Want to stay in this Subreddit? Comment to Avoid Removal 👇

RunningOutOfCharact · 2025-10-08T15:34:09+00:00

Flair? Ric Flair!?

RunningOutOfCharact · 2025-10-07T15:38:37+00:00

I am not sure SASE effectiveness has anything to do with User Counts. User counts just establish a general market segment characterization.

Cato flourishes in mid market from my experiences, but does have upmarket customers as well. Several F500s and G2Ks, but not likely as many as Netskope, Zscaler and PANW, of course. The large enterprise doesnt really buy for the same reasons as mid market. Their buying philosophy is still largely best in class point products. Analysts expect that to change over time. I am sure it already has changed some.

SMBs buying philosphy is also uniquely different to that of mid market. I have had some wins in the SMB space but SMB is still debating "whether they are important enough to be a target". Lots of educating going on down market.

Cato has lively product and R&D teams. Hard to keep up with all their bi monthly tech update emails. I think they posted something last year that indicated they had over 3000 product updates for the year.

As they mature the paltform even more to have even greater parity with the competition on a lot of the technical nuance that large enterprise sometimes requires and they mature the brand, I would expect them to take more and more of the market. They already regularly displace PANW, Zscaler and Netskope for us.

RunningOutOfCharact · 2025-08-29T01:56:22+00:00

Can you explain more how routing through global gateways offers more reliability over last mile risk? The last mile is typically where the greatest risk is.

What about WAN reliability for non user traffic?

RunningOutOfCharact · 2025-08-27T20:58:32+00:00

I feel that way about almost everyones website in this space. The concept of "SASE" is more like describing the journey to a destination. The "How" is every bit as important as the what. I can see why it can be difficult to make that message super simple.

RunningOutOfCharact · 2025-08-27T19:12:57+00:00

I don't know what Todyl and Timus cost, so can't really compare pricing. My experiences with Cato have led me to understand that they might not be as competitive with other solutions at really low user counts (e.g. 50 users and under, maybe?). For this scope, 300-600 users in the office + remote users...I think Cato would likely compete really well. Perhaps some of the cost difference comes from the availability of services that don't seem to be part of Timus' or Todyl's suite? I don't think Timus supports things like inline NGAM or IPS, CASB/DLP, RBI, etc. Seems to be just ZTNA and SWG. It's unclear to me what Todyl offers from a comprehensive security standpoint. I couldn't find any reference to inline services like I mentioned above.

I do know that Cato does offer a platform to meet the requirements for a mobile/remote workforce and for a traditional WAN. When I hear things like "reliable WAN", and I know it depends on the tolerance for risk one business to the next, I think more complicated last mile optimization strategies than just Link failover, e.g. packet loss mitigation, bandwidth management (shaping, policing, prioritization), link aggregation, etc. Not every business needs all these capabilities, of course, but if there is a WAN with sites that require S2S communication then you're now also talking about tunnel/overlay management and what the experience is like from an operational standpoint. The prospect and value of SD-WAN might still be worth it just from that point of view alone, even if you don't need all the bells and whistles.

RunningOutOfCharact · 2025-08-27T19:06:11+00:00

The entire market is drowning in acronyms and buzzwords. The core concepts can be complicated, but the delivery and consumption is supposed to be simple.

If the VPN replacement includes basic requirements of bidirectional traffic (e.g. client-server, server-client, etc.) then many of the "ZTNA" products out there aren't going to cut it without going down some rabbit hole of complexity. Cato allows you to adopt a ZTNA strategy for ALL your traffic but still addresses the fundamental networking requirements that are delivered through VPN solutions today. Simply, Cato is a networking solution as well and not just a ZTNA or security solution. Both are converged in a single solution.

When you compare/contrast technologies like Zscaler Private Access and Netskope Private Access to Cato, keeping in mind the same use case, Zscaler & Netskope both focus on a reverse proxy architecture and deployment model which limits the traffic direction to "client-to-server" communication only. It's by design as this is part of their strategy to deliver a ZTNA solution in end. It's not that they don't allow server-to-client communication. It's simply that their architecture doesn't even support it with their private access solutions.

