Netify Marketplace Review
Cato Networks SD-WAN and SASE Review
Cato Networks is a cloud-native SASE platform built on its own global private backbone that spans more than 85 global Points of Presence and, unlike overlay-only vendors, Cato routes traffic across this owned infrastructure rather than public internet for greater application performance.
Frequently ranked as the easiest-to-use solution by Netify's experts (making it an ideal fit for SMBs or organisations with less in-house expertise), Cato operates a single converged SASE platform, which allows for everything (SD-WAN policies, security controls and logs) to all be accessible from the same system, reducing potential issues or the required troubleshooting that can be found in stacked point solutions. This is a standout feature of Cato, given that most vendors on the SASE market either started as SD-WAN platforms trying to bolt on security, or started as SSE platforms trying to bolt on SD-WAN, whereas Cato has built both from scratch, giving it a much more integrated and premium feel when compared to its competitors. This integration also removes the overhead that stacked architectures create, and the cloud-native console means teams without dedicated security staff can easily operate it day to day. At Netify, we frequently hear that mid-market IT teams who have tried to run a separate SD-WAN, a separate firewall, a separate web gateway and a separate ZTNA tool simultaneously have had much better results from Cato's SASE solution.
Furthermore, by utilising their own global private backbone of more than 85 global Points of Presence, Cato can reduce internet variability and this puts them ahead of competitors without a private backbone as alternatives can lead to disruptions for organisations with significant cross-border traffic or more latency-sensitive SaaS applications.
For target customer size, our recommendation is that Cato makes most sense from 25 sites upward, below that count, the pricing does not usually justify the platform, and simpler firewall-led alternatives tend to serve smaller organisations better. We would argue that mid-market at 25 to 100 sites is where organisations will start to see an ROI on the consolidation of previously separate point products and large enterprise up to around 1,000 sites are well-supported. However, we would warn that above 1,000 sites is a heavy MPLS migration that Cato is not perhaps best suited for and we would therefore recommend a global carrier (such as BT Global) before we would Cato in this instance.
Equally, if you have already committed to Zscaler or Netskope as your SSE platform and want to keep it, Cato will not work alongside it as the platform is intentionally closed and those vendors cannot be plugged in as the SSE layer. Alternatively, if you want one contract that covers the SASE platform and the underlying access circuits together, Cato is not the best fit either as circuits are sourced separately and you will still be coordinating multiple suppliers. Finally, if you are aiming for your architecture to utilise the best-of-breed solutions for each network component (such as selecting the best SD-WAN and the best SSE independently), Cato's converged model is a constraint rather than an advantage for you.
Reviewed by Harry Yelland, Cybersecurity Writer at Netify. Fact-checked by Robert Sturt, Managing Director, Netify. Last reviewed 3 June 2026.
Check Cato Networks against your requirements
Tick what you need. We will show you which capabilities Cato Networks delivers natively, via a partner, on the roadmap, or not at all.
Cato SASE platform components
The converged SASE platform Cato delivers. All native to one console, one policy domain and one log store.
Sector fit
How well Cato's platform suits each industry vertical. Tick the sector that matches your buyer profile.
Organisation size fit
How Cato suits each scale of organisation. Tick your size band.
Workload profile fit
How Cato handles each workload pattern. Tick what dominates your estate.
Operational model fit
Cato's delivery options. Tick the model that matches how your team operates.
Compliance support
Regulatory frameworks Cato's platform supports. Tick the frameworks that matter for your buyer.
Geographic capability
Where Cato has PoPs, NOCs and regional presence. Tick the regions you serve.
Cloud and identity integrations
Native integrations with hyperscalers, SaaS, identity providers and security tools. Tick the platforms your buyer uses.
Service delivery features
NOC presence, professional services and named resources. Tick what your engagement needs.
Your selection is shareable as a URL. The Netify RFP builder can pre-load these requirements when scoring shortlisted vendors.
