As AI agents and distributed teams redefine the network edge, unified SASE has evolved from a simple security bundle into the essential operating system for global business.
Secure Access Service Edge (SASE) is a network architecture that combines software-defined wide area networking (SD-WAN) and security functionality into a unified cloud service that promises simplified WAN deployments, improved efficiency and security, and application-specific bandwidth policies.
First outlined by Gartner in 2019, SASE (pronounced โsassyโ) has quickly evolved from a niche, security-first SD-WAN alternative into a popular WAN sector that analysts project will grow to become a $10-billion-plus market within the next couple of years.
[ Download our editorsโ PDF SASE and SSE enterprise buyerโs guide today! ]
Market research firm DellโOro Group forecasts that SASE revenue will reach $17 billion by 2029. Gartner is more optimistic, predicting that the market will grow at a compound annual growth rate 26% and reach $28.5 billion by 2028.
What is SASE?
SASE consolidates SD-WAN with a suite of security services to help organizations safely accommodate an expanding edge that includes branch offices, public clouds, remote workers and IoT networks.
While some SASE vendors offer hardware appliances to connect edge users and devices to nearby points of presence (PoPs), most vendors handle the connections through software clients or virtual appliances. SASE is typically consumed as a single service, but there are a number of moving parts, so some offerings piece together services from various partners.
[ Related: Networking terms and definitions ]
On the networking side, the key features of SASE are WAN optimization, content delivery network (CDN), caching, SD-WAN, SaaS acceleration, and bandwidth aggregation. The vendors that make the WAN side of SASE work include SD-WAN providers, carriers, content-delivery networks, network-as-a-service (NaaS) providers, bandwidth aggregators and networking equipment vendors.
The security features of SASE can include encryption, multifactor authentication, threat protection, data leak prevention (DLP), DNS, Firewall-as-a-Service (FWaaS), Secure Web Gateway (SWG), and Zero Trust Network Access (ZTNA). The security side relies on a range of providers, including cloud-access security brokers, cloud secure web gateways providers, zero-trust network access providers, and more.
The feature set will vary from vendor to vendor, and the top vendors are investing in advanced capabilities, such as support for 5G for WAN links, advanced behavior- and context-based security capabilities, and integrated AIOps for troubleshooting and automatic remediation.
Ideally, all these capabilities are offered as a unified SASE service by a single service provider, even if certain components are white labeled from other providers.
What are the benefits of SASE?
Because it is billed as a unified service, SASE promises to cut complexity and cost. Enterprises deal with fewer vendors, the amount of hardware required in branch offices and other remote locations declines, and the number agents on end-user devices also decreases.
SASE removes management burdens from ITโs plate, while also offering centralized control for things that must remain in-house, such as setting user policies. IT executives can set policies centrally via cloud-based management platforms, and the policies are enforced at distributed PoPs close to end users. Thus, end users receive the same access experience regardless of what resources they need, and where they and the resources are located.
SASE also simplifies the authentication process by applying appropriate policies for whatever resources the user seeks, based on the initial sign-in. It also supports zero-trust networking, which controls access based on user, device and application, not location and IP address.
Security is increased because policies are enforced equally regardless of where users are located. As new threats arise, the service provider addresses how to protect against them, with no new hardware requirements for the enterprise.
More types of end users โ employees, partners, contractors, customers โ can gain access without the risk that traditional security โ such as VPNs and DMZs โ might be compromised and become a beachhead for potential attacks on the enterprise.
SASE providers can supply varying qualities of service, so each application gets the bandwidth and network responsiveness it needs. With SASE, enterprise IT staff have fewer chores related to deployment, monitoring and maintenance, and can be assigned higher-level tasks.
What are the SASE challenges?
Organizations thinking about deploying SASE need to address several potential challenges. For starters, some features could come up short initially because they are implemented by providers with backgrounds in either networking or security, but might lack expertise in the area that is not their strength.
Another issue to consider is whether the convenience of an all-in-one service meets the organizationโs needs better than a collection of best-in-breed tools.
SASE offerings from a vendor with a history of selling on-premises hardware may not be designed with a cloud-native mindset. Similarly, legacy hardware vendors may lack experience with the in-line proxies needed by SASE, so customers may run into unexpected cost and performance problems.
Some traditional vendors may also lack experience in evaluating user contexts, which could limit their ability to enforce context-dependent policies. Due to complexity, providers may have a feature list that they say is well integrated, but which is really a number of disparate services that are poorly stitched together.
Because SASE promises to deliver secure access to the edge, the global footprint of the service provider is important. Building out a global network could prove too costly for some providers. This could lead to uneven performance across locations because some sites may be located far from the nearest PoP, introducing latency.
