# How to Implement SASE: A Technical, No-Fluff Guide

SASE implementation is a five-phase process that involves baseline assessment, architecture design, policy modeling, phased deployment, and continuous optimization. Each phase builds on identity, application needs, and network readiness.
Success depends on enforcing access policies consistently while migrating from legacy infrastructure to a unified, cloud-delivered framework.

## What it actually takes to implement SASE

![Architecture diagram titled 'SASE architecture' showing how secure access service edge combines networking and security. On the left, icons represent traffic sources labeled 'Mobile/Computer', 'Branch/Retail', and 'Home'. In the center, two columns are labeled 'SSE the secure service edge' and 'A the network access'. Under SSE are four icons labeled 'FWaaS firewall as a service', 'SWG secure web gateway', 'CASB cloud access security broker', and 'ZTNA zero trust network access'. Under network access are two icons labeled 'SD-WAN unified connectivity' and 'Internet global networks'. On the right, icons represent traffic destinations labeled 'HQ/Data center', 'SaaS applications', and 'Public cloud'. At the bottom, the left caption reads 'Your users traffic sources' and the right caption reads 'Your data traffic destinations'.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/sase-implementation/SASE-architecture.png)

A lot of [SASE](https://www.paloaltonetworks.com/cyberpedia/what-is-sase) implementation advice sounds familiar: define your goals, assess your environment, pick a vendor, start small. Those steps aren't wrong. But they don't explain why so many rollouts still go sideways even when those steps are followed.

Here's the thing. The real challenges aren't about planning. They're about execution. Identity alignment. Policy enforcement. Change control. Observability. And the mismatch between how platforms are designed and how real environments actually work.

That's why this guide goes deeper than a planning checklist. It breaks down what it actually takes to implement SASE: how to sequence the rollout, choose an architecture model, structure policies, and integrate the tools that make it operational.

Because SASE isn't a one-time rollout. It's a long-term shift. It means knowing what to deploy first. Where legacy coexistence is required. And how to design for ongoing change.

The sections that follow walk through it step by step.

## How to successfully execute a SASE implementation

![A vertical, left-aligned process diagram lists five phases stacked top to bottom, each with a colored square icon and a row of rectangular task boxes extending to the right. Phase 1, Baseline assessment and requirements gathering, includes boxes for mapping users, applications, and SaaS regions, inventorying the WAN and security stack, identifying early wins, and documenting identity structure. Phase 2, Architecture design and decision making, includes selecting a vendor model, defining control and data plane operation, evaluating PoP placement, planning traffic steering, and designing the identity model. Phase 3, Proof of concept and policy modeling, includes defining PoC scope, testing real SASE workflows, and shaping the policy abstraction layer, with a note emphasizing identity as central. Phase 4, Deployment and migration, includes selecting a rollout strategy, defining a coexistence plan, planning the cutover, and incorporating lessons from the PoC. Phase 5, Monitoring, optimization, and governance, includes establishing tooling, defining what to monitor, building the governance model, and tuning the environment over time.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/sase-implementation/How-to-implement-SASE.png)

Implementing SASE is not a single action. It's a staged transformation. Which means you need a structure that helps you move from initial discovery to full operational maturity without breaking the environment along the way.

The five phases below follow how real SASE programs unfold. Let's walk through each phase one step at a time.

### Phase 1: Baseline assessment and requirements gathering

The first phase is about understanding how your environment works today.

* **Start by mapping your users, applications, and SaaS regions.** Identify who needs access to what. Observe where traffic enters and leaves the network. Chart how cloud services are used across business units.
* **Next, inventory the WAN and security stack.** That includes [MPLS](https://www.paloaltonetworks.com/cyberpedia/mpls-what-is-multiprotocol-label-switching), [VPN concentrators](https://www.paloaltonetworks.com/cyberpedia/what-is-a-vpn-concentrator), existing [SD‑WAN](https://www.paloaltonetworks.com/cyberpedia/what-is-sd-wan), [firewalls](https://www.paloaltonetworks.com/cyberpedia/what-is-a-firewall), and any [cloud security](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-security) layers already in place. This helps you understand what SASE will replace, what it will augment, and what must run in parallel for a period of time.
* **Then look for early wins.** These are areas where SASE delivers immediate value without high risk. For example, high-latency [VPN](https://www.paloaltonetworks.com/cyberpedia/what-is-a-vpn) paths. Overloaded branch links. SaaS traffic bottlenecks caused by backhauling.
* **Finally, document your identity structure.** That means your IdP, group structure, device trust signals, [MFA](https://www.paloaltonetworks.com/cyberpedia/what-is-mfa-implementation) posture, and RBAC gaps. SASE depends heavily on identity, so you need a clean foundation before anything else begins.

