
Netify question bank

The Netify SASE & SD-WAN RFP question bank

Analyst-written questions used by the RFP Builder and the marketplace: a canonical SASE set where every question carries the evidence suppliers should provide, which sectors it is mandatory for, a weighting hint, the red-flag answers to watch for and the follow-up to ask — plus four sector packs with buyer and supplier lenses. Use it in your own procurement with attribution, or let the builder assemble it for you.

Suggested citation

Netify SASE & SD-WAN RFP Question Bank 2026.1, Netify, available at https://netify.co.uk/sase/rfp-builder/questions/

Question bank version: sase-question-bank-2026.1

Methodology version: sase-rfp-methodology-2026.1

Last reviewed: 2026-05-18

Total questions: 386 (43 canonical + sector packs)

Canonical URL: /sase/rfp-builder/questions/

Machine-readable: /question-bank.json

Licence: public methodology. Reuse permitted with attribution to Netify and the canonical URL. Agents can also read the bank over the marketplace MCP at /api/mcp.

SASE canonical bank (43 questions)

The core set behind every Netify SASE, SSE and SD-WAN RFP. Sector tags show where a question is mandatory.

Identity / ZTNA (5)

SASE-ZTNA-001 | high weight | mandatory: financial services | mandatory: healthcare

Describe how your platform enforces zero trust access to private applications.

Private application access is a core SASE use case and should be controlled by identity, device and application context rather than broad network access.

Evidence: Architecture diagram; Policy example; Identity provider integration list

Red flags: VPN-only access model; No application-level policy; No identity provider integration

Follow-ups: Can policies differ by user group and device posture? Can access be restricted to specific private applications rather than subnets?

SASE-ZTNA-002 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Which identity providers do you support natively, and which protocols (SAML, OIDC, SCIM)?

Native IdP integration determines whether identity, group and lifecycle data drive access decisions in real time.

Evidence: Supported IdP list; Protocol matrix

Red flags: SAML only with no SCIM; Limited to one IdP

Follow-ups: How are deprovisioning events handled end to end?

SASE-ZTNA-003 | medium weight | mandatory: financial services | mandatory: healthcare

How is device posture evaluated and used in access decisions?

Device posture lets buyers enforce different access rules for managed, unmanaged and high-risk devices.

Evidence: Device posture signal list; Sample posture-based policy

Red flags: No posture signals; Posture only on a single OS

Follow-ups: Which posture signals are available on unmanaged devices?

SASE-ZTNA-004 | medium weight | mandatory: financial services | mandatory: healthcare

Describe step-up authentication and continuous session validation.

Continuous validation reduces the risk of stale sessions being used after the risk context changes.

Evidence: Step-up trigger list; Session validation cadence

Red flags: Session validation at login only

Follow-ups: Which signals can trigger step-up?

SASE-ZTNA-005 | high weight | mandatory: healthcare | mandatory: financial services

Describe how third-party and contractor access is managed.

Third-party access is a common breach vector and needs tight, audited control.

Evidence: Third-party access workflow

Red flags: Shared accounts for contractors

Follow-ups: Is access time-bound by default?

SWG / CASB / DLP (5)

SASE-SWG-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Describe your secure web gateway, including TLS inspection and URL category coverage.

The SWG is the primary control plane for web traffic and must inspect TLS to be effective.

Evidence: SWG architecture; TLS inspection approach; Category list

Red flags: No TLS inspection; URL filtering only

Follow-ups: How are TLS exceptions managed for sensitive sites?

SASE-SWG-002 | low weight | mandatory: financial services

Describe browser-based isolation options and use cases.

Isolation is a useful control for risky categories without blocking access.

Evidence: Isolation architecture

Red flags: No isolation option

Follow-ups: Is isolation included or licensed separately?

SASE-CASB-001 | high weight | mandatory: financial services | mandatory: healthcare

Describe your inline and API-based CASB coverage for sanctioned and shadow SaaS.

CASB visibility is needed to control data movement to SaaS and to detect shadow SaaS use.

Evidence: List of API-integrated SaaS; Inline vs API coverage matrix

Red flags: No API CASB; Coverage of fewer than 10 major SaaS

Follow-ups: How are shadow SaaS apps discovered and triaged?

SASE-DLP-001 | high weight | mandatory: financial services | mandatory: healthcare

Describe your DLP capabilities, policy templates and incident workflow.

DLP is the primary control for preventing accidental and malicious data egress and must be content-aware.

Evidence: Sample DLP policy; Incident workflow; Template list

Red flags: Keyword matching only; No incident workflow

Follow-ups: Can DLP policies apply to unmanaged devices?

SASE-DLP-002 | medium weight | mandatory: financial services | mandatory: healthcare

How is policy kept consistent across managed and unmanaged devices?

Unmanaged devices are a common data egress channel and need consistent controls.

Evidence: Unmanaged device coverage approach

Red flags: No coverage of unmanaged devices

Follow-ups: Which browsers and OSes are supported on unmanaged devices?

FWaaS / Threat (4)

SASE-FW-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Describe your cloud-delivered firewall, including layer-7 application controls.

FWaaS replaces branch firewalls and must provide consistent layer-7 controls.

Evidence: FWaaS architecture; Layer-7 application list

Red flags: Stateless ACLs only

Follow-ups: How are policy changes audited?

SASE-IPS-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Describe your IPS, anti-malware and sandboxing stack and update frequency.

Threat protection effectiveness depends on inline inspection and timely intelligence.

Evidence: Signature update cadence; Sandbox file type list; Threat intel sources

Red flags: No inline malware inspection; Sandbox limited to a few file types

Follow-ups: How are false positives triaged?

SASE-FW-002 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

How is policy kept consistent across branch, roaming and cloud egress traffic?

Inconsistent policy planes create gaps and operational overhead.

Evidence: Unified policy diagram

Red flags: Separate policy engines per traffic type

Follow-ups: How are policy conflicts resolved?

SASE-FW-003 | medium weight | mandatory: retail | mandatory: manufacturing

Describe DNS-layer security and its integration with the rest of the stack.

DNS-layer controls catch threats early and protect off-network devices.

Evidence: DNS security policy example

Red flags: No DNS-layer protection

Follow-ups: Does DNS security work off-network?

SD-WAN Integration (5)

SASE-SDWAN-001 | high weight | mandatory: retail | mandatory: manufacturing

Describe how SD-WAN integrates with your SSE stack.

Tight SD-WAN and SSE integration determines branch user experience and policy consistency.

Evidence: Reference architecture; Integration mode list

Red flags: Integration via IPsec only with no telemetry sharing

Follow-ups: Is the SD-WAN supplied by you or a partner?

SASE-SDWAN-002 | medium weight | mandatory: retail | mandatory: manufacturing

How are SASE PoPs selected for each branch and how is performance measured?

PoP selection drives branch latency and user experience.

Evidence: PoP map; Latency expectations; Telemetry samples

Red flags: Static PoP assignment with no telemetry

Follow-ups: How are PoP failovers handled?

