ProductBeacon — State of Cyber Security Markets 2026, Front 6: The Edge Theater

Disclosure: This is ProductBeacon's independent, impartial market research, based solely on publicly verifiable signals, published on the open web. No vendor sponsors, no paywalled data, no analyst-firm reuse. It reflects ProductBeacon's independent view and is not investment advice. Full independence and sourcing methodology: Methodology →.

By Yohay Etsion · Head of Product (Fractional), AXIA · Creator of Product Org OS · Author of Leading the Charge (2023) and Vision to Value (coming 2026)

AXIA is an AI-powered data-security (Insider Risk Management / DLP) company.

6.1 The Playing Ground

The Edge segment is where an organization decides who and what is allowed to reach its applications, and inspects the traffic that flows to and from them, no matter where the user or the workload sits. For two decades that job lived in a hardware perimeter — a firewall at the office, a VPN concentrator for anyone outside it. The cloud and the remote-work shift dissolved that perimeter, and the security stack that replaced it moved to the edge of the network as a cloud-delivered service. Three terms describe that stack, and they are routinely conflated, so it is worth separating them cleanly.

Where Secure Service Edge Sits in the Cyber Stack PRODUCTBEACON — STATE OF CYBER SECURITY MARKETS 2026, FRONT 6 SASE — Secure Access Service Edge converged framework: security + the network plumbing (SD-WAN) from one cloud platform SD-WAN · Networking-as-a-Service the network half — present in SASE, removed in SSE SSE — Security Service Edge the security half of SASE: SWG · CASB · FWaaS · ZTNA · bundled DLP SWG · CASB web + cloud egress FWaaS firewall-as-a-service ZTNA — Zero Trust Network Access one access-control feature inside SSE — per-application access, no implicit network trust. A feature of SSE, not a synonym for it. SSE-bundled DLP module Netskope DLP · Zscaler DLP — inspects web/cloud egress Part-1 DLP front all-channel enforcement (outside SSE) In one line: ZTNA is a feature of SSE; SSE is the security half of SASE; SASE adds the network back. The DLP boundary — every SSE platform bundles DLP for web/cloud egress; the standalone DLP front (Part 1) enforces across endpoint, email, and removable media the SSE never sees. Bundle pressure, not absorption.

The wider ring is SASE — networking plus security converged. The inner security half is SSE. ZTNA is one access-control building block inside SSE, not a synonym for it.

SASE (Secure Access Service Edge) is the widest term: the converged framework that delivers software-defined wide-area networking (SD-WAN) and security from one cloud platform.1 SSE (Security Service Edge) is the security half of SASE with the networking removed — the bundle of Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero Trust Network Access (ZTNA), and Firewall-as-a-Service (FWaaS).2 ZTNA (Zero Trust Network Access) is narrower still: the VPN-replacement building block inside SSE that grants access to one named application at a time, after verifying identity and device posture, rather than dropping a user onto a flat network.3 In one line: ZTNA is a feature of SSE; SSE is the security half of SASE; SASE adds the network plumbing back.

What the Edge is not is as instructive as what it is. It is not a SOC platform — it enforces and inspects at the egress point, but the detection-investigation-response case workflow belongs to the detection segment, which consumes the Edge's anomalous-egress signal rather than the reverse. As the report's cross-front taxonomy frames it, SSE is an enforcement plane: it sits in the network-security layer and feeds the SOC, identity, and data-security layers around it.4

The DLP boundary. This boundary is decisive for the front. Every major SSE platform bundles a data-loss-prevention module — Netskope DLP and Zscaler DLP are the headline examples — because inspecting traffic at the egress is a natural place to stop sensitive data from leaving.5 That bundled DLP is mentioned here as cross-front presence. The pure-play DLP market is treated as its own front earlier in this report: those are the vendors whose defining capability is data-movement enforcement across every channel, not just the web/cloud egress an SSE sees. The strategic question of whether SSE-bundled DLP displaces the standalone vendors is a winning-and-losing question this front returns to later, not a category line.

Three buyer misconceptions are worth retiring first. One, that SASE and SSE are the same purchase — they are not; a buyer who already owns SD-WAN often wants only the SSE half, and vendors price the two separately.6 Two, that ZTNA is "just a better VPN." It replaces the VPN's job, but the architectural difference — per-application access with no implicit network trust — is precisely what narrows the blast radius when a credential is stolen, provided access policies are tightly scoped and continuously re-verified, which a VPN does not. It narrows that radius rather than eliminating it: a stolen, still-valid session token is exactly what the identity-threat-detection layer in the Identity front is there to catch.7 Three, that single-vendor SASE is already the default. Buyer preference leans single-vendor, but actual deployments remain stubbornly two-vendor in practice, and the gap between the two is one of the live tensions in this market.8