SASE transitions can also put a strain on personnel. Turf wars could flare up as SASE cuts across networking and security teams. Changing vendors to adopt SASE could also require retraining IT staff to handle the new technology.
What is driving the adoption of SASE?
The key drivers for SASE include supporting hybrid clouds, remote and mobile workers, and IoT devices, as well as finding affordable replacements for expensive technologies like MPLS and IPsec VPNs.
As part of digital transformation efforts, many organizations are seeking to break down tech siloes, eliminate outdated technologies like VPNs, and automate mundane networking and security chores. SASE can help with all of those goals, but youโll need to make sure vendors share a vision for the future of SASE that aligns with your own.
According to Gartner, there are currently more traditional data-center functions hosted outside the enterprise data center than in it โ in IaaS providers clouds, in SaaS applications and cloud storage. The needs of IoT and edge computing will only increase this dependence on cloud-based resources, yet typical WAN security architectures remain tailored to on-premises enterprise data centers.
In a post-COVID, hybrid work economy, this poses a major problem. The traditional WAN model requires that remote users connect via VPNs, with firewalls at each location or on individual devices. Traditional models also force users to authenticate to centralized security that grants access but may also route traffic through that central location.
This model does not scale. Moreover, this legacy architecture was already showing its age before COVID hit, but today its complexity and delay undermine competitiveness.
With SASE, end users and devices can authenticate and gain secure access to all the resources they are authorized to reach, and users are protected by security services located in clouds close to them. Once authenticated, they have direct access to the resources, addressing latency issues.
What is the SASE architecture?
Traditionally, the WAN was comprised of stand-alone infrastructure, often requiring a heavy investment in hardware. SD-WAN didnโt replace this, but rather augmented it, removing non-mission-critical and/or non-time-sensitive traffic from expensive links.
In the short term, SASE might not replace traditional services like MPLS, which will endure for certain types of mission-critical traffic, but on the security side, tools such as IPsec VPNs will likely give way to cloud-delivered alternatives.
Other networking and security functions will be decoupled from underlying infrastructure, creating a WAN that is cloud-first, defined and managed by software, and run over a global network that, ideally, is located near enterprise data centers, branches, devices, and employees.
With SASE, customers can monitor the health of the network and set policies for their specific traffic requirements. Because traffic from the internet first goes through the providerโs network, SASE can detect dangerous traffic and intervene before it reaches the enterprise network. For example, DDoS attacks can be mitigated within the SASE network, saving customers from floods of malicious traffic.
What are the core security features of SASE?
The key security features that SASE provides include:
โ Firewall as a service (FWaaS)
In todayโs distributed environment, both users and computing resources are located at the edge of the network. A flexible, cloud-based firewall delivered as a service can protect these edges. This functionality will become increasingly important as edge computing grows and IoT devices get smarter and more powerful.
Delivering FWaaS as part of the SASE platform makes it easier for enterprises to manage the security of their network, set uniform policies, spot anomalies, and quickly make changes.
โ Cloud access security broker (CASB)
As corporate systems move away from on-premises to SaaS applications, authentication and access become increasingly important. CASBs are used by enterprises to make sure their security policies are applied consistently even when the services themselves are outside their sphere of control.
With SASE, the same portal employees use to get to their corporate systems is also a portal to all the cloud applications they are allowed to access, including CASB. Traffic doesnโt have to be routed outside the system to a separate CASB service.
โ Secure web gateway (SWG)
Today, network traffic is rarely limited to a pre-defined perimeter. Modern workloads typically require access to outside resources, but there may be compliance reasons to deny employees access to certain sites. In addition, companies want to block access to phishing sites and botnet command-and-control servers. Even innocuous web sites may be used maliciously by, say, employees trying to exfiltrate sensitive corporate data.
SGWs protect companies from these threats. SASE vendors that offer this capability should be able to inspect encrypted traffic at cloud scale. Bundling SWG in with other network security services improves manageability and allows for a more uniform set of security policies.
โ Zero trust network access (ZTNA)
Zero Trust Network Access provides enterprises with granular visibility and control of users and systems accessing corporate applications and services.
A core element of ZTNA is that security is based on identity, rather than, say, IP address. This makes it more adaptable for a mobile workforce, but requires additional levels of authentication, such as multi-factor authentication and behavioral analytics.
What other technologies may be part of SASE?
In addition to those four core security capabilities, various vendors offer a range of additional features.
These include web application and API protection, remote browser isolation, DLP, DNS, unified threat protection, and network sandboxes. Two features many enterprises will find attractive are network privacy protection and traffic dispersion, which make it difficult for threat actors to find enterprise assets by tracking their IP addresses or eavesdrop on traffic streams.