SASE-SDWAN-003 | high weight | mandatory: retail | mandatory: manufacturing

Describe link failover behaviour, including 4G/5G or LTE failover.

Failover behaviour determines store, plant and clinic uptime during link events.

Evidence: Failover decision tree; Convergence times

Red flags: No cellular failover support; Slow convergence

Follow-ups: Are critical applications kept on cellular failover?

SASE-SDWAN-004 | medium weight | mandatory: retail | mandatory: manufacturing

Describe direct internet breakout behaviour at branches.

Local breakout reduces backhaul cost but must keep security policy consistent.

Evidence: Breakout policy example; Trust model

Red flags: No local breakout; Breakout without SSE inspection

Follow-ups: Which SaaS apps are typically broken out locally?

SASE-SDWAN-005 | high weight | mandatory: manufacturing

Describe segmentation options for OT or sensitive networks at branch and plant sites.

Segmentation between OT and IT is essential in industrial environments.

Evidence: Segmentation reference design

Red flags: No OT segmentation guidance

Follow-ups: Which industrial protocols are supported?

Logging / SIEM (4)

SASE-LOG-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Which log types are captured and what retention options are available?

Log coverage and retention drive audit, investigation and regulatory reporting.

Evidence: Log schema; Retention options

Red flags: Short fixed retention with no export

Follow-ups: Are logs tamper-evident?

SASE-LOG-002 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

How can logs be exported to our SIEM or storage?

Buyers need logs in their own SIEM for correlation and long-term retention.

Evidence: List of SIEM integrations; Sample export

Red flags: No native SIEM integration

Follow-ups: Is export available in near real time?

SASE-LOG-003 | medium weight | mandatory: financial services | mandatory: healthcare

How are administrative actions audited?

Admin audit trails are required for regulatory and forensic purposes.

Evidence: Admin audit log sample

Red flags: Sparse admin audit logs

Follow-ups: Can admin logs be exported to a separate audit store?

SASE-LOG-004 | low weight

How are user-experience metrics collected and shared?

UX telemetry helps prove SASE delivers a better user experience.

Evidence: UX telemetry sample

Red flags: No UX telemetry

Follow-ups: Are UX metrics available per site and per user?

Data Residency (4)

SASE-DR-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Where are customer data, logs and metadata stored and processed?

Data residency drives regulatory compliance and contractual obligations.

Evidence: Data flow diagram; Region list

Red flags: No choice of region

Follow-ups: Can residency be enforced for logs separately from tenant config?

SASE-DR-002 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

List your sub-processors and their locations.

Sub-processor disclosure is required for many regulated buyers.

Evidence: Sub-processor list with regions

Red flags: Undisclosed sub-processors

Follow-ups: How are sub-processor changes notified?

SASE-DR-003 | medium weight | mandatory: financial services | mandatory: healthcare

Describe support access controls and the regions from which support operates.

Support access can introduce cross-border data exposure if not controlled.

Evidence: Support access model

Red flags: Support access from unrestricted regions

Follow-ups: Can support access be restricted to named regions?

SASE-DR-004 | low weight | mandatory: financial services

Describe support for customer-managed encryption keys.

CMK can be a requirement for highly regulated workloads.

Evidence: CMK approach

Red flags: No CMK option

Follow-ups: Which modules support CMK?

Service Model (4)

SASE-SVC-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Describe your service model, including managed, co-managed and self-managed options.

The service model defines the split of responsibilities and informs operational cost.

Evidence: Service description

Red flags: No clear co-managed option

Follow-ups: Can the split change over the term?

SASE-SVC-002 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

What SLAs apply to support response, restoration and change requests?

Operational SLAs matter more than platform availability for day-to-day experience.

Evidence: SLA matrix; Credit regime

Red flags: SLA only on platform availability

Follow-ups: How are SLA credits calculated and applied?

SASE-SVC-003 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

How are service reviews structured and how often do they occur?

Regular reviews keep the service aligned with buyer priorities.

Evidence: Sample monthly service report

Red flags: No scheduled review cadence

Follow-ups: Who attends reviews on your side?

SASE-SVC-004 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Describe escalation paths, including out-of-hours.

Escalation matters most when incidents occur outside business hours.

Evidence: Escalation matrix

Red flags: No documented escalation

Follow-ups: Is out-of-hours included or chargeable?

Deployment (4)

SASE-DEP-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Describe a typical deployment plan for an estate of our size.

A credible deployment plan reduces project risk and surprises.

Evidence: Reference deployment plan

Red flags: No phased plan

Follow-ups: What are typical milestone durations?

SASE-DEP-002 | high weight | mandatory: retail | mandatory: manufacturing

How is configuration automated for sites, users and policy?

Automation drives rollout speed and consistency across multi-site estates.

Evidence: Automation tooling description

Red flags: Manual configuration per site

Follow-ups: Is configuration declarative or imperative?

SASE-DEP-003 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

How are changes tested and rolled back?

Tested change and rollback procedures reduce outage risk.

Evidence: Test plan template; Rollback runbook

Red flags: No documented rollback

Follow-ups: Can changes be applied to a staged set first?

SASE-DEP-004 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

How are user agents and clients distributed and updated?

Agent updates impact user experience and security posture.

Evidence: Agent lifecycle approach

Red flags: Manual updates only

Follow-ups: Are updates staged and reversible?

Commercials (4)

SASE-COM-001 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Describe your pricing model and what is included.

Clarity on the pricing model drives like-for-like supplier comparison.

Evidence: Pricing schedule

Red flags: Opaque add-on list

Follow-ups: Which modules are licensed separately?

SASE-COM-002 | high weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Provide a worked example for our user and site count.

Worked examples expose hidden charges and reveal true unit cost.

Evidence: Worked example with assumptions

Red flags: Refusal to provide worked examples

Follow-ups: What is the cost of doubling the user count?

SASE-COM-003 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

How are growth and reductions handled within the term?

Flex terms determine commercial exposure if estate size changes.

Evidence: Flex terms

Red flags: No reduction allowed during the term

Follow-ups: Is there a flex range that does not require renegotiation?

SASE-COM-004 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

List all items priced separately, including professional services.

Add-ons drive total cost of ownership and must be transparent.

Evidence: Add-on list

Red flags: Refusal to itemise

Follow-ups: Which add-ons are commonly required for our use case?

Vendor Evidence (4)

SASE-VE-001 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Provide your current certifications and expiry dates.

Current certifications support regulated buyer due diligence.

Evidence: Certification list; Expiry dates

Red flags: Expired certifications

Follow-ups: Which auditor performed the most recent audit?

SASE-VE-002 | medium weight | mandatory: financial services | mandatory: healthcare

Share recent independent test results relevant to SASE.

Independent test results reduce reliance on vendor claims.

Evidence: Test report references

Red flags: No independent testing

Follow-ups: When were the tests conducted?

SASE-VE-003 | medium weight | mandatory: financial services | mandatory: retail | mandatory: manufacturing | mandatory: healthcare

Provide customer references in our sector.

Sector-specific references increase confidence in fit.