6.2 The Terrain

Market sizing — three lenses, deliberately not averaged. As with the SOC segment, there is no single Edge number, because analysts size SASE, SSE, and ZTNA as nested-but-distinct categories. Read them side by side. On the widest SASE lens, Mordor Intelligence sizes the 2026 market at USD 15.54 billion, growing to USD 39.14 billion by 2031 at a 20.29% CAGR. That definition bundles Network-as-a-Service and Security-as-a-Service across cloud-native, hybrid, and legacy-integrated deployments.9 MarketsandMarkets frames SASE more aggressively, near USD 19 billion in 2026 on a faster ~29% CAGR.10 The spread between the two is a definitional artifact of how much SD-WAN and managed networking each firm folds in, which is exactly why averaging them would destroy information. On the narrower SSE lens — the security half only — MarketsandMarkets puts the market at USD 6.08 billion in 2024 reaching USD 23.01 billion by 2030 at a 24.8% CAGR, spanning SWG, CASB, ZTNA, and FWaaS, with FWaaS the fastest-growing component.11 On the narrowest ZTNA lens, 2026 estimates cluster in the low single-digit billions — roughly USD 2.4 billion to USD 4.8 billion. The range depends on whether bundled-into-SSE deployments are counted as ZTNA spend or absorbed into the SSE line, at CAGRs above 20% on every estimate.12 The honest summary: the narrower the category, the faster the headline growth rate, because spend is migrating down the stack from the converged networking story toward the identity-aware access layer.

Buyer trends. The dominant procurement question is single-vendor versus best-of-breed. Gartner's well-cited (and now-aging) 2022 forecast held that 80% of enterprises would adopt a single-vendor SSE strategy by 2025.13 The more current signal complicates that. Roughly three in five CISOs prefer single-vendor in principle, but a majority actually deploy two-vendor combinations: SSE from one vendor, SD-WAN from another.14 I read this preference-versus-practice gap as the defining buyer tension of 2026, and the falsifiable test is public. Watch whether the single-vendor-SASE platform leaders (Fortinet and Cato are named Leaders in Gartner's 2025 SASE Platforms quadrant) grow their disclosed enterprise platform counts faster than best-of-breed SSE pure-plays grow theirs over the next four quarters.14 A second buyer trend is the VPN-displacement cycle reaching its late innings. The legacy VPN is being retired in favor of ZTNA at scale, with industry surveys reporting a majority of organizations actively replacing VPNs in 2026.15

Technology trends. Three are reshaping the Edge. The first is platform consolidation pressure from the SOC platform leaders. Palo Alto's Prisma Access, Cisco's Umbrella-plus-Hypershield, and Microsoft's Entra Internet Access push SSE as part of a wider bundle, applying the same bundling logic that drives the detection segment. The second, and the one I read as the most consequential for the category's next decade, is the AI-agent and non-human-identity access problem pushing ZTNA up-market. Non-human identities — service accounts, API keys, machine tokens, and now autonomous AI agents — already outnumber human identities in many enterprises by ratios reported between 40:1 and over 100:1, and the count is growing fast.16 ZTNA's per-application, continuously-verified model is the natural control point for an agent that must reach exactly one resource and no more. Zscaler's June 2026 Zenith Live announcement is the clearest production signal. It shipped an AI Broker for agent-to-agent traffic, an Agent Registry, and an AI Access Graph mapping identity-to-data lineage, all repositioning ZTNA from a remote-worker tool toward a machine-identity control plane.17 My falsifiable prediction, grounded only in observable product-page and earnings signals, runs two ways. If the agentic-access thesis holds, expect the SSE leaders to ship named non-human-identity / agent-access SKUs and report them as growth drivers within the next several quarters. If it is hype, those features stay buried as undifferentiated platform line-items. The third trend is the architectural divide between network-first and security-first SASE. Single-stack natives (Cato) and edge-network-first entrants (Cloudflare) are converging on the same category from opposite starting points. That convergence is visible in Netskope's September 2025 Nasdaq IPO (ticker NTSK, ~USD 908 million raised, ~USD 8.6 billion debut valuation), which gave the pure-play SSE thesis its first fully public benchmark.18

Regulatory trends. The regulatory driver most specific to the Edge is the zero-trust mandate. In the United States, federal civilian agencies operate under binding zero-trust-architecture requirements that explicitly name identity-aware, per-resource access — the ZTNA model — as the target end state. That mandate pulls the public sector onto modern edge platforms on a regulatory timetable rather than a discretionary one.19 The broader regulatory tailwind is indirect but real: data-residency and sovereign-cloud obligations in Europe make the where of traffic inspection a compliance question, and an SSE platform that can guarantee in-region enforcement points sells directly into that requirement.20

6.3 The Contenders

The Secure Service Edge Vendor Landscape — 2026 PRODUCTBEACON — STATE OF CYBER SECURITY MARKETS 2026, FRONT 6 SINGLE-FUNCTION ZTNA Stack scope → Single-function ZTNA Full SASE (incl. SD-WAN / networking) ↑ Buyer motion Enterprise / CISO-led Developer-led / bottoms-up TIER COLOR Gravity — sets the SSE reference price Attention — SASE + edge + data + WAN Wildcard — developer-led ZTNA bets Zscaler Zero Trust Exchange · SSE-pure Netskope data-aware SSE · NTSK Cato single-vendor SASE-native Versa SD-WAN-to-SASE Forcepoint data-first SSE Cloudflare edge-network-first · NET Tailscale identity-aware mesh Twingate VPN-replacement ZTNA Author's read of public material, June 2026. Vendor positions are conceptual, not data-derived.

Author's read of public material, June 2026. Vendor positions are conceptual, not data-derived.