Cato Networks company facts
| Attribute | Value |
|---|---|
| Legal name | Cato Networks Ltd. |
| Founded | 2015 |
| Years in market | 11 years, having launched the platform commercially in 2015 |
| Headquarters | Tel Aviv, Israel |
| Vendor type | SASE vendor with a fully cloud-native platform and no on-premises infrastructure dependency |
| Active enterprise customers | Approximately 2,500 enterprise customers as referenced in the 2025 Gartner Magic Quadrant for SASE Platforms |
| Global Points of Presence | 85+ |
| Architecture | Single-pass cloud-native SASE architecture, delivered via an owned global private backbone rather than public internet routing |
| Primary security certifications | ISO 27001 certified; SOC 2 Type II audit reports provided under NDA on request |
| NOC locations | UK, United States, Israel, Australia |
| Website | https://www.catonetworks.com |
Performance, SLA and support
| Metric | Cato commitment |
|---|---|
| Platform uptime SLA | 99.999% |
| Uptime basis | Measured against the Cato Cloud SASE platform availability. Underlay circuits and customer-side equipment are not included in the platform SLA. |
| Standard support | Business-hours response within published SLA targets |
| Premium support | 24x7 response with faster SLAs for critical incidents and priority queue handling |
| Premium Plus support | Proactive monitoring, a named Technical Account Manager and priority escalation paths |
| MTTR targets | Critical incident MTTR targets documented per support tier, vary by severity classification (Severity 1 through 4) and contracted tier |
| Service credits | Available where platform availability falls below the contractual SLA, calculated per the published service level agreement and credited against future invoices |
| Deployment complexity | Moderate |
| Typical timeline | 4 to 12 weeks for mid-market multi-site deployments; 3 to 6 months for global enterprise programmes including MPLS migration |
Awards and analyst recognition
| Recognition | Status |
|---|---|
| Gartner Magic Quadrant for SASE Platforms (2025) | Leader (second consecutive year), per https://www.catonetworks.com/resources/gartner-magic-quadrant-for-sase-platforms-2025/ |
| Gartner Magic Quadrant for SASE Platforms (2024) | Leader, per https://www.catonetworks.com/news/cato-named-leader-in-the-2025-gartner-magic-quadrant-for-sase-platforms/ |
| Total Economic Impact of Cato SASE Platform Spotlight Study (2026) | Forrester Consulting commissioned TEI study covering six enterprise customers including a global chemicals company with $2.5B revenue, per https://tei.forrester.com/go/CatoNetworks/CatoSASESpotlight/index.html |
What Netify thinks
Frequently ranked as the easiest-to-use solution by Netify's experts (making it an ideal fit for SMBs or organisations with less in-house expertise), Cato operates a single converged SASE platform, which allows for everything (SD-WAN policies, security controls and logs) to all be accessible from the same system, reducing potential issues or the required troubleshooting that can be found in stacked point solutions.
This is a standout feature of Cato, given that most vendors on the SASE market either started as SD-WAN platforms trying to bolt on security, or started as SSE platforms trying to bolt on SD-WAN, whereas Cato has built both from scratch, giving it a much more integrated and premium feel when compared to its competitors. This integration also removes the overhead that stacked architectures create, and the cloud-native console means teams without dedicated security staff can easily operate it day to day. At Netify, we frequently hear that mid-market IT teams who have tried to run a separate SD-WAN, a separate firewall, a separate web gateway and a separate ZTNA tool simultaneously have had much better results from Cato's SASE solution.
Furthermore, by utilising their own global private backbone of more than 85 global Points of Presence, Cato can reduce internet variability and this puts them ahead of competitors without a private backbone as alternatives can lead to disruptions for organisations with significant cross-border traffic or more latency-sensitive SaaS applications.
For target customer size, our recommendation is that Cato makes most sense from 25 sites upward, below that count, the pricing does not usually justify the platform, and simpler firewall-led alternatives tend to serve smaller organisations better. We would argue that mid-market at 25 to 100 sites is where organisations will start to see an ROI on the consolidation of previously separate point products and large enterprise up to around 1,000 sites are well-supported. However, we would warn that above 1,000 sites is a heavy MPLS migration that Cato is not perhaps best suited for and we would therefore recommend a global carrier (such as BT Global) before we would Cato in this instance.
