{"version":"2026.1","canonical":[{"id":"Q-IZ-01","category":"Identity / ZTNA","text":"Describe how your platform enforces zero trust access to private applications, including user, group, device posture and application-level controls."},{"id":"Q-IZ-02","category":"Identity / ZTNA","text":"Which identity providers do you support natively, and what protocols (SAML, OIDC, SCIM, device-trust APIs) are supported end-to-end?"},{"id":"Q-IZ-03","category":"Identity / ZTNA","text":"How are third-party and contractor users granted least-privilege access, and how is that access reviewed and revoked?"},{"id":"Q-SC-01","category":"SWG / CASB / DLP","text":"Describe your SWG, CASB and DLP capabilities and how they share a single policy engine."},{"id":"Q-SC-02","category":"SWG / CASB / DLP","text":"Which SaaS applications do you support via API CASB, and what actions are available (visibility, posture, data protection)?"},{"id":"Q-SC-03","category":"SWG / CASB / DLP","text":"How do you handle TLS inspection, including exception management for sensitive categories such as banking and healthcare?"},{"id":"Q-SC-04","category":"SWG / CASB / DLP","text":"Describe your DLP capabilities — predefined classifiers, custom regex, EDM/IDM, OCR — and the workflow for incident triage."},{"id":"Q-FT-01","category":"FWaaS / Threat","text":"Describe your FWaaS, IPS, anti-malware and sandboxing stack and how consistent policy is applied to branch, roaming and cloud egress."},{"id":"Q-FT-02","category":"FWaaS / Threat","text":"How frequently are IPS signatures, threat intelligence and ML models updated, and how are emergency rules pushed?"},{"id":"Q-FT-03","category":"FWaaS / Threat","text":"Describe your sandbox detonation capability: supported file types, detonation environments and integration with the SWG/CASB inline flow."},{"id":"Q-SD-01","category":"SD-WAN Integration","text":"Describe how your SD-WAN integrates with your SSE stack — single vendor, partnered, or third-party — and where the 
policy boundary sits."},{"id":"Q-SD-02","category":"SD-WAN Integration","text":"How are SASE PoPs selected per branch, and how is failover handled across primary, backup and 4G/5G links?"},{"id":"Q-SD-03","category":"SD-WAN Integration","text":"Describe support for application-aware routing, including SaaS-specific optimisations (e.g. Microsoft 365, EHR systems)."},{"id":"Q-LS-01","category":"Logging / SIEM","text":"Which log types are captured (access, threat, DLP, admin, audit), at what retention, and how can we export them to our SIEM or cold storage?"},{"id":"Q-LS-02","category":"Logging / SIEM","text":"How are admin actions audited, and how is the audit log protected from tampering?"},{"id":"Q-DR-01","category":"Data Residency","text":"Where are customer data, logs and metadata stored and processed, and which regions can we select for our tenant?"},{"id":"Q-DR-02","category":"Data Residency","text":"Provide a current list of sub-processors, their locations, and the controls applied to their access."},{"id":"Q-SM-01","category":"Service Model","text":"Describe your service model — managed, co-managed or self-managed — and the exact split of responsibilities with the customer."},{"id":"Q-SM-02","category":"Service Model","text":"What SLAs apply to support response, restoration of service and change requests? 
What credits apply for breach?"},{"id":"Q-DP-01","category":"Deployment","text":"Describe a typical deployment plan for an estate of our size, including pilot, phased rollout and steady-state hand-over."},{"id":"Q-DP-02","category":"Deployment","text":"How is configuration for sites and users automated, and how are changes tested and rolled back?"},{"id":"Q-CM-01","category":"Commercials","text":"Describe your pricing model — per-user, per-site or hybrid — and what is included vs priced separately."},{"id":"Q-CM-02","category":"Commercials","text":"Provide a worked example for our user and site count, including a year-on-year view for the proposed term."},{"id":"Q-CM-03","category":"Commercials","text":"How are growth, reductions and exit handled within the term? Are auto-renewal clauses applied?"},{"id":"Q-VE-01","category":"Vendor Evidence","text":"Provide your current security and compliance certifications (SOC 2 Type II, ISO 27001, ISO 27701, etc.) with expiry dates."},{"id":"Q-VE-02","category":"Vendor Evidence","text":"Share recent independent test results relevant to SASE (CyberRatings, NSS, MITRE evaluations)."},{"id":"Q-VE-03","category":"Vendor Evidence","text":"Provide at least two customer references in our sector with comparable scale and complexity."}],"sector_packs":{"retail_ecommerce":{"label":"Retail and e-commerce","sections":[{"title":"SD-WAN: Payment Resilience & Connectivity","questions":[{"id":"ret-1.1","text":"Does the solution support per-packet steering to ensure that a primary link \"brownout\" does not cause a timeout on a live PDQ/POS credit card transaction?","buyer_lens":"In a busy UK high-street shop, a 30-second delay in card processing at the till leads to abandoned baskets. 
We need failover to 4G/5G to be instantaneous and transparent.","supplier_lens":"A good answer demonstrates how the appliance detects jitter or loss and moves the specific POS session to the backup link in <100ms.","netify_note":""},{"id":"ret-1.2","text":"Detail the appliance's ability to manage 4G/5G and Satellite (e.g. Starlink) as active-active underlays. How does the system handle the high-frequency latency spikes inherent in satellite?","buyer_lens":"For rural stores or retail parks with poor fibre, we rely on cellular or Starlink. The SD-WAN must intelligently smooth out the satellite jitter.","supplier_lens":"Must confirm use of path conditioning or forward error correction for high-latency links.","netify_note":""},{"id":"ret-1.3","text":"Can the appliance trigger a failover based on RSRP/RSRQ (cellular signal quality) thresholds rather than just \"Up/Down\" status?","buyer_lens":"A weak 5G signal is often worse than no signal. We need the system to know when cellular quality is too poor for payments.","supplier_lens":"Describe how radio-quality metrics drive proactive path decisions for payment-sensitive traffic.","netify_note":""}]},{"title":"SD-WAN: PCI DSS 4.0 & Security Segmentation","questions":[{"id":"ret-2.1","text":"Can the solution enforce a hard VRF-level isolation between the Cardholder Data Environment (CDE) and the Guest WiFi network across all sites?","buyer_lens":"Under PCI DSS 4.0, we must prove that guest traffic cannot reach our till systems. Centralised management is critical for our annual QSA audit.","supplier_lens":"Must confirm use of VRF or distinct zones centrally pushed via the orchestrator.","netify_note":""},{"id":"ret-2.2","text":"Does the integrated IPS include virtual patching to protect legacy POS hardware that can no longer receive official security updates?","buyer_lens":"We have older till systems that are difficult to replace. 
We need the SD-WAN's firewall to block known exploits targeting these specific legacy vulnerabilities.","supplier_lens":"Explain how exploit signatures and compensating controls protect unsupported POS endpoints.","netify_note":""}]},{"title":"SD-WAN: In-Store WiFi & Customer Analytics","questions":[{"id":"ret-3.1","text":"Does the integrated WiFi capability support the export of presence data (RSSI/MAC) to third-party analytics platforms to view dwell times and busy areas of the store?","buyer_lens":"We need to know which aisles are busy so we can adjust staffing or product placement.","supplier_lens":"Ability to export data via API or webhooks to platforms like RetailNext or Skyfii.","netify_note":""},{"id":"ret-3.2","text":"Can the solution enforce dynamic bandwidth caps on the Guest WiFi VLAN to ensure that a customer watching video doesn't slow down the stock-check application?","buyer_lens":"Customer WiFi is a nice-to-have, but store operations are a must-have. We need business apps to always have gold priority.","supplier_lens":"Describe QoS enforcement, bandwidth guarantees, and policy separation between guest and operational traffic.","netify_note":""}]},{"title":"SD-WAN: Deployment & Rapid Provisioning","questions":[{"id":"ret-4.1","text":"Describe the Zero-Touch Provisioning (ZTP) process for a store using only 4G/5G for the first 30 days. Can the device configure itself via cellular?","buyer_lens":"BT often takes months to install a line. We need to open a store on Monday using just a SIM card, with config pulling automatically from the cloud.","supplier_lens":"Confirmation that the appliance can boot and connect to the orchestrator using a cellular dongle or internal SIM.","netify_note":""},{"id":"ret-4.2","text":"How does the solution handle a golden template push to 1,000+ stores? Can site-specific variables (local IPs, VLAN IDs) be managed centrally?","buyer_lens":"We cannot manually log into 1,000 routers to change a DNS setting. 
We need one change that propagates to every shop in seconds.","supplier_lens":"Explain template inheritance, variables, bulk rollout controls, and safeguards for nationwide changes.","netify_note":""}]},{"title":"SD-WAN: SLAs, Uptime & Performance","questions":[{"id":"ret-5.1","text":"Does the vendor provide a financial SLA based on application performance (latency/jitter) rather than just link uptime?","buyer_lens":"A link that is technically up but too slow to process a payment is useless. We need the SLA to reflect the user experience.","supplier_lens":"Detailed service credit table for violations of jitter or packet loss thresholds.","netify_note":""},{"id":"ret-5.2","text":"What is the Mean Time to Repair (MTTR) for a hardware failure in a Tier-1 city versus a remote regional town?","buyer_lens":"If a store goes dark on a Saturday, we need an engineer on-site with a replacement box within 4 hours.","supplier_lens":"Provide support geography, replacement logistics, and contract-backed repair commitments.","netify_note":""}]},{"title":"SD-WAN: Support & Operational Models","questions":[{"id":"ret-6.1","text":"Can we grant our store managers read-only access to view their own shop's status while keeping write access with the central IT team?","buyer_lens":"Empowers store staff to check if the internet is down without letting them accidentally delete the firewall rules.","supplier_lens":"Describe RBAC granularity and site-scoped dashboards for non-technical users.","netify_note":""},{"id":"ret-6.2","text":"What is the average time for a configuration change to be pushed from the orchestrator to 500 edge devices?","buyer_lens":"During a security emergency, we need to know the fix hits every till in the country immediately.","supplier_lens":"Share expected rollout times, queuing logic, and verification methods for large estates.","netify_note":""}]},{"title":"SD-WAN: Reporting & Traffic Performance","questions":[{"id":"ret-7.1","text":"Does the reporting dashboard 
distinguish between in-store sales, inventory sync, and guest traffic?","buyer_lens":"We need to see how much bandwidth our real-time stock sync is using compared to customers browsing the web.","supplier_lens":"Describe application classification and dashboard breakdowns relevant to retail operations.","netify_note":""},{"id":"ret-7.2","text":"Can the dashboard show per-user or per-device performance metrics for the last 60 minutes?","buyer_lens":"If the manager says my handheld scanner is slow, we need to see exactly what that device was doing 10 minutes ago.","supplier_lens":"Explain device-level historical telemetry, drill-downs, and troubleshooting visibility.","netify_note":""}]},{"title":"SD-WAN: Disaster Recovery & Backup","questions":[{"id":"ret-8.1","text":"If the primary data centre hosting the SD-WAN orchestrator fails, what is the recovery time for store management?","buyer_lens":"We cannot lose visibility of 1,000 stores because the vendor's cloud had an outage.","supplier_lens":"Provide orchestrator DR architecture, RTO/RPO, and effect on live trading if control systems fail.","netify_note":""},{"id":"ret-8.2","text":"Are device configurations backed up automatically? Can a replacement device be restored simply by plugging it in (ZTP)?","buyer_lens":"If a box gets stolen or breaks, the new one should learn what to do the moment it's connected to the internet.","supplier_lens":"Describe config backup frequency, secure storage, and zero-touch recovery for failed hardware.","netify_note":""}]},{"title":"SD-WAN: Device Capability & Throughput","questions":[{"id":"ret-9.1","text":"What is the total PoE+ power budget of the appliance? 
Can it power 4 Access Points and 2 IP cameras simultaneously?","buyer_lens":"Reduces the need for extra power sockets and cabling in a small retail unit.","supplier_lens":"Provide power budget, supported endpoint mix, and any derating conditions.","netify_note":""},{"id":"ret-9.2","text":"What is the maximum throughput when AES-256 encryption and Deep Packet Inspection (DPI) are both enabled?","buyer_lens":"We need to ensure the box can handle our 1Gbps fibre link without becoming a bottleneck.","supplier_lens":"State real-world throughput under full inspection and encryption, not headline best-case figures.","netify_note":""}]},{"title":"SD-WAN: Cloud Integration","questions":[{"id":"ret-10.1","text":"How does the solution optimise the path from the store directly to our Azure-hosted ERP?","buyer_lens":"Avoids hair-pinning traffic through the head office, which reduces lag for stock updates.","supplier_lens":"Describe direct cloud on-ramp logic, path selection, and Azure-specific routing optimisation.","netify_note":""}]},{"title":"SD-WAN: WiFi Analytics & Customer Profile Data","questions":[{"id":"ret-11.1","text":"Does the integrated WiFi solution support the export of anonymised MAC address and RSSI data via API to third-party retail analytics engines?","buyer_lens":"We need to measure capture rates and dwell times in specific zones to optimise store layout.","supplier_lens":"Evidence of compatibility with analytics platforms such as RetailNext or Euclid.","netify_note":""},{"id":"ret-11.2","text":"Does the edge hardware include an integrated BLE radio for push-notifications and wayfinding within large-format stores?","buyer_lens":"We want to send welcome-back offers to customers' loyalty apps the moment they walk through the door.","supplier_lens":"Confirmation of BLE 5.0 or higher support and integration with retail marketing SDKs.","netify_note":""}]},{"title":"SD-WAN: Traffic Performance & Application Failover","questions":[{"id":"ret-12.1","text":"In the 
event of a link failure, does the solution maintain the session state for persistent TCP applications such as Inventory Management Systems (IMS)?","buyer_lens":"If the primary fibre drops, we cannot have the store manager's stock-check session time out.","supplier_lens":"Demonstration of seamless session persistence where the application is unaware that a physical path change occurred.","netify_note":""},{"id":"ret-12.2","text":"Can the orchestrator dynamically adjust QoS profiles based on a schedule, such as Black Friday or Boxing Day peak trading hours?","buyer_lens":"During peak sales, we must prioritise POS and PDQ traffic above all else. We want to automatically throttle staff training videos during these windows.","supplier_lens":"Describe scheduled policy changes, automation, and controls for temporary peak-trading priorities.","netify_note":""}]},{"title":"SD-WAN: Admin, Ease of Configuration & Templates","questions":[{"id":"ret-13.1","text":"Does the orchestrator provide automated alerts if a local store's configuration deviates from the golden template?","buyer_lens":"We need to ensure no store has gone rogue with its security settings, potentially creating a PCI compliance gap.","supplier_lens":"Evidence of configuration auditing and auto-remediation to force devices back into compliance.","netify_note":""},{"id":"ret-13.2","text":"Describe the process for pushing a security policy update to 500+ stores simultaneously. 
Can these be scheduled for out-of-hours windows automatically?","buyer_lens":"We need to ensure updates don't happen mid-day, potentially disrupting the tills during trading hours.","supplier_lens":"Explain bulk scheduling, maintenance windows, rollback handling, and change controls.","netify_note":""}]},{"title":"SD-WAN: DIY, Co-Managed & Fully Managed Models","questions":[{"id":"ret-14.1","text":"Can the management portal provide granular Role-Based Access Control (RBAC) so our internal UK IT team can manage store WiFi while the vendor manages core routing?","buyer_lens":"We want to keep control over the customer experience (WiFi) but offload the complex routing and ISP management to a specialist.","supplier_lens":"Demonstration of portal permission tiers for read-only, write-WiFi, and full admin.","netify_note":""},{"id":"ret-14.2","text":"If a managed service is selected, do you take full ownership of third-party ISP fault reporting and escalation?","buyer_lens":"Our IT team shouldn't be calling BT or Virgin. We need the SD-WAN provider to be the single point of accountability for the entire store connection.","supplier_lens":"Clarify whether the managed service includes full carrier management, escalations, and supplier coordination.","netify_note":""}]},{"title":"SD-WAN: Support, Backup & Disaster Recovery","questions":[{"id":"ret-15.1","text":"Is the SD-WAN orchestrator hosted in a geo-redundant cloud environment? 
What is the impact on store operations if the orchestrator is offline?","buyer_lens":"If the vendor's cloud fails, our stores must continue to trade and process payments locally without interruption.","supplier_lens":"Confirmation of control-plane separation, where stores continue to route traffic even if the management platform is down.","netify_note":""},{"id":"ret-15.2","text":"Does the edge appliance store a last known good configuration locally for emergency recovery without internet access?","buyer_lens":"If a store loses all connectivity, the local engineer needs to be able to factory reset and have the box revert to a basic working state.","supplier_lens":"Explain offline recovery workflows and safeguards for restoring local connectivity.","netify_note":""}]},{"title":"SD-WAN: Reporting & Global Visibility","questions":[{"id":"ret-16.1","text":"Can the reporting engine generate a top 10 worst performing sites report based on application latency and jitter?","buyer_lens":"We need to know which stores are struggling before the manager complains, allowing us to proactively upgrade the local circuits.","supplier_lens":"Describe estate-wide benchmarking reports and proactive site performance analytics.","netify_note":""},{"id":"ret-16.2","text":"Can a service desk agent view the real-time performance of a single MAC address (e.g. 
a specific till) to see its current latency and signal strength?","buyer_lens":"Essential for troubleshooting the till is slow complaints without needing to be on-site.","supplier_lens":"Explain real-time endpoint telemetry and support workflows for pinpointing store-side issues.","netify_note":""}]},{"title":"SD-WAN: Device Capability & Throughput (Continued)","questions":[{"id":"ret-17.1","text":"How many LAN ports are available on the branch appliance, and how many support PoE+ (802.3at)?","buyer_lens":"In a small retail unit, we want to plug our VoIP phones and CCTV directly into the SD-WAN box to avoid buying a separate switch.","supplier_lens":"Provide physical port counts, PoE capability, and branch deployment trade-offs.","netify_note":""},{"id":"ret-17.2","text":"Is the appliance fanless and rated for deployment in non-ventilated areas, such as a small cabinet under a till?","buyer_lens":"Many shops don't have server rooms. The equipment must survive in cramped, dusty, and uncooled spaces.","supplier_lens":"Share environmental operating limits and suitability for constrained retail back-office spaces.","netify_note":""}]},{"title":"SD-WAN: Cloud Integration (Omnichannel ERP)","questions":[{"id":"ret-18.1","text":"How does the solution automate the on-ramp to our cloud-hosted ERP? Does it use virtual appliances or API-integrated peering?","buyer_lens":"To ensure omnichannel inventory accuracy, the store needs the fastest possible path to the cloud-hosted stock database.","supplier_lens":"Describe automated cloud connectivity models, onboarding steps, and peering options for ERP access.","netify_note":""}]},{"title":"SSE: Zero Trust Network Access (ZTNA)","questions":[{"id":"ret-19.1","text":"Describe the process for providing agentless, browser-based access to internal web-based POS management tools for third-party vendors.","buyer_lens":"We have external contractors who maintain our till software. 
We cannot allow them to install a VPN client; we need a secure front door via a standard web browser.","supplier_lens":"A good answer demonstrates an HTML5-based reverse proxy that secures the session without client-side software.","netify_note":""},{"id":"ret-19.2","text":"How does the ZTNA policy handle identity-aware access for staff who float between different retail branches?","buyer_lens":"If a store manager covers a different branch, their access permissions must follow them automatically based on their login, not their location.","supplier_lens":"Integration with IdPs like Azure AD to apply rules based on user groups rather than static IP addresses.","netify_note":""},{"id":"ret-19.3","text":"Does the ZTNA service mask internal store assets from public internet discovery (the dark cloud effect)?","buyer_lens":"We want our internal store servers to be invisible to hackers scanning the internet.","supplier_lens":"Explain how internal assets are hidden from unsolicited internet discovery and exposure.","netify_note":""},{"id":"ret-19.4","text":"Can the solution enforce least privilege access, restricting a maintenance vendor to a single IP/Port on a specific store controller?","buyer_lens":"We don't want a CCTV contractor accidentally (or intentionally) accessing our PDQ terminal subnet.","supplier_lens":"Describe app-level policy precision and per-resource access controls for third parties.","netify_note":""},{"id":"ret-19.5","text":"Detail the session persistence logic when a store manager switches from the back-office WiFi to a 4G/5G mobile connection.","buyer_lens":"We cannot have sessions timing out and requiring re-authentication every time a manager walks into a signal dead zone.","supplier_lens":"Explain roaming resilience, session handling, and re-authentication triggers across network changes.","netify_note":""},{"id":"ret-19.6","text":"Describe the inside-out connectivity model. Does it require any inbound ports (e.g. 
443) to be opened on the store firewall?","buyer_lens":"Opening ports is a security risk. We require a solution that uses an outbound connector only.","supplier_lens":"Clarify whether inbound exposure is avoided entirely and how connectors are established securely.","netify_note":""},{"id":"ret-19.7","text":"How does the ZTNA service handle high-latency links (e.g. Starlink or busy 4G) for RDP-based machine maintenance?","buyer_lens":"Remote control tools become unusable if the ZTNA broker adds significant jitter to an already variable satellite link.","supplier_lens":"Provide expected overheads and optimisation methods for interactive admin sessions over unstable links.","netify_note":""},{"id":"ret-19.8","text":"Can the solution trigger a re-authentication prompt specifically when a user attempts to access sensitive production databases?","buyer_lens":"We want step-up MFA for high-risk actions, even if the user is already logged into the ZTNA.","supplier_lens":"Explain contextual access policies and adaptive authentication for sensitive systems.","netify_note":""},{"id":"ret-19.9","text":"Does the solution support continuous identity verification throughout the duration of the session?","buyer_lens":"If a user's risk score changes, the session must be terminated immediately.","supplier_lens":"Describe continuous risk evaluation and how active sessions are revoked when trust changes.","netify_note":""},{"id":"ret-19.10","text":"What is the average millisecond overhead added by your UK-based ZTNA brokers for a UK-to-UK connection?","buyer_lens":"Performance is king. 