The edge-security field sorts along two questions. The first is whether the vendor built from the network outward (SD-WAN and SASE heritage) or from the security cloud outward (SSE and ZTNA heritage). The second is whether the buyer is consolidating an entire branch-and-cloud estate onto one platform or buying a single sharp capability — secure private access — and nothing else. The eight vendors below are grouped into three tiers. Gravity holds the two pure-play SSE/ZTNA platforms whose pricing and packaging set the market's reference point. Attention holds the SASE-native challenger, the edge-network incumbent, the repositioning data-security house, and the SD-WAN-to-SASE migrant. Wildcard holds two developer-led ZTNA bets characterized descriptively only. Each card is anchored to a single dated vendor-controlled surface and at least one verbatim messaging pillar lifted from that vendor's live site on 2026-06-16.

Gravity tier

Zscaler

"Secure Private Access with ZTNA. Extend fast, secure, and reliable private app access for all users from any device or location." — [Zscaler Private Access, zscaler.com/products-and-solutions/zscaler-private-access, accessed 2026-06-16]21

Zscaler is the gravity well of this front — the pure-play that built the security-cloud-outward model and proved that a SaaS security edge could displace the appliance stack the rest of the field grew up on. Its stated USP is zero trust delivered as a cloud service: the Zero Trust Exchange brokers every user-to-app connection so that no traffic touches the corporate network and the network itself disappears as an attack surface. Zscaler Private Access carries the ZTNA pillar — "seamless zero trust connectivity for all users, with AI-powered user-to-app segmentation and context-aware policies." Zscaler Internet Access and the broader SSE bundle (secure web gateway, CASB, DLP) cover the outbound side.22 The target buyer is the large enterprise retiring VPN concentrators and on-premise security appliances; the pricing signal is per-user subscription tiering that rewards bundling the full exchange over single modules. Architecturally Zscaler classifies as SSE-pure and cloud-native, platform-over-best-of-breed — the cleanest articulation of the SSE-first pole. The one fact that complicates the pure-play label is its acquisition of Red Canary, a managed-detection-and-response house, for roughly $651 million completed in August 2025. That move pushes Zscaler across the boundary into the SOC/MDR adjacency mapped in Front 5, blurring the long-standing "we are pure SSE" story.23 The financials behind the position are the strongest available: in fiscal Q3 2026 (period ended 2026-04-30) Zscaler reported roughly $850 million in revenue, up about 25% year over year, and ARR of roughly $3,525 million, also up about 25%.24 Published-material tier is the strongest in the front: named-outlet plus SEC-grade (ZS, NASDAQ). My read: Zscaler still sets the SSE reference point the entire field prices against, but the Red Canary move signals it no longer intends to stay inside the SSE box. The pure-play is becoming a platform, and that ambition is the more interesting story than the leadership it already holds.

Netskope

"Netskope: modern security and networking for the cloud and AI era." — [netskope.com, accessed 2026-06-16]25

Netskope is the other gravity-tier pure-play, and the detail that an out-of-date read would miss is that it is no longer private. Netskope went public on Nasdaq in September 2025, raising roughly $908 million (47.8 million shares at $19) at a valuation of roughly $8.6 billion.26 Its stated USP is breadth of the SSE estate delivered from a single cloud. The homepage frames the company as "modern security and networking for the cloud and AI era," and the portfolio spans SSE, CASB, SSPM and DSPM, firewall-as-a-service, and private access — a wider security-data surface than the ZTNA-led pure-plays carry.25 The target buyer is the enterprise consolidating data-aware web, cloud, and private-access security onto one inline platform. The architecture classifies as SSE-pure and cloud-native, platform-over-best-of-breed, with data context (the CASB and DSPM heritage) as the differentiating thread. The currency note that matters for any forward read is profitability: in the first half of 2025 Netskope reported ARR of roughly $707 million but remained unprofitable, with a net loss of roughly $170 million for the period. This is a growth-over-margin posture the public markets are now pricing in real time. By its first fiscal quarter as a public company (the quarter ended 2026-04-30) ARR had reached roughly $845 million, up about 29% year over year.2728 Published-material tier is now the strongest available — newly public reporter (NTSK, NASDAQ) plus named-outlet IPO coverage. My read: Netskope's IPO converts it from a late-stage private peer into a public yardstick alongside Zscaler. Its data-security DNA gives it the most natural overlap with the Part-1 DLP story — the same single platform carries both the SSE and the data-protection module, which is exactly why characterizing it cleanly here matters for cross-front coherence.

