SSE competitive comparison

• All security services are managed through a single fully integrated interface, powered by AI.

• Zscaler has separate dashboards for ZIA, ZPA, ZDX, and ZCC.

• Prisma Access can be managed with Prisma Access Web user interface.
• Prisma Access can also be managed with Strata Cloud Manager.
• Strata Logging Service is a separate dashboard.

• Unified security policy creation, including intent-based rules, and management across internet, public SaaS apps, and private app access.
• Provides extensive logging and the ability to export logs to enterprise SIEM, and more.

• Complex and separated dashboard makes it hard for security admins to navigate, configure unified policies, and to quickly assess the status of security controls.

• Policy enforcement is managed with Prisma Access User interface or Strata Cloud Manager which can be purchased as an add-on.
• Global Protect portal manages mobile user onboarding.
• Global Protect gateways provide security for traffic from global protect apps.

• Generative AI capability that automatically converts conversational phrases in natural languages into security policies.
• Speeds up policy creation and administration by up to 70%.

• No AI to create policies or to provide policy guidance.

• Strata Copilot helps admins identify and understand threats and drive root cause analysis.
• Strata Copilot also recommends policies and automates ticket creation.

A single client with multiple functions reduces the effort in user onboarding and ongoing maintenance. It also simplifies the journey to ZTNA, and includes:  

• Secure internet access.
• Secure private access (ZTNA prioritized with VPNaaS as a fallback for unsupported private apps, such as custom/legacy/workload).
• Device posture.
• Digital experience monitoring (DEM).
• iOS and Android zero trust.

• Zscaler does not have a unified client that includes VPNaaS

• Global Protect client is used for user authentication, to enforce polices, and to monitor end device posture for Prisma Access including ADEM.

• Unified with OAuth 2.0 with short-lived tokens with unified endpoints path grouped by use cases.
• Create multiple unique API keys with meaningful names and configurable lifetimes.

• An organization can only have one single key.
• APIs are available with an add-on license only.

• APIs are available for Prisma Access for integrations.

• Client-based and clientless ZTNA.
• Granular, app-specific access to private applications in data centers or public/private cloud environments.
• Per app segmentation from client to SSE.
• Per identity-aware proxy design. 

• Zscaler offers client-based and clientless ZTNA.
• Dynamic private application discovery.

• Offers client-based and clientless ZTNA.
• Use ZTNA Connector virtual machine for private apps access; Must purchase ZTNA Connector as an add-on license.
• Offers auto discovery of private applications.

• Not all private apps can be covered by ZTNA (customized, legacy, peer-to-peer, and more).
• An automated, transparent fallback to VPNaaS is cloud-based option included.
• VPNaaS simplifies migration to ZTNA.
• No VPN hardware/load balancing/local maintenance and support needed.

• Zscaler offers client-based and clientless ZTNA.

• Mobile users connect to Global Protect gateway where traffic is managed and security is enforced for RA-VPN.
• Mobile users' policy can be configured on Panorama or Strata Cloud Manager.

• Threat intelligence at scale powered by Cisco Talos.
• Expansive telemetry uncovers 800 billion security events per day from SSE, SSX (FW), CSE (endpoint), Meraki, DUO, ESA (email), and integrations.
• 9 million malicious emails blocked per hour.
• 2000 new malware samples seen every minute.
• 2000 malicious domains blocked every second.

• Zscaler ThreatLabz provides threat intel-leveraging AI, based on visibility only from the company's SSE offering.
• Zscaler lacks visibility into endpoints, email, and other integrations, affecting the visibility and control it has on security events.

• Unit42 is PAN's threat intel research organization.
• According to Unit42, PAN analyzes 500 billion events per day.
• PAN lacks visibility into endpoints, email, and other integrations, affecting the visibility and control it has on security events. 

• Log and inspect all web traffic over ports 80/443 for greater transparency, control, and protection.
• IPsec tunnels, PAC files, and proxy chaining are used to forward traffic for full visibility, URL, and application-level controls, and client-based acquisition traffic.

• Zscaler offers URL filtering with a variety of traffic acquisition.

• Prisma Access offers 80/443 inspection, URL and content filtering with a variety of traffic acquisition.

• Detect and report on cloud applications, including generative AI apps, in use. 
• Manage cloud adoption and block use of select cloud applications.
• Multimode capabilities to detect, log, and control user/group activities. 
• Detect third-party cloud applications that have been granted OAuth-based permission to access a user's protected resources on Microsoft 365 and remediate unapproved apps.

• Zscaler CASB is available with an add-on license only.
• It offers the ability to monitor and protect users activity and traffic to cloud applications.

• Prisma Access CASB Security is available as an add-on license only.
• Must also purchase Strata Logging Service as an add-on license.

• Multimode data loss prevention, which includes both real-time and SaaS API-based DLP.
• Analyze data in-line to provide visibility and control over sensitive data.
• API-based DLP functionality for out-of-band analysis of data at rest in the cloud.
• Cisco uses several machine learning LLMs for dynamic document recognition and policy design, in conjunction with all the predefined document templates.
• Cisco DLP is designed for analysis and remediation. No need for different screens and data sources to determine how to remediate.

• To prevent data leaks, Zscaler does offer DLP policies that monitor and detect to stop sensitive data loss.
• SaaS API is offered as an add-on license.

• Enterprise DLP requires any of the following add-on licenses: Prisma Access CASB, next-generation CASB for Prisma Access, NGFW and Data Security license.