If the broker is in Frankfurt, our UK store managers will suffer unnecessary lag.","supplier_lens":"Provide broker location strategy and real-world latency overhead for UK traffic.","netify_note":""}]},{"title":"SSE: Secure Web Gateway (SWG)","questions":[{"id":"ret-20.1","text":"Can the SWG enforce a read-only policy for web-based personal email to prevent store staff from exfiltrating customer lists?","buyer_lens":"We allow staff to check Gmail on breaks, but we must block them from attaching a CSV of our loyalty members to a personal email.","supplier_lens":"Describe granular web controls for mail access modes, attachments, and user actions.","netify_note":""},{"id":"ret-20.2","text":"Detail the latency overhead for TLS 1.3 decryption for users accessing web-based POS systems.","buyer_lens":"Security inspection shouldn't slow down the till. If decryption adds 200ms of lag, the cashier experience suffers.","supplier_lens":"Provide real-world latency overhead data under TLS 1.3 inspection for business-critical apps.","netify_note":""},{"id":"ret-20.3","text":"How does the gateway handle newly registered domains (NRDs) registered within the last 24 hours?","buyer_lens":"Many retail phishing attacks use fresh domains. 
We need an automated block on any domain younger than 30 days.","supplier_lens":"Describe age-based domain risk controls and tuning options for phishing prevention.","netify_note":""},{"id":"ret-20.4","text":"Can the SWG block specific in-app functions, such as disabling the share button in LinkedIn or upload in Dropbox?","buyer_lens":"We want to allow professional networking but prevent the upload of company-confidential promotional plans.","supplier_lens":"Explain granular SaaS controls for uploads, shares, posts, and risky user actions.","netify_note":""},{"id":"ret-20.5","text":"Does the solution provide coaching pages that explain to a staff member why a site was blocked, in plain English?","buyer_lens":"Reduces service desk tickets if the staff understand that the site was blocked for malware rather than just a generic error.","supplier_lens":"Describe user-facing block pages, policy education, and support ticket reduction features.","netify_note":""},{"id":"ret-20.6","text":"Describe the local breakout logic for trusted UK government or banking sites to reduce PoP load.","buyer_lens":"We don't need to inspect traffic to HMRC; we want that to go direct to save bandwidth.","supplier_lens":"Explain selective bypass or local breakout policies for low-risk trusted services.","netify_note":""},{"id":"ret-20.7","text":"How does the SWG handle credential phishing detection at the page-rendering level?","buyer_lens":"We need to stop staff from entering their corporate Azure AD password into a fake Microsoft login page.","supplier_lens":"Describe page-level phishing detection, brand impersonation checks, and credential guard features.","netify_note":""},{"id":"ret-20.8","text":"Is there a bypass mechanism for specific mission-critical URLs that may break under SSL inspection?","buyer_lens":"Certain proprietary till APIs might fail if decrypted. 
We need an easy way to whitelist them.","supplier_lens":"Explain exception handling, approvals, and targeted bypass for fragile business applications.","netify_note":""},{"id":"ret-20.9","text":"Can the SWG generate a top 10 high-risk users report based on web-browsing behaviour across the retail estate?","buyer_lens":"We need to proactively identify staff who are visiting hundreds of high-risk sites before a breach occurs.","supplier_lens":"Describe user risk scoring, behavioural analytics, and reporting for unsafe browsing activity.","netify_note":""},{"id":"ret-20.10","text":"Does the SWG integrate with your remote browser isolation (RBI) for uncategorised or suspicious URLs?","buyer_lens":"If a site is unknown, don't block it—isolate it in the cloud so it's safe to view.","supplier_lens":"Explain native SWG-to-RBI flow and how suspicious browsing is isolated without disrupting users.","netify_note":""}]},{"title":"SSE: Cloud Access Security Broker (CASB)","questions":[{"id":"ret-21.1","text":"Can the CASB distinguish between our corporate Microsoft 365 tenant and an employee's personal OneDrive account?","buyer_lens":"We must stop staff from moving store pricing spreadsheets from our official SharePoint to their personal cloud storage.","supplier_lens":"Describe tenant awareness and policy separation between sanctioned and personal SaaS accounts.","netify_note":""},{"id":"ret-21.2","text":"Does the CASB provide real-time user entity behaviour analytics (UEBA) to detect bulk downloads from the cloud ERP?","buyer_lens":"If a head-office employee suddenly downloads 5,000 product SKUs, we need an immediate alert for a potential insider threat.","supplier_lens":"Describe anomaly detection, download thresholds, and alerting for cloud data abuse.","netify_note":""},{"id":"ret-21.3","text":"How does the CASB secure data accessed from unmanaged devices (e.g. 
an executive's home iPad)?","buyer_lens":"We want to allow them to view a report but block the download to a device we don't control.","supplier_lens":"Explain access policies for unmanaged devices, including view-only or restricted modes.","netify_note":""},{"id":"ret-21.4","text":"Can the solution automatically redact sensitive customer data (like card numbers) as it appears in a cloud-based CRM?","buyer_lens":"Our support agents don't need to see the full credit card number to help a customer with a return.","supplier_lens":"Describe inline redaction and masking controls inside sanctioned SaaS apps.","netify_note":""},{"id":"ret-21.5","text":"Describe the process for automatically unsharing a file that has been shared with an external Gmail/Outlook account.","buyer_lens":"If an employee accidentally makes a store revenue folder public, the CASB should kill that link instantly.","supplier_lens":"Explain external sharing controls, auto-remediation, and response times for revoking exposure.","netify_note":""},{"id":"ret-21.6","text":"Does the CASB offer API-based scanning of our existing cloud data (at rest)?","buyer_lens":"We need to find sensitive data that was uploaded before we put the CASB in place.","supplier_lens":"Describe API connectors, retroactive scanning, and classification of data already in SaaS.","netify_note":""},{"id":"ret-21.7","text":"Can the CASB block app-to-app permissions (OAuth) for high-risk third-party integrations?","buyer_lens":"We need to stop staff from giving a free PDF converter access to their entire corporate mailbox.","supplier_lens":"Explain OAuth app discovery, risk scoring, and revocation controls.","netify_note":""},{"id":"ret-21.8","text":"How frequently is the cloud app discovery database updated with new SaaS ratings?","buyer_lens":"New apps appear every day; we can't wait months for the vendor to categorise them.","supplier_lens":"Provide update cadence and process for classifying newly discovered SaaS 
apps.","netify_note":""},{"id":"ret-21.9","text":"Can the CASB detect impossible travel alerts (e.g. a login from London and Manchester within 5 minutes)?","buyer_lens":"A classic sign of a compromised account that needs to be locked down immediately.","supplier_lens":"Describe identity anomaly detection and how impossible travel events are actioned.","netify_note":""},{"id":"ret-21.10","text":"Does the CASB support self-healing remediation for M365 configuration drift?","buyer_lens":"If a security setting is changed in M365, the CASB should change it back to our golden standard automatically.","supplier_lens":"Explain configuration baselines, drift detection, and automatic rollback or remediation.","netify_note":""}]},{"title":"SSE: Data Loss Prevention (DLP)","questions":[{"id":"ret-22.1","text":"Can the DLP engine perform OCR on images to identify PDQ receipts or credit card numbers?","buyer_lens":"To prevent fraud, the system must read images attached to emails and block them if they contain payment data.","supplier_lens":"Describe OCR quality, supported formats, and confidence handling for payment-related image data.","netify_note":""},{"id":"ret-22.2","text":"Does the solution support exact data matching (EDM) for our specific 12-digit loyalty card formats?","buyer_lens":"We need the system to recognise our loyalty numbers specifically to avoid blocking innocent 12-digit strings.","supplier_lens":"Explain custom identifier matching and tuning to reduce false positives.","netify_note":""},{"id":"ret-22.3","text":"How does the DLP handle data in motion across encrypted chat applications like Slack or Teams?","buyer_lens":"We need to ensure sensitive store keys or codes aren't shared via internal chat.","supplier_lens":"Describe DLP enforcement for enterprise chat, message inspection, and policy response options.","netify_note":""},{"id":"ret-22.4","text":"Can the DLP engine detect partial document matching for engineering or marketing designs?","buyer_lens":"If 
someone copies just two paragraphs of a new season plan, the system should catch the fragment.","supplier_lens":"Explain document fingerprinting and partial-match sensitivity for fragments of sensitive content.","netify_note":""},{"id":"ret-22.5","text":"Describe the justification workflow when a user is blocked from sending a file.","buyer_lens":"If a manager has a valid reason to send a file, they should be able to override with a logged explanation.","supplier_lens":"Describe override workflows, approvals, and audit trails for justified exceptions.","netify_note":""},{"id":"ret-22.6","text":"Can the DLP scan within compressed file formats (e.g. .zip, .rar) and multi-level nested folders?","buyer_lens":"It is a common trick to zip stolen data to hide it from scanners.","supplier_lens":"Explain archive inspection depth, supported formats, and limits for nested content scanning.","netify_note":""},{"id":"ret-22.7","text":"Does the system provide pre-built templates for the UK Data Protection Act 2018?","buyer_lens":"We don't want to build rules from scratch for UK GDPR; we want them out of the box.","supplier_lens":"Describe policy templates and localisation for UK privacy requirements.","netify_note":""},{"id":"ret-22.8","text":"Can the system prevent data exfiltration via print screen or copy to clipboard for web-based apps?","buyer_lens":"Essential for stopping contractors from stealing machine data without even downloading a file.","supplier_lens":"Explain user action controls for clipboard, printing, and screenshot-like exfiltration paths.","netify_note":""},{"id":"ret-22.9","text":"How does the DLP engine handle fingerprinting of sensitive PDF or Excel templates?","buyer_lens":"We want the system to know our price list template and block it if it leaves the network.","supplier_lens":"Describe how structured documents are fingerprinted and matched even when edited or renamed.","netify_note":""},{"id":"ret-22.10","text":"What is the process for triaging DLP 
alerts? Is there a dedicated forensics dashboard for our UK security officer?","buyer_lens":"We need clear evidence for our HR or Legal teams if an employee is caught stealing data.","supplier_lens":"Describe investigation workflows, evidence retention, and analyst tooling for DLP incidents.","netify_note":""}]},{"title":"SSE: Remote Browser Isolation (RBI)","questions":[{"id":"ret-23.1","text":"Can RBI be triggered automatically for uncategorised websites visited from in-store kiosks?","buyer_lens":"Kiosks are high-risk. If a user navigates to a suspicious site, it must be isolated in the cloud so malware never touches the hardware.","supplier_lens":"Describe policy-driven RBI triggers for high-risk or unknown browsing on shared devices.","netify_note":""},{"id":"ret-23.2","text":"Does the RBI support pixel-pushing rendering to ensure no active code reaches the store endpoint?","buyer_lens":"We want a glass wall—the user sees the site, but the actual code stays in a cloud container.","supplier_lens":"Explain rendering method and how executable content is prevented from reaching endpoints.","netify_note":""},{"id":"ret-23.3","text":"Can you enforce read-only mode within an RBI session to prevent any file downloads?","buyer_lens":"Users can look at the site, but they can't bring any files back into our network.","supplier_lens":"Describe read-only browsing modes and download restrictions inside isolated sessions.","netify_note":""},{"id":"ret-23.4","text":"How does the RBI handle clipboard controls? 
Can we block copy/paste between the isolated browser and the local machine?","buyer_lens":"Prevents users from copying data out of a secure portal into their local notes.","supplier_lens":"Explain clipboard policy controls and isolation boundaries for browser sessions.","netify_note":""},{"id":"ret-23.5","text":"Does the RBI service sanitise downloaded files by converting them to safe PDFs?","buyer_lens":"If a user must download a manual, the system should strip out all active macros first.","supplier_lens":"Describe file reconstruction or sanitisation capabilities for safe content retrieval.","netify_note":""},{"id":"ret-23.6","text":"Describe the performance impact for streaming video (e.g. YouTube training) through an isolated browser.","buyer_lens":"Training videos shouldn't be choppy just because they are being isolated.","supplier_lens":"Provide expected user experience and performance considerations for streamed content under RBI.","netify_note":""},{"id":"ret-23.7","text":"Can the RBI be used for safe previewing of email attachments?","buyer_lens":"If a staff member gets a suspicious invoice, they can view it in RBI without risk of infection.","supplier_lens":"Explain safe viewing workflows for suspicious files and mail attachments using RBI.","netify_note":""},{"id":"ret-23.8","text":"Is the RBI solution natively integrated into your SWG agent, or is it a separate client?","buyer_lens":"We want a zero-touch experience for our staff.","supplier_lens":"Clarify whether users need additional software or if isolation is native to the existing agent stack.","netify_note":""},{"id":"ret-23.9","text":"Can we set a timed session for RBI to automatically log out users after their break?","buyer_lens":"Prevents kiosks from being left in an open, isolated state for hours.","supplier_lens":"Explain session timeout controls and auto-logoff rules for shared browsing scenarios.","netify_note":""},{"id":"ret-23.10","text":"Does the RBI solution support in-session keyboard and 
mouse event monitoring for forensics?","buyer_lens":"If a breach is suspected, we need to know exactly what the user was doing in that browser.","supplier_lens":"Describe session recording or forensic options available for investigating isolated browsing incidents.","netify_note":""}]},{"title":"SSE: Firewall as a Service (FWaaS)","questions":[{"id":"ret-24.1","text":"Does the cloud firewall support geo-blocking to prevent all traffic from high-risk regions from hitting our till systems?","buyer_lens":"We have no business in certain countries. We want to block every packet from those regions by default.","supplier_lens":"Describe region-based enforcement and how geo-blocking is applied to critical systems.","netify_note":""},{"id":"ret-24.2","text":"Can the FWaaS enforce different security rules based on the store format (e.g. Flagship vs. Express)?","buyer_lens":"Our larger stores have more IoT and back-office servers; they need a more complex firewall profile than a small shop.","supplier_lens":"Explain policy segmentation by branch type, operational model, or estate classification.","netify_note":""},{"id":"ret-24.3","text":"Describe the local breakout capability for direct internet access at the store edge while maintaining cloud-delivered security.","buyer_lens":"We don't want to backhaul all store traffic to HQ; it should go direct to the cloud firewall PoP.","supplier_lens":"Describe direct-to-internet store architecture while preserving central inspection and control.","netify_note":""},{"id":"ret-24.4","text":"How does the FWaaS handle IP reputation filtering for incoming connections?","buyer_lens":"Automatically block known bad IPs like Tor exit nodes or known botnets.","supplier_lens":"Explain threat intelligence feeds, reputation scoring, and block actions for hostile IPs.","netify_note":""},{"id":"ret-24.5","text":"Does the FWaaS provide dedicated egress IPs for our retail estate?","buyer_lens":"Our suppliers whitelist our IP. 
If our SASE IP changes every week, we'll be locked out of our supply chain.","supplier_lens":"Describe reserved egress options, stability guarantees, and support for supplier allowlists.","netify_note":""},{"id":"ret-24.6","text":"Can the FWaaS perform Layer-7 application inspection to block proxy-bypass tools like Ultrasurf?","buyer_lens":"Staff shouldn't be able to use tunnelling apps to bypass our web filters.","supplier_lens":"Describe application-layer detection for evasion tools and bypass utilities.","netify_note":""},{"id":"ret-24.7","text":"Describe the failover process between your cloud PoPs. If your London PoP goes down, where does our traffic go?","buyer_lens":"We need 99.999% uptime for our tills.","supplier_lens":"Explain traffic failover logic, resilience testing, and expected impact when a PoP is unavailable.","netify_note":""},{"id":"ret-24.8","text":"Can the FWaaS generate a top 10 blocked attacks report for our monthly security board meeting?","buyer_lens":"We need to show the business the value of the investment by highlighting blocked threats.","supplier_lens":"Describe executive security reporting, attack trend summaries, and board-ready outputs.","netify_note":""},{"id":"ret-24.9","text":"How does the FWaaS integrate with our identity provider (Azure AD) for user-aware firewall rules?","buyer_lens":"Rules should be based on role, not just IP address.","supplier_lens":"Explain identity-aware policy design and user/group-based firewall enforcement.","netify_note":""},{"id":"ret-24.10","text":"Is the FWaaS policy engine version controlled? 
Can we roll back a change if it breaks store connectivity?","buyer_lens":"If a firewall change kills the tills at 10 AM, we need to undo it in seconds.","supplier_lens":"Describe policy versioning, approvals, and fast rollback during incidents.","netify_note":""}]},{"title":"SSE: IPS / IDS","questions":[{"id":"ret-25.1","text":"Does the IPS provide virtual patching for legacy POS hardware that can no longer receive official security updates?","buyer_lens":"We have older tills that are vulnerable. We need the network firewall to block exploits targeting these specific machines.","supplier_lens":"Explain how legacy endpoints are protected using signature-based and compensating controls.","netify_note":""},{"id":"ret-25.2","text":"How quickly are zero-day signatures updated in your global IPS engine?","buyer_lens":"We need to be protected against new threats within hours, not days.","supplier_lens":"Provide update cadence, intelligence sources, and emergency response timelines for new threats.","netify_note":""},{"id":"ret-25.3","text":"Does the IPS identify lateral movement attempts between store till VLANs and office VLANs?","buyer_lens":"If one PC is infected, the IPS should stop it from trying to find the tills.","supplier_lens":"Explain east-west detection capabilities for in-store segmentation breaches and propagation attempts.","netify_note":""},{"id":"ret-25.4","text":"Does the IPS support high-throughput inspection for busy data centre backhaul links?","buyer_lens":"It shouldn't become a bottleneck for our main inventory synchronisation.","supplier_lens":"State inspection throughput at scale and how performance is preserved on high-volume links.","netify_note":""},{"id":"ret-25.5","text":"Can the IPS generate an automated alert for DDoS activity targeting a specific store?","buyer_lens":"We need to know if a store is being flooded so we can switch to 4G/5G failover.","supplier_lens":"Explain DDoS detection thresholds, store-level alerting, and integration 
with failover processes.","netify_note":""}]},{"title":"SSE: DNS Security","questions":[{"id":"ret-26.1","text":"How does the DNS security layer handle command & control (C2) callbacks from infected IIoT devices?","buyer_lens":"If a digital sign is hacked, it will try to phone home. We need to block that call at the DNS level.","supplier_lens":"Explain DNS-layer detection and blocking of malicious beaconing from store-connected IoT devices.","netify_note":""},{"id":"ret-26.2","text":"Can we enforce different DNS policies for guest WiFi versus staff WiFi?","buyer_lens":"Customers shouldn't be able to access hacking sites on our free WiFi.","supplier_lens":"Describe network-segment-aware DNS policy controls for guests and staff.","netify_note":""},{"id":"ret-26.3","text":"Does the DNS filtering support SafeSearch enforcement for search engines and YouTube?","buyer_lens":"Ensures a professional store environment on all staff-accessible devices.","supplier_lens":"Explain content safety controls enforced through DNS policies.","netify_note":""},{"id":"ret-26.4","text":"How does the system handle DNS over HTTPS (DoH) which often bypasses traditional filters?","buyer_lens":"We need to ensure staff can't use DoH to sneak past our security rules.","supplier_lens":"Describe methods for detecting, blocking, or controlling unauthorised encrypted DNS channels.","netify_note":""},{"id":"ret-26.5","text":"Can the DNS service provide a geo-heatmap of where blocked requests are trying to go?","buyer_lens":"Helps us see if our store estate is being targeted by a specific foreign botnet.","supplier_lens":"Explain reporting on blocked DNS destinations and geographic threat visibility.","netify_note":""}]},{"title":"SSE: Device Posture / Endpoint Context","questions":[{"id":"ret-27.1","text":"Can access to the central Inventory system be denied if the device's antivirus is disabled or out of date?","buyer_lens":"If a store manager's laptop is dirty, we don't want it anywhere near our 
central database.","supplier_lens":"Describe endpoint posture signals and access denials based on unhealthy security state.","netify_note":""},{"id":"ret-27.2","text":"Does the posture check verify that disk encryption (BitLocker) is active before granting a ZTNA session?","buyer_lens":"If a manager loses their laptop on a train, we need to know the data was encrypted.","supplier_lens":"Explain disk-encryption posture checks and how they influence access decisions.","netify_note":""},{"id":"ret-27.3","text":"Can the system distinguish between a corporate managed laptop and a personal device?","buyer_lens":"Personal devices should have far more restrictive access than corporate-imaged ones.","supplier_lens":"Describe how device ownership and management state are identified and enforced.","netify_note":""},{"id":"ret-27.4","text":"Does the posture check integrate natively with our EDR (e.g. CrowdStrike) to pull risk scores?","buyer_lens":"Use the security tools we already pay for to make better access decisions.","supplier_lens":"Explain integrations with endpoint tools and how external risk scores feed access policy.","netify_note":""},{"id":"ret-27.5","text":"Can we enforce a minimum OS version for all handheld scanners on the floor?","buyer_lens":"Scanners running ancient Android versions are a massive security hole.","supplier_lens":"Describe OS version posture checks for specialised retail endpoints.","netify_note":""},{"id":"ret-27.6","text":"Describe the remediation workflow for a user whose device fails a posture check.","buyer_lens":"Tell the manager why they are blocked so they can fix it themselves.","supplier_lens":"Explain user messaging, self-remediation guidance, and helpdesk escalation for posture failures.","netify_note":""},{"id":"ret-27.7","text":"Can the posture check verify the presence of a specific corporate certificate in the local store?","buyer_lens":"The strongest way to ensure the device actually belongs to our 
company.","supplier_lens":"Describe certificate-based trust and how device certificates are validated in access decisions.","netify_note":""},{"id":"ret-27.8","text":"How frequently is the device posture re-evaluated during an active session?","buyer_lens":"If a user turns off their antivirus after logging in, they should be kicked off immediately.","supplier_lens":"Explain posture refresh cadence and session revocation when compliance changes mid-session.","netify_note":""},{"id":"ret-27.9","text":"Can we set different posture requirements based on the sensitivity of the application?","buyer_lens":"Checking the staff canteen menu needs less security than payroll.","supplier_lens":"Explain adaptive posture enforcement based on app criticality and data sensitivity.","netify_note":""},{"id":"ret-27.10","text":"Does the posture check support geo-fencing? (e.g. deny access if the device is physically outside the UK).","buyer_lens":"If a corporate laptop appears in a country where we have no stores, it's a major red flag.","supplier_lens":"Describe location-aware posture and access restrictions based on geographic policy.","netify_note":""}]},{"title":"SSE: SaaS Security Posture Management (SSPM)","questions":[{"id":"ret-28.1","text":"Does the SSPM tool provide automated remediation for misconfigurations in our SAP S/4HANA or Microsoft 365 tenants?","buyer_lens":"We need a system that doesn't just find a security hole but can automatically fix it based on our UK data residency rules.","supplier_lens":"A dashboard showing config drift and the ability to toggle auto-remediation for critical security settings.","netify_note":""},{"id":"ret-28.2","text":"Can the SSPM audit the app-to-app permissions (OAuth) granted by our employees to third-party cloud tools?","buyer_lens":"Employees often grant read/write access to their email or files to free productivity apps. 
