As the COVID-19 pandemic drags on and continues to impact the way people work, SD-WAN vendors are responding by investing heavily in new capabilities that extend the enterprise edge to wherever workers happen to be\u2014branches, campuses, home offices, co-working spaces, mobile, etc.\nThe main thrust of this evolution in SD-WAN technology is the merger of networking and security functions into a single platform, which most vendors now call Secure Access Service Edge (SASE).\n\nSASE, a term coined by Gartner in 2019, converges SD-WAN with basic security offerings, including encryption, anti-malware, and firewalls, while adding advanced services, such as Next-Generation Firewall (NGFW), Firewall-as-a-Service (FWaaS), Data Leak Prevention (DLP), Secure Internet Gateway (SIG), and Zero Trust Network Access (ZTNA).\nWhile the top SASE vendors largely agree on the table stakes outlined by Gartner, they are also looking to gain an edge on the competition by developing innovative new features, such as 5G for WAN links, advanced behavior-and context-based security capabilities, and integrated AIOps for troubleshooting and automatic remediation.\nThe six vendors below are listed in order of their market share, according to IDC\u2019s most recent Worldwide SD-WAN Infrastructure Market Share report. The top six accounted for 78.3% of the market. These same vendors are also the only ones listed in the \u201cleaders\u201d category in Gartner\u2019s latest Magic Quadrant for WAN Edge Infrastructure.\nCisco: Orchestration and automation\nMarket position: Cisco leads the SD-WAN market, with 37% market share. IDC puts Cisco\u2019s SD-WAN revenues of $630.3 million in the first half of \u00a02021, a 20.3% increase over the same period in 2020.\nCisco\u2019s SD-WAN revenue comes from internal SD-WAN development and a series of strategic acquisitions that include Meraki (2012), Viptela (2017), Duo Security (2018), and ThousandEyes (2020).\nCurrent SD-WAN\/SASE offerings: Cisco offers a range of SD-WAN options. These include Meraki SD-WAN appliances, which connect to branch offices and public clouds via auto-provisioned IPsec VPNs, and SD-WAN Cloud OnRamp, a SaaS offering that connects branches, colocation centers, and various clouds.\nCisco\u2019s approach to SASE combines network, security, and observability capabilities into a single cloud-managed offering. In recent months, Cisco has added SIG service level and network health checks. A\u00a0Layer 7 Application Health Check proactively sends notifications if the SIG connection deteriorates to help customers automatically meet SLAs.\nCisco has also enabled policy-based routing from Cisco Cloud OnRamp for SaaS with Cisco Umbrella to provide security for SaaS traffic.\u202fThrough ThousandEyes integration with Cisco\u2019s SD-WAN, Cisco can now measure,\u00a0test, and report on the underlay connectivity and the condition of Internet circuits.\nNew Features: In January, Cisco released the Meraki Umbrella SD-WAN Connector, which integrates networking and security into a SaaS offering. For organizations that have both Meraki MX and Umbrella SIG licenses, Meraki Umbrella SD-WAN connector simplifies the deployment of cloud security across distributed locations into a task that only takes a few clicks in the management dashboard.\nIn February, Cisco extended Meraki virtual MX appliances (vMX) to the Google Cloud Platform (GCP). Organizations can now securely connect branch sites with a physical MX appliance to resources in GCP with Auto VPN.\u00a0\nCisco also integrated cloud-native, zero-trust security tools into its SD-WAN portfolio. Duo Passwordless authentication uses platform authenticators and security keys from devices to secure application access without passwords.\nRoadmap: In November, Cisco provided a preview of a forthcoming addition, Remote Desktop Protocol (RDP) support for Duo Network Gateway (DNG). This will enable VPN-less remote access, secured with risked-based authentication, including device posture assessments and access control.