SSE RFP path
Build an SSE RFP
SSE is the security half of SASE: right when your WAN is fine but VPN, proxy and CASB point products are not. The pitfalls are inspection coverage (TLS, unmanaged devices), data residency and what happens to policy when you later add SD-WAN. This builder asks those questions up front.
Who this path is for
- Replacing VPN concentrators with ZTNA
- Consolidating proxy, CASB and DLP into one policy plane
- Security-led buyers keeping the existing WAN
- Buyers who may add SD-WAN later and need a compatible platform
What the RFP covers
- ZTNA with device posture and continuous validation
- SWG with TLS inspection and category coverage
- Inline and API CASB, DLP templates and incident workflow
- FWaaS and DNS-layer security
- Logging, SIEM export, data residency and sub-processors
- Future SD-WAN compatibility and commercials
Sample questions from the Netify bank
Drawn from the sase-question-bank-2026.1 canonical bank (43 questions). Every question carries the evidence suppliers should provide and the red-flag answers to watch for.
Identity / ZTNA
Describe how your platform enforces zero trust access to private applications.
Evidence: Architecture diagram; Policy example; Identity provider integration list
Identity / ZTNA
Which identity providers do you support natively, and which protocols (SAML, OIDC, SCIM)?
Evidence: Supported IdP list; Protocol matrix
Identity / ZTNA
How is device posture evaluated and used in access decisions?
Evidence: Device posture signal list; Sample posture-based policy
Identity / ZTNA
Describe step-up authentication and continuous session validation.
Evidence: Step-up trigger list; Session validation cadence
Identity / ZTNA
Describe how third-party and contractor access is managed.
Evidence: Third-party access workflow
SWG / CASB / DLP
Describe your secure web gateway, including TLS inspection and URL category coverage.
Evidence: SWG architecture; TLS inspection approach; Category list
SWG / CASB / DLP
Describe browser-based isolation options and use cases.
Evidence: Isolation architecture
SWG / CASB / DLP
Describe your inline and API-based CASB coverage for sanctioned and shadow SaaS.
Evidence: List of API-integrated SaaS; Inline vs API coverage matrix
Common questions
SSE now, SASE later — will this RFP lock me in?
The builder includes SD-WAN compatibility questions in SSE RFPs precisely so a later SASE consolidation stays open.
Is this only for large enterprises?
No — question depth adapts to your estate. A 200-user organisation gets a shorter, sharper RFP than a 10,000-user one.
Methodology and citations
Questions cite the Netify question bank, sample RFP and research methodology. Machine-readable bank: /question-bank.json. Other paths: Build a SASE RFP · Build an SD-WAN RFP · Not sure? Get a recommendation