We need to see and revoke these hidden data access points.","supplier_lens":"Comprehensive OAuth token discovery and revocation capabilities across connected SaaS platforms.","netify_note":""}]},{"title":"SSE: Cloud Email Security","questions":[{"id":"ret-29.1","text":"How does the solution protect against Business Email Compromise (BEC) and look-alike domain attacks targeting our supply chain?","buyer_lens":"We are at risk of invoice fraud where a hacker impersonates one of our suppliers.","supplier_lens":"Use of AI and machine learning to analyse communication patterns and detect identity spoofing.","netify_note":""}]},{"title":"SSE: Threat / Malware Protection — ATP & Sandboxing","questions":[{"id":"ret-30.1","text":"Does the sandbox environment support human-interaction simulation to defeat malware that waits for a mouse click before executing?","buyer_lens":"Modern evasive malware can tell it's in a sandbox and will stay dormant until it thinks a real person is using the machine.","supplier_lens":"Detailed breakdown of anti-evasion techniques used within the sandboxing engine.","netify_note":""}]},{"title":"SSE: Identity & Access (IdP) Integration","questions":[{"id":"ret-31.1","text":"Does the solution support SCIM for automated user provisioning and de-provisioning?","buyer_lens":"When an employee leaves, their access to the stores, ERP, and ZTNA must be revoked instantly across the whole SSE stack.","supplier_lens":"Native SCIM 2.0 support for automated lifecycle management with major IdPs (Azure AD, Okta, etc.).","netify_note":""}]},{"title":"SASE: Converged Outcomes","questions":[{"id":"ret-32.1","text":"Does the SASE solution utilise an SLA-backed private Tier-1 backbone for the middle mile?","buyer_lens":"For our international stores, using the public internet is too unpredictable. 
We need a backbone that guarantees sub-200ms latency between the UK and our Asia-Pacific sites.","supplier_lens":"Specific list of Tier-1 peering partners and a contractually backed latency/jitter matrix between global PoPs.","netify_note":""},{"id":"ret-32.2","text":"Describe the techniques used to optimise traffic across the global backbone, specifically regarding TCP Window Scaling and Packet Loss Mitigation.","buyer_lens":"Large inventory files often fail to sync over long distances due to standard internet protocols timing out.","supplier_lens":"Look for mentions of TCP proxying or fast TCP where the PoP acknowledges packets locally.","netify_note":""},{"id":"ret-32.3","text":"Detail how the SASE fabric provides direct cloud on-ramp to our ERP instance in Azure (UK South) without hair-pinning traffic.","buyer_lens":"If our store staff have to go from the shop, to a central HQ, and then to Azure, the lag will make the ERP unusable.","supplier_lens":"Confirmation of virtual PoPs or direct peering within the same data centres as the major cloud providers.","netify_note":""},{"id":"ret-32.4","text":"Can the SASE orchestrator manage Transit Gateway Peering across multiple cloud providers (e.g. AWS and Google Cloud) through a single interface?","buyer_lens":"We use AWS for customer analytics and Google Cloud for AI-powered inventory. 
We need a single way to manage the secure pipes.","supplier_lens":"Demonstration of a multi-cloud fabric where the SASE vendor automates routing between different cloud VPCs.","netify_note":""},{"id":"ret-32.5","text":"Does the solution offer application-specific acceleration for non-web protocols such as CIFS/SMB or MAPI?","buyer_lens":"Our merchandising teams frequently open large product images from remote file shares.","supplier_lens":"Proof of deduplication and caching techniques that only send changed blocks of data across the WAN.","netify_note":""},{"id":"ret-32.6","text":"How does the solution ensure low-latency access for UK-based mobile users who are travelling to high-risk regions or areas with poor local peering?","buyer_lens":"When our senior buyers are on-site at a supplier in Asia, they still need fast access to UK-based inventory servers.","supplier_lens":"Evidence of a global PoP map and auto-closest-PoP logic in the client software.","netify_note":""},{"id":"ret-32.7","text":"In a fully managed SASE model, who is the single point of contact for an end-to-end performance issue?","buyer_lens":"We don't want our IT team stuck in a blame game between the security vendor and the ISP.","supplier_lens":"Definition of the service integration and management role within the managed service contract.","netify_note":""},{"id":"ret-32.8","text":"What is the SLA for emergency security changes (e.g. 
blocking a specific IP during an active attack)?","buyer_lens":"If we are under attack at 3 AM on a Saturday, we cannot wait for a next business day ticket.","supplier_lens":"24/7 NOC/SOC availability with a 15-minute or 30-minute SLA for urgent security blocks.","netify_note":""},{"id":"ret-32.9","text":"Does the managed SASE portal allow our internal team to view real-time digital experience metrics for individual store users?","buyer_lens":"When a store manager complains the network is slow, we need to instantly see if it's their local WiFi, the ISP, or the SASE PoP.","supplier_lens":"A demo of digital experience monitoring tools providing a hop-by-hop breakdown of the user's connection.","netify_note":""},{"id":"ret-32.10","text":"Can you provide static, dedicated egress IPs for our SASE traffic to ensure compatibility with our suppliers' IP-whitelisting firewalls?","buyer_lens":"Our key suppliers only allow connections from known IPs. If the SASE uses shared IPs that change every week, we will be constantly locked out of our supply chain portals.","supplier_lens":"Option for reserved egress IPs dedicated solely to the customer's organisation.","netify_note":""}]}],"count":130},"manufacturing":{"label":"Manufacturing","sections":[{"title":"SD-WAN: The \"OT-First\" Performance Fabric","questions":[{"id":"man-1.1","text":"Can the solution dynamically steer traffic based on a Jitter threshold of <5ms?","buyer_lens":"In Automotive Robotics, jitter above 5ms causes robotic arm desynchronisation and \"Line Stops.\"","supplier_lens":"A good answer demonstrates sub-second path switching without session loss or \"flapping.\"","netify_note":"Jitter is the variation in packet arrival time; in Industry 4.0, consistency is more important than raw speed."},{"id":"man-1.2","text":"Can the system enable 1:1 Packet Duplication across dual-active circuits for critical safety/PLC traffic?","buyer_lens":"Essential for \"Zero-Loss\" production lines where a single dropped packet 
triggers an emergency shutdown.","supplier_lens":"Must confirm support for per-packet duplication (not just session-based) across disparate ISPs.","netify_note":"Packet duplication sends the same data over two paths; the receiver simply discards the second packet that arrives."},{"id":"man-1.3","text":"Can the appliance trigger a failover based on RSRP/RSRQ thresholds rather than just a simple \"Up/Down\" ping?","buyer_lens":"Logistics hubs often have \"zombie\" 5G connections that are technically active but too weak for handheld scanner traffic.","supplier_lens":"Evidence of deep integration with the 5G modem firmware for signal-quality routing.","netify_note":"RSRP (Reference Signal Received Power) measures the actual strength of the cellular signal, not just its presence."},{"id":"man-1.4","text":"Detail the bandwidth overhead of your FEC algorithm when set to \"Aggressive\" mode.","buyer_lens":"We need to know if enabling FEC on a 100Mbps link reduces usable capacity to 60Mbps.","supplier_lens":"Should provide a table showing FEC levels (Low/Med/High) vs Bandwidth consumption.","netify_note":"FEC adds parity data to the stream so the receiver can reconstruct lost packets without a re-request."},{"id":"man-1.5","text":"Does the solution support Starlink, 4G, and Fibre as active-active underlays without proprietary exchange equipment, especially in regions with diverse infrastructure risks?","buyer_lens":"In high-risk regions, relying on a single vendor's connectivity or having limited underlay options can introduce significant operational and security vulnerabilities. We need resilient and diverse connectivity to avoid \"vendor lock-in\" and ensure continuous operation.","supplier_lens":"Confirmation of \"Bring Your Own Bandwidth\" (BYOB) support and examples of successful multi-underlay deployments in politically or geographically unstable regions. 
Detail how the solution maintains performance across disparate and potentially unreliable networks.","netify_note":"An \"Underlay\" is the physical circuit (e.g. BT Fibre) that the SD-WAN \"Overlay\" sits on top of. Diversity in underlays is a key resilience factor, particularly in areas with heightened risk."},{"id":"man-1.6","text":"How does the solution specifically optimise non-cacheable SAP S/4HANA traffic into Azure/AWS?","buyer_lens":"If the ERP lags, the shop floor cannot log inventory or sequence parts in real-time.","supplier_lens":"Look for \"Book-ended\" optimisation using a virtual appliance in the Cloud VPC.","netify_note":"Cloud On-Ramp automatically finds the shortest path from the factory to the SAP cloud instance."},{"id":"man-1.7","text":"State the average millisecond latency between your primary UK PoP and the London Azure region (UK South).","buyer_lens":"Minimising the \"Middle Mile\" latency is critical for Digital Twin synchronisation.","supplier_lens":"Provision of a latency matrix for the UK and European PoPs.","netify_note":"A PoP (Point of Presence) is the physical entry point into the vendor's high-speed network."},{"id":"man-1.8","text":"Does the system support \"Local Breakout\" for Microsoft 365 based on URL-path recognition?","buyer_lens":"Prevents \"hair-pinning\" office traffic through a central data centre, freeing up capacity for OT.","supplier_lens":"Demonstration of dynamic URL/IP database updates for Office 365.","netify_note":"Local Breakout allows trusted internet traffic to leave the site directly rather than being backhauled."},{"id":"man-1.9","text":"Do you offer TCP Termination to mitigate the impact of high-latency global hops on large file transfers?","buyer_lens":"Essential for global sites where CAD files take hours to sync due to \"TCP Windowing\" issues.","supplier_lens":"Confirmation if the appliance acts as a local proxy to acknowledge TCP packets.","netify_note":"TCP Termination \"tricks\" the sender into 
thinking the receiver is closer than they actually are."},{"id":"man-1.10","text":"Can the orchestrator automatically provision VPN peering into Google Cloud (GCP) via a native API?","buyer_lens":"We need to be able to spin up new production environments in the cloud without manual CLI work.","supplier_lens":"Demonstration of API-driven multi-cloud peering.","netify_note":"An Orchestrator is the \"central brain\" that manages all SD-WAN devices from one screen."},{"id":"man-1.11","text":"State the AES-256 encrypted throughput with all security features (IPS/DPI) enabled.","buyer_lens":"Vendors often quote \"naked\" throughput; we need the \"real-world\" figure with security on.","supplier_lens":"Must provide performance data for \"Security On\" vs \"Security Off.\"","netify_note":"DPI (Deep Packet Inspection) allows the firewall to look inside the data to see what the app is actually doing."},{"id":"man-1.12","text":"Do you offer hardware with IP67 rating or fanless designs for high-temperature machine cabinets?","buyer_lens":"Standard IT kit will fail in a dusty, 40°C factory environment.","supplier_lens":"List of ruggedised hardware models and their operating temperature ranges.","netify_note":"IP67 means the device is dust-tight and can survive immersion in water."},{"id":"man-1.13","text":"Does the edge appliance feature physical RS-232/485 ports for legacy machine connectivity?","buyer_lens":"Critical for connecting older CNC machines that do not have an Ethernet port to the network.","supplier_lens":"Technical specs of serial port availability and protocol translation (Modbus/TCP).","netify_note":"Serial-to-IP allows modern networks to communicate with machines built in the 1990s."},{"id":"man-1.14","text":"Does the appliance support Native WiFi 6 for rugged handheld scanners on the plant floor?","buyer_lens":"Avoids the cost of buying separate Access Points for small warehouse pop-ups.","supplier_lens":"Confirm WiFi 6 support and the maximum number of 
concurrent connected devices.","netify_note":"WPA3 is the latest, most secure standard for protecting wireless networks."},{"id":"man-1.15","text":"Does the hardware support dual internal power supplies or 24V/48V DC inputs?","buyer_lens":"Factory rails often use DC power; we shouldn't need a separate AC inverter for the network box.","supplier_lens":"Confirmation of DC power input options for industrial racks.","netify_note":"Dual power supplies ensure the device stays on if one power source fails."},{"id":"man-1.16","text":"Can we push a single \"Golden Configuration\" to 100+ sites simultaneously while maintaining site-specific variables?","buyer_lens":"Avoids \"configuration drift\" and reduces the risk of human error during mass updates.","supplier_lens":"Show how \"variables\" (like local IPs) are handled within a master template.","netify_note":"A \"Golden Config\" is a master template that ensures every site is set up exactly the same way."},{"id":"man-1.17","text":"Describe the ZTP process: Does it require a \"Staging\" phase or is it truly \"Plug-and-Play\"?","buyer_lens":"We need to ship a box to a remote site and have a forklift driver plug it in without needing an engineer.","supplier_lens":"Walkthrough of the \"Phone Home\" process for a new device.","netify_note":"ZTP allows a device to configure itself automatically as soon as it touches the internet."},{"id":"man-1.18","text":"Describe the safety mechanism if a scheduled firmware update fails at a remote site.","buyer_lens":"If an update fails at 2 AM, the factory must still be able to ship at 6 AM.","supplier_lens":"Confirm \"Dual-Partition\" boot or automated rollback to the previous stable version.","netify_note":"Dual-partition means the device keeps the old \"good\" software while it tries to install the new one."},{"id":"man-1.19","text":"Can we grant \"Read-Only\" access to local OT engineers for diagnostics while central IT retains \"Write\" rights?","buyer_lens":"Empowers local teams to 
see what's wrong without letting them accidentally break the global network.","supplier_lens":"Overview of RBAC levels in the management portal.","netify_note":"RBAC ensures people only have access to the specific settings they need for their job."},{"id":"man-1.20","text":"Can the platform export network health data via REST API into our existing OEE dashboard?","buyer_lens":"We want the \"Network Health\" to be a metric on our main production dashboard.","supplier_lens":"Provide documentation for the API endpoints available for monitoring.","netify_note":"OEE (Overall Equipment Effectiveness) is a standard metric for measuring manufacturing productivity."},{"id":"man-1.21","text":"Can we retain control over Application Routing Policies while you manage the physical hardware and OS?","buyer_lens":"We need to be able to reprioritise traffic during a \"Line Down\" event without waiting for a support ticket.","supplier_lens":"Confirmation of a co-managed support model vs fully managed.","netify_note":"Co-management is a \"shared\" model where the vendor handles the hardware and you handle the business rules."},{"id":"man-1.22","text":"What is the Mean Time to Repair (MTTR) for a hardware failure at a global site?","buyer_lens":"A dead box in a remote plant is a total production outage. 
We need a 4-hour replacement guarantee.","supplier_lens":"Detailed list of \"On-Site\" response times by region.","netify_note":"MTTR measures how long it takes, on average, to get a failed system back up and running."},{"id":"man-1.23","text":"What is the average \"Config Propagation Time\" from the orchestrator to 50 edge devices globally?","buyer_lens":"If we push a security fix, we need to know it hits every site in seconds, not minutes.","supplier_lens":"Performance metrics for the management control plane.","netify_note":"Control Plane is the \"signalling\" layer that carries the commands from the orchestrator to the devices."},{"id":"man-1.24","text":"Can your service desk manage third-party ISP tickets on our behalf using our existing LOAs?","buyer_lens":"We don't want to be the middleman between the SD-WAN vendor and BT/Virgin when a link goes down.","supplier_lens":"Detailed \"Carrier Management\" service description.","netify_note":"LOA (Letter of Authority) allows a vendor to speak to your ISP on your behalf."},{"id":"man-1.25","text":"What site-specific documentation (e.g. 
\"As-Built\" diagrams) is provided post-deployment?","buyer_lens":"We need clear records for our internal auditors and for future maintenance.","supplier_lens":"Sample \"Project Handover\" pack.","netify_note":"An \"As-Built\" is a diagram showing exactly how the network was installed, not just how it was designed."},{"id":"man-1.26","text":"Can the system map internal DSCP/CoS tags from the factory floor directly into SD-WAN priority queues?","buyer_lens":"Ensures that \"High Priority\" traffic from the PLC remains \"High Priority\" as it crosses the WAN.","supplier_lens":"Demonstration of Layer 3 QoS tag preservation.","netify_note":"QoS (Quality of Service) acts like a \"Fast Lane\" for important data like voice or machine commands."},{"id":"man-1.27","text":"Can the SD-WAN create isolated \"Islands\" for OT vs IT traffic at Layer 2?","buyer_lens":"Prevents a laptop virus in the office from spreading to the production PLC network.","supplier_lens":"Explanation of VRF or VLAN-based isolation at the edge.","netify_note":"Micro-segmentation is like having internal firewalls between every machine on the floor."},{"id":"man-1.28","text":"Does the dashboard provide per-packet granularity reporting for the last 24 hours of traffic?","buyer_lens":"When a robot stops, we need to see exactly what happened to the packets at that specific second.","supplier_lens":"Demonstration of high-fidelity telemetry dashboards.","netify_note":"Telemetry is the continuous stream of data that tells you how the network is \"feeling.\""},{"id":"man-1.29","text":"Does the integrated IPS include specific signatures for SCADA/ICS vulnerabilities?","buyer_lens":"We need protection against threats specifically designed to target factory equipment.","supplier_lens":"List of OT-specific threat intelligence feeds used.","netify_note":"IPS (Intrusion Prevention System) acts like a \"Bouncer\" that blocks known bad traffic."},{"id":"man-1.30","text":"What is the financial penalty/service credit if 
the \"Application Performance SLA\" is missed?","buyer_lens":"A generic \"Uptime SLA\" is useless if the link is up but too slow to run the factory.","supplier_lens":"Detailed service credit table for Jitter/Latency violations.","netify_note":"A \"Service Credit\" is money back if the vendor doesn't meet the promised performance levels."},{"id":"man-1.31","text":"Is the solution fully IPv6-ready for modern Industrial IoT (IIoT) sensor integration?","buyer_lens":"Future-proofing for when we have thousands of sensors that require unique IP addresses.","supplier_lens":"Roadmap for full IPv6 stack support.","netify_note":"IPv6 is the new version of IP addresses; it provides trillions more addresses than the old IPv4."},{"id":"man-1.32","text":"How many PoE+ ports are available on the branch appliance to power local IP cameras?","buyer_lens":"Reduces the need for extra power sockets and cabling for security cameras on the floor.","supplier_lens":"Hardware spec sheet for PoE budget.","netify_note":"PoE (Power over Ethernet) sends electricity through the same cable as the data."},{"id":"man-1.33","text":"Can the IPS shield Legacy Windows XP/7 machines from \"EternalBlue\" style exploits?","buyer_lens":"We can't patch the machine, so we need the network to \"cloak\" the vulnerability.","supplier_lens":"Demonstration of \"Virtual Patching\" policy enforcement.","netify_note":"Virtual Patching blocks an attack at the network gate before it can reach the vulnerable machine."},{"id":"man-1.34","text":"Quantify the latency overhead added by the encryption engine during high-throughput loads.","buyer_lens":"If encryption adds 10ms of delay, it might push our robotics over the 5ms jitter limit.","supplier_lens":"Technical testing results for \"Encrypted vs Plaintext\" latency.","netify_note":"Encryption is the process of scrambling data so it can't be read by hackers."},{"id":"man-1.35","text":"Does the solution include DNS-layer protection to stop malware \"phone-home\" 
attempts from the factory?","buyer_lens":"A simple and effective way to block Ransomware before it even starts.","supplier_lens":"Confirmation of DNS-layer security integration.","netify_note":"DNS is the \"Phone Book\" of the internet; filtering it stops your computers from \"calling\" bad websites."}]},{"title":"SSE: Zero Trust Network Access (ZTNA)","questions":[{"id":"man-2.1","text":"Does the solution support an \"Inside-Out\" connectivity model that allows internal factory resources to remain invisible to the public internet?","buyer_lens":"In manufacturing, we cannot have open inbound ports on our firewalls that hackers can scan. We need our PLCs and servers to be \"cloaked\" from public discovery.","supplier_lens":"A good answer explains how the connector sits inside the network and establishes an outbound tunnel to the cloud, ensuring no listening ports are exposed to the WAN.","netify_note":"This creates a \"Dark Cloud\" effect where your internal assets do not exist as far as the public internet is concerned."},{"id":"man-2.2","text":"Describe the process for providing agentless, browser-based access to legacy web HMIs for third-party maintenance contractors.","buyer_lens":"We often have vendors who need to check a machine's status but cannot install software on their corporate laptops. 
