a managed services provider and SSE offerings mostly come as part of broader managed services provider contracts or is a service provider leveraging third-party SSE services.
The vendor did not natively offer one or more of the must-have capabilities from the SSE market definition prior to 31 October 2024. Vendors cannot rely on OEM partnerships for must-have capabilities.
Weighting for Critical Capabilities in Use Cases
Critical Capabilities
Essential SSE
Advanced SSE
Private Application Access
Branch Office User Connectivity
Data Protection
SaaS Enablement
Ease of Administration
10%
0%
10%
20%
5%
10%
Threat Protection
10%
15%
5%
10%
5%
10%
Adaptive Access
15%
13%
25%
0%
0%
5%
Securing Private Applications
10%
15%
25%
0%
10%
0%
Application Discovery
20%
15%
0%
15%
0%
0%
Web Control and Visibility
10%
5%
0%
20%
20%
25%
Data Security
0%
15%
10%
10%
35%
0%
Securing SaaS Applications
0%
15%
0%
10%
10%
25%
Unified Platform
10%
4%
10%
10%
5%
15%
Enterprise Integration
15%
3%
15%
5%
10%
10%
As of 19 February 2025
Source: Gartner (May 2025)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.
Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.
Critical Capabilities Rating
Product/Service Rating on Critical Capabilities
Critical Capabilities
Broadcom
Cloudflare
Fortinet
iboss
Netskope
Palo Alto Networks
Skyhigh Security
Versa Networks
Zscaler
Ease of Administration
2.3
2.4
3.5
3.5
3.9
3.6
3.3
3.0
4.0
Threat Protection
2.3
3.0
3.8
3.5
3.9
4.3
3.2
3.8
3.6
Adaptive Access
2.9
2.5
3.4
3.2
4.0
3.9
3.6
2.8
3.3
Securing Private Applications
3.2
3.1
3.9
3.8
3.9
3.8
3.3
3.7
3.6
Application Discovery
3.1
2.7
3.1
2.4
3.5
3.6
3.8
2.7
3.8
Web Control and Visibility
3.4
2.7
3.7
3.1
4.0
3.7
4.5
3.5
4.0
Data Security
3.8
2.0
3.0
2.4
3.7
3.4
4.3
2.9
3.6
Securing SaaS Applications
2.7
2.8
3.0
1.8
4.0
4.2
3.8
3.7
4.0
Unified Platform
2.7
3.4
3.5
3.6
3.5
3.3
3.0
3.5
3.5
Enterprise Integration
3.2
3.3
3.3
3.7
3.8
3.6
3.9
3.7
3.6
As of 19 February 2025
Source: Gartner (May 2025)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.
Product Score in Use Cases
Use Cases
Broadcom
Cloudflare
Fortinet
iboss
Netskope
Palo Alto Networks
Skyhigh Security
Versa Networks
Zscaler
Essential SSE
2.93
2.87
3.47
3.27
3.79
3.72
3.62
3.27
3.67
Advanced SSE
3.02
2.74
3.39
2.91
3.82
3.83
3.69
3.31
3.67
Private Application Access
3.00
2.83
3.51
3.43
3.85
3.71
3.53
3.31
3.56
Branch Office User Connectivity
2.92
2.71
3.40
3.00
3.81
3.70
3.76
3.28
3.82
Data Protection
3.29
2.60
3.35
2.92
3.83
3.65
3.98
3.34
3.74
SaaS Enablement
2.86
2.88
3.43
3.00
3.89
3.82
3.75
3.52
3.81
As of 19 February 2025
Source: Gartner (May 2025)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.
Acronym Key and Glossary Terms
CASB
Cloud access security broker
CDR
Content disarm and reconstruction
DEM
Digital experience monitoring
DLP
Data loss protection
EDM
Exact data matching
EDR
Endpoint detection and response
GenAI
Generative AI
IdP
Identity provider
ML
Machine learning
OCR
Optical character recognition
PII
Personally identifiable information
POP
Point of presence
SCIM
System for Cross-Domain Identity Management
SD-WAN
Software-defined WAN
UEM
Unified endpoint management
Critical Capabilities Methodology
This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.