SSE / SASE platform
Zscaler
Source evidence shows Zscaler ZIA/ZPA integration with SD-WAN and Zscaler Zero Trust SASE with a fresh SD-WAN approach; the vendor is historically SSE-led.
Netify profile
Zscaler in depth
Platform and architecture
Zscaler runs the Zero Trust Exchange, a security cloud of 160+ PoPs processing hundreds of billions of transactions daily. Users, workloads and devices connect to the nearest PoP where policy is enforced; there is no network to join, which is the architectural point. Zscaler does not ship SD-WAN appliances: branch connectivity pairs the Exchange with third-party SD-WAN, and Zscaler Zero Trust Branch options reduce branch hardware needs.
Security and SASE capability
ZIA (internet and SaaS security) and ZPA (private application access) are category-defining: SWG, CASB, DLP, sandboxing, browser isolation and the most widely deployed ZTNA in the market, with AI-powered phishing and command-and-control detection. Zscaler Digital Experience (ZDX) adds user experience monitoring. For SSE capability depth and scale, Zscaler sets the benchmark most rivals are measured against.
Service, support and channel
Zscaler has a strong UK presence, both direct and through security partners and carriers; BT, Vodafone and global SIs deliver managed Zscaler. Deployment is agent- and tunnel-based, with substantial professional services ecosystems. Support tiers run to 24x7 with TAM options; operating Zscaler well still demands skilled policy ownership in-house or via a partner.
Commercials and the Netify verdict
Pricing is per-user subscription bundles (Editions) that are quote-based and premium; transaction volumes justify it for large estates. The Netify verdict: shortlist Zscaler when a zero trust programme leads the agenda, when SSE depth and global PoP scale matter, and when SD-WAN is solved separately. Small organisations and single-site estates are outside its sweet spot.
Questions
Zscaler: common buyer questions
Does Zscaler replace my SD-WAN?
Not entirely. Zscaler replaces the security stack and removes much branch security hardware, while site-to-site connectivity still wants an SD-WAN layer; common pairings include Catalyst, EdgeConnect, Fortinet and VeloCloud feeding traffic into the Exchange.
What is the difference between ZIA and ZPA?
ZIA secures traffic to internet and SaaS destinations (SWG, CASB, DLP, sandboxing). ZPA brokers least-privilege access to private applications without placing users on the network, replacing VPN concentrators. Most deployments run both.
Is Zscaler suitable for mid-market UK organisations?
Yes, via managed routes: BT, Vodafone and UK MSPs wrap Zscaler with deployment and operations. Direct DIY suits organisations with capable security teams; smaller estates often find the licensing premium harder to justify.
Key differentiators
- Category leader in SSE with ZIA, ZPA and ZDX; widely adopted as the security layer in best-of-breed SASE architectures.
- Strong ecosystem of SD-WAN partners (Cisco, others) for buyers wanting Zscaler security with a separate SD-WAN platform.
- Mature Zero Trust platform with substantial enterprise deployment history.
Best fit for
- Enterprises selecting best-of-breed SSE alongside a separate SD-WAN platform.
- Security-driven SASE strategies where the SSE layer is the primary architectural decision.
- Buyers consolidating multiple security point solutions onto a single SSE vendor.
Watch-outs
- Historically SSE-led; native SD-WAN capability is less mature than dedicated SD-WAN platforms (validate path selection, QoS and packet loss in RFP).
- Premium pricing; typically per-user/workload/location with security modules adding cost.
- Buyers needing one vendor for both SD-WAN and security may prefer a converged platform (Cato, FortiSASE, Prisma).
40 features, 6 categories
Capability matrix
Each capability is graded against public source evidence. Where evidence is limited, the grade reflects that uncertainty rather than assuming the capability is present.