We need a secure way to grant them access via a standard web browser.","supplier_lens":"Confirmation of an HTML5-based reverse proxy that allows secure access to internal web apps without a client-side agent.","netify_note":"Agentless ZTNA is essential for third-party risk management as you cannot control the endpoint security of an external company."},{"id":"man-2.3","text":"Can the ZTNA policy be restricted by time-of-day and specific geographical location for shop-floor management systems?","buyer_lens":"We want to ensure that access to the production schedule is only available during shift hours and only from within the UK to prevent out-of-hours data theft.","supplier_lens":"Demonstration of \"Conditional Access\" policies that incorporate time-fencing and geo-fencing as primary variables.","netify_note":""},{"id":"man-2.4","text":"How does the solution handle session persistence for industrial applications that are sensitive to micro-outages or IP address changes?","buyer_lens":"If an engineer is monitoring a live batch process, a dropped session due to a ZTNA \"re-auth\" could result in lost data or a missed alarm.","supplier_lens":"Explanation of session-handling logic and the ability to set custom re-authentication timers for specific industrial user groups.","netify_note":""},{"id":"man-2.5","text":"Does the ZTNA service provide full Layer-4 protocol support, including RDP, SSH, and specific industrial protocols like Modbus/TCP?","buyer_lens":"We don't just use web apps. 
Our engineers need to RDP into servers and use specialist tools to communicate directly with machine controllers.","supplier_lens":"Verification of \"Private Access\" capabilities that extend beyond simple web-proxying to support any TCP/UDP-based application.","netify_note":""},{"id":"man-2.6","text":"Can the solution perform a \"Posture Check\" to verify that a contractor's laptop has active antivirus and disk encryption before allowing a ZTNA connection?","buyer_lens":"If a contractor has a malware-infected machine, we need the network to block them at the \"front door\" before they can touch our production network.","supplier_lens":"Integration details with endpoint security providers or native checks for OS version, AV status, and firewall settings.","netify_note":""},{"id":"man-2.7","text":"Describe the logging granularity: Does the system record every click/action within a session, or just the initial connection event? How does this logging stand up to forensic requirements in high-risk regions?","buyer_lens":"In high-risk environments, granular logging is paramount not only for compliance and \"Root Cause Analysis\" but also for proving non-compromise or identifying the extent of a breach. We need to know exactly what a user (especially third-party) accessed or modified.","supplier_lens":"Evidence of detailed audit logs showing application-level activity, duration of access, and data exfiltration attempts. 
Confirm if logs are immutable, geographically redundant, and meet specific regulatory requirements for data retention in sensitive contexts.","netify_note":"Comprehensive audit trails are crucial for incident response and legal recourse, particularly when operating in regions with advanced persistent threats."},{"id":"man-2.8","text":"How does the ZTNA solution mitigate the risk of \"Lateral Movement\" if a single user account is compromised?","buyer_lens":"If a hacker gets an engineer's password, we need to ensure they are stuck in that one specific application and cannot \"scan\" the rest of the factory floor.","supplier_lens":"Description of \"Least Privilege\" access where the user is mapped 1:1 to an application, not a network segment or VLAN.","netify_note":""},{"id":"man-2.9","text":"Can the ZTNA connector be deployed in a high-availability (HA) cluster within our local data centre?","buyer_lens":"If the ZTNA connector fails, all remote maintenance stops. We need hardware or virtual redundancy to ensure constant uptime.","supplier_lens":"Documentation on clustering connectors and load-balancing traffic across multiple local instances.","netify_note":""},{"id":"man-2.10","text":"What is the average latency overhead introduced by the ZTNA cloud broker for a user in the UK accessing a resource in a UK-based factory?","buyer_lens":"We need remote access to be as fast as being on-site. If the lag is too high, using remote engineering tools becomes impossible.","supplier_lens":"Committing to a specific millisecond \"broker overhead\" (e.g. <30ms) for local-to-local traffic.","netify_note":""}]},{"title":"SSE: Secure Web Gateway (SWG)","questions":[{"id":"man-3.1","text":"Detail your capability to inspect TLS 1.3 encrypted traffic at scale without impacting the performance of cloud-hosted ERP systems.","buyer_lens":"Most modern threats are hidden in encrypted traffic. 
We must inspect this data, but if the decryption process is slow, our SAP/Oracle cloud performance will suffer.","supplier_lens":"Demonstration of high-performance hardware/cloud scaling designed specifically for intensive TLS decryption and re-encryption.","netify_note":""},{"id":"man-3.2","text":"Can the SWG enforce a \"Read-Only\" policy for web-based personal email or social media to prevent attachment uploads?","buyer_lens":"We may allow staff to check their Gmail during breaks, but we must ensure they cannot upload proprietary engineering drawings or \"as-built\" photos to their personal accounts.","supplier_lens":"Proof of granular \"In-App\" controls that distinguish between \"GET\" (download) and \"POST\" (upload) actions.","netify_note":""},{"id":"man-3.3","text":"How does the gateway handle URL filtering for sites categorised as \"Malicious,\" \"Newly Registered Domains,\" or those associated with known state-sponsored threats prevalent in high-risk regions?","buyer_lens":"In high-risk regions, the threat landscape includes sophisticated, rapidly evolving phishing and malware campaigns. We need proactive blocking of domains linked to APTs, newly registered domains, and command-and-control servers to prevent initial access and callback attempts.","supplier_lens":"Access to a real-time threat intelligence feed that categorises millions of URLs, including those used by APTs or nation-state actors, with updates in seconds. 
Detail any specific capabilities for geo-blocking or blocking of domains tied to specific adversarial groups.","netify_note":"Advanced URL filtering, especially for NRDs and DGA-generated domains, is a first line of defense against highly sophisticated attacks common in geopolitical hotspots."},{"id":"man-3.4","text":"Does the SWG provide native protection against \"Credential Phishing\" by identifying when a user is typing their corporate password into a non-corporate site?","buyer_lens":"Our plant managers are frequent targets for phishing. If they accidentally click a link, the network should stop them from entering their Azure AD password.","supplier_lens":"Explanation of \"Password Reuse\" protection or page-scanning technology that identifies fake login forms.","netify_note":""},{"id":"man-3.5","text":"Can you apply different web-filtering profiles based on the machine type (e.g. a kiosk on the floor vs a designer's workstation)?","buyer_lens":"A kiosk on the shop floor should only be able to access the internal Wiki and the ERP, whereas a CAD designer needs broader access for research.","supplier_lens":"Demonstration of policy-grouping based on device type, user identity, or network location.","netify_note":""},{"id":"man-3.6","text":"Describe the \"Safe Search\" enforcement for image and video platforms used for staff training.","buyer_lens":"We use platforms like YouTube for training videos but must ensure that inappropriate content is filtered out to maintain a professional and safe working environment.","supplier_lens":"Native integration with major search engines and video platforms to force \"Restricted Mode.\"","netify_note":""},{"id":"man-3.7","text":"How does the solution handle \"File Type Control\"? 
Can we block the download of executable (.exe) files while allowing PDFs?","buyer_lens":"To prevent accidental malware installation, we must stop shop-floor users from downloading any software, even if the site itself is not malicious.","supplier_lens":"Granular file-extension and \"True File Type\" (header) inspection to prevent users from bypassing rules by renaming files.","netify_note":""},{"id":"man-3.8","text":"Is the SWG capable of \"Inline Sandboxing\" for files downloaded from the internet?","buyer_lens":"If an engineer downloads a firmware file, it must be \"detonated\" in a safe cloud area to check for hidden viruses before it reaches their PC.","supplier_lens":"Confirmation that file delivery is held until the sandbox verdict is returned, rather than \"scan on delivery.\"","netify_note":""},{"id":"man-3.9","text":"How does the system handle \"Bandwidth Throttling\" for non-essential web traffic (e.g. video streaming) during high-production hours?","buyer_lens":"We don't want someone watching Netflix on their lunch break to slow down the data sync for our production line.","supplier_lens":"Ability to set Quality of Service (QoS) rules or bandwidth caps for specific web categories or users.","netify_note":""},{"id":"man-3.10","text":"Can the gateway generate reports showing \"High Risk\" user behaviour that could indicate a compromised account or an insider threat?","buyer_lens":"We need to know if an employee is suddenly visiting hundreds of hacking forums or cloud storage sites so we can intervene before a breach occurs.","supplier_lens":"Dashboard views showing \"Risk Scores\" per user based on web activity and security events.","netify_note":""}]},{"title":"SSE: Cloud Access Security Broker (CASB)","questions":[{"id":"man-4.1","text":"Can the CASB distinguish between a corporate-managed instance of a cloud application and a personal instance of the same application?","buyer_lens":"We use OneDrive for our official engineering files. 
We need to allow uploads to our corporate account but block users from uploading those same files to their personal OneDrive accounts.","supplier_lens":"A good answer demonstrates \"Tenant Restrictions\" or \"Instance Awareness\" that identifies the specific destination account.","netify_note":"This prevents \"Shadow IT\" data leaks where employees use their own accounts to bypass corporate storage rules."},{"id":"man-4.2","text":"Describe the process for automatically \"quarantining\" sensitive files found in cloud storage that have been shared with unauthorised external email addresses.","buyer_lens":"If a plant manager accidentally shares a folder containing the 2026 production roadmap with a personal Gmail account, the system must automatically pull that share back.","supplier_lens":"Evidence of API-based scanning that can retroactively change permissions on files stored in SaaS environments.","netify_note":""},{"id":"man-4.3","text":"How does the solution identify anomalous behaviour, such as a single user downloading an unusually high volume of data from the ERP or cloud storage, especially when originating from or destined for high-risk regions?","buyer_lens":"In high-risk operating environments, detecting anomalous data access or exfiltration patterns is critical for identifying insider threats or compromised accounts. 
Beyond typical bulk downloads, we need to flag access from unusual geographies or during non-working hours.","supplier_lens":"Demonstration of \"User and Entity Behaviour Analytics\" (UEBA) capabilities, including contextual analysis of geographic location, time of access, and integration with HR systems for employee departure alerts.","netify_note":"UEBA enriched with geographical context is vital for detecting sophisticated insider threats or state-sponsored data exfiltration attempts."},{"id":"man-4.4","text":"Does the CASB provide a \"Risk Score\" for new cloud applications discovered on the network, and what criteria are used for this score?","buyer_lens":"Our staff often sign up for free \"productivity\" tools. We need to know if these tools meet UK data residency standards before we allow them on our network.","supplier_lens":"A database of thousands of apps scored against compliance standards like ISO 27001 and GDPR.","netify_note":""},{"id":"man-4.5","text":"Can the solution enforce \"Step-up Authentication\" (MFA) specifically when a user attempts to access a high-risk folder within a SaaS application?","buyer_lens":"General login MFA is fine, but if someone tries to enter the \"Proprietary Designs\" folder, we want them to re-verify their identity immediately.","supplier_lens":"Integration with IdPs like Okta or Azure AD to trigger conditional access mid-session.","netify_note":""},{"id":"man-4.6","text":"How does the CASB protect data being accessed from unmanaged devices (e.g. an employee's home PC) without requiring an agent?","buyer_lens":"If an executive checks their email from a home laptop, we need to allow them to \"view\" files but \"block\" them from downloading them to an unmanaged machine.","supplier_lens":"Use of a \"Reverse Proxy\" to intercept the session and apply granular data controls in the browser.","netify_note":""},{"id":"man-4.7","text":"Can the CASB inspect the content of encrypted files (e.g. 
password-protected ZIPs) being uploaded to cloud services?","buyer_lens":"Malicious actors often hide stolen IP in password-protected files to bypass simple scanners. We need a way to flag or block these files by default.","supplier_lens":"Policy options to block any encrypted file type that cannot be inspected by the DLP engine.","netify_note":""},{"id":"man-4.8","text":"Describe the integration between the CASB and the Secure Web Gateway (SWG) for consistent policy enforcement.","buyer_lens":"We don't want to manage two different sets of rules for web traffic and cloud traffic. They must be part of a single, unified security logic.","supplier_lens":"A unified policy engine where a \"DLP rule\" applies equally across the SWG and CASB.","netify_note":""},{"id":"man-4.9","text":"Can the system automatically \"Mask\" or \"Redact\" sensitive data (like customer credit card numbers) as it is being viewed in a cloud application?","buyer_lens":"Our support team might need to see a customer record, but they don't need to see the full financial details. Redacting this at the CASB level ensures \"Least Privilege.\"","supplier_lens":"Real-time data masking capabilities that modify the traffic as it passes through the broker.","netify_note":""},{"id":"man-4.10","text":"How frequently is the \"Cloud App Discovery\" database updated with new SaaS applications and their security ratings?","buyer_lens":"New apps appear every day. 
A database that is six months out of date leaves us blind to new \"Shadow IT\" risks on the factory floor.","supplier_lens":"Commitment to daily or real-time updates of the application risk database.","netify_note":""}]},{"title":"SSE: Data Loss Prevention (DLP)","questions":[{"id":"man-5.1","text":"Does the DLP engine support \"Exact Data Matching\" (EDM) for protecting our specific manufacturing part numbers or chemical formulas, especially considering the increased risk of industrial espionage in certain regions?","buyer_lens":"In environments where intellectual property theft is a significant concern, protecting our unique manufacturing part identifiers and formulas is paramount. The DLP system must be capable of precise, content-aware detection to prevent the exfiltration of sensitive, proprietary information.","supplier_lens":"The ability to upload and manage a secure database of specific strings or values that the DLP engine will precisely match across all data in motion and at rest. Detail how the system handles data originating from or transiting through high-risk jurisdictions.","netify_note":"EDM is the most surgical way to prevent the theft of highly specific manufacturing IP. In high-risk regions, the stakes of such data loss are significantly elevated."},{"id":"man-5.2","text":"Can the DLP solution identify sensitive information within images or scanned documents (OCR)?","buyer_lens":"Someone might take a photo of a design drawing on their phone and try to email it. 
We need the system to \"read\" the text inside that image and block it if it contains sensitive labels.","supplier_lens":"Native Optical Character Recognition (OCR) capabilities within the cloud inspection engine.","netify_note":""},{"id":"man-5.3","text":"How does the system handle DLP for \"Data in Motion\" versus \"Data at Rest\" in cloud storage?","buyer_lens":"It's not enough to block a file as it's being sent; we need to scan our existing cloud folders to find sensitive data that was put there before the rules were in place.","supplier_lens":"Dual support for \"Inline\" (real-time) and \"API-based\" (out-of-band) scanning.","netify_note":""},{"id":"man-5.4","text":"Can the DLP engine detect \"Partial Matches\" or \"Small Snippets\" of proprietary code or engineering data?","buyer_lens":"A sophisticated thief won't send the whole file; they'll copy and paste a few paragraphs of a formula into a seemingly innocent email. We need to catch these \"snippets.\"","supplier_lens":"Use of \"Partial Document Matching\" or \"Index Document Matching\" (IDM) to identify fragments of protected data.","netify_note":""},{"id":"man-5.5","text":"What is the process for a user to \"Justify\" a DLP block if they believe it is a false positive?","buyer_lens":"If a legitimate shipment is delayed because the system incorrectly blocked a manifest, the manager needs a way to \"override\" with a reason that is logged for the auditors.","supplier_lens":"Customizable \"End-User Coaching\" pop-ups that allow for justification and logging of overrides.","netify_note":""},{"id":"man-5.6","text":"How does the solution prevent the exfiltration of data via \"Printing\" or \"Copying to Clipboard\" for remote users?","buyer_lens":"A remote contractor shouldn't be able to \"Copy\" our machine settings and \"Paste\" them into their local notepad.","supplier_lens":"Integration with endpoint agents or RBI to disable clipboard and print functions for specific 
sessions.","netify_note":""},{"id":"man-5.7","text":"Can the DLP system scan compressed files (e.g. .7z, .rar) and nested folders within those files?","buyer_lens":"It is a common trick to \"zip\" files to avoid detection. We need the system to \"unzip,\" inspect the contents, and then re-zip the file in transit.","supplier_lens":"Support for multi-level recursion (scanning inside a zip, inside a zip).","netify_note":""},{"id":"man-5.8","text":"Does the DLP solution offer a \"Unified Policy Builder\" that works across Email, Web, and Cloud?","buyer_lens":"We want one \"Master Policy\" for \"Secret Formula X\" that applies everywhere. We shouldn't have to rebuild the rule for every different channel.","supplier_lens":"A central policy engine that pushes rules to the SWG, CASB, and ZTNA simultaneously.","netify_note":""},{"id":"man-5.9","text":"How are DLP incidents triaged? Is there a dedicated \"Incident Management\" dashboard for our security officer?","buyer_lens":"When a breach is blocked, we need a clear trail of evidence: who, what, when, and the actual content of the block for legal purposes.","supplier_lens":"A dedicated forensics dashboard with customisable workflows for incident investigation.","netify_note":""},{"id":"man-5.10","text":"Does the system provide \"Out-of-the-Box\" templates for UK-specific regulations like the Data Protection Act 2018?","buyer_lens":"We don't want to spend months building rules for PII (Personally Identifiable Information). 
We need the vendor to provide pre-configured \"Best Practice\" templates.","supplier_lens":"A library of pre-built compliance templates for UK, EU, and global standards.","netify_note":""}]},{"title":"SSE: Remote Browser Isolation (RBI)","questions":[{"id":"man-6.1","text":"Does the RBI solution support \"Pixel-pushing\" rendering to ensure that no active web content or code ever reaches the local endpoint?","buyer_lens":"In our design offices, we cannot risk \"Drive-by Downloads\" where malicious code executes in the background of a designer's browser. We need the actual code to stay in the cloud.","supplier_lens":"A good answer confirms that only a stream of visual pixels is sent to the user, with all JavaScript and HTML executed in a remote, disposable container.","netify_note":"Pixel-pushing is the most secure form of RBI, as it effectively creates a \"glass wall\" between the user and the internet."},{"id":"man-6.2","text":"Can the solution enforce \"Read-Only\" mode for web-based document viewing to prevent the downloading of proprietary engineering files?","buyer_lens":"When our staff view supplier documentation on external portals, we want them to see the plans but not be able to save a local copy to their machine.","supplier_lens":"Demonstration of granular controls that disable \"Right-Click,\" \"Save As,\" and \"Print\" functions within the isolated session.","netify_note":""},{"id":"man-6.3","text":"Describe the user experience impact (latency) when RBI is triggered for \"Uncategorised\" or \"High-Risk\" websites.","buyer_lens":"If a site takes 10 seconds to load because of RBI, our engineers will find ways to bypass the security. 
The isolation must be transparent and fast.","supplier_lens":"Provision of latency metrics for the isolation broker, ideally showing an overhead of less than 100ms.","netify_note":""},{"id":"man-6.4","text":"How does the RBI handle \"Clipboard Controls\" between the isolated browser and the user's local applications?","buyer_lens":"We may need to allow an engineer to \"Copy\" a part number from a website, but \"Block\" them from copying a whole paragraph of proprietary text.","supplier_lens":"Ability to set uni-directional or bi-directional clipboard restrictions with character-count limits.","netify_note":""},{"id":"man-6.5","text":"Can the RBI service \"Sanitise\" downloaded files by converting them to a safe PDF before they reach the user?","buyer_lens":"If a user must download a manual, we want the system to strip out any active macros or hidden scripts by reconstructing the file in the cloud first.","supplier_lens":"Integration with CDR (Content Disarm and Reconstruction) technology within the isolation workflow.","netify_note":""},{"id":"man-6.6","text":"Does the solution support \"Targeted RBI\" where only high-risk URLs are isolated, rather than the entire web session?","buyer_lens":"To manage costs and performance, we only want to isolate the \"dark corners\" of the web, not trusted sites like the BBC or Microsoft.","supplier_lens":"Confirmation of integration with the SWG's URL filtering categories to trigger RBI based on risk scores.","netify_note":""},{"id":"man-6.7","text":"Can RBI be used as a \"Secure Virtual Desktop\" for third-party vendors to access internal web-based HMIs?","buyer_lens":"Instead of a full VPN, we want a vendor to log into a secure browser session that only lets them see the machine management page.","supplier_lens":"Use cases for \"Inbound RBI\" where the isolation protects the internal application from a potentially compromised external user.","netify_note":""},{"id":"man-6.8","text":"Describe how the RBI handles streaming media 
(e.g. training videos) and interactive web elements like maps or 3D CAD viewers.","buyer_lens":"If our engineers are watching a \"How-To\" video on a machine's website, the video must not be \"choppy\" or out of sync.","supplier_lens":"Explanation of adaptive bitrate streaming or \"DOM-based\" rendering for specific media types to maintain performance.","netify_note":""},{"id":"man-6.9","text":"How are \"Isolated Sessions\" logged for audit purposes? Do you record a video of the session or just text-based activity?","buyer_lens":"If there is a security breach, we need to see exactly what the user was looking at inside the isolated browser.","supplier_lens":"Capability to provide detailed URL logs and, in some cases, screen-capture summaries of isolated activity.","netify_note":""},{"id":"man-6.10","text":"Is the RBI solution natively integrated into the SSE agent, or does it require a separate browser extension or client?","buyer_lens":"We want a \"Zero-Touch\" experience. We cannot manage different extensions for Chrome, Edge, and Firefox across the whole company.","supplier_lens":"Confirmation of \"Clientless\" or \"Unified Agent\" deployment models.","netify_note":""}]},{"title":"SSE: Firewall as a Service (FWaaS)","questions":[{"id":"man-7.1","text":"Does the FWaaS support Identity-Aware Rules that follow a user from the factory floor to their home office?","buyer_lens":"A plant manager should have the same firewall restrictions (e.g. 
access to the finance VLAN) regardless of whether they are plugged into the warehouse or working from home.","supplier_lens":"Integration with IdPs like Azure AD to apply rules based on \"User Groups\" rather than just static IP addresses.","netify_note":"FWaaS decouples security from the physical location, ensuring a consistent \"Security Perimeter\" around the user."},{"id":"man-7.2","text":"Detail the FWaaS capability to perform Layer-7 Application Identification for industrial protocols like Modbus, S7, and OPC-UA.","buyer_lens":"We need the firewall to know the difference between \"Modbus Traffic\" and \"General Web Traffic\" so we can apply specific security logic to our machinery.","supplier_lens":"A good answer includes a library of thousands of application signatures, including a dedicated OT/Industrial section.","netify_note":""},{"id":"man-7.3","text":"Can the FWaaS enforce Geo-Blocking at the network layer to prevent any traffic from high-risk regions reaching our production servers, with dynamic threat intelligence for rapidly changing geopolitical landscapes?","buyer_lens":"In today's geopolitical climate, certain regions pose an elevated threat. We require the ability to block traffic based on geographic origin to protect our critical infrastructure from known adversarial sources, with the flexibility to adapt to evolving threat intelligence.","supplier_lens":"Native Geo-IP database integration allowing for \"Allow/Deny\" rules based on country of origin, dynamically updated with threat intelligence feeds. 
