
The Great SASE Consolidation

The Gorilla vs The Chimps

If you look at the Secure Access Service Edge (SASE) and Security Service Edge (SSE) market today, it looks like an explosion of early life slowly emerging from the primordial waters. Every networking and security vendor on the planet has slapped a “SASE” label on their website, armed with a slide deck showing how they map perfectly to Gartner’s framework.

But beneath the marketing veneer, the market is fundamentally unstable. SASE is not just a feature checklist; it is an architectural paradigm shift. And like all massive infrastructure shifts, gravity will eventually take hold and the competitors will start to show their cracks.

Driven by the ruthless economics of network effects, traffic scaling, and artificial intelligence, the SASE market is going to congeal. We are moving rapidly away from a fragmented landscape toward a mature market dominated by a winner-takes-most “Gorilla vs. Chimps” dynamic. Today, I explore why most of today’s candidates won’t survive the transition.


The Unforgiving Math of Network Effects

To understand the end-state of SASE, you have to look at the underlying economics of traffic routing and security inspection. True SASE relies on a global footprint and economies of scale. The winners will be dictated by network effects across three vectors:

  • Cost of Goods Sold (COGS) and Peering: Inspecting TLS-encrypted traffic at scale is computationally brutal. Vendors who own their infrastructure, build custom proxy architectures, and establish direct peering relationships with major SaaS and IaaS providers have an insurmountable cost advantage. Those relying heavily on public cloud infrastructure (AWS/GCP/Azure) to run their SASE PoPs will eventually have their margins crushed by egress fees and transit costs as traffic scales.
  • Data Gravity and Threat Intelligence: The more traffic you process, the more anomalous behavior you see. The more you see, the better your machine learning models become at identifying zero-day threats. This creates a virtuous cycle where the largest platforms inherently provide the best security, drawing in more customers.
  • The “Single-Pass” Imperative: Customers are realizing that stringing together five different cloud security tools introduces latency. The market demands a single-pass architecture where decryption, CASB, SWG, DLP, and Firewalling happen simultaneously.

The Starting Line Dictates the Finish Line

Right now, vendors are desperately trying to claw, build, or acquire their way to a unified SASE platform. But architectural DNA is incredibly difficult to change. Many vendors have already pigeon-holed themselves based on where they started.

1. The Legacy Firewallers (The “Bolted-On Cloud” Problem)

Vendors that originated in on-premises hardware view the world through the lens of a box. To become SASE, many resorted to spinning up virtual machines of their legacy code in the cloud. This isn’t cloud-native; it’s just somebody else’s computer. While Palo Alto Networks managed a brutal, massive architectural pivot with Prisma SASE to escape this gravity, others like Fortinet and Check Point are still navigating the tension between their massive hardware install bases and the realities of cloud-native elasticity.

2. The Networkers (The “Security-Light” Problem)

SD-WAN pioneers conquered the branch office by optimizing routing. But when forced to pivot to SASE, they realized deep packet inspection and nuanced data loss prevention (DLP) are entirely different beasts. Look at Cisco: they bolted Umbrella onto Viptela, resulting in complex integration challenges and a “Franken-SASE” UI where the network and security layers clearly didn’t grow up in the same house. Broadcom’s acquisition of VMware (VeloCloud) and Symantec faces a similarly steep climb to true convergence.

3. The Point-Solution Pioneers (The Niche Trap)

Several vendors got to market early by perfecting a single SSE capability. Early Zero Trust Network Access (ZTNA) or Remote Browser Isolation (RBI) players dug deeply into their niches. But enterprise buyers are suffering from agent fatigue. A brilliant standalone tool is fundamentally less valuable than a “good enough” tool that shares an agent and policy engine with a company’s SWG and CASB.

The “Enterprise Niche” Trap: There is a seductive but lethal trap in the SASE market: over-engineering for the top 1% of the Fortune 500. Some vendors burn massive R&D capital building hyper-complex multi-cloud routing or extreme data sovereignty features for highly regulated monoliths. Fighting directly over this niche too early is a sunk cost. While a niche player spends years satisfying a 50,000-seat bank, the platform Gorillas capture the entire mid-market and the rest of the Fortune 500. Eventually, the Gorillas’ R&D budgets outpace the niche players, allowing them to build those advanced features as mere checkboxes down the line.


