Themes: SD-WAN & SASE Industry Review 2024 (Pt.3)
Summary
- In Part 3 (the final part) we share our thoughts on SASE and which vendors will prosper as various trends merge with SASE.
- We discuss SASE and overlapping trends such as AIOps, XDR/MDR, WANaaS, SASO (Convequity's term), and browser security.
- Companies discussed include PANW, FTNT, NET, ZS, MSFT, VMware/Broadcom, Netskope, Cato Networks, and Perimeter 81.
Thoughts on SASE 2023
- PANW has a high vision score due to its CloudGenix acquisition being allocated within Prisma SASE instead of Strata NGFW. This means PANW prioritizes its emerging business instead of its existing cash cow and majority revenue stream. This is a bold move that increases PANW's strength in SASE but may weaken its potential in SD-WAN, which is more on-prem focused and where integration with the NGFW is more important. To speed up its time-to-market during the period when ZS was rapidly scaling up, PANW didn't spend the time integrating Prisma SASE with its existing PAN-OS for NGFW. This resulted in multiple single-pane-of-glass UIs for PANW's customers. Compared to FTNT's move, this reduces PANW's competitiveness for customers with heavy branch infra demands but is compelling to customers who want to buy a fully cloud-native suite, which is closer to ZS' customer profile. Given CloudGenix's thin-client and enterprise-focused nature, Prisma SASE is pretty expensive, similar to PANW's overall market positioning. Compared to other strong SD-WAN players, it seems PANW has not invested further in the core SD-WAN functionality. One indicator is that three years after the acquisition, CloudGenix still doesn't offer FEC (Forward Error Correction) and steering control, two technologies important for SD-WAN to ensure business-critical applications maintain high performance and availability and to ensure the network remains adaptable as conditions change.
- For Gartner, CSCO and Proofpoint score high in vision while Versa and Cato score low in vision. This is absurd except for the reason that these vendors spend more money, time, and effort in pleasing Gartner and aligning themselves with vendor briefings.
- Similarly, FTNT got punished for its great emphasis on on-prem SASE instead of cloud-delivered SASE. FTNT's high perf/$, branch networking and security, and automated functions are not counted as visionary in Gartner's definition.
- CSCO focuses on selling cheap and providing multiple SKUs as a bundle, which is CSCO's typical modus operandi. CSCO is able to price at 1/3 of competitors' prices because it has a larger product suite and existing customer relationships that can significantly lower the S&M cost. However, even Gartner is able to recognize that CSCO has a significant legacy drag. Overall, in our view, CSCO's true position should be swapped with Versa's and Cato's.
- Cato’s offering lacks certain capabilities around SaaS control and visibility, data security, and SD-WAN features locally on its appliance. Cato has just passed $100m in ARR, and much like other startups in networking, this is a very slow on-ramp even for a world-class team and execution, unlike greenfield opportunities like cloud security, where Wiz is able to scale up to $100m in 18 months. It is tedious work for any networking startup to offer a comprehensive networking + security suite, as it requires tons of R&D and engineering resources and lengthy piloting with customers. Therefore, for the most important customer category, large US enterprises, Cato is not very attractive. Cato is more compelling for mid-market customers who don't have complex requirements and are more appreciative of Cato's integrated agile platform. It will take Cato another 2-3 years to mature, but given its founder's previous experience at Imperva, it shouldn't be an impossible job for them to complete the missing pieces of the puzzle towards a comprehensive SASE.
- VMware’s offering lags competitors in security functionality, including SaaS control/visibility and data security. This is understandable given VMW has just started its SSE business as a SASE player. VMW's core is its SD-WAN solution, which has wide market adoption, cost-effectiveness, and a good user experience. If AVGO is able to integrate it well, VMW can integrate with Symantec's tier 1 CASB, DLP, and SWG. The caveat is that integrating multiple vendors with technical debt is not easy, and it may halt other new product developments. On a net-net basis, however, the combined entity should be able to offer a very competitive product suite at attractive prices for legacy customers who don't find next-gen cloud-native solutions well suited to their demands.
Trends
AIOps
AI NetOps + SecOps will continue to appear on more customers' radars and in their evaluation criteria. For every $1 spent on the product, networking customers need to spend $3 on operations. Therefore, as part of modernization, customers want to automate as much as they can, especially in the era of GenAI. Solutions like DEM (Digital Experience Management) are especially compelling for IT desks because they are often flooded with repetitive service tickets and the associated manual investigations required. Automated remediation for the network and security stack will dramatically reduce the burden on operators, and help customers counter the rising labour shortage and wage increases.
- Within this landscape, PANW is the leader in SecOps.
- FTNT is the leader in NetOps and is good in SecOps too.
- Netskope has good DEM and operational automation features.
- ZS is quickly cross-selling its DEM solution but its automation capabilities look limited due to technical debt.
- CSCO has invested a lot in AIOps for NetOps, but its product isn't very disruptive/innovative, though we may see a significant improvement after SPLK becomes the foundational data layer with a tier 1 SOAR and SecOps capabilities added, especially for legacy and on-prem focused customers.
- Versa and Cato are busy building and maturing their platforms as startups; therefore, we expect them to make fewer moves in this regard.
When it comes to Policy Generation & Management and Product Deployment & Maintenance, so far it seems FTNT and Netskope are the leaders. FTNT has advanced automation features, while Netskope's next-gen architecture in both SSE and SD-WAN should support customers with greater agility.