Detail the granularity of control (country, continent, IP range) and the update frequency of the geo-blocking database.","netify_note":"Geo-blocking is a fundamental control for reducing attack surface, particularly effective against broad-spectrum attacks originating from specific high-risk jurisdictions."},{"id":"man-7.4","text":"How does the FWaaS handle IPsec VPN Terminations from small, remote IoT gateways or sensors?","buyer_lens":"We have small sensors in remote pump stations that need to tunnel back to the cloud firewall. We need the FWaaS to act as the \"Head-end\" for these tunnels.","supplier_lens":"Support for standard IPsec and IKEv2 protocols to terminate tunnels from any third-party industrial router.","netify_note":""},{"id":"man-7.5","text":"What is the \"Egress IP\" strategy? Do our sites share a public IP with other customers, or can we have a Dedicated Static IP for our cloud firewall?","buyer_lens":"Some of our customers \"Whitelist\" our IP address for secure data transfers. 
If our IP changes or is shared with a \"bad actor,\" our traffic might be blocked.","supplier_lens":"Option for \"Dedicated Egress IPs\" to ensure IP reputation and compatibility with third-party whitelisting.","netify_note":""},{"id":"man-7.6","text":"Describe the FQDN-based Filtering capabilities for managing software update paths for factory machinery.","buyer_lens":"We want to allow our Siemens machines to talk only to updates.siemens.com and block everything else, without having to manage a list of hundreds of changing IP addresses.","supplier_lens":"Support for \"Wildcard FQDNs\" and dynamic DNS resolution within the firewall rulebase.","netify_note":""},{"id":"man-7.7","text":"Does the FWaaS include a Global Policy Manager to push rule changes to all international sites simultaneously?","buyer_lens":"If we identify a new threat, we need to \"Close the Gate\" across our UK, US, and Asia plants with one single click.","supplier_lens":"A central orchestrator that provides a \"Unified Security Policy\" for all connected branches and remote users.","netify_note":""},{"id":"man-7.8","text":"How does the FWaaS handle Large File Transfers (FTP/SFTP) between manufacturing sites and external partners?","buyer_lens":"We regularly send multi-gigabyte design files. 
The firewall must be able to inspect this traffic without \"timing out\" or throttling the transfer speed.","supplier_lens":"Technical specs on \"Stateful Inspection\" limits and support for \"FTP Application Layer Gateways.\"","netify_note":""},{"id":"man-7.9","text":"Can the FWaaS generate an alert if it detects \"Port Scanning\" or \"Reconnaissance\" activity originating from within our own factory floor?","buyer_lens":"If a piece of malware is trying to \"find\" other machines on our network, we need the cloud firewall to flag this \"Lateral Movement\" attempt immediately.","supplier_lens":"Native IDS/IPS signatures designed to detect internal scanning and brute-force attempts.","netify_note":""},{"id":"man-7.10","text":"What is the SLA for Service Availability for the FWaaS? Is it backed by financial credits if the cloud firewall goes offline?","buyer_lens":"If the cloud firewall dies, our whole factory is disconnected from the internet and the cloud ERP. We need a 99.999% uptime guarantee.","supplier_lens":"Detailed uptime SLA with a tiered service credit structure for any downtime.","netify_note":""}]},{"title":"SSE: Intrusion Prevention & Detection (IPS/IDS)","questions":[{"id":"man-8.1","text":"Does the IPS service include a dedicated signature set for Industrial Control Systems (ICS) and SCADA protocols?","buyer_lens":"We need the system to recognise and block exploits specifically targeting factory hardware (e.g. Siemens, Rockwell, Schneider Electric) rather than just standard office IT threats.","supplier_lens":"Evidence of integrated OT-specific threat intelligence feeds and the ability to detect \"Industrial-specific\" vulnerabilities like PLC stop commands or unauthorised firmware uploads.","netify_note":"Standard IPS often misses the subtle, protocol-specific attacks that can disable a production line."},{"id":"man-8.2","text":"Can the IPS perform Virtual Patching for legacy operating systems (e.g. 
Windows XP, Windows 7) that can no longer receive official security updates?","buyer_lens":"We have million-pound machines running on unpatchable OSs. We need the network to \"shield\" these machines by blocking known exploits at the network level before they reach the endpoint.","supplier_lens":"Demonstration of \"Shielding\" signatures that map to CVEs for legacy systems.","netify_note":""},{"id":"man-8.3","text":"Describe the \"Fail-Open\" vs \"Fail-Closed\" logic of the IPS engine during a period of extreme traffic congestion or cloud PoP resource exhaustion.","buyer_lens":"If the security engine is overwhelmed, we need to know if it will \"fail-open\" to keep the factory running (prioritising availability) or \"fail-closed\" (prioritising security).","supplier_lens":"Configurable fail-mode options with clear documentation on default behaviour and override capabilities.","netify_note":""},{"id":"man-8.4","text":"How does the IDS/IPS identify Lateral Movement attempts between different factory segments or VLANs?","buyer_lens":"If a single workstation is compromised, the IPS should immediately flag and block that machine if it starts \"scanning\" the rest of the factory network for vulnerable PLCs.","supplier_lens":"Native detection of internal scanning, brute-force, and anomalous cross-segment traffic patterns.","netify_note":""}]},{"title":"SSE: DNS Security (Protective DNS)","questions":[{"id":"man-9.1","text":"How does the DNS filtering layer handle \"Newly Registered Domains\" (NRDs) and \"Domain Generation Algorithms\" (DGAs)?","buyer_lens":"Ransomware often uses domains registered within the last 24 hours for Command & Control. 
We need to block access to any domain younger than 30 days by default.","supplier_lens":"Access to real-time WHOIS data and algorithmic detection to block domains that look \"randomly generated.\"","netify_note":"DNS Security is often the simplest and most effective way to prevent a malware infection from \"calling home\" to its master."},{"id":"man-9.2","text":"Can we enforce different DNS policies for IIoT sensors versus office-based staff laptops?","buyer_lens":"A smart sensor should only ever need to talk to its manufacturer's update server. Any other DNS request from that sensor is a sign of compromise and must be blocked.","supplier_lens":"Policy segmentation based on device type, network zone, or identity group for DNS resolution rules.","netify_note":""}]},{"title":"SSE: SaaS Security Posture Management (SSPM)","questions":[{"id":"man-10.1","text":"Does the SSPM tool provide automated remediation for misconfigurations in our SAP S/4HANA or Microsoft 365 tenants?","buyer_lens":"We need a system that doesn't just \"find\" a security hole (like an open SharePoint folder) but can automatically \"fix\" it or alert the admin immediately based on our UK data residency rules.","supplier_lens":"A dashboard showing \"Config Drift\" and the ability to toggle \"Auto-Remediation\" for critical security settings.","netify_note":""},{"id":"man-10.2","text":"Can the SSPM audit the \"App-to-App\" permissions (OAuth) granted by our employees to third-party cloud tools?","buyer_lens":"Employees often grant \"Read/Write\" access to their email or files to free productivity apps. 
We need to see and revoke these \"hidden\" data access points.","supplier_lens":"Comprehensive OAuth token discovery and revocation capabilities across connected SaaS platforms.","netify_note":""}]},{"title":"SSE: Cloud Email Security","questions":[{"id":"man-11.1","text":"How does the solution protect against Business Email Compromise (BEC) and \"Look-alike\" domain attacks targeting our supply chain?","buyer_lens":"We are at risk of \"Invoice Fraud\" where a hacker impersonates one of our suppliers. We need the system to flag emails that come from domains that look like our suppliers' but are slightly different.","supplier_lens":"Use of AI and Machine Learning to analyse \"Communication Patterns\" and detect identity spoofing.","netify_note":""}]},{"title":"SSE: Threat / Malware Protection (ATP & Sandboxing)","questions":[{"id":"man-12.1","text":"Does the sandbox environment support \"Human-Interaction Simulation\" to defeat malware that waits for a mouse click before executing?","buyer_lens":"Modern \"Evasive Malware\" can tell it's in a sandbox and will stay \"dormant\" until it thinks a real person is using the machine. 
We need a sandbox that can \"trick\" the malware into revealing itself.","supplier_lens":"Detailed breakdown of \"Anti-Evasion\" techniques used within the sandboxing engine.","netify_note":""}]},{"title":"SSE: Identity & Access (IdP) Integration","questions":[{"id":"man-13.1","text":"Does the solution support SCIM (System for Cross-domain Identity Management) for automated user provisioning and de-provisioning?","buyer_lens":"When an employee leaves the company, their access to the factory floor, the ERP, and the ZTNA must be revoked instantly across the whole SSE stack.","supplier_lens":"Native SCIM 2.0 support for automated lifecycle management with major IdPs (Azure AD, Okta, etc.).","netify_note":""}]},{"title":"SSE: Device Posture / Endpoint Context","questions":[{"id":"man-14.1","text":"Can the system deny access to the production environment if the device's Anti-Virus (EDR) is disabled or if a specific \"Corporate Certificate\" is missing?","buyer_lens":"If a device is \"unhealthy\" or unmanaged, it must be blocked at the network gate. We cannot risk a \"dirty\" laptop plugging into our shop-floor network.","supplier_lens":"Integration with third-party EDRs (e.g. CrowdStrike, SentinelOne) and the ability to check local file/registry keys before granting a session.","netify_note":""}]},{"title":"SASE: Converged Outcomes","questions":[{"id":"man-15.1","text":"Does the SASE solution utilise an SLA-backed Private Tier-1 Backbone for the \"Middle Mile\", or does it rely on encrypted tunnels over the public internet?","buyer_lens":"For our international plants, using the public internet for global traffic is too unpredictable. 
We need a backbone that guarantees sub-200ms latency between the UK and our Asia-Pacific sites to ensure our Digital Twin data remains in sync.","supplier_lens":"A good answer provides a specific list of Tier-1 peering partners and a contractually backed latency/jitter matrix between global PoPs.","netify_note":"A private backbone acts like a \"private motorway\" for your data, bypassing the \"congested side streets\" of the public internet to ensure consistent performance."},{"id":"man-15.2","text":"Describe the techniques used to optimise traffic across the global backbone, specifically regarding TCP Window Scaling and Packet Loss Mitigation.","buyer_lens":"Large engineering files often fail to sync over long distances due to standard internet protocols \"timing out.\" We need the backbone to \"accelerate\" these transfers.","supplier_lens":"Look for mentions of \"TCP Proxying\" or \"Fast TCP\" where the PoP acknowledges packets locally to speed up the transfer.","netify_note":"This process \"tricks\" the sending server into thinking the receiver is closer than they actually are, preventing the \"slow-start\" speed drops common in global networking."},{"id":"man-15.3","text":"Detail how the SASE fabric provides Direct Cloud On-Ramp to our SAP S/4HANA instance in Azure (UK South) without \"Hair-pinning\" traffic through a central data centre.","buyer_lens":"If our shop-floor staff have to go from the factory, to a central HQ, and then to Azure, the lag will make the ERP unusable. We need a \"Direct-to-Cloud\" path that is still fully secured.","supplier_lens":"Confirmation of virtual PoPs or direct peering within the same data centres as the major cloud providers.","netify_note":"\"Hair-pinning\" is an inefficient routing path where data travels a long distance to a central hub only to be sent back in the direction it came from."},{"id":"man-15.4","text":"Can the SASE orchestrator manage Transit Gateway Peering across multiple cloud providers (e.g. 
AWS and Google Cloud) through a single interface?","buyer_lens":"We use AWS for our \"Data Lake\" and Google Cloud for \"AI Analytics.\" We need a single way to manage the secure pipes between these clouds and our factories.","supplier_lens":"Demonstration of a \"Multi-Cloud Fabric\" where the SASE vendor automates the routing between different cloud VPCs.","netify_note":""},{"id":"man-15.5","text":"Does the solution offer Application-Specific Acceleration for non-web protocols such as CIFS/SMB or MAPI?","buyer_lens":"Our designers frequently open massive CAD files from remote file shares. If the SASE doesn't \"accelerate\" these specific file protocols, the engineers will lose hours every week to loading bars.","supplier_lens":"Proof of deduplication and caching techniques that only send \"changed blocks\" of data across the WAN.","netify_note":"WAN Optimisation reduces the amount of data actually sent by \"remembering\" bits of data that have been sent before and only sending the new bits."},{"id":"man-15.6","text":"How does the solution ensure low-latency access for UK-based mobile users who are travelling to high-risk regions or areas with poor local peering?","buyer_lens":"When our senior engineers are on-site at a supplier in Asia, they still need fast access to the UK-based production servers. The SASE must find the closest PoP and tunnel them back via the backbone.","supplier_lens":"Evidence of a global PoP map and \"Auto-Closest-PoP\" logic in the client software.","netify_note":""},{"id":"man-15.7","text":"In a Fully Managed SASE model, who is the \"Single Point of Contact\" for an end-to-end performance issue involving a third-party ISP and the cloud security layer?","buyer_lens":"We don't want our IT team stuck in a \"Blame Game\" between the security vendor and the ISP. 
We need one partner who takes ownership of the entire \"User-to-App\" path.","supplier_lens":"Definition of the \"Service Integration and Management\" (SIAM) role within the managed service contract.","netify_note":"Managed SASE means the provider looks after the technology and the underlying circuits, giving you one throat to choke."},{"id":"man-15.8","text":"What is the SLA for Emergency Security Changes (e.g. blocking a specific IP during an active attack) in a managed service environment?","buyer_lens":"If we are under attack at 3 AM on a Saturday, we cannot wait for a \"Next Business Day\" ticket. We need \"Emergency Change\" windows measured in minutes.","supplier_lens":"24/7 NOC/SOC availability with a 15-minute or 30-minute SLA for urgent security blocks.","netify_note":""},{"id":"man-15.9","text":"Does the Managed SASE Portal allow our internal team to view real-time \"Digital Experience\" metrics for individual shop-floor users?","buyer_lens":"When a plant manager complains the \"Network is slow,\" we need to be able to see instantly if it's their local WiFi, the ISP, or the SASE PoP before we call the helpdesk.","supplier_lens":"A demo of \"Digital Experience Monitoring\" (DEM) tools that provide a hop-by-hop breakdown of the user's connection.","netify_note":""},{"id":"man-15.10","text":"Can you provide Static, Dedicated Egress IPs for our SASE traffic to ensure compatibility with our suppliers' IP-whitelisting firewalls?","buyer_lens":"Our key suppliers only allow connections from \"Known IPs.\" If the SASE uses \"Shared IPs\" that change every week, we will be constantly locked out of our supply chain portals.","supplier_lens":"Option for \"Reserved Egress IPs\" that are dedicated solely to the customer's organisation.","netify_note":"An Egress IP is the \"return address\" your data uses when it leaves the SASE cloud to talk to the rest of the internet."}]}],"count":117},"financial_services":{"label":"Financial services","sections":[{"title":"SD-WAN: 
Low-Latency Financial Network Fabric","questions":[{"id":"fin-1.1","text":"Can the solution perform per-packet path steering in under 1ms to prevent trading order execution delays during link degradation?","buyer_lens":"On a trading floor, a 10ms delay can mean an order executes at the wrong price. We need path-switching that is imperceptible to our trading platforms.","supplier_lens":"A good answer confirms hardware-assisted per-packet steering, not software-polled probing, with <1ms switchover times evidenced by test data.","netify_note":"Per-packet steering is essential for latency-sensitive financial workloads where session-based failover is too slow."},{"id":"fin-1.2","text":"Does the solution support 1:1 packet duplication across dual-active circuits for real-time payment processing and settlement traffic?","buyer_lens":"A single dropped packet in a CHAPS or SWIFT settlement can cause a failed transaction and regulatory reporting obligations. Zero packet loss is non-negotiable.","supplier_lens":"Must confirm per-packet duplication (not session-based) across diverse ISP paths, with confirmation the receiving side discards duplicates silently.","netify_note":"Packet duplication sends identical data over two paths simultaneously; the receiver takes whichever arrives first — guaranteeing zero loss."},{"id":"fin-1.3","text":"Can the SD-WAN enforce dedicated QoS queues for real-time market data feeds, separating them from general branch internet and voice traffic?","buyer_lens":"If Bloomberg or Reuters market data shares a queue with staff video calls, data delays could cause traders to miss price moves during volatile market opens.","supplier_lens":"Describe application-aware QoS with named policies for market data protocols, DPI identification of feed traffic, and guaranteed bandwidth reservation.","netify_note":"Market data feeds deliver thousands of price updates per second; any sharing of bandwidth with lower-priority traffic directly impacts trading 
profitability."},{"id":"fin-1.4","text":"Detail the bandwidth overhead of your Forward Error Correction (FEC) algorithm in Aggressive mode on a 1Gbps trading floor uplink.","buyer_lens":"We need to know the precise usable capacity reduction when FEC is active, so we can size circuits accordingly without under-provisioning trading traffic.","supplier_lens":"Provide a table showing FEC modes (Low/Medium/High) versus bandwidth consumption and latency overhead per mode.","netify_note":"FEC adds redundant data so the receiver can reconstruct lost packets without re-transmission requests — critical where re-transmission latency is unacceptable."},{"id":"fin-1.5","text":"How does the solution optimise the path from branch offices to cloud-hosted core banking platforms (e.g. Temenos, Finastra on Azure/AWS)?","buyer_lens":"If branch staff are hair-pinning through a central data centre to reach a cloud core banking system, response times will be unacceptable during peak opening hours.","supplier_lens":"Describe direct cloud on-ramp logic using virtual PoPs within the same cloud region, avoiding backhauling through on-premises data centres.","netify_note":"Cloud on-ramp automatically finds the shortest secure path from the branch to the cloud instance, eliminating unnecessary network hops."},{"id":"fin-1.6","text":"State the average millisecond latency between your primary UK PoP and the London Azure region (UK South) and AWS eu-west-2.","buyer_lens":"Minimising middle-mile latency is critical for payment processing SLAs and FCA operational resilience obligations under PS21/3.","supplier_lens":"Provide a latency matrix showing measured round-trip times between UK PoPs and major cloud provider regions.","netify_note":"A PoP (Point of Presence) is the physical entry point into the vendor's high-speed network backbone — latency here directly affects every connected site."},{"id":"fin-1.7","text":"State the AES-256 encrypted throughput when IPS, DPI, and application 
identification are all simultaneously enabled on the branch appliance.","buyer_lens":"We need to know the real-world throughput with all security features active, not vendor headline figures under ideal lab conditions.","supplier_lens":"Provide side-by-side performance data for 'Security Off' versus full enforcement mode across the branch appliance range.","netify_note":"DPI (Deep Packet Inspection) examines packet contents to classify applications — enabling it alongside encryption consumes significant hardware resources."},{"id":"fin-1.8","text":"Does the solution support 4G/5G and satellite as active-active underlays? How is high-frequency jitter from satellite smoothed for payment traffic?","buyer_lens":"Remote financial advice offices or pop-up branches may depend on cellular or satellite. Payment and core banking traffic must remain stable across these links.","supplier_lens":"Confirm path conditioning and FEC support for high-latency satellite links, with evidence of successful deployment in financial services environments.","netify_note":"An 'Underlay' is the physical circuit the SD-WAN overlay runs on top of; diverse underlays are fundamental to resilience."},{"id":"fin-1.9","text":"Describe the ZTP process for a new bank branch. Can a non-technical branch manager plug in the device and have it configure itself automatically?","buyer_lens":"Financial services organisations open and close branches regularly. 
