Cato SASE Cloud Platform Architecture
Cato is architected to deliver on the promise of SASE: secure and optimized access for everyone, everywhere, at any scale, and to any application. Cato is focused on offloading day-to-day work from the customers’ IT and minimizing the dependency on scarce skills and resources.
Core Components
The Cato architecture is comprised of multiple cloud-native, scalable, and extensible components that enable a consistent SASE experience even as customers’ footprint, requirements and use cases expand.
Cloud-native Security Convergence
The Single Pass Cloud Engine (SPACE) is the core security engine of Cato. It converges multiple network security functions for flow control and segmentation (NGFW), threat prevention (SWG, IPS, NGAM, RBI), and application and data protection (CASB, DLP, ZTNA) into a cloud-native software stack. The SPACE consistently enforces security policies for both inline traffic and out-of-band access. With complete real-time traffic visibility, the SPACE captures rich context and event data for each inspected flow including network, device, application, and data attributes and feeds it to Cato’s open data lake for incident detection and response. All future network security capabilities will be built into the SPACE to benefit from the same single pass efficiency, cloud distribution readiness, and common data and policy management framework.
Purpose-built Global Cloud Service
Cato created the first purpose-built SASE Cloud service backbone. Numerous Points of Presence (PoPs) worldwide run bare metal compute nodes within top-tier physical hosting providers to deliver real-time scalable and efficient security protection and network optimization. Thousands of SPACEs are orchestrated to deliver a resilient, low-latency inspection within short proximity to every user or location. The Cato PoPs are interconnected with multiple tier-1 global and regional carriers to form a cloud network optimizing Internet access to both Web and SaaS destinations as well as WAN access to on-premises and cloud datacenters and applications. Cato control and ownership of the physical cloud architecture enables footprint extensibility to anywhere in the world without dependency on hyperscalers footprint expansion and cost structures.
Open Data Platform for AI/ML-driven Incident Detection and Response
The Cato SASE Cloud Platform is built on an open data lake that ingests both Cato-generated feeds and third-party feeds from threat intelligence services to support real-time threat prevention. Network and security events are generated through SPACE processing and include rich context of the device, user, network, applications, and data associated with each flow. Endpoint events are created by the Cato Client ZTNA and EPP/EDR engines or via 3rd party endpoint solutions such as Microsoft Defender and Crowdstrike. The complete data set is used by Cato’s AI/ML-based threat hunting and network degradation detection and underpins Cato’s AI-assisted incident investigation and response tools. The data lake can be accessed by customers using the Cato API to extract granular data for processing by external solutions such as SIEM.
Design Principles
The Cato architecture is built to maximize use case coverage and IT resource offload. Cato is committed to follow these principles as we grow the service, the capabilities, and the company itself.
360 Degrees Visibility and Control
The Cato SASE Cloud Platform was architected to consistently and equally support all edges: devices, users, branch locations, physical and cloud datacenters, and the applications used by the business. Cato’s holistic visibility to all traffic enables the replacement of multiple point solutions such as firewalls and cloud proxies to mitigate risks such as web-based attacks, malware propagation across locations, and continuous protection of business applications as they migrate to the cloud.
Autonomous Platform Life Cycle Management
Cato autonomously sustain the cloud platform resiliency, scalability, performance, and global reach. It takes away complex planning, design, deployment, and testing work from IT and enables agile response to new business needs.
- Self-evolving: new capabilities are seamlessly delivered through non-disruptive updates across the cloud service, edge SD-WAN devices, and clients.
- Self-healing: in case of a transport, PoP, or SPACE failure, Cato immediately migrates affected edges to an alternate component to ensure service continuity.
- Self-optimizing: Cato monitors the availability and performance of each path inside the cloud service to determine the fastest route between any source and destination.
- Self-scaling: Cato distributes traffic from high throughput locations across multiple SPACEs and can seamlessly scale with more compute nodes or new PoPs.
- Self-expanding: Cato builds new PoP locations, based on customers’ needs. New PoPs integrate into the global footprint to automatically serve nearby users and locations.
