Log In

Cato Networks

Schedule a Zoom demo
Local sales contact
Request consultation

Create your own software shortlist and compare Cato to other options. Answer 10 questions, the Netify online quiz will analyse your answers and instantly shortlist your best fit options across 20+ vendors.

Take the assessment now →


Cato SD WAN & SASE: Review, Pros, Cons and Marketplace Research Data

Analyst: Thomas Stroude tstroude@netify.co.uk

If you have questions about Cato and how their capability is aligned to your needs, email the Netify research team. UK: uk@netify.co.uk North America: northamerica@netify.co

(Please use the UK email for ROW - Rest of the World - questions or enquiries)


  • SD WAN 
  • SASE Security 


  • SD-WAN Managed Services 
  • SASE Managed Services 
  • SD WAN Vendor 
  • SASE Vendor 


  • Private Global Backbone - supported by 60+ points of presence (PoPs) worldwide that are connected to multiple Tier-1 providers. This is monitored in real-time by Cato’s software, selecting the optimum path to reduce latency across the network (See How Does Cato Support Remote Users?)

  • Offer their own SASE security services (See What is the Cato SASE Security Solution?)- no requirement to source from a third party.

  • Although Cato have a private backbone, they are also capable of dealing with regional requirements by creating site-to-site VPNs. This means traffic will not use their private backbone PoP’s, however customers can still leverage Cato’s cloud technology.

  • Cato’s global private backbone and application optimisation features are good for customers who suffer with latency and network inconsistency in global locations. They are able to achieve this with traffic engineering across their global backbone between core PoP sites. 


  • Some customers report Cato SD WAN as not being as granular as some competitors. Cato’s SD WAN offering may not be suited for large complex networks as their simplified features and portal could struggle to fully address complex requirements. 

Netify viewpoint:

Cato’s global private backbone and cloud-native SD WAN features are a good fit for large companies with worldwide connectivity requirements. Their 60+ PoPs worldwide are designed to combat latency and network inconsistency in multiple locations. Most notably are Cato’s PoPs located in China, an area that is typically difficult to reach. 

Cato mainly operate with small-medium sized businesses and have a strong presence in North American and Asia/Pacific markets. Although in a majority of use cases their out of the box SASE and SD WAN solutions are a good fit, for companies that require complex offerings, Cato lacks the essential granular features.  

Cato have expertise in security solutions (SASE) and a competitive edge across threat intelligence. Their security-as-a-service solution performs to a high degree of accuracy when compared to rival offerings. In a study carried out by Cato, they found in a group of 400+ customers over a three month period, only 7 false alarms were raised. This means that in most cases customers will statistically seldom experience a false alarm. With this level of accuracy, Cato’s security services avoid downtime by keeping applications running unless there is a genuine security threat.


  • About Cato SD WAN Solutions
  • What is the Cato SD WAN solution?
    • Configuration-Based Key Features
    • Security-Based Key Features
    • Performance-Based Key Features
  • What is the Cato SASE Security Solution?
  • How does Cato access Cloud vendors?
  • Does Cato offer WAN acceleration and optimisation?
  • How does Cato support remote users?
  • Which connectivity underlay services are supported?
  • Do Cato manage and support SD WAN underlay?
  • What is the Cato managed services solution?
  • What reporting and management is available via the Cato portal?
  • Does Cato offer DIY and Co-managed SD WAN?
  • What is the Cato SLA?

About Cato SD WAN Solutions:

Cato Networks is an SD WAN and SASE security vendor based in Tel Aviv, Israel. Their other deployment regions include North America, the United Kingdom, Canada, Latin America, South Africa, Africa, Europe, the Middle East, Australia and Asia/Pacific Countries, with approximately 400 employees worldwide. Cato caters to both regional and international needs, via a global private backbone for large worldwide firms, whereas regional needs are secured through a single cloud service. 

What is the Cato SD WAN solution?

Cato’s SD WAN offering combines the benefits of WAN Edge, a global backbone and their full network security stack (See What is the Cato SASE Security Solution?). Their SD WAN offering is available as a managed service, with full cloud functionality, connecting all enterprise resources, physical locations, cloud datacenters and mobile workforces into one seamless network - meaning there is no need for a multiple point solution. 