The AI Catalyst: Accelerating Consolidation

If network economics are the slow-moving gravity forcing consolidation, Artificial Intelligence is the catalyst accelerating it.

1. The Death of the Clunky UI

Historically, complex point solutions justified their existence through highly granular, specialized policy controls. AI is leveling that playing field. With natural language processing, a network administrator can simply query, “Block all uploads of source code to unapproved generative AI tools for our contractors.” AI translates intent into policy across the entire platform. This radically reduces the need for hyper-specialized, standalone security tools whose main differentiator was their configuration engine.

2. The Data Lake Prerequisite

AI is only as intelligent as the data it is trained on. SASE vendors operating a true, unified platform have a massive, normalized data lake comprising user identity, endpoint posture, network telemetry, and application context. Point-solution vendors simply do not have the holistic data required to train effective, context-aware AI agents.


The Forecast: Ranking the Top 5 Contenders

As enterprises look to consolidate vendors, cut costs, and simplify management, the middle of the SASE market will fall out. Here is how the top players stack up in the race to congeal the market:

  1. Palo Alto Networks: The Goliath. They threw immense capital at the problem, acquiring and aggressively integrating technologies until they built a platform that enterprise CISOs trust.
  2. Zscaler: The Cloud-Native Pioneer. They built the purest ZTNA architecture from the ground up. Their inline proxy scale is historically unmatched, even if they occasionally struggle with the network-heavy side of the SASE equation.
  3. Netskope: The Data-Centric Contender. They started in CASB and built out a phenomenally strong data-security-led SSE platform. They are a formidable player, but they are fighting against the sheer scale and gravity of the top two.
  4. Cato Networks: The Architectural Purist. Cato built single-vendor SASE right from day one—one codebase, one network, one console. They are incredibly strong in some markets, but face an uphill battle displacing entrenched enterprise behemoths.
  5. Cloudflare: The Rising Tide. They own the network. With an insanely massive global footprint and pure cloud-native DNA, their edge compute capabilities are terrifying to traditional security vendors.

The Final Bet: Who Takes the Crown?

If you look at the immediate horizon, the market appears to be settling into a classic Coke vs. Pepsi battle between Palo Alto Networks and Zscaler.

On the surface, this near-term head-to-head makes sense. Zscaler has the superior, born-in-the-cloud architectural purity (the Pepsi), while Palo Alto Networks has mastered the “platformization” narrative, leveraging its massive legacy footprint to aggressively bundle and upsell its way into the enterprise (the Coke). But I would argue that this heavyweight bout is ultimately a distraction.

The longer-term rising tide, and the ultimate Gorilla of the SASE market, will be Cloudflare.

While PANW and Zscaler fight fiercely over the top 1% of enterprise budgets, Cloudflare is quietly executing a textbook Innovator’s Dilemma strategy. They are building an incredibly defensible moat from the bottom up, driven by three unique factors:

  1. The Broadest Market Appeal: By offering generous free tiers and developer-friendly tools, Cloudflare powers a massive chunk of the internet. They aren’t just fighting for Fortune 500 CISOs; they own the long tail, giving them an insurmountable data advantage.
  2. Accelerating AI Developer Infrastructure: Cloudflare isn’t just securing AI; they are becoming the infrastructure where AI is built and deployed at the edge. As developers default to Cloudflare for AI routing and edge compute (like Workers AI), security naturally follows the application.
  3. The Data Lake Advantage: Because they sit in front of millions of domains, their threat intelligence and data gravity are staggering.

The market is already quietly acknowledging this long-term potential, evident in the massive P/E and revenue multiples Cloudflare consistently commands over its traditional security peers. I’ve always summarized the ‘SASE’ offering as a vendor attempting to build an Enterprise network on the public Internet. Viewing the market through that lens, I’d look for whatever solution most closely mirrors the existing Internet, from DNS on up.

To borrow an apt analogy from an essay by Shawn Wang (swyx): In the race to secure the cloud, everyone else in the market is playing Chess—focusing on capturing high-value pieces and attacking directly. Cloudflare is playing Go. They are focused on placing stones, surrounding the board, and capturing territory. By the time the legacy players realize they’ve been encircled, the game will already be over.

Disclaimer: I own stock in Cloudflare, Zscaler and PANW. This is not investment advice.
