Cumulative SASE spending across Security Service Edge (SSE) and SD-WAN will reach $97 billion over the 2025–2030 period, according to Dell’Oro Group’s February 2026 forecast. That figure is nearly three times the total SASE investment recorded during 2020–2024, signaling a structural shift from appliance-based network security to cloud-delivered architectures. For network engineers holding or pursuing CCIE Security, this acceleration creates both urgency and opportunity — the skills that defined network security for two decades are being reshaped around SASE-native design patterns.

Key Takeaway: SASE has moved from an emerging framework to a $97 billion spending commitment, and network engineers who master SSE, SD-WAN convergence, and AI-driven security architecture will lead the next generation of enterprise network design.

Why Is SASE Spending Tripling to $97 Billion by 2030?

The Dell’Oro Group forecast, published on February 3, 2026, projects cumulative SASE spending at $97 billion for 2025–2030 — representing a near-triple increase over the roughly $33 billion spent from 2020 to 2024. According to Mauricio Sanchez, Senior Director of Enterprise Security and Networking at Dell’Oro Group, “Security policy is no longer a downstream control that follows network design; it is becoming the architectural layer that dictates how access and connectivity are built.” This shift reflects enterprises aligning WAN networking and security decisions around governance, accountability, and audit readiness rather than treating SD-WAN and SSE as independent technology choices.

Three structural forces are driving this acceleration:

Growth DriverImpact on SASE SpendingTimeframe
Hybrid cloud architecture expansionEnterprises need consistent security across on-premises, IaaS, and SaaS environments2025–2028
AI-driven workload proliferationAI models require real-time inspection at scale, pushing demand for GPU-accelerated security2026–2030
Regulatory governance tighteningCompliance frameworks (NIS2, DORA, updated NIST CSF) mandate unified audit trails across network and security2025–2027

According to MarketsandMarkets (2026), the annual SASE market alone will reach $44.68 billion by 2030, growing at a 23.6% CAGR from 2025. The SSE segment specifically — covering ZTNA, CASB, SWG, and FWaaS — is projected to hit $23 billion annually by 2030, according to MarketsandMarkets. Meanwhile, Virtue Market Research (2026) pegs the SASE market at $15.5 billion in 2025, expanding at 23.7% CAGR to $45 billion by 2030.

The consistency across these independent forecasts confirms this isn’t speculative — SASE is the dominant architectural trajectory for enterprise WAN and security.

SASE Spending $97 Billion Technical Architecture

What Did Cato Networks Announce with GPU-Powered SASE?

Cato Networks on March 17, 2026, unveiled the industry’s first GPU-powered SASE platform by deploying NVIDIA GPUs across its 85+ global Points of Presence (PoPs). The announcement introduced two capabilities: Cato Neural Edge for GPU-accelerated traffic inspection and Cato AI Security for unified AI governance and protection. This makes Cato the first SASE vendor to embed GPU compute directly into its enforcement infrastructure rather than offloading AI workloads to external hyperscaler environments.

Cato Neural Edge: GPUs Inside the SASE Backbone

Cato Neural Edge positions NVIDIA GPUs at each PoP in Cato’s global private backbone, enabling three critical functions:

  • Real-time AI-driven traffic inspection — deep semantic analysis of encrypted traffic patterns without decryption performance penalties
  • Inline threat detection — machine learning models executing directly in the data path at wire speed
  • Policy enforcement at scale — AI-powered classification and response running at the enforcement point, not in a separate cloud

The architectural distinction matters for network engineers. Traditional SASE platforms offload AI inspection to external GPU clouds, introducing latency variability and separating intelligence from enforcement. According to 650 Group (2026), “This appears to be the first SASE platform embedding GPU compute directly into its global infrastructure to support AI-driven inspection and security analytics at scale.”

Cato AI Security: Governing the AI Era

Cato AI Security addresses a gap that most SASE platforms haven’t touched — securing how enterprises use AI tools internally. The platform governs three categories:

  1. Employee AI tool usage — monitoring and controlling access to ChatGPT, Copilot, and other generative AI tools
  2. Homegrown AI application security — protecting internally developed AI models and APIs
  3. Autonomous AI agent guardrails — enforcing security policies on agentic AI workflows operating within enterprise networks

According to Gartner (2026), “By 2028, over 75% of enterprises will be using AI-amplified cybersecurity products for most cybersecurity use cases, up from less than 25% in 2025.” Cato is positioning to capture this demand by converging AI security with SASE.

Marc Crudgington, VP of Cybersecurity at Crane Worldwide Logistics, confirmed the operational value: “AI security isn’t another console or separate enforcement layer. It’s built directly into the Cato SASE Platform. We can govern AI usage, secure homegrown AI applications, and manage agent workflows using the same policy engine.”

How Does Versa’s Inbound SSE Change Network Architecture?