Part of Cato’s SD WAN offering is their Socket SD WAN Device. The device is designed to connect a physical location to the nearest Cato point of presence (PoP) using any number of last mile connections. Clients are able to choose a mix of fiber, cable, xDSL and 4G/LTE connections. 

Cato’s SD WAN offering is cloud native - it combines networking and security into one managed cloud. This means that no proprietary hardware is required to run in the cloud, such as global routing, security and management. They also offer a hybrid solution for enterprises looking to either augment or replace their MPLS, removing the need for branch security appliances and supporting cloud applications and mobile users. 

Configuration-Based Key Features:

  • Optimised Global Connectivity: Cato’s global backbone has built-in WAN and cloud optimisation, allowing them to deliver an SLA-backed high performance network connection worldwide, even for remote users. This can also benefit customers who suffer with high latency and network inconsistency across their locations.
  • Mobile Access Optimisation: Ideal for remote users such as staff working from home. Cato allow customers to use client or client-less browsers to access the closest Cato point of presence (PoP). This allows traffic to be optimally routed over Cato’s global private backbone direct to either on-premises or cloud applications

Security-Based Key Features:

Performance-Based Key Features:

  • Cloud Acceleration: designed to accelerate access to cloud applications such as AWS, Azure and Office 365. This helps to augment and potentially replace MPLS with its high quality Internet and Cato Cloud services.
  • Dynamic Path Selection: This allows available uplinks to be used to load balance and route traffic in real time, through the introduction of redundant packets or error recovery into the traffic flow. This works to avoid network blackouts and brownouts.
  • Link Aggregation: Cato employs link aggregation to increase throughput over multiple network connections rather than a single line. In the event of a failure in one link there is headroom available to ensure an alternate connection.
  • Quality of Service (QoS): Cato offer quality of service user and application aware prioritisation - this controls traffic and improves the performance of critical applications. 

What is the Cato SASE Security Solution?

Cato’s SASE security solution is cloud-native and built direct into their global backbone. Available both regionally and globally, it is accessible even by remote users. This is because user and resource is identity-driven, meaning that each network connection is associated with an identity, reducing operational overhead as users can have a set of networking and security policies regardless of their location. The SASE offering is also cloud-native, leveraging key cloud capabilities such as elasticity, adaptability, self-healing and self-maintenance - lowering costs and improving efficiency. Further, Cato’s security offering is able to support all Edges - meaning that the SASE creates one network for all company resources such as datacenters, branch offices, cloud resources and mobile users. 

Cato offer their full network security pack which is built direct into their global backbone, called ‘Security-as-a-Service’. This avoids the need for backhauling traffic to specific choke points and third party security products, that will require chaining together. All SASE policies are cloud native. Cato’s security-as-a-service, also directly integrated into the Cato Cloud network. This multi-layered system provides uniform security solutions and policies with global reach, provisioning integrated flexibility of the cloud. Cato uses Next Generation Firewall and a Secure Web Gateway to provide granular access management to internet-bound traffic and web access control. 

Cato’s cloud native SASE solution is distributed over the global private backbone to ensure that security and network requirements are addressed by a single, interconnected facility. 

Security as a Service comes with a number of key features: 

  • Firewall as a Service (FWaaS): Application aware ‘firewall-as-a-service’ (FWaaS). Cato is able to deliver firewall and network security capabilities with cloud service. This means that clients have access to network security (URL Filtering, IPS, AM, NG-AM, Analytics, MDR) in any location, and removes the need for appliance form factor firewalls.
  • Secure Web Gateway (SWG): Included in the security pack is Secure Web Gateway (SWG). This focuses on layer 7 web traffic inspection, inbound and outbound, protecting against phishing, malware and many other internet-borne threats. Because it is cloud-based, security is available to remote users outside the office.
  • Managed Threat Detection and Response Services (MDR): Designed to detect and eliminate malware threats, it offloads compromised endpoints to Cato’s security operation centre team. It offers: automated threat hunting, which looks for anomalies across flows in Cato’s data warehouse, correlating them with threat intelligence sources and complex heuristics; expert threat verification, Cato’s security researchers evaluate the validity and risk level in flagged endpoints, removing the risk of false threats; threat containment, verified threats are automatically contained by blocking IP addresses and C&C domains, which disconnects compromised machines and users from the network; and guided remediation, Cato’s  security operation centre offers advice on the risk’s level threat, and give recommendations on how to fix the problem, following up until the threat is completely removed. 