Attention tier

Cato Networks

"World's Leading Single-Vendor SASE Platform. One Platform. Start Anywhere. Grow Everywhere." — [catonetworks.com, accessed 2026-06-16]29

Cato Networks is the SASE-native challenger — the vendor that built networking and security as one converged cloud service from the ground up rather than stitching SD-WAN and security clouds together after the fact. Its stated USP is single-vendor SASE: the homepage claims the title of "World's Leading Single-Vendor SASE Platform" and frames the architecture as "Cato's SASE platform converges networking, security, and access into a single, global, AI-powered cloud service."30 The current hero copy has shifted toward an agentic-defense and time-to-patch frame — "From CVE to Protection in Minutes" and "Agentic defense beyond time-to-patch. Cloud-delivered at machine speed" — layering an AI-operations message over the converged-platform foundation.29 The target buyer is the mid-market-to-enterprise organization that wants one vendor for branch connectivity and security rather than a best-of-breed assembly; the pricing signal is platform subscription rewarding the "start anywhere, grow everywhere" land-and-expand motion. Architecturally Cato is SASE-native and cloud-native, the purest platform-over-best-of-breed play in the set. The capital behind the position is substantial. Cato extended its Series G to roughly $409 million in total at a valuation of more than $4.8 billion (over $1 billion raised across its history). It reports an ARR run-rate of roughly $350 million, up about 43% year over year, with a named place on the 2026 Fortune Cyber 60 for the third year. A public listing that had been discussed has been pushed toward late 2026 or beyond.31 Published-material tier is named-outlet plus vendor-controlled (funding announcements, analyst lists). My read: Cato has the cleanest architectural story in the Attention tier — genuinely single-vendor, genuinely converged — and the growth rate to back it. That makes it the most credible private threat to the public pure-plays even though its absolute scale still trails them.

Cloudflare

"The agile SASE platform. Connect and protect your workforce, AI agents, and infrastructure." — [Cloudflare One, cloudflare.com/sase, accessed 2026-06-16]32

Cloudflare reaches this front from a different starting point than anyone else in the set. It built the largest edge network first and added the security service edge on top, so Cloudflare One is an SSE delivered from infrastructure the company already operated for performance and DDoS protection. Its stated USP is reach and composability. The homepage frames Cloudflare One as "the agile SASE platform" with "SASE architecture unified by design — on a global connectivity cloud," and leans on the network footprint claim that "Cloudflare delivers full SASE from 300+ cities — >3× more than other SASE vendors."33 The 2026 messaging tilts hard toward AI-era access — "identity-first zero trust access for every employee, contractor, and AI agent," plus first-mover claims on securing connections to MCP servers and on post-quantum encryption across the stack.32 The target buyer is the organization that already trusts Cloudflare's edge for web performance and wants to extend it into zero-trust access; the pricing signal favors bundling Zero Trust into an existing Cloudflare relationship. Architecturally Cloudflare classifies as edge-network-first and cloud-native, platform-over-best-of-breed by ambition, and it carries a third consecutive year in the Gartner SSE Magic Quadrant. The financials are healthy: Q1 2026 (period ended 2026-03-31) revenue of roughly $639.8 million, up about 34% year over year, with roughly $4.2 billion in cash and roughly $84.1 million in free cash flow. The period also brought an announced workforce reduction of about 20% (1,100-plus roles, framed as an AI-first restructuring) carrying roughly $140-150 million in charges, a note worth registering on organizational health even though it does not change the competitive tier.34 Published-material tier is named-outlet plus SEC-grade (NET, NYSE). My read: Cloudflare's edge footprint is a structural advantage no pure-play can replicate quickly. But its SSE remains one product line inside a much larger network business — which is both its distribution advantage and the reason its security focus is harder to read than a pure-play's.

Forcepoint

"AI Moves Fast. Your Data Shouldn't Move Uncontrolled. Secure data everywhere from a single platform." — [forcepoint.com, accessed 2026-06-16]35

Forcepoint is the data-security incumbent repositioning into the edge — the vendor whose center of gravity is data protection (DLP, classification) and whose SSE story is framed around securing the data flowing through web, cloud, and private access rather than around the network. Its current hero copy makes the data-first frame explicit: "AI Moves Fast. Your Data Shouldn't Move Uncontrolled" and "Secure data everywhere from a single platform," with the AI-era pitch that "AI Is Only as Secure as Your Data" and a claim to "The Most Advanced Data Classification Available."36 The stated USP is data-aware SSE: protecting sensitive data "across AI tools, cloud apps, web, email, endpoint and network" from one console. The target buyer is the mid-market and regulated-enterprise organization that already knows Forcepoint for DLP and wants its edge security anchored on the same data engine; the pricing signal is platform-and-module subscription aimed at that installed base. Architecturally Forcepoint classifies as SSE with a data-security center, cloud-delivered, platform-over-best-of-breed within its data-first scope. The ownership structure is the decisive currency fact. Francisco Partners has owned the commercial Forcepoint business since acquiring it from Raytheon in January 2021. The government business (G2CI) was acquired separately by TPG in a deal worth roughly $2.45 billion that closed on 2023-10-02, leaving the commercial SSE entity as a distinct, PE-held company.37 No new 2026 ownership or capital change surfaced in the bounded scan. Published-material tier is named-outlet (acquisition coverage) plus vendor-controlled; as a private PE-held company there is no public reporter. My read: Forcepoint's data-first framing is its genuine differentiator in a field crowded with network-first and access-first stories. But it competes from a mid-market incumbent position against pure-plays with more capital and faster cloud-native momentum. The repositioning is a defense of its installed base as much as an offensive play.