\u00a0\u00a0\nCisco intends to further enhance its SD-WAN with capabilities that target MSPs and large enterprises. These new features will simplify the complexity of implementations at scale and enable new services. \u00a0\nFurther SD-WAN\/SASE investments will focus on unifying orchestration beyond secure connectivity and application experience. Cisco also plans further investments into the automation of AI\/ML-powered predictive inferences, so network infrastructure is able to react in real time to the demands of applications.\nVersa: Beefed up sandboxing, DLP, CASB; future expansion of AI\/ML\nCurrent market position: According to IDC, Versa captured 11.8% of the market in the first half of 2021 with revenues of $200.6M, a year-over-year jump of 77.2%.\nVersa is backed by $196 million in venture capital funding and has landed major customers that include BP and Capital One. The company has also established strong channel partnerships with carriers and service providers, including Comcast and NTT Communications.\nCurrent SD-WAN\/SASE offerings: Versa\u2019s Secure SD-WAN is now part of its SASE Portfolio. Secure SD-WAN provides a range of capabilities, including sub-second packet steering across multiple WAN interfaces, packet loss reduction, and poor performing link avoidance. Versa SD-WAN also acts as a DNS Proxy with SD-WAN Traffic steering, MP-BGP route exchange with SDN controllers, link aggregation, hierarchical QoS, per tunnel QoS, and overlay encapsulation options (VXLAN, IPSec).\nVersa SASE uses its proprietary Versa Operating System (VOS) to tightly integrate networking and security services into a platform that supports cloud, on-premises, and hybrid environments. Versa SASE includes VPN, secure SD-WAN, edge compute protection, NGFW, FWaaS, SWG, DLP, ZTNA, Cloud Access Security Broker (CASB), network obfuscation, and Remote Browser Isolation (RBI).\nVersa SASE also provides contextual security based on user, role, device, application, location,\u00a0security posture of the device, and content.\nNew features: Over the past few months, Versa has expanded support for cloud-based malware sandboxing. Before a file is sent to the sandboxing infrastructure, it is processed on the Versa Cloud Gateway (VCG) through the following services: IP-filtering, URL-filtering, Antivirus (AV), Intrusion Prevention System (IPS), file-filtering, DNS-Filtering, CASB, and DLP. If there is no definitive verdict on the file, then it is sent to the Versa Sandboxing Infrastructure, which analyzes the file in greater detail.\nVersa has also beefed up its DLP capabilities, adding support for contextual DLP based on user, group, application, file-type, geo-location, device posture, and all Layer 3-4 fields. The DLP engine now also supports redaction, quarantine, tokenization, encryption, block, allow, notify, alert, and others automatic reactions.\u00a0\nOther recent additions include improvements to CASB to support fine-grained security access control policy rules based on application, user, group, device, device-posture, geolocation, compliance status, etc.; support for Scalable\/Security Group Tag (SGT); extended RBI capabilities that provide an air-gapped web browsing environment; and DNS tunneling support. \u00a0\nRoadmap: According to a Versa spokesperson, SD-WAN is a critical component of Versa SASE, and both services will continue to improve in 2022. Innovations and improvements on Versa\u2019s near-term SASE\/SD-WAN roadmap include Cloud Security Posture Management (CSPM) functionality that includes cloud workload discovery and visibility into multi-cloud workloads, as well as automated remediation of security vulnerabilities; identity-based segmentation for datacenter workload protection; and expansion of AI\/ML capabilities to apply them to more use cases.\u00a0\u00a0\nFortinet: Heavy on AI, automation, IAM\nCurrent market position: Fortinet captured 9.2% of the market over the first half of \u00a02021, according to IDC, with \u00a0$157.8M in revenues, up 48.2% year-over-year.\nFortinet acquired startup Opaq in 2020, which coincided with its pivot from SD-WAN to SASE. Fortinet\u2019s hardware is based on its own proprietary ASICs, and with the addition of Opaq\u2019s SASE capabilities, Fortinet\u2019s already strong security capabilities have been bolstered.