Evidence: Reference list

Red flags: References only from unrelated sectors

Follow-ups: Can a reference call be arranged?

SASE-VE-004 | medium weight | mandatory: financial services | mandatory: healthcare

Provide details of any recent security incidents and your handling of them.

Incident handling history shows operational maturity.

Evidence: Incident summary

Red flags: Refusal to discuss incidents

Follow-ups: What changed after the most recent incident?

Sector packs

Deep, sector-specific question sets with buyer and supplier lenses on every question. Browse them in full inside the RFP Builder or via the machine-readable bank.

Retail and e-commerce (130 questions in 32 sections)
SD-WAN: Payment Resilience & Connectivity (3)
  1. Does the solution support per-packet steering to ensure that a primary link "brownout" does not cause a timeout on a live PDQ/POS credit card transaction?
  2. Detail the appliance's ability to manage 4G/5G and Satellite (e.g. Starlink) as active-active underlays. How does the system handle the high-frequency latency spikes inherent in satellite?
  3. Can the appliance trigger a failover based on RSRP/RSRQ (cellular signal quality) thresholds rather than just "Up/Down" status?
SD-WAN: PCI DSS 4.0 & Security Segmentation (2)
  1. Can the solution enforce a hard VRF-level isolation between the Cardholder Data Environment (CDE) and the Guest WiFi network across all sites?
  2. Does the integrated IPS include virtual patching to protect legacy POS hardware that can no longer receive official security updates?
SD-WAN: In-Store WiFi & Customer Analytics (2)
  1. Does the integrated WiFi capability support the export of presence data (RSSI/MAC) to third-party analytics platforms to view dwell times and busy areas of the store?
  2. Can the solution enforce dynamic bandwidth caps on the Guest WiFi VLAN to ensure that a customer watching video doesn't slow down the stock-check application?
SD-WAN: Deployment & Rapid Provisioning (2)
  1. Describe the Zero-Touch Provisioning (ZTP) process for a store using only 4G/5G for the first 30 days. Can the device configure itself via cellular?
  2. How does the solution handle a golden template push to 1,000+ stores? Can site-specific variables (local IPs, VLAN IDs) be managed centrally?
SD-WAN: SLAs, Uptime & Performance (2)
  1. Does the vendor provide a financial SLA based on application performance (latency/jitter) rather than just link uptime?
  2. What is the Mean Time to Repair (MTTR) for a hardware failure in a Tier-1 city versus a remote regional town?
SD-WAN: Support & Operational Models (2)
  1. Can we grant our store managers read-only access to view their own shop's status while keeping write access with the central IT team?
  2. What is the average time for a configuration change to be pushed from the orchestrator to 500 edge devices?
SD-WAN: Reporting & Traffic Performance (2)
  1. Does the reporting dashboard distinguish between in-store sales, inventory sync, and guest traffic?
  2. Can the dashboard show per-user or per-device performance metrics for the last 60 minutes?
SD-WAN: Disaster Recovery & Backup (2)
  1. If the primary data centre hosting the SD-WAN orchestrator fails, what is the recovery time for store management?
  2. Are device configurations backed up automatically? Can a replacement device be restored simply by plugging it in (ZTP)?
SD-WAN: Device Capability & Throughput (2)
  1. What is the total PoE+ power budget of the appliance? Can it power 4 Access Points and 2 IP cameras simultaneously?
  2. What is the maximum throughput when AES-256 encryption and Deep Packet Inspection (DPI) are both enabled?
SD-WAN: Cloud Integration (1)
  1. How does the solution optimise the path from the store directly to our Azure-hosted ERP?
SD-WAN: WiFi Analytics & Customer Profile Data (2)
  1. Does the integrated WiFi solution support the export of anonymised MAC address and RSSI data via API to third-party retail analytics engines?
  2. Does the edge hardware include an integrated BLE radio for push-notifications and wayfinding within large-format stores?
SD-WAN: Traffic Performance & Application Failover (2)
  1. In the event of a link failure, does the solution maintain the session state for persistent TCP applications such as Inventory Management Systems (IMS)?
  2. Can the orchestrator dynamically adjust QoS profiles based on a schedule, such as Black Friday or Boxing Day peak trading hours?
SD-WAN: Admin, Ease of Configuration & Templates (2)
  1. Does the orchestrator provide automated alerts if a local store's configuration deviates from the golden template?
  2. Describe the process for pushing a security policy update to 500+ stores simultaneously. Can these be scheduled for out-of-hours windows automatically?
SD-WAN: DIY, Co-Managed & Fully Managed Models (2)
  1. Can the management portal provide granular Role-Based Access Control (RBAC) so our internal UK IT team can manage store WiFi while the vendor manages core routing?
  2. If a managed service is selected, do you take full ownership of third-party ISP fault reporting and escalation?
SD-WAN: Support, Backup & Disaster Recovery (2)
  1. Is the SD-WAN orchestrator hosted in a geo-redundant cloud environment? What is the impact on store operations if the orchestrator is offline?
  2. Does the edge appliance store a last known good configuration locally for emergency recovery without internet access?
SD-WAN: Reporting & Global Visibility (2)
  1. Can the reporting engine generate a top 10 worst performing sites report based on application latency and jitter?
  2. Can a service desk agent view the real-time performance of a single MAC address (e.g. a specific till) to see its current latency and signal strength?
SD-WAN: Device Capability & Throughput (Continued) (2)
  1. How many LAN ports are available on the branch appliance, and how many support PoE+ (802.3at)?
  2. Is the appliance fanless and rated for deployment in non-ventilated areas, such as a small cabinet under a till?
SD-WAN: Cloud Integration (Omnichannel ERP) (1)
  1. How does the solution automate the on-ramp to our cloud-hosted ERP? Does it use virtual appliances or API-integrated peering?
SSE: Zero Trust Network Access (ZTNA) (10)
  1. Describe the process for providing agentless, browser-based access to internal web-based POS management tools for third-party vendors.
  2. How does the ZTNA policy handle identity-aware access for staff who float between different retail branches?
  3. Does the ZTNA service mask internal store assets from public internet discovery (the dark cloud effect)?
  4. Can the solution enforce least privilege access, restricting a maintenance vendor to a single IP/Port on a specific store controller?
  5. Detail the session persistence logic when a store manager switches from the back-office WiFi to a 4G/5G mobile connection.
  6. Describe the inside-out connectivity model. Does it require any inbound ports (e.g. 443) to be opened on the store firewall?
  7. How does the ZTNA service handle high-latency links (e.g. Starlink or busy 4G) for RDP-based machine maintenance?
  8. Can the solution trigger a re-authentication prompt specifically when a user attempts to access sensitive production databases?
  9. Does the solution support continuous identity verification throughout the duration of the session?
  10. What is the average millisecond overhead added by your UK-based ZTNA brokers for a UK-to-UK connection?
SSE: Secure Web Gateway (SWG) (10)
  1. Can the SWG enforce a read-only policy for web-based personal email to prevent store staff from exfiltrating customer lists?
  2. Detail the latency overhead for TLS 1.3 decryption for users accessing web-based POS systems.