We need equipment to arrive pre-configured and self-activate without requiring an on-site engineer.","supplier_lens":"Walkthrough of the phone-home process confirming the device can retrieve its full configuration from the orchestrator over any internet connection.","netify_note":"ZTP allows a device to auto-configure as soon as it reaches the internet — removing engineer site visits for routine deployments."},{"id":"fin-1.10","text":"Can a single golden security and routing template be pushed to 200+ financial services branches simultaneously, with site-specific variables managed centrally?","buyer_lens":"We cannot manually log into every branch device to change a DNS server or routing policy. One change must propagate securely and verifiably to every location.","supplier_lens":"Show how site-specific variables (local subnets, branch codes) are managed within a master template, with bulk rollout controls and change verification.","netify_note":"A Golden Config is a master template ensuring every site is configured identically — eliminating drift that could create compliance or security gaps."},{"id":"fin-1.11","text":"Can we grant regional IT teams read-only diagnostics access while central security operations retain full write access to routing and firewall policies?","buyer_lens":"Local IT teams need to diagnose branch issues without the ability to inadvertently alter security policies that are required for FCA and PCI DSS compliance.","supplier_lens":"Provide an overview of RBAC permission tiers, including site-scoped read-only views versus global administrative rights.","netify_note":"RBAC (Role-Based Access Control) ensures each team member can only access the specific settings relevant to their role."},{"id":"fin-1.12","text":"Does the orchestrator generate automated alerts if a branch device's configuration deviates from the approved golden template?","buyer_lens":"Configuration drift creates compliance risk. 
We need instant notification if any branch has deviated from the approved security baseline, particularly for PCI DSS audit purposes.","supplier_lens":"Evidence of configuration auditing and optional auto-remediation that forces devices back into the approved policy state.","netify_note":"Drift detection is a critical compliance control — it ensures every site remains within the auditable, approved configuration boundary."},{"id":"fin-1.13","text":"Describe the safety mechanism if a firmware update fails at a remote branch during overnight maintenance windows.","buyer_lens":"If an update fails at 2 AM, the branch must be trading normally at 9 AM. We need an automatic rollback to the last known good state without manual intervention.","supplier_lens":"Confirm dual-partition boot or automated rollback capabilities, with evidence of the process and recovery time objectives.","netify_note":"Dual-partition keeps the previous stable firmware while installing the new one — meaning a failed update can never leave the device in a broken state."},{"id":"fin-1.14","text":"Do you offer a financial SLA based on application-level performance metrics (latency and jitter) rather than simply link uptime percentage?","buyer_lens":"A link that is technically 'up' but too slow for core banking is a service failure. Our SLA must reflect the actual user experience of financial applications.","supplier_lens":"Provide a detailed service credit table specifying credit thresholds for jitter, latency, and packet loss violations on named critical applications.","netify_note":"Application-level SLAs hold vendors accountable for actual user experience — not just whether a ping can traverse the link."},{"id":"fin-1.15","text":"If a managed service is selected, do you take full ownership of third-party ISP fault reporting, escalation, and resolution on our behalf?","buyer_lens":"Our IT teams should not be managing BT or Virgin Media escalations whilst a branch is offline. 
We need one accountable provider for the entire branch connectivity experience.","supplier_lens":"Clarify whether the managed service includes full carrier management, LOA-based escalation rights, and proactive monitoring of ISP-supplied circuits.","netify_note":"LOA (Letter of Authority) allows the managed service provider to contact your ISP directly on your behalf — removing the customer from the fault loop entirely."},{"id":"fin-1.16","text":"If the primary SD-WAN orchestrator suffers an outage, what is the impact on branch operations and what is the RTO for management restoration?","buyer_lens":"Branches must continue processing payments even if the vendor's cloud management platform is unreachable. Data plane continuity is non-negotiable.","supplier_lens":"Confirm control-plane/data-plane separation where branches continue routing traffic independently, and provide RTO metrics for management restoration.","netify_note":"A resilient orchestrator architecture means branches act autonomously during control plane failures — payments never stop because the management cloud went down."}]},{"title":"SSE: Zero Trust Network Access (ZTNA)","questions":[{"id":"fin-2.1","text":"Does the ZTNA solution use an inside-out connectivity model, ensuring internal banking applications are never exposed to public internet scanning?","buyer_lens":"Our core banking portals and payment systems must be invisible to the public internet. 
Open inbound ports represent a direct attack surface for financially motivated threat actors.","supplier_lens":"Confirm the connector establishes outbound-only tunnels so no listening ports are exposed to the WAN, making internal applications undiscoverable.","netify_note":"The inside-out or 'dark cloud' model means attackers cannot find what they cannot see — critical for protecting high-value financial systems."},{"id":"fin-2.2","text":"Can the solution provide agentless, browser-based ZTNA access to internal systems for external auditors or regulatory inspectors who cannot install software?","buyer_lens":"FCA and PRA inspectors and external auditors regularly need to access specific reporting portals. We cannot ask regulators to install a VPN client on their corporate laptops.","supplier_lens":"Confirm an HTML5-based reverse proxy supporting agentless access to web-based internal applications without client-side software.","netify_note":"Agentless ZTNA is essential for third-party risk management — you control access to the application without relying on the security posture of the external device."},{"id":"fin-2.3","text":"Can ZTNA policies be restricted by time-of-day, such as blocking access to trading platforms outside market hours unless explicitly authorised?","buyer_lens":"Access to trading systems during off-hours is a high-risk indicator. 
Restricting access to defined market hours reduces the attack window for compromised credentials.","supplier_lens":"Demonstrate conditional access policies incorporating time-fencing with override workflows requiring secondary authorisation for out-of-hours access.","netify_note":"Time-based access controls reduce the attack surface by limiting when credentials can be used to access sensitive financial systems."},{"id":"fin-2.4","text":"How does the ZTNA solution prevent lateral movement if a trader or advisor's account is compromised?","buyer_lens":"If an attacker gains a staff member's credentials, they should be confined to that one specific application — they must not be able to pivot to risk systems, customer databases, or payment gateways.","supplier_lens":"Describe least-privilege access where users are mapped 1:1 to specific applications, not to network segments or VLANs, with no implicit access to adjacent systems.","netify_note":"Least-privilege ZTNA is fundamentally different from VPN — a user gets access to an app, not a network, eliminating lateral movement risk."},{"id":"fin-2.5","text":"Does the solution continuously re-evaluate user risk scores throughout the duration of a session, and can it terminate an active session if risk increases?","buyer_lens":"If a user's device becomes compromised mid-session, or they suddenly access a trading system from an unusual location, the session must be terminated immediately without waiting for re-authentication.","supplier_lens":"Describe the frequency of risk re-evaluation, what signals are consumed (device posture, location, behavioural anomalies), and the session revocation mechanism.","netify_note":"Continuous verification is the core principle of Zero Trust — trust must be re-earned continuously, not just at login."},{"id":"fin-2.6","text":"Can the ZTNA policy trigger a step-up MFA prompt when a user attempts to access specific high-value transaction systems or payment authorisation 
portals?","buyer_lens":"A general login MFA is insufficient for payment authorisation. We want an additional verification challenge when a user attempts to initiate or approve a high-value transfer.","supplier_lens":"Explain contextual, risk-adaptive authentication that triggers step-up challenges based on application sensitivity, transaction value threshold, or behavioural signals.","netify_note":"Step-up authentication adds friction precisely where the risk is highest — protecting high-value financial actions without inconveniencing general access."},{"id":"fin-2.7","text":"Does the system provide granular, immutable audit logs of every access event, including session duration, actions taken, and data accessed, for regulatory examination?","buyer_lens":"FCA, PRA, and DORA require detailed records of who accessed what and when. Our audit logs must be tamper-proof and readily exportable for regulatory inspection.","supplier_lens":"Confirm immutable, timestamped logs with application-level granularity, long-term retention options, and SIEM export capabilities for compliance workflows.","netify_note":"Immutable logs are foundational to DORA compliance and FCA operational resilience obligations — they cannot be altered or deleted by any user, including administrators."},{"id":"fin-2.8","text":"Can the ZTNA connector be deployed in a high-availability cluster to ensure that a single connector failure does not interrupt access to critical banking systems?","buyer_lens":"Access to core banking and payment systems cannot be interrupted by a single point of failure in the ZTNA connector. 
We need hardware or virtual redundancy within our data centre.","supplier_lens":"Document clustering architecture, load balancing across connector instances, and failover behaviour including expected downtime during a connector node failure.","netify_note":"HA connector clusters ensure the ZTNA access layer is as resilient as the applications it protects."},{"id":"fin-2.9","text":"What is the average latency overhead introduced by the ZTNA cloud broker for a UK-based user accessing a UK data centre application?","buyer_lens":"Remote access to trading platforms and core banking must be as fast as on-premises access. If the broker adds more than 30ms, latency-sensitive financial workflows become impractical.","supplier_lens":"Commit to a specific millisecond broker overhead for local-to-local UK traffic, supported by measured test results from UK-based PoPs.","netify_note":"ZTNA broker latency overhead is the key performance metric for remote access to latency-sensitive financial applications."}]},{"title":"SSE: Secure Web Gateway (SWG)","questions":[{"id":"fin-3.1","text":"Detail your capability to inspect TLS 1.3 encrypted web traffic at scale without impacting the performance of cloud-hosted financial applications.","buyer_lens":"Modern threats are concealed in encrypted traffic. 
We must inspect it, but if TLS decryption introduces latency, our cloud banking and trading platform response times will suffer during peak hours.","supplier_lens":"Demonstrate high-performance cloud scaling for TLS 1.3 inspection with measured latency overhead under peak load conditions for financial application traffic.","netify_note":"TLS 1.3 inspection is critical for financial services — threats increasingly use encrypted channels to evade detection while targeting high-value financial data."},{"id":"fin-3.2","text":"Does the SWG provide protection against credential phishing by detecting when a user is typing their corporate credentials into a fraudulent login page?","buyer_lens":"Financial services staff are high-value phishing targets. If a branch manager enters their Active Directory credentials into a fake portal, the impact could be catastrophic.","supplier_lens":"Explain page-level phishing detection, brand impersonation identification, and corporate credential guard capabilities that alert or block in real time.","netify_note":"Credential phishing is the most common initial access vector for financially motivated threat actors targeting banks and insurers."},{"id":"fin-3.3","text":"How does the gateway handle newly registered domains (NRDs) and domain generation algorithm (DGA) traffic used by malware command-and-control infrastructure?","buyer_lens":"Ransomware targeting financial institutions routinely uses domains registered within hours of the attack. 
We need NRDs blocked by default with configurable age thresholds.","supplier_lens":"Confirm real-time WHOIS data access, algorithmic DGA detection, and the ability to set domain age thresholds as a blocking policy.","netify_note":"NRD blocking is one of the most effective low-cost controls against ransomware and malware C2 callbacks in financial services environments."},{"id":"fin-3.4","text":"Can the SWG enforce a read-only policy for personal cloud storage and webmail to prevent staff from uploading customer financial data to personal accounts?","buyer_lens":"A regulated financial institution cannot allow customer account data or pricing models to be uploaded to personal Dropbox or Gmail accounts, even inadvertently.","supplier_lens":"Demonstrate granular in-app controls distinguishing between GET (read) and POST (upload) actions within personal cloud services and webmail platforms.","netify_note":"Controlling upload actions rather than blocking entire services allows productive personal use while preventing sensitive data exfiltration."},{"id":"fin-3.5","text":"Can the SWG allow trusted financial and regulatory domains (e.g. FCA, Bank of England, SWIFT) to break out locally without full SSL inspection?","buyer_lens":"We do not need to inspect traffic to well-known regulatory and interbank portals. 
Bypassing these reduces PoP load and ensures regulatory submissions are never delayed by inspection overhead.","supplier_lens":"Explain selective bypass and local breakout policies for low-risk trusted financial services domains, including the process for adding new trusted destinations.","netify_note":"Selective bypass optimises performance for known-safe destinations — a key consideration for time-sensitive regulatory reporting and interbank communications."},{"id":"fin-3.6","text":"Can the SWG generate reports identifying high-risk user browsing behaviour patterns that could indicate a compromised account or insider threat?","buyer_lens":"We need to proactively identify if a staff member is visiting high-risk or unusual sites — a potential sign of compromise, insider threat, or data reconnaissance — before a breach occurs.","supplier_lens":"Describe user risk scoring, behavioural analytics, and reporting dashboards that surface risky browsing patterns for security team investigation.","netify_note":"Behavioural analysis of browsing activity is a key insider threat detection control in the highly targeted financial services sector."},{"id":"fin-3.7","text":"Is the SWG capable of inline sandboxing for files downloaded by financial staff, holding delivery until the sandbox verdict confirms the file is safe?","buyer_lens":"If a member of staff downloads a document from a counterparty portal, it must be detonated in a cloud sandbox before reaching their device — not scanned on delivery after the fact.","supplier_lens":"Confirm that file delivery is held pending the sandbox verdict, not delivered and scanned concurrently, with expected hold times for common file types.","netify_note":"Inline sandboxing prevents execution before analysis — the key distinction from 'scan on delivery' approaches that still allow initial execution."}]},{"title":"SSE: Cloud Access Security Broker (CASB)","questions":[{"id":"fin-4.1","text":"Can the CASB distinguish between a 
corporate-managed Microsoft 365 or Salesforce tenant and an employee's personal account of the same application?","buyer_lens":"A regulated firm cannot allow customer relationship data or financial models to be moved from our corporate Microsoft 365 tenant to a personal OneDrive or consumer SharePoint.","supplier_lens":"Demonstrate tenant restrictions or instance awareness that identifies the specific destination account, blocking uploads to personal tenants while permitting corporate ones.","netify_note":"Tenant awareness prevents shadow IT data leakage — employees using personal accounts to bypass corporate data governance and retention policies."},{"id":"fin-4.2","text":"How does the CASB identify anomalous behaviour such as a staff member bulk-downloading customer account records or pricing models from cloud systems?","buyer_lens":"Insider threats and account takeovers are significant risks. If a user suddenly downloads 10,000 customer records, we need an immediate alert — not a weekly report.","supplier_lens":"Demonstrate User and Entity Behaviour Analytics (UEBA) capabilities including download volume thresholds, time-of-access anomalies, and integration with HR departure workflows.","netify_note":"UEBA is the primary technical control for detecting both insider data theft and external account takeover in cloud-hosted financial applications."},{"id":"fin-4.3","text":"Does the CASB provide a risk score for unsanctioned cloud applications discovered on the network, assessed against financial services compliance standards?","buyer_lens":"Staff frequently sign up for free productivity tools. 
We need to know if these applications meet our data residency, security, and FCA third-party risk obligations before we allow them.","supplier_lens":"Provide a database of applications scored against ISO 27001, SOC 2, GDPR, and PCI DSS, with the ability to add custom scoring criteria for financial services requirements.","netify_note":"Shadow IT risk scoring enables systematic governance of unsanctioned cloud usage — a mandatory requirement under DORA's third-party risk management provisions."},{"id":"fin-4.4","text":"Can the CASB automatically redact sensitive customer financial data (account numbers, sort codes, card numbers) as it appears in cloud-based CRM systems?","buyer_lens":"Customer service agents do not need to see full account numbers to resolve queries. Redacting this at the CASB layer enforces least privilege for sensitive financial data without application changes.","supplier_lens":"Describe real-time inline data masking that modifies traffic at the CASB broker layer, with support for financial data patterns including account numbers, card data, and NI numbers.","netify_note":"Inline redaction is a key GDPR and PCI DSS control — data that cannot be seen cannot be leaked, photographed, or memorised."},{"id":"fin-4.5","text":"How does the CASB protect financial data accessed from unmanaged devices such as an employee's personal laptop or a contractor's device?","buyer_lens":"We must allow regulated staff to view documents from personal devices in emergency scenarios, but we cannot allow them to download sensitive financial data to an unmanaged machine.","supplier_lens":"Describe reverse proxy session interception for unmanaged devices, enforcing view-only policies with download blocking, watermarking, and print restrictions.","netify_note":"Reverse proxy CASB does not require an agent — the policy is enforced in the cloud broker, making it effective regardless of the device's security posture."},{"id":"fin-4.6","text":"Can the CASB automatically 
quarantine or remove sharing permissions on files containing financial data that have been accidentally shared with external email addresses?","buyer_lens":"If a staff member accidentally shares a folder containing customer account data with a personal Gmail address, the CASB must detect and reverse that share within seconds — not at the next scan cycle.","supplier_lens":"Evidence of real-time API-based scanning that can retroactively modify permissions and quarantine files in major cloud platforms within a defined response time.","netify_note":"Automated quarantine prevents accidental data exposure from becoming a reportable breach under UK GDPR and FCA notification obligations."},{"id":"fin-4.7","text":"Can the CASB audit and revoke OAuth app-to-app permissions that employees have granted to third-party cloud integrations?","buyer_lens":"Staff often grant broad read/write permissions to their email and files through free productivity integrations. Under DORA, we must maintain visibility and control over all third-party data access paths.","supplier_lens":"Comprehensive OAuth token discovery across connected SaaS platforms with risk scoring and one-click revocation capabilities for high-risk app permissions.","netify_note":"OAuth token sprawl is a major attack vector — a compromised third-party app with OAuth access to your corporate mail is as dangerous as a direct breach."},{"id":"fin-4.8","text":"Does the CASB offer API-based scanning of existing cloud data at rest to identify historical exposure of customer financial data?","buyer_lens":"We need to find sensitive customer data that was uploaded before our DLP policies were in place — legacy exposure is a compliance risk we cannot ignore.","supplier_lens":"Describe out-of-band API connectors for retroactive cloud storage scanning, classification of sensitive financial data, and remediation workflows for historical exposures.","netify_note":"API-based scanning covers data at rest — a different risk profile from 
inline protection, and equally important for FCA data governance requirements."}]},{"title":"SSE: Data Loss Prevention (DLP)","questions":[{"id":"fin-5.1","text":"Does the DLP engine support Exact Data Matching (EDM) for specific customer account numbers, IBAN formats, and sort codes held in our systems?","buyer_lens":"Generic regex patterns generate too many false positives. EDM allows us to match our actual customer account numbers precisely, ensuring that real data — not patterns — triggers the policy.","supplier_lens":"Describe the ability to upload a secure database of specific identifiers (account numbers, IBANs) for precise matching, including how the database is secured and updated.","netify_note":"EDM is the most targeted DLP method — it matches real data values rather than patterns, dramatically reducing false positives in high-volume financial environments."},{"id":"fin-5.2","text":"Can the DLP engine perform OCR on images and scanned documents to identify account numbers, payment details, or regulatory classifications within image files?","buyer_lens":"Staff may photograph account statements or compliance documents. The system must read text inside images and block transmission if it contains sensitive financial identifiers.","supplier_lens":"Describe native OCR capabilities within the cloud inspection engine, supported file formats, confidence thresholds, and handling of low-quality scans.","netify_note":"OCR-based DLP closes a common evasion loophole — converting data to an image before sending bypasses text-pattern matching if OCR is not supported."},{"id":"fin-5.3","text":"Can the DLP engine detect partial matches of proprietary financial models, pricing schedules, or regulatory reports if only a fragment is copied or sent?","buyer_lens":"A sophisticated insider will not send the whole document. They will copy a few rows of a pricing model into an email. 
We need the system to recognise those fragments.","supplier_lens":"Explain Partial Document Matching or Index Document Matching (IDM) capabilities that identify content fragments from registered sensitive documents.","netify_note":"Partial matching is essential for protecting financial IP — complete documents are rarely exfiltrated directly, but fragments are routinely embedded in emails or messages."},{"id":"fin-5.4","text":"How does the DLP solution handle data in motion across encrypted collaboration tools such as Microsoft Teams, Slack, or Bloomberg Terminal chat?","buyer_lens":"Financial staff share sensitive information across chat tools. We must ensure that account details, transaction data, or material non-public information cannot be shared via these channels.","supplier_lens":"Describe DLP enforcement for enterprise chat applications including message inspection, file attachment scanning, and policy response options for financial data classifications.","netify_note":"Encrypted chat applications are increasingly used to share sensitive financial data — DLP must extend beyond email and web to cover these channels comprehensively."},{"id":"fin-5.5","text":"Can the solution prevent exfiltration of financial data via clipboard copy or screen capture from web-based banking and trading applications?","buyer_lens":"A contractor accessing our trading platform via a browser should not be able to copy customer positions or account balances into their local clipboard or take screenshots.","supplier_lens":"Explain user action controls for clipboard restriction, print screen blocking, and screenshot prevention within ZTNA and RBI-protected sessions.","netify_note":"Clipboard and screenshot controls close high-risk exfiltration paths that do not involve file downloads — common methods used in financial data theft."},{"id":"fin-5.6","text":"What is the process for a user to justify and override a DLP block if they believe it is a false positive on a legitimate financial 
communication?","buyer_lens":"If a relationship manager's legitimate counterparty communication is blocked, they need a rapid, auditable workflow to override — not a helpdesk ticket with a 4-hour SLA.","supplier_lens":"Describe customisable coaching pop-ups that present the user with justification options, with override requests logged and reviewed by the security team.","netify_note":"Justification workflows balance security with operational productivity — they prevent business disruption while maintaining a complete audit trail for compliance purposes."},{"id":"fin-5.7","text":"Can the DLP system scan inside compressed files (.zip, .7z, password-protected archives) to inspect financial data before it leaves the network?","buyer_lens":"A common technique for extracting customer data is to compress it into an encrypted archive to evade basic scanners. We need multi-level recursive inspection of compressed files.","supplier_lens":"Confirm support for multi-level archive recursion, supported compression formats, and policy options for blocking encrypted archives that cannot be inspected.","netify_note":"Recursive archive inspection is essential — files compressed inside other compressed files are a well-known evasion technique for bypassing flat-file DLP scanning."},{"id":"fin-5.8","text":"Does the DLP system include out-of-the-box policy templates for UK GDPR, the Financial Services and Markets Act, and PCI DSS 4.0?","buyer_lens":"We do not want to spend months building DLP rules from scratch. 