**Tools & telemetry:**

* Export app usage and identity logs from your IdP, VPN, and [proxy](https://www.paloaltonetworks.com/cyberpedia/what-is-a-proxy-server).
* Capture MPLS utilization, [VPN tunnel](https://www.paloaltonetworks.com/cyberpedia/what-is-a-vpn-tunnel) volumes, and ingress and egress points.
* Use NPM tools such as NetFlow or SD-WAN analytics to trace where latency hits users.

***Tip:*** *Don't skip app or user mapping. Blind spots here lead to major PoP placement issues and long-term performance problems. You can't optimize what you haven't inventoried.*

### Phase 2: Architecture design and decision-making

This phase defines how your SASE platform will be built. It's where you decide what you want SASE to look like in your environment.

* **First, select your vendor model.** Single-vendor SASE is simpler. Dual-vendor SASE offers flexibility. Managed SASE can reduce operational load. DIY modular architectures give maximum control but require more internal skill. None are universally better. They each succeed in different conditions. *(More on this in a later section.)*
* **Next, determine how your control plane and data plane will work.** That includes whether policy decisions live centrally or are distributed. It determines how enforcement points talk to each other. It affects troubleshooting and visibility.
* **Then evaluate PoP placement.** User geography, app hosting regions, and cloud service footprints all influence latency paths. The platform needs to be geographically aligned with how your traffic actually flows.
* **Plan traffic steering.** Decide where dedicated internet access (DIA) makes sense. Decide where backhaul is still needed. Tune BGP and [DNS](https://www.paloaltonetworks.com/cyberpedia/what-is-dns) strategy for SASE-routed traffic.
* **Finally, design your identity model.** That includes SAML or OIDC. It includes device trust requirements. It includes MFA. It includes conditional access. These choices shape how [ZTNA](https://www.paloaltonetworks.com/cyberpedia/what-is-zero-trust-network-access-ztna) and [SWG](https://www.paloaltonetworks.com/cyberpedia/what-is-secure-web-gateway) enforcement will work.

**Tools & telemetry:**

* Determine what telemetry the architecture provides. For example, whether you receive per-session ZTNA logs.
* Design log flows for SWG, [CASB](https://www.paloaltonetworks.com/cyberpedia/what-is-a-casb-cloud-access-security-broker), ZTNA, SD-WAN, and identity sources.
* Align timestamp formats for [SIEM](https://www.paloaltonetworks.com/cyberpedia/what-is-siem) correlation.
* Ensure PoP availability metrics and routing telemetry are accessible via API or dashboard.

***Tip:*** *Don't assume 'vendor-managed' means hands off. Most default templates won't reflect your identity model, security posture, or traffic needs. You still have to define and maintain the policy model yourself.*

### Phase 3: Proof of concept and policy modeling

Phase 3 is where implementation moves from theory to reality.

* **Begin with defining the scope of your PoC.** Choose the use cases, users, applications, and metrics that will validate whether the platform works as expected. Build a PoC playbook. Define duration. Define success criteria. Define a rollback plan.
* **Next, test real SASE workflows.** For example, remote ZTNA access. Branch internet breakout. Or third-party access. Each of these validates policy enforcement, routing paths, and user experience.
* **In parallel, begin shaping your policy abstraction layer.** This is when you define what "an application" means in your environment. Determine which user groups interact with which classes of apps. Establish policy ownership. And decide how rules move from design → approval → enforcement.
* **Identity is front and center here.** Group structure. Device trust. Application naming. User attributes. These all influence how ZTNA, SWG, and CASB operate across every edge.

