SSE bundle cost: ZTNA plus SWG plus CASB plus FWaaS pricing
Security Service Edge bundles ZTNA, secure web gateway, cloud access security broker and firewall-as-a-service into one platform. This page compares SSE bundle pricing against the sum of unbundled point products, explains when SSE pays back versus over-buys, and frames the consolidation decision for mid-market and enterprise.
SSE versus SASE versus standalone components
Security Service Edge is the Gartner-defined category that bundles four cloud-delivered security capabilities: zero trust network access (ZTNA) for private application access, secure web gateway (SWG) for outbound traffic policy and malware scanning, cloud access security broker (CASB) for SaaS visibility and DLP, and firewall-as-a-service (FWaaS) for cloud-delivered firewalling. SSE is the security half of SASE; SASE adds SD-WAN to the same bundle. SSE emerged as a category in 2021 as Gartner recognised that organisations needed the security capabilities of SASE without necessarily replacing their existing WAN.
The credible enterprise SSE platforms per the latest Gartner Magic Quadrant for SSE and Forrester Wave for SSE are Zscaler, Netskope, Palo Alto Prisma Access, Cisco (combining Umbrella, Duo and Secure Access), Cloudflare One, and Microsoft (combining Entra Internet Access, Entra Private Access and Defender for Cloud Apps). The mid-market SSE-equivalent platforms include Skyhigh Security, iboss, Forcepoint and Versa. The category is still consolidating; some 2023 leaders have lost momentum, as industry analysts have noted in their reports, and some 2025 challengers have gained ground, particularly Microsoft as it has extended Entra Internet Access and Entra Private Access into a more credible SSE story.
SSE differs from buying the four components as standalone point products in three ways. First, integration: a single SSE platform presents one policy plane, one log stream, one identity integration, and one connector deployment, where four point products present four of each. Second, traffic plane: a single SSE platform inspects each user's traffic once and applies all four capabilities, where point products would each create their own traffic detour. Third, commercial: one vendor, one contract, one term, one support relationship, instead of four. The integration and traffic-plane benefits are real; the commercial benefit is often less material once procurement teams negotiate the four point products well.
Standalone versus SSE-bundled cost per component
| Component | Standalone per user / month | In SSE bundle | Notes |
|---|---|---|---|
| ZTNA | $5 - $20 / user / month | Included | Always the core SSE component. Sometimes the only one actually used. |
| Secure Web Gateway (SWG) | $3 - $8 / user / month | Included | Outbound traffic policy, URL filtering, malware scanning. |
| Cloud Access Security Broker (CASB) | $4 - $12 / user / month | Included | SaaS app visibility and DLP for sanctioned and unsanctioned cloud apps. |
| Firewall-as-a-Service (FWaaS) | $3 - $10 / user / month | Included | Cloud-delivered firewall, often replaces or augments branch-office firewall appliances. |
| DNS filtering | $1 - $3 / user / month | Included or add-on | Sometimes bundled, sometimes positioned as a separate add-on. |
| Browser isolation | $3 - $8 / user / month | Often add-on | Premium SSE tier. Renders risky web content in a remote container. |
| Data Loss Prevention (DLP) | $5 - $15 / user / month | Often add-on | Network DLP integrated into the SSE traffic plane. Often a separate licence tier. |
Summing the four core SSE components at mid-market standalone pricing gives $15 to $50 per user per month. SSE bundle pricing for the same four components is typically $15 to $25 per user per month, which is the 20 to 35 percent saving Gartner and the vendors quote. The saving is real for organisations that genuinely use all four components. For organisations that use only one or two, the bundle is an over-buy and standalone point products are cheaper.
When SSE pays back, when it over-buys
| Scenario | Verdict | Detail |
|---|---|---|
| You need all four (ZTNA, SWG, CASB, FWaaS) and have none in place | SSE bundle pays back | Saves 20-35% vs buying four point products separately. |
| You need only ZTNA (VPN replacement) | Focused ZTNA-only is cheaper | SSE marginal cost is 2-4x ZTNA-only. SWG/CASB/FWaaS are feature-waste. |
| You have working SWG and CASB; need ZTNA + FWaaS | Hybrid: keep SWG/CASB, add point ZTNA + cloud firewall | Often cheaper than full SSE; lower lock-in. |
| You are also replacing SD-WAN | SASE (SSE + SD-WAN) consolidates the decision | Same SSE economics plus SD-WAN consolidation. 30-50% premium over SSE-only. |
| You have a complex existing security stack and SOC team | Focused platforms, not bundle | Consolidation operational cost (re-skilling, migration, alert workflow changes) often exceeds licensing saving. |
The lock-in profile of SSE bundles
SSE bundles create platform-level lock-in that grows with policy depth. In year one, switching SSE platforms is a meaningful but manageable migration: connector redeployment, policy re-authoring, SIEM integration changes, user training. By year three, the accumulated policy depth (often thousands of rules across the four components, with hundreds of exceptions and tens of integrations) makes switching genuinely difficult. By year five, SSE switching cost for a mid-market organisation can exceed the first-year contract value of the new SSE platform, which is the lock-in trap vendors price into long-term commitments.
Three tactics reduce lock-in risk. First, negotiate the term aggressively in the first deal: prefer one-year or two-year terms to five-year terms, accepting a higher per-user price in exchange for portability if the platform disappoints. Second, demand data portability in the contract: policy export in a machine-readable format (CSV at minimum, ideally a vendor-neutral policy language), log export to your SIEM in real time, and configuration backup. Third, keep identity outside the SSE bundle: if your identity provider is also your SSE provider (some vendors offer this), switching SSE is much harder because identity is the deepest integration point in the stack. Keeping identity and SSE on separate vendors makes SSE meaningfully more portable.
For risk-averse organisations the right architecture is identity (separate vendor) plus ZTNA (separate vendor or SSE) plus everything else (SSE or focused point products as appropriate). For lock-in-tolerant organisations the right architecture is single-vendor consolidation across identity, SSE and increasingly endpoint, which simplifies operations at the cost of switching flexibility. The choice depends on organisational maturity and procurement strategy rather than on pure economics.