Netify's verdict. Our recommendation is that Cato Networks is best suited to mid-market and enterprise organisations that require a fully managed SASE platform and those for whom AI governance is becoming a growing priority.
Strengths
Single converged SASE platform.
Single converged SASE platform with one policy domain and one log store (across SD-WAN, NGFW, SWG, ZTNA, DLP and CASB), eliminating the integration and management overhead that comes with stacked or bolted-on point products.
Owned global private backbone.
Cato's owned global private backbone, with more than 85 Points of Presence, reduces internet variability for cross-border and SaaS-heavy traffic in a way that overlay-only platforms cannot match, which is particularly beneficial for organisations that have sites in regions with inconsistent public internet routing.
Cloud-native operating model.
Cato's cloud-native operating model enables lean IT teams to quickly roll-out new sites without specialist staff on location, which makes Cato more appealing than appliance-led alternatives.
Weaknesses
Closed platform: no best-of-breed SSE swap.
Less suited to best-of-breed buyers who want to combine leading SSE vendors (such as Zscaler or Netskope) with separate SD-WAN platforms as only Cato's tools can be natively integrated.
Access circuits sourced separately.
Access circuits are sourced and managed independently of the Cato platform, meaning that buyers still have to manage and coordinate multiple suppliers, which can be a deterrent for those looking for a single contract that covers both the SASE platform and the underlying connectivity.
Less mature for very large MPLS estates.
Less mature than global carriers for very large multinational deployments with heavy legacy MPLS estates and complex multi-supplier transition programmes.
Cato Networks vs Zscaler
Cato is a full single-vendor SASE platform with converged SD-WAN and security, whereas Zscaler is primarily an SSE specialist that enables their SSE solution to be paired with a separate SD-WAN.
| Attribute | Where Cato wins | Where Zscaler wins |
|---|---|---|
| Headline trade-off | Single-vendor SASE consolidation reduces operational integration overhead, integrated SD-WAN included rather than separately procured, owned private backbone reduces internet variability for cross-border traffic, lower coordination overhead from one converged platform. | Deeper SSE feature maturity particularly for large-enterprise SSE-led adoption, stronger fit for organisations wanting separate best-of-breed SSE and SD-WAN vendors, more established positioning with very large enterprises that have already chosen Zscaler for SSE. |
Cato Networks vs Fortinet
Both are Leaders in Gartner's 2025 SASE Magic Quadrant, though Cato is cloud-native by design, whereas Fortinet's SASE platform extends from its strong SD-WAN and firewall appliance heritage, with these differences in architecture typically determining their customer base.
| Attribute | Where Cato wins | Where Fortinet wins |
|---|---|---|
| Headline trade-off | Cloud-native architecture with no on-premises appliance dependencies, single converged platform across all SASE functions on one console, suited to cloud-first buyers preferring software-first operating models. | Strong SD-WAN in branch and small-enterprise estates, competitive pricing relative to many SASE platforms, hardware-led approach for buyers comfortable with appliance-based infrastructure, broader security portfolio for hybrid security needs. |
Cato Networks vs Palo Alto Networks
Both are Leaders in Gartner's 2025 SASE Magic Quadrant, though Cato is purpose-built single-vendor SASE, whereas Palo Alto's Prisma Access leads with SSE strength and integrates with Prisma SD-WAN.
| Attribute | Where Cato wins | Where Palo Alto wins |
|---|---|---|
| Headline trade-off | True single-platform architecture with one console and one policy domain, owned private backbone reducing internet variability, integrated SD-WAN included rather than separately licensed, often simpler total cost picture. | Deeper SSE security feature maturity particularly for advanced threat protection and CASB, stronger position with security-team-led adoption, established credibility with very large enterprises and government sectors, broader security platform portfolio beyond SASE. |
Cato Networks vs Cisco
Cisco is a Challenger in Gartner's 2025 SASE Magic Quadrant, and whilst Cato is a single-pane single-platform SASE, Cisco's SASE offering requires two management consoles (SSE via Cisco Secure Access and SD-WAN via Catalyst).