\nCurrent SD-WAN\/SASE offerings: Launched five years ago, Fortinet Secure SD-WAN consolidates routing, SD-WAN, and NGFW into one platform. Other features include threat protection, SSL inspection, centralized management and orchestration, and built-in ZTNA access proxies. \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\nThe FortiOS operating system is designed to support multiple networking environments, including on-premises, cloud, and hybrid. Fortinet\u2019s cloud-based SWG provides CASB and ZTNA solutions for remote users.\u00a0\u00a0\nNew features: Since the release of FortiOS 7.0 in early 2021, Fortinet says that it has added 40 SD-WAN features that focus on boosting application performance, enhancing operations, and improving monitoring and visibility.\u00a0\nRoadmap: According to Fortinet, the pandemic-driven, work-from-anywhere model has changed the edge dramatically, with users moving between on-premises locations, interconnected branches, home offices, and temporary locations during travel, to name only a few locations where employees now conduct business. This means that SD-WAN offerings cannot just focus on a single architecture, such as the cloud.\u00a0\u00a0\nA Fortinet spokesperson says the company will continue to invest heavily in developing a \u201cSecurity Fabric Platform\u201d that further converges networking and security into a single solution that establishes a \u201cZero Trust Edge.\u201d The goal is for the platform to automatically adapt to dynamic changes to the underlying network infrastructure, including connectivity, while also providing explicit access to applications based on continuous validation of user identity and context.\nIn order to achieve this, other near-term enhancements planned for Fortinet Secure SD-WAN\u00a0include integrating AI\/ML security functionality, improving management capabilities, boosting security features, and adding AIOps and digital experience monitoring\u200b.\nVMware: Self-healing plus services based on 5G WANs\nCurrent market position: According to IDC, VMware captured 8.2% of the market in the first half of 2021, with revenues of $139.8 million, a year-over-year increase of 18.8%. VMware became a serious SD-WAN contender in 2017 with its acquisition of VeloCloud.\nCurrent SD-WAN\/SASE offerings: VMware\u2019s SD-WAN offering is comprised of three main components: VMware SD-WAN Orchestrator, the central management platform; VMware SD-WAN Gateways, which are deployed at 3,000+ PoPs around the globe; and VMware SD-WAN Edge, the on-premises appliances that connect to the VMware global network.\nVMware SASE is cloud-native platform that integrates SD-WAN with security services delivered from the cloud. Security features include ZTNA, SWG, CASB, DLP, URL Filtering, and RBI.\nVMware Edge Network Intelligence offers an AIOps solution that provides AI\/ML-enabled visibility from the WAN to branch to Wi-Fi\/LAN to deliver actionable insights for performance assurance and self-healing of the network.\u00a0\nNew Features: VMware enhanced protection against enterprise data leaks by providing new capabilities to detect and prevent sensitive data from exiting the network. Full IPv6 support was added to VMware SASE, as well as self-healing features that enable users to quickly detect, understand, and remediate issues with AIOps.\nRoadmap: VMware notes that SD-WAN is evolving from an \u201cedge-to-edge technology\u201d and is now expanding through the cloud deeper into the branch to the individual clients (whether at home, on a mobile device, in a large campus setting, etc.). SD-WAN is also becoming application-aware, all the way down to individual application containers in public or private clouds.\nFuture enhancements will focus on expanding security features, bolstering work-from-anywhere performance, building multi-cloud interconnects, adding edge compute features, and furthering self-healing capabilities. VMware also intends to invest in features for carriers and service providers that will enable new services, such as 5G-based WAN links.\nHPE: Silver Peak meets Aruba to support home offices\nCurrent market position: According to IDC, HPE captured 6.5% of the market in the first half of 2021, with revenues of $111 million. This was a decrease of 4.3% year-over-year.\nHPE entered the SD-WAN market with its acquisition of Silver Peak in 2020, integrating it into the Aruba platform. (HPE acquired Aruba in 2015.)