Versa Networks

"Extend SASE to every part of your network with VersaONE. Universal SASE protects and connects every part of your business — from headquarters to branch, cloud to data center, and every user and device in between." — [versa-networks.com, accessed 2026-06-16]38

Versa Networks is the SD-WAN-to-SASE migration story — the vendor that came up through software-defined wide-area networking and has spent the converged-edge era repackaging that heritage as "Universal SASE." Its stated USP is breadth of footprint from a single platform. VersaONE is pitched as "a unified platform with one console, one policy, one data lake, and one OS." It spans networking, security, and access across headquarters, branch, cloud, and data center, with VersaAI layered as "AI FOR SASE" and "SASE FOR AI" across the stack.39 The target buyer is the distributed enterprise modernizing a large branch-and-WAN estate that wants security folded into the network rather than bought separately. The pricing signal is platform subscription aimed at network-led buyers. Architecturally Versa classifies as SASE with an SD-WAN-network-first heritage, cloud-delivered, platform-over-best-of-breed. The funding picture requires a plain currency note. The latest verifiable round is the $120 million pre-IPO financing led by BlackRock in October 2022 (roughly $632 million raised across its history), and the public listing the company signaled around that round has not been realized in the years since. So this card makes no implication of recent capital or imminent IPO.40 Published-material tier is named-outlet (the 2022 funding coverage) plus vendor-controlled; as a private company there is no public reporter. My read: Versa has a real footprint among network-led buyers. But the four-year gap since its last verifiable raise and the unrealized IPO are the most honest framing of its current standing — the migration story is sound, the capital and liquidity narrative is the open question.

Wildcard tier

Tailscale

"The best secure connectivity platform for the AI era. A Zero Trust identity-based connectivity platform that replaces your legacy VPN, SASE, and PAM." — [tailscale.com, accessed 2026-06-16]41

Tailscale is the developer-led ZTNA wildcard — the identity-aware mesh that grew bottoms-up inside engineering teams as an easier replacement for the corporate VPN. Descriptively, its surfaces position it as a Zero Trust identity-based connectivity platform that replaces, in its own words, "your legacy VPN, SASE, and PAM" together. The pillars cover "remote access for your global team," "infrastructure access to wherever your resources live, including Kubernetes clusters," and "easy, secure, identity-based access to anything."42 On its surfaces the described buyer skews toward developers and infrastructure teams adopting it for resource access rather than a security organization rolling out a full edge platform. Architecturally it presents as ZTNA-first and identity-based mesh, cloud-coordinated. On the funding and scope picture, Tailscale raised a $160 million Series C in April 2025 (led by Accel) and acquired Border0, a privileged-access-management vendor, in March 2026. Per its surfaces, that move extends the platform from ZTNA into PAM and frames it as a Zero-Trust platform replacing legacy VPN, SASE, and PAM together.43 Published-material tier is vendor-controlled plus named-outlet funding and acquisition coverage. As a small, early-stage private vendor, Tailscale is read here descriptively only and sits out of this front's pattern claims — at this stage and scale, the responsible read is positional, not a directional verdict on the company itself.

Twingate

"Security, Performance, Simplicity. Pick Three. Identity-based access for users, services, and AI agents that deploys in minutes, scales to every resource, and finally lets you retire your VPN." — [twingate.com, accessed 2026-06-16]44

Twingate is the bottoms-up ZTNA wildcard — the VPN-replacement vendor that, like Tailscale, lands inside teams as an easy zero-trust access layer rather than a top-down platform purchase. Descriptively, its surfaces lead with "Security, Performance, Simplicity. Pick Three" and frame the product as "identity-based access for users, services, and AI agents that deploys in minutes, scales to every resource, and finally lets you retire your VPN," with pillars "Zero Trust with No Boundaries," "Protect Every Click," and "Democratize Privileged Access."45 The newest descriptive thread on its surfaces is access for AI agents alongside users and services. The described buyer skews toward teams wanting a fast VPN replacement and identity-aware access without a heavy rollout. Architecturally it presents as ZTNA-first and identity-based, cloud-coordinated. On funding, the most recent verifiable round is the $42 million Series B from 2022-04-14 (roughly $67 million raised in total). No newer raise surfaced in the bounded scan, so this card states the 2022 vintage plainly and makes no implication of recent capital.46 Published-material tier is vendor-controlled plus the 2022 named-outlet funding coverage. As with Tailscale, Twingate is read descriptively only and is held out of this front's pattern claims; at this stage and scale, the responsible read is positional, not a verdict on the vendor.

6.4 Their Plays

The edge-security market is not arguing about whether to consolidate the stack. It settled that argument years ago. The argument now is about who consolidates into whom, and from which direction the consolidation arrives. It might arrive from a single-vendor SASE fabric built as one system, or from a security-operations platform reaching outward to the edge. It might also arrive from an identity-and-productivity incumbent folding network access into a bundle the buyer already owns, or from a developer-led access tool graduating up-market into the enterprise. Four plays are in motion in 2026, and each is a different answer to the same question. Below, each is stated as an observation grounded in a public signal, the named participants, and a conditional outcome that resolves against something an outsider can watch happen.

Play 1: The Single-Vendor-SASE vs Best-of-Breed Consolidation Play

Play 2: The Incumbent Cross-Front Bundle Pressure Play

Play 3: The SSE-to-SOC Boundary Move Play

Play 4: The Identity-First ZTNA Up-Market Port Play

6.5 War Chests & Casualties

The capital picture for the edge front splits along the same line as the contender field: public incumbents financing the move outward from their own balance sheets, and privately held specialists whose last fundraises range from very recent to several years old. The snapshot below mixes both.