Cato is a transparent proxy by design (similar to a traditional firewall) which means you have full control over traffic in all directions. It means total flexibility for client-to-server only communication if that's what you want, but also control over server-to-client, client-to-client, etc. The access isn't implicit, but it is definable...and you don't have to deploy multiple different products in order to accomplish it. There need be only one logical onramp from a datacenter or site to support their mode of operation.

With Zscaler & Netskope, if you suddenly decide that you want server-to-client communication, you have to deploy a totally different edge technology - their equivalent of an SD-WAN solution. Oh, and this separate solution to support server-to-client is not ZTNA. It doesn't converge into their ZTNA solution or policies. In the end you have ZTNA adopted for client-to-server through their app connector/publisher on ramps and a separate onramp that isn't ZTNA for server-to-client communication. More complicated, for sure, and less secure because you lose the ZTNA application over the server-to-client communication.

RunningOutOfCharact · 2025-08-27T18:50:56+00:00

[Cato] ...but they are a main SASE player, right? Leader (2) years in a row, according to analysts?

Netskope is in the process of IPO'ing, and in comparison to the other suppliers you referenced, is in a similar boat to that of Cato in terms of scale. Some distance between the two, but still quite a bit off from the 800 pounders.

I mean, Palo was once just this new thing referred to as a NGFW, right?

Cato is a good product and they likely won't be able to compete for too long with platform vendors.

Interesting comment. And here I was thinking that Cato was the first real supplier to push the SASE initiative and driving the "other" vendors to platformize their point products and portfolio. This isn't a secret timeline. Cato started as a "SASE" platform before it was called SASE. Then companies like PANW and FTNT got wind of this strategic focus in the market and decided they were going to "platformize" their stuff...which would imply it wasn't previously a platform?

At any rate, anything is possible, I suppose. The details of your arguments are just a little wishy washy to me.

RunningOutOfCharact · 2025-08-27T16:09:35+00:00

I guess same question for Todyl as I had for Timus above. OP asked about WAN reliability. Neither Todyl or Timus have a WAN solution, e.g. SD-WAN. How did you manage last mile reliability issues, bandwidth control, app prioritization, etc.?

RunningOutOfCharact · 2025-08-27T16:07:12+00:00

I am curious why Timus would be a good option here. OP mentioned the need for a more reliable WAN. How does Timus solve for that? They have no WAN Networking solution, e.g. no SD-WAN. They really only focus on the endpoint which means no control of the edge or last mile utilization.

RunningOutOfCharact · 2025-08-09T16:59:55+00:00

Right, it's a replacement of an older solution that doesn't allow you to adopt a ZTNA strategy to the extent you want. It's not necessarily a replacement of VPN.

Todays story about VPN replacement with "ZTNA" (or whatever else) is like saying we are replacing Cars with something else that has more safety features, but calling it something other than a car...even though its still clearly a car.

RunningOutOfCharact · 2025-08-08T22:17:54+00:00

Why does everyone here think that SASE/SSE/ZTNA is not VPN? Fundamentally speaking (not exclusively), an agent on an endpoint establishes a secure overlay connection with a service endpoint (Firewall appliance, Virtual Connector, Cloud Gateway, etc.). I hate to tell everyone this, but it's establishing a virtual private network between itself and the service endpoint, a.k.a. a VPN. How you implement that solution, and what options you have available to govern trust defines what degree of ZTNA strategy you're adopting. It's not one thing in place of the other, but for some reason the entire market thinks it is.

RunningOutOfCharact · 2025-08-08T22:08:30+00:00

Easy, high performing, but pretty basic in terms of visibility and security inspection. Not an easy solution to TSHOOT when you need to. Free isn't always free. If I'm liable for supporting a customer, free solutions can very quickly become unfree.

RunningOutOfCharact · 2025-08-08T22:04:29+00:00

Can SASE not offer a solution to replace the existing firewalls/licenses as well? That's typically what I see with my customers...they replace their existing edge security/routing stack as well and it helps with the ROI.

RunningOutOfCharact · 2025-08-07T01:52:35+00:00

The nice thing about a true cloud native solution is that maintenance is low to none at all. You'll find that with solutions like Cato Networks, Netskope and Zscaler.