  3. How does the gateway handle newly registered domains (NRDs) registered within the last 24 hours?
  4. Can the SWG block specific in-app functions, such as disabling the share button in LinkedIn or upload in Dropbox?
  5. Does the solution provide coaching pages that explain to a staff member why a site was blocked, in plain English?
  6. Describe the local breakout logic for trusted UK government or banking sites to reduce PoP load.
  7. How does the SWG handle credential phishing detection at the page-rendering level?
  8. Is there a bypass mechanism for specific mission-critical URLs that may break under SSL inspection?
  9. Can the SWG generate a top 10 high-risk users report based on web-browsing behaviour across the retail estate?
  10. Does the SWG integrate with your remote browser isolation (RBI) for uncategorised or suspicious URLs?
SSE: Cloud Access Security Broker (CASB) (10)
  1. Can the CASB distinguish between our corporate Microsoft 365 tenant and an employee's personal OneDrive account?
  2. Does the CASB provide real-time user entity behaviour analytics (UEBA) to detect bulk downloads from the cloud ERP?
  3. How does the CASB secure data accessed from unmanaged devices (e.g. an executive's home iPad)?
  4. Can the solution automatically redact sensitive customer data (like card numbers) as it appears in a cloud-based CRM?
  5. Describe the process for automatically unsharing a file that has been shared with an external Gmail/Outlook account.
  6. Does the CASB offer API-based scanning of our existing cloud data (at rest)?
  7. Can the CASB block app-to-app permissions (OAuth) for high-risk third-party integrations?
  8. How frequently is the cloud app discovery database updated with new SaaS ratings?
  9. Can the CASB detect impossible travel alerts (e.g. a login from London and Manchester within 5 minutes)?
  10. Does the CASB support self-healing remediation for M365 configuration drift?
SSE: Data Loss Prevention (DLP) (10)
  1. Can the DLP engine perform OCR on images to identify PDQ receipts or credit card numbers?
  2. Does the solution support exact data matching (EDM) for our specific 12-digit loyalty card formats?
  3. How does the DLP handle data in motion across encrypted chat applications like Slack or Teams?
  4. Can the DLP engine detect partial document matching for engineering or marketing designs?
  5. Describe the justification workflow when a user is blocked from sending a file.
  6. Can the DLP scan within compressed file formats (e.g. .zip, .rar) and multi-level nested folders?
  7. Does the system provide pre-built templates for the UK Data Protection Act 2018?
  8. Can the system prevent data exfiltration via print screen or copy to clipboard for web-based apps?
  9. How does the DLP engine handle fingerprinting of sensitive PDF or Excel templates?
  10. What is the process for triaging DLP alerts? Is there a dedicated forensics dashboard for our UK security officer?
SSE: Remote Browser Isolation (RBI) (10)
  1. Can RBI be triggered automatically for uncategorised websites visited from in-store kiosks?
  2. Does the RBI support pixel-pushing rendering to ensure no active code reaches the store endpoint?
  3. Can you enforce read-only mode within an RBI session to prevent any file downloads?
  4. How does the RBI handle clipboard controls? Can we block copy/paste between the isolated browser and the local machine?
  5. Does the RBI service sanitise downloaded files by converting them to safe PDFs?
  6. Describe the performance impact for streaming video (e.g. YouTube training) through an isolated browser.
  7. Can the RBI be used for safe previewing of email attachments?
  8. Is the RBI solution natively integrated into your SWG agent, or is it a separate client?
  9. Can we set a timed session for RBI to automatically log out users after their break?
  10. Does the RBI solution support in-session keyboard and mouse event monitoring for forensics?
SSE: Firewall as a Service (FWaaS) (10)
  1. Does the cloud firewall support geo-blocking to prevent all traffic from high-risk regions from hitting our till systems?
  2. Can the FWaaS enforce different security rules based on the store format (e.g. Flagship vs. Express)?
  3. Describe the local breakout capability for direct internet access at the store edge while maintaining cloud-delivered security.
  4. How does the FWaaS handle IP reputation filtering for incoming connections?
  5. Does the FWaaS provide dedicated egress IPs for our retail estate?
  6. Can the FWaaS perform Layer-7 application inspection to block proxy-bypass tools like Ultrasurf?
  7. Describe the failover process between your cloud PoPs. If your London PoP goes down, where does our traffic go?
  8. Can the FWaaS generate a top 10 blocked attacks report for our monthly security board meeting?
  9. How does the FWaaS integrate with our identity provider (Azure AD) for user-aware firewall rules?
  10. Is the FWaaS policy engine version controlled? Can we roll back a change if it breaks store connectivity?
SSE: IPS / IDS (5)
  1. Does the IPS provide virtual patching for legacy POS hardware that can no longer receive official security updates?
  2. How quickly are zero-day signatures updated in your global IPS engine?
  3. Does the IPS identify lateral movement attempts between store till VLANs and office VLANs?
  4. Does the IPS support high-throughput inspection for busy data centre backhaul links?
  5. Can the IPS generate an automated alert for DDoS activity targeting a specific store?
SSE: DNS Security (5)
  1. How does the DNS security layer handle command & control (C2) callbacks from infected IIoT devices?
  2. Can we enforce different DNS policies for guest WiFi versus staff WiFi?
  3. Does the DNS filtering support SafeSearch enforcement for search engines and YouTube?
  4. How does the system handle DNS over HTTPS (DoH) which often bypasses traditional filters?
  5. Can the DNS service provide a geo-heatmap of where blocked requests are trying to go?
SSE: Device Posture / Endpoint Context (10)
  1. Can access to the central Inventory system be denied if the device's antivirus is disabled or out of date?
  2. Does the posture check verify that disk encryption (BitLocker) is active before granting a ZTNA session?
  3. Can the system distinguish between a corporate managed laptop and a personal device?
  4. Does the posture check integrate natively with our EDR (e.g. CrowdStrike) to pull risk scores?
  5. Can we enforce a minimum OS version for all handheld scanners on the floor?
  6. Describe the remediation workflow for a user whose device fails a posture check.
  7. Can the posture check verify the presence of a specific corporate certificate in the local store?
  8. How frequently is the device posture re-evaluated during an active session?
  9. Can we set different posture requirements based on the sensitivity of the application?
  10. Does the posture check support geo-fencing (e.g. denying access if the device is physically outside the UK)?
SSE: SaaS Security Posture Management (SSPM) (2)
  1. Does the SSPM tool provide automated remediation for misconfigurations in our SAP S/4HANA or Microsoft 365 tenants?
  2. Can the SSPM audit the app-to-app permissions (OAuth) granted by our employees to third-party cloud tools?
SSE: Cloud Email Security (1)
  1. How does the solution protect against Business Email Compromise (BEC) and look-alike domain attacks targeting our supply chain?
SSE: Threat / Malware Protection — ATP & Sandboxing (1)
  1. Does the sandbox environment support human-interaction simulation to defeat malware that waits for a mouse click before executing?
SSE: Identity & Access (IdP) Integration (1)
  1. Does the solution support SCIM for automated user provisioning and de-provisioning?
