
Comparing Top SASE Players: ZS, NET, and PANW


3 years ago


By 2025, 65% of enterprises will have implemented a SASE component (up from 15% in 2021). I want to highlight the differences between the top players competing in SASE - primarily $ZS, $NET and $PANW based on my research with experts:
First, it's important to understand SASE and its many terminologies. I highly recommend revisiting my original thread here: twitter.com/InvestiAnalyst/status/1638015984140451840?s=20
IMO, there are two ways to evaluate SASE vendors from an investor perspective: 1. Product: The underlying technology infrastructure and delivery. 2. Distribution: credibility, implementation and channel partners on the GTM. Let's examine these:
1/ Product: This comes down to the underlying infra to deliver SASE on the cloud. There are a couple of ways to do so: a. Build your infrastructure (PoP - data center for the internet) b. Partner w/ a Telco Internet service provider (ISP) or the hyperscalers c. Mix of #1 and #2
A PoP (point of presence) is a data center where network providers have infrastructure set up to provide connectivity to their networks. Internet service providers (ISPs), CDNs like $NET, or Telcos use PoPs to provide faster internet for customers in a wide range of places.
Building your infra (i.e. PoPs around the world) gives you greater control over your internet traffic. It's expensive to build, but you achieve scale economics over time (like $NET G-margins). This is where most of Cloudflare's competitive strength lies. They exist in 275+ cities.
$NET started as a CDN platform for making websites faster. In their earlier days, they built out global PoP servers based on edge networks, i.e. a user in New Zealand can stream a US website (by utilizing a local PoP data center in NZ), which makes the website experience faster.
The benefit for $NET w/ these PoPs is that they can be used for managing a company's network traffic & security over a central system. Hence $NET has a vertically integrated central system for managing internet traffic. They can roll out products quickly, as shown in their blogs.
2/ The second way of delivering SASE is partnerships. This is relevant if you don't own your PoPs or don't have enough global presence. You either partner w/ a Telco ISP provider and an SD-WAN internet co like Cisco, or partner with the major global cloud providers.
$ZS combines #1 & #2. $ZS has 150+ global PoP data centers but partners w/ the cloud providers + ISPs to get wide global coverage. $PANW partners with the cloud providers to deliver SASE. If you recall, $NET doesn't partner, but they've BUILT their infra. This is a key leg-up.
$ZS also utilizes a proxy architecture leveraging some of its own PoPs and ISP partnerships. Proxy essentially means that $ZS serves as an internet backbone/intermediary between its customers and the internet. As a backbone, it conducts cybersecurity services right on the network.
SWG is a core feature of SASE. Another advantage to $ZS is that they have built a core competency in SWG (a way to protect + filter cloud website traffic) since they started here. Started as a startup in 2010, but in 10-yrs, outpaced the competition w/ a moat. WILD!
$PANW's approach to SASE: Partner w/ cloud providers (mostly GCP) & utilize their global presence to deliver SASE. As a prev firewall adv, they also have the inherent advantage of having a strong understanding of *virtual* firewalls and SD-WAN for protecting traffic for SASE.
However, tech is not all to SASE. There is distribution and credibility needed that you can execute. Implementing SASE is difficult and, in many cases, takes years to deliver bcos you're giving up your entire company's network traffic and internet security to one SASE provider!
Let's talk distribution. Since SASE requires a complete architecture change in an org, it's a CEO or C-level decision which requires a Top-down sales GTM. $ZS has built the sales org to navigate this GTM, compared to, say, a D2C product where adoption takes place overnight.
Also, due to the difficulty of implementation, companies can't fully do it themselves. They rely on partners. Today, 93% of $ZS sales is channel driven, i.e. system integrators & resellers. $NET is roughly 14%. $ZS has the largest mindshare/expertise in the channel, hard to replicate.
Another major $ZS moat - Zscaler achieved FedRAMP's Highest Authorization. They're the ONLY cloud sec provider to reach this level, even with the DoD. $NET only got the basic FedRAMP last qtr. Since this is a C-Suite product, credibility and trust are huge - edging out to $ZS.
Today's market environment is primarily driven by slower sales cycles, deal scrutiny and vendor consolidation. When you combine all these with the fact that SASE is a large ACV product that requires a great deal of credibility, it's gonna be hard for $NET and emerging upstarts...
$PANW @nikesharora and the team aren't resting on their laurels either. As of last Q, SASE was one of their strongest businesses, and $PANW just booked over $1B in business (within 6 months), proving their architecture and ability to navigate these top-down GTM is working.
To summarize the tech aspect: $NET's advantages lie in owning one central network including edge compute + PoP. $ZS has a mix of their PoP + partnerships. They also have an SWG moat + Gartner's highest ranking. $PANW utilizes the hyperscalers and has strengths in NGFW+SD-WAN.
The key Q is if $NET's product advantages can quickly emerge? But $ZS has strong tech - Owns distribution + the channel networks w/ the credibility of the highest FedRAMP, especially with $ZS NPS score of 70+, there is no evidence to suggest cos want to switch... Time will tell.
This thread is honestly just scratching the surface and there is still so much more to cover comparing both cos. I'll write about it and expand more on the differences between the key players and the technology in the newsletter. Hope the thread helped: investianalystnewsletter.substack.com/
Francis

@InvestiAnalyst

Founder, Software Analyst Cyber Research | Tweets on Cybersecurity & AI/ML | Catholic. Distance Runner. | Ex Cyber Research | Ex AI PM.