Versa Networks announced Inbound SSE on March 19, 2026, extending Security Service Edge from its traditional outbound focus to also inspect inbound internet traffic before it reaches enterprise applications, APIs, and services. This capability fundamentally changes how network engineers think about perimeter security for internet-facing workloads.

The Inbound Traffic Problem

Traditional SSE protects outbound traffic — users accessing the internet and cloud applications. But enterprise applications increasingly face inbound threats:

  • Partner portals exposed to the public internet for B2B integration
  • REST APIs serving mobile apps, IoT devices, and third-party consumers
  • Remote management interfaces accessible to distributed operations teams
  • IoT-connected services ingesting data from field sensors and edge devices

According to Rahul Vaidya, Senior Director of Product Management at Versa, “Enterprise applications are now distributed everywhere, and traffic flows in every direction. Versa Inbound SSE extends our unified SASE architecture to protect the inbound path.”

How Inbound SSE Works

The architecture redirects inbound connections through Versa SSE cloud gateways before they reach the application:

  1. External user or system initiates connection to an enterprise application
  2. DNS or routing policy redirects the connection to the nearest Versa SSE gateway
  3. Gateway applies full security inspection: IP/location-based access control, DDoS detection, bot filtering, IDS/IPS, and malware blocking
  4. Only authorized and verified traffic is forwarded to the application

This eliminates the need for dedicated firewall and load balancer stacks deployed at every application environment. Swisscom’s Chief Technology Officer, Egon Steinkasserer, confirmed the operational impact: “Versa’s Inbound SSE capability enables beem to inspect and control internet traffic before it ever reaches customer applications. Customers can remove redundant on-premises firewalls without giving up the ability to host applications locally.”

For CCIE Security candidates, this represents a fundamental shift: the firewall is no longer a physical or virtual appliance sitting in front of applications — it’s a cloud-delivered function consumed as a service.

SASE Spending $97 Billion Industry Impact

How Does the SASE Vendor Landscape Look in 2026?

The SASE market in 2026 has consolidated into distinct competitive tiers, each with different architectural approaches. Understanding these differences is critical for network engineers designing enterprise SASE deployments.

VendorArchitecture ApproachKey Differentiator (2026)
Cato NetworksSingle-pass cloud-native, GPU-powered PoPsFirst GPU-embedded SASE backbone, native AI security
Versa NetworksVersaONE Universal SASE platformInbound SSE, service provider multi-tenancy
Palo Alto NetworksPrisma SASE (Prisma Access + SD-WAN)Largest enterprise install base, Strata Cloud Manager
ZscalerZero Trust Exchange cloud securitySSE market leader by revenue, 150+ global data centers
CiscoUnified SASE (Meraki SD-WAN + Umbrella SSE)Deepest integration with campus/branch switching
FortinetFortiSASE (FortiGate + FortiClient)ASIC-accelerated security, converged networking stack

According to Dell’Oro Group (2026), “Enterprises are aligning enterprise WAN networking and security decisions around governance, accountability, and audit readiness rather than treating SD-WAN and SSE as independent technology choices.” This means the vendors winning in 2030 will be those offering truly converged platforms rather than stitched-together SD-WAN and SSE products.

What SASE Skills Should Network Engineers Prioritize?

The $97 billion SASE spending trajectory creates specific skills demand that network engineers should address now. According to NetworkWorld (2026), seven vendor-specific SASE certifications now exist — but the underlying architecture skills matter more than any single vendor credential.

Core SASE Architecture Skills

These foundational capabilities apply across all SASE platforms:

  • SSE component mastery — understand how ZTNA, CASB, SWG, and FWaaS interact within a unified policy engine, including user-to-app vs. app-to-app traffic flows
  • SD-WAN overlay design — fabric architecture, application-aware routing, and WAN optimization across MPLS, broadband, and cellular underlay transports
  • Cloud-delivered security architecture — PoP selection, anycast routing, split tunneling decisions, and regional data residency compliance
  • AI-driven threat detection — log correlation at scale, ML model outputs for security operations, and GPU-accelerated inspection concepts
  • Zero Trust implementation — identity-driven micro-segmentation, continuous authentication, and least-privilege access enforcement

CCIE Security Relevance

The CCIE Security certification lab exam already covers several SASE-adjacent technologies. Cisco ISE, Firepower/FTD, and VPN technologies remain on the blueprint, but understanding how these map to cloud-delivered equivalents is increasingly expected in both the exam and real-world design scenarios.

For engineers working toward CCIE Security, the practical recommendation is to build lab environments that combine traditional Cisco security controls with at least one SASE platform trial. Cato, Versa, and Zscaler all offer free trials or sandbox environments where you can observe traffic inspection, policy enforcement, and reporting in a cloud-delivered model.

Salary Impact

Network engineers with demonstrated SASE/SSE architecture skills command measurable salary premiums. According to Tufin (2026), SASE certification programs typically require foundational understanding of SD-WAN design, Zero Trust fundamentals, and cloud security architecture. Engineers who combine CCIE-level depth with SASE platform experience position themselves for senior architect and principal engineer roles at enterprises undergoing SASE transformation.

