Bottom Line Up Front
The Most Important Architectural Decision in SASE
Before comparing vendors on features, buyers need to understand the single most consequential architectural split in the market: Single-Pass (native/converged) vs. Stitched (integrated/multi-engine) SASE. Every vendor's strengths and weaknesses flow from which side of this divide they sit on.
Native / Converged Architecture
Traffic is inspected once by a unified policy engine that applies SWG, CASB, ZTNA, FWaaS, and DLP checks simultaneously. Security and networking logic share the same data plane.
- Lower latency — no chaining of proxy hops
- Consistent policy — one rule set, no gaps between engines
- Simpler operations — single console, single data model
- Better DLP — full context is available in one pass
Integrated / Multi-Engine Architecture
Capabilities are bolted together from acquired products or partner integrations. Traffic may traverse multiple engines, each adding latency and creating potential for policy inconsistency.
- Higher latency — multiple inspection hops
- Policy gaps at integration seams
- Heavier operational overhead
- Often superior depth in individual components
Why This Matters for the Benchmark
Stitched vendors can still score highly — especially where deep per-component capability matters (e.g., Palo Alto's threat prevention depth). But single-pass vendors will score better on operational simplicity, DLP accuracy, and latency SLAs. This document scores both dimensions explicitly so buyers can weight them according to their own priorities.
What ZTNA Is (and Isn't)
Legacy VPN grants network access — once authenticated, a user can reach anything on the subnet. ZTNA grants application access — the user is authorized to a specific app, on a specific device, in a specific context, for a specific session. Trust is never implicit; it is continuously re-evaluated.
Continuous Device Posture
Does the solution check device health (OS patch level, EDR status, certificate presence, disk encryption) at connection time and continuously throughout the session? Best-in-class solutions integrate with major EDR platforms (CrowdStrike, SentinelOne, Microsoft Defender) to pull real-time posture signals, not just a one-time snapshot at login. The test is what happens when posture fails mid-session: the affected sessions should be terminated, not left running until the next login.
Per-App Access
Can access policies be enforced at the individual application or API endpoint level, not just at the network segment level? Best-in-class solutions publish private apps through outbound-only connectors: the connector dials out to the PoP, so the app needs no inbound firewall rule and exposes no listener to the internet.
Global PoP Latency
ZTNA is only viable as a VPN replacement if latency is competitive. Best-in-class requires <150ms RTT to the nearest PoP for 95% of global users, a private backbone (no hairpin via the public internet), and active/active PoP failover with sub-5-second reconvergence.
Agentless Access
For contractors, BYOD users, and VDI reduction, best-in-class solutions provide browser-isolated access that delivers a published app without installing a client. The differentiator is how well it handles thick-client apps (RDP, SSH, thick ERP).
Enterprise Browser
A managed, policy-enforced browser deployed as the primary access vehicle, distinct from agentless RBI. Enterprise browsers (Island, Talon/Palo Alto, Chrome Enterprise) enforce DLP, ZTNA policy, and data controls at the browser layer itself, which narrows (but does not remove) the need for network-side inspection of managed devices: traffic from non-browser clients still has to be inspected elsewhere.
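The two properties the paragraphs above insist on, per-app authorization and continuous re-evaluation, are easiest to see in a small policy decision point. The following is an added example written for this page, not any vendor's code: the policy names, posture fields, users and the 60-second cadence are constructed for illustration.

```python
"""Added example (not any vendor's code): a minimal ZTNA policy decision
point showing per-app authorization and continuous posture re-evaluation.
Policy names, posture fields and the users below are constructed."""
from dataclasses import dataclass

POSTURE_INTERVAL_SECONDS = 60  # re-check cadence taken from the criteria table

@dataclass
class Posture:
    os_patched: bool
    edr_running: bool
    cert_present: bool
    disk_encrypted: bool

@dataclass
class Context:
    user: str
    groups: set
    mfa: bool
    managed: bool
    posture: Posture
    risk_score: int  # 0-100 from IdP / UEBA; higher is riskier

@dataclass
class AppPolicy:
    app: str
    allowed_groups: set
    require_mfa: bool = True
    require_managed: bool = True
    max_risk: int = 50
    posture_checks: tuple = ("os_patched", "edr_running", "cert_present", "disk_encrypted")

def evaluate(policy, ctx):
    """Return (allowed, reason). Each app is decided on its own; nothing is
    inherited from 'being on the network'."""
    if not ctx.groups & policy.allowed_groups:
        return False, "user not entitled to app"
    if policy.require_mfa and not ctx.mfa:
        return False, "mfa required"
    if policy.require_managed and not ctx.managed:
        return False, "unmanaged device"
    if ctx.risk_score > policy.max_risk:
        return False, f"risk score {ctx.risk_score} exceeds {policy.max_risk}"
    for check in policy.posture_checks:
        if not getattr(ctx.posture, check):
            return False, f"posture failed: {check}"
    return True, "ok"

class SessionBroker:
    """Holds live app sessions and tears them down when posture changes."""
    def __init__(self, policies):
        self.policies = {p.app: p for p in policies}
        self.sessions = {}  # (user, app) -> Context

    def connect(self, app, ctx):
        allowed, reason = evaluate(self.policies[app], ctx)
        if allowed:
            self.sessions[(ctx.user, app)] = ctx
        return allowed, reason

    def posture_tick(self, user, new_posture):
        """Runs every POSTURE_INTERVAL_SECONDS or on an EDR trigger. Only
        sessions whose policy now fails are cut; returns those as (app, reason)."""
        terminated = []
        for (u, app), ctx in list(self.sessions.items()):
            if u != user:
                continue
            ctx.posture = new_posture
            allowed, reason = evaluate(self.policies[app], ctx)
            if not allowed:
                del self.sessions[(u, app)]
                terminated.append((app, reason))
        return terminated

def demo():
    """Constructed walkthrough: a contractor on BYOD, and an employee whose
    EDR agent stops mid-session."""
    broker = SessionBroker([
        AppPolicy("erp", {"finance"}),
        AppPolicy("wiki", {"staff", "contractors"}, require_managed=False, posture_checks=()),
    ])
    alice = Context("alice", {"finance", "staff"}, True, True, Posture(True, True, True, True), 10)
    bob = Context("bob", {"contractors"}, True, False, Posture(False, False, False, False), 20)
    out = {
        "alice_erp": broker.connect("erp", alice),
        "alice_wiki": broker.connect("wiki", alice),
        "bob_erp": broker.connect("erp", bob),    # denied: not entitled to ERP
        "bob_wiki": broker.connect("wiki", bob),  # allowed: BYOD-tolerant app
    }
    # EDR reports Alice's agent down: ERP is cut, the wiki session survives.
    out["alice_edr_down"] = broker.posture_tick("alice", Posture(True, False, True, True))
    out["alice_live"] = sorted(app for (u, app) in broker.sessions if u == "alice")
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to notice is that Bob's denial on ERP has nothing to do with whether he can reach the ERP subnet, and that Alice's EDR failure removes only the session whose policy requires EDR. A VPN would have granted or revoked the whole tunnel.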
ZTNA Best-in-Class Criteria Table
| Criterion | Best-in-Class Standard (2026) | Why It Matters | Weight |
|---|---|---|---|
| Device Posture (Continuous) | Real-time EDR integration; session termination on posture failure; checks every 60s or on behavior trigger | Static posture checks are defeated by post-auth compromise. Continuous validation is the Zero Trust baseline. | CRITICAL |
| Identity Integration | Native SAML/OIDC; MFA enforcement at policy level; support for Okta, Azure AD (now Microsoft Entra ID), Ping; conditional access on user risk score | ZTNA without strong IdP integration is just a better VPN. Identity is the new perimeter. | CRITICAL |
| Per-App Micro-Segmentation | Connector-based app publishing; no inbound firewall rules required; policy at app/API layer, not subnet | Lateral movement after a compromise depends on network-level reachability. App-level segmentation removes it: a compromised client can reach only the apps it was explicitly authorized to, not the subnet they live on. | CRITICAL |
| Global PoP Latency | <150ms RTT for 95th percentile global users; private backbone preferred over public internet routing | User adoption fails if ZTNA is slower than VPN. Latency is the #1 rejection reason in ZTNA rollouts. | HIGH |
| Agentless Access | Browser-isolated access for web apps; SSH/RDP proxy for thick clients; no client install required for BYOD/contractors | Unmanaged devices represent the majority of contractor and partner access scenarios. | HIGH |
| Enterprise Browser Integration | Native enterprise browser capability or validated partner integration (Island, Chrome Enterprise); DLP and ZTNA policy enforced at the browser layer | Enterprise browsers shift security enforcement to the endpoint layer, reducing proxy inspection scope for managed devices. | HIGH |
| Client OS Coverage | Windows, macOS, iOS, Android, ChromeOS, Linux — all with feature parity on posture and policy enforcement | Feature gaps on non-Windows platforms are common and expose the weakest-link vulnerability. | HIGH |
| Digital Experience Monitoring | Per-session latency, packet loss, jitter reporting; end-to-end path visibility from client to app; proactive alerting | Helpdesk teams cannot troubleshoot ZTNA degradation without per-hop visibility. | MEDIUM |
| Legacy App Support | Non-web (UDP, non-HTTP) protocol support; compatibility with legacy on-prem apps without refactoring | Most enterprises have non-HTTP apps that ZTNA must support to complete the VPN replacement. | MEDIUM |
SSE: Seven Technologies, One Architecture Problem
SSE is the security half of SASE. It consolidates seven historically separate security products into one cloud-delivered service: SWG, CASB, ZTNA, FWaaS, DLP, SSL/TLS decryption, and remote browser isolation (RBI). ZTNA is scored in its own section above; the rest are scored below. The consolidation only delivers value if all components share a unified policy engine and data store; otherwise it is a billing bundle, not an architecture.
SSE Best-in-Class Criteria Table
| Criterion | Best-in-Class Standard (2026) | Why It Matters | Weight |
|---|---|---|---|
| Unified DLP Policy Engine | Single DLP rule set enforced inline across all channels: web, SaaS, private apps, email, and endpoint | Siloed DLP creates policy gaps. A file blocked in SWG must also be blocked in CASB with the same rule. | CRITICAL |
| ML-Based Data Classification | ML classifiers for PII, PHI, PCI, IP, not regex alone; checksum and context validation on pattern hits; OCR for images; exact data match (EDM) fingerprinting for structured data | Regex-only DLP has a 40–60% false-positive rate in real deployments (a 16-digit order number looks like a card number to a regex). Validation and ML reduce this significantly. | CRITICAL |
| TLS Inspection at Scale | Inline decryption of TLS 1.3 for >95% of traffic; no performance cliff at scale; maintained exemption list for certificate-pinned apps (pinned clients reject the inspection CA, so these must be bypassed rather than broken) | The majority of malware now uses encrypted channels. SWG without TLS inspection is operating largely blind. | CRITICAL |
| SSL Decryption Architecture | Decryption performed at the PoP (not backhauled); policy-based exemptions with audit trail; CA deployment tooling; no latency cliff under load | Where and how decryption happens is as important as whether it happens. PoP-local decryption scales with the user, not the data center. | CRITICAL |
| CASB — Inline + API Dual Mode | Real-time inline control for active sessions + API mode for retrospective data scan of existing cloud storage | Inline only misses files already at rest. API only misses live uploads. Both modes are required. | CRITICAL |
| Remote Browser Isolation (RBI) | Pixel-rendering or DOM-reconstruction isolation for risky/uncategorized URLs; BYOD isolation without full agent | URL filtering only blocks sites already known to be bad; an exploit served from an uncategorized or freshly compromised site gets through. RBI keeps that site's active content off the endpoint, which reaches the user only as pixels or a sanitized DOM. | HIGH |
| AI/GenAI Data Protection | Visibility and control over ChatGPT, Copilot, Gemini usage; detect sensitive data in LLM prompts; agentic AI governance | GenAI adoption is outpacing policy. Agentic AI exfiltration — autonomous agents moving data without user action — is the 2026 threat model. | HIGH |
| Shadow IT Discovery | Automatic discovery and risk scoring of >30,000 cloud apps; one-click block/allow/monitor from discovery view | Average enterprise uses 1,000+ cloud apps. Security teams can only manage what they can see. | HIGH |
| IPS Threat Intelligence | Threat feeds updated in real time (<1hr); integration with MITRE ATT&CK; cross-customer threat sharing | Static threat signatures are defeated within hours of novel malware release. | HIGH |
| FWaaS — App Awareness | L7 app identification without relying on port/protocol; supports custom app signatures; evasion-resistant | Port-based firewall rules are trivially bypassed by port-hopping malware and non-standard services. | MEDIUM |
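The Unified DLP Policy Engine and ML-Based Data Classification rows make two claims: one rule set must apply to every channel, and pattern-only matching over-matches. The following added example, written for this page and not taken from any vendor's engine, shows both with a constructed rule set and sample events. It uses a Luhn checksum as the validation step because it fits in a few lines; the ML and EDM layers the table calls for sit on top of exactly this kind of pipeline.

```python
"""Added example, not any vendor's DLP engine: one rule set applied to every
channel, plus a checksum-validated card detector beside a pattern-only one to
show why bare regex over-matches. The events and rules are constructed."""
import re

PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits, optional separators
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum that every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str, validate: bool) -> list:
    """Pattern-only when validate=False; checksum-validated otherwise."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not validate or luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    return SSN_PATTERN.findall(text)


# One rule set. A rule names a detector, a hit threshold and an action; the
# channel is deliberately not part of the rule, so web, SaaS and private-app
# traffic cannot drift apart.
RULES = [
    {"name": "pci-card-numbers", "detector": lambda t: find_pans(t, validate=True),
     "min_hits": 1, "action": "block"},
    {"name": "us-ssn", "detector": find_ssns, "min_hits": 1, "action": "block"},
]


def apply_rules(event: dict) -> dict:
    """event = {'channel', 'user', 'content'}. Returns the verdict plus the
    per-rule evidence an analyst would expect in the incident log."""
    matches = []
    for rule in RULES:
        hits = rule["detector"](event["content"])
        if len(hits) >= rule["min_hits"]:
            matches.append({"rule": rule["name"], "count": len(hits), "action": rule["action"]})
    action = "block" if any(m["action"] == "block" for m in matches) else "allow"
    return {"channel": event["channel"], "user": event["user"], "action": action, "matches": matches}


def demo():
    # Constructed events: the same content leaves over two channels. The order
    # number 1234 5678 9012 3456 fails Luhn; 4111 1111 1111 1111 is the
    # well-known test PAN and passes.
    body = "Order 1234 5678 9012 3456 shipped. Card on file 4111 1111 1111 1111."
    events = [
        {"channel": "web-upload", "user": "alice", "content": body},
        {"channel": "saas-api", "user": "alice", "content": body},
        {"channel": "private-app", "user": "bob", "content": "Meeting notes, nothing sensitive."},
    ]
    return {
        "regex_only_hits": find_pans(body, validate=False),
        "validated_hits": find_pans(body, validate=True),
        "verdicts": [apply_rules(e) for e in events],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The regex-only detector reports two card numbers in the sample; the validated one reports one. Because the rule set carries no channel field, the web upload and the SaaS API event produce identical match evidence, which is the check to run against a real product: send the same file over two channels and diff the two incident records.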
→ Full SSE analysis with vendor comparisons: sase_sse.html
SD-WAN: The Network Foundation of SASE
SD-WAN is often undersold as "just routing" in SASE conversations dominated by security. A vendor's SD-WAN architecture determines WAN performance, branch reliability, and the quality of the middle-mile path between users and cloud workloads. The key split in 2026 is between vendors with native private backbones vs. those relying on public internet routing with optimization.
SD-WAN Best-in-Class Criteria Table
| Criterion | Best-in-Class Standard (2026) | Why It Matters | Weight |
|---|---|---|---|
| Private Global Backbone | Vendor-owned or leased private backbone connecting all PoPs; traffic does not traverse public internet between PoPs; SLA-backed latency guarantees | Public internet routing is unpredictable. A private backbone provides consistent, measurable middle-mile performance. | CRITICAL |
| Application-Aware Path Steering | Real-time path selection per application based on latency, jitter, packet loss thresholds; sub-second reconvergence on path failure | Routing all traffic on the same path wastes expensive MPLS bandwidth on bulk transfers and degrades real-time app quality. | CRITICAL |
| Multi-Link Aggregation | Active/active bonding across MPLS + broadband + LTE/5G; per-packet or per-flow load balancing; automatic failover | Single-link dependency is the leading cause of branch outages. | CRITICAL |
| Cloud On-Ramp Quality | Direct peering or co-location with AWS, Azure, GCP; optimized routing to Microsoft 365; SaaS SLA monitoring | Backhauling SaaS traffic to a central data center adds 80–200ms of unnecessary latency. | HIGH |
| Zero-Touch Provisioning (ZTP) | Branch appliance ships pre-configured; plug in, auto-registers, pulls policy from cloud; <30min to full operation | IT teams cannot staff remote site deployments. ZTP is the difference between SASE being deployable at scale and requiring truck rolls. | HIGH |
| Security Integration (SSE Convergence) | SD-WAN and SSE share a single policy engine and management plane — not a bolted API integration | Separate SD-WAN and SSE policy planes create operational overhead and policy inconsistency. | HIGH |
| LTE/5G Failover | Native 5G integration in hardware; automatic cellular failover <10 seconds; cellular usage reporting and cost controls | Cellular is the last path standing when both wired links fail, and 5G is now cost-competitive with broadband for many sites; without usage caps an unnoticed failover can run up a large bill. | MEDIUM |
| WAN Optimization | TCP acceleration, forward error correction (FEC), packet duplication for lossy links | Still relevant for sites relying on satellite or long-haul broadband where raw throughput cannot be purchased cheaply. | MEDIUM |
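The Application-Aware Path Steering and Multi-Link Aggregation rows describe a per-application SLA decision over several links. As an added example (written for this page, not any vendor's controller), the following steers three constructed links under three scenarios; the link measurements, relative costs and SLA thresholds are illustrative assumptions.

```python
"""Added example, not any vendor's controller: application-aware path steering
over three constructed WAN links. Each application class has latency, jitter
and loss thresholds; the steering function takes the cheapest compliant link
(lowest latency for real-time apps) and falls back to the best surviving link
when nothing meets the SLA. Link figures, costs and SLAs are assumptions."""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class LinkStats:
    name: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    cost: int          # relative cost per Mbit; lower preferred when SLA is met
    up: bool = True


@dataclass
class AppSla:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    prefer_lowest_latency: bool = False  # real-time apps ignore cost


def meets_sla(link: LinkStats, sla: AppSla) -> bool:
    return (link.up
            and link.latency_ms <= sla.max_latency_ms
            and link.jitter_ms <= sla.max_jitter_ms
            and link.loss_pct <= sla.max_loss_pct)


def select_path(links: List[LinkStats], sla: AppSla) -> Optional[str]:
    """Name of the chosen link, or None when every link is down. Compliant
    links: real-time apps take lowest latency, others lowest cost. No compliant
    link: best surviving link by loss then latency, so the app degrades rather
    than blackholes."""
    compliant = [l for l in links if meets_sla(l, sla)]
    if compliant:
        if sla.prefer_lowest_latency:
            return min(compliant, key=lambda l: (l.latency_ms, l.cost)).name
        return min(compliant, key=lambda l: (l.cost, l.latency_ms)).name
    alive = [l for l in links if l.up]
    if not alive:
        return None
    return min(alive, key=lambda l: (l.loss_pct, l.latency_ms)).name


# Constructed measurements for one branch: MPLS clean but expensive, broadband
# cheap and usually fine, LTE the costly last resort.
LINKS = [
    LinkStats("mpls", latency_ms=25, jitter_ms=2, loss_pct=0.0, cost=10),
    LinkStats("broadband", latency_ms=40, jitter_ms=8, loss_pct=0.2, cost=2),
    LinkStats("lte", latency_ms=90, jitter_ms=35, loss_pct=1.5, cost=15),
]

SLAS = {
    "voice": AppSla("voice", 150, 30, 1.0, prefer_lowest_latency=True),
    "saas": AppSla("saas", 200, 50, 2.0),
    "backup": AppSla("backup", 500, 100, 5.0),
}


def steer_all(links, slas):
    return {app: select_path(links, sla) for app, sla in slas.items()}


def demo():
    steady = steer_all(LINKS, SLAS)
    # Broadband loss climbs to 3%: voice and SaaS leave it, bulk backup stays
    # on the cheap link because its SLA tolerates the loss.
    lossy = [replace(l) for l in LINKS]
    lossy[1].loss_pct = 3.0
    broadband_lossy = steer_all(lossy, SLAS)
    # Both wired links fail: everything rides LTE, voice included, even though
    # LTE jitter breaks the voice SLA (degrade, do not blackhole).
    outage = [replace(l) if l.name == "lte" else replace(l, up=False) for l in LINKS]
    wired_outage = steer_all(outage, SLAS)
    return {"steady": steady, "broadband_lossy": broadband_lossy, "wired_outage": wired_outage}


if __name__ == "__main__":
    for scenario, choice in demo().items():
        print(scenario, choice)
```

In the lossy scenario the backup flow stays on the degraded broadband link while voice and SaaS move to MPLS, which is the behaviour the table's "wastes expensive MPLS bandwidth on bulk transfers" note asks for. A real controller would also hold a link in its new state for a hysteresis window before steering back, which this example omits.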
→ Full SD-WAN analysis with vendor comparisons: sase_sdwan.html
AIOps: From Monitoring to Autonomous Action
AIOps in SASE covers two distinct problems: network operations (diagnose why a user in Singapore has bad latency to Salesforce) and security operations (correlate 47 low-confidence signals into one high-confidence threat incident). Best-in-class vendors in 2026 are moving beyond dashboards into autonomous remediation — where the system proposes or executes corrective actions without a human ticket.
AIOps Best-in-Class Criteria Table
| Criterion | Best-in-Class Standard (2026) | Why It Matters | Weight |
|---|---|---|---|
| UEBA / Behavioral Analytics | Per-user, per-entity behavioral baselines; multi-dimensional anomaly scoring; automated risk escalation with evidence bundles | Attacks with valid credentials produce no failed logins and no malware signature; without a behavioral baseline they look like normal use. UEBA is the primary control for insider threat and account takeover. | CRITICAL |
| GenAI Policy Authoring | Natural language → policy rule with simulation preview; supports complex conditional logic; self-documents policy intent | Policy authoring is the #1 operational bottleneck in SASE. NL interfaces reduce time-to-policy from days to minutes. | HIGH |
| Autonomous Path Optimization | ML-driven path selection that anticipates congestion (not just reacts); predictive rerouting 30–90 seconds before SLA breach | Reactive path steering still drops packets during the detection window. Predictive optimization eliminates perceptible degradation. | HIGH |
| Root Cause Analysis (RCA) | Automated hop-by-hop path analysis with ISP/PoP fault attribution; <60-second diagnosis for reported incidents | Mean-time-to-resolution for network issues averages 4+ hours without automated RCA. | HIGH |
| Cross-Product Event Correlation | Unified event stream across SWG, CASB, ZTNA, SD-WAN; ML-based incident grouping; eliminates alert fatigue from siloed logs | SOC analysts spend 40–60% of time correlating events across tools. | HIGH |
| SIEM/SOAR Integration | Native connectors to Splunk, Microsoft Sentinel, CrowdStrike Falcon; bidirectional — enrich and receive playbook triggers | SASE does not replace SIEM/SOAR; it must feed it. | MEDIUM |
→ Full AIOps analysis with vendor comparisons: sase_aiops.html
Why Sovereignty Is Now a Scored SASE Criterion
Data residency requirements have tightened significantly entering 2026. GDPR enforcement has expanded, India's DPDP Act is in force, and the EU AI Act's data governance provisions are being applied to cloud security services. For global organizations, a SASE vendor's ability to guarantee data stays within a jurisdiction — at the PoP level, not just contractually — is now a procurement requirement, not a checkbox.
Sovereignty Best-in-Class Criteria Table
| Criterion | Best-in-Class Standard (2026) | Why It Matters | Weight |
|---|---|---|---|
| Regional Data Plane Isolation | Traffic inspected and logged in designated region; no metadata replication to out-of-region nodes; PoP-level isolation — not just tenant-level isolation | Tenant-level isolation still allows metadata to replicate across regions for analytics. PoP-level isolation is what regulators now expect. | CRITICAL |
| Sovereign Cloud PoP Options | Dedicated PoPs in EU, India, Brazil, UAE, Australia; option for private cloud or co-location deployment for highest-sensitivity sectors | Financial services, healthcare, and government typically require dedicated infrastructure, not shared public cloud tenancy. | CRITICAL |
| Regulatory Certifications | ISO 27001, SOC 2 Type II, FedRAMP (US), C5 (Germany), IRAP (Australia), CSA STAR — current, not expired | Certifications are increasingly required by procurement. A vendor without FedRAMP cannot sell to US federal. | HIGH |
| Customer-Controlled Encryption Keys | Bring Your Own Key (BYOK) or Hold Your Own Key (HYOK) for logs and stored DLP-inspected content; key rotation on demand | Vendor-managed keys expose stored data to vendor-side compromise or compelled disclosure. Note the scope: BYOK/HYOK covers data at rest in the vendor's cloud; inline inspection still sees plaintext at the PoP, so the residency rows above govern the inspection path. | HIGH |
| Log Residency Controls | Granular control over where security event logs, DLP incident logs, and network flow logs are stored; configurable per tenant or per data type | Logs contain PII (IP addresses, usernames, URL paths). Without log residency controls, GDPR compliance for security operations is difficult to demonstrate. | HIGH |
| AI/ML Training Data Isolation | Explicit opt-out from customer data being used to train vendor's ML models; contractual prohibition; audit evidence available | Several SASE vendors use customer traffic telemetry to improve their ML threat models. For regulated industries, this represents unauthorized cross-customer data sharing. | MEDIUM |
→ Full Sovereignty analysis with vendor comparisons: sase_sovereignty.html
Master Scoring Rubric
Each vendor is scored against these criteria on a 1–5 scale. Scores are maintained in ../assets/data/scores.json and rendered dynamically in each pillar document and the Master Scorecard.
Scale: 1 = Poor/Missing · 2 = Below Average · 3 = Adequate · 4 = Strong · 5 = Best-in-Class · Weight multipliers: Critical ×3 · High ×2 · Medium ×1
Four Canonical Buyer Personas
The same vendor can be the right answer for one organization and the wrong answer for another, depending on which pillars matter most. These four personas are used consistently across all pillar deep dives and the Master Scorecard.
Lean IT
SMB–Mid-market · 50–500 employees · 1–5 person security team
One team wearing every hat. Can't afford dedicated NetOps, SecOps, and SD-WAN specialists. Needs a single console that doesn't require three vendors to troubleshoot.
Global Security Ops
Large Enterprise · 2,000+ employees · Dedicated SOC · Multi-region
Threat surface grew post-M&A. Needs real-time DLP, AI-assisted threat detection, DEM, and a unified management plane across hybrid on-prem + cloud estate.
Data-First / Regulated
Finance · Healthcare · Legal · EU / APAC regulated entities
Data classification governs all access policy. GDPR, HIPAA, PCI, DORA compliance obligations. DLP is a board-level concern, not an IT feature.
Platform / Network Architect
500–5,000 employees · Multi-site · MPLS replacement in progress
Owns SD-WAN refresh and branch connectivity. Needs application-aware path steering, a private backbone SLA, and a single policy plane covering WAN and security together.
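The Master Scoring Rubric and the persona section together define a computation: per-criterion 1–5 scores, Critical ×3 / High ×2 / Medium ×1 weighting, and a persona-dependent roll-up across pillars. The following is an added example of that computation written for this page; it is not the page's own scoring code and reads nothing from scores.json. The ZTNA criterion weights are transcribed from the ZTNA table; the two vendors' scores, the other pillars' percentages and the numeric persona weights are constructed assumptions (the page names the personas but gives them no weights).

```python
"""Added example, not the page's own scoring code: the weighted pillar score
the rubric describes (1-5 per criterion; Critical x3, High x2, Medium x1),
normalised to a percentage of the pillar maximum so pillars with different
criterion counts compare, then rolled up per persona. ZTNA criterion weights
are from the table on this page; vendor scores, other pillar percentages and
persona pillar weights are constructed assumptions."""

WEIGHT_MULTIPLIER = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1}
SCALE_MIN, SCALE_MAX = 1, 5

ZTNA_CRITERIA = {
    "device_posture": "CRITICAL", "identity": "CRITICAL", "per_app_segmentation": "CRITICAL",
    "pop_latency": "HIGH", "agentless": "HIGH", "enterprise_browser": "HIGH", "os_coverage": "HIGH",
    "dem": "MEDIUM", "legacy_apps": "MEDIUM",
}


def score_errors(criteria: dict, scores: dict) -> list:
    """Validation to run before publishing: every criterion scored, nothing
    scored that is not a criterion, all values on the scale. A missing score
    is a data bug, not a 1."""
    errors = [f"unscored criterion: {c}" for c in sorted(set(criteria) - set(scores))]
    errors += [f"unknown criterion: {c}" for c in sorted(set(scores) - set(criteria))]
    for name, value in scores.items():
        if name in criteria and not (isinstance(value, int) and SCALE_MIN <= value <= SCALE_MAX):
            errors.append(f"{name}: {value!r} is not on the 1-5 scale")
    return errors


def pillar_score(criteria: dict, scores: dict) -> dict:
    errors = score_errors(criteria, scores)
    if errors:
        raise ValueError("; ".join(errors))
    weighted = sum(scores[c] * WEIGHT_MULTIPLIER[w] for c, w in criteria.items())
    maximum = sum(SCALE_MAX * WEIGHT_MULTIPLIER[w] for w in criteria.values())
    return {"weighted": weighted, "max": maximum, "percent": 100.0 * weighted / maximum}


def persona_score(pillar_percents: dict, pillar_weights: dict) -> float:
    """Weighted mean of pillar percentages using one persona's pillar weights."""
    total = sum(pillar_weights.values())
    return sum(pillar_percents[p] * w for p, w in pillar_weights.items()) / total


# Constructed persona pillar weights (assumption; the page defines the personas
# but not numeric weights).
PERSONA_WEIGHTS = {
    "Lean IT": {"ztna": 2, "sse": 2, "sdwan": 1, "aiops": 2, "sovereignty": 1},
    "Platform / Network Architect": {"ztna": 1, "sse": 1, "sdwan": 3, "aiops": 1, "sovereignty": 1},
}


def demo():
    # Constructed ZTNA scores for two hypothetical vendors.
    ztna_scores = {
        "A": {"device_posture": 5, "identity": 5, "per_app_segmentation": 4, "pop_latency": 3,
              "agentless": 4, "enterprise_browser": 2, "os_coverage": 4, "dem": 3, "legacy_apps": 5},
        "B": {"device_posture": 3, "identity": 4, "per_app_segmentation": 5, "pop_latency": 5,
              "agentless": 5, "enterprise_browser": 5, "os_coverage": 5, "dem": 5, "legacy_apps": 2},
    }
    ztna = {v: pillar_score(ZTNA_CRITERIA, s) for v, s in ztna_scores.items()}
    # Constructed percentages for the other pillars; ZTNA comes from above.
    pillars = {
        "A": {"ztna": ztna["A"]["percent"], "sse": 90.0, "sdwan": 55.0, "aiops": 75.0, "sovereignty": 70.0},
        "B": {"ztna": ztna["B"]["percent"], "sse": 70.0, "sdwan": 95.0, "aiops": 60.0, "sovereignty": 65.0},
    }
    persona = {p: {v: persona_score(pillars[v], w) for v in pillars} for p, w in PERSONA_WEIGHTS.items()}
    winner = {p: max(scores, key=scores.get) for p, scores in persona.items()}
    return {"ztna": ztna, "persona": persona, "winner": winner}


if __name__ == "__main__":
    result = demo()
    for vendor, s in result["ztna"].items():
        print(f"ZTNA {vendor}: {s['weighted']}/{s['max']} = {s['percent']:.1f}%")
    for p, scores in result["persona"].items():
        print(p, {v: round(x, 1) for v, x in scores.items()}, "->", result["winner"][p])
```

With these constructed inputs vendor A wins for Lean IT and vendor B wins for the Platform / Network Architect, which is the point the persona section makes: the rubric is fixed, the pillar weighting is not, and a buyer should re-run the roll-up with their own weights rather than read a single headline score.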