Secure Access Service Edge (SASE) is now the default replacement for legacy VPN + perimeter firewall + URL filtering. The UK shortlist is Zscaler, Palo Alto Prisma Access, Netskope, Cato Networks — and as of 2025, Microsoft Entra Internet Access is a credible fifth option for Microsoft-shop customers. This is the honest UK partner read on which fits whom.
The short answer
Zscaler is the safe default — biggest global presence (160+ data centres including multiple UK), most-deployed UK estate, broadest ZTNA capability via Zscaler Private Access (ZPA).
Palo Alto Prisma Access is the right call if you already run a Palo Alto NGFW estate. Same Strata Cloud Manager console, same security policy language, same vendor relationship.
Netskope is the right call when CASB + DLP is the primary driver. Netskope's data security posture management (DSPM) is the best in the category.
Cato Networks is the right call for multi-site organisations where SD-WAN convergence matters as much as security. Cato is built as a single converged SASE + SD-WAN platform from the ground up.
Microsoft Entra Internet Access is the right call for pure Microsoft shops where simplicity + tenant consolidation matter more than category-leading features.
Where Zscaler wins
UK data centre coverage. Zscaler has multiple UK PoPs (London Docklands, Manchester, plus aggregation through dedicated peering). For a UK-only customer base, sub-30ms latency from any UK office is achievable.
ZTNA scale. ZPA replaces VPN at any scale. For an organisation with 5,000+ concurrent users, ZPA performs where most ZTNA competitors degrade.
Skills market. Zscaler-certified engineers in the UK are now common; most large MSSPs have a Zscaler practice.
Where Palo Alto Prisma Access wins
Strata Cloud Manager consolidation. If your NGFW is already Palo Alto, the same console manages your SASE policy. This is operationally enormous for security teams.
App-ID + URL Filtering quality. Inherited from PAN-OS, this is the deepest application visibility in the SASE category.
Cortex XDR integration. End-to-end visibility from endpoint → network → cloud is tighter than any competitor.
Where Netskope wins
Data security. Netskope DLP + DSPM is genuinely best-in-class. If you're trying to control SaaS data exfiltration (a real concern for FS, healthcare, legal), Netskope leads.
CASB depth. Inline + API-based CASB coverage of 60,000+ SaaS apps is unmatched.
Per-app inspection granularity. You can apply different policies to different actions within the same SaaS app (e.g. allow Salesforce read but block bulk export).
Where Cato Networks wins
Converged SASE + SD-WAN. Cato's "Cato Cloud" is the only offering built as a single converged platform from the start. For multi-site UK retail, manufacturing and hospitality operators, Cato's deployment simplicity is the genuine differentiator.
Pricing simplicity. Cato bundles SD-WAN + ZTNA + SWG + FWaaS + CASB into one per-site / per-user line. No subscription Tetris.
Mid-market sweet spot. Cato is well-positioned for 100-2,000 user UK organisations where ops capacity is constrained.
Where Microsoft Entra Internet Access wins
Microsoft tenant consolidation. If your identity is Entra ID, your endpoint security is Defender for Endpoint, your email is Exchange Online, and your security team lives in Defender XDR, then Entra Internet Access + Entra Private Access (the ZTNA twin) keep everything in one tenant + one bill.
Pricing inclusion. Entra Suite licensing bundles these alongside Entra ID Premium P2 + Entra ID Governance. For customers already on Microsoft 365 E5 + Entra Suite, marginal cost is low.
Honest trade-off: feature depth lags Zscaler / Palo Alto by 18-24 months. Acceptable if Microsoft consolidation is the priority.
What Servnet does
Servnet is a UK partner of Zscaler, Palo Alto Prisma Access, and Cato. We have Netskope-experienced engineers, and Microsoft Entra Internet Access is part of our Microsoft 365 Modern Workplace practice.
A typical SASE selection engagement: 1) scoping (current VPN posture + identity + ops capacity), 2) sized recommendation + commercials, 3) PoV for 2 weeks at 5-20 pilot users, 4) phased rollout (typically 6-12 weeks for a 1,000-user organisation), 5) legacy VPN decommission.