| Attribute | Where Cato wins | Where Cisco wins |
|---|---|---|
| Headline trade-off | Single-vendor architecture with one console rather than two, cloud-native operational model, simpler licensing structure, faster deployment for cloud-first buyers. | Deep networking incumbency in large enterprises, established global partner ecosystem, broader networking portfolio (LAN through WAN to security), strong fit for Cisco-standardised customers wanting platform consistency. |
Cato Networks vs Aryaka
Both operate global private backbones and are often compared to each other. Cato leads with full SASE convergence and broader integrated security feature breadth, whereas Aryaka leads with managed-service delivery and WAN optimisation heritage.
| Attribute | Where Cato wins | Where Aryaka wins |
|---|---|---|
| Headline trade-off | Broader integrated security stack (NGFW, SWG, ZTNA, DLP, CASB all native to the platform), Gartner SASE Leader position vs Aryaka's narrower Gartner coverage, larger feature scope across SASE functions. | Managed-service-first delivery model with fully-managed positioning as the default, deeper WAN optimisation heritage, stronger fit for customers wanting hands-off operational model from a single provider that owns delivery end-to-end. |
Cato Networks vs Cloudflare One
Cato runs on an owned private backbone with more than 85 Points of Presence, meanwhile Cloudflare One runs on Cloudflare's Anycast network (spanning over 330 cities). Cato is a Gartner SASE Leader; Cloudflare is positioned as a Visionary.
| Attribute | Where Cato wins | Where Cloudflare wins |
|---|---|---|
| Headline trade-off | Private backbone provides predictable cross-border performance for SaaS-heavy enterprise traffic, mature single-vendor SASE positioning with broader enterprise sector adoption, deeper integrated SSE feature set. | Massive global network footprint, cost-effective for high-volume web traffic patterns, strong developer-platform integration, attractive for cloud-native and edge-focused organisations. |
Cato Networks cost model
Cato's model is a quote-based subscription, structured around site count, user count, bandwidth and the security services included. Premium support tiers carry additional cost. Consolidating onto Cato typically reduces total network and security spend by rationalising the number of point products, though Cato itself is priced as a premium platform rather than a budget option.
Migration paths
Typical transition patterns from common starting points. Timelines vary with site count, complexity and contract retirement schedules.
From MPLS
3 to 12 months depending on site count and the retirement schedule of MPLS contracts · Coexistence supported during transition
Phased migration with Cato deployed alongside existing MPLS as a hybrid configuration. Sites progressively cut over from MPLS-dependent routing to direct-to-internet routing through Cato Sockets. MPLS retired site-by-site as the new architecture proves stable, with the retirement schedule aligned to existing carrier contract expiry to avoid penalty charges.
Notes: Most common Cato migration scenario. Cato has a documented MPLS-to-SASE migration playbook supporting phased cutover patterns.
From Legacy VPN (Cisco AnyConnect, Pulse Secure, Ivanti, etc.)
4 to 12 weeks for a phased ZTNA roll-out replacing remote VPN · Coexistence supported during transition
Cato ZTNA deployed alongside the existing VPN concentrator. Users gradually migrated to ZTNA by application or by user group. Legacy VPN concentrator retired once all critical access has moved to ZTNA. Often coupled with a broader Zero Trust adoption programme.
Notes: Often paired with broader Zero Trust adoption programme and identity provider modernisation.
From Cisco SD-WAN (Catalyst or Meraki)
3 to 9 months depending on site count and operational complexity · Coexistence supported during transition
Cato deployed site-by-site replacing Cisco SD-WAN edge devices. Cato Socket replaces Cisco vEdge or Meraki MX hardware. Network policy reimplemented in Cato's unified console. Often combined with security stack consolidation, eliminating separate firewall and proxy infrastructure at the same time.