We need pre-configured templates for financial PII, payment card data, and regulatory document classifications.","supplier_lens":"Provide a library of pre-built UK and international financial compliance templates, including coverage of financial services-specific data types beyond standard PII.","netify_note":"Pre-built compliance templates dramatically accelerate DLP deployment — a critical advantage given the density of UK financial services regulatory obligations."},{"id":"fin-5.9","text":"How are DLP incidents triaged? Is there a dedicated forensics dashboard providing a clear chain of evidence for the information security officer and legal team?","buyer_lens":"If a staff member is found to have exfiltrated customer data, we need complete, court-admissible evidence: who, what, when, and the exact content of the blocked transmission.","supplier_lens":"Describe the investigation workflow, evidence retention policy, chain-of-custody capabilities, and analyst tooling available for DLP incident investigation.","netify_note":"A robust forensics dashboard is essential for both regulatory enforcement and civil/criminal proceedings following a financial data breach."}]},{"title":"SSE: Remote Browser Isolation (RBI)","questions":[{"id":"fin-6.1","text":"Does the RBI solution use pixel-pushing rendering so that no active web content from counterparty or vendor portals ever executes on a financial staff member's endpoint?","buyer_lens":"Financial staff access many third-party portals daily — counterparty systems, data providers, regulatory submissions. 
We cannot risk drive-by downloads from any of these sources.","supplier_lens":"Confirm pixel-pushing rendering that sends only a visual stream to the user, with all HTML, JavaScript, and active code executing in a remote disposable container.","netify_note":"Pixel-pushing is the highest security form of RBI — it creates a glass wall between the user and internet content, preventing any code from reaching the financial endpoint."},{"id":"fin-6.2","text":"Can RBI enforce read-only mode for specific financial or regulatory portal sessions, preventing downloads of documents to the local endpoint?","buyer_lens":"Staff accessing regulatory reporting portals or data provider sites should be able to view information but should not be able to save local copies of sensitive market data or compliance reports.","supplier_lens":"Demonstrate controls that disable Save As, right-click, print, and download functions within isolated browser sessions for defined portal categories.","netify_note":"Read-only RBI is a proportionate control — it maintains productivity by allowing access while preventing the most common data extraction pathway."},{"id":"fin-6.3","text":"Can the RBI service sanitise downloaded documents — stripping macros and active content — before they reach a financial staff member's endpoint?","buyer_lens":"If a relationship manager must download a document from a counterparty portal, it should be reconstructed in the cloud with all active content removed before touching our endpoint.","supplier_lens":"Describe Content Disarm and Reconstruction (CDR) integration within the isolation workflow, supported file types, and expected delivery time after sanitisation.","netify_note":"CDR reconstructs files from their underlying data, eliminating all executable content — more effective than anti-virus for zero-day threats hidden in documents."},{"id":"fin-6.4","text":"Does the SWG integrate with RBI so that uncategorised or high-risk websites are automatically isolated rather 
than blocked outright?","buyer_lens":"Blocking access to uncategorised sites creates operational friction for staff researching counterparties or market data. Isolation allows safe access without security compromise.","supplier_lens":"Confirm native integration between the SWG URL filtering engine and RBI trigger policies, so high-risk categories automatically route to the isolation service.","netify_note":"Targeted RBI — isolating only risky sites — balances security with productivity, applying isolation where it matters without degrading general browsing performance."},{"id":"fin-6.5","text":"How are isolated sessions logged for compliance and forensic purposes? Are URL access logs and session activity captured with timestamps?","buyer_lens":"Under FCA and DORA obligations, we may need to evidence what a staff member or contractor accessed within an isolated session during an investigation.","supplier_lens":"Describe the granularity of session logging, including URL access logs, session duration, any download attempts, and long-term retention options for compliance purposes.","netify_note":"Isolated session logs provide the compliance audit trail required by financial services regulations — they must be tamper-proof and retained for mandated periods."},{"id":"fin-6.6","text":"What is the latency overhead when RBI is triggered for financial research or market data sites used by analysts and traders?","buyer_lens":"Traders and analysts access real-time research platforms constantly. 
If RBI adds perceptible lag, users will seek workarounds that undermine our security posture.","supplier_lens":"Provide measured latency overhead metrics for the isolation broker, ideally demonstrating less than 100ms overhead for UK-based traffic.","netify_note":"Performance is the primary adoption barrier for RBI in financial services — if isolation is imperceptibly fast, user resistance and workarounds are eliminated."}]},{"title":"SSE: Firewall as a Service (FWaaS)","questions":[{"id":"fin-7.1","text":"Does the FWaaS enforce identity-aware firewall policies that follow a staff member from the office to their home network without requiring policy reconfiguration?","buyer_lens":"A relationship manager should have the same firewall restrictions on access to customer databases and trading systems whether they are at their desk or working from home.","supplier_lens":"Demonstrate integration with Azure AD or Okta applying firewall rules based on user group and role rather than static IP addresses.","netify_note":"Identity-aware FWaaS decouples security enforcement from physical location — essential for consistent policy compliance across hybrid working financial services staff."},{"id":"fin-7.2","text":"Can the FWaaS enforce geo-blocking to prevent inbound connections from high-risk regions to payment systems and core banking infrastructure?","buyer_lens":"Financial institutions have no legitimate inbound traffic from many jurisdictions. 
Blocking these at the network layer is a cost-effective reduction of our attack surface.","supplier_lens":"Describe native geo-IP database integration with country-level granularity, update frequency, and the ability to whitelist specific IP ranges within blocked regions for legitimate counterparties.","netify_note":"Geo-blocking reduces attack surface for financially motivated threat actors — the majority of automated attacks against financial systems originate from a small number of jurisdictions."},{"id":"fin-7.3","text":"Can you provide static, dedicated egress IPs for our SASE traffic to maintain compatibility with correspondent banks and financial counterparties that enforce IP whitelisting?","buyer_lens":"Our correspondent banking relationships and SWIFT connectivity depend on whitelisted IP addresses. If our SASE egress IP changes or is shared with another customer, transactions may be blocked.","supplier_lens":"Describe reserved egress IP options dedicated exclusively to the customer's organisation, with guaranteed IP stability and no shared tenant risk.","netify_note":"Dedicated egress IPs are a non-negotiable requirement for financial services SASE deployments where correspondent banking relationships depend on IP whitelisting."},{"id":"fin-7.4","text":"If your primary UK PoP fails, how is financial services traffic rerouted and what is the maximum expected performance degradation during failover?","buyer_lens":"Payment processing and trading platforms cannot tolerate PoP outages. 
We need a clear, tested failover process with performance guarantees, not just theoretical redundancy.","supplier_lens":"Explain traffic failover logic between PoPs, failover testing schedules, expected latency increase during failover, and SLA-backed availability guarantees.","netify_note":"PoP resilience is directly linked to FCA operational resilience obligations — firms must evidence that critical network services can withstand significant operational disruption."},{"id":"fin-7.5","text":"Is the FWaaS policy engine version-controlled? Can a change that causes unintended disruption to payment processing be rolled back within minutes?","buyer_lens":"If a firewall policy change inadvertently blocks payment traffic at 10 AM, we need to reverse it within seconds — not raise a ticket and wait for an engineer.","supplier_lens":"Describe policy versioning, change approval workflows, and the fastest possible rollback mechanism including who can initiate it and how long it takes to propagate.","netify_note":"Policy version control is a fundamental operational resilience requirement — financial institutions must be able to rapidly restore known-good configurations during incidents."},{"id":"fin-7.6","text":"Can the FWaaS generate board-ready threat reports showing top blocked attack categories, source geographies, and threat trends for our quarterly security committee?","buyer_lens":"Our board and risk committee require regular evidence of the value of security investment and the threat landscape we are navigating. 
These reports must be presentable, not raw log exports.","supplier_lens":"Describe executive security reporting capabilities including automated report generation, visual dashboards, and scheduled delivery to stakeholders without manual analyst effort.","netify_note":"Board-level reporting demonstrates ROI for security spend and supports FCA expectations for senior management oversight of cyber risk."}]},{"title":"SSE: Intrusion Prevention & Detection (IPS/IDS)","questions":[{"id":"fin-8.1","text":"Does the IPS include specific threat intelligence and signatures for financial malware families targeting banking systems (e.g. Emotet, Dridex, QakBot, TrickBot)?","buyer_lens":"Financial institutions are disproportionately targeted by banking trojans and credential-stealing malware. Standard IT IPS signature sets are insufficient — we need finance-specific threat intelligence.","supplier_lens":"Evidence of dedicated financial threat intelligence feeds covering banking malware, eCrime actor TTPs, and specific signatures for common financial sector attack vectors.","netify_note":"Banking trojans account for a significant proportion of financial sector incidents — generic IPS signatures frequently miss sector-specific malware variants."},{"id":"fin-8.2","text":"How quickly are zero-day signatures pushed to the IPS engine following a new threat disclosure targeting financial services infrastructure?","buyer_lens":"Financial institutions are named targets in threat actor campaigns. 
When a zero-day affecting banking infrastructure is disclosed, we need protection within hours, not the next patch cycle.","supplier_lens":"Provide the average time from threat disclosure to signature deployment in customer environments, with details of the emergency update process for critical financial sector threats.","netify_note":"The window between zero-day disclosure and weaponisation is shrinking — signature update latency is a direct measure of exposure time for targeted financial institutions."},{"id":"fin-8.3","text":"Can the IPS detect and block lateral movement attempts between financial system VLANs, such as a workstation attempting to scan the payment processing subnet?","buyer_lens":"If a staff endpoint is compromised, the attacker will attempt to pivot toward our payment systems or customer databases. The IPS must detect and block this scanning behaviour before it succeeds.","supplier_lens":"Describe east-west detection capabilities for cross-VLAN scanning, brute-force, and anomalous traffic patterns that indicate lateral movement within the network.","netify_note":"Lateral movement detection is the critical control that limits the blast radius of an initial compromise — preventing a single endpoint infection from becoming a systemic breach."},{"id":"fin-8.4","text":"Can the IPS generate automated alerts for DDoS activity targeting specific payment gateway or core banking IP ranges?","buyer_lens":"DDoS attacks against financial services are frequent and often used as a distraction during a simultaneous fraud campaign. 
Early detection is critical to coordinating both the defence and the fraud response.","supplier_lens":"Explain DDoS detection thresholds, payment system-specific alert policies, integration with upstream DDoS scrubbing services, and expected alert-to-response timelines.","netify_note":"DDoS attacks on financial services are routinely paired with simultaneous fraud attempts — rapid detection enables coordinated technical and fraud operations response."}]},{"title":"SSE: DNS Security (Protective DNS)","questions":[{"id":"fin-9.1","text":"How does the DNS security layer block newly registered domains and command-and-control infrastructure used by financially motivated threat actors?","buyer_lens":"Financial sector ransomware campaigns routinely use newly registered domains for C2 callbacks. We need NRDs blocked by default with tunable age thresholds.","supplier_lens":"Confirm real-time WHOIS integration, DGA detection algorithms, and sub-second blocking of identified C2 infrastructure for known financial sector threat actor campaigns.","netify_note":"DNS-layer blocking is often the last line of defence against malware C2 callbacks — even if malware reaches an endpoint, DNS blocking can prevent it from receiving instructions."},{"id":"fin-9.2","text":"Can different DNS filtering policies be enforced for payment processing systems versus general staff endpoints?","buyer_lens":"A payment processing server should only ever resolve DNS queries to known financial infrastructure. 
Any other DNS request from that system is a potential indicator of compromise.","supplier_lens":"Describe policy segmentation by network zone, device classification, or IP range, allowing strict allow-list DNS policies for payment systems without affecting general user access.","netify_note":"Zone-based DNS policy is a key micro-segmentation control — restricting what a payment system can 'call' at the DNS layer dramatically limits attacker options post-compromise."}]},{"title":"SSE: SaaS Security Posture Management (SSPM)","questions":[{"id":"fin-10.1","text":"Does the SSPM tool provide automated remediation for misconfigurations in Microsoft 365, Salesforce Financial Services Cloud, or other critical SaaS platforms?","buyer_lens":"We need a system that does not just identify a misconfigured sharing policy in our CRM but automatically corrects it — the window between detection and exploitation must be seconds, not hours.","supplier_lens":"Demonstrate a configuration drift dashboard with toggleable auto-remediation for critical security settings, with audit logging of all automated changes for compliance review.","netify_note":"Auto-remediation is the key differentiator in SSPM — detection without automatic correction still leaves a window of exposure that financial institutions cannot accept."},{"id":"fin-10.2","text":"Can the SSPM benchmark SaaS configurations against CIS Controls and FCA operational resilience expectations, generating evidence for regulatory examination?","buyer_lens":"FCA expects firms to demonstrate ongoing compliance with security frameworks. 
We need automated, continuous benchmarking that produces auditable evidence without manual assessment effort.","supplier_lens":"Provide coverage of CIS Level 1 and 2 controls for major SaaS platforms, with automated compliance scoring and evidence export in formats suitable for regulatory submission.","netify_note":"SSPM-generated compliance evidence dramatically reduces the cost and burden of FCA and PRA regulatory examinations for cloud security posture."}]},{"title":"SSE: Cloud Email Security","questions":[{"id":"fin-11.1","text":"How does the solution protect against Business Email Compromise (BEC) and look-alike domain attacks targeting financial counterparties and correspondent banks?","buyer_lens":"Invoice fraud and CEO impersonation attacks have cost UK financial institutions millions. We need AI-driven communication pattern analysis to detect identity spoofing before payments are authorised.","supplier_lens":"Describe AI and machine learning capabilities for detecting communication pattern anomalies, look-alike domain identification, and real-time BEC scoring for inbound financial correspondence.","netify_note":"BEC is the highest-value email fraud vector targeting financial services — attackers impersonate counterparties, executives, and regulators to authorise fraudulent payments."},{"id":"fin-11.2","text":"Does the solution enforce DMARC, DKIM, and SPF validation for all inbound email, and can it prevent spoofing of the organisation's own domain?","buyer_lens":"Attackers impersonating our own domain in emails to customers or counterparties could cause catastrophic reputational and regulatory harm. 
Domain spoofing prevention is non-negotiable.","supplier_lens":"Confirm enforcement of DMARC reject policy for inbound mail, domain spoofing detection, and outbound DMARC alignment monitoring with reporting dashboards for our domain reputation.","netify_note":"DMARC enforcement prevents attackers from impersonating your financial institution's domain — a key protection against fraud targeting your customers and counterparties."}]},{"title":"SSE: Threat / Malware Protection (ATP & Sandboxing)","questions":[{"id":"fin-12.1","text":"Does the sandbox support human-interaction simulation to detonate evasive malware specifically designed to remain dormant in automated analysis environments?","buyer_lens":"Sophisticated malware targeting financial institutions is designed to detect sandbox environments and stay dormant. We need a sandbox that simulates real user behaviour convincingly enough to trigger evasive malware.","supplier_lens":"Provide a detailed breakdown of anti-evasion techniques used, including mouse movement simulation, typing patterns, browser history, and time-based detonation triggers.","netify_note":"Human-interaction simulation defeats a common evasion technique used by advanced financial malware — malicious code that only executes when it detects legitimate human activity."}]},{"title":"SSE: Identity & Access (IdP) Integration","questions":[{"id":"fin-13.1","text":"Does the solution support SCIM for automated user provisioning and immediate de-provisioning when a staff member leaves the organisation?","buyer_lens":"When a regulated employee departs, their access to trading systems, customer data, and financial applications must be revoked instantly across the entire security stack — a manual process creates an unacceptable risk window.","supplier_lens":"Confirm native SCIM 2.0 integration with major identity providers (Azure AD, Okta, Ping), including the time from de-provisioning trigger to access revocation across all connected 
applications.","netify_note":"Automated de-provisioning is a core insider threat control in financial services — delayed access removal after staff departure is a significant and frequently exploited vulnerability."}]},{"title":"SSE: Device Posture / Endpoint Context","questions":[{"id":"fin-14.1","text":"Can the solution block access to financial systems if a device's EDR agent is disabled, disk encryption is inactive, or the device OS is below the minimum approved version?","buyer_lens":"A device without active endpoint security or disk encryption is a significant data protection risk. If a staff member's laptop is unprotected, it must not reach our trading platforms or customer data.","supplier_lens":"Describe integration with major EDR platforms (CrowdStrike, SentinelOne, Defender), disk encryption posture checks (BitLocker, FileVault), and OS version enforcement as access conditions.","netify_note":"Device posture checks enforce a baseline security standard at the network access layer — ensuring unmanaged or compromised devices cannot reach regulated financial systems."},{"id":"fin-14.2","text":"Can the solution distinguish between a corporate-managed device and a personal device, enforcing significantly more restrictive access policies for personal devices?","buyer_lens":"Staff occasionally access financial systems from personal devices. 
These devices should have heavily restricted access — read-only views only, no downloads, mandatory RBI for all sessions.","supplier_lens":"Describe how device ownership and management state are determined (certificate, MDM status, domain join), and the distinct access policies applied to personal versus corporate devices.","netify_note":"Personal device policy differentiation is a fundamental data governance control — it enables BYOD within appropriate risk boundaries without requiring an MDM deployment."}]},{"title":"SASE: Converged Outcomes","questions":[{"id":"fin-15.1","text":"Does the SASE solution use a contractually backed private Tier-1 backbone for the middle mile, rather than encrypted tunnels over the public internet?","buyer_lens":"For international trading and correspondent banking traffic, the public internet is too unpredictable. We need a backbone with guaranteed latency and jitter SLAs between UK and global financial centres.","supplier_lens":"Provide a list of Tier-1 peering partners and a contractually backed latency matrix between global PoPs covering major financial centres (London, New York, Hong Kong, Singapore, Frankfurt).","netify_note":"A private backbone acts as a private motorway for financial data — bypassing public internet congestion to deliver consistent, low-latency performance for global financial operations."},{"id":"fin-15.2","text":"How does the SASE fabric provide direct cloud on-ramp to cloud-hosted financial platforms (e.g. 
Temenos on Azure, Finastra on AWS) without hair-pinning through a central data centre?","buyer_lens":"If branch staff connect to a cloud core banking platform via a central data centre, the additional latency degrades transaction response times and customer service quality.","supplier_lens":"Confirm virtual PoPs or direct peering within the same cloud regions as major financial SaaS platforms, with evidence of on-ramp latency improvements versus traditional backhauling.","netify_note":"Hair-pinning — routing cloud traffic through a central hub before it reaches the cloud — is a common cause of unexplained core banking performance issues."},{"id":"fin-15.3","text":"Describe the TCP optimisation techniques used to accelerate SWIFT messaging and settlement traffic across high-latency global WAN paths.","buyer_lens":"Settlement file transfers and SWIFT messaging traffic degrade significantly over long-distance connections due to TCP window limitations. We need WAN acceleration for these specific financial protocols.","supplier_lens":"Describe TCP proxying, window scaling, and packet loss mitigation techniques that accelerate financial protocol traffic over high-latency global paths.","netify_note":"TCP window scaling issues cause large financial settlement files to transfer far slower than the underlying bandwidth would suggest — WAN optimisation resolves this without protocol changes."},{"id":"fin-15.4","text":"In a fully managed SASE model, who is the single point of accountability for an end-to-end performance issue spanning the ISP, the SASE backbone, and the cloud application?","buyer_lens":"When a branch reports slow core banking performance, we cannot have our IT team managing a three-way blame conversation between the ISP, the SASE vendor, and the cloud provider.","supplier_lens":"Define the SIAM (Service Integration and Management) accountability within the managed service, including SLA ownership for end-to-end user experience 
metrics.","netify_note":"Single-point accountability for end-to-end performance is a critical managed service requirement — financial institutions cannot afford extended resolution cycles during service degradation."},{"id":"fin-15.5","text":"What is the contractual SLA for emergency security changes — such as blocking a specific IP during an active payment fraud campaign or ransomware attack?","buyer_lens":"If we are under active attack at 2 AM, we cannot wait for a next-business-day change window. Emergency security changes for financial infrastructure must be measured in minutes.","supplier_lens":"Confirm 24/7 NOC/SOC availability with a defined emergency change SLA (e.g. 15-minute block deployment), backed by contractual service credits for missed response times.","netify_note":"Emergency change SLAs are a direct test of whether a managed SASE provider is genuinely 24/7 — a critical capability for financial institutions facing time-sensitive attack campaigns."},{"id":"fin-15.6","text":"Does the managed SASE portal provide real-time digital experience monitoring at a per-user level, enabling rapid triage of performance complaints from branch staff?","buyer_lens":"When a branch manager reports that core banking is slow, we need to determine instantly whether the issue is the local broadband, the SASE PoP, or the cloud application — without dispatching an engineer.","supplier_lens":"Demonstrate hop-by-hop digital experience monitoring showing ISP performance, SASE PoP latency, and application response time, with drill-down to individual user and device level.","netify_note":"Per-user digital experience monitoring is the modern equivalent of a helpdesk — it transforms incident diagnosis from guesswork into immediate, data-driven root cause identification."},{"id":"fin-15.7","text":"Can the SASE platform generate reports aligned to DORA (Digital Operational Resilience Act) requirements, including ICT incident classification, third-party dependency mapping, and 
resilience testing evidence?","buyer_lens":"From January 2025, DORA requires detailed ICT risk management and incident reporting. We need our SASE platform to contribute directly to our DORA compliance evidence pack.","supplier_lens":"Describe specific DORA-aligned reporting capabilities including ICT incident logging, third-party provider dependency tracking, and evidence generation for resilience testing requirements.","netify_note":"DORA compliance is now mandatory for UK and EU financial institutions and their ICT providers — the ability to generate DORA-aligned evidence directly from the SASE platform reduces compliance overhead significantly."}]}],"count":82},"healthcare":{"label":"Healthcare","sections":[{"title":"Vendor Pedigree & Healthcare Track Record","questions":[{"id":"hea-1.1","text":"Healthcare Operational Scale","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-1.2","text":"Peer References & Customers","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-1.3","text":"Specialised Clinical Support Teams","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-1.4","text":"Financial Stability & Long-term Strategy","buyer_lens":"","supplier_lens":"","netify_note":""}]},{"title":"Infrastructure, PoPs & Connectivity Underlay","questions":[{"id":"hea-2.1","text":"Private Backbone & PoP Proximity","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-2.2","text":"Private vs. 