The job market data confirms the demand: LinkedIn job postings mentioning “SASE” or “SSE” in network engineering roles have increased consistently year-over-year since 2023, with the most significant jump occurring in late 2025 as enterprises began implementing their SASE migration plans ahead of NIS2 enforcement deadlines.

What Does the SSE vs. SD-WAN Spending Split Reveal?

The Dell’Oro Group forecast reveals a critical structural insight: security risk — not routing — is driving SASE adoption. The SSE component (ZTNA, CASB, SWG, FWaaS) is growing faster than SD-WAN within the overall $97 billion envelope, confirming that enterprises are prioritizing security transformation over WAN optimization.

This has direct implications for how network engineers allocate their learning time:

Skill CategoryPriority LevelWhy
SSE architecture (ZTNA, CASB, SWG, FWaaS)CriticalLargest growth segment, highest employer demand
SD-WAN overlay designHighFoundation of SASE, but slower growth than SSE
AI/ML security operationsHighGPU-powered SASE creates new skill requirements
Traditional firewall administrationModerateStill needed for hybrid deployments, declining long-term
On-premises WAN routing (EIGRP/OSPF)FoundationalRequired for CCIE, but not a primary growth area

According to Dell’Oro Group’s Mauricio Sanchez (2026), “What stands out in this forecast is not just growth, but scale, as enterprises align enterprise WAN networking and security decisions around governance, accountability, and audit readiness.” The message is clear: network engineers who can bridge security policy and network architecture will be the most valuable professionals in this $97 billion market.

How Should Network Engineers Prepare for the SASE-First Future?

The convergence of $97 billion in projected spending, GPU-powered security platforms, and inbound traffic protection signals that SASE is no longer optional infrastructure — it’s the default architecture for enterprise WAN and security. Here’s a practical 90-day action plan:

  1. Deploy a SASE trial environment — sign up for Cato, Versa, or Zscaler free trials and route test traffic through their platform to understand PoP-based inspection firsthand
  2. Build an SD-WAN lab in EVE-NG — pair virtual SD-WAN controllers with cloud SSE integration to see the convergence in action
  3. Study SSE component interactions — map how ZTNA, CASB, SWG, and FWaaS share policy context in a unified platform vs. disaggregated point products
  4. Review CCIE Security blueprint — identify which CCIE Security exam topics map to SASE concepts and focus study time on the overlap
  5. Track vendor roadmaps — follow Cato’s GPU-powered SASE evolution, Versa’s Inbound SSE expansion, and Cisco’s Unified SASE convergence for career positioning

The $97 billion question isn’t whether SASE will dominate — Dell’Oro Group, MarketsandMarkets, and Virtue Market Research all agree it will. The question is whether your skills portfolio matches the architecture enterprises are buying.

Ready to fast-track your CCIE journey? Contact us on Telegram @firstpasslab for a free assessment.

Frequently Asked Questions

How much will SASE spending reach by 2030?

According to Dell’Oro Group (February 2026), cumulative SASE spending across SSE and SD-WAN will reach $97 billion over the 2025–2030 period. This represents nearly three times the approximately $33 billion spent during the prior five-year period (2020–2024), reflecting a structural shift from appliance-based to cloud-delivered network security.

What is GPU-powered SASE and why does it matter?

GPU-powered SASE embeds NVIDIA GPUs directly into SASE Points of Presence for real-time AI-driven traffic inspection, threat detection, and policy enforcement. Cato Networks pioneered this approach on March 17, 2026, deploying GPUs across 85+ global PoPs. This eliminates the latency and architectural fragmentation of offloading AI workloads to external hyperscaler GPU environments.

What is Inbound SSE?

Inbound SSE, introduced by Versa Networks on March 19, 2026, extends Security Service Edge to inspect inbound internet traffic before it reaches enterprise applications, APIs, and services. Traditional SSE only protected outbound traffic — Inbound SSE eliminates the need for dedicated firewall stacks deployed at each application environment by routing inbound connections through cloud security gateways first.

What SASE skills do CCIE Security candidates need?

CCIE Security candidates should master SSE components (ZTNA, CASB, SWG, FWaaS), SD-WAN overlay design, cloud-delivered security architecture, and AI-driven threat detection. Understanding how Cisco ISE, Firepower, and VPN technologies map to cloud-delivered SASE equivalents bridges the gap between the exam blueprint and modern enterprise deployments.

Is SASE replacing traditional firewalls?

SASE is progressively replacing on-premises firewall appliances with cloud-delivered security functions. Versa’s Inbound SSE explicitly eliminates traditional firewall stacks for internet-facing applications, and Cato’s converged platform replaces multiple point products. However, hybrid deployments mixing on-premises and cloud security will persist through at least 2028 for organizations with complex compliance requirements.