**Tools & telemetry:**

* Instrument everything: session logs, auth logs, blocked flows, and latency.
* Run packet captures when performance issues arise.
* Set up dashboards to visualize PoC KPIs such as connectivity, policy hits, block rates, and success or failure patterns.

***Tip:*** *Watch for identity misalignment. Inconsistent groups, device signals, or app definitions often cause access failures---or worse, over-permissioned users.*

### Phase 4: Deployment and migration

Now you begin full deployment. This phase determines how your live environment begins shifting from legacy access models to SASE-driven ones.

* **Select your rollout strategy.** Some teams prefer a phased approach. Others choose region-first. Others choose function-first. The right approach depends on the structure of your workforce, your WAN, your regulatory requirements, and the tolerance for coexistence.
* **Define a coexistence plan.** You might need dual access paths for a period of time. For example, VPN and ZTNA running together. MPLS and DIA operating in parallel. This protects you from premature cutovers.
* **Plan for the cutover itself.** Routing. DNS changes. App readiness. Edge device upgrades. Client deployment. These steps need to be staged and reversible.
* **Finally, incorporate lessons from the PoC before any large-scale migration.** The PoC gives you patterns. It gives you performance insights. It gives you operational warning signs. Use these to refine your playbook.

**Tools & telemetry:**

* Monitor cutover success with real-time traffic flow visualizations.
* Track ZTNA sessions compared to legacy VPN usage during coexistence.
* Validate DNS resolution paths, TLS handshake errors, and failed app connections.
* Alert on any fallback to unmanaged or unknown paths.

***Tip:*** *Don't launch without a rollback plan. Many cutovers fail because routing or DNS behaves differently under production load.*

### Phase 5: Monitoring, optimization, and governance

The final phase is about running SASE as a permanent operational framework. Now you shift from deployment to continuous improvement.

* **First up, establish the right tooling.** SIEM. [UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba). NPM. Identity telemetry. Audit logging. These systems help you monitor performance, detect anomalies, and track how policies evolve over time.
* **Then define what you monitor.** Latency. Drop rate. PoP reachability. Traffic steering decisions. MPLS vs. DIA cost impacts. ZTNA vs. VPN fallback. Each metric tells you something about adoption and coverage.
* **Next, build your governance model.** Assign ownership for policy changes. Structure approval workflows. Define SLAs. Define review gates. Align network and security teams around access engineering.
* **Last, tune the environment over time.** Applications change. User behavior changes. Network paths change. SASE gives you the tools to adjust policies and routing faster than legacy architectures ever allowed.

**Tools & telemetry:**

* A full log ingestion pipeline spanning SWG, CASB, ZTNA, [FWaaS](https://www.paloaltonetworks.com/cyberpedia/what-is-firewall-as-a-service), SD-WAN, and identity.
* SIEM or SOAR integration for anomaly detection and incident response.
* SLA dashboards for latency, error rates, and PoP health.
* Audit logs for policy drift or unauthorized changes.
* UEBA monitoring for unexpected user behavior.

***Tip:*** *Prioritize log correlation across ZTNA, SWG, and SD-WAN. It's the only way to avoid blind spots in troubleshooting and prevent policy drift from going unnoticed.*

## How to choose the right SASE architecture for your organization

![Four vertical panels are arranged side by side and titled Single-vendor, Double-vendor, Managed SASE, and DIY modular. The Single-vendor panel shows a dashed enclosure containing a storefront icon above a blue SASE circle and an orange SSE circle. The Double-vendor panel shows a blue SASE circle connected to two separate storefront icons and a separate orange SSE circle positioned below. The Managed SASE panel shows a dashed enclosure around both the blue SASE and orange SSE circles beneath a storefront icon. The DIY modular panel shows multiple standalone circular icons labeled DLP, SD-WAN, RBI, SWG, CASB, ZTNA, and FWaaS arranged around a central user icon with dotted connecting lines.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/sase-implementation/sase-arc-deployment-models.png)

Not every organization starts from the same place. And not every SASE architecture works the same way.

