Netify

SSE RFP path

Build an SSE RFP

SSE is the security half of SASE. It is the right choice when your WAN is fine but your VPN, proxy and CASB point products are not. The pitfalls are inspection coverage (TLS, unmanaged devices), data residency and what happens to policy when you later add SD-WAN. This builder asks those questions up front.

Who this path is for

  • Replacing VPN concentrators with ZTNA
  • Consolidating proxy, CASB and DLP into one policy plane
  • Security-led buyers keeping the existing WAN
  • Buyers who may add SD-WAN later and need a compatible platform

What the RFP covers

  • ZTNA with device posture and continuous validation
  • SWG with TLS inspection and category coverage
  • Inline and API CASB, DLP templates and incident workflow
  • FWaaS and DNS-layer security
  • Logging, SIEM export, data residency and sub-processors
  • Future SD-WAN compatibility and commercials

Sample questions from the Netify bank

Drawn from the sase-question-bank-2026.1 canonical bank (43 questions). Every question carries the evidence suppliers should provide and the red-flag answers to watch for.

Identity / ZTNA

Describe how your platform enforces zero trust access to private applications.

Evidence: Architecture diagram; Policy example; Identity provider integration list

Identity / ZTNA

Which identity providers do you support natively, and which protocols (SAML, OIDC, SCIM)?

Evidence: Supported IdP list; Protocol matrix

Identity / ZTNA

How is device posture evaluated and used in access decisions?

Evidence: Device posture signal list; Sample posture-based policy

Identity / ZTNA

Describe step-up authentication and continuous session validation.

Evidence: Step-up trigger list; Session validation cadence

Identity / ZTNA

Describe how third-party and contractor access is managed.

Evidence: Third-party access workflow

SWG / CASB / DLP

Describe your secure web gateway, including TLS inspection and URL category coverage.

Evidence: SWG architecture; TLS inspection approach; Category list

SWG / CASB / DLP

Describe browser-based isolation options and use cases.

Evidence: Isolation architecture

SWG / CASB / DLP

Describe your inline and API-based CASB coverage for sanctioned and shadow SaaS.

Evidence: List of API-integrated SaaS; Inline vs API coverage matrix

Common questions

SSE now, SASE later — will this RFP lock me in?

The builder includes SD-WAN compatibility questions in SSE RFPs precisely so a later SASE consolidation stays open.

Is this only for large enterprises?

No — question depth adapts to your estate. A 200-user organisation gets a shorter, sharper RFP than a 10,000-user one.

Methodology and citations

Questions cite the Netify question bank, sample RFP and research methodology. Machine-readable bank: /question-bank.json.