2024 Gartner® Magic Quadrant™ for Single-Vendor SASE

Strategic Planning Assumption

• By 2027, 65% of new software-defined wide-area network (SD-WAN) purchases will be part of a single-vendor SASE offering, an increase from 20% in 2024.

Market Definition/Description

This document was revised on 17 July 2024. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com

Gartner defines single-vendor secure access service edge (SASE) offerings as those that deliver multiple converged-network and security-as-a-service capabilities, such as software-defined wide-area network (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB), network firewalling and zero trust network access (ZTNA). These offerings use a cloud-centric architecture and are delivered by one vendor.

SASE securely connects users and devices with applications. It supports branch office, remote worker and on-premises general internet security, private application access and cloud service consumption use cases.

Must-Have Capabilities

The must-have capabilities for this market include the following functionalities, primarily delivered as a cloud service:

• Secure web access via proxy

• In-line SaaS visibility and access controls

• Identity-, context- and policy-based secure remote access to private applications

• A branch appliance that supports dynamic traffic steering out of multiple physical, locally attached WAN interfaces, with steering based on applications (not just IPs/ports)

• Firewalling to secure traffic bidirectionally across networks

• Centralized management that covers all of the above capabilities of the offering (with both GUI and API) enabling visibility, troubleshooting, reporting and enables granular configuration and policy changes

Standard Capabilities

The standard capabilities for this market include:

• Unified management delivered by a single console covering all capabilities of the offering (with GUI and API) enabling visibility, troubleshooting, reporting, and enabling granular configuration and policy changes

• The ability to secure end-user browsing via RBI or a secure enterprise browser

• Sensitive data visibility and control

Optional Capabilities

The optional capabilities for this market include:

• Security capabilities, such as network sandboxing, DNS protection, SaaS security posture management (SSPM), API-based access to SaaS for data context and configuration information, application layer visibility and protection, and continuous adaptive risk scoring.

• Advanced network functionality, including enhanced internet, private backbone transport, content delivery networks, external DNS services, cloud onramps (simplified and automated integration with public cloud networking services), or advanced branch networking features

Magic Quadrant

Inclusion and Exclusion Criteria

General

• Provide a generally available (GA) single-vendor SASE offering as of 1 March 2024. All components must be publicly available, shipping and be included on the vendors’ published price list as of this date. Products shipping after this date only may influence the Completeness of Vision axis.

• Provide commercial support and maintenance for its enterprise SASE offering (24/7) to support deployments on multiple continents. This includes hardware/software support, access to software upgrades, security patches, troubleshooting and technical assistance.

• Participate in the enterprise SASE market, including actively selling and publicly marketing SASE to enterprises.

Gartner defines “general availability” as the release of a product to all customers. When a product reaches GA, it becomes available through the company’s general sales channel — as opposed to a limited or controlled release, pre-GA, or beta version.

Product

Vendors must have a SASE offering that includes all the following functionality, generally available as of 1 March 2024.

• The ability to secure web access via proxy.

• The ability to enforce SaaS access controls in-line. This requires support for in-line malware scanning and data security to cover at least three SaaS enterprise suites (for example, Microsoft 365, Salesforce and Google Workspace).

• The ability to provide identity- and context-based secure remote policy-based access to private applications (not just network-level access), often referred to as zero-trust network access (ZTNA).

• All of the above functionalities must be operated “as a service” and primarily delivered as a cloud service to customers.

• Firewall capability to secure traffic bidirectionally across networks.

• A branch appliance that supports:

  • Dynamic traffic steering across multiple physical locally attached WAN interfaces.

  • Traffic steering based on well-known applications (not IPs/ports).

  • An appliance that is deployable at a customer’s physical branch location to directly terminate connectivity.

• The ability for customers to define sensitive data inspection policies and apply them via in-line network data inspection.

• An endpoint software agent for connecting users to the SASE offering.

• Centralized management covering all of the above capabilities of the offering (with both GUI and API) enabling provisioning, visibility, troubleshooting, reporting and that enables granular configuration and policy changes.

• The ability for customers to directly manage and administer the full offering themselves, including granular configuration and policy of all SASE functions (commonly referred to as do it yourself [DIY]).

• Single-pass scanning for malware/sensitive data (may be parallelized).

• Support for single sign-on (SSO) integration with third-party identity providers.

• Maintain POP infrastructure meeting all of the following requirements.

1. Located in 15 distinct geographic metropolitan cities, including at least three metropolitan cities each on two separate continents.