That's why you'll need to match your deployment model to how your teams operate, how your vendors integrate, and how much complexity you're prepared to manage.

There's no one right answer. But there are clear patterns.

### Option 1 --- Single-vendor full stack

Best if you want one policy engine, one UI, and full-stack coverage with minimal integration effort.

In this model, the SASE platform comes from a single vendor and includes SD-WAN, SWG, CASB, ZTNA, and FWaaS. Everything runs through a unified management plane. It's easier to deploy. Easier to support. And easier to monitor.

***Tip:*** *A single-vendor platform means full dependency on one roadmap. So pick a vendor with strong alignment to your long-term goal. Note that customization can be limited if the platform prioritizes simplicity over control.*

### Option 2 --- Best-of-breed dual-vendor

Best if you want to pair a preferred SD-WAN solution with an [SSE](https://www.paloaltonetworks.com/cyberpedia/what-is-security-service-edge-sse) vendor and are comfortable managing two control planes.

This model gives you more flexibility. Especially if you already have an SD-WAN provider in place or want to preserve a security partner relationship.

But you'll need to plan for integration. That includes syncing identity, aligning policies, and resolving differences between logging formats and enforcement behavior.

This model works best when your internal teams already have some experience managing multi-vendor infrastructure.

### Option 3 --- MSP-managed portfolio

Best if you want a simplified experience, outsourced complexity, and unified support. Especially in teams without deep in-house expertise.

In this model, a service provider manages your SASE stack across multiple vendors. You get one support line. One consolidated policy surface. And someone else handles integration.

It's attractive for organizations with limited internal resources or fragmented IT coverage across geographies.
***Note:*** *You lose visibility and direct control. If troubleshooting is a priority---or if regulatory requirements limit third-party management---this may not be the right model.*

### Option 4 --- DIY modular

Best if you need full customization, control, and vendor flexibility but have the resources to build and operate it yourself.

This model gives you maximum architectural control. You choose each component: SD-WAN, SSE, observability, policy enforcement---and integrate them directly.

That also means full responsibility for orchestration. Policy drift becomes your problem. So does log correlation. And enforcement consistency.

It's rare. But it works for large, mature teams with complex environments or regulatory constraints.

***Key takeaway:*** *There's no wrong starting point. Many organizations evolve from one model to another over time. What matters most is choosing an architecture that fits your operational maturity today. And gives you space to adapt later.*

***Further reading:** [A Complete Guide to SASE Architecture](https://www.paloaltonetworks.com/cyberpedia/sase-architecture)*

## What does the SASE rollout timeline actually look like?

![A horizontal three-step timeline is divided into vertical columns labeled Step 1, Step 2, and Step 3, each with a numbered colored circle at the top and a year-range badge beneath. Step 1, ZTNA and remote access coverage, shows a year range of typically year 1 and key points including replacing VPN for remote users, identity-based access becoming the default, and pilot DIA rollout at branches. Step 2, DIA expansion and firewall decommissioning, shows typically years 2–3 with key points for local internet breakout, winding down MPLS contracts, extending ZTNA to internal apps, and beginning to phase out on-prem firewalls. Step 3, CASB, SSPM, and cloud-native enforcement, shows typically years 3–5 with key points for mature data protection and SaaS governance, unified endpoint agents across controls, and consistent cloud-native inspection. A footer note states that sequencing is consistent even if timelines vary.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/sase-implementation/SASE-rollout-timeline.png)

SASE isn't deployed all at once. It's a staged journey that usually unfolds over several years.

Each phase builds on the one before it, based on infrastructure readiness, team maturity, and priority use cases. In other words: you move through capability layers, not fixed dates.

Here's what it looks like.