SASE: Converged Outcomes (10)
  1. Does the SASE solution utilise an SLA-backed private Tier-1 backbone for the middle mile?
  2. Describe the techniques used to optimise traffic across the global backbone, specifically regarding TCP Window Scaling and Packet Loss Mitigation.
  3. Detail how the SASE fabric provides direct cloud on-ramp to our ERP instance in Azure (UK South) without hair-pinning traffic.
  4. Can the SASE orchestrator manage Transit Gateway Peering across multiple cloud providers (e.g. AWS and Google Cloud) through a single interface?
  5. Does the solution offer application-specific acceleration for non-web protocols such as CIFS/SMB or MAPI?
  6. How does the solution ensure low-latency access for UK-based mobile users who are travelling to high-risk regions or areas with poor local peering?
  7. In a fully managed SASE model, who is the single point of contact for an end-to-end performance issue?
  8. What is the SLA for emergency security changes (e.g. blocking a specific IP during an active attack)?
  9. Does the managed SASE portal allow our internal team to view real-time digital experience metrics for individual store users?
  10. Can you provide static, dedicated egress IPs for our SASE traffic to ensure compatibility with our suppliers' IP-whitelisting firewalls?
Manufacturing: 117 questions in 15 sections
SD-WAN: The "OT-First" Performance Fabric (35)
  1. Can the solution dynamically steer traffic based on a Jitter threshold of <5ms?
  2. Can the system enable 1:1 Packet Duplication across dual-active circuits for critical safety/PLC traffic?
  3. Can the appliance trigger a failover based on RSRP/RSRQ thresholds rather than just a simple "Up/Down" ping?
  4. Detail the bandwidth overhead of your FEC algorithm when set to "Aggressive" mode.
  5. Does the solution support Starlink, 4G, and Fibre as active-active underlays without proprietary exchange equipment, especially in regions with diverse infrastructure risks?
  6. How does the solution specifically optimise non-cacheable SAP S/4HANA traffic into Azure/AWS?
  7. State the average millisecond latency between your primary UK PoP and the London Azure region (UK South).
  8. Does the system support "Local Breakout" for Microsoft 365 based on URL-path recognition?
  9. Do you offer TCP Termination to mitigate the impact of high-latency global hops on large file transfers?
  10. Can the orchestrator automatically provision VPN peering into Google Cloud (GCP) via a native API?
  11. State the AES-256 encrypted throughput with all security features (IPS/DPI) enabled.
  12. Do you offer hardware with IP67 rating or fanless designs for high-temperature machine cabinets?
  13. Does the edge appliance feature physical RS-232/485 ports for legacy machine connectivity?
  14. Does the appliance support Native WiFi 6 for rugged handheld scanners on the plant floor?
  15. Does the hardware support dual internal power supplies or 24V/48V DC inputs?
  16. Can we push a single "Golden Configuration" to 100+ sites simultaneously while maintaining site-specific variables?
  17. Describe the ZTP process: Does it require a "Staging" phase or is it truly "Plug-and-Play"?
  18. Describe the safety mechanism if a scheduled firmware update fails at a remote site.
  19. Can we grant "Read-Only" access to local OT engineers for diagnostics while central IT retains "Write" rights?
  20. Can the platform export network health data via REST API into our existing OEE dashboard?
  21. Can we retain control over Application Routing Policies while you manage the physical hardware and OS?
  22. What is the Mean Time to Repair (MTTR) for a hardware failure at a global site?
  23. What is the average "Config Propagation Time" from the orchestrator to 50 edge devices globally?
  24. Can your service desk manage third-party ISP tickets on our behalf using our existing LOAs?
  25. What site-specific documentation (e.g. "As-Built" diagrams) is provided post-deployment?
  26. Can the system map internal DSCP/CoS tags from the factory floor directly into SD-WAN priority queues?
  27. Can the SD-WAN create isolated "Islands" for OT vs IT traffic at Layer 2?
  28. Does the dashboard provide per-packet granularity reporting for the last 24 hours of traffic?
  29. Does the integrated IPS include specific signatures for SCADA/ICS vulnerabilities?
  30. What is the financial penalty/service credit if the "Application Performance SLA" is missed?
  31. Is the solution fully IPv6-ready for modern Industrial IoT (IIoT) sensor integration?
  32. How many PoE+ ports are available on the branch appliance to power local IP cameras?
  33. Can the IPS shield Legacy Windows XP/7 machines from "EternalBlue" style exploits?
  34. Quantify the latency overhead added by the encryption engine during high-throughput loads.
  35. Does the solution include DNS-layer protection to stop malware "phone-home" attempts from the factory?
SSE: Zero Trust Network Access (ZTNA) (10)
  1. Does the solution support an "Inside-Out" connectivity model that allows internal factory resources to remain invisible to the public internet?
  2. Describe the process for providing agentless, browser-based access to legacy web HMIs for third-party maintenance contractors.
  3. Can the ZTNA policy be restricted by time-of-day and specific geographical location for shop-floor management systems?
  4. How does the solution handle session persistence for industrial applications that are sensitive to micro-outages or IP address changes?
  5. Does the ZTNA service provide full Layer-4 protocol support, including RDP, SSH, and specific industrial protocols like Modbus/TCP?
  6. Can the solution perform a "Posture Check" to verify that a contractor's laptop has active antivirus and disk encryption before allowing a ZTNA connection?
  7. Describe the logging granularity: Does the system record every click/action within a session, or just the initial connection event? How does this logging stand up to forensic requirements in high-risk regions?
  8. How does the ZTNA solution mitigate the risk of "Lateral Movement" if a single user account is compromised?
  9. Can the ZTNA connector be deployed in a high-availability (HA) cluster within our local data centre?
  10. What is the average latency overhead introduced by the ZTNA cloud broker for a user in the UK accessing a resource in a UK-based factory?
SSE: Secure Web Gateway (SWG) (10)
  1. Detail your capability to inspect TLS 1.3 encrypted traffic at scale without impacting the performance of cloud-hosted ERP systems.
  2. Can the SWG enforce a "Read-Only" policy for web-based personal email or social media to prevent attachment uploads?
  3. How does the gateway handle URL filtering for sites categorised as "Malicious," "Newly Registered Domains," or those associated with known state-sponsored threats prevalent in high-risk regions?
  4. Does the SWG provide native protection against "Credential Phishing" by identifying when a user is typing their corporate password into a non-corporate site?
  5. Can you apply different web-filtering profiles based on the machine type (e.g. a kiosk on the floor vs a designer's workstation)?
  6. Describe the "Safe Search" enforcement for image and video platforms used for staff training.
  7. How does the solution handle "File Type Control"? Can we block the download of executable (.exe) files while allowing PDFs?
  8. Is the SWG capable of "Inline Sandboxing" for files downloaded from the internet?
  9. How does the system handle "Bandwidth Throttling" for non-essential web traffic (e.g. video streaming) during high-production hours?
  10. Can the gateway generate reports showing "High Risk" user behaviour that could indicate a compromised account or an insider threat?