• Over 1200 generative-AI platforms detected.
• Assign DLP policies to AI applications.
• Detects and blocks risky content.
• Block uploads of proprietary source code.
• Block download of content produced from generative AI.

• Configuration for internet-based apps requires additional DLP licensing. 

• Enterprise DLP requires the Prisma Access CASB add-on license.
• Also requires the next-generation CASB add-on license for Prisma Access and NGFW license.
• Also requires Data Security add-on license.
• Supports over 600 GenAI applications.

• Included in license.
• Customizable policies (IP, port, protocol, application and IPS policies).
• Layer 3 / 4 firewall to log all activity and block unwanted traffic.
• Layer 7 application visibility and control.

• Zero Trust Firewall is available with an add-on license only.
• Zscaler cloud firewall offers granular control for outbound web apps and some non-web apps.

• Prisma Access offers NGFW capabilties as a virtual machine in the cloud.

• Protects both internet and private traffic.
• Includes an added layer of threat prevention using SNORT 3 technology, signature-based detection, and encryption.
• Cisco Secure Access offers IPS/decryption for private apps.

• Zero Trust Firewall is available with an add-on license only.
• Zscaler cloud firewall offers granular control for outbound for web and some non-web apps.

• Prisma Access offers Advanced Threat protection for internet and private app on all ports and protocols. 
• Requires an Advanced Threat Prevention add-on license.

• Provide air gap between user, device, and browser-based threats.
• Deliver a secure browsing experience and protection from zero-day threats.

• Cyber Isolation Advanced and Unlimited Plus offers granular control and threat detection as an add-on license only.

• Provides web browser-based protection from threats.
• Requires Prisma Access 5.0 Innovation, Prisma License from Mobile and Network License and RBI add-on license.
• Delivered through CloudBlades for Prisma Access.

• 99.999% uptime since 2009.
• Recursive DNS security services since 2012.
• Protection against DNS Tunneling with a detection rate of 99% and powered by AI.
• Cache poisoning attacks, without having to perform validation locally.
• Supports both IPv4 and IPV6 addresses.
• Newly Seen Domain category to protect against day/emerging threats.

• Zscaler recently updated its DNS security service to detect and prevent DNS-based attacks with some limitations on workload traffic.

• Prisma Access does not provide recursive DNS resolution in the cloud.
• Prisma Access DNS capability resolves internal and external domains using the Advanced DNS Security license and the Advanced Threat Prevention license included in the Prisma Access basic package.

• TLS version 1.3 is natively supported.

• Zscaler supports TLS 1.3 natively.

• Prisma Access supports TLS 1.3 natively.

• Modern network protocols like MASQUE and QUIC for enhanced performance and stability, especially in lossy networks, and when moving between networks. 
• Improved security and compatability of private apps.

• Does not utilize QUIC and/or MASQUE in Zscaler architecture.

• Does not utilize QUIC and/or MASQUE in Prisma architecture.

• Cloud-native security services are run in parallel, not sequentially, ensuring that connections are processed quickly without compromising on performance or security.
• Built on top of vector packet processing (VPP), this modern, high-speed pipeline in software ensures efficiency and high performance, even with sophisticated software-as-a-service (SaaS) apps such as Microsoft 365.

• Zscaler requires application bypass for some SaaS applications such as Microsoft 365.
• Zscaler has Single-Scan, Multi-Action (SSMA).
• Zscaler leverages Microsoft API for endpoints to optimize traffic for O365 apps.

• PAN leverages its firewall hardware in the cloud and offers a Single Pass Architecture that enables high throughput and low latency. 
• Prisma Access leverages Microsoft API for endpoints to optimize traffic for O365 apps.

• Socket-based intercept combined with our unified policy management ensures endpoint traffic is optimally sent to ZTNA or VPNaaS without user intervention.
• Single client for internet-bound and private traffic, with support for private apps (ZTNA/VPNaaS) and without impact to user experience.

• User intervention is required to select Zscaler or third-party VPN for application access.
• Independent policy configuration and two solutions separately managed by operators. 
• Two separate endpoint clients on the end-user devices also requires additional maintenance.

• Independent dashboard configuration and policy enforcement at the Global Protect portal or gateway.

• Cisco offers native integration of Cisco Secure Access with Cisco SD-WAN for a unified Cisco SASE solution from a single vendor.

• Zscaler offers Zero Trust SD-WAN through edge appliances with a focus on connecting branches to Zero Trust Exchange primarily. It does not cover advanced SD-WAN use-cases such as Predictive path performance.

• Provides a SASE solution with Prisma SD-WAN, which was formerly Cloudgenix. 
• Prisma SD-WAN offers limited route-filtering capabilities and without full-mesh implementations.

• Cisco Secure Access can integrate with third-party SD-WAN solutions.
• Cisco SD-WAN (Catalyst or Meraki) can integrate with third-party SSE solutions.

• Zscaler ZIA and ZPA can integrate with third-party SD-WAN solutions.
• Zscaler offers SD-WAN through its Zero Trust appliances for branch connectivity.

• Prisma Access can integrate with other third-party SD-WAN solutions with a Prisma Access SD-WAN license.

• Cisco Secure Access offers the ability to configure logging to Cisco- or customer-owned AWS S3 bucket at no additional cost.

• Zscaler Nanolog servers capture logs and also streams logs to SIEM systems as an add-on license.

• Strata Logging service is required and is available as an add-on license.