Notes: Customers consolidating from Cisco SD-WAN to Cato typically also retire separate security appliances at the same time, capturing the consolidation benefit.
From Zscaler (SSE swap to single-vendor SASE)
2 to 6 months for SSE swap alone; longer if combined with SD-WAN consolidation · Coexistence supported during transition
Less common migration pattern. Customers replacing Zscaler with Cato are typically pursuing single-vendor SASE consolidation, replacing both Zscaler SSE and a separate SD-WAN with Cato's converged platform. ZTNA, SWG and CASB policies reimplemented in Cato.
Notes: Buyers should consider the trade-off honestly: Cato's full SASE convergence vs Zscaler's best-of-breed SSE depth. Not the right move for every Zscaler customer.
From Fortinet SASE / FortiSASE
3 to 9 months depending on Fortinet estate complexity · Coexistence supported during transition
Customers moving from Fortinet-led architectures to Cato typically do so to shift from appliance-led to cloud-native operations. Phased site cutover replacing FortiGate and FortiSASE components with Cato Sockets and cloud policy. Identity, policy and security configurations re-implemented in Cato's unified console.
Notes: Major architectural philosophy shift; buyers should validate whether moving from appliance-led to cloud-native operations is genuinely desired before committing.
Typical deployment patterns
1. MPLS replacement with phased cutover
Cato deployed alongside existing MPLS as a hybrid configuration. Sites progressively cut over from MPLS-routed to direct-internet routing through Cato Sockets. MPLS retired site-by-site aligned to carrier contract expiry. Most common Cato deployment pattern globally.
Typical customer: Mid-market and large enterprise with 25 to 1,000 sites currently on MPLS, looking to reduce circuit costs and modernise WAN architecture while embedding security at each site.
2. Direct-to-internet branch with embedded security
Cato Socket at each site provides direct internet breakout with Cato's integrated NGFW, SWG, DLP and CASB enforcing security policy before traffic leaves the site. No backhaul to a data centre is required. Suited to greenfield branch deployment or full MPLS exit.
Typical customer: Cloud-first organisations with SaaS-heavy traffic, distributed retail or hospitality estates, multi-site mid-market organisations with limited dedicated security staff at each location.
3. Remote-worker-first with ZTNA
Cato Client (and clientless) ZTNA deployed for the workforce first, replacing legacy VPN. Branch deployment follows as a second phase. Common for organisations starting their SASE programme by addressing remote workforce security before tackling branch WAN.
Typical customer: Hybrid workforce organisations, professional services firms, organisations responding to a VPN scalability problem or a Zero Trust mandate.
4. Single-vendor SASE consolidation
Cato replaces multiple incumbent point products simultaneously: SD-WAN, NGFW, SWG, ZTNA, DLP, CASB all consolidated to the Cato platform in one strategic programme. Often combined with MPLS retirement and vendor portfolio rationalisation.
Typical customer: Buyers explicitly pursuing vendor consolidation as a strategic outcome, typically with mid-market or large-enterprise estates, often after a CISO or CIO-led portfolio review concluded that multiple point products were creating operational drag.
5. MSP-delivered managed SASE
Cato deployed and operated by an MSP partner using Cato's multi-tenant management capability. The MSP handles policy configuration, monitoring, change control and end-user support; the customer retains policy authority and audit access via co-managed console rights.
Typical customer: Organisations preferring an outsourced operating model, lean IT teams without dedicated security operations capacity, or customers procuring through a managed services framework.
Case studies
Reliance Cyber
Professional services · United Kingdom, with hybrid workforce across multiple regions · Mid-market (25 to 100 sites)
Challenge. Reliance Cyber were moving towards SASE to better support their hybrid workforce and the scale they were growing to, needing unified access for both security and performance without the operational overhead of managing multiple platforms. Their previous network stack had separate networking and security tools, with each requiring their own management and policy configurations.