SSE: Cloud Access Security Broker (CASB) (10)
  1. Can the CASB distinguish between a corporate-managed instance of a cloud application and a personal instance of the same application?
  2. Describe the process for automatically "quarantining" sensitive files found in cloud storage that have been shared with unauthorised external email addresses.
  3. How does the solution identify anomalous behaviour, such as a single user downloading an unusually high volume of data from the ERP or cloud storage, especially when originating from or destined for high-risk regions?
  4. Does the CASB provide a "Risk Score" for new cloud applications discovered on the network, and what criteria are used for this score?
  5. Can the solution enforce "Step-up Authentication" (MFA) specifically when a user attempts to access a high-risk folder within a SaaS application?
  6. How does the CASB protect data being accessed from unmanaged devices (e.g. an employee's home PC) without requiring an agent?
  7. Can the CASB inspect the content of encrypted files (e.g. password-protected ZIPs) being uploaded to cloud services?
  8. Describe the integration between the CASB and the Secure Web Gateway (SWG) for consistent policy enforcement.
  9. Can the system automatically "Mask" or "Redact" sensitive data (like customer credit card numbers) as it is being viewed in a cloud application?
  10. How frequently is the "Cloud App Discovery" database updated with new SaaS applications and their security ratings?
SSE: Data Loss Prevention (DLP) (10)
  1. Does the DLP engine support "Exact Data Matching" (EDM) for protecting our specific manufacturing part numbers or chemical formulas, especially considering the increased risk of industrial espionage in certain regions?
  2. Can the DLP solution identify sensitive information within images or scanned documents (OCR)?
  3. How does the system handle DLP for "Data in Motion" versus "Data at Rest" in cloud storage?
  4. Can the DLP engine detect "Partial Matches" or "Small Snippets" of proprietary code or engineering data?
  5. What is the process for a user to "Justify" a DLP block if they believe it is a false positive?
  6. How does the solution prevent the exfiltration of data via "Printing" or "Copying to Clipboard" for remote users?
  7. Can the DLP system scan compressed files (e.g. .7z, .rar) and nested folders within those files?
  8. Does the DLP solution offer a "Unified Policy Builder" that works across Email, Web, and Cloud?
  9. How are DLP incidents triaged? Is there a dedicated "Incident Management" dashboard for our security officer?
  10. Does the system provide "Out-of-the-Box" templates for UK-specific regulations like the Data Protection Act 2018?
SSE: Remote Browser Isolation (RBI) (10)
  1. Does the RBI solution support "Pixel-pushing" rendering to ensure that no active web content or code ever reaches the local endpoint?
  2. Can the solution enforce "Read-Only" mode for web-based document viewing to prevent the downloading of proprietary engineering files?
  3. Describe the user experience impact (latency) when RBI is triggered for "Uncategorised" or "High-Risk" websites.
  4. How does the RBI handle "Clipboard Controls" between the isolated browser and the user's local applications?
  5. Can the RBI service "Sanitise" downloaded files by converting them to a safe PDF before they reach the user?
  6. Does the solution support "Targeted RBI" where only high-risk URLs are isolated, rather than the entire web session?
  7. Can RBI be used as a "Secure Virtual Desktop" for third-party vendors to access internal web-based HMIs?
  8. Describe how the RBI handles streaming media (e.g. training videos) and interactive web elements like maps or 3D CAD viewers.
  9. How are "Isolated Sessions" logged for audit purposes? Do you record a video of the session or just text-based activity?
  10. Is the RBI solution natively integrated into the SSE agent, or does it require a separate browser extension or client?
SSE: Firewall as a Service (FWaaS) (10)
  1. Does the FWaaS support Identity-Aware Rules that follow a user from the factory floor to their home office?
  2. Detail the FWaaS capability to perform Layer-7 Application Identification for industrial protocols like Modbus, S7, and OPC-UA.
  3. Can the FWaaS enforce Geo-Blocking at the network layer to prevent any traffic from high-risk regions reaching our production servers, with dynamic threat intelligence for rapidly changing geopolitical landscapes?
  4. How does the FWaaS handle IPsec VPN Terminations from small, remote IoT gateways or sensors?
  5. What is the "Egress IP" strategy? Do our sites share a public IP with other customers, or can we have a Dedicated Static IP for our cloud firewall?
  6. Describe the FQDN-based Filtering capabilities for managing software update paths for factory machinery.
  7. Does the FWaaS include a Global Policy Manager to push rule changes to all international sites simultaneously?
  8. How does the FWaaS handle Large File Transfers (FTP/SFTP) between manufacturing sites and external partners?
  9. Can the FWaaS generate an alert if it detects "Port Scanning" or "Reconnaissance" activity originating from within our own factory floor?
  10. What is the SLA for Service Availability for the FWaaS? Is it backed by financial credits if the cloud firewall goes offline?
SSE: Intrusion Prevention & Detection (IPS/IDS) (4)
  1. Does the IPS service include a dedicated signature set for Industrial Control Systems (ICS) and SCADA protocols?
  2. Can the IPS perform Virtual Patching for legacy operating systems (e.g. Windows XP, Windows 7) that can no longer receive official security updates?
  3. Describe the "Fail-Open" vs "Fail-Closed" logic of the IPS engine during a period of extreme traffic congestion or cloud PoP resource exhaustion.
  4. How does the IDS/IPS identify Lateral Movement attempts between different factory segments or VLANs?
SSE: DNS Security (Protective DNS) (2)
  1. How does the DNS filtering layer handle "Newly Registered Domains" (NRDs) and "Domain Generation Algorithms" (DGAs)?
  2. Can we enforce different DNS policies for IIoT sensors versus office-based staff laptops?
SSE: SaaS Security Posture Management (SSPM) (2)
  1. Does the SSPM tool provide automated remediation for misconfigurations in our SAP S/4HANA or Microsoft 365 tenants?
  2. Can the SSPM audit the "App-to-App" permissions (OAuth) granted by our employees to third-party cloud tools?
SSE: Cloud Email Security (1)
  1. How does the solution protect against Business Email Compromise (BEC) and "Look-alike" domain attacks targeting our supply chain?
SSE: Threat / Malware Protection (ATP & Sandboxing) (1)
  1. Does the sandbox environment support "Human-Interaction Simulation" to defeat malware that waits for a mouse click before executing?
SSE: Identity & Access (IdP) Integration (1)
  1. Does the solution support SCIM (System for Cross-domain Identity Management) for automated user provisioning and de-provisioning?
SSE: Device Posture / Endpoint Context (1)
  1. Can the system deny access to the production environment if the device's Anti-Virus (EDR) is disabled or if a specific "Corporate Certificate" is missing?
SASE: Converged Outcomes (10)
  1. Does the SASE solution utilise an SLA-backed Private Tier-1 Backbone for the "Middle Mile", or does it rely on encrypted tunnels over the public internet?
  2. Describe the techniques used to optimise traffic across the global backbone, specifically regarding TCP Window Scaling and Packet Loss Mitigation.
  3. Detail how the SASE fabric provides Direct Cloud On-Ramp to our SAP S/4HANA instance in Azure (UK South) without "Hair-pinning" traffic through a central data centre.