\nCurrent SD-WAN\/SASE offerings: HPE EdgeConnect SD-WAN gives organizations the ability to create virtual WAN overlays for different classes of traffic. After classes are set, application performance, security, and routing policies are automatically programmed to all sites. Other capabilities include real-time monitoring of network and application performance, automated remediation in the event of an outage, integrated firewall, and WAN optimization.\nEdgeConnect is tightly integrated with the broader Aruba platform, which includes a range of switches, gateways, and controllers.\u00a0\nAruba SASE unifies WAN edge functions with advanced security services delivered in the cloud, including SWG, CASB, and ZTNA.\u00a0Aruba SASE also provides APIs to integrate other best-in-class cloud security tools, such as Zscaler, Netskope, Check Point, Palo Alto Prisma Access, and McAfee.\nNew features: In December, Aruba introduced a new\u00a0EdgeConnect Microbranch solution. With the rise of remote working, this solution was developed to provide remote workers with an in-office connectivity experience by extending SD-WAN and SASE security services via a single access point.\nWith\u00a0EdgeConnect Microbranch, IT departments can ensure the employee experience is consistent no matter where workers are located, while also accelerating troubleshooting and maintaining corporate protections by\u00a0extending on-campus Zero Trust and SASE security frameworks to the home office\/small office.\nRoadmap: HPE\u2019s future plans include accelerating the ability for their customers to consume Networking- and Security-as-a-Service. HPE will continues to develop SaaS offerings that provide on-demand usage, a consumption-based billing model, self-service capabilities, and elements such as network routers, switches, gateways, and firewalls.\nPalo Alto Networks: 5G and stronger AIops support\nCurrent market position: Palo Alto Networks captured 5.1% of the market in the first half of 2021, according to IDC, based on revenues of $86.8 million. That represented a year-over-year increase of 19.3%.\nPalo Alto Networks entered the SD-WAN market with its acquisition of CloudGenix in 2020. It has a number of named customers, including Salesforce, AutoNation, and Aaron\u2019s.\nCurrent SD-WAN\/SASE offerings: The foundation of Palo Alto\u2019s Prisma SD-WAN solution is Instant-On Network (ION) devices deployed at both branches and central sites. Its AppFabric software consolidates WAN resources (MPLS, broadband, cellular), giving enterprises the ability to create policy-based connectivity for each application and site. ION devices automatically establish secure connectivity among sites and continually monitor the health and performance of WAN links and applications, dynamically choosing the best performing path. Autonomous Digital Experience Management (ADEM) manages the digital experience for mobile users. It enables organizations to gain end-to-end visibility from the management console without the need to deploy additional agents or appliances.\nPalo Alto\u2019s Prisma SASE integrates the SD-WAN capabilities from Prisma SD-WAN with cloud-based SASE security capabilities, including ZTNA, Cloud SWG, CASB, and FWaaS.\nNew features: In 2021, Palo Alto introduced several new security capabilities, including such CASB features as real-time data and zero-day protections. To accommodate hybrid workforces, it also integrated CSWB capabilities to offer web security rules with predefined recommendations and continuous assessments.\nPalo Alto released a new version of ION, the ION 1200, which includes 5G support. This gives organizations the ability to deliver 5G WAN connectivity to branch networks as part of the Prisma SASE solution, including the ability to run active\/active 5G WAN interfaces for carrier redundancy. Palo Alto also added AIOps capabilities to use ML and analytics to automate IT operations. AIOps provides real-time analysis and detection of IT issues.\nRoadmap: In the coming year, Palo Alto plans to invest in a range of additions and upgrades to its SASE\/SD-WAN portfolio. These include bandwidth-on-demand service models that give users the flexibility to move bandwidth across branches, home offices, mobile users, etc.; deeper integrations between security and SD-WAN; and further enhancements to multi-cloud and collaboration use cases.