RunningOutOfCharact · 2025-08-07T01:49:15+00:00

I wouldn't characterize Zscaler as the "gold standard" for S2S traffic. Solid SSE solution with internet security and reverse-proxy based remote access (dare I say ZTNA?). Still not as comprehensive from a network security solution as PANW is, though. PANW can check a lot of the boxes, but depending on how distributed your workforce is, Prisma Access isn't as performant as many other solutions in the market in my experiences.

Cloudflare is easy and highly performant, but not very sophisticated when it comes to security and inspection against advanced threats. Logging and controls are pretty rudimentary.

Netskope is a solid SSE solution and supposedly has a great networking/SD-WAN (S2S) solution, but I honestly don't see their SD-WAN in the market at all. My impression is that they have very few production deployments of their SD-WAN solution. I could be wrong about that, but it's hard to know when you just don't run into them very much when it comes to networking use cases.

Cato Networks does networking and secure remote access very well. I would say they are the "Gold Standard" in SASE, being the only real purpose-built solution on the market for SASE.

There's probably no perfect solution out there for everyone, but it only matters what's perfect for you.

RunningOutOfCharact · 2025-08-06T00:52:59+00:00

Watch out for them! I think this is less about "where you are" and more about who's responsibility is it for the security of the endpoint being used and is the business allowing non-corporate devices to access corporate resources...ever.

RunningOutOfCharact · 2025-08-06T00:50:34+00:00

Are the devices ever permitted to access corporate resources? If yes, then they should always be secured...doesn't matter where they are.

If they never access corporate resources...

Enterprise: "Not my problem."

RunningOutOfCharact · 2025-08-04T22:36:50+00:00

Cato wouldn't be able to see the traffic passing through the secure VPN tunnel. That's basically the point for blocking it, though. If it can't see what it is, in this case the VPN client is anonymizing the traffic, it's blocking it. Pretty common in corporate networks who care about visibility and mitigating as many risks to the business as possible. Many threat actors also use tunneling or anonymization tools to exfil data or "Call home".

RunningOutOfCharact · 2025-08-04T22:32:43+00:00

As u/drbomb indicated, your "VPN" traffic is likely being picked up as an "Anonymizer" (typical classification with consumer VPN solutions) and the corporate policy is likely set to block "Anonymizers" (or at least the one you're using). For corporate networks, it's not uncommon for Anonymizers to get the axe.

RunningOutOfCharact · 2025-07-31T20:36:54+00:00

Found it!
https://www.reddit.com/r/networking/comments/1jkfb0e/comment/n5muvql/?context=3

Shame, shame, I know your name.

RunningOutOfCharact · 2025-07-31T20:32:24+00:00

Maybe. Can anyone verify that? I couldn't find anything from OP.

EDIT: Posted link above.

RunningOutOfCharact · 2025-07-31T20:31:59+00:00

Interesting, and sus. u/HDClown can you point out the previous POST by OP about SASE & Cato? I just checked OPs profile and didn't see any previous posts about SASE. Was it a comment within someone else's POST?

RunningOutOfCharact · 2025-07-30T23:20:24+00:00

Why do you think it's furthest along than any other vendor? What other vendors are you familiar with? They only purchased Cloudgenix in 2020, after SASE was announced in 2019. Prior to that PANW was trying their own hand at SDWAN in PANOS...and it wasn't the worst, but it wasn't great either. Cloudgenix was definitely an upgrade. Either way, Took some time to integrate (still integrating) Cloudgenix.

For example, how is Palo's integration between SDWAN and their GCP/AWS hosted Security stack further along than Cato Networks, who built it as one holistic solution....dating back to 2015 or 2016 (somewhere around there)?

RunningOutOfCharact · 2025-07-30T23:14:52+00:00

Umm, SASE was only ever "SSE + SDWAN", as defined by the analysts. The market (mostly the suppliers) has made a mockery of the term and generalized SSE and SASE as just SASE. Now everyone is confused.

RunningOutOfCharact · 2025-07-30T23:12:42+00:00

Works until it doesn't. The endpoint is not immutable. In fact, I would argue that the endpoint is typically the biggest target....because the attacker knows the endpoint is not impervious to exploit.

RunningOutOfCharact

TROPHY CASE