Security as a Service

Enterprises are facing a tough choice between running complex infrastructure with multiple network and security point solutions or paying heavily to service providers to “bundle it” for them. Sizing security appliances for different locations often means having inconsistent security policies across the network. Cato, the cloud-native carrier, provides the only secure managed SD-WAN service built with the global reach, self-service, and agility of the cloud. Cato replaces security point solutions with a converged, uniform security stack built for the digital business.

Cato’s security as a service is a set of tools built directly into the Cato Cloud network as part of a tightly integrated software stack. Because of this, it can be applied consistently across all traffic traversing the network, eliminating the need for disparate edge security devices. Our security services cover access control and threat prevention and are powered by Cato’s Security Research Labs.

Security as a Service for Today’s Enterprises

With Cato’s security as a service, you gain the benefit of consistent security across your entire network while offloading the day to day management to Cato. No more capacity planning, software upgrades, operational complexities, or hidden costs. At the same time, you maintain granular control of all your security policies, with easy configuration through Cato’s centralized management portal.

Our network was designed with security in mind. All our PoPs are interconnected using fully-meshed, encrypted tunnels. Customers connect to Cato through encrypted tunnels, established by our Cato Socket (a zero-touch appliance deployed at physical locations), or through IPsec tunnels from existing security appliances.

All our security services are backed by our massive data warehouse to detect and protect your network from the most advanced threats. As part of the service, Cato employs a dedicated research team of security experts, Cato Security Research Labs, which continuously monitor, analyze and tune all the security engines, risk data feeds, and databases to optimize customer protection.

Access Control Across Your Network

Cato provides enterprises with access control capabilities through our next-generation firewall (NGFW) and secure web gateway (SWG). Our NGFW provides full application awareness with the ability to inspect the payload of packet data and distinguish between different types of web traffic. Cato’s SWG allows customers to monitor, control and block access to websites based on predefined and customizable categories.

Next-generation Firewall

The Cato NGFW inspects both WAN and Internet traffic. It can enforce granular rules based on network entities, time restrictions, and type of traffic. The Deep Packet Inspection (DPI) engine classifies the relevant context, such as application or services, as early as the first packet and without having to decrypt the payload. Cato provides a full list of signatures and parsers to identify common applications. In addition, custom application definitions identify account-specific applications by port, IP address or domain.

Secure Web Gateway

Cato provides a SWG to give you granular control over your Internet-bound traffic, enabling enforcement of corporate policies and preventing downloads of unwanted or malicious software. We provide predefined policies for dozens of different URL categories and support custom rules, enhancing the granularity of web access control. As with the rest of our service, the SWG is easily managed through Cato’s management portal and covered by a full audit trail.

Advanced Threat Prevention

As part of Cato’s Advanced Threat Protection, Cato offers anti-malware protection and Intrusion Prevention System (IPS) capabilities. Both services inspect WAN and Internet traffic. Additionally, Cato PoPs inspect TLS-encrypted traffic in the Cato Cloud, so there is no scaling constraints or additional latency.


Malware Detection and Prevention leverages multi-layered and tightly-integrated anti-malware engines. First, a signature and heuristics-based inspection engine, which is kept up-to-date at all times based on global threat intelligence databases, scans files in transit to ensure effective protection against known malware.

Second, we’ve partnered with SentinalOne , an industry leader, to leverage machine learning and artificial intelligence to identify and block unknown malware. Unknown malware can come as either zero-day attacks or, more frequently, as polymorphic variants of known threats that are designed to evade signature-based inspection engines. With both signature and machine learning-based protections, customer data remains private and confidential, as Cato does not share anything with cloud-based repositories.

IPS Protection Engine

Cato delivers a fully managed and adaptive cloud-based IPS service. Cato Research Labs updates, tunes and maintains context-aware heuristics, both those developed in house (based on big-data collection and analysis of customers’ traffic) and those originating from external security feeds. This dramatically reduces the risk of false positives compared to other IPSs that lack an experienced SOC behind them. Cato Cloud scales to support the compute requirements of our IPS rules, so customers don’t have to balance protection and performance to avoid unplanned upgrades as processing load exceeds available capacity.

Our IPS service applies several layers of inspection to provide context-aware protection. We collect the metadata of all the traffic flows that traverse our network. That information is stored in our big data warehouse and enriched with third-party data feeds. We are then able to apply machine learning algorithms to identify suspicious or malformed traffic, which is further refined by our SOC. As a result, Cato’s IPS can:

• Identify deviations from normal or expected traffic based on behavioral signatures
• Block known compromised or malicious IPs based on reputational feeds
• Stop traffic based on the source or destination country
• Validate packet conformance to the protocol, reducing the attack surface from exploits using anomalous traffic
• Protect against known CVEs and rapidly adapt to identify new vulnerabilities
• Stop outbound traffic to C&C servers
• Detect and block bots

Managed Threat Detection and Response to Reduce Dwell Time

Cato’s Managed Threat Detection and Response Service (MDR) enables enterprises to offload the resource-intensive and skill-dependent process of detecting compromised endpoints to the Cato SOC team. Cato seamlessly applies a full MDR service to customer networks. We automatically collect and analyze all network flows, verify suspicious activity, and notify customers of compromised endpoints. This is the power of networking and security convergence to simplify network protection for enterprises of all sizes.