Solution. By migrating to Cato SASE in a phased approach, Reliance Cyber were able to minimise disruption to users and stakeholders, as well as consolidating networking and security to be delivered through one integrated platform.
Outcome. Reliance Cyber found that operations were simplified by consolidating all services and performance improved owing to Cato's global private backbone, all whilst enabling Reliance Cyber to meet their long-term goals of unified access, security and performance for the hybrid workforce.
Source: https://www.reliancecyber.com/case-studies/cato-networks/
Saintex Industrial Group
Manufacturing · Multinational industrial group with international operations · Large enterprise (100 to 1,000 sites)
Challenge. Saintex needed to increase network capacity and operational agility to support its digitalisation programme and international expansion strategy, especially given that their legacy network infrastructure was becoming rather outdated.
Solution. By leveraging Cato's SASE platform and global private backbone, they were able to replace outdated network infrastructure, whilst also scaling the multi-site industrial estate.
Outcome. Saintex were able to increase their network capacity and operational agility, enabling global expansion and for Saintex to move towards industry 4.0.
Sapporo Real Estate Development
Professional services · Japan, Asia-Pacific · Small (5 to 25 sites)
Challenge. Sapporo Real Estate Development faced difficulties setting up consistent LAN configurations across commercial facilities, where infrastructure was outsourced to subcontractors of varying scale. They wanted to secure all externally outsourced infrastructure to a uniform standard, as well as manage contractors' use of unsanctioned external services.
Solution. By utilising Cato SASE, (delivered by Cato's partner NRI Secure Technologies), the rollout took 3 months and was completed remotely.
Outcome. Sapporo Real Estate Development were able to gain a secure network environment for each subcontractor regardless of location or scale, detected previously overlooked threats, deepened security and operational understanding with contractors, as well as gaining performance improvements for Microsoft 365 traffic and preventing unsanctioned external storage services being used.
Source: https://www.macnica.co.jp/en/business/security/manufacturers/cato/case_03.html
Best suited for
Cato Networks is best suited to mid-market and enterprise organisations that are looking to consolidate SD-WAN and security all into a single SASE platform (from one vendor). Cato SASE is particularly well-suited for SaaS-heavy traffic, owing to Cato's private global backbone, whilst also being ideal for IT teams that prefer a cloud-native operating model that enables management via a cloud console (rather than individual appliances) across multiple sites.
- Mid-market and enterprise buyers consolidating SD-WAN and security onto a single SASE platform from one vendor.
- Global organisations with SaaS-heavy traffic patterns where internet variability is a recurring operational problem.
- IT teams without dedicated security operations capacity who want managed detection and response embedded in the SASE platform rather than as a separate product to integrate, Cato's MDR service is natively built into the platform, reducing the overhead that a separate MDR solution would introduce to alternative SASE platforms.
- Cato is a good fit when organisations are looking to move towards a single converged SASE platform with predictable performance from a private backbone, delivered cloud-first and without the administrative overhead of managing and integrating separate SD-WAN and security stacks.
Less suited for
Cato is less well-suited to organisations that like to get best-of-breed components from separate leading SSE and SD-WAN vendors to bolt them together (such as pairing Zscaler SSE with an SD-WAN platform), given that Cato offers a unified platform SASE solution. Further to this, Cato is a less natural fit for organisations with very large legacy MPLS estates or those that want full circuit ownership given that Cato does not offer these.
- Less suited to best-of-breed buyers who want to combine leading SSE vendors (such as Zscaler or Netskope) with separate SD-WAN platforms as only Cato's tools can be natively integrated.
- Access circuits are sourced and managed independently of the Cato platform, meaning that buyers still have to manage and coordinate multiple suppliers, which can be a deterrent for those looking for a single contract that covers both the SASE platform and the underlying connectivity.
- Less mature than global carriers for very large multinational deployments with heavy legacy MPLS estates and complex multi-supplier transition programmes.
Frequently asked questions
- Is Cato Networks good for healthcare?
