Gartner has officially released the first ever Single-Vendor SASE Magic Quadrant. The report specifically says it will replace the Market Guide for Single-Vendor SASE, so I think we can expect the SSE and WAN Edge Infrastructure Magic Quadrants to stay in place for the time being. I read through this report in its entirety and I wanted to summarize it in this article and share the detail that surprised me most.
Gartner Predictions for Single-Vendor SASE
Gartner always includes a few predictions at the start of their reports. This data comes from the various methods of research they do. Here are this year’s SASE predictions.
- By 2025, there will be a 50% increase in the number of vendors offering single-vendor SASE (compared to 2023).
- By 2026, 60% of new SD-WAN purchases will be part of a single-vendor SASE solution (up from 15% in 2023).
How Gartner Defines Single-Vendor SASE
Gartner defines single-vendor SASE as a solution provided by one vendor who offers multiple SASE features in a cloud-centric architecture. The solution should support branch offices, remote workers, and on-premises general security.
- Offers a unified cloud-based SASE platform with a simple and intuitive customer portal.
- Cato’s customers report excellent client experiences.
- Cautions: All security functionality is cloud-based (i.e., not on the edge device), and they are mostly aligned with SMB and midmarket customers’ needs.
- Versa offers a unified SASE platform with a single management portal for both SD-WAN and security.
- Robust SD-WAN platform and an early-mover in this market.
- Cautions: Threat detection capabilities lag in comparison, and they have a limited sales strategy.
- Fortinet offers FortiSASE integrated with FortiGate and managed by FortiMangager.
- The integration with FortiGate gives branches a strong network security posture at the edge.
- Fortinet has well-established global channels and can sell to both enterprises and SMB customers.
- Cautions: Requires multiple products to address different use cases and their POP footprint is geographically limited.
I had the opportunity to sit down with the Fortinet team at their HQ in San Jose, CA earlier this month and they addressed a few of these cautions in person. Since the analysis that was done to write this report, they have increased their POP footprint from 19 POPs to 120 POPs globally. That said, by default, customers only have access to four POPs unless they request to add more. From my perspective, this is still a limitation when compared to the competition, especially for traveling or remote employees.
In addition to increasing their number of POPs, they’ve also taken strides to make the management portal(s) easier to use. The Fortinet team seemed relatively confident that they’d be in the leader space next year. So much is changing with these vendors almost daily. I’m excited to see where they all end up in a year from now.
Palo Alto Networks
- Offers a unified SASE platform (Palo Alto Prisma) that is geared toward enterprises in all verticals and includes a single, straightforward interface.
- Their product roadmap is well-aligned with enterprise customer needs and has a large/loyal installed base that will help Palo Alto grow.
- Cautions: If customers are currently using the Panorama management portal, they will have a different portal for Palo Alto Prisma. The pricing tends to be high, and the solution doesn’t include RBI (Remote Browser Isolation) today.
Not sure why RBI is important? Check out my blog post covering all the features of SASE and what types of customers should use each one!
- Cisco’s SASE offering includes Cisco+ Secure Connect integrated with Cisco Meraki SD-WAN. Cisco Umbrella and Cisco Catalyst can be swapped in as well.
- Strong threat intelligence, cost effective pricing, and their product roadmap is well-aligned with enterprise customers’ needs.
- Cautions: Multiple products for different use cases, multiple consoles needed, and their POP footprint is geographically limited.
- Primary offering is Forcepoint ONE integrated with FlexEdge Secure SD-WAN.
- Very strong security capabilities with a robust POP infrastructure.
- Cautions: Their clients report lower customer experience and there is generally limited awareness of Forcepoint in the SASE market.
SASE Niche Players
- VMware SASE has strong SD-WAN functionality, is geographically dispersed, and occasionally includes Workspace ONE for specific requirements.
- Customers report excellent customer experience.
- Cautions: VMware lags in security functionality (requires Workspace ONE for some features).
- Juniper SASE is targeted toward large enterprises.
- Provides strong branch firewall, SD-WAN, secure web access, and data security functionality. They have a large installed base to cross-sell into.
- Cautions: There is limited awareness of Juniper in the SASE space, their POP infrastructure lags behind competitors, and the pricing tends to be very expensive.
Along with the four main quadrants, we also have a list of honorable mentions that were close to making it into a quadrant but missed the mark in some way (as of April 12, 2023). Here’s what Gartner had to say about why they didn’t make the cut:
- Check Point: Didn’t have the number of enterprise customers to be included.
- Cloudflare: Aspects of its single-vendor SASE offering were not generally available (likely SD-WAN).
- Cradlepoint: Aspects of its single-vendor SASE offering were not generally available.
- HPE (Aruba): Aspects of its single-vendor SASE offering were not generally available.
- Netskope: Aspects of its single-vendor SASE offering were not generally available.
As you can see, most of them were missing one or more aspects of single-vendor SASE. The section below will detail which features Gartner required to be included to be in the SASE Magic Quadrant.
Gartner shared a list of product features that must be included to be featured in this report:
- The ability to secure web access via proxy (Secure Web Gateway – SWG)
- In-line malware scanning and data security to cover at least three SaaS enterprise suites (Cloud Access Security Broker – CASB)
- Zero Trust Network Access (ZTNA)
- Everything above must be delivered as a service and be primarily cloud-based.
- SD-WAN via a branch appliance
- Centralized management with both GUI and API
- The ability for customers to manage the solution on their own
- Single-pass scanning for malware/sensitive data
- Single sign-on integration
- Have at least three POPs on two continents each. POPs must offer the full suite of SASE features.
In addition to those feature requirements, the vendors must:
- Have at least 100 unique enterprise customers that have deployed the vendor’s primary SASE offering
- Have at least 25 unique SASE customers, headquartered in two continents, under active support contracts (e.g., 25 customers in Asia and a separate 25 customers in North America)
- Support at least two prominent enterprise use cases for single-vendor SASE, as defined by Gartner.
What Surprised Me Most
In short, I was surprised that Cato wasn’t in the Leader Quadrant along with Palo Alto. From what we’ve seen over the years, Gartner has used Cato as an example of SASE from the very beginning. Gartner also talks about SASE platforms requiring a cloud presence. So, to see Cato in the Challengers Quadrant and see a “caution” of theirs being that they don’t have security functionality in the edge device (i.e., it’s all in the cloud) was shocking, to say the least.
In my opinion, Cato tends to be a fit for a lot of clients looking at a SASE solution. They have a robust cloud-based network security solution paired with POP-based SD-WAN that uses their own network backbone. They have been a “leader” in this space for years. My intention isn’t to discredit Palo Alto. I think they deserve their spot in the Leader Quadrant; I just don’t think they should have been the only one there.
Whether due to this report or not, a lot of the vendors listed here have been making significant improvements in the past few months, so I’m curious to see what this Magic Quadrant looks like next year.