  4. Can the SASE orchestrator manage Transit Gateway Peering across multiple cloud providers (e.g. AWS and Google Cloud) through a single interface?
  5. Does the solution offer Application-Specific Acceleration for non-web protocols such as CIFS/SMB or MAPI?
  6. How does the solution ensure low-latency access for UK-based mobile users who are travelling to high-risk regions or areas with poor local peering?
  7. In a Fully Managed SASE model, who is the "Single Point of Contact" for an end-to-end performance issue involving a third-party ISP and the cloud security layer?
  8. What is the SLA for Emergency Security Changes (e.g. blocking a specific IP during an active attack) in a managed service environment?
  9. Does the Managed SASE Portal allow our internal team to view real-time "Digital Experience" metrics for individual shop-floor users?
  10. Can you provide Static, Dedicated Egress IPs for our SASE traffic to ensure compatibility with our suppliers' IP-whitelisting firewalls?
Financial services: 82 questions in 15 sections
SD-WAN: Low-Latency Financial Network Fabric (16)
  1. Can the solution perform per-packet path steering in under 1ms to prevent trading order execution delays during link degradation?
  2. Does the solution support 1:1 packet duplication across dual-active circuits for real-time payment processing and settlement traffic?
  3. Can the SD-WAN enforce dedicated QoS queues for real-time market data feeds, separating them from general branch internet and voice traffic?
  4. Detail the bandwidth overhead of your Forward Error Correction (FEC) algorithm in Aggressive mode on a 1Gbps trading floor uplink.
  5. How does the solution optimise the path from branch offices to cloud-hosted core banking platforms (e.g. Temenos, Finastra on Azure/AWS)?
  6. State the average millisecond latency between your primary UK PoP and the London Azure region (UK South) and AWS eu-west-2.
  7. State the AES-256 encrypted throughput when IPS, DPI, and application identification are all simultaneously enabled on the branch appliance.
  8. Does the solution support 4G/5G and satellite as active-active underlays? How is high-frequency jitter from satellite smoothed for payment traffic?
  9. Describe the ZTP process for a new bank branch. Can a non-technical branch manager plug in the device and have it configure itself automatically?
  10. Can a single golden security and routing template be pushed to 200+ financial services branches simultaneously, with site-specific variables managed centrally?
  11. Can we grant regional IT teams read-only diagnostics access while central security operations retain full write access to routing and firewall policies?
  12. Does the orchestrator generate automated alerts if a branch device's configuration deviates from the approved golden template?
  13. Describe the safety mechanism if a firmware update fails at a remote branch during overnight maintenance windows.
  14. Do you offer a financial SLA based on application-level performance metrics (latency and jitter) rather than simply link uptime percentage?
  15. If a managed service is selected, do you take full ownership of third-party ISP fault reporting, escalation, and resolution on our behalf?
  16. If the primary SD-WAN orchestrator suffers an outage, what is the impact on branch operations and what is the RTO for management restoration?
SSE: Zero Trust Network Access (ZTNA) (9)
  1. Does the ZTNA solution use an inside-out connectivity model, ensuring internal banking applications are never exposed to public internet scanning?
  2. Can the solution provide agentless, browser-based ZTNA access to internal systems for external auditors or regulatory inspectors who cannot install software?
  3. Can ZTNA policies be restricted by time-of-day, such as blocking access to trading platforms outside market hours unless explicitly authorised?
  4. How does the ZTNA solution prevent lateral movement if a trader or advisor's account is compromised?
  5. Does the solution continuously re-evaluate user risk scores throughout the duration of a session, and can it terminate an active session if risk increases?
  6. Can the ZTNA policy trigger a step-up MFA prompt when a user attempts to access specific high-value transaction systems or payment authorisation portals?
  7. Does the system provide granular, immutable audit logs of every access event, including session duration, actions taken, and data accessed, for regulatory examination?
  8. Can the ZTNA connector be deployed in a high-availability cluster to ensure that a single connector failure does not interrupt access to critical banking systems?
  9. What is the average latency overhead introduced by the ZTNA cloud broker for a UK-based user accessing a UK data centre application?
SSE: Secure Web Gateway (SWG) (7)
  1. Detail your capability to inspect TLS 1.3 encrypted web traffic at scale without impacting the performance of cloud-hosted financial applications.
  2. Does the SWG provide protection against credential phishing by detecting when a user is typing their corporate credentials into a fraudulent login page?
  3. How does the gateway handle newly registered domains (NRDs) and domain generation algorithm (DGA) traffic used by malware command-and-control infrastructure?
  4. Can the SWG enforce a read-only policy for personal cloud storage and webmail to prevent staff from uploading customer financial data to personal accounts?
  5. Can the SWG allow trusted financial and regulatory domains (e.g. FCA, Bank of England, SWIFT) to break out locally without full SSL inspection?
  6. Can the SWG generate reports identifying high-risk user browsing behaviour patterns that could indicate a compromised account or insider threat?
  7. Is the SWG capable of inline sandboxing for files downloaded by financial staff, holding delivery until the sandbox verdict confirms the file is safe?
SSE: Cloud Access Security Broker (CASB) (8)
  1. Can the CASB distinguish between a corporate-managed Microsoft 365 or Salesforce tenant and an employee's personal account of the same application?
  2. How does the CASB identify anomalous behaviour such as a staff member bulk-downloading customer account records or pricing models from cloud systems?
  3. Does the CASB provide a risk score for unsanctioned cloud applications discovered on the network, assessed against financial services compliance standards?
  4. Can the CASB automatically redact sensitive customer financial data (account numbers, sort codes, card numbers) as it appears in cloud-based CRM systems?
  5. How does the CASB protect financial data accessed from unmanaged devices such as an employee's personal laptop or a contractor's device?
  6. Can the CASB automatically quarantine or remove sharing permissions on files containing financial data that have been accidentally shared with external email addresses?
  7. Can the CASB audit and revoke OAuth app-to-app permissions that employees have granted to third-party cloud integrations?
  8. Does the CASB offer API-based scanning of existing cloud data at rest to identify historical exposure of customer financial data?
SSE: Data Loss Prevention (DLP) (9)
  1. Does the DLP engine support Exact Data Matching (EDM) for specific customer account numbers, IBAN formats, and sort codes held in our systems?
  2. Can the DLP engine perform OCR on images and scanned documents to identify account numbers, payment details, or regulatory classifications within image files?
  3. Can the DLP engine detect partial matches of proprietary financial models, pricing schedules, or regulatory reports if only a fragment is copied or sent?
  4. How does the DLP solution handle data in motion across encrypted collaboration tools such as Microsoft Teams, Slack, or Bloomberg Terminal chat?