* **Stage 1: ZTNA and remote access coverage** (typically year 1)

  The first step is replacing VPN for remote users. Identity-driven access becomes the default. Some pilot branches may begin testing direct internet access to reduce backhaul and observe performance gains.
* **Stage 2: DIA expansion and firewall decommissioning** (typically years 2--3)

  Internet-bound traffic starts breaking out locally. MPLS contracts begin to wind down. ZTNA is extended to internal applications. Some on-premises firewalls are removed as traffic shifts to cloud-delivered inspection.
* **Stage 3: CASB, [SSPM](https://www.paloaltonetworks.com/cyberpedia/what-is-saas-security-posture-management), and cloud-native enforcement** (typically years 3--5)

  Data protection becomes a focus. SaaS usage is governed more granularly. Endpoint agents begin to unify across access and security controls. Traffic inspection becomes consistent across users, branches, and cloud environments.

Timelines vary by organization. But the sequence stays the same. Identity first. Network transformation second. Data protection and cloud-native enforcement last.

## What defines a successful SASE rollout?

![A left-to-right stepped visual path with dotted connectors shows three circular stages labeled Early success, Mature success, and Executive view of success, each marked by colored icons. The Early success section on the left includes a user icon and bullet points listing 80–95% VPN traffic reduction, expanding ZTNA and SWG policy coverage, and logged policy hits with enforcement accuracy. The middle Mature success section includes a code-style icon and bullet points for full traffic inspection including unmanaged users, fully consolidated SSE enforcement, and integrated logging with fewer bypass paths. The rightmost Executive view of success section uses an orange briefcase icon and lists improved end-user access performance, tool and vendor consolidation, and audit-ready reporting with governance clarity.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/sase-implementation/What-success-looks-like-at-each-stage-of-SASE-rollout.png)

Going live with a SASE platform doesn't mean the job is done. Success depends on what changes after deployment and whether those changes are measurable. That includes early coverage targets, operational maturity, and stakeholder alignment.

**Practitioner teams often define early success by the percentage of VPN traffic they've retired.**

* A common target is 80--95% reduction in the first few years.
* Success also shows up in enforcement: how much traffic is covered by ZTNA or SWG, how reliably policy hits are logged, and whether coverage has expanded beyond remote users to internal apps and branch sites.

**As the deployment matures, the signals change.**

* You should see full traffic inspection including unmanaged or mobile users.
* Policy enforcement should consolidate across SSE functions.
* Logging pipelines should be integrated.
* And bypass paths should shrink or disappear entirely.

**Executives will ask different questions.**

* Are users getting faster, more reliable access?
* Are security and networking teams relying on fewer tools?
* Is the environment more predictable and easier to report on for audit or governance?

The most successful SASE rollouts are the ones that deliver outcomes everyone can measure and agree on.

## What does a real SASE policy model look like in practice?

SASE isn't just about routing traffic through cloud PoPs. It's about enforcing access based on identity, risk, and context at every edge.

**That means your policy model needs to reflect who the user is, what they're accessing, how sensitive the traffic is, and where enforcement actually happens.**

Most organizations define policy tiers based on combinations of users, apps, and data categories. Enforcement then happens through ZTNA, SWG, CASB, and FWaaS---depending on the use case.

Here's what a real-world structure might look like:

**Example SASE policy model**

| Identity group | App type | Traffic category | Policy tier | Sample rules | Enforcement point | Policy owner |
|----------------|----------|------------------|-------------|--------------|-------------------|--------------|
| Employees | Public SaaS (e.g. O365) | Low-risk browsing | Standard user | Allow outbound access, inspect with SWG, block file uploads | PoP | Security team |
| Contractors | Internal dev tools | Sensitive data | Restricted access | Require ZTNA + MFA, allow read-only access, log all sessions | Client + PoP | App owner |
| Admins | HR systems | High-sensitivity uploads | Privileged + approval | Just-in-time access, log full session, enable DLP inspection | Client + on-prem | Security + HR jointly |
| Third parties | Finance systems | Regulated content | Limited & monitored | ZTNA with IP restrictions, no uploads, DLP alerting and auto-logoff | PoP + CASB | Risk + compliance teams |
| BYOD users | General internet access | Untrusted destinations | Guest access | SWG only, no uploads or downloads, no internal app access | PoP only | Security + IT jointly |

**In mature environments, these policies aren't hardcoded into individual apps or locations.** They're abstracted and centrally enforced, usually through a combination of ZTNA and SWG policies mapped to identity groups and traffic classification.