1. POPs are in a highly secure facility; and offer the following services locally (intra-POP): firewall, web proxy, private access, and in-line SaaS control in a highly available fashion; and be generally available to all enterprise customers.

1. Vendors must provide a publicly available POP monitoring/status capability and a documented POP SLA.

Global customer relevance and adoption

Vendors must show high relevance to Gartner clients via achieving at least one of the following as of 1 March 2024:

• Overall Adoption: At least 250 unique enterprise customers that have purchased and deployed the vendor’s primary single-vendor SASE offering in a production environment and are under an active commercial support license.

• Recent Adoption: At least 75 new unique enterprise customers that have purchased and deployed the vendor’s primary single-vendor SASE offering in a production environment and are under an active commercial support license. These are customers who purchased the vendor’s single-vendor SASE offering for the first time after 1 March 2023.

• Large Enterprise Adoption: At least 75 large unique enterprise customers that have all purchased and deployed the vendor’s primary single-vendor SASE offering in a production environment and are under an active commercial support license.

Gartner defines “Enterprise” as an organization with at least $50 million in annual revenues and/or 100 to 1,000 employees. Gartner defines “Large Enterprise” as an organization with at least $1 billion in annual revenues and/or over 1,000 employees. Enterprises can be a private for-profit organization or not-for-profit entities such as charitable organizations, government, and education institutions.

Vendors must also show high relevance to Gartner clients via achieving all the following as of 1 March 2024:

• The vendor’s primary offering must address at least two use cases (as defined by Gartner) for single-vendor SASE.

• At least 25 unique SASE customers, headquartered in two continents, under active support contracts; for example, 25 customers in Asia and 25 separate customers in North America.

Magic Quadrant exclusion criteria

Vendors will be excluded from this research for any of the following reasons:

• The vendor is exiting the market or ceasing sales of the product.

• The vendor is ceasing development of new features of the product.

• The vendor’s offering is a collection of individual products that don’t have native integration between them.

• The vendor requires a customer to use three or more management consoles to operate its enterprise SASE offering for the foundational use case.

• The vendor is unable to provide a single-support experience to customers, meaning customers must engage multiple parties for support.

• The vendor relies on other product vendor(s) to deliver the majority of its SASE functionality.

• The vendor only delivers its offering as a managed service.

Evaluation Criteria

Context

The adoption of cloud and edge computing and work-from-anywhere initiatives has radically shifted access requirements. For most organizations, there are now more users, applications and data located outside of an enterprise than inside. Attempts to use traditional perimeter-based approaches to securing anywhere, anytime access have resulted in a patchwork of vendors, policies, consoles and complicated and/or inefficient traffic routing, creating complexity for security administrators and users. At the same time, enterprises are increasingly pursuing zero-trust strategies, but finding meaningful implementations of zero-trust principles can be challenging.

The need to support digital business combined with a desire for a zero-trust security posture while keeping things manageable is the major driver of the single-vendor SASE market.

The reason is that SASE can improve the end-user experience by enabling the same access to digital capabilities, regardless of their location or the location of the application they are accessing. Further, SASE can help organizations adopt a zero-trust security posture by applying consistent identity- and context-based policies, regardless of the type of resource the user is accessing (whether they be internet, cloud services or private applications).

Market Overview

The market for well-architected single-vendor SASE offerings is dynamic and maturing, and SASE interest among our clients has been growing rapidly. Client interest in single-vendor SASE has more than doubled year over year. We estimate there are over 10,000 organizations using a vendor’s primary single-vendor SASE offering. However, many customer implementations have not yet fully enabled all core features of the vendor’s SASE offering. For example, it is common to see enterprises using SD-WAN, firewall and SWG from a SASE vendor but not CASB or ZTNA.

Multiple vendors now have a single-vendor SASE offering (nine qualify for this research); but few offer the required breadth and depth of functionality with integration across all components, a single management plane, and unified data model and data lake.

SASE Adoption Patterns

There are three primary options for SASE adoption:

1. Single-vendor offering

2. A dual-vendor offering that is an explicit pairing of two vendors (typically one for network services and one for security services)

3. Managed SASE

Single-vendor SASE is the exclusive focus of this research.

Market Shifts

From the demand side, end-user priorities are maturing:

• There is still confusion in the market over the term SASE, as it is sometimes used synonymously with cloud-delivered security or SSE.