Public Gateway Options","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-2.3","text":"Managed Connectivity Underlay","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-2.4","text":"LTE/5G Failover for Community Sites","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-2.5","text":"HSCN Peering & Integration","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-2.6","text":"FirstNet & Public Safety LTE","buyer_lens":"","supplier_lens":"","netify_note":""}]},{"title":"SASE Features & Clinical Security","questions":[{"id":"hea-3.1","text":"Clinical Application-Aware Routing","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-3.2","text":"Sub-Second Session Persistence","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-3.3","text":"Medical Protocol Support","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-3.4","text":"IoMT & Medical Device Isolation","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-3.5","text":"ZTNA for Shared Workstations","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-3.6","text":"DLP for Clinical Identifiers","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-3.7","text":"TLS 1.3 Inspection Performance","buyer_lens":"","supplier_lens":"","netify_note":""}]},{"title":"Operations, Reporting & SLAs","questions":[{"id":"hea-4.1","text":"Digital Experience Monitoring (DEM)","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-4.2","text":"Managed vs. 
Co-Managed Flexibility","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-4.3","text":"Support SLA for Acute Sites (Clinical P1)","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-4.4","text":"Automated Compliance Reporting","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-4.5","text":"Real-Time Analytics & Shift-Change Heatmaps","buyer_lens":"","supplier_lens":"","netify_note":""}]},{"title":"Deployment & Regional Compliance","questions":[{"id":"hea-5.1","text":"Zero-Touch Provisioning Lead Times","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-5.2","text":"Adds, Moves, and Changes (MACDs)","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-5.3","text":"DSPT Version 8 & DTAC Alignment","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-5.4","text":"Clinical Safety Officer (CSO) & DCB0129","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-5.5","text":"Business Associate Agreement (BAA)","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-5.6","text":"TEFCA & QHIN Connectivity","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-5.7","text":"Patient Data Residency & Sovereignty","buyer_lens":"","supplier_lens":"","netify_note":""},{"id":"hea-5.8","text":"NHS Net Zero & Social Value","buyer_lens":"","supplier_lens":"","netify_note":""}]},{"title":"Bespoke Requirements","questions":[]}],"count":30}},"sase_extended":{"version":"sase-question-bank-2026.1","methodology_version":"sase-rfp-methodology-2026.1","last_reviewed":"2026-05-18","category_labels":{"identity_ztna":"Identity / ZTNA","swg_casb_dlp":"SWG / CASB / DLP","fwaas_threat":"FWaaS / Threat","sdwan_integration":"SD-WAN Integration","logging_siem":"Logging / SIEM","data_residency":"Data Residency","service_model":"Service Model","deployment":"Deployment","commercials":"Commercials","vendor_evidence":"Vendor 
Evidence"},"count":43,"questions":[{"question_id":"SASE-ZTNA-001","category_id":"identity_ztna","question":"Describe how your platform enforces zero trust access to private applications.","answer_type":"long_text","evidence_required":["Architecture diagram","Policy example","Identity provider integration list"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"high","why_it_matters":"Private application access is a core SASE use case and should be controlled by identity, device and application context rather than broad network access.","red_flag_answers":["VPN-only access model","No application-level policy","No identity provider integration"],"follow_up_questions":["Can policies differ by user group and device posture?","Can access be restricted to specific private applications rather than subnets?"]},{"question_id":"SASE-ZTNA-002","category_id":"identity_ztna","question":"Which identity providers do you support natively, and which protocols (SAML, OIDC, SCIM)?","answer_type":"long_text","evidence_required":["Supported IdP list","Protocol matrix"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Native IdP integration determines whether identity, group and lifecycle data drive access decisions in real time.","red_flag_answers":["SAML only with no SCIM","Limited to one IdP"],"follow_up_questions":["How are deprovisioning events handled end to end?"]},{"question_id":"SASE-ZTNA-003","category_id":"identity_ztna","question":"How is device posture evaluated and used in access decisions?","answer_type":"long_text","evidence_required":["Device posture signal list","Sample posture-based policy"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"medium","why_it_matters":"Device posture lets buyers enforce different access rules for managed, unmanaged and high-risk 
devices.","red_flag_answers":["No posture signals","Posture only on a single OS"],"follow_up_questions":["Which posture signals are available on unmanaged devices?"]},{"question_id":"SASE-ZTNA-004","category_id":"identity_ztna","question":"Describe step-up authentication and continuous session validation.","answer_type":"long_text","evidence_required":["Step-up trigger list","Session validation cadence"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"medium","why_it_matters":"Continuous validation reduces the risk of stale sessions being used after the risk context changes.","red_flag_answers":["Session validation at login only"],"follow_up_questions":["Which signals can trigger step-up?"]},{"question_id":"SASE-ZTNA-005","category_id":"identity_ztna","question":"Describe how third-party and contractor access is managed.","answer_type":"long_text","evidence_required":["Third-party access workflow"],"mandatory_for":["healthcare","financial-services"],"optional_for":["retail","manufacturing"],"weighting_hint":"high","why_it_matters":"Third-party access is a common breach vector and needs tight, audited control.","red_flag_answers":["Shared accounts for contractors"],"follow_up_questions":["Is access time-bound by default?"]},{"question_id":"SASE-SWG-001","category_id":"swg_casb_dlp","question":"Describe your secure web gateway, including TLS inspection and URL category coverage.","answer_type":"long_text","evidence_required":["SWG architecture","TLS inspection approach","Category list"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"The SWG is the primary control plane for web traffic and must inspect TLS to be effective.","red_flag_answers":["No TLS inspection","URL filtering only"],"follow_up_questions":["How are TLS exceptions managed for sensitive 
sites?"]},{"question_id":"SASE-SWG-002","category_id":"swg_casb_dlp","question":"Describe browser-based isolation options and use cases.","answer_type":"long_text","evidence_required":["Isolation architecture"],"mandatory_for":["financial-services"],"optional_for":["healthcare","retail","manufacturing"],"weighting_hint":"low","why_it_matters":"Isolation is a useful control for risky categories without blocking access.","red_flag_answers":["No isolation option"],"follow_up_questions":["Is isolation included or licensed separately?"]},{"question_id":"SASE-CASB-001","category_id":"swg_casb_dlp","question":"Describe your inline and API-based CASB coverage for sanctioned and shadow SaaS.","answer_type":"long_text","evidence_required":["List of API-integrated SaaS","Inline vs API coverage matrix"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"high","why_it_matters":"CASB visibility is needed to control data movement to SaaS and to detect shadow SaaS use.","red_flag_answers":["No API CASB","Coverage of fewer than 10 major SaaS"],"follow_up_questions":["How are shadow SaaS apps discovered and triaged?"]},{"question_id":"SASE-DLP-001","category_id":"swg_casb_dlp","question":"Describe your DLP capabilities, policy templates and incident workflow.","answer_type":"long_text","evidence_required":["Sample DLP policy","Incident workflow","Template list"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"high","why_it_matters":"DLP is the primary control for preventing accidental and malicious data egress and must be content-aware.","red_flag_answers":["Keyword matching only","No incident workflow"],"follow_up_questions":["Can DLP policies apply to unmanaged devices?"]},{"question_id":"SASE-DLP-002","category_id":"swg_casb_dlp","question":"How is policy kept consistent across managed and unmanaged 
devices?","answer_type":"long_text","evidence_required":["Unmanaged device coverage approach"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"medium","why_it_matters":"Unmanaged devices are a common data egress channel and need consistent controls.","red_flag_answers":["No coverage of unmanaged devices"],"follow_up_questions":["Which browsers and OSes are supported on unmanaged devices?"]},{"question_id":"SASE-FW-001","category_id":"fwaas_threat","question":"Describe your cloud-delivered firewall, including layer-7 application controls.","answer_type":"long_text","evidence_required":["FWaaS architecture","Layer-7 application list"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"FWaaS replaces branch firewalls and must provide consistent layer-7 controls.","red_flag_answers":["Stateless ACLs only"],"follow_up_questions":["How are policy changes audited?"]},{"question_id":"SASE-IPS-001","category_id":"fwaas_threat","question":"Describe your IPS, anti-malware and sandboxing stack and update frequency.","answer_type":"long_text","evidence_required":["Signature update cadence","Sandbox file type list","Threat intel sources"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Threat protection effectiveness depends on inline inspection and timely intelligence.","red_flag_answers":["No inline malware inspection","Sandbox limited to a few file types"],"follow_up_questions":["How are false positives triaged?"]},{"question_id":"SASE-FW-002","category_id":"fwaas_threat","question":"How is policy kept consistent across branch, roaming and cloud egress traffic?","answer_type":"long_text","evidence_required":["Unified policy 
diagram"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Inconsistent policy planes create gaps and operational overhead.","red_flag_answers":["Separate policy engines per traffic type"],"follow_up_questions":["How are policy conflicts resolved?"]},{"question_id":"SASE-FW-003","category_id":"fwaas_threat","question":"Describe DNS-layer security and its integration with the rest of the stack.","answer_type":"long_text","evidence_required":["DNS security policy example"],"mandatory_for":["retail","manufacturing"],"optional_for":["financial-services","healthcare"],"weighting_hint":"medium","why_it_matters":"DNS-layer controls catch threats early and protect off-network devices.","red_flag_answers":["No DNS-layer protection"],"follow_up_questions":["Does DNS security work off-network?"]},{"question_id":"SASE-SDWAN-001","category_id":"sdwan_integration","question":"Describe how SD-WAN integrates with your SSE stack.","answer_type":"long_text","evidence_required":["Reference architecture","Integration mode list"],"mandatory_for":["retail","manufacturing"],"optional_for":["financial-services","healthcare"],"weighting_hint":"high","why_it_matters":"Tight SD-WAN and SSE integration determines branch user experience and policy consistency.","red_flag_answers":["Integration via IPsec only with no telemetry sharing"],"follow_up_questions":["Is the SD-WAN supplied by you or a partner?"]},{"question_id":"SASE-SDWAN-002","category_id":"sdwan_integration","question":"How are SASE PoPs selected for each branch and how is performance measured?","answer_type":"long_text","evidence_required":["PoP map","Latency expectations","Telemetry samples"],"mandatory_for":["retail","manufacturing"],"optional_for":["financial-services","healthcare"],"weighting_hint":"medium","why_it_matters":"PoP selection drives branch latency and user experience.","red_flag_answers":["Static PoP assignment with no 
telemetry"],"follow_up_questions":["How are PoP failovers handled?"]},{"question_id":"SASE-SDWAN-003","category_id":"sdwan_integration","question":"Describe link failover behaviour, including 4G/5G or LTE failover.","answer_type":"long_text","evidence_required":["Failover decision tree","Convergence times"],"mandatory_for":["retail","manufacturing"],"optional_for":["financial-services","healthcare"],"weighting_hint":"high","why_it_matters":"Failover behaviour determines store, plant and clinic uptime during link events.","red_flag_answers":["No cellular failover support","Slow convergence"],"follow_up_questions":["Are critical applications kept on cellular failover?"]},{"question_id":"SASE-SDWAN-004","category_id":"sdwan_integration","question":"Describe direct internet breakout behaviour at branches.","answer_type":"long_text","evidence_required":["Breakout policy example","Trust model"],"mandatory_for":["retail","manufacturing"],"optional_for":["financial-services","healthcare"],"weighting_hint":"medium","why_it_matters":"Local breakout reduces backhaul cost but must keep security policy consistent.","red_flag_answers":["No local breakout","Breakout without SSE inspection"],"follow_up_questions":["Which SaaS apps are typically broken out locally?"]},{"question_id":"SASE-SDWAN-005","category_id":"sdwan_integration","question":"Describe segmentation options for OT or sensitive networks at branch and plant sites.","answer_type":"long_text","evidence_required":["Segmentation reference design"],"mandatory_for":["manufacturing"],"optional_for":["retail","healthcare","financial-services"],"weighting_hint":"high","why_it_matters":"Segmentation between OT and IT is essential in industrial environments.","red_flag_answers":["No OT segmentation guidance"],"follow_up_questions":["Which industrial protocols are supported?"]},{"question_id":"SASE-LOG-001","category_id":"logging_siem","question":"Which log types are captured and what retention options are 
available?","answer_type":"long_text","evidence_required":["Log schema","Retention options"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Log coverage and retention drive audit, investigation and regulatory reporting.","red_flag_answers":["Short fixed retention with no export"],"follow_up_questions":["Are logs tamper-evident?"]},{"question_id":"SASE-LOG-002","category_id":"logging_siem","question":"How can logs be exported to our SIEM or storage?","answer_type":"long_text","evidence_required":["List of SIEM integrations","Sample export"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Buyers need logs in their own SIEM for correlation and long-term retention.","red_flag_answers":["No native SIEM integration"],"follow_up_questions":["Is export available in near real time?"]},{"question_id":"SASE-LOG-003","category_id":"logging_siem","question":"How are administrative actions audited?","answer_type":"long_text","evidence_required":["Admin audit log sample"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"medium","why_it_matters":"Admin audit trails are required for regulatory and forensic purposes.","red_flag_answers":["Sparse admin audit logs"],"follow_up_questions":["Can admin logs be exported to a separate audit store?"]},{"question_id":"SASE-LOG-004","category_id":"logging_siem","question":"How are user-experience metrics collected and shared?","answer_type":"long_text","evidence_required":["UX telemetry sample"],"mandatory_for":[],"optional_for":["financial-services","retail","manufacturing","healthcare"],"weighting_hint":"low","why_it_matters":"UX telemetry helps prove SASE delivers a better user experience.","red_flag_answers":["No UX telemetry"],"follow_up_questions":["Are UX metrics available per site and per 
user?"]},{"question_id":"SASE-DR-001","category_id":"data_residency","question":"Where are customer data, logs and metadata stored and processed?","answer_type":"long_text","evidence_required":["Data flow diagram","Region list"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Data residency drives regulatory compliance and contractual obligations.","red_flag_answers":["No choice of region"],"follow_up_questions":["Can residency be enforced for logs separately from tenant config?"]},{"question_id":"SASE-DR-002","category_id":"data_residency","question":"List your sub-processors and their locations.","answer_type":"long_text","evidence_required":["Sub-processor list with regions"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Sub-processor disclosure is required for many regulated buyers.","red_flag_answers":["Undisclosed sub-processors"],"follow_up_questions":["How are sub-processor changes notified?"]},{"question_id":"SASE-DR-003","category_id":"data_residency","question":"Describe support access controls and the regions from which support operates.","answer_type":"long_text","evidence_required":["Support access model"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"medium","why_it_matters":"Support access can introduce cross-border data exposure if not controlled.","red_flag_answers":["Support access from unrestricted regions"],"follow_up_questions":["Can support access be restricted to named regions?"]},{"question_id":"SASE-DR-004","category_id":"data_residency","question":"Describe support for customer-managed encryption keys.","answer_type":"long_text","evidence_required":["CMK 
approach"],"mandatory_for":["financial-services"],"optional_for":["healthcare","retail","manufacturing"],"weighting_hint":"low","why_it_matters":"CMK can be a requirement for highly regulated workloads.","red_flag_answers":["No CMK option"],"follow_up_questions":["Which modules support CMK?"]},{"question_id":"SASE-SVC-001","category_id":"service_model","question":"Describe your service model, including managed, co-managed and self-managed options.","answer_type":"long_text","evidence_required":["Service description"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"The service model defines the split of responsibilities and informs operational cost.","red_flag_answers":["No clear co-managed option"],"follow_up_questions":["Can the split change over the term?"]},{"question_id":"SASE-SVC-002","category_id":"service_model","question":"What SLAs apply to support response, restoration and change requests?","answer_type":"long_text","evidence_required":["SLA matrix","Credit regime"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Operational SLAs matter more than platform availability for day-to-day experience.","red_flag_answers":["SLA only on platform availability"],"follow_up_questions":["How are SLA credits calculated and applied?"]},{"question_id":"SASE-SVC-003","category_id":"service_model","question":"How are service reviews structured and how often do they occur?","answer_type":"long_text","evidence_required":["Sample monthly service report"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Regular reviews keep the service aligned with buyer priorities.","red_flag_answers":["No scheduled review cadence"],"follow_up_questions":["Who attends reviews on your 
side?"]},{"question_id":"SASE-SVC-004","category_id":"service_model","question":"Describe escalation paths, including out-of-hours.","answer_type":"long_text","evidence_required":["Escalation matrix"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Escalation matters most when incidents occur outside business hours.","red_flag_answers":["No documented escalation"],"follow_up_questions":["Is out-of-hours included or chargeable?"]},{"question_id":"SASE-DEP-001","category_id":"deployment","question":"Describe a typical deployment plan for an estate of our size.","answer_type":"long_text","evidence_required":["Reference deployment plan"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"A credible deployment plan reduces project risk and surprises.","red_flag_answers":["No phased plan"],"follow_up_questions":["What are typical milestone durations?"]},{"question_id":"SASE-DEP-002","category_id":"deployment","question":"How is configuration automated for sites, users and policy?","answer_type":"long_text","evidence_required":["Automation tooling description"],"mandatory_for":["retail","manufacturing"],"optional_for":["financial-services","healthcare"],"weighting_hint":"high","why_it_matters":"Automation drives rollout speed and consistency across multi-site estates.","red_flag_answers":["Manual configuration per site"],"follow_up_questions":["Is configuration declarative or imperative?"]},{"question_id":"SASE-DEP-003","category_id":"deployment","question":"How are changes tested and rolled back?","answer_type":"long_text","evidence_required":["Test plan template","Rollback runbook"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Tested change and rollback procedures reduce outage 
risk.","red_flag_answers":["No documented rollback"],"follow_up_questions":["Can changes be applied to a staged set first?"]},{"question_id":"SASE-DEP-004","category_id":"deployment","question":"How are user agents and clients distributed and updated?","answer_type":"long_text","evidence_required":["Agent lifecycle approach"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Agent updates impact user experience and security posture.","red_flag_answers":["Manual updates only"],"follow_up_questions":["Are updates staged and reversible?"]},{"question_id":"SASE-COM-001","category_id":"commercials","question":"Describe your pricing model and what is included.","answer_type":"long_text","evidence_required":["Pricing schedule"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Clarity on the pricing model drives like-for-like supplier comparison.","red_flag_answers":["Opaque add-on list"],"follow_up_questions":["Which modules are licensed separately?"]},{"question_id":"SASE-COM-002","category_id":"commercials","question":"Provide a worked example for our user and site count.","answer_type":"long_text","evidence_required":["Worked example with assumptions"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"high","why_it_matters":"Worked examples expose hidden charges and reveal true unit cost.","red_flag_answers":["Refusal to provide worked examples"],"follow_up_questions":["What is the cost of doubling the user count?"]},{"question_id":"SASE-COM-003","category_id":"commercials","question":"How are growth and reductions handled within the term?","answer_type":"long_text","evidence_required":["Flex 
terms"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Flex terms determine commercial exposure if estate size changes.","red_flag_answers":["No reduction allowed during the term"],"follow_up_questions":["Is there a flex range that does not require renegotiation?"]},{"question_id":"SASE-COM-004","category_id":"commercials","question":"List all items priced separately, including professional services.","answer_type":"long_text","evidence_required":["Add-on list"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Add-ons drive total cost of ownership and must be transparent.","red_flag_answers":["Refusal to itemise"],"follow_up_questions":["Which add-ons are commonly required for our use case?"]},{"question_id":"SASE-VE-001","category_id":"vendor_evidence","question":"Provide your current certifications and expiry dates.","answer_type":"long_text","evidence_required":["Certification list","Expiry dates"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Current certifications support regulated buyer due diligence.","red_flag_answers":["Expired certifications"],"follow_up_questions":["Which auditor performed the most recent audit?"]},{"question_id":"SASE-VE-002","category_id":"vendor_evidence","question":"Share recent independent test results relevant to SASE.","answer_type":"long_text","evidence_required":["Test report references"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"medium","why_it_matters":"Independent test results reduce reliance on vendor claims.","red_flag_answers":["No independent testing"],"follow_up_questions":["When were the tests 
conducted?"]},{"question_id":"SASE-VE-003","category_id":"vendor_evidence","question":"Provide customer references in our sector.","answer_type":"long_text","evidence_required":["Reference list"],"mandatory_for":["financial-services","retail","manufacturing","healthcare"],"optional_for":[],"weighting_hint":"medium","why_it_matters":"Sector-specific references increase confidence in fit.","red_flag_answers":["References only from unrelated sectors"],"follow_up_questions":["Can a reference call be arranged?"]},{"question_id":"SASE-VE-004","category_id":"vendor_evidence","question":"Provide details of any recent security incidents and your handling of them.","answer_type":"long_text","evidence_required":["Incident summary"],"mandatory_for":["financial-services","healthcare"],"optional_for":["retail","manufacturing"],"weighting_hint":"medium","why_it_matters":"Incident handling history shows operational maturity.","red_flag_answers":["Refusal to discuss incidents"],"follow_up_questions":["What changed after the most recent incident?"]}],"note":"Extended SASE canonical bank: each question carries evidence_required, mandatory_for/optional_for sectors, weighting_hint, why_it_matters, red_flag_answers and follow_up_questions. The top-level `canonical` array is a condensed subset kept for compatibility."},"publisher":"Netify Group Limited","note":"Analyst-written SASE and SD-WAN RFP question bank with buyer and supplier lenses."}