How does Cato access Cloud vendors?

Cato use their global backbone to integrate with major Cloud vendors (such as Amazon AWS, Microsoft Azure and Google Cloud) via IPsec tunnels. Traffic is optimally routed from the Edge direct to cloud providers - this eliminates the need for premium cloud connectivity solutions (such as AWS DirectConnect or Microsoft Azure ExpressRoute) making Cato’s offering simpler and more cost-effective. 

Does Cato offer WAN acceleration and optimisation?

Cato’s WAN offering is optimised via a native cloud software, Cato Cloud. Cato uses packet duplication, correction and last-mile methods to improve the reliability of the network. Cato Cloud, integrated with the global private backbone has a 99.999% uptime SLA and the global PoP network is supported by various Tier-1 ISPs. The network is optimised to improve traffic flow by reducing latency issues. Cato’s offering reduces costs as its functionality does not require the use of Azure ExpressRoute or AWS Direct Connect. Optimisation for mobile negates the need for backhauling as remote users can access the network through the nearest Cato PoP. 

How does Cato support remote users?

Cato is able to provide substantial support to individual remote users by connecting on-site or cloud data centres to the Cato SASE cloud. The global private backbone can be accessed either through the Cato client or client-less browser by remote users whose traffic can be routed to cloud applications on premises through the nearest PoP. Remote access is available to multiple users globally and is guarded by Cato’s security-as-a-service stack to ensure data traffic is protected.

Which connectivity underlay services are supported?

Cato supports underlay services that can be a mix of fibre, cable, xDSL and 4G/LTE.

Do Cato manage and support SD WAN underlay?

Cato do not manage an SD WAN underlay, however they do support a global private backbone. Cato’s private backbone is accessible via over 60 PoPs worldwide, reinforced by an enterprise grade security stack to provide an accessible worldwide connection, even for remote workers. 

What is the Cato managed services solution?

Cato’s managed services offering includes: Hands-free management, Intelligent last-mile management, managed SASE service, managed threat detection and response (MDR).  The advantage of Cato’s SASE platform offering is that due to its strong in house support and partnerships, it is very cost efficient with a notable lack of third party royalties. Cato’s offering is reliable and affordable for a global connectivity solution. 

What reporting and management is available via the Cato portal?

The Cato portal provides users with traffic summaries and application usage data. The system is single glass plane and shows network activity from different resources and top applications in the previous 24 hour period. The Cato portal allows users to view overall network activity and the ability to configure, manage & troubleshoot networks from a single system. 

Does Cato offer DIY and Co-managed SD WAN?

Cato’s SD WAN offering can be DIY, co-managed or fully managed with support from Cato and partners. 

What is the Cato SLA?

Priority (Lvl.1-3)



Status Update


Full Cato Network Service outage, multiple PoP services down.

Up to 2 hours 

Every 2 hours 


Single PoP service down however customer can access alternate PoP. Cato management application service interruption.

Up to 4 hours 

Every 1 business day


Other concerns that do not hinder customer access to significant service features.

Up to 1 business day 

4 business days 


Proposition Focus

Managed services
SASE security

Cloud Focus


Other Focus

Remote users
Complex requirements


Current Vendor
Cato Networks

Add to Compare

Additional Vendors

Add to Compare


Add to Compare


Add to Compare

Cato Networks

Once you have submitted, Netify will use your IP location to put you in touch with your local Cato Networks vendor contact.

Once you have submitted, Cato Networks will be in contact to provide availability. Your data will not be shared outside of Cato Networks and you will not be added to any mailing lists.

Please provide the following details:

Compare Vendors
Remove All