Automated Security Posture Management
The Cato SASE Cloud Platform automatically ingests hundreds of security feeds, developed by Cato and by third parties, and distributes them to all SPACEs globally in near real-time. Cato Security Research uses an AI/ML-based system to continuously validate the quality of each feed recommendation against the universe of feeds used by Cato to reduce the likelihood of false positives. Cato further mitigates emerging threats by developing and simulating the impact of new prevention rules on real customer traffic, and only then deploying these rules into production with 24-48 hours without any involvement of IT or impact to the end users.
Feed quality management and the automated mitigation of threats maximizes the stopping power of Cato and offloads complex and resource intensive processes from IT security.
Gradual, Fast, and Flexible Deployment
Cato enables customers to easily migrate to the Cato SASE Cloud. Cato instantly connects physical locations to the Cato Cloud using zero-touch provisioning of Cato edge SD-WAN devices. Cato Clients are easily deployed through a self-service portal or enterprise endpoint mangement (MDM) platforms.
Cato is often used to fully migrate an organization to SASE. However, the Cato platform is modular, and can co-exist with current IT networking and security infrastructure including routers, firewalls, and cloud-based security services. Organizations can deploy Cato selectively and gradually, by use case, geography, or organizational unit, to address business and technical constraints until such a time they are ready to achieve full convergence.
Universal Management with Single Pane of Glass
The Cato SASE Cloud Platform was architected to deliver current and future network security capabilities through a single cloud service. All capabilities are managed through a single pane of glass that follows the same approach to configuring, troubleshooting, and analyzing all aspects of the service. Customers and partners use the Cato Management Application to define policies that are seamlessly distributed to all PoPs, SPACEs, and Cato Clients for consistent enforcement. Similarly, a single universal API is available to access all platform data to automate integrations with other business processes and 3rd party applications.
Consistent Policy Enforcement
Scalable and Resilient Protection
Autonomous Life Cycle Management
Single Pane of Glass
Cato SASE Cloud Platform Powers the Digital Business
Customers use Cato to eliminate complex legacy architectures comprised of multiple security point solutions and costly network services. Cato’s unique SASE platform consistently and autonomously delivers secure and optimized application access everywhere and to everyone.
Swissport Elevates Security, Global Operations with Cato Networks
Carlsberg Group Gains Flexibility and Visibility with Cato SASE
O-I Taps Augmented Reality and Cato SASE Cloud to Realize “Impossible-to-Count” Savings
Alewijnse Transforms Global, Real-Time WAN with Cato Secure SD-WAN
Brake Masters Puts the Brakes on Outages Across 71 Sites with Cato
Flügger Group Gains Network Flexibility and Security with Cato SASE Cloud
Juki reduces network costs by using one security policy for all group companies
Komax Drives Innovation, Cloud Connectivity, and Mobile Collaboration with Cato
Vitesco Technologies Builds New Global Enterprise Network with Cato
Haulotte Reduced Costs and Improved Application Performance by Migrating from MPLS to Cato SASE
Waseda University Enables Universal Secure Remote Learning and Digital Transformation with Cato
Topcon Achieves a Fast, Secure Global WAN with Cato
Fidal Boosts WAN Performance, Cuts Costs in Half by Switching from MPLS to Cato
CloudFactory Boosts Network Scalability, Agility, and Security with Cato
Cato SASE Cloud secures networking of Bank Avera locations and its mobile employees
Fiskars Group Boosts Business Agility and Security with Cato SASE
Fullerton Health Builds a Secure SASE Linking 550 Locations and the Cloud
AFI Properties Cures Network, Security, and Remote Access Headaches with Cato SASE
How Redner’s Markets Transformed the Retail Experience by Transforming its Network with Cato
Chemical Manufacturer ESI Reduces the Time to Integrate Acquired Companies by 80% with Cato
Gamuda Redefines IT Operations with the Cato SASE Cloud Platform
Cato Networks Named a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE 2024
Cato Networks Named a Leader and an Outperformer in the GigaOm 2025 SASE Radar
Cato Networks recognized as a Growth and Innovation Leader in SASE
Cato Networks Recognized as Global SSE Product Leader
WAN Transformation with SD-WAN: Establishing a Mature Foundation for SASE Success
“We ran a breach-and-attack simulator on Cato, Infection rates and lateral movement just dropped while detection rates soared. These were key factors in trusting Cato security.”
Try Cato
The Solution that IT teams have been waiting for.
Prepare to be amazed!