VendorMost Recent RoundValuation (if public)Strategic InvestorDistress Signal
Netskope (NASDAQ: NTSK)Public; IPO Nasdaq Sep 2025, raised ~$908M; ~$1.5B raised pre-IPO58~$8.6B at IPOPublic-market funded(empty — no public distress event)
Zscaler (NASDAQ: ZS)Public; acquired Red Canary ~$651M; ARR ~$3,525M, fiscal Q3 202659Public market capPublic-market funded(empty — no public distress event)
Cloudflare (NYSE: NET)Public; Q1 2026 revenue $639.8M (+34%), ~$4.2B cash60Public market capPublic-market funded~20% workforce reduction (~1,100 roles), $140–150M restructuring charges, AI-first reorg announced May 202661
Cato Networks (private)$409M Series G at >$4.8B, 2025; >$1B lifetime; IPO deferred62>$4.8B (private)Vitruvian, ION Crossover, Lightspeed(empty — no public distress event)
Tailscale (private)$160M Series C, Apr 2025 (Accel); acquired Border0, Mar 202663Not disclosedAccel (lead)(empty — no public distress event)
Versa Networks (private)$120M pre-IPO round, 2022 (BlackRock); ~$632M lifetime; IPO unrealized64Not disclosedBlackRock(empty — no public distress event)

The dynamic is asymmetric. The public incumbents extend their footprint off balance-sheet cash, with Zscaler buying its way across the SOC boundary. Cloudflare is the one company carrying a citable recent corporate event, and it is not a failing one. Q1 2026 revenue grew 34% to $639.8 million even as it announced a roughly 20% workforce reduction and $140–150 million in restructuring charges tied to an agentic AI-first operating model. That is a strong-growth company restructuring around AI, not a casualty, and should be read that way. Among the private specialists, capital recency is the tell. Cato's $409 million 2025 Series G and Tailscale's $160 million April 2025 Series C both signal recent strength. Versa, by contrast, last raised in 2022 and has not realized the IPO that round preceded, so its position rests on standalone traction rather than an implied war chest. No other vendor here carries a citable public distress event.

6.6 Winning & Losing

The Edge is not contested the way the SOC platform war is contested. There is no single piece of high ground that every vendor is storming at once. Instead, the front is a set of overlapping campaigns fought along the seams between categories. SSE-bundled DLP presses on the standalone data-security vendor below it. Developer-led ZTNA ports up into the enterprise the incumbents thought they owned. And the single-vendor-SASE native wins the mid-market while the question of whether it can hold the enterprise stays open. The vendors who advance here are the ones who can move across a seam: turn a bundled module into a budget displacement, turn a developer tool into a machine-identity control plane, turn operational simplicity into an enterprise reference. The ones who stall are the ones defending a single category line while the spend migrates underneath them.

Three patterns explain the movement, and each is contestable on public evidence. The first is a compression line: the DLP module that ships inside every SSE platform pressing the standalone DLP vendor at the total-cost-of-ownership line. The second is a category in motion: identity-first ZTNA porting up-market, accelerated by the AI-agent access problem, displacing the legacy VPN. The third is an open question with a clock on it: whether single-vendor SASE wins only the mid-market or breaks into the enterprise. Each is a named thesis with an observation, a labeled read, and a falsifiable conditional — not a forecast. Where the evidence points at a Wildcard vendor too small to characterize individually, the claim stays at the category level by design.

Pattern Claim 1 — The Bundle-vs-Best-of-Breed DLP Compression Thesis

Observation.

My read.

Conditional prediction.

Sources. 28 65 66

The Bundle-vs-Best-of-Breed DLP Compression Thesis PATTERN CLAIM 1 — STATE OF CYBER 2026, FRONT 6 SSE-bundled DLP compresses the standalone vendor where risk lives in web/cloud egress — not across all channels SSE-bundled DLP a module inside a platform already bought Wins the mid-market egress profile Netskope ~$845M ARR (+29% YoY) $100K+ customers +23% (~1,600) Zscaler ~$3,525M ARR (+25% YoY) DLP bundled with SWG · CASB · ZTNA "Is your detection enough better, across enough extra channels, to justify a 2nd product, console, bill?" Inspects the same web/cloud egress the platform already sees NTSK / ZS — SEC-grade public ARR Standalone DLP (Part 1) the standalone strength: all-channel enforcement Holds where coverage spans Endpoint Email Removable media On-premise repositories Channels the SSE egress never touches Bundle = complement, not replacement, where risk is broad Coexistence along a coverage line TCO pressure FALSIFIABLE TEST — FY2026–FY2027 CONFIRMED if Netskope and Zscaler keep disclosing DLP/DSPM as a named platform growth driver in FY2026–FY2027 earnings AND a named outlet documents an enterprise consolidating off a standalone DLP product onto SSE-bundled DLP on TCO grounds. REFUTED if the SSE vendors stop breaking out data-security attach as a growth driver AND standalone DLP vendors hold or grow disclosed enterprise channel-coverage wins — the bundle is a coexistence story bounded by coverage, not compression.