• Buyers are increasingly preferring unified offerings. This includes a single management console, agent, policy engine underpinned by a single data lake. Further, they desire simplified and unified pricing for the offering.

• Buyers expect worldwide POP coverage that matches their enterprise requirements. Further, buyers are increasingly demanding more options for data and cloud sovereignty, including where traffic is routed, where it is inspected and where logs are stored. In some use cases, buyers are asking for local SASE delivery options, where inspection and logs can be kept local to the customer under their control.

• Digital experience monitoring has moved from an optional feature in 2023 to an expected capability in 2024, to improve troubleshooting and reduce mean time to detect/resolve issues.

• ZTNA is in the early stages of transitioning from being only for remote and mobile users, to an expected capability for users regardless of location (referred to as Universal ZTNA) — even when the user is located in campus or branch locations.

• Coffee shop networking — With hybrid work and the increasing mobile workforce, we see the increasing desire for coffee shop networking use cases where a user can plug in regardless of location and have the “same” experience.

From the supply side, vendors are investing heavily including:

• The multibillion-dollar market opportunity of SASE has attracted new vendors to the market including Cloudflare, HPE, Netskope, Zscaler and others.

• Most SSE vendors now have developed or acquired SD-WAN capabilities. For example, Cloudflare, iBoss and Zscaler all announced SD-WAN capabilities in the last 12 months.

• Most SD-WAN vendors now offer their own security stack. The past 18 months have seen continued acquisitions: HPE acquired Axis, CradlePoint acquired Ericom, and Sonicwall acquired Banyan Security.

• GenAI enhancement within vendor consoles has been a rapid area of innovation over the past 12 months. Initial use cases were around simplified operations (documentation and conversational troubleshooting) but are evolving to broader functionality, including security policy automation and recommended actions.

• Most SASE vendors made strides in unification including reducing the number of consoles or agents required by their customers.

• Vendors are providing customers with a choice of where SASE policies are enforced and are enabling their customers to mix and match enforcement locations across on-premises hardware appliances, on-premises virtual appliances, the vendor’s own POPS and hyperscale-based POPs.

• Some vendors are converging their SD-Branch with SASE offerings to address broader universal ZTNA (consistent zero-trust experience for remote, mobile and on-campus users) requirements with increasingly disparate location types.

Market Direction

In the next six to 18 months, we expect the following changes in the single-vendor SASE market:

• More vendors: We expect several additional vendors to enter the market with a single-vendor SASE offering over the next 12 months.

• GenAI assistants become mandatory: Although GenAI only recently emerged in 2023, GenAI assistants that are integrated natively into a SASE management console will become a mandatory requirement from buyers.

• Price differences stemming from POP strategy: Clients will see notably higher pricing of 25% up to 250% more from vendors that rely exclusively on hyperscaler infrastructure to deliver services, and in different regions. SASE vendors that build solely on hyperscale providers will be at a competitive pricing disadvantage compared to those that own their own infrastructure (or utilize a hybrid approach). This is especially true for hyperscaler-based SWG services where the network egress costs can become significant.

• SASE vendors expand to adjacent markets: There are several security markets immediately adjacent to SASE. For example, addressing endpoint security, endpoint DLP, DSPM, SSPM, microsegmentation, NDR, and network access control use cases. Some vendors are now looking to expand from the integrated SD-WAN capabilities to include wired and wireless networking at branch offices and edge locations.

• Sensitive data discovery and control becomes as important as threat intelligence as buyers evaluate offerings.

• Expanded support for unmanaged devices: Rather than a one-size-fits-all approach, support for unmanaged devices will expand into a spectrum of options including reverse proxies, dissolvable agents, browser plugins, remote browser isolation and local browser isolation (either through separate secure enterprise browser or tighter integration with browser security capabilities exposed by Google and Microsoft).

Evidence

• Gartner analysts have conducted over 500 inquiries discussing single-vendor SASE with clients from April 2023 through April 2024.

• All vendors in this research responded to a request for information (RFI) regarding current and planned capabilities.

• All vendors in this research responded to a prequalification survey to help determine their relevance to enterprise clients.

• All vendors submitted a video demonstration following a script to show specific product capabilities.

• Gartner analysts reviewed relevant reviews from Gartner Peer Insights.

• Gartner analysts reviewed publicly available information, including blogs, vendor technical documentation, product specification sheets and financial information.

• Social media analytics: Gartner conducted social media listening analysis leveraging third-party data tools in calendar year 2023 in all geographies (except China).

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.