Other optional capabilities include Wi-Fi-hotspot protection, support for legacy VPNs, and protection for offline edge-computing devices or systems.
Centralized access to network and security data can allow companies to run holistic behavior analytics and spot threats and anomalies that otherwise wouldnโt be apparent in siloed systems. When these analytics are delivered as a cloud-based service, it will be easier to include updated threat data and other external intelligence.
The ultimate goal of bringing all these technologies together under the SASE umbrella is to give enterprises flexible and consistent security, better performance, and less complexity โ all at a lower total cost of ownership.
Enterprises should be able to get the scale they need without having to hire a correspondingly large number of network and security administrators.
Survey the SASE vendor landscape
The SASE market is complex. Vendors include pure-play SASE, SD-WAN vendors expanding into security, security vendors expanding into networking) multivendor SASE, and single-vendor SASE. Itโs also worth noting that the โleaderโ quadrant in analyst reports changes frequently.
What is multivendor SASE?
Refers to a SASE platform that is provided by multiple vendors. This means youโd source that different components of the SASE platform, such as the secure web gateway (SWG), cloud access security broker (CASB), and zero-trust network access (ZTNA) from different vendors. This allows you to choose the best-of-breed solutions for each component of the platform. By using multivendor SASE platform, you avoid being tied to a single vendor and reduce the risk of vendor lock-in. On the negative side, managing multiple vendors is time-consuming than managing a single-vendor solution. Also, issues among vendors can impact the performance, efficiency and reliability of the SASE solution.
What is single-vendor SASE
Single-vendor SASE refers to a solution that is provided by a single vendor. This means that all of the components of the SASE platform, such as the secure web gateway (SWG), cloud access security broker (CASB), and zero-trust network access (ZTNA) are delivered by a single vendor. Advantages of single-vendor SASE include simplified management, smoother integration and enhanced support. Disadvantages include vendor lock-in, more limited capabilities compared to multivendor platforms, and higher costs for large organizations.
Many SASE vendors have used APIs to connect separate security and networking tools. By 2026, the market has matured. single-vendor SASE โ where the policy, the code, and the cloud are all owned by one company โ is now the standard for reducing โoperational dragโ and avoiding security gaps between the network and applications.
Who are the top SASE providers?
The SASE landscape has shifted from a fragmented market of point solutions to a platform-first era dominated by single-vendor SASE. While established networking incumbents remain powerful, the top tier is now defined by those who have successfully integrated AI-security posture management (AI-SPPM) and sovereign data controls into their global backbones.
The industry has seen significant consolidation: HPE has fully integrated Juniper Networksโ AI-driven security. Broadcom has finalized the transition of VMwareโs SASE into the VeloCloud ecosystem; and Check Point has absorbed Perimeter 81 into its Harmony platform.
The current market leaders are categorized as follows:
- The platform leaders: Palo Alto Networks (Prisma Access) and Zscaler continue to set the pace for enterprise-scale universal SASE, providing seamless security for both remote and on-premises workforces.
- AI and cloud-native pioneers: Cato Networks remains the benchmark for pure-play SASE, while Netskope and Cloudflare lead the way in protecting data as it moves between users and generative AI models.
- Integrated infrastructure giants: Cisco, Fortinet, and the newly expanded HPE (Juniper) offer the deepest integration between hardware and security, making them the choice for organizations with complex branch-office needs.
- Specialized and emerging tier: Versa, Akamai, and Skyhigh Security provide specialized edge security and low-latency performance for high-traffic or regulated industries.
How to adopt SASE
Enterprises that must support a large, distributed workforce, a complicated edge with far-flung devices, and hybrid/multi-cloud applications should have SASE on their radar. For those with existing WAN investments, the logical first step is to investigate your WAN providerโs SASE services or preferred partners.
On the other hand, if your existing WAN investments are sunk costs that youโd prefer to walk away from, SASE offers a way to outsource and consolidate both WAN and security functions.
Over time, the line between SASE and SD-WAN will blur, so choosing one over the other wonโt necessarily lock you into a particular path, aside from the constraints that vendors might erect.
For most enterprises, however, SASE will be part of a hybrid WAN/security approach. Traditional networking and security systems will handle pre-existing connections between data centers and branch offices, while it will be used to handle new connections, devices, users, and locations.
SASE isnโt a cure-all for network and security issues, nor is it guaranteed to prevent future disruptions, but it will allow companies to respond faster to disruptions or crises and to minimize their impact on the enterprise. In addition, it will allow companies to be better positioned to take advantage of new technologies, such as edge computing, 5G and mobile AI.