Pattern Claim 2 — The Identity-First ZTNA Thesis

Observation.

My read.

Conditional prediction.

Sources. 67 68 69

The Identity-First ZTNA Thesis PATTERN CLAIM 2 — STATE OF CYBER 2026, FRONT 6 A category in motion: the AI-agent / non-human-identity access problem makes per-application ZTNA the control point The access prize Enterprise retiring legacy VPN per-app, continuously-verified access for one resource and no more Developer-led challengers Tailscale — $160M Series C (Accel), acquired Border0 (PAM), Mar 2026 identity-aware overlay climbing up-market Incumbent acquisition cluster PANW / CyberArk (~$25B) CRWD / SGNL ($740M) Cisco / Astrix (~$400M) Microsoft Entra Agent ID The accelerant: AI-agent access non-human identities now 40:1 to 100:1+ vs humans an agent should never get network-level trust port up push down Category-level claim only — sub-scale developer vendors not called as winners or casualties FALSIFIABLE TEST — FY2026–FY2027 CONFIRMED if 2+ SSE/ZTNA leaders ship and report named non-human-identity / agent-access SKUs as disclosed growth drivers (earnings or product-page hero) AND the incumbent identity-access cluster (PANW/CyberArk, CRWD/SGNL, Cisco/Astrix) closes and integrates into shipping access products — a durable enterprise shift. REFUTED if agent-access stays buried as undifferentiated line-items with no disclosed attribution AND the legacy-VPN displacement cycle stalls in named survey data.

Pattern Claim 3 — The Single-Stack SASE Thesis

Observation.

My read.

Conditional prediction.

Sources. 70 71 72

The Single-Stack SASE Thesis PATTERN CLAIM 3 — STATE OF CYBER 2026, FRONT 6 Single-vendor SASE wins the mid-market on operational simplicity — the enterprise stays genuinely open Mid-market — WON smallest security team, highest appeal of one console Cato Networks (single-vendor SASE) $350M+ ARR (+43% YoY), 2025 $409M Series G at >$4.8B valuation 3rd consecutive Fortune Cyber 60 (a pre-IPO / pre-exit cohort) One console, one policy engine, one vendor for network + security IPO explicitly kept on ice Gartner 2025 SASE Platforms: Leader named-outlet + vendor-controlled Enterprise — OPEN entrenched best-of-breed, board preference for swappable layers The unproven ground Best-of-breed around an SSE core: Netskope (NTSK) — public Sep 2025 Zscaler (ZS) — scaled public SSE two public anchors to assemble around Single-stack SASE not yet shown, in public material, to win at scale Both motions funded, both real — neither falsified by the other's growth: the decision stays open won vs open FALSIFIABLE TEST — H2 2026 / next two-to-four quarters CONFIRMED if Cato converts its Series G war chest into a public S-1 filing OR a named-outlet-documented enterprise (rather than mid-market) logo mix — single-vendor SASE validates as an enterprise architecture, not just a mid-market simplification. REFUTED if the IPO stays deferred through 2026 and Cato's disclosed traction stays concentrated below the enterprise tier while Netskope's and Zscaler's public ARR keeps compounding — single-vendor SASE remains the mid-market's answer and best-of-breed-around-an-SSE-core stays the default enterprise motion. Watch: SEC EDGAR S-1 · Gartner Magic Quadrant for SASE Platforms refresh · named-outlet enterprise coverage

Winners

Zscaler is winning the scaled-platform dimension of the front. Roughly $3,525M in ARR at about 25% year-over-year growth is, in my read, the clearest evidence available that the security-cloud-outward model it pioneered has become the reference point the entire field prices against 65. My opinion: its moat in 2026 is as much commercial gravity as it is detection efficacy. The buyer who has standardized on the Zero Trust Exchange finds it cheaper to add a module than to evaluate a competitor. And the Red Canary MDR acquisition shows it intends to expand the box rather than defend it 73.

Netskope is winning the public-benchmark argument it set out to win. Consider the public record: reaching the Nasdaq in September 2025 at a ~$8.6B debut, and posting Q1 fiscal 2027 (quarter ended 2026-04-30) ARR of $845M up 29% with $100K+ customers up 23%. That, in my view, is the strongest available public evidence that the SSE-pure thesis converts to durable public-market revenue rather than just messaging 28. It is not winning at Zscaler's scale, but it has given best-of-breed buyers a second fully public SSE anchor to assemble around.

Cato Networks is winning the mid-market on operational simplicity. $350M+ ARR at 43% growth and a third consecutive Fortune Cyber 60 placement is, in my read, the clearest public signal that single-vendor SASE has real pull. That pull is strongest where the security team is small and the appeal of one console is highest 70 71. The win I am attributing is the mid-market, not the enterprise — that second ground is the open question of Pattern Claim 3.

Losers / Casualties

This front has few clean casualties, and I will not manufacture one. The honest read is that the Edge is a growth market where the live pressure is compression and displacement between growing vendors, not collapse — which is why most of the contested vendors below belong under Watch, not here.