Service delivery and operating model
| # | Capability | Status | Definition |
|---|---|---|---|
| F01 | Fully managed service | Partner / integrated | Provider designs, deploys, monitors, changes, supports and reports on the service. |
| F02 | DIY / self-managed model | Yes | Customer operates SD-WAN controller, policies, updates and incident response. |
| F03 | Co-managed service | Partner / integrated | Provider runs platform/support while customer retains selected policy or change rights. |
| F04 | Multi-tenant MSP / white-label support | Partner / integrated | Tenant isolation, delegated administration, branded portals, templates and service-provider scale. |
| F05 | Professional services and migration support | Partner / integrated | Discovery, design, pilot, staging, migration runbooks, rollback and training. |
| F06 | Last-mile circuit management | Partner / integrated | Sourcing, monitoring and support for broadband, DIA, LTE/5G, MPLS and cross-connects. |
| F07 | Lifecycle management | Partner / integrated | Hardware replacement, firmware upgrades, patching, renewals and EoL planning. |
| F08 | Flexible commercial model | Yes | Per-site, per-bandwidth, per-user, per-device, consumption, NaaS or bundled pricing. |
Network architecture and transport
| # | Capability | Status | Definition |
|---|---|---|---|
| F09 | Encrypted overlay fabric | Partial | Secure tunnels across broadband, DIA, MPLS, LTE/5G, satellite or private WAN. |
| F10 | Dynamic path selection | Partial | Real-time routing based on latency, jitter, packet loss, brownouts, MOS and policy. |
| F11 | Active-active link utilisation | Partial | Use multiple links concurrently rather than passive backup only. |
| F12 | Application-aware routing | Partial | Identification and routing for SaaS, UCaaS, ERP and custom applications. |
| F13 | QoS and traffic shaping | Partial | Per-application and per-class prioritisation, reservation and policing. |
| F14 | Packet loss remediation | Partial | FEC, packet duplication, jitter buffering, TCP optimisation and WAN optimisation. |
| F15 | Local internet breakout | Partial | Secure direct internet access from branch sites. |
| F16 | MPLS coexistence and migration | Partial | Hybrid MPLS/internet/cellular during transition. |
| F17 | Cellular and 5G support | Unknown | Integrated/external modem, SIM management, signal monitoring and failover. |
| F18 | Cloud on-ramp | Yes | Automated/simplified connectivity to AWS, Azure, Google Cloud, Oracle, Equinix, Megaport and SaaS. |
Gateway, PoP and backbone design
| # | Capability | Status | Definition |
|---|---|---|---|
| F19 | Public cloud gateways | Yes | Vendor-operated gateways/PoPs for SaaS optimisation, remote access or security enforcement. |
| F20 | Private PoPs / dedicated PoPs | Unknown | Customer-hosted, dedicated or sovereign PoP options. |
| F21 | Private global backbone | Partial | Vendor-owned or controlled backbone between PoPs. |
| F22 | Regional breakout and data residency | Yes | Pin traffic to countries, regions or approved inspection locations. |
| F23 | Multi-cloud transit fabric | Yes | Branch-to-cloud, cloud-to-cloud and user-to-cloud connectivity under common policy. |
| F24 | Flexible edge form factors | Partial | Physical, virtual, cloud marketplace, container or uCPE. |
| F25 | High availability design | Partial | Dual appliances, dual circuits, dual power, HA clustering and gateway redundancy. |
| F26 | SLA-backed service fabric | Partner / integrated | SLA for uptime, response, change handling and possibly latency/jitter/loss. |
Security and SASE capability
| # | Capability | Status | Definition |
|---|---|---|---|
| F27 | Integrated next-generation firewall | Yes | Stateful firewall, app control, IPS/IDS, malware inspection and URL filtering. |
| F28 | Full SASE platform | Yes | SD-WAN plus SWG, CASB, ZTNA, FWaaS, DLP, RBI, DNS security and threat prevention. |
| F29 | SSE ecosystem integration | Yes | Interoperation with Zscaler, Netskope, Palo Alto Prisma Access, Cisco Secure Access, Cloudflare etc. |
| F30 | Zero Trust Network Access | Yes | Identity and posture-based access to private applications. |
| F31 | Secure web gateway | Yes | URL filtering, SSL inspection, malware scanning and acceptable-use controls. |
| F32 | CASB capability | Yes | SaaS discovery, sanctioned/unsanctioned app control and SaaS policy enforcement. |
| F33 | Data loss prevention | Yes | Data classification, inspection, blocking, alerting and exception workflow. |
| F34 | Remote user access | Yes | Client or clientless access for remote workers, contractors and mobile users. |
| F35 | SOC/SIEM/SOAR integration | Yes | Syslog, APIs, event export, threat intelligence and workflow integration. |
Operations, assurance and automation
| # | Capability | Status | Definition |
|---|---|---|---|
| F36 | Centralised orchestration | Yes | Templates, intent-based policy, zero-touch provisioning and configuration compliance. |
| F37 | Customer portal and RBAC | Yes | Real-time status, role-based access, reporting, tickets and change requests. |
| F38 | Observability and digital experience monitoring | Yes | App experience, user experience, device health, SaaS telemetry and path analytics. |
| F39 | APIs and automation | Yes | REST APIs, Terraform, webhooks, event streaming and ITSM integration. |
| F40 | Managed service assurance | Partner / integrated | 24/7 NOC/SOC, proactive monitoring, incident ownership, RCA, service reviews and change governance. |
Commercial
Cost model and pricing visibility
Public pricing visibility
Quote-based. No complete public enterprise price was found in reviewed sources.
Cost model
Quote-based subscription; typically per-user/workload/location modules; SD-WAN integrations may add partner/vendor cost.
Evidence
Primary sources
Every capability grade traces back to one of these sources. Reviewed 2026-05-22.
Verification notes
Capability matrix sourced from Netify internal vendor research (May 2026). Status grades reflect public source evidence only. Confirm via RFP. Qualitative fields (differentiators, best fit, watch-outs) are Netify editorial synthesis based on the evidence summary and capability profile; review before publishing. Extended dimensions (regions, clouds, AI, resilience, deployment speed, sectors, organisation fit, identity, platforms, support, logging) are indicative desk research grades from June 2026; confirm via RFP.