**But enforcement still needs cross-team agreement. Policy ownership typically spans app owners, security leads, and compliance stakeholders depending on the risk involved.**

This is where SASE becomes more than a network upgrade. It becomes a control framework. One that replaces fragmented [access control](https://www.paloaltonetworks.com/cyberpedia/access-control) lists (ACLs) and manual VPN provisioning with real-time, identity-based enforcement that works everywhere users connect.

## Does SASE actually replace everything you already have?

Not always. And assuming it does can derail your rollout before it even starts.

SASE typically replaces legacy access infrastructure: VPN concentrators, MPLS backhaul, branch firewalls, and standalone secure web gateways. That's where the biggest operational and performance gains tend to come from.

But it doesn't replace everything. You'll likely keep [next-gen firewalls](https://www.paloaltonetworks.com/cyberpedia/what-is-a-next-generation-firewall-ngfw) at [data centers](https://www.paloaltonetworks.com/cyberpedia/what-is-a-data-center). OT environments still need dedicated industrial firewalls. Deep [data loss prevention (DLP)](https://www.paloaltonetworks.com/cyberpedia/what-is-data-loss-prevention-dlp) tools may remain for [sensitive data](https://www.paloaltonetworks.com/cyberpedia/sensitive-data) workflows. SIEMs continue to serve as your long-term analytics and compliance backbone.

And some systems are phased out. Others run in parallel for months or years. For example, you might deploy ZTNA for remote workers while keeping VPN for internal developers until full app segmentation is complete.

The key is knowing what SASE can displace cleanly. And where coexistence still makes sense.

## SASE implementation FAQs

### How do you set up SASE?

You deploy SASE in phases: assess your environment, select an architecture model, integrate identity, run a scoped PoC, migrate users and branches gradually, and centralize monitoring and policy enforcement. Rollouts typically begin with ZTNA, followed by network transformation and full SSE integration.

### What are the 4 SASE architectural requirements?
Core cloud-delivered capabilities include ZTNA for application access, SWG for internet filtering, CASB for SaaS governance, and FWaaS for cloud-based L7 inspection. These must be unified through a single policy framework and globally distributed enforcement. ### Does SASE replace firewalls and VPNs? SASE typically replaces VPN concentrators, MPLS backhaul, branch firewalls, and legacy SWGs. It doesn't replace data center NGFWs, OT firewalls, deep DLP, or SIEM. Many environments run SASE and legacy controls in parallel during transition. ### How long does a SASE rollout take? SASE maturity typically unfolds over 3 to 5 years. Organizations often start with ZTNA, then expand to DIA and firewall consolidation, followed by full data protection and cloud-native inspection. Timelines vary based on environment complexity and organizational readiness. Related content [Report: 2025 Gartner® Magic Quadrant™ for SASE Platforms. See which SASE platforms lead the market.](https://start.paloaltonetworks.com/gartner-sase-mq-2025) [Guide: Driving the future of work through enterprise-wide SASE Learn how your organization can benefit from SASE and what it takes to get there.](https://start.paloaltonetworks.com/cio-driving-the-future-of-work-with-enterprise.html) [eBook: SASE For Dummies, 3rd Edition Grab the basics on secure access service edge.](https://www.paloaltonetworks.com/resources/ebooks/sase-for-dummies) [eBook: Set a Secure Foundation for a New World of Possibilities with Prisma SASE Read about how AI-powered Prisma SASE meets the needs of today's hybrid workforce.](https://www.paloaltonetworks.com/resources/ebooks/set-secure-foundation-for-new-world-of-possibilities-with-prisma-sase) ![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an 
email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=How%20to%20Implement%20SASE%3A%20A%20Technical%2C%20No-Fluff%20Guide&body=SASE%20implementation%20is%20a%20five-phase%20process%20involving%20assessment%2C%20design%2C%20policy%20modeling%2C%20deployment%2C%20and%20optimization.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/sase-implementation) Back to Top {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * 
[Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture 
Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * 
Copyright © 2026 Palo Alto Networks. All Rights Reserved