The one dated public restructuring event in the front is Cloudflare's May 2026 workforce reduction of approximately 1,100 people (~20% of headcount), announced 2026-05-07 and disclosed in its FY2026 8-K, with charges of $140–150M 74. I would not label Cloudflare a casualty, and the same source forecloses it. The company framed the action as architecting for an agentic-AI-first operating model — its co-founders stated explicitly that it was not a cost-cutting exercise. That framing sits against a backdrop of a still-growing security and developer-platform business and a Visionary placement in Gartner's 2025 SASE Platforms quadrant 74 75. The restructuring is the dated evidence of an AI-first reshaping at a growing company, not a distress signal — and the distinction matters precisely because the headcount number invites the wrong label without the framing the filing supplies.

Watch

Cato Networks is the watch signal I would track most closely on the enterprise-versus-IPO question. The Series G is funded and the ARR is compounding, but the trajectory that resolves Pattern Claim 3 — an S-1 filing or a documented enterprise logo mix — has not yet surfaced in public material 70. A deferred IPO extending through 2026 without an enterprise-traction disclosure would warrant reassessment at the next refresh; an S-1 would resolve it the other way.

The developer-led ZTNA category is the wildcard motion to watch, characterized at the category level only. The public signals — Tailscale's $160M Series C and its Border0 PAM acquisition, and adjacent identity-aware-access positioning elsewhere in the category — point to developer-led access tools porting up-market. But the individual sub-scale vendors are early-stage bets whose individual outcomes I cannot responsibly call from public material 67. Whether identity-first ZTNA becomes a standalone enterprise wedge or gets absorbed into the platform incumbents' identity-access acquisitions (PANW/CyberArk, CRWD/SGNL, Cisco/Astrix) is the open category question 68.

Cloudflare is worth watching post-restructuring on a different axis than its headcount. The question I would track has two sides. Does the agentic-AI-first reorganization translate into shipped, differentiated edge-and-SSE capability that improves its Gartner SASE-quadrant position from Visionary toward the Leaders? Or does the AI-first pivot pull focus from the SSE roadmap while Zscaler and Netskope compound 75?

6.7 The Campaign Ahead

The Edge will be decided in public over the next several quarters, and every signal that decides it is observable without privileged access. These are the five I would put on the H2 2026 watchlist, each with a falsifiable threshold and a primary source class anyone can monitor.

  1. SSE-bundled DLP as a disclosed growth driver. Signal: whether Netskope and Zscaler name DLP/DSPM/data-security attach as a growth driver in their FY2026–FY2027 earnings commentary, plus any named-outlet report of an enterprise consolidating off standalone DLP onto SSE-bundled DLP on TCO grounds. Threshold: a documented standalone-DLP-to-SSE-bundled-DLP consolidation cited specifically on total-cost-of-ownership confirms the compression thesis at the middle of the market; continued attach growth without a documented migration does not. Primary source: Netskope (NASDAQ: NTSK) and Zscaler (NASDAQ: ZS) earnings transcripts and 10-Q filings, plus named-outlet enterprise coverage 76.
  1. Named non-human-identity / agent-access SKUs reported as growth. Signal: whether two or more SSE/ZTNA leaders ship and disclose named agent-access or non-human-identity SKUs as growth drivers — in earnings commentary or as a product-page hero change — through the period. Threshold: two or more leaders attributing disclosed revenue or pipeline to agent-access SKUs confirms the identity-first ZTNA category motion; agent-access features remaining buried as undifferentiated line-items with no disclosed attribution does not. Primary source: vendor product-page hero snapshots and Zscaler/Netskope earnings transcripts 77.
  1. The incumbent identity-access acquisition cluster closing. Signal: whether the Palo Alto Networks–CyberArk (~$25B, closed 2026-02-11), CrowdStrike–SGNL ($740M, January 2026), and Cisco–Astrix (reported ~$400M, May 2026) transactions integrate into shipping access products. Threshold: two or more of the three closing and surfacing integrated agent/machine-identity access capability in shipping products confirms the incumbents are competing seriously for the same access ground as the developer-led challengers. Deals stalling or integration not surfacing publicly leaves the category motion unconfirmed on the incumbent side. Primary source: acquirer SEC filings (8-K) and vendor product announcements 78.
  1. Cato's IPO-or-enterprise trajectory. Signal: whether Cato Networks files a public S-1 or has a named-outlet-documented enterprise (rather than mid-market) logo mix surface, versus a deferral extending through 2026. Threshold: an S-1 filing OR a documented enterprise logo mix validates single-vendor SASE as an enterprise architecture; a continued deferral with traction concentrated below the enterprise tier confirms it as the mid-market's answer. Primary source: SEC EDGAR S-1 filings and named-outlet (Calcalist / SecurityWeek / Bloomberg) enterprise coverage 79.
  1. The Gartner SASE / SSE quadrant refresh. Signal: the next Gartner Magic Quadrant for SASE Platforms (and the SSE coverage beneath it), and whether Cloudflare moves from Visionary toward Leaders or holds, and whether the pure-play SSE leaders' positions shift relative to the single-vendor-SASE natives. Threshold: a Cloudflare move into the Leaders quadrant confirms the AI-first restructuring translated into category-recognized capability; a held or weakened position signals the pivot pulled focus from the SSE roadmap. Primary source: the published Gartner Magic Quadrant for SASE Platforms / Security Service Edge and vendor announcements citing placement 80.

References & Footnotes

References

Section