  5. Can the solution prevent exfiltration of financial data via clipboard copy or screen capture from web-based banking and trading applications?
  6. What is the process for a user to justify and override a DLP block if they believe it is a false positive on a legitimate financial communication?
  7. Can the DLP system scan inside compressed files (.zip, .7z, password-protected archives) to inspect financial data before it leaves the network?
  8. Does the DLP system include out-of-the-box policy templates for UK GDPR, the Financial Services and Markets Act, and PCI DSS 4.0?
  9. How are DLP incidents triaged? Is there a dedicated forensics dashboard providing a clear chain of evidence for the information security officer and legal team?
SSE: Remote Browser Isolation (RBI) (6)
  1. Does the RBI solution use pixel-pushing rendering so that no active web content from counterparty or vendor portals ever executes on a financial staff member's endpoint?
  2. Can RBI enforce read-only mode for specific financial or regulatory portal sessions, preventing downloads of documents to the local endpoint?
  3. Can the RBI service sanitise downloaded documents — stripping macros and active content — before they reach a financial staff member's endpoint?
  4. Does the SWG integrate with RBI so that uncategorised or high-risk websites are automatically isolated rather than blocked outright?
  5. How are isolated sessions logged for compliance and forensic purposes? Are URL access logs and session activity captured with timestamps?
  6. What is the latency overhead when RBI is triggered for financial research or market data sites used by analysts and traders?
SSE: Firewall as a Service (FWaaS) (6)
  1. Does the FWaaS enforce identity-aware firewall policies that follow a staff member from the office to their home network without requiring policy reconfiguration?
  2. Can the FWaaS enforce geo-blocking to prevent inbound connections from high-risk regions to payment systems and core banking infrastructure?
  3. Can you provide static, dedicated egress IPs for our SASE traffic to maintain compatibility with correspondent banks and financial counterparties that enforce IP whitelisting?
  4. If your primary UK PoP fails, how is financial services traffic rerouted and what is the maximum expected performance degradation during failover?
  5. Is the FWaaS policy engine version-controlled? Can a change that causes unintended disruption to payment processing be rolled back within minutes?
  6. Can the FWaaS generate board-ready threat reports showing top blocked attack categories, source geographies, and threat trends for our quarterly security committee?
SSE: Intrusion Prevention & Detection (IPS/IDS) (4)
  1. Does the IPS include specific threat intelligence and signatures for financial malware families targeting banking systems (e.g. Emotet, Dridex, QakBot, TrickBot)?
  2. How quickly are zero-day signatures pushed to the IPS engine following a new threat disclosure targeting financial services infrastructure?
  3. Can the IPS detect and block lateral movement attempts between financial system VLANs, such as a workstation attempting to scan the payment processing subnet?
  4. Can the IPS generate automated alerts for DDoS activity targeting specific payment gateway or core banking IP ranges?
SSE: DNS Security (Protective DNS) (2)
  1. How does the DNS security layer block newly registered domains and command-and-control infrastructure used by financially motivated threat actors?
  2. Can different DNS filtering policies be enforced for payment processing systems versus general staff endpoints?
SSE: SaaS Security Posture Management (SSPM) (2)
  1. Does the SSPM tool provide automated remediation for misconfigurations in Microsoft 365, Salesforce Financial Services Cloud, or other critical SaaS platforms?
  2. Can the SSPM benchmark SaaS configurations against CIS Controls and FCA operational resilience expectations, generating evidence for regulatory examination?
SSE: Cloud Email Security (2)
  1. How does the solution protect against Business Email Compromise (BEC) and look-alike domain attacks targeting financial counterparties and correspondent banks?
  2. Does the solution enforce DMARC, DKIM, and SPF validation for all inbound email, and can it prevent spoofing of the organisation's own domain?
SSE: Threat / Malware Protection (ATP & Sandboxing) (1)
  1. Does the sandbox support human-interaction simulation to detonate evasive malware specifically designed to remain dormant in automated analysis environments?
SSE: Identity & Access (IdP) Integration (1)
  1. Does the solution support SCIM for automated user provisioning and immediate de-provisioning when a staff member leaves the organisation?
SSE: Device Posture / Endpoint Context (2)
  1. Can the solution block access to financial systems if a device's EDR agent is disabled, disk encryption is inactive, or the device OS is below the minimum approved version?
  2. Can the solution distinguish between a corporate-managed device and a personal device, enforcing significantly more restrictive access policies for personal devices?
SASE: Converged Outcomes (7)
  1. Does the SASE solution use a contractually backed private Tier-1 backbone for the middle mile, rather than encrypted tunnels over the public internet?
  2. How does the SASE fabric provide direct cloud on-ramp to cloud-hosted financial platforms (e.g. Temenos on Azure, Finastra on AWS) without hair-pinning through a central data centre?
  3. Describe the TCP optimisation techniques used to accelerate SWIFT messaging and settlement traffic across high-latency global WAN paths.
  4. In a fully managed SASE model, who is the single point of accountability for an end-to-end performance issue spanning the ISP, the SASE backbone, and the cloud application?
  5. What is the contractual SLA for emergency security changes — such as blocking a specific IP during an active payment fraud campaign or ransomware attack?
  6. Does the managed SASE portal provide real-time digital experience monitoring at a per-user level, enabling rapid triage of performance complaints from branch staff?
  7. Can the SASE platform generate reports aligned to DORA (Digital Operational Resilience Act) requirements, including ICT incident classification, third-party dependency mapping, and resilience testing evidence?
Healthcare: 30 questions in 6 sections
Vendor Pedigree & Healthcare Track Record (4)
  1. Healthcare Operational Scale
  2. Peer References & Customers
  3. Specialised Clinical Support Teams
  4. Financial Stability & Long-term Strategy
Infrastructure, PoPs & Connectivity Underlay (6)
  1. Private Backbone & PoP Proximity
  2. Private vs. Public Gateway Options
  3. Managed Connectivity Underlay
  4. LTE/5G Failover for Community Sites
  5. HSCN Peering & Integration
  6. FirstNet & Public Safety LTE
SASE Features & Clinical Security (7)
  1. Clinical Application-Aware Routing
  2. Sub-Second Session Persistence
  3. Medical Protocol Support
  4. IoMT & Medical Device Isolation
  5. ZTNA for Shared Workstations
  6. DLP for Clinical Identifiers
  7. TLS 1.3 Inspection Performance
Operations, Reporting & SLAs (5)
  1. Digital Experience Monitoring (DEM)
  2. Managed vs. Co-Managed Flexibility
  3. Support SLA for Acute Sites (Clinical P1)
  4. Automated Compliance Reporting
  5. Real-Time Analytics & Shift-Change Heatmaps
Deployment & Regional Compliance (8)
  1. Zero-Touch Provisioning Lead Times
  2. Adds, Moves, and Changes (MACDs)
  3. DSPT Version 8 & DTAC Alignment
  4. Clinical Safety Officer (CSO) & DCB0129
  5. Business Associate Agreement (BAA)
  6. TEFCA & QHIN Connectivity
  7. Patient Data Residency & Sovereignty
  8. NHS Net Zero & Social Value
Bespoke Requirements (0)