- Yes, Cato is well-suited for healthcare environments as its ZTNA enforces identity-aware access to clinical applications, integrated DLP supports protection of Protected Health Information in SaaS and Cato's unified audit trail (across network and security) simplifies the production of HIPAA compliance evidence.
- How does Cato Networks compare to Zscaler?
- Cato is a full single-vendor SASE platform converging SD-WAN and security, whereas Zscaler is predominantly an SSE leader (that can be paired with separate SD-WAN). As per Gartner's 2025 Magic Quadrant for SASE Platforms, Cato is considered a Leader, meanwhile Zscaler is a Visionary, highlighting Cato's strengths in SASE. We would therefore recommend that you choose Cato if you want one converged platform from one vendor with integrated SD-WAN included, or, alternatively choose Zscaler if you want to combine best-of-breed SSE depth alongside a separate SD-WAN partner.
- Does Cato Networks own its underlay?
- No, Cato operates a global private backbone for their SASE platform itself, however customers must source access circuits separately, which leads to multi-supplier coordination (not ideal for organisations wanting a single contract covering both the SASE platform and the underlying internet or MPLS circuits). We should caveat this by saying that Cato partners with carriers globally for bundled underlay provisioning, though it is not a first-party offering.
- What is the typical Cato Networks deployment timeline?
- Mid-market multi-site deployments typically complete in 4 to 12 weeks. Global enterprise programmes including MPLS migration typically run 3 to 6 months. Single-site deployments can complete in days using zero-touch device provisioning. Whilst these timelines are generalised, they vary with site count, complexity, identity integration and the level of legacy infrastructure needing to be phased out during migration.
- Is Cato Networks suitable for MSPs?
- Yes, Cato's multi-tenant management capability and partner programme support MSP-delivered managed SASE, with partners able to access provisioning APIs, multi-tenant management consoles, certification tiers and white-glove deployment options.
- What identity providers does Cato Networks integrate with?
- Cato offers native integration with Microsoft Entra ID, Okta, Ping Identity, Google Workspace Identity, and on-premises Active Directory via SAML federation or LDAP connector. JumpCloud and Cisco Duo can be layered via the upstream IdP or via standard SAML federation. SCIM user provisioning is supported with major IdPs for automated identity lifecycle management. ZTNA and management console SSO both use the IdP integration.
- Does Cato Networks have UK presence?
- Yes, Cato operates Points of Presence in both London and Manchester, with EMEA-region support hours covering UK business hours. Furthermore, UK customers utilising Cato SASE can confine data residency and traffic processing to UK PoPs (where required by data residency policy).
- How does Cato handle PCI DSS or HIPAA compliance?
- Cato's controls align with PCI DSS and HIPAA technical requirements through network segmentation, encryption in transit and at rest, identity-aware access (ZTNA), DLP for sensitive data, and a unified audit trail across network and security functions. Cato itself holds ISO 27001 and SOC 2 Type II certifications. PCI and HIPAA compliance typically remains the customer's responsibility, with Cato providing the technical controls, audit evidence and SOC2 reports under NDA.
Build your SASE or SD-WAN RFP
Interested in how Cato Networks compares to other SASE and SD-WAN solutions? Use the Netify RFP Builder today to compare Cato Networks against the full SASE and SD-WAN vendor market on a vendor-neutral basis. Each RFP returns scored, structured responses from shortlisted providers and it is free to get started.
Build your SASE or SD-WAN RFPHarry Yelland
Cybersecurity Writer
Harry holds a BSc (Hons) in Computer Science from the University of East Anglia and is ISC2 Certified in Cybersecurity (CC). He serves as a Cybersecurity Writer here at Netify, where he specialises in enterprise networking technologies. With expertise in Software-Defined Wide Area Networks (SD-WAN) and Secure Access Service Edge (SASE) architectures, Harry provides in-depth analysis of leading vendors and network solutions.
Fact checked by: Robert Sturt, Managing Director, Netify