Market Guide for Security Orchestration, Automation and Response Solutions

Published 27 June 2019 – ID G00389446 – 26 min read

SOAR solutions are gaining visibility and real-world use driven by early adoption to improve security operations centers. Security and risk management leaders should start to evaluate how these solutions can support and optimize their broader security operations capabilities.


Key Findings

  • The SOAR technology market aims to converge security orchestration and automation (SOA), security incident response (SIR) and threat intelligence platform (TIP) capabilities into single solutions.
  • Early adopters of SOAR technologies have been organizations and managed security service providers with mature security operations centers (SOCs) that understood the benefits of incorporating SOAR capabilities into their operations. However, use cases implemented by early adopters have not evolved over the last 12 months and are stuck in a rut, limiting the long-term potential for SOAR in security operations.
  • SOAR solutions are not “plug-and-play.” Even though solutions have a library of out-of-the-box use cases and integrations, buyers are reporting multiweek professional services engagements to implement their initial use cases, as every organization’s processes and technologies deployed are different.
  • Orchestration and automation are starting to be localized in point security technologies, usually in the form of predefined, automated workflows. This is not the same as a full-featured SOAR solution.


Recommendations

Security and risk management leaders overseeing security operations should:
  • Prepare for their SOAR implementations by having a starting set of defined processes and workflows that can be implemented. Out-of-the-box plays and integrations are a starting point but can rarely be implemented without some customizations.
  • Plan for the implementation and the ongoing operation and administration of SOAR tools by using a mix of professional services and internal resources.
  • Put a contingency plan in place in the event the SOAR tool is acquired by another vendor. Acquisitions are occurring with some frequency as the market evolves. Buyers should be prepared.

Strategic Planning Assumption

By year-end 2022, 30% of organizations with a security team larger than five people will leverage SOAR tools in their security operations, up from less than 5% today.

Market Definition

This document was revised on 3 July 2019. The document you are viewing is the corrected version. For more information, see the Corrections page on
Gartner defines security orchestration, automation and response (SOAR) as technologies that enable organizations to take inputs from a variety of sources (mostly from security information and event management [SIEM] systems) and apply workflows aligned to processes and procedures. These can be orchestrated via integrations with other technologies and automated to achieve a desired outcome and greater visibility. Additional capabilities include case and incident management features; the ability to manage threat intelligence, dashboards and reporting; and analytics that can be applied across various functions. SOAR tools significantly enhance security operations activities like threat detection and response by providing machine-powered assistance to human analysts to improve the efficiency and consistency of people and processes.
Most SOAR tools are still strongest in their original “home offerings,” which are security incident and response platforms (SIRPs), security orchestration and automation (SOA), and threat intelligence platforms (TIPs). Currently, the most common use case for SOAR by an organization is to define incident analysis and response procedures in a digital workflow format — such as plays in a security operations playbook. Additionally, these tools facilitate the use and operationalization of threat intelligence in security operations, which enhances the ability to predict, prevent, detect and respond to the prevailing threat landscape that a company faces.

Market Description

To understand the evolving SOAR market, it is necessary to define the specific terms used — namely, orchestration and automation — in the context of security operations:
  • Aggregation: The ability to aggregate/ingest data across sources. This may take the form of alerts, signals or other inputs from other technologies such as an alert from a SIEM tool or an email sent to a group mailbox. Other data that is ingested may include user information from an identity and access management (IAM) tool or threat intelligence from multiple sources.
  • Enrichment: Whether after incident identification or during data collection and processing, SOAR solutions can help integrate external threat intelligence, perform internal contextual look-ups or run processes to gather further data according to defined actions.
  • Orchestration: Combining resources by coordinating workflows made up of manual and automated steps, involving many components and affecting information systems and often humans as well.
  • Automation: This concept involves the capability of software and systems to execute functions on their own, typically to affect other information systems and applications.
  • Response: Manual or automated response provides canned resolution to programmatically defined activities. This includes activities from a basic level — ticket creation in an IT service desk application — to more advanced activities like applying some form of response via another security control, like blocking an IP address by changing a firewall rule. This functionality is the most impactful, but also applies to the most complex use cases.
Buyers are expressing demand for SOAR for several reasons:
  • Staff shortages: Due to staff shortages in security operations, clients describe a growing need to automate repeatable tasks, streamline workflows and orchestrate security tasks resulting in operational scale. For instance, if you have a team, SOAR can give them more reach — but this is not a tool to get instead of a team. Also, organizations need the ability to demonstrate to management the organization’s ability to reduce the impact of inevitable incidents.
  • Continued evolution of threats and increases in volume: As organizations consider threats that destroy data and can result in disclosure of intellectual property and monetary extortion, they require rapid, consistent, continuous and more frequent responses with fewer manual steps.
  • Improving alert triage quality and speed: Security monitoring systems (such as SIEMs) are known to cost a significant amount to run and generate a high number of alerts, including many found to be “false positives” or simply not relevant after additional investigation. Security and risk management leaders then treat alert triage in a very manual way, which is subject to mistakes by the analysts. This leaves real incidents ignored. SOAR helps improve the signal-to-noise ratio by automating the repeatable, mundane aspects of incident investigation. This creates a positive situation where analysts can spend more time investigating and responding to an event instead of spending most of their time collecting all the data required to perform the investigation.
  • Need for a centralized view of threat intelligence: A large number of security controls on the market today benefit from threat intelligence. SOAR tools allow for the centralized collection, aggregation, deduplication, enrichment of existing data with threat intelligence and, importantly, conversion of intelligence into action.
  • Reducing time to respond, contain and remediate: Organizations are dealing with increasingly aggressive threats, such as ransomware, where rapid response of only minutes at best is required in order to stand a chance of containing the threat that is spread laterally in your environment. This scenario forces organizations to reduce the time they take to respond to those incidents, typically by delegating more tasks to machines. Reducing the response time, including incident containment and remediation, is one of the most effective ways to control the impact of security incidents. Like a brush fire, the sooner you can get to it, the smaller it is, and therefore the easier it is to put out.
  • Reducing unnecessary, routine work for the analysts: SOC analysts are often working with multiple tools. They are looking at a stream of row and column SIEM console alerts, threat intelligence (TI) service portals for information about the entities involved, and endpoint detection and response (EDR) for context on what is happening on the affected endpoint. They may even be using workflow tools to control the triage and investigation processes.
SOAR supports multiple activities for security operations decision making such as, but not limited to, the following:
  • Prioritizing security operations activities: Use of a SOAR solution requires organizations to consider questions about their processes. Which are most critical? Which ones consume the most staff time and resources? Which ones would benefit from automation? Where do we have gaps in our documented procedures? The preparation and planning for SOAR, and its ongoing use, help organizations prioritize and manage where orchestration and automation should be applied and where it can help improve response. This response can then lead to improvements in security operations and showing a demonstrable impact on business operations (e.g., faster time to detect and respond to threats that could impact business operations and optimization of security operations staff and budget).
  • Formalizing triage and incident response: Security operations teams must be consistent in their responses to incidents and threats. They must also follow best practices, provide an audit trail and be measurable against business objectives.
  • Automating response: Speed is of the essence in today’s threat landscape. Attacks are increasing in speed (e.g., ransomware is now being automated to spread with worm functionality), but security operations are not automated. Having the ability to automate response action offers SOC teams the ability to quickly isolate/contain security incidents. Some responses can be fully automated, but at this time many SOAR users still inject a human to make the final decision. However, even this reduces the mean time to respond for the organization compared to being fully dependent on “human power.”

Market Direction

In 2015, Gartner described SOAR (which was then considered “security operations, analytics and reporting”) as resources that utilized machine-readable and stateful security data to provide reporting, analysis and management capabilities to support operational security teams. In 2017, as the market matured, Gartner observed the convergence of three previously distinct technologies: security orchestration and automation (SOA), security incident response platforms (SIRPs), and threat intelligence platforms (TIPs), as depicted in Figure 1.

Figure 1. SOAR Types

This convergence is still valid in 2019, with vendors increasingly adding features from areas of SOAR other than the area from which they first started. The acquisitions that happened in the last two years, however, may expand the use of such solutions to a broader scope. For example, after the acquisition of Phantom by Splunk, SOAR may become embedded into its SIEM and also used for IT operations use cases such as infrastructure monitoring, application performance monitoring and troubleshooting. SOAR selection in 2019 and beyond is being driven by use cases such as:
  • SOC optimization
  • Threat monitoring and response
  • Threat investigation and response
  • Threat intelligence management
Several major acquisitions have occurred in the last several years, as shown in Table 1.

Table 1: SOAR Acquisitions

FireEye (Helix) acquired Invotas
IBM acquired Resilient Systems
ServiceNow acquired Brightpoint Security
Microsoft acquired Hexadite
Rapid7 acquired Komand
Splunk acquired Phantom Cyber
Palo Alto Networks acquired Demisto
Source: Gartner (June 2019)
The Future of SOAR
Numerous acquisitions have been occurring consistently for three years. Vendors are looking to build a “security platform” to add SOAR to, either natively or via acquisition, suggesting that more acquisitions are a real possibility. This scenario requires buyers’ attention to create a contingency plan in case their SOAR tool is acquired by another vendor. At the same time, SOAR products must remain vendor-agnostic, because their value depends on integrating with many vendors’ tools. The reality will more likely be that for some time independent solutions will continue to do a better job with their singular focus on roadmap execution and better treatment of being “vendor neutral” with available integrations.
SOAR can be the central hub for an organization to achieve several goals: monitoring the event from SIEM or other security controls; orchestrating different security products to construct the context; helping prioritize multiple concurrent items and incidents; and then driving response.
It’s still early days for SOAR (see “Innovation Insight for Security Orchestration, Automation and Response” and “Preparing Your Security Operations for Orchestration and Automation Tools”). However, the promise of improving the efficiencies and consistencies of SOC activities, as well as being able to offer more customized processes to managed security service (MSS) customers, is compelling. Some managed security service providers (MSSPs) have adopted SOAR technologies in earnest and have embedded them at the core of their delivery platforms. Based on conversations with SOAR technology vendors and MSSPs, we expect most MSSPs to adopt and embed SOAR capabilities over the next three years.
Other vendors are exploring the ability to work with not just traditional technologies but also cloud security and even nonsecurity use cases. For instance, when a new workload is created in the cloud without proper authorization, the playbook would notify operations and security and isolate (or delete) the workload until it is properly approved. Gartner recognizes the potential of using the orchestration and automation capabilities outside of security use cases, but this is not really among the reasons that Gartner clients are implementing SOAR.
Use cases will continue to determine the capabilities that are important for each organization. For example, in the case of incident response, case management is highly valued by Gartner clients, but there are organizations that consider themselves ticket-driven companies. In that case, the organization is not willing to give up its ticket system, making case management irrelevant for that specific enterprise.
SOAR solutions with a broader scope of use cases will require role-based access control (RBAC) capabilities to allow segregation of duties as well as views of information.

Market Analysis

The SOAR market is still an emerging market, as examined in “Emerging Technology Analysis: SOAR Solutions,” and it is forecast to grow up to $550 million in the five-year (2018-2023) time frame (see “Forecast Analysis: SOAR, Worldwide”). Gartner clients are still lagging in their incident response (IR) capabilities and are asking for other solutions that would help them to improve their IR. Many organizations implement SOAR tools with use cases primarily focused on making their SOC analysts more efficient such that they can process more incidents while having more time to apply human analysis and drive response actions much quicker. Historically, they were not aware of the existence of these types of solutions. There are now more clients aware of SOAR solutions, which is fueling further adoption. This awareness is broadening; even SOAR vendors claim to have less work evangelizing about the technology and more conversations about their capabilities and differentiators. However, improving detection and response activities is just one of several opportunities for the use of SOAR tools to support security operations activities.
Since SOAR is often used as an umbrella term that covers security operations, security incident response and threat intelligence, many vendors are driving their existing solutions in the fight for market leadership.
Clients should recall that the selection of the right product will depend on the use cases.
For example, some vendors can ingest security events from a SIEM and apply enrichment to promote better triage capabilities, which include threat intelligence correlation but lag in case management. In such cases, an integration with an external case management system would be imperative to fulfill the incident response needs.
For the security operations use case — often the main purpose of a SOAR solution (see Figure 2) — an organization must have mature processes to be successful (see “Make Sure Your Organization Is Mature Enough for SOAR”). Security and risk management leaders should have an SOC with well-established processes and verify the level of API integration that would be possible with their current security toolset.
Figure 2 reflects the use of the continuous adaptive risk and trust assessment (CARTA) strategy for continuous monitoring and visibility, which includes a continuous set of activities that can be performed by an SOC team by using SOAR technology. CARTA’s value is that it is continuous, and each element helps and informs the other elements, allowing for continuous improvement in your organization’s ability to improve both security posture and digital resilience.

Figure 2. SOAR Overview

Another aspect of the SOAR market is the pricing models that exist. For more information, see “Negotiate a Favorable Contract for Security Event Monitoring Technologies by Analyzing Licensing Models.”
The most common models are based on:
  • The number of (named) analysts using the tool
  • The number of events coming to the SOAR
  • The number of playbooks or actions the SOAR will perform
  • A tiered approach with higher tiers unlocking additional functionality and value
Gartner clients have systematically expressed frustration with pricing models that are hard to predict. It is very hard on 1 January to know how many events will hit the SOAR, or how many actions/playbooks the SOAR will do for the whole year.

Representative Vendors

The vendor list in this Market Guide is not exhaustive. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

A list of vendors is provided below. It is not, nor is it intended to be, a list of all vendors or offerings on the market or a competitive analysis of the vendors’ features and functions (see Note 1). This is also not a definitive list of each provider’s services.

Table 2: Representative Vendors in the Security Orchestration, Automation and Response Market

Product, Service or Solution Name
Ayehu NG Platform
D3 Security
Demisto Enterprise
EclecticIQ Platform
Security Operations
IR Flow
Source: Gartner (June 2019)

Vendor Profiles


ATAR

Founded in 2017 in Turkey, ATAR helps manage SOC activities by offering three main capabilities: playbooks and automation, incident management, and SOC analytics. ATAR provides comprehensive automation and tight SIEM integrations. ATAR also has capabilities to monitor key performance indicators (KPIs) via customizable dashboards.


Ayehu

Founded in 2007, Ayehu offers the Ayehu NG platform, a web-based IT automation and orchestration solution for security and IT operations. Its key features are playbook scheduling, selective alerting to support remote control of incidents, audit trail generation, rollback of changes to workflows, and role-based access to workflows in order to maintain access segregation for both teams (IT and security). Also, Ayehu NG uses machine learning to suggest playbooks and the creation of rules. In addition, Ayehu NG bridges the gap between IT and security operations (network operations center [NOC] and SOC), streamlining automated workflow processes and tasks, and resolving IT and security alerts and incidents to improve SLAs.


Cyberbit

Founded in 2015 as a spinoff of Elbit Systems, Cyberbit delivers SOAR through its SOC 3D platform. SOC 3D is based on three major capabilities: orchestration, automation and big data investigation, and includes a playbook builder for playbook creation and editing. Cyberbit also offers Cyberbit Range for training and simulation, SCADAShield and SCADAShield Mobile for OT visibility and detection of threats, and Cyberbit Endpoint Detection and Response (EDR) for endpoint detection and response. These products can optionally integrate with the SOAR platform for IT/OT detection and response.


CyberSponse

Founded in 2011, CyberSponse is one of the few cybersecurity companies that is bootstrapped, with no outside investor or investment firm. Its current CyOps SOAR tool focuses mainly on incident response orchestration and automation, vulnerability management, fraud automation, and case management. Included within its playbook automation are some TIP features. CyOps has more than 275 out-of-the-box connectors and 200 out-of-the-box playbooks covering all major vendors and technologies.

D3 Security

Founded in 2002 to support incident/case management for security and privacy, D3 Security emerged in 2004 with a focus on incident response. D3 Security is self-funded by its founders with no outside investment. Today, D3 Security offers a SOAR tool designed to respond to adversarial intent with automated kill chain playbooks based on the MITRE ATT&CK framework or other tactics, techniques and procedures (TTP) resources. The tool has powerful RBAC and chain-of-custody features, TIP capabilities, and more than 200 connectors to date. The tool is sold as a modular platform with specific modules sold separately. For each module, pricing is based on the number of users (e.g., SOC analysts, not the number of employees in the organization).


Demisto

Founded in 2015, Demisto raised $69 million and was acquired by Palo Alto Networks in February 2019 for $560 million — emphatic proof of the perceived value of these tools. Demisto’s focus has been to optimize the efficiency of security operations by offering a single platform for SOC analysts to manage incidents, automate and standardize incident response processes, and collaborate on incident investigations. Demisto makes use of machine learning (ML) to support functions such as incident triage or to offer SOC analysts some suggestions for next steps. Demisto offers a War Room for analysts to collaborate on investigating incidents, with action being autodocumented for post-incident reporting. Demisto offers robust incident/case management and playbook automation features, and more than 300 product integrations out-of-the-box. Pricing is based on the number of users (e.g., SOC analysts, not the number of employees in the organization).


DFLabs

A technology company since 2013, DFLabs is a SOAR provider focusing on incident response and threat intelligence for use by the SOC, the computer security incident response team (CSIRT) and MSSPs. The SOAR solution supports the security incident life cycle using R3 Rapid Response Runbooks (referred to as playbooks by other vendors) that execute workflows and data enrichment, notification, containment, and custom actions. DFLabs uses machine learning in two situations: to recommend actions based on the steps taken for similar or related threats, and to prefilter security events during triage. DFLabs’ incident management support enables the documentation of physical and logical evidence and audit logs, and the documentation of policies, procedures and best practices in the knowledge base.


EclecticIQ

Founded in 2014, EclecticIQ is a provider of technology and services for the aggregation, analysis and sharing of threat intelligence and its operationalization through downstream integrations. A key feature of EclecticIQ is the ability to enable analysts to leverage intelligence-led techniques for threat hunting, incident response, threat and threat actor enumeration, and tracking. Another capability, called Fusion Center, eases selection of upstream intelligence sources by offering single and fused bundles of intelligence at fixed prices. Clients can select from a wide range of commercial and open-source threat intelligence feeds that are fused according to the themes most relevant to the customer.

IBM Resilient

IBM Resilient, founded in 2010 as Co3 Systems and acquired by IBM in 2016, provides workflow, case management, and orchestration and automation capabilities for security and privacy teams at hundreds of customers. The three features that Resilient focuses on are case management, orchestration and automation, and human- and machine-based intelligence. The solution is delivered via software for on-premises deployments or via SaaS model; it is also available as an MSSP offering for managed service providers and forms part of IBM’s X-Force Threat Management Service offering. Resilient also leverages the IBM X-Force Exchange where IBM, technology partner and user-created apps can be shared.


Rapid7

Founded in 2000, Rapid7 acquired Komand — a SOAR vendor — in July 2017 and is now offering a SOAR product called InsightConnect. InsightConnect’s security orchestration and automation helps security analysts optimize SOC operations through a library of more than 270 plug-ins and a visual workflow builder that requires little to no code. The automation capabilities in Rapid7’s vulnerability management solution (InsightVM) and its cloud SIEM solution with embedded UEBA (InsightIDR) mean that customers can automate processes for automation-assisted patching and threat containment. InsightConnect is only available as a cloud-based solution, and is part of Insight, Rapid7’s broader security management platform.


Resolve

Founded in 2014, Resolve’s orchestration and automation platform aims to bridge security and IT processes with prebuilt connectors for both security and IT infrastructure systems. The Resolve platform focuses mainly on incident response and case management but has expanded into preventive capabilities such as secure provisioning, patch management and audit trails. The platform provides playbooks based on NIST SP 800-61 Revision 2 (Computer Security Incident Handling Guide). Also, its case management capability stores all artifacts and actions that relate to the incident and provides a contextual recommendation for each step to accelerate response.


ServiceNow

Security Operations is the product from ServiceNow that provides a security orchestration and automation solution that is used by hundreds of customers. Security Operations is delivered from the Now Platform as SaaS and provides workflow, case management, orchestration and automation, and threat intelligence management. Additional capabilities also address vulnerability management; security operations metrics, reporting and dashboards; configuration compliance; and governance, risk and compliance. Three service packages (Standard [security incident response or vulnerability response], Professional and Enterprise) are available, with Enterprise being required to get the fullest set of SOAR capabilities, including orchestration.


Siemplify

Founded in 2015 in Tel Aviv, Israel, Siemplify is used mainly for SOC activities with an easy-to-use user interface. Siemplify provides context-driven investigation capabilities that visually correlate incidents and group alerts to help the analyst reduce time to respond. Along with case management, it helps control the flow of incidents across the SOC analysts. Also, Siemplify uses machine learning capabilities to prioritize and suggest which analyst would be best for a specific incident. Multitenancy capabilities are also promoted for managed service users. Siemplify also provides dashboards and reporting for tracking and SOC metrics, and recently added crisis management and analyst collaboration modules as part of version 5.0.


Splunk

Phantom Cyber, founded in 2014, was acquired by Splunk in 2018. The Splunk Phantom solution provides orchestration and automation capabilities along with case management functionality. Splunk Phantom is deployed on-premises as software. Additional functionality includes its central view, called Phantom Mission Control, as well as its recommendation capability, called Mission Guidance. Logical data separation is available to provide multitenancy capabilities for managed services users. The licensing model is based on events per day (EPD). An event is only considered a notable event if it was acted upon. In other words, not everything ingested into the Phantom solution is actioned; thus, not all the events will be charged for. Once an event is actioned, the customer has unlimited actions within that specific event. They can do whatever they need to, for example, run playbooks multiple times.


Swimlane

Founded in 2014, Swimlane focuses on the orchestration and automation of existing security controls, interacting with over 850 APIs for an organization’s existing technology stack, and can let an organization reuse existing scripts. A key capability is for clients to develop playbooks that visually represent complicated security operations workflows using a drag-and-drop-type of paradigm where analytics and automation can be brought to bear on operations. This allows security teams to achieve better accuracy, consistency and time efficiency for analysts.


Syncurity

Syncurity was founded in 2014. The Syncurity IR Flow solution focuses on orchestration, automation, dashboards and reporting, with alert triage, incident management and collaboration capabilities. The solution is positioned as end-to-end case management. Validated incidents that can be programmatically defined are handled through automation to allow for focusing on unvalidated events requiring analyst involvement. Dynamic risk scoring is a feature, and an analyst workbench is provided for investigation and cross-analyst collaboration. The solution is delivered as software, and support is provided as on-premises or private cloud deployment for enterprises and managed security service providers, including multitenancy and granular role-based access control (RBAC) features.


ThreatConnect

Founded in 2011, ThreatConnect has an architecture delivering both threat intelligence platform (TIP) and security orchestration and automation (SOA) features from the same product. ThreatConnect’s large ecosystem of integrations (built internally and by third parties) allows for the application of intelligence from both internal and external sources to security processes and workflows. In recent years, ThreatConnect has expanded on its TIP heritage to also deliver further orchestration and automation capabilities that aid in a wide range of SOAR use cases.


ThreatQuotient

Founded in 2013, ThreatQuotient delivers the ThreatQ platform, which relies on threat intelligence and contextual information to drive a score-driven triage process that helps prioritize actions across a variety of security operations use cases. Also, ThreatQ delivers a user interface that supports investigation to improve the understanding of threats, promote collaboration across different teams and enable the execution of playbooks to perform data enrichment and other response actions. Also, the offering uses a learning system that captures feedback from other systems to inform incident triage, taking into consideration the results of previous events through a self-tuning capability that makes the system more and more customer-specific over time.

Market Recommendations

Security and risk management leaders should consider SOAR tools in their security operations to meet the following goal: improve security operations efficiency and efficacy.
SOAR tools offer a way to orchestrate and automate response. A common use case would be consuming events from a SIEM to enrich the context of an alert. The events most amenable to automation are the ones with the lowest risk of being false positive. For example, with a user credential lockout, SOAR can be used to execute a playbook to validate if this event is based on human error (e.g., user forgot the password) or verify if this event might be a brute-force attack. For both options, the analyst would have to execute a series of steps that would force the account to change the password, which could be automated through consistent workflow execution. This is beneficial for many reasons, including:
  • Performing the task faster equals better time to resolution. The longer an issue is left unaddressed, the worse it can become, leaving the organization in a potentially risky situation for longer periods of time. Ransomware, for example, is a threat that can get exponentially worse with time.
  • Staff shortages are a critical issue for many organizations. The ability to handle processes more efficiently means that security analysts spend less time on each incident and can therefore handle and respond to more incidents, even with fewer resources available.
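The credential-lockout playbook described above, worked through as an added example. This is illustrative code written for this page, not Gartner's or any SOAR vendor's; the event shape, the classification thresholds and the sample events are constructed assumptions.

```python
"""SOAR-style playbook for triaging an account-lockout alert.

Added example for this page; it is not code from Gartner or any SOAR vendor.
The event shape, the thresholds and the sample events are constructed here.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class Verdict:
    classification: str            # "human_error", "brute_force" or "no_failures"
    actions: List[str] = field(default_factory=list)
    evidence: Dict[str, int] = field(default_factory=dict)


def max_failures_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of failures that fall inside any span of length `window`."""
    best, start = 0, 0
    for end, t in enumerate(times):          # times must be sorted ascending
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage_lockout(events: List[dict], window: timedelta = timedelta(minutes=5),
                   burst_threshold: int = 10) -> Verdict:
    """Decide whether a lockout looks like a forgotten password or a brute-force attempt.

    Heuristic (an assumption of this example): failures from more than one source
    address, or more than `burst_threshold` failures inside `window`, indicate an
    attack; a handful of failures from a single source looks like human error.
    """
    failures = [e for e in events if e["outcome"] == "failure"]
    if not failures:
        return Verdict("no_failures", ["close_alert"])
    times = sorted(datetime.fromisoformat(e["ts"]) for e in failures)
    sources = Counter(e["src"] for e in failures)
    evidence = {
        "failures": len(failures),
        "distinct_sources": len(sources),
        "max_in_window": max_failures_in_window(times, window),
    }
    # Either way the account must change its password; these are the steps the
    # text describes as being automated through a consistent workflow.
    actions = ["force_password_reset", "notify_account_owner"]
    if evidence["distinct_sources"] > 1 or evidence["max_in_window"] > burst_threshold:
        actions += [f"block_source:{ip}" for ip in sorted(sources)]
        actions.append("escalate_to_analyst")
        return Verdict("brute_force", actions, evidence)
    actions += ["unlock_after_reset", "close_alert"]
    return Verdict("human_error", actions, evidence)


def _constructed_events(src_ips, count, start, spacing):
    """Build constructed sample events in the shape a SIEM might forward."""
    return [{"ts": (start + i * spacing).isoformat(timespec="seconds"),
             "src": src_ips[i % len(src_ips)], "outcome": "failure"}
            for i in range(count)]


# Constructed sample data: one user mistyping a password five times over three
# minutes, and one account hammered from three addresses in under two minutes.
HUMAN_ERROR_EVENTS = _constructed_events(["10.1.1.5"], 5,
                                         datetime(2019, 6, 27, 8, 0, 0), timedelta(seconds=45))
BRUTE_FORCE_EVENTS = _constructed_events(["203.0.113.7", "203.0.113.8", "198.51.100.9"], 40,
                                         datetime(2019, 6, 27, 3, 0, 0), timedelta(seconds=3))

if __name__ == "__main__":
    for name, evs in (("human error", HUMAN_ERROR_EVENTS), ("brute force", BRUTE_FORCE_EVENTS)):
        v = triage_lockout(evs)
        print(f"{name}: {v.classification} {v.evidence} -> {v.actions}")
```

The two thresholds are the part an organization tunes to its own lockout policy; the forced password change runs in both branches, while only the brute-force branch blocks sources and hands the case to an analyst, which keeps the automated path to the low-false-positive outcome.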
SOAR Tool Advice
In terms of product selection, security and risk management leaders should favor SOAR solutions that:
  • Deliver the use cases needed to complement their existing set of security products for managing the SOC. For instance, some clients prefer to use the company ticketing system rather than a dedicated case management solution, and instead place more value on threat investigation capabilities. Buying a SOAR solution today must be driven by the use case: SOC optimization, threat monitoring and response, threat investigation and hunting, and threat intelligence management.
  • Offer the capability to easily code an organization’s existing playbooks that the tool can then automate, either via an intuitive UI and/or via a simple script.
  • Optimize the collaboration of analysts in the SOC, for example, with a chat or IM framework that makes analysts’ communication more efficient, or with the ability to work together on complex cases.
  • Have a pricing cost that is aligned with the needs of the organization and that is predictable. Avoid pricing structures based on the volume of data managed by the tool or based on the number of playbooks run per month, as these metrics carry an automatic penalty for more frequent use of the solution.
  • Offer flexibility in the deployment and hosting of the solution — either in the cloud, on-premises or a hybrid of these — to accommodate organizations’ security policies and privacy considerations, or organizations’ cloud-first initiatives.

Note 1: Representative Vendor Selection

Gartner is tracking 28 vendors in the SOAR market. The vendor list below, capped at 18, includes only sample representative vendors that appear most frequently in analyst interactions with Gartner clients.

Note 2: Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market and focuses on the market definition, rationale for the market and market dynamics.

Threat Modelling – A practical method

Threat modelling is an exercise to generate use cases and content aligned to key business risks or concerns around specific assets. The questions asked are no different from those used when probing for cyber operations optimisation.

Asset Modelling

Capture asset value aligned to the Traffic Light Protocol, and allow for a heightened response for red and yellow assets.



Security architecture anti-patterns


At the NCSC, our technical experts provide consultancy to help SMEs and larger organisations build secure networks and systems.

This security paper describes some common patterns we often see in system designs that you should avoid. We’ll unpick the thinking behind them, explain why the patterns are bad, and most importantly, propose better alternatives.

This paper is aimed at network designers, technical architects and security architects with responsibility for designing systems within large organisations. Technical staff within smaller organisations may also find the content useful.



A few quick points on terminology before we start.


The term ‘anti-pattern’ is now used to refer to any repeated (but ineffective) solution to a common problem. It is credited to Andrew Koenig, who coined it in response to the seminal book ‘Design Patterns: Elements of Reusable Object-Oriented Software’.


Computer systems rarely exist in isolation. That is, they connect to networks and other systems. You might trust some of these other networks and systems more than others, and the owners of those might not trust yours at all. We use the terms:

  • less trusted (or low side) to refer to the system in which we have less confidence in its integrity
  • more trusted (or high side) to refer to the system in which we have more confidence in its integrity

Information technology vs operational technology

When thinking about trust and integrity, we consider administration of information technology to have broadly similar requirements to the operation of operational technology. Our examples below focus on the more typical information technology examples, but we think many of the concepts can be used in operational technology environments too.

Anti-pattern 1: ‘Browse-up’ for administration

When administration of a system is performed from a device which is less trusted than the system being administered.

Unfortunately it is all too common to see ‘browse-up’ approaches to administering systems, which proves that common practice isn’t always good practice. In such scenarios, an end user device used by an administrator can be one of the easiest paths into the target system, even if access is via a ‘bastion host’ or ‘jump box’.

In computer systems where integrity is important (whether in digital services which handle personal data or payments, through to industrial control systems), if you don’t have confidence in devices that have been used to administer or operate a system, you can’t have confidence in the integrity of that system.

There’s a common misconception that a bastion host or jump box is a good way of injecting trust into the situation, to somehow get confidence in the actions an administrator is taking from a device you don’t trust. Unfortunately, that’s not possible.

Bastion hosts are useful for helping monitor and analyse the actions that administrators are performing, and they can help you avoid exposing more than one protocol outside of your system for administration purposes. But they won’t help you be confident that the user on the device is the person you intended to allow access to. Behind the scenes, the credentials used to authenticate to the jump box could have been compromised (a reasonable assumption, given the device is less trusted). Even if administrators are authenticating their sessions with two factors, there is still the potential for malware to perform session hijacking on remote desktop or shell connections in the same way that online banking sessions are hijacked. Having gained access, the attacker can perform additional actions on behalf of the administrator. The system is under their control.

How to identify this anti-pattern

Here are three ways you can identify browse-up administration:

  1. By looking for administration activities performed via a remote desktop (or remote shell) from a device which is part of a less trusted system.
  2. By looking for outsourcing or remote support connections where a third party uses a remote desktop or shell to reach into a network. If you’ve got confidence in the integrity of the device used by the third party, then this isn’t a browse-up problem, but if you have less confidence in their system than in yours, then it is.
  3. Finally, any device which browses the web or reads external email is untrusted. So if you find an administrator using a remote desktop or shell to perform administration from the same processing context that they browse the web (or read their external email) from, then that’s browsing-up too.

A better approach: ‘browse-down’

You should always use devices that you have confidence in the integrity of for administration of production systems. Those devices need to be kept hygienic (that is, they should not natively browse the web or open external email, as those are dangerous things for an administration device to do).

If, for convenience, you want to do those things from the same device, then we recommend that you ‘browse-down’ to do so. In a ‘browse-down’ model, the riskier activities are performed in a separate processing context. The strength of separation can be tailored to your needs, but the goal is to ensure that if an activity in the less trusted environment led to a compromise, then the attacker would not have any administrative access to the more trusted environment.

There are many ways in which you can build a browse-down approach. You could use a virtual machine on the administrative device to perform any activities on less trusted systems. Or you could browse-down to a remote machine over a remote desktop or shell protocol. The idea is that if the dirty (less trusted) environment gets compromised, then it’s not ‘underneath’ the clean environment in the processing stack, and the malware operator would have their work cut out to get access to your clean environment.

Further reading

Anti-pattern 2: Management bypass

When layered defences in a network data plane can be short-cut via the management plane.

It’s good practice to separate management communications from the normal data or user communications on a network. In some system architectures, this would be known as separating the data plane from the management plane. However, whilst it is common to separate these types of communications with network controls, it is a common mistake to only apply the defence-in-depth concept to the data plane. If the management plane offers an easier route to the ‘crown jewels’ of a computer system than the data plane, then this is a management bypass.

How to identify this anti-pattern

Look for management interfaces from components in different layers of a system all connected to a single switch used for management, without the layered separation that exists in the data plane.

A better approach: layered defences in management planes

The solution is simple; build similar layered defences into management planes to those you have in data planes. Good practices include:

  • manage from a higher trusted device, browsing down to lower trust layers
  • separate bastion hosts to manage systems in each trust boundary
  • different credentials for different layers to help prevent lateral movement
  • restrict how systems on the data plane communicate with management plane infrastructure and vice-versa
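The two identification steps above (browse-up administration in anti-pattern 1 and the flat management segment in anti-pattern 2) can both be checked mechanically once devices carry a trust tier. The following is an added example written for this page, not NCSC code; the trust-tier model, the inventory and the session records are assumptions constructed for illustration.

```python
"""Two architecture checks over a constructed inventory: browse-up administration
(anti-pattern 1) and management-plane bypass (anti-pattern 2).

Added example; not NCSC code. The trust-tier model, the inventory and the session
records are assumptions constructed for illustration.
"""
from typing import Dict, List

# Constructed inventory. `tier` is an integer trust level (higher = more trusted);
# `mgmt_segment` is the network segment carrying the device's management interface.
DEVICES: Dict[str, dict] = {
    "analyst-laptop": {"tier": 0, "mgmt_segment": None},         # browses the web, reads external mail
    "admin-paw":      {"tier": 3, "mgmt_segment": "mgmt-core"},  # hygienic administration workstation
    "web-server":     {"tier": 1, "mgmt_segment": "mgmt-dmz"},
    "edge-fw":        {"tier": 1, "mgmt_segment": "mgmt-flat"},
    "app-server":     {"tier": 2, "mgmt_segment": "mgmt-flat"},
    "db-server":      {"tier": 3, "mgmt_segment": "mgmt-flat"},
}

# Constructed administrative session records, as a remote desktop or SSH log might supply them.
SESSIONS: List[dict] = [
    {"user": "alice", "src": "analyst-laptop", "dst": "db-server",  "proto": "rdp"},
    {"user": "bob",   "src": "admin-paw",      "dst": "db-server",  "proto": "ssh"},
    {"user": "bob",   "src": "admin-paw",      "dst": "web-server", "proto": "ssh"},
    {"user": "carol", "src": "app-server",     "dst": "db-server",  "proto": "ssh"},
]


def find_browse_up(sessions: List[dict], devices: Dict[str, dict]) -> List[dict]:
    """Flag sessions where the administering device is less trusted than the target."""
    findings = []
    for s in sessions:
        src_tier = devices[s["src"]]["tier"]
        dst_tier = devices[s["dst"]]["tier"]
        if src_tier < dst_tier:
            findings.append({**s, "src_tier": src_tier, "dst_tier": dst_tier,
                             "finding": "browse-up administration"})
    return findings


def find_management_bypass(devices: Dict[str, dict]) -> Dict[str, List[int]]:
    """Flag management segments that join components from more than one trust tier.

    Such a segment lets whoever reaches one management interface step straight
    to a higher tier without crossing the data-plane defences.
    """
    tiers_by_segment: Dict[str, set] = {}
    for d in devices.values():
        seg = d["mgmt_segment"]
        if seg is not None:
            tiers_by_segment.setdefault(seg, set()).add(d["tier"])
    return {seg: sorted(t) for seg, t in tiers_by_segment.items() if len(t) > 1}


if __name__ == "__main__":
    for f in find_browse_up(SESSIONS, DEVICES):
        print(f"{f['user']}: {f['src']} (tier {f['src_tier']}) -> {f['dst']} (tier {f['dst_tier']})")
    for seg, tiers in find_management_bypass(DEVICES).items():
        print(f"{seg}: flat management segment spanning tiers {tiers}")
```

In the constructed data, bob administering from the hygienic workstation is the browse-down case and passes, while the session from the analyst laptop and the one from the application tier into the database tier are both flagged; the single `mgmt-flat` segment spanning three tiers is the management bypass.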

Further reading

Anti-pattern 3: Back-to-back firewalls

When the same controls are implemented by two firewalls in series, sometimes from different manufacturers.

There seems to be a widely believed myth that the security benefit of ‘doubling up’ on firewalls to implement the same set of controls is a worthwhile thing to do. Some also believe that it is preferable for the two firewalls to come from different manufacturers, their thinking being that a vulnerability in one is unlikely to be present in the other. In our experience this almost always adds additional cost, complexity, and maintenance overheads for little or no benefit.

Let’s explore why we see little benefit in back-to-back firewalls in almost all cases. Take the example of an OSI layer 3/4 firewall. It has a simple job to do; control which network communications can pass through the device, and which ones can’t. Putting two layer 3/4 firewalls in series is analogous to draining boiled potatoes with two colanders rather than one – it just creates more washing up.

But what if there was a vulnerability that can be exploited in a single firewall? Well, yes, that’s possible. There are vulnerabilities in most things after all. But firewalls don’t tend to have vulnerabilities that can be exploited to yield code execution from processing the header of a TCP/IP packet. They tend to have vulnerabilities in their management interfaces, so you shouldn’t expose their management interfaces to untrusted networks.

Even if there were vulnerabilities discovered in the data plane interfaces of a firewall, applying patches swiftly after their release would mean that any attack would need to exploit a zero-day vulnerability, rather than a well-known vulnerability. Furthermore, defence-in-depth design would mean that it should take more than a firewall breach to compromise sensitive data or the integrity of a critical system, and needing two zero-days to be exploited puts the attacker’s capability level well beyond the threat model for most systems.

Having two firewalls would also double your admin overhead, and if you require two different vendors then you need to retain expertise in both, which adds still more cost and complexity. Plus, you have more infrastructure to maintain, and most of us find it hard enough to keep up with patching one set of network infrastructure.

However, there is one exception where we’ve found two firewalls to be useful; for supporting a contractual interface between two different parties. We cover this exception at the end of this section.

How to identify this anti-pattern

Look for two firewalls in series in a network architecture diagram.

A better approach: do it once, and do it well

One well-maintained, well-configured firewall or network appliance is better than two poorly maintained ones. We also recommend the following good practices:

  • avoid exposing the management interfaces of network appliances to untrusted networks, and properly manage the credentials used with them
  • have a simple policy configuration to reduce the chance of mistakes being introduced
  • use configuration management tools to ensure you know what the configuration should be, so you can tell when it isn’t correct (a tell-tale sign of compromise or internal change procedures not being followed)
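The third good practice above, knowing what the configuration should be so that you can tell when it isn't, as an added example written for this page (not NCSC code). The one-rule-per-line format, the expected policy and the running configuration are constructed for illustration.

```python
"""Comparing a firewall's running ruleset against the expected configuration.

Added example; not NCSC code. The one-rule-per-line format, the expected policy
and the running configuration are constructed for illustration.
"""
from typing import List, NamedTuple


class Rule(NamedTuple):
    action: str   # permit | deny
    proto: str    # tcp | udp | any
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # destination port or "any"


# Constructed source of truth, as a configuration management tool would hold it.
EXPECTED_POLICY = """\
permit tcp 10.0.0.0/8     -> 10.20.0.10/32 443
permit tcp 10.0.0.0/8     -> 10.20.0.11/32 443
permit udp 10.20.0.0/24   -> 10.30.0.53/32 53
deny   any any            -> any           any
"""

# Constructed running configuration pulled from the device: one rule has gone
# missing and one permit that nobody approved has appeared.
RUNNING_CONFIG = """\
permit tcp 10.0.0.0/8     -> 10.20.0.10/32 443
permit tcp 0.0.0.0/0      -> 10.20.0.10/32 22   # management reachable from anywhere
permit udp 10.20.0.0/24   -> 10.30.0.53/32 53
deny   any any            -> any           any
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed `action proto src -> dst port` format, ignoring comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if len(tokens) != 6 or tokens[3] != "->":
            raise ValueError(f"line {lineno}: unrecognised rule {raw!r}")
        action, proto, src, _, dst, port = tokens
        rules.append(Rule(action, proto, src, dst, port))
    return rules


def severity(rule: Rule) -> str:
    """Rate an unexpected rule: a permit open to any source is the worst case."""
    if rule.action == "permit" and rule.src in ("any", "0.0.0.0/0"):
        return "high"
    return "medium"


def drift_report(expected_text: str, running_text: str) -> dict:
    """Report rules missing from, or unexpectedly present in, the running config."""
    expected = parse_rules(expected_text)
    running = parse_rules(running_text)
    missing = [r for r in expected if r not in running]
    unexpected = [r for r in running if r not in expected]
    return {
        "missing": missing,
        "unexpected": [(r, severity(r)) for r in unexpected],
        "default_deny": bool(running) and running[-1].action == "deny" and running[-1].src == "any",
        "in_sync": not missing and not unexpected,
    }


if __name__ == "__main__":
    report = drift_report(EXPECTED_POLICY, RUNNING_CONFIG)
    for r in report["missing"]:
        print("MISSING   ", " ".join(r))
    for r, sev in report["unexpected"]:
        print(f"UNEXPECTED [{sev}]", " ".join(r))
    print("default deny present:", report["default_deny"])
```

Run against the device on a schedule, a non-empty `missing` or `unexpected` list is exactly the tell-tale sign the text describes: either someone changed the firewall outside the change process, or something did it for them. The short, simple policy is what makes the comparison trivially readable.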

The one exception

There is one example of using two firewalls back-to-back that makes more sense; to act as a contract enforcement point between two entities that are connecting to each other. If both parties agree on which subnets in their respective networks can communicate using which protocols, then both can ensure this is enforced by applying the agreed controls on a firewall they each manage.

Further reading

Anti-pattern 4: Building an ‘on-prem’ solution in the cloud

When you build – in the public cloud – the solution you would have built in your own data centres.

Organisations taking their first step into the public cloud often make the mistake of building the same thing they would have built within their own premises, but on top of Infrastructure-as-a-Service foundations in the public cloud. The problem with this approach is that you will retain most of the same issues you had within your on-prem infrastructure. In particular, you retain significant maintenance overheads for patching operating systems and software packages, and you probably don’t benefit from the auto-scaling features that you were hoping you’d gain in the cloud.

How to identify this anti-pattern

Look for:

  • database engines, file stores, load balancers and security appliances installed on compute instances
  • separate development (and test, reference, production etc.) environments left running 24/7
  • virtual appliances used without considering whether cloud-native controls would be suitable

A better approach: use higher order functions

Unless you’re quicker at testing and deploying operating system patches than your public cloud provider is, you are probably better off letting them focus on doing that. Compare their track record of patching operating systems against your own, and judge for yourself.

Similarly, when it comes to patching database engines (or other storage services), their higher abstraction Platform-as-a-Service offerings are likely to be maintained to a level that many large enterprises will be envious of. Using higher level services like these means:

  • unnecessary infrastructure management overhead is reduced
  • you can focus on the things that are unique to your organisation
  • your system is easier to keep patched to address known security issues

Further reading

Anti-pattern 5: Uncontrolled and unobserved third party access

When a third party has unfettered remote access for administrative or operational purposes, without any constraints or monitoring in place.

Many organisations outsource support for some or all of their systems to a third party. This isn’t necessarily a bad thing, unless done without understanding and managing the risks involved. If you outsource administration or operational functions, you’re dependent on another organisation to keep your system secure. The staff, the processes and the technology of the third party all need to be considered.

Leaving the staff and processes to one side for the moment, if a third party is administering your system, they will require access, often remotely. It’s common to allow third parties to have access through a bastion host, either over the internet from whitelisted locations, or over a private network. However, there are often not enough controls in place to limit the operations that can be performed via the bastion host. If this is the case, and a bastion host (or the device used by the third party) is compromised, then an attacker could gain significant access to connected systems.

Let’s take an example. Suppose you have purchased some niche technology that comes with a specialist support contract where the vendor needs remote access to support the device. In this case, the support organisation only needs access to the component they are supporting, and not to any other parts of your system. If you provided a bastion host that gave access to an internal network (and relied on their processes to only access the component they supported, rather than technically enforcing that process), then a breach of the supplier’s system (or of your bastion host) would be much more damaging than it could have been.

By locking these accesses down and efficiently auditing the connection, the risk of third party compromise can be greatly reduced.

How to identify this anti-pattern

It’s often possible to identify these relationships with third parties by looking for ‘umbilical cords’ out of network diagrams.

A better approach: a good contract, constrained access and a thorough audit trail

A good approach includes the following:

  1. Choose third parties carefully with a sensible contract that sets out the controls relating to the people, processes and technology you need to have confidence in.
  2. Constrained access following the principle of least privilege; only allow remote and authenticated users to have logical access to the systems they need to reach.
  3. Ensure you have the audit trail you need to support incident response and support effective protective monitoring. When it comes to incident response, will you be able to confidently know which commands were executed by which user from the third-party supplier?

We also recommend the following good practices when designing a remote access solution for third parties:

  • ask your supplier how they prevent attackers moving laterally between their other clients and your systems
  • ensure that remote support staff use multi-factor authentication and ensure they do not share credentials – this will help you account for individual actions in event of a breach
  • provide separate isolated third party access systems for different third parties
  • consider using a just-in-time administration approach, only enabling remote administrative access in relation to a support ticket that is being actively worked on
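The constrained, ticket-bound access and the per-user audit trail recommended above, as an added example written for this page (not NCSC code). The ticket model, the broker API and the scenario are assumptions constructed to illustrate the practices in the text; a real deployment would sit this logic in front of the bastion host or remote access gateway.

```python
"""Just-in-time, ticket-bound remote access for a third-party supplier, with an audit trail.

Added example; not NCSC code. The ticket model, the broker API and the scenario
below are assumptions constructed to illustrate the practices in the text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Ticket:
    ticket_id: str
    component: str   # the single component the supplier is contracted to support
    status: str      # "open" or "closed"


@dataclass
class Grant:
    user: str        # a named individual, never a shared supplier account
    ticket_id: str
    component: str
    expires_at: datetime


class ThirdPartyAccessBroker:
    """Grants time-boxed access scoped to one component and records every decision."""

    def __init__(self, tickets: List[Ticket], ttl: timedelta = timedelta(hours=2)):
        self.tickets: Dict[str, Ticket] = {t.ticket_id: t for t in tickets}
        self.ttl = ttl
        self.grants: Dict[str, Grant] = {}
        self.audit: List[dict] = []

    def _log(self, now, user, ticket_id, target, action, allowed, reason):
        self.audit.append({"time": now.isoformat(), "user": user, "ticket": ticket_id,
                           "target": target, "action": action, "allowed": allowed,
                           "reason": reason})

    def request_access(self, user: str, ticket_id: str, mfa_verified: bool,
                       now: datetime) -> Optional[Grant]:
        """Issue a grant only for an open ticket and an MFA-verified individual."""
        ticket = self.tickets.get(ticket_id)
        if ticket is None or ticket.status != "open":
            self._log(now, user, ticket_id, None, "request", False, "no active ticket")
            return None
        if not mfa_verified:
            self._log(now, user, ticket_id, None, "request", False, "mfa required")
            return None
        grant = Grant(user, ticket_id, ticket.component, now + self.ttl)
        self.grants[user] = grant
        self._log(now, user, ticket_id, ticket.component, "request", True, "granted")
        return grant

    def authorize_command(self, user: str, target: str, command: str, now: datetime) -> bool:
        """Allow a command only inside an unexpired grant, against the granted component."""
        grant = self.grants.get(user)
        if grant is None:
            self._log(now, user, None, target, command, False, "no grant")
            return False
        if now >= grant.expires_at or self.tickets[grant.ticket_id].status != "open":
            del self.grants[user]        # revoke: window elapsed or ticket closed
            self._log(now, user, grant.ticket_id, target, command, False, "grant revoked")
            return False
        if target != grant.component:
            self._log(now, user, grant.ticket_id, target, command, False, "out of scope")
            return False
        self._log(now, user, grant.ticket_id, target, command, True, "ok")
        return True


def demo_scenario() -> List[dict]:
    """Constructed walk-through; returns the audit trail it produced."""
    t0 = datetime(2020, 1, 24, 9, 0, 0)
    m = timedelta(minutes=1)
    broker = ThirdPartyAccessBroker([Ticket("INC-1001", "niche-appliance", "open"),
                                     Ticket("INC-0999", "niche-appliance", "closed")])
    broker.request_access("vendor.tech", "INC-0999", mfa_verified=True, now=t0)   # closed ticket
    broker.request_access("vendor.tech", "INC-1001", mfa_verified=False, now=t0)  # no MFA
    broker.request_access("vendor.tech", "INC-1001", mfa_verified=True, now=t0)   # granted
    broker.authorize_command("vendor.tech", "niche-appliance", "show version", t0 + 5 * m)
    broker.authorize_command("vendor.tech", "db-server", "ls /", t0 + 6 * m)           # out of scope
    broker.authorize_command("vendor.tech", "niche-appliance", "reboot", t0 + 180 * m)  # window elapsed
    broker.authorize_command("vendor.tech", "niche-appliance", "reboot", t0 + 181 * m)  # no grant left
    return broker.audit


if __name__ == "__main__":
    for entry in demo_scenario():
        print(entry)
```

Every entry in the audit trail names the individual, the ticket, the target and the command, which is what lets you answer the question in point 3 above after an incident; the grant expiring with the ticket is the just-in-time behaviour from the last bullet.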

Further reading

Anti-pattern 6: The un-patchable system

When a system cannot be patched due to it needing to remain operational 24/7.

Some systems need to run 24/7. A lack of foresight could mean a system can’t have security patches applied without scheduling a large window of downtime. Depending on the technologies and the complexity, it may require a window of hours (or days) to apply a patch, which could be an unpalatable length of operational downtime. As time goes by, the option to defer applying security patches could mean you’re left with a huge number to apply during a maintenance window. Applying so many patches at once has now become too much of a risk, so you’re trapped in a vicious circle with a system that’s virtually un-patchable.

How to identify this anti-pattern

Look for a lack of redundancy within system architectures. Systems which require all components to be operational at all times do not lend themselves to phased upgrades, where the system could remain operational whilst undergoing maintenance.

The lack of a representative development or reference system (or ability to quickly create one) can signify a related problem. If the system owners have no confidence that the development or reference system is similar to the production system, then this can contribute to a fear of affecting stability by patching.

A better approach: design for ‘easy’ maintenance, little and often

One of the NCSC’s design principles is to design for easy maintenance. In some systems, this could mean ensuring you can patch a system in phases, without needing to disrupt operations. Whilst this would likely require higher infrastructure cost, some of the overall lifetime costs could be lower when factoring in:

  • fewer, shorter outages
  • reduced risk of compromise (which could incur a costly incident response)

Further reading



Using Mitre ATT&CK for Cyber Threat Intelligence Training

Module 1: Introducing training and understanding ATT&CK
Module 2 with Exercise 2: Mapping to ATT&CK from finished reporting

Exercise 2: Mapping from finished reporting

Cybereason Cobalt Kitty Report: we walk through this exercise in the video and slides.

FireEye APT39 Report: we do not walk through this exercise in the video and slides, but if you would like more practice mapping finished reporting to ATT&CK, we recommend you do this exercise on your own.

Module 3 with Exercise 3: Mapping to ATT&CK from raw data

Exercise 3: Working with raw data

Ticket 473822: we walk through this exercise in the video and slides.

Ticket 4473845: we walk through this exercise in the video and slides.

Module 4 with Exercise 4: Storing and analyzing ATT&CK-mapped intel

Exercise 4: Comparing layers in ATT&CK Navigator

  • Comparing Layers in Navigator
    Provides detailed instructions for using Navigator to compare techniques used by APT39 and Cobalt Kitty (OceanLotus). You may find it useful to print this document (in color if possible) to have it as a reference as you work through the exercise on your screen.
  • APT39 and Cobalt Kitty techniques
    A list of the techniques used by APT39 and Cobalt Kitty (OceanLotus) extracted from the reports in Exercise 2. If you are already familiar with Navigator, you could use these techniques to try to create and compare layers yourself.
Module 5 with Exercise 5: Making ATT&CK-mapped data actionable with defensive recommendations

Exercise 5: Making defensive recommendations

Guided Exercise: we walk through this exercise in the video and slides. Guides you through the steps for making defensive recommendations from ATT&CK techniques, with specific questions and assumptions provided for each step.

Unguided Exercise: we do not walk through this exercise in the video and slides, but if you would like more practice making defensive recommendations directly related to your own organization, we recommend you do this exercise on your own. Provides steps for making defensive recommendations from ATT&CK techniques.


NICE Cybersecurity Workforce Framework

The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), published by the National Institute of Standards and Technology (NIST) in NIST Special Publication 800-181, is a nationally focused resource that establishes a taxonomy and common lexicon to describe cybersecurity work, and workers, regardless of where, or for whom, the work is performed.

Is Cybersecurity Insurance a Good Investment? Here Are 4 Factors to Consider

By Michael A. Davis, CTO, GoSecure

In short:

  • Information security is an agenda item in every board meeting, said 72% of executives in a recent survey
  • CFOs should prepare for queries on whether existing insurance will protect the company (hint: probably not)
  • When evaluating specialized policies, dig into how mature the insurer requires your processes to be in order to pay a claim

Contractual requirements from third-party suppliers and funders as well as regulatory changes mean CFOs are increasingly being asked, “What are you doing to ensure the company can withstand the financial impact of a breach?”

A typical response: “We rely on insurance policies, such as general liability and errors-and-omissions coverage, to help reduce risk.”

Unfortunately, despite multiple court cases, attempts to have breach-related costs covered by these policies have failed. A successful attack can be devastating, especially for small businesses. Don’t assume standard insurance will protect you.

Cybersecurity insurance, which is specifically designed to address data-breach-related expenses including forensic investigations; monetary losses, such as for ransom payments, a key purchase driver; customer and supplier notifications; and ensuing lawsuits, may seem like the solution. A recent report by credit rating agency A.M. Best said direct premiums written for both standalone and packaged cyber policies grew about 12% in 2018, up from $1.8 billion to $2.0 billion.

Is this insurance right for your company? Here are important considerations.

Are we contractually required to buy a policy?

Regulators do not mandate cyber coverage, but many third-party contracts now routinely require some form of cybersecurity insurance for partners within the supply chain, with the goal of lowering the cost to the vendor for performing breach investigations.

Suppliers are getting much more diligent about asking for proof of insurance each year. If you are a link in a supply chain, ensure the CIO or CISO and legal team carefully and regularly review insurance requirements related to your suppliers, customers and regulatory bodies.

It’s likely at least one partner requires an up-to-date cybersecurity insurance policy.

Do we have the expertise and discipline to follow insurer requirements to the letter?

Despite these packages being widely marketed, historical information on how they perform in the real world is relatively sparse. One thing, however, is clear: If you don’t follow policy requirements exactly, you will not be covered.

Every cybersecurity insurance policy requires your organization to meet a minimum set of expectations regarding common IT processes, such as asset inventory, patching, vulnerability management and incident response. Do not just check the boxes because you assume IT is on top of it. If you do not have written policies, if you do not formally track patching processes and metrics, if you have not performed an incident response tabletop exercise, guess what? You will not be able to prove you are doing what the provider requires to reduce risk.

When a breach does occur, if you can’t readily provide documentation, your claim will likely be denied.

For example, say you attest that “encryption is strictly enforced on all laptops authorized to contain customer data.” If the CIO can’t prove that disk encryption was enabled on a stolen PC containing confidential customer information, you’re out of luck. Remember, IT won’t have the laptop in question. How will you prove that encryption was installed and running?

Similarly, you might need to agree that your organization “scans monthly for known vulnerabilities.” But if IT actually runs scans ad-hoc or not at all, and your organization is hacked via a known security flaw, you will not be covered. Note that truly unknown zero-day attacks account for a small percentage of successful breaches.

Your IT team can’t just talk the talk, they need to have mature processes in place. But in my experience, many don’t.

If you are deficient, answer honestly. Your premiums may go up, but that’s better than not getting the payment you’re depending on during a time of need. Alternatively, use the purchase as an opportunity to improve your security posture. Many insurance carriers offer free or low-cost services to help.

Do I know the lingo?

I have seen terminology variances lead to policies not covering what organizations thought they did. The primary place I see confusion with CFOs is the difference between first-party and third-party coverage.

First-party coverage includes costs directly related to your organization’s handling of a breach, items such as customer notification, business interruption and forensics fees. Third-party covers claims related to losses to your customers or vendors due to your breach. Many vendors require third-party coverage for their contracts, but your organization needs both!

Furthermore, IT terms are used differently by different providers. As your organization compares policies, keep in mind that one issuer’s required elements of a risk assessment may not be the same as another’s. Your standard practices may be perfectly acceptable for one provider but not good enough for another. Before launching an expensive overhaul of security policies, shop around.

Can we afford it?

If you have not shopped for cyber insurance, the bad news is, it’s more expensive than you expect. There’s not enough historical data to help actuaries assess likely breach costs, so providers are charging high premiums to make sure they won’t lose money.

In addition, there is no standard cybersecurity policy. Everything is modular and based on your organization’s maturity. Comparing policies from various providers can be difficult, and if you don’t select the right options, you may not get the coverage you need.

Spend time walking through scenarios — the closer they mirror your incident response tabletop exercise, the better. If you or anyone within your IT or security team is confused, stop. Make sure you understand every nuance before writing a check.

Keep in mind that these policies are not a replacement for a full set of technical controls. Most policies do not cover reputation damage or the cost of your IT organization identifying the problem, executing a response and continuing to operate the business during the breach — something most organizations never test or plan for.

So, should you have a cybersecurity insurance policy? My general recommendation is a resounding “YES!… But.”

If your organization is not mature enough to execute on the minimum requirements for a comprehensive policy, spend the money there before paying premiums.

Shop around. The top cyber insurance providers are Chubb, Axa US and AIG, with the top policy writers being Hartford, Liberty Mutual and Farmers. There is not much distinction in the coverage you can get from each; however, their processes, in terms of evaluating and assessing your risk, are very different. I recommend sticking with a top-tier provider, even though it may demand more mature IT processes and security policies versus a new or niche insurer. I believe a rising tide lifts all boats, and the work IT does to meet a blue-chip insurer’s requirements will pay dividends in your third-party supplier and regulatory relationships.

Magic Quadrant for WAN Edge Infrastructure

Published 26 November 2019 – ID G00376745 – 67 min read

WAN edge infrastructures are undergoing major changes as infrastructure and operations leaders responsible for networking face dynamic and expanding business demands. I&O leaders must identify vendors that address the requirement to support applications with on-premises and cloud-based deployments.

Strategic Planning Assumptions

  • Through 2021, more than 80% of SD-WAN solutions will continue to be delivered on dedicated hardware, rather than universal customer premises equipment (uCPE), due to performance, price and simplicity.
  • By 2023, to deliver cost-effective scalable bandwidth, 30% of enterprise locations will only have internet WAN connectivity, compared with fewer than 10% in 2019.
  • By 2024, to enhance agility and support for cloud applications, 60% of enterprises will have implemented SD-WAN, compared with fewer than 20% in 2019.

Market Definition/Description

Wide-area network (WAN) edge infrastructure provides network connectivity from distributed enterprise locations to access resources in both private and public data centers, as well as the cloud, via infrastructure as a service (IaaS) and software as a service (SaaS). It is typically procured by senior networking leaders in the infrastructure and operations (I&O) organization. This market is evolving from traditional branch routers (often called “customer edge routers” in a Multiprotocol Label Switching [MPLS] implementation). It is undergoing dramatic change, driven by the needs of digital business transformation and the demands of line of business (LOB) managers.
The market for branch office WAN edge functionality continues to shift from dedicated routing, security and WAN optimization appliances to feature-rich software-defined WAN (SD-WAN) and, to a lesser extent, uCPE platforms. SD-WAN is replacing routing and adding application-aware path selection among multiple links, centralized orchestration and native security, as well as other functions. Consequently, the market includes incumbent and emerging vendors from multiple adjacent markets (namely routing, security, WAN optimization and SD-WAN), each bringing its own differentiators and limitations.
WAN edge functionality can exist on or off the enterprise premises via physical or virtual appliances, and is typically sourced from network equipment providers (and their channels), network service providers (NSPs) or managed network service (MNS) providers. WAN edge infrastructure must be agnostic to the underlying network transport provider and services.
In the North American market, more than 60% of deployments are historically do-it-yourself (DIY). In much of the rest of the world, a managed service approach is favored. In general, we see a trend toward more managed services, even though SD-WAN makes managing the WAN easier. At the same time, this introduces new challenges, with the greater use of internet transport. Large global organizations usually prefer a DIY approach, whereas midsize organizations are more likely to favor a managed services approach. Many companies are now comparing DIY and managed service options as part of the evaluation process.
Increasingly, vendors are differentiating their SD-WAN solutions in the following categories:
  • Ease of use
  • Application performance — including WAN optimization, voice optimization and ensuring quality of experience (QoE)
  • Security
  • Pricing and pricing models
  • Support for cloud workloads

Magic Quadrant

Figure 1. Magic Quadrant for WAN Edge Infrastructure

Source: Gartner (November 2019)

Vendor Strengths and Cautions

Aryaka

Aryaka is a privately held company, based in San Mateo, California. Gartner estimates that Aryaka’s SmartCONNECT managed SD-WAN service has more than 800 customers. SmartCONNECT combines the Aryaka Network Access Point (ANAP) CPE with the Aryaka Global Core backbone, to which the edge devices connect. The service includes SD-WAN, WAN optimization and visibility, as well as options for remote access, integrated perimeter security from third-party vendors, and the procurement and management of internet access. In addition, the Aryaka backbone supports the controlled routing of traffic, not only to applications in enterprise data centers, but also to cloud-hosted applications via both direct cloud gateways and internet gateways.
The solution is sold as a managed service, so it is not suited to DIY customers. Gartner expects the vendor to focus on enhancing cloud connectivity integration, security vendor service chaining and advanced analytics going forward. Aryaka is well-suited for organizations that are geographically widely distributed and/or want SD-WAN with WAN optimization, delivered as a service.

Strengths

  • Aryaka provides an all-in-one SD-WAN, private backbone and managed service solution, making procurement easier for customers interested in that model.
  • The private global backbone, with direct cloud gateways offered by Aryaka, provides a solution to optimize application performance.
  • Aryaka’s SD-WAN includes WAN optimization, to boost application performance, especially over long distances.

Cautions

  • Aryaka supports only internet and Ethernet connections to its services, limiting hybrid SD-WAN configurations and making migrations from MPLS more complex.
  • SmartCONNECT is a managed service that will not appeal to those enterprises that prefer to manage their own SD-WAN networks (DIY clients).
  • Enterprises with footprints limited to a single country or smaller area, or that are too far from an Aryaka point of presence (POP), will not benefit as much from the Aryaka backbone and WAN optimization features.

Barracuda

Barracuda is a privately held company based out of Campbell, California. Gartner estimates that Barracuda has more than 20,000 WAN edge — mainly next-generation firewall (NGFW) — customers. Barracuda leverages its prior experience in selling security products as a basis for delivering SD-WAN functionality to its flagship CloudGen Firewall offering. CloudGen Firewall is available as a physical appliance and as a virtual network function (VNF), in addition to being available as a virtual appliance on Azure, Amazon Web Services (AWS) and Google Marketplaces. Beyond basic and advanced firewall functionality, CloudGen Firewall also includes features such as WAN optimization and real-time traffic remediation, using packet duplication.
Despite offering a broad mix of WAN edge functionality, CloudGen Firewall does not offer cloud-based management (although the appliance itself can be hosted in the public cloud) and supports only limited path selection criteria. Gartner expects Barracuda to focus on delivering a cloud-based management platform to provide scale and easier deployment and configuration. Barracuda should be considered by enterprises for SD-WAN opportunities in which the primary focus is security.

Strengths

  • Barracuda includes comprehensive security capabilities including NGFW, antivirus, botnet and spyware protection, Domain Name System (DNS) security, and a built-in secure web gateway (SWG).
  • The solution has broad capabilities, including SD-WAN with enterprise-grade features, such as WAN optimization and real-time traffic remediation.
  • The vendor offers wide support for deployment as a VNF via most major virtualization platforms, including VMware, Xen, Kernel-based Virtual Machine (KVM) and Hyper-V.

Cautions

  • Gartner has had few SD-WAN inquiries in which Barracuda has been mentioned, which suggests the vendor has limited visibility and awareness in the SD-WAN market.
  • The path selection mechanism uses less-sophisticated techniques for failover. For example, for real-time traffic, packet loss and jitter are not used in the failover algorithm.
  • At the time of this research, traffic analytics is overly technical and managing the data is cumbersome. This is in conflict with the otherwise simple operation of the solution.

Cisco

Cisco is a publicly traded company based in San Jose, California, with more than 100,000 WAN edge customers (primarily Integrated Services Routers [ISR] customers). Gartner estimates that more than 800 customers use Cisco’s flagship SD-WAN, powered by Viptela. More than 13,000 use Cisco’s SD-WAN powered by Meraki MX, which is deployed mainly as a security appliance. The Viptela offering can be delivered on dedicated vEdge appliances, on recent models of the ISR 1000 and ISR 4000, and on Aggregation Services Routers (ASR) 1000 routers. It is also delivered as virtual software in cloud services or on Cisco’s Enterprise Network Compute Platform (ENCS) 5000 Series. Gartner has observed Cisco leading in the market with the Viptela on IOS XE solution (deployed on the ISR), which has a rich set of features. However, many Gartner clients and Cisco channel partners have reported reliability and scalability issues with the product. As an alternative, Cisco does offer the vEdge solution. The Viptela offering supports complex architectures with sophisticated routing, application performance capabilities and a broad set of advanced security functionality.
The Cisco SD-WAN powered by Meraki solution is primarily marketed to lean IT organizations with basic requirements, promoting ease of use and simplicity, but it lacks native application performance capabilities. In addition, the Viptela and Meraki offerings do not share common hardware or management frameworks, limiting investment protection should the customer want the features of the other solution. Gartner expects the vendor to focus on application performance capabilities, advancing multidomain policy enforcement, as well as multicloud integration going forward. Cisco is relevant in all vertical industries, company sizes and geographic locations, and should be considered for all WAN edge opportunities globally when the preferred platform supports the required features and scale.

Strengths

  • Cisco has a broad range of SD-WAN offers and platforms, together with complementary features, such as security, LAN/WLAN and application performance.
  • Cisco has strong enterprise network channels, brand awareness and an existing customer base, and it offers support for both DIY and MNS deployment.
  • Integration with Cisco’s cloud security platform, Umbrella, is supported on both the Viptela and Meraki platforms.

Cautions

  • Cisco’s SD-WAN, powered by Viptela on the IOS XE platform, has stability and scaling issues, as reported by Gartner clients and Cisco channels. Also, some customers who’ve purchased Cisco ISR hardware during the past few years have informed Gartner that they had to upgrade their hardware platforms to support Viptela due to throughput limitations.
  • Cisco has broad, separate and overlapping SD-WAN offerings that don’t share a common management platform, hardware platform or sales teams. Consequently, clients and channel partners have a hard time choosing the most appropriate solution, which increases the likelihood of a suboptimal selection.
  • The Cisco licensing structure is complex and can be confusing to end clients.

Citrix

Citrix is a publicly traded company based in Fort Lauderdale, Florida. Gartner estimates that Citrix has more than 1,200 WAN edge customers deployed globally. Citrix’s flagship WAN edge products are its Citrix SD-WAN appliances (physical, virtual and cloud), which are managed via the Citrix SD-WAN Center. The solution is cloud-managed and includes optional, fully featured WAN optimization, as well as an optional cloud gateway service for cloud onramp capabilities. The product scales from small sites to large headquarters and is increasingly demonstrating success with larger deployments. In addition, the vendor has some native security functionality, but it is not as advanced as that of some of the other vendors in this research.
Gartner expects this vendor to focus on delivering a lower-cost, smaller-footprint branch device, adding more-advanced native security features, as well as artificial intelligence/machine learning (AI/ML) performance diagnostics and remediation capabilities going forward. Citrix SD-WAN should be considered for organizations with existing Citrix software, as well as organizations of all sizes, geographic locations and vertical industries looking for SD-WAN solutions, especially when sourcing on a DIY basis.

Strengths

  • Citrix SD-WAN includes an optional, fully featured WAN optimization capability, as well as cloud gateways for cloud onramp access to cloud workloads.
  • Citrix SD-WAN is managed via the same user interface (UI) as other Citrix products, which can simplify operations for existing Citrix customers.
  • Citrix can sell its SD-WAN solution in combination with its digital workspace solutions, providing added performance and convenience for end customers.

Cautions

  • Citrix has only a small number of service provider partners offering managed SD-WAN services using its platform, which may limit the vendor’s ability to grow in the market.
  • Citrix SD-WAN lacks a full, native, advanced security suite beyond its native application layer firewall; instead, it relies on partners for unified threat management (UTM) or cloud security services.
  • Some enterprises don’t see Citrix as a network vendor, which may limit its growth in the market.

CloudGenix

CloudGenix is a privately held company based in San Jose, California. Gartner estimates that CloudGenix has more than 800 WAN edge customers, primarily delivered as SD-WAN. Its flagship offering includes Instant-On Network (ION) devices, which support SD-WAN functionality, as well as basic firewalling capability. ION appliances are available in both hardware and software form factors and also exist in the AWS and Azure marketplaces. The vendor’s management portal is delivered as a cloud service, with an intuitive workflow and strong analytics functionality.
CloudGenix supports a wide range of routing and network topologies, but no WAN optimization or native advanced security. We expect CloudGenix to continue focusing on autonomous networking and the cloud-delivered branch with its CloudBlades platform. CloudGenix should be considered by enterprises primarily in North America looking to deploy SD-WAN with a focus on application and network visibility as well as cloud-delivered solutions.

Strengths

  • CloudGenix’s CloudBlades provides turnkey service chaining that allows users to integrate their SD-WAN with various cloud services that are part of the vendor’s ecosystem.
  • The vendor’s Clarity solution offers visibility into network health and application performance.
  • The vendor’s graphical user interface (GUI) is straightforward and intuitive for organizations to operate.

Cautions

  • The vendor has a limited geographic installed base and channel coverage outside North America, which may limit the vendor’s growth in the market or support for customers in other regions.
  • CloudGenix has had limited adoption by carriers offering managed services as it tends to be adopted by more DIY-focused clients, so this may limit the vendor’s ability to grow.
  • The vendor lacks several capabilities offered by competitors, including support for WAN optimization and native advanced security features.

Cradlepoint

Cradlepoint is a privately held company headquartered in Boise, Idaho. Gartner estimates Cradlepoint has more than 5,000 WAN edge customers. Cradlepoint has been focused on enabling connectivity to small branch and retail locations, with a specific emphasis on 4G/Long Term Evolution (LTE) connectivity. It addresses the SD-WAN market with its NetCloud, AER series of routers and Cloud Virtual Router (CVR) products. The NetCloud suite includes an NGFW with advanced features, such as intrusion prevention system/intrusion detection system (IPS/IDS) and URL filtering, which is in keeping with Cradlepoint’s historic focus of providing small-form-factor functionality.
Cradlepoint solutions focus on 4G/LTE-driven use cases, and their support for wired transport analytics is not as sophisticated as that of other solutions included in this research. Its GUI is not as easy to use as those of other vendors in this research. Gartner expects that Cradlepoint will make investments in 5G integration and expanded cloud functionality via Azure, as well as expand the functionality and compatibility of its portfolio to address midsize and large enterprises. Cradlepoint should be considered by organizations in North America, Europe, and the Asia/Pacific (APAC) region, especially when 4G/LTE connectivity is a primary requirement.

Strengths

  • Cradlepoint’s expertise in providing cost-effective small branch solutions makes it attractive for deployments in which integrated security, WAN edge and Wi-Fi functionality is required.
  • The vendor offers advanced built-in security including an NGFW, SWG, IPS and IDS, micro-segmentation capabilities, network access control (NAC), and content filtering.
  • Cradlepoint has proven experience with successful deployments larger than 1,000 sites with small footprint environments.

Cautions

  • Although Cradlepoint offers traditional quality of service (QoS), it does not support real-time traffic remediation, such as forward error correction (FEC) or packet duplication, which may be a requirement for challenging WAN circuit environments such as broadband and LTE.
  • Lack of cloud provider support beyond AWS, as well as the lack of availability on cloud marketplaces, makes Cradlepoint a less attractive solution for enterprises that are expanding their cloud presence.
  • Cradlepoint’s solution lacks the ability to fail over to another transport in response to elevated packet loss, and it provides limited wireline performance metrics data.

FatPipe Networks

FatPipe Networks is a privately held company based in Salt Lake City, Utah. Gartner estimates that FatPipe has more than 1,600 WAN edge customers, primarily midmarket-focused and in North America. FatPipe offers a broad array of WAN products including secure routers, link aggregators/load balancers and WAN optimization appliances. Its flagship WAN edge offering is the FatPipe SD-WAN, which includes the company’s MPVPN CPE (physical and virtual) and its Symphony orchestrator.
FatPipe has deployed its SD-WAN products across multiple industries. The solution has broad capabilities with SD-WAN, application performance and security; however, the GUI is complex and not as easy to navigate when compared with other products in this research. Gartner expects the vendor to focus on visibility and analytics, as well as supporting Internet of Things (IoT) use cases going forward. FatPipe should be considered for WAN edge opportunities, primarily in the North American midmarket, particularly when mission-critical application performance is required.

Strengths

  • FatPipe has a broad set of capabilities, including SD-WAN, application performance, and some security that have been deployed across customers, mainly in the midmarket.
  • FatPipe was a pioneer in path selection, which is now a key SD-WAN capability; thus, it has expertise supporting hybrid WAN use cases.
  • FatPipe has been operating for approximately 18 years, so it has proved itself over a long period of time.

Cautions

  • FatPipe has limited market presence outside North America, which restricts the pool of networking personnel familiar with its products. This limits FatPipe’s ability to sell and support its products in geographic locations outside North America.
  • FatPipe has limited experience in complex deployments beyond 100 sites, which limits applicability for many larger organizations.
  • FatPipe has limited visibility in the market, as evidenced by Gartner taking few inquiry calls regarding its solution.

Fortinet

Fortinet is a public company headquartered in Sunnyvale, California. Gartner estimates that Fortinet has more than 21,000 WAN edge customers, primarily using its products as UTM/NGFW in the midmarket. Fortinet addresses the SD-WAN market with its flagship product, FortiGate Secure SD-WAN, which leverages Fortinet’s strong position in delivering networks built around pervasive security. FortiGate is available as an appliance, as a network function virtualization (NFV) instance, and via all major cloud marketplaces, including Alibaba. FortiGate delivers a strong, built-in security stack to its WAN edge architecture and includes NGFW, IPS/IDS, Secure Sockets Layer (SSL) decryption/encryption, DNS filtering and antivirus. However, the vendor has been slow to develop cloud-based security solutions, as well as hosted cloud gateways.
Fortinet enables management of the FortiGate platform via FortiManager or via FortiGate Cloud. Both management platforms extend management capabilities across Fortinet’s network ecosystem, providing a single pane of glass for wired LAN/WLAN, SD-WAN and security (sometimes referred to as SD-Branch). Gartner expects Fortinet to make investments in increasing its cloud-based capabilities in access and security, as well as further investments in its SD-Branch portfolio. Fortinet should be considered by organizations of all sizes and verticals for SD-WAN projects globally, especially when strong, built-in security capabilities are a key requirement.

Strengths

  • Fortinet’s direction of delivering a highly integrated solution consisting of SD-WAN, routing, advanced security and application performance gives it broad market and use case appeal, regardless of organizational size.
  • Fortinet’s investments in new custom SD-WAN-specific application-specific integrated circuits (ASICs) yield throughput and performance at a competitive price point when leveraging the full suite of SD-WAN features.
  • Fortinet’s global channel, managed services and partner ecosystem ensure that it can support both DIY and managed services adopters.

Cautions

  • Fortinet has minimal presence with carrier-based SD-WAN service portfolios, which will limit its ability to be sourced globally.
  • Despite their enterprise-class features, Fortinet’s products have been used mainly as security appliances and less as networking solutions; this limits the vendor’s experience in this market.
  • Fortinet has limited experience in highly complex networking solutions and cloud-first deployments.

HPE (Aruba)

Aruba operates as a subsidiary of Hewlett Packard Enterprise (HPE), which is a publicly traded company based in San Jose, California. Aruba is a long-established Wi-Fi and LAN switching vendor. Gartner estimates that Aruba has more than 250 WAN edge customers. This is low, compared with other vendors in this research, mainly due to Aruba’s recent entrance into the market. Its flagship WAN edge solution includes branch gateways, physical and virtual (for AWS and Azure) headend gateways, and the Aruba Central Cloud Platform. Aruba is repositioning itself from a predominantly leading wired LAN and WLAN vendor to a WAN edge vendor by developing its SD-Branch solution. This combines switching, WLAN, WAN and security in a simplified, fully orchestrated solution.
On the WAN side, Aruba has scalable orchestration and some native advanced security capabilities (Layer 7 firewall and content filtering), but limited application performance capabilities in the areas of WAN optimization and voice optimization. We expect Aruba to focus on enhancing its UTM capabilities, expanding support for cellular wireless/LTE, and using AI/ML to drive WAN decision making. Aruba is relevant to Gartner clients in nearly all vertical industries, sizes and geographic locations, especially for users looking to simplify and consolidate their WAN/LAN management.

Strengths

  • Aruba Central Cloud Platform is a solid, scalable orchestration platform that simplifies deployment, management and service assurance of wireless, wired and SD-WAN environments.
  • Aruba has experience supporting enterprise network clients with its existing WLAN and wired LAN customer base.
  • Aruba has seen some recent success in winning large WAN edge enterprise accounts.

Cautions

  • Aruba is better known in the wired LAN and WLAN market segment and less known in the WAN edge segment, which may limit its ability to compete.
  • Aruba has limited application performance capabilities for real-time traffic, such as forward error correction (FEC) and packet duplication, and no WAN optimization for non-real-time traffic.
  • Aruba has been late to this market, so many of the channel partners have already selected other SD-WAN solutions, which may limit its ability to compete.

Huawei

Huawei is a privately held company headquartered in Shenzhen, China. Gartner estimates that Huawei has more than 50,000 WAN edge customers, many located in the APAC region. Huawei provides a full suite of networking infrastructure hardware, software, servers, cloud and consumer devices. Huawei addresses the WAN edge market with its CloudWAN, NetEngine AR series of routers, and the AR series uCPE devices. The NetEngine AR routers are available as appliances, as the AR1000 NFV, and as virtual appliances on AWS, Azure and Huawei Public Cloud.
Huawei offers a full-network-stack SD-WAN product, which includes a comprehensive security suite. This includes an NGFW, IDS/IPS, URL and content filtering. Although Huawei’s solution delivers broad functionality, the GUI seems more complicated and less user-friendly than others included in this research. Gartner expects Huawei to make investments in expanding automation in its WAN edge portfolio through the use of AI and ML, as well as intent-based networking and analytics. Huawei should be considered by organizations outside the U.S. and Canada of all sizes and verticals for all WAN edge solutions, when a turnkey solution from a single supplier is desired.

Strengths

  • Huawei’s broad portfolio checks most of the WAN edge feature boxes, including full SD-WAN, flexible deployment form factors, a capable integrated security stack and basic WAN optimization.
  • Huawei is a dominant vendor in China, and it is also a major presence in the APAC region, as well as in South America, and Europe, the Middle East and Africa (EMEA).
  • Huawei has experience and proven scale, with extremely large deployments — more than 5,000 branch locations.

Cautions

  • Geopolitical upheaval and security concerns by North American and, to a lesser extent, some EU governments have severely limited adoption and availability in these geographies. Potential adopters in these locations should verify government restrictions, which may preclude adoption.
  • Huawei’s SD-WAN cloud service, which is useful when deploying SD-WAN over the public internet, is available only in China.
  • Huawei’s GUI is more complicated and less user-friendly than those of other vendors included in this research.

Juniper Networks

Juniper Networks is a publicly traded company based in Sunnyvale, California, and is a long-established networking and security vendor. Gartner estimates that Juniper has more than 23,000 primarily security-focused WAN edge customers. Its flagship WAN edge solution is its Contrail SD-WAN, comprising its SRX Series Services Gateways (physical, virtual and cloud) and Contrail Service Orchestration. The vendor provides a full portfolio of WAN edge platforms, including its MX routers and NFX secure uCPE network function virtualization appliances, which can host WAN edge functions.
Juniper supports many routing protocols and architectures for complex networks, SD-WAN and advanced security capabilities; however, it lacks WAN optimization functionality. Furthermore, the vendor primarily relies on managed service providers (MSPs) as its go-to-market route. Gartner expects Juniper to focus on expanding the interfaces supported (both WAN and Wi-Fi), simplifying LAN/WAN orchestration, and enhancing application performance metrics. Juniper is relevant to Gartner clients in nearly all vertical industries and geographies and should be considered for all security-led WAN edge opportunities globally, particularly those that will be consumed as a service.

Strengths

  • Juniper has a broad set of WAN edge network capabilities, including a variety of form factors, interfaces, a cloud-managed solution, routing and security, along with a service orchestrator (Contrail Service Orchestration), which simplifies deployment and management.
  • Juniper has longstanding relationships with communications service providers (CSPs), and a large and loyal installed base. This means there is a large pool of networking personnel familiar with Juniper’s products who can aid with implementation and operation.
  • Juniper is focused on leveraging its recent Mist Systems acquisition to incorporate more LAN/WLAN/WAN integration, which will simplify orchestration and management for end users.

Cautions

  • Many of Juniper’s target service providers have already aligned with Juniper’s competitors for SD-WAN. As a result, it may be difficult for customers to obtain Juniper-based managed services from their preferred service providers.
  • Juniper lacks native WAN optimization and doesn’t support FEC for voice optimization.
  • Juniper lacks visibility and awareness in the market as evidenced by the vendor being mentioned in few SD-WAN inquiries, compared with the larger competitors in this market.

Nuage Networks

Nuage Networks is based in Mountain View, California, and is a division of publicly traded Nokia, based in Espoo, Finland. Gartner estimates that 1,400 enterprises are using Nuage’s Virtualized Network Services SD-WAN products, predominantly via its approximately 70 NSP partners. Nuage’s Virtualized Network Services (VNS) include its Virtualized Services Directory (VSD), the Virtualized Services Controller (VSC), and the Network Services Gateway (NSG) CPE (physical, virtual and cloud). The vendor has developed a scalable SD-WAN solution with comprehensive routing capabilities. It leverages well-established relationships with NSPs worldwide to deploy SD-WAN as a service, although it has only limited experience dealing directly with DIY enterprise accounts.
The solution does not include any WAN optimization functionality to support non-real-time traffic, but does support some optimization for real-time traffic. Gartner expects the vendor to focus on developing more ruggedized form factors for supporting IoT, enhancing support for voice applications and expanding its path selection capabilities. Nuage is a good fit for enterprises that require SD-WAN with scalability or that prefer to consume WAN edge solutions as a managed service.

Strengths

  • Nuage’s SD-WAN products are available through a large number of service provider partners.
  • The Nuage SD-WAN products are architected for software deployment on NFV platforms, allowing them to integrate easily with other virtual network software.
  • Nuage’s VNS SD-WAN offer integrates with its Virtualized Cloud Services (VCS) data center network overlay offering, for a simpler overall solution.

Cautions

  • Because Nuage predominantly delivers its products via service providers, it has a limited number of direct enterprise customers and channels, limiting its brand recognition and experience with customers who prefer a DIY approach to sourcing their SD-WAN products.
  • Nuage has limited native advanced security and WAN optimization functionality, preferring to rely on third-party software on NFV platforms to support these capabilities.
  • Nuage’s path selection capability is limited to supporting two underlay connections, thereby restricting its applicability to some enterprises.

Oracle (Talari Networks)

Headquartered in Redwood City, California, Oracle is a publicly traded company known primarily for its database, cloud and business applications. Gartner estimates that it has more than 500 WAN edge customers. Oracle acquired Talari Networks in late 2018 and rebranded its fail-safe SD-WAN to Oracle SD-WAN. Oracle SD-WAN offers comprehensive support for application analytics, path selection, and active real-time traffic mitigation. Although the solution is focused on delivering WAN edge connectivity for mission-critical applications including E911 networks, there is limited native advanced security. Consequently, Oracle relies on partnerships with Zscaler or Palo Alto to address NGFW requirements.
Oracle has a suboptimal small-platform solution with no integrated Wi-Fi or LTE and also lacks an Oracle-hosted, cloud-based management platform. Gartner expects Oracle to focus on delivering Oracle-hosted cloud management, in addition to increasing Oracle SD-WAN’s capability for supporting high-density, cloud-based architectures. We expect Oracle SD-WAN technology to enable greater WAN edge functionality in its session border controller (SBC) products. Oracle SD-WAN should be considered for regional and global deployments in which latency-sensitive and/or mission-critical traffic survivability (such as a contact center) and application performance is a primary requirement.

Strengths

  • Oracle has experience supporting mission-critical traffic requirements, such as call centers, government agencies and emergency responders.
  • Oracle offers strong path selection, application analytics and application performance capabilities.
  • Oracle’s enterprise voice experience, with its widely deployed SBC and global sales, support and partner network, complements its SD-WAN offering, thereby increasing both capabilities and reach.

Cautions

  • Oracle has limited experience deploying SD-WAN with networks greater than 250 branches.
  • Although Oracle has some native security features, it lacks a native advanced security stack (such as NGFW), which may limit the appeal of its SD-WAN product for companies requiring a turnkey WAN edge solution. Instead, it relies on partners to deliver this functionality.
  • Oracle’s SD-WAN solution has limited adoption into MSP and carrier SD-WAN portfolios, reducing its appeal to organizations that prefer to consume from those providers.

Peplink

Peplink is a public company listed on the Hong Kong Stock Exchange as Plover Bay Technologies. Peplink is headquartered in Hong Kong, and Gartner estimates that it has more than 8,500 WAN edge customers. Peplink addresses the WAN edge market with two SD-WAN products: Balance and Max, which deliver wired and wireless SD-WAN, respectively. Peplink SD-WAN platforms are administered via the InControl 2 cloud-based management platform. Peplink also addresses the need to remediate real-time application and voice traffic with its SpeedFusion WAN smoothing, which uses FEC as its active remediation mechanism. However, it offers no WAN optimization for non-real-time traffic. The platform can be secured via its limited advanced native security suite, which includes IDS/IPS and web filtering.
Peplink has experience providing LTE-based connectivity as part of its SD-WAN functionality, but has limited application analytics. Gartner expects Peplink to invest in expanding virtual support for its products and integration of 5G support. Organizations in any geography should consider Peplink when LTE connectivity is a primary consideration for a WAN edge deployment.

Strengths

  • Peplink’s SpeedFusion technology enables flexible link bonding, which allows multiple links to be combined to meet increased bandwidth needs while keeping costs low.
  • Peplink has experience with WAN edge deployments in challenging environmental conditions, such as those found in the oil and gas, maritime, and transportation markets.
  • Peplink has proven scalability in large, distributed deployments with more than 5,000 sites.

Cautions

  • Peplink’s application analytics capabilities are not as granular as the other solutions described in this research.
  • Although most of Peplink’s customers are in North America and Europe, it has limited sales and support resources of its own in these areas. The company relies heavily on its limited channel partnerships at all levels of the sales and support cycle.
  • Peplink’s security capabilities are not as comprehensive as some other solutions described in this research.

Riverbed

Riverbed is privately owned and is based in San Francisco, California. Gartner estimates that Riverbed has more than 30,000 customers, with 3,000 SD-WAN customers. Riverbed’s flagship WAN edge offerings are SteelConnect and SteelHead SD, which supports SD-WAN with WAN optimization in a single integrated appliance. Riverbed devices are available as physical and virtual form factors and are centrally administered by SteelConnect Manager (cloud-based or on-premises). Riverbed does not offer vendor-hosted cloud gateways as a service. However, virtual appliances are available on AWS, Azure, Google Cloud, IBM Cloud and Oracle Cloud, and global SaaS acceleration is offered as a vendor-hosted managed service.
The vendor doesn’t have native advanced security or FEC/packet duplication functionality for real-time traffic optimization. After the cut-off date for this research, Riverbed announced an OEM agreement with Versa to deliver scalable routing, SD-WAN and advanced security to address large-enterprise use cases. Gartner expects this OEM relationship to be a core focus going forward. Riverbed is suitable for midsize and large organizations worldwide across verticals, particularly those that want SD-WAN and WAN optimization in a single, integrated device.

Strengths

  • The vendor has substantial experience in large global enterprises with WAN optimization and has incumbency in many accounts. Leveraging this capability, Riverbed provides an integrated appliance that includes WAN optimization and SD-WAN.
  • Riverbed recently announced an OEM partnership with Versa in an attempt to address the large-enterprise market more effectively.
  • Riverbed offers a vendor-hosted SaaS acceleration solution, delivered as a cloud-managed service.

Cautions

  • The Versa deal attempts to offer an SD-WAN solution for large-enterprise organizations; however, Riverbed is the only vendor in this research that will be sourcing core SD-WAN functionality via an OEM agreement. Consequently, there is increased risk going forward, as opposed to Riverbed having full organic control.
  • Riverbed has limited native advanced security capabilities and needs to rely on partners for this functionality; this complicates sourcing and management for enterprise clients.
  • Gartner has received reports of code instability from clients, which has limited Riverbed’s ability to grow in the market.

Silver Peak

Silver Peak is a privately held company headquartered in Santa Clara, California. Gartner estimates that it has approximately 3,000 customers, with more than 1,500 on its flagship WAN edge platform. Silver Peak’s WAN edge product is the Unity EdgeConnect SD-WAN appliance (physical, virtual and cloud), with optional Unity Boost WAN optimization and Unity Orchestrator (on-premises or cloud). Silver Peak’s SD-WAN products are available from a wide range of partners, including multiple NSPs.
Silver Peak has strong application performance with WAN optimization and real-time optimization, as well as strong analytics. However, the vendor has limited native advanced security capabilities. Gartner expects Silver Peak to focus on orchestration, extending orchestration for ecosystem services and cloud analytics. Silver Peak should be considered by organizations in all verticals and sizes for WAN edge opportunities in North America, EMEA and the APAC region, especially when WAN optimization functionality and path conditioning are required.

Strengths

  • Silver Peak’s SD-WAN product has strong application performance capabilities, including WAN optimization and real-time traffic optimization (e.g., FEC). Its WAN optimization solution also can be priced as a subscription and shared across a domain.
  • Gartner sees more channels and MSPs selling the Silver Peak solution, which shows the vendor’s channel expansion and relevance to various client consumption models.
  • Silver Peak’s roadmap is aligned with future client needs, with a focus on automation and ease of use.

Cautions

  • The Silver Peak SD-WAN products lack a native full advanced security suite, instead relying on third-party firewalls or cloud security services.
  • Silver Peak’s WAN edge offering lacks cloud gateways, requiring enterprises or MSPs to create these, if required.
  • Silver Peak has limitations with its small-footprint devices (such as not having integrated Wi-Fi), which are typically required for small, remote branch offices.

Teldat

Teldat is an established, privately held communications company based in Madrid, Spain, and Nuremberg, Germany. Gartner estimates that Teldat has more than 1,000 WAN edge customers. Teldat offers a broad range of voice and data products, including LAN, WAN, WLAN and voice. Its flagship WAN edge offering comprises the Teldat M8 Smart, an SD-WAN edge gateway, and the Cloud Network Manager (CNM) controller. The vendor provides routing, SD-WAN and some native advanced security functionality, including IDS, A/V and cloud content filtering. However, the vendor offers no WAN optimization or real-time optimization capabilities.
Teldat operates globally, but focuses primarily on Western Europe and Latin America, and delivers products primarily through carriers and MSPs. Gartner expects Teldat to focus on offering automatic customization for service providers, as well as AI/ML for improved network operations. Teldat should be considered by customers in Western Europe and Latin America who prefer a managed service for their WAN edge devices.

Strengths

  • Teldat has a strong presence in Europe and Latin America, where more than 95% of its customers are headquartered.
  • Teldat has successfully deployed large-scale WANs of more than 1,000 locations.
  • Teldat offers a management console that is available as an over-the-top service, which many customers prefer to simplify operations.

Cautions

  • Teldat has limited expertise with DIY enterprises, because it focuses heavily on selling through carrier and MSP partnerships in Europe and Latin America.
  • Teldat doesn’t support WAN optimization capabilities, nor does it support any voice optimization capabilities.
  • Although hard-down failover is immediate, performance-based path selection rerouting can take up to 30 seconds.

Versa

Versa is a privately held company based in San Jose, California. Gartner estimates that Versa has more than 1,000 WAN edge customers. Versa focuses on branch and WAN functions, including routing, SD-WAN and security. Its flagship WAN edge offering is Versa FlexVNF software, with the requisite management and orchestration. FlexVNF supports scalable and advanced routing, comprehensive SD-WAN, multiple advanced security functions (such as NGFW, A/V and content filtering), as well as the hosting of third-party VNFs. Although Versa supports FEC and packet duplication for real-time traffic, there are no native WAN optimization features. Instead, Versa supports hosting third-party WAN optimization solutions as a VNF.
FlexVNF can be delivered on a branded appliance, on a whitebox hardware appliance, or as a virtual instance in AWS, Azure, Google, Alibaba and Tencent clouds. Versa has been more successful selling through managed service providers than to do-it-yourself (DIY) customers. Gartner expects Versa to focus on its midmarket solution and small or midsize business (SMB) clients through its Versa Titan secure cloud service, which delivers an SD-Branch solution integrating routing, SD-WAN and security for LAN and WAN connectivity. Versa should be considered by all enterprises in North America, the APAC region and EMEA, particularly when enhanced security functions, flexible deployment options and a managed service are desired.

Strengths

  • Versa offers advanced feature depth and breadth, with enhanced security, SD-WAN and voice optimization in an integrated solution.
  • Versa has strong relationships with CSPs and managed service partners as its primary go-to-market.
  • Versa has expanded its partner base with a strategic OEM partnership with Riverbed (integrating Versa VNFs on Riverbed platforms). This will give it access to large global enterprises in which Riverbed is the incumbent and increase its ability to grow and sustain its position in the market.

Cautions

  • Versa lacks native WAN optimization, relying instead on hosting third-party virtual appliances.
  • Versa has less experience with direct enterprise DIY, because most of its customers are sold through MSPs.
  • Versa has limited current production network deployments larger than 800 branches.

VMware

VMware is a publicly traded company based in Palo Alto, California. Gartner estimates that VMware has more than 5,500 WAN edge customers deployed globally. VMware’s SD-WAN offering is VMware SD-WAN by VeloCloud, which includes physical and virtual edge appliances, cloud gateways and orchestration, which can be on-premises, or hosted by an MSP or VMware. The solution includes strong SD-WAN functionality that, when combined with its gateways (some of which are hosted by carriers and some by the vendor), offers enterprises a scalable platform for accessing cloud workloads. VMware has proved itself able to scale for large global deployments. VMware offers three subscription levels to align with different use cases and price points, primarily based on network scale and cloud connectivity.
The vendor’s solution doesn’t have native advanced security capabilities or traditional WAN optimization functionality, but it does have optimization for real-time traffic and cloud-based applications. Gartner expects VMware to focus on multicloud integration, performance analytics and self-healing networks going forward. VMware should be considered by organizations of all sizes and verticals for all SD-WAN opportunities globally.

Strengths

  • The VMware SD-WAN solution offers a wide range of deployment options for the edge devices. They can be physical or virtual, with optional cloud gateways and orchestration, which can be on-premises, MSP-hosted or VMware-hosted.
  • VMware SD-WAN has a proven track record of being able to fulfill large, complex global networks of greater than 1,000 sites. In fact, it has some of the largest SD-WAN deployments.
  • VMware has a wide range of go-to-market partners, including multiple global NSPs, as well as VMware and Dell channels; this provides enterprises with many ways to consume the solution.

Cautions

  • The VMware product lacks native advanced security functionality; instead, it relies on partner firewalls instantiated on its platform or cloud security services.
  • VMware lacks traditional WAN optimization capabilities.
  • VMware lacks native support for IPv6, which may limit the vendor’s ability to support certain types of deployments.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor’s appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may reflect a change in the market and, therefore, changed evaluation criteria, or a change of focus by that vendor.

Added

HPE (Aruba) was added due to a new product offering that meets the inclusion criteria.

Dropped

Cato Networks was dropped because it failed to meet inclusion criteria based on our assessment and data provided by the vendor.
Forcepoint was dropped because it failed to meet inclusion criteria based on our assessment and data provided by the vendor.

Inclusion and Exclusion Criteria

To qualify for inclusion, vendors need to show relevance to Gartner clients by:
  • Providing hardware and/or software that addresses the enterprise WAN edge requirements outlined in the Market Definition/Description section. Alternatively, they may address this need by delivering a managed service that uses in-house developed hardware/software to deliver the service.
  • Producing and releasing enterprise WAN edge networking products for general availability as of 1 June 2019. All components must be publicly available, be shipping and be included on the vendors’ published price list as of this date. Products shipping after this date, and any publicly available marketing information may only have an influence on the Completeness of Vision axis.
  • Providing commercial support and maintenance for their enterprise WAN edge products (24/7) to support deployments on multiple continents. This includes hardware/software support, access to software upgrades, and troubleshooting and technical assistance.

Product Capabilities

Vendors must have generally available products that support all of the following capabilities. These capabilities must be supported natively on branch CPE:
  • The ability to function as/replace the branch office router/CPE (including BGP, OSPF, support hub and spoke, mesh, and partial mesh topologies for a minimum of a 100-site network) with traffic shaping and/or QoS
  • Centralized management for devices (with GUI), including reporting and configuration changes, and software upgrades
  • Zero-touch configuration for branch devices
  • VPN (Advanced Encryption Standard [AES] 256-bit encryption) and NGFW or firewall with the ability to redirect to an SWG
  • Dynamic traffic steering based on business or application policy (not limited to only DiffServ Code Point [DSCP]/ports, IPs/circuits or 5-tuple) that responds to network conditions (changes in packet loss, latency, jitter, etc.) in an active/active configuration
  • At least 100 well-known application profiles included (auto discovered)
  • Application visibility identifying specific traffic that traverses the WAN
  • At least two of the following WAN interfaces: Ethernet, xDSL, Tx/Ex, fiber and 4G/LTE
  • Software (ability to operate as a VNF at the branch or in the network and to be hosted in at least one cloud provider, such as AWS) and hardware form factors

Financial Performance

Vendors must show relevance to Gartner’s enterprise clients by meeting at least one of the following with their WAN edge infrastructure solutions that meet the product inclusion criteria:
  • Demonstrate scalability by servicing at least three customers with active support contracts that have at least 100 sites each.
  • Show relevance to Gartner’s enterprise clients on a global basis with at least one of the two below criteria:
    • At least 25 customers with active support contracts and 10 sites each headquartered in two or more geographic regions (NA, SA, EMEA or APAC). This means 25 customers in one region and another 25 customers in a different region.
    • At least 10 customers with active support contracts and 10 sites each headquartered in three or more geographic regions (North America, South America, EMEA or APAC). This means 10 customers each in three different regions, for a total of more than 20 customers.
  • Meet at least one of the four criteria below:
    • Total WAN edge infrastructure revenue of at least $20 million in the 12 months ending December 2018
    • Total WAN edge infrastructure revenue of $13 million in the 12 months ending December 2018, with at least a 100% growth rate during the previous 12 months
    • At least 20,000 WAN edge infrastructure sites deployed and under active support contracts
    • At least 300 WAN edge infrastructure customers under active support contracts with 10 or more sites deployed each

Exclusion Criteria

We exclude NSPs, non-NSPs or other providers/vendors that do not own their WAN edge technologies because they deliver their offerings with commercial vendor products as the underpinning technology.

Vendors of Note

Gartner estimates that more than 70 vendors compete in the WAN edge market; many with specialized offerings. The vendors listed below, along with several others, did not meet the inclusion criteria, but are notable for their offerings and may be of interest to readers of this research:
  • 128 Technology is a privately held company based in Burlington, Massachusetts. Although 128 Technology didn’t meet the inclusion criteria, it is relevant to enterprises looking for a software-driven solution.
  • Bigleaf Networks is a privately held company based in Beaverton, Oregon. Although Bigleaf didn’t meet the inclusion criteria, it is relevant to some midmarket customers.
  • Cybera is a privately held company based in Franklin, Tennessee. Although Cybera didn’t meet the inclusion criteria, it is relevant to large, distributed retail enterprises that are primarily U.S.-based.
  • Infovista is a privately held company based in Massy, France. Although Infovista didn’t meet the inclusion criteria, it is relevant to enterprises with a specific focus on application performance.
  • Forcepoint is a privately held company based in Austin, Texas. Although Forcepoint didn’t meet the inclusion criteria, it is relevant to enterprises with a specific focus on security.
  • Cato Networks is a privately held company based in Israel. Although Cato didn’t meet the inclusion criteria, it is relevant to the midmarket, with security and cloud access requirements.
  • Sangfor Technologies is a public company based in China. Although Sangfor didn’t meet the inclusion criteria, it is relevant to enterprises that have a specific focus on security and are based in the APAC region.
  • Lavelle Networks is a private company based in India. Although Lavelle didn’t meet the inclusion criteria, it is relevant for enterprises located in India.
  • Multapplied is a private company based in North Vancouver, BC, Canada. Although Multapplied didn’t meet the inclusion criteria, it is relevant to organizations that purchase from selected service providers.
  • Lancom Systems is a private company based in Munich, Germany. Although Lancom didn’t meet the inclusion criteria, it is relevant to distributed organizations that are based primarily in Europe.

Evaluation Criteria

Ability to Execute

Product/Service: Core goods and services that compete in and/or serve the defined market. This includes current product and service capabilities, quality, feature sets, skills, etc. This can be offered natively or through OEM agreements/partnerships, as defined in the Market Definition and detailed in the subcriteria.
Evaluates vendors by looking at their overall WAN edge networking portfolios, including all hardware and software aspects of WAN edge networking. This includes physical and virtual CPE, controllers, gateways, and the relevant automation, management and orchestration of those components. We consider the breadth and depth of WAN Edge functions that the vendor offers, as well as automation and integration within broader networking workflows and orchestration. Particular attention will be paid to management that is application/business-outcome-focused. We consider product and architectural migration strategies, and the ability to address customers’ multicloud deployment requirements, application performance, security, traffic steering, scalability and resiliency needs. We focus on the vendor’s flagship enterprise offering and/or the products they lead with for enterprise accounts.
Overall Viability: Viability includes an assessment of the organization’s overall financial health, as well as the financial and practical success of the business unit. This evaluates the likelihood of the organization to continue to offer and invest in the product, as well as the product position in the current portfolio.
Sales Execution/Pricing: The organization’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support and the overall effectiveness of the sales channel. We also include the vendor’s estimated market share and growth.
Evaluates presales and go-to-market sales activities of both the vendor and its channels, and includes analysis of how the vendor interacts with its customers and prospects. The second aspect of this criterion includes our evaluation of the cost-effectiveness of the solutions for purchase and support over their useful life, and the ability to recognize and position the most appropriate solution in specific sales situations.
Market Responsiveness and Track Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness to changing market demands. This includes how well the vendors’ offerings match buyer’s requirements at the time of purchase.
We assess the vendor’s track record in delivering new capabilities when the market needs them, in terms of timing and scope. This evaluation is not limited to products; it covers pricing and licensing as well.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message in order to influence the market, promote the brand, increase awareness of products and establish a positive identification in the minds of customers. This “mind share” can be driven by a combination of publicity, promotional, thought leadership, social media, referrals and sales activities.
Focuses on how the vendor is perceived in the market, and how well its marketing programs are recognized in generating awareness. For WAN edge infrastructure, the evaluation focuses on how well the vendor is able to influence and shape perception in the market through marketing activities and thought leadership. An additional indicator for this criterion is how often Gartner clients inquire about a specific vendor in terms of its capabilities and reputation or in a shortlist evaluation process.
Customer Experience: Products and services and/or programs that enable customers to achieve anticipated results with the products evaluated. Specifically, this includes the quality of supplier/buyer interactions, technical support or account support. This may also include ancillary tools, customer support programs, availability of user groups, service-level agreements (SLAs), etc.
Looks at all aspects of the customer experience (including pricing, setup and day-to-day production, as well as support), with a heavier weighting on postsales service and support activities. This includes customers’ experience with the vendor’s WAN edge products and services used in their production environments. This also includes initial provisioning, as well as the day-to-day operation and management of WANs. It includes the ability to upgrade software and work with technical support to solve problems. Hardware and software quality and how customers describe their experience with the vendors’ products are evaluated.

Table 1: Ability to Execute Evaluation Criteria

Evaluation Criteria
Product or Service
Overall Viability
Sales Execution/Pricing
Market Responsiveness/Record
Marketing Execution
Customer Experience
Not Rated
Source: Gartner (November 2019)

Completeness of Vision

Market Understanding: Ability to understand customer needs and translate them into products and services. Vendors with a clear vision of their market listen, understand customer demands, and can shape or enhance market changes with their added vision.
Assesses the vendor’s ability to look into the future needs and drive new ideas into product roadmaps and offerings. This includes the vendor’s understanding of the core WAN edge infrastructure buyers as described in the Market Definition, as well as understanding the competitive nature of the market. In this market, we look at the vendor’s ability to address the challenges associated with distributed branch office locations. This may include simplified central management, large-scale deployments, latency/bandwidth challenges, automation, multicloud networking, changing application deployment scenarios (including on-premises), IaaS/PaaS, and SaaS architectures, openness, choice and investment protection.
Marketing Strategy: Clear, differentiated messaging consistently communicated internally, externalized through social media, advertising, customer programs and positioning statements.
Evaluates the ability of the vendor to influence the market through its messaging and marketing campaigns. Furthermore, this includes the extent to which the vendor articulates a clear, consistent and differentiated message that is aligned with end-user needs. We look for consistent communication throughout the organization and through its website, advertising, customer programs and positioning statements, as well as statements of direction and product roadmaps.
Sales Strategy: A sound strategy for selling that uses the appropriate networks, including direct and indirect sales, marketing, service, and communication. This also includes partners that extend the scope and depth of market reach, expertise, technologies, services and their customer base.
Evaluates the vendor’s use of direct and indirect sales to extend the scope and depth of its market reach. Furthermore, this includes the extent to which the vendor articulates a clear, consistent and differentiated sales strategy that engages with buyers. It involves the development of effective go-to-market strategies, alliances and partnerships leveraging value-added resellers (VARs), SIs, Master Agents, NSPs, MSPs and OEM resellers as appropriate. In addition, this includes how the vendor exploits new business models that are emerging due to market and technology transitions.
Offering (Product) Strategy: An approach to product development and delivery that emphasizes market differentiation, functionality, methodology and features as they map to current and future requirements.
Evaluates how the vendor plans and invests in R&D to continue to innovate in the key market transitions identified in the Market Definition/Description and Extended Market Definition sections. This includes product roadmaps around existing and future WAN edge functions. This also includes not just the raw functions, but also the vendor’s overall architecture across the portfolio.
Business Model: The design, logic and execution of the organization’s business proposition to achieve continued success.
Assesses the soundness and logic of a technology provider’s underlying business proposition and how revenue/profitability is derived.
Vertical/Industry Strategy: The strategy to direct resources (e.g., sales and product development), skills, and products to meet the specific needs of individual market segments, including verticals.
Measures the vendor’s ability to address the unique requirements of particular vertical industries and to employ the associated sales channels to build a sustainable business advantage.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes.
Measures the vendor’s ability to address emerging WAN edge requirements, and/or increasing value to enterprise customers. We look at how the vendor invests in new technologies to move its business and the market forward, with a focus on technologies that are differentiated, unique and offer high value to the enterprise buyer. Specific examples include application centricity, intent-driven networking, security, improved management and automation, and even nonproduct innovations, such as consumption-based pricing and new models (e.g., hybrid offerings that bundle product and managed services).
A key attribute in the WAN edge market is for the vendor to innovate in technology areas that meet emerging enterprise market requirements around simplified management of hybrid WAN architectures, including increasing levels of automation. Innovation is not a checkbox of current and proposed product features. It is not limited to product; it can cover multiple aspects of the vendor’s strategy that delivers new capabilities that differentiates it in the marketplace, including new pricing and operational models.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries, as appropriate, for that geography and market.
It measures the vendor’s ability to address any unique product requirements of particular geographies and to use the associated messaging, partnerships, as well as sales channels, to build a sustainable business advantage.

Table 2: Completeness of Vision Evaluation Criteria

Evaluation Criteria
  • Market Understanding
  • Marketing Strategy
  • Sales Strategy
  • Offering (Product) Strategy
  • Business Model
  • Vertical/Industry Strategy
  • Geographic Strategy
Source: Gartner (November 2019)

Quadrant Descriptions

Leaders

A Leader has demonstrated a sustained ability to address changing requirements for enterprise WAN edge. A Leader also can drive, shape and transform the market, as well as maintain strong relationships with its channels and customers.

Challengers

A Challenger has demonstrated sustained execution in the marketplace, and has clear, long-term viability in the market. However, a Challenger has not shown the ability to drive, shape and transform the market.

Visionaries

A Visionary has innovated in some key areas of WAN edge, such as path selection, link remediation, automation, operational efficiency and cost reductions. Visionaries often help to transform the market, from driving new ideas, including new business models, to solving enterprise challenges.

Niche Players

A Niche Player has a complete or near-complete product offering, but has limitations, such as geographic reach or vertical market focus. A Niche Player has a viable product offering, but has not shown the ability to transform the market or maintain sustained execution.


Market Forecast

The WAN edge market (which comprises SD-WAN plus traditional branch routers) is forecast to generate a compound annual growth rate (CAGR) of −6.5% in end-user spending from 2018 through 2023. However, this is the net result of the robust growth of SD-WAN (+23.4% CAGR) and the decline of traditional branch office routers (−23.9% CAGR). The decline is due to the lower average selling price of SD-WAN hardware and software.
Gartner expects a functional consolidation of WAN edge functions into a single device to cause declines in the number of devices shipped and the total market size. This is evidenced by dedicated WAN optimization appliances, which are increasingly delivered as an added feature as part of SD-WAN. This bodes well for buyers, as multifunction devices typically sell for less than several dedicated devices.
The increase in WAN speeds from 1.5/2.0 Mbps legacy interfaces and 10 Mbps Ethernet interfaces to speeds and throughputs of 1 Gbps and beyond will drive up the prices of WAN edge equipment, although at a slower rate than the corresponding increase in link speeds, because there isn’t a linear relationship. In other words, the price per bit will go down.

Popular and Emerging Topics

Internet Substitution for MPLS Connections

Many Gartner clients hope to fund their WAN expansion/updates by replacing or reducing the bandwidth of expensive MPLS connections with internet-based virtual private networks (VPNs), often from alternative providers. However, suitability of internet connections varies by geography, access types and oversubscription levels, and service providers mixing connections from multiple vendors increases complexity. SD-WAN has simplified this approach for the following reasons:
  • Due to the simpler operational environment and the ability to use multiple circuits from multiple carriers, enterprises can abstract the transport layer from the logical layer and depend less on their service providers.
  • This decoupling of layers is enabling new MNS providers to emerge to take advantage of the above for customers that still want to outsource their WANs.

Thin Versus Thick Branch

One of the major decisions that customers will increasingly need to make in the next few years is whether to select a thick branch, with all functions deployed at the customer location, or more of a thin branch, with some functions on the edge supplemented by functions hosted in the cloud. The former suits organizations with stronger IT organizations that want more control. The latter suits leaner IT organizations and, ultimately, offers more operational flexibility.

Merging of Security and Networking

It used to be that security and network procurements were handled separately. Increasingly, we see network and security decisions being made at the same time and at times with the same solution. This is largely driven by the move to distribute internet access and change the security perimeter. This goes with the deployment of SD-WAN at the branch locations to manage the internet transport. As part of a desire to minimize branch sprawl, we expect to see more customers looking for vendors with a combined security and networking solution or part of a broader ecosystem. And the deployment model will also be determined by the decision of the thin versus the thick branch (see “Market Trends: How to Win as WAN Edge and Security Converge into the Secure Access Service Edge”).

Virtualization and NFV

This is primarily driven by the traditional NSPs with their NFV-based offerings, such as uCPE, that combine and orchestrate services (e.g., SD-WAN, security and WAN optimization) from multiple popular and best-of-breed vendors. We also see functions moving more to the cloud or hosted in the service providers’ networks.
Although virtualizing WAN edge functions has been an emerging topic, there are some near-term inhibitors to adoption, such as the lack of standardized and consistent orchestration, networking integration challenges between VNFs, pricing, and performance. As these limitations get addressed, we expect to see more deployments (see “Pump the Brakes on Network Function Virtualization Services”).
DIY virtualization is rare, primarily due to the complexity and lack of standardized solutions.

Routing From Nontraditional Suppliers

Traditionally, enterprise routing has been the domain of a few trusted suppliers. The emergence of SD-WAN has demonstrated that routing has become more commoditized, and many vendors are as good, or perhaps even better, at branch office routing than the incumbents. As a result, trusted suppliers from adjacent markets, typically security and WAN optimization, have aggressively expanded into this market. Client inquiries often involve the suitability of these supplier solutions and the possible saving of as much as 40% when refreshing routing. However, it should be noted that prices have been increasing, due to elevated demand as a result of product and vendors maturing and success realized in the market.

Feature Breadth Versus Feature Depth

There are two approaches to selecting WAN edge equipment. Some Gartner clients prefer feature depth, and they often favor dedicated devices per function in the belief that they can achieve a more robust solution via best-of-breed products. Others prefer the simplicity of a single device and management console in the belief that the consolidated function device is more than good enough, especially since it can be easier to correctly configure the entire technology stack via one interface.

Automation and Agility

Many WAN changes remain manual and CLI-driven (approximately 70% for many enterprises). Thus, in many inquiries regarding WAN, Gartner clients mention a desire to improve automation and agility. In some instances, the focus is on dedicated SD-WAN tools; however, this desire occasionally drives investment in nontraditional tooling, such as Ansible or intent-based networking. Gartner clients report operational savings as high as 90%, when comparing the better WAN Edge solutions with traditional router-based deployments (administration time of five minutes/month versus one hour/month).

Combining LAN, WLAN and WAN

Gartner increasingly sees vendors building a common orchestration between the LAN, WLAN and WAN, and, sometimes, security, which is increasingly known as SD-Branch. Although this is not a formal Gartner term, it offers increased simplicity in managing WLAN, LAN and WAN policies and profiles with a single solution. Integrating these domains will increasingly be a differentiating factor for some vendors. Although Gartner still sees customers procuring LAN/WLAN separate from WAN, there is increasing evidence that this may change for certain customer environments.

Leveraging AI/ML

There is a trend to more autonomous and self-driving networks where leveraging AI/ML technologies can learn and adapt to network traffic patterns. The objective is to make networking even easier for end users, reduce operating expenditures (opex), increase speed/agility and improve uptime/performance. Although it is still early in many vendors’ product development, we are seeing this functionality being incorporated into an increasing number of vendor solutions offering differentiation.

Application Analytics

Application visibility and analytics are becoming more important as a way to get better feedback on the applications running on the network. Whether for on-premises applications or applications in the cloud, enterprises are looking for more detail to help them troubleshoot, plan and confirm that the performance and QoE of specific applications are being delivered to end users.

Market Overview

Gartner’s view of the market is focused on transformational technologies or approaches delivering on the future needs of end users. It is not exclusively focused on the market as it is today.
This dynamic market, with emerging client needs, has created a deeply fragmented vendor landscape, with both large established vendors and smaller providers from multiple segments competing for market share. Differentiation can be feature-based (e.g., ease of cloud connectivity, embedded NGFW or application performance), business-model-based (e.g., pure subscription or WAN as a service using proprietary technologies) or go-to-market (e.g., direct, master agents, product-focused VARs or system integrators [SIs] as MSPs). Some vendors focus on feature depth on a specific use case or two, while others choose an “all-in-one offering” approach. Scale of deployment and the ability to support complex environments remain differentiators at the high end of the market, where some customers require deployments of several thousand branches across multiple geographies.

Market Drivers

The WAN edge market is primarily driven by seven factors:
  • Refresh of existing branch office router equipment that is at end of support or lacks the desired capabilities
  • Renewal of NSP or managed service contracts, where a new service provider also means new equipment
  • The changing traffic patterns resulting from the increasing use of cloud and multicloud resources, which renders the traditional hub-and-spoke from remote branch to on-premises data center WAN architecture obsolete
  • The change in the security perimeter that results from distributing internet access to the branch, which typically drives new solutions
  • The expansion of capacity (i.e., physical build-outs) within existing locations
  • The desire to increase agility and automation to address the needs of digital business transformation and lower opex
  • The desire to consolidate more than one branch function, such as routing, security and WAN optimization
Moving forward, Gartner views SD-WAN and NFV as key technologies to help enterprises transform their networks from fragile to agile. NFV can be in the cloud or on-premises, and Gartner expects to see more functions supported in the cloud. The resulting deployments will increasingly become a choice between a thick branch with more functions operated locally, versus a thin branch with more functions operated in the cloud. Increasingly, we see the consolidation and integration of network and security functions to be a driver in this decision.

Vendor Landscape Changes

Just a few years ago, the WAN edge market was dominated by a few suppliers with long histories of providing routing. Security and WAN optimization was often provided by separate dedicated appliances, and even when device consolidation was available, cost savings were small.
With the acceptance of SD-WAN and the demonstration that routing was increasingly becoming commoditized, companies that often offered adjacent solutions are now aggressively competing.
This Magic Quadrant covers well-known incumbent vendors, as well as a number of smaller suppliers. In total, the WAN edge market is estimated to have more than 70 suppliers that Gartner is aware of, and more are likely to enter the market. We expect this market to remain extremely fragmented during the next few years, with little sign of significant consolidation. It is likely that more than 10 mainstream suppliers will remain, as we look out five years.
WAN refresh opportunities often now involve several trusted existing suppliers and one or two new providers. In many cases, vendors from adjacent markets are competing by bundling multiple functions (e.g., security plus routing) in a single offering that is priced only slightly higher than a single-function offering. Additionally, some of these incumbent solutions can be upgraded to offer SD-WAN by just updating the software on-site and retaining the hardware already deployed.

Market Recommendations

I&O leaders responsible for building and operating WANs should:

Extended Market Definition

Characteristics of the Market

Typical business outcomes: The fundamental business outcome is connectivity between enterprise users, applications and services that reside in distributed locations. Locations include headquarters, branches, corporate data centers, colocation/hosting facilities, SaaS providers and cloud service providers. Increasingly, buyers require improved agility, automation, flexibility and application control.
Market: WAN edge infrastructure provides network functions that support connectivity for distributed locations (typically branches). This market includes functionality that Gartner defines as traditional routers, security appliances, WAN optimization controllers (WOCs), WAN path controllers and SD-WAN.
Typical buyers: Within the enterprise, CIOs, CTOs, the vice president of I&O, the director of networking, and network and telecom managers are typically the buyers of WAN edge infrastructure. Branch managers, as well as enterprise architects, are strong influencers in larger enterprises as well.
How buyers shape their buying decisions: When selecting WAN edge infrastructure, buyers typically focus on several factors including vendor incumbency and familiarity, feature/functionality, pricing options, performance, form factor, deployment options, ease of management, visibility/analytics, customer support/experience, overall product architecture, vertical focus and geographical strength. The solution set is strongly influenced by changing traffic patterns affecting the enterprise WAN.
Deliverables: The primary deliverables include network functions that enable connectivity for users at branches. Typical network functions include edge routing, security and VPN, WAN optimization, WAN path control and SD-WAN. These functions can be delivered to the enterprise as integrated, dedicated hardware appliances (such as routers, WOCs, security or SD-WAN edge-devices) or as a software instance of these functions (e.g., a VNF). These may reside at the customer premises, in provider points of presence (POPs) or as a network-based/cloud service.
How providers package, market and deliver: Buyers typically source their WAN edge infrastructure products directly from network equipment suppliers, or via a network or MSP (that is, as a managed service). WAN edge infrastructure can be procured via purchase, leasing, subscription or consumption-based pricing models. Furthermore, there is a diverse set of deployment options for these networking functions, including via hardware appliances, software (e.g., VNF) or cloud-based services.

Characteristics of WAN Edge Solutions

WAN edge solutions are characterized by the following elements:
Physical interfaces: This refers to physical interfaces to plug into the service providers’ circuits. Ethernet is rapidly becoming the default connection and link speeds are increasing to multigigabit speeds. Flexible options beyond just Ethernet offer more value to customers.
Physical topology: Traditional hub-and-spoke WAN architectures are no longer suitable for most enterprises. Enterprises are altering their WAN architectures in support of new digital business initiatives and the adoption of public cloud services (e.g., SaaS, IaaS and PaaS). The rationale behind this is that migration of applications to the public cloud can lead to distinct challenges, including:
  • Network performance problems as traffic is backhauled, which typically increases latency and congestion
  • Increased WAN expenses, because backhauled internet traffic means paying for bandwidth twice (MPLS to the data center and from the data center to the internet)

Routing, WAN Optimization and Security

In the first phase of SD-WAN, some SD-WAN deployments sat behind traditional routers. However, as SD-WAN routing functionality has improved, vendor products have largely been proven, and traditional routers are reaching end of life, we see SD-WAN operating as the main WAN edge function in customer networks.
Increasingly, we see two approaches from vendors: natively incorporating multiple functions into their solution (e.g., SD-WAN, WAN optimization and security), or partnering with other point-solution vendors.

Deployment Options

We see several deployment methods available for the enterprise to consume network functions:
  • Dedicated hardware appliance — This is the traditional style of deployment, in which a single network function is delivered as a turnkey integrated hardware appliance. Although still common, the trend is to move away from this option as on-site technology becomes obsolete or inefficient. Where an on-site device is retained, we see at least the on-site router migrating to an SD-WAN solution.
  • Multifunctional integrated platform — This platform combines proprietary hardware and software to deliver multiple functions, such as WAN optimization, routing and security. This can be deployed in two ways:
    • Native functionality by the vendor
    • Partnership by the vendor with another best-of-breed solution that is tightly integrated
    Examples include FortiGate appliances, Silver Peak Unity EdgeConnect with Unity Boost, VMware SD-WAN by VeloCloud, and Versa’s FlexVNF.
  • Virtualized network function — This is a software-based instance of a network function that can be delivered on an x86-based computing platform. Nearly all routing, WAN optimization and SD-WAN vendors deliver a VNF version of their software.
  • uCPE platform — This multifunctional platform supports an NFV architecture, designed around industry standards to run multiple virtual functions, possibly from different vendors, in the same device. The platform allows multiple VNFs to be installed and typically uses industry-standard x86 devices rather than function-specific appliances. Juniper Networks’ NFX and Cisco ENCS are examples of hardware uCPE platforms. Universal CPE is one delivery method for an NFV deployment in which the functions reside on-premises. The goal is to increase the agility of enterprise networks, enabling them to respond to changing needs more rapidly and on demand, and to avoid vendor lock-in. Today, uCPE is primarily a carrier-driven technology and has near-term adoption challenges with pricing, performance, standard orchestration and networking integration. However, we expect these challenges to subside in the next couple of years.
  • Cloud-based OTT — Network function is delivered via a cloud platform, and the enterprise subscribes to the functionality. An example is Aryaka, which provides WAN optimization and other application performance functionality. Additionally, we are seeing security delivered in this model, which will drive adoption of the thin CPE model.

Consumption Models for WAN Edge Infrastructure

Enterprises consume WAN edge infrastructure functionality in multiple ways, including:
  • DIY — Enterprise owns and manages WAN edge functionality itself.
  • NSP — NSP manages the WAN transport and, optionally, the WAN edge equipment.
  • MNS — Managed NSPs include SIs, MSPs and ISP aggregators that manage the WAN edge equipment and may resell third-party access or, in some cases, allow organizations to bring their own access (BYOA).
  • Hybrid — This is a combination of at least two of the above.
On a global basis, most WAN edge infrastructure is provided as a managed service, either via an NSP, SI, MSP or ISP aggregator. Conversely, in North America, the predominant way of managing WAN edge infrastructure for a large enterprise is DIY. Overall, Gartner sees a trend toward more MNSs, and the growth is expected to come from non-NSP providers. Additionally, we see an increasing trend of co-management, where the client retains control over business policies and the MSP controls how those policies are enforced.
In this research, we focus primarily on WAN edge functionality that can address multiple consumption models.


Gartner analysts conducted more than 3000 Gartner client inquiries on the topic of WAN between 1 July 2018 and 30 June 2019.
Gartner analysts conducted more than 700 Gartner client inquiries on the topic of SD-WAN between 1 July 2018 and 30 June 2019.
All vendors in this research responded to an extensive questionnaire regarding their current/future data center networking solutions.
We surveyed reference customers provided by vendors in this research. All vendors in this research provided reference customers, although not all reference customers completed the survey (n = 125).
Analysts reviewed Gartner Peer Insights data for this market.
Social Media Conversation Analysis: Gartner analyzed social media activity regarding WAN edge topics and applicable vendors. Automated social media listening tools were used to track user responses on social media and public discussion forums as leading indicators for consumer sentiment, preferences and activities.
  • The data tracked is specific to quantifiable keywords and phrases, as well as qualitative assessments and evaluations of results and use cases.
  • Definition of social media mentions: “Mentions” are the text inclusion of a monitored keyword in a post on a social media platform. High mention count should NOT be interpreted as “positive sentiment” by default.
Duration of the Research: The time period for the analysis of the overall mention count was considered to be between 1 August 2016 and 23 July 2019. Considering a different time interval may change the most-talked-about conversations.

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization’s financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization’s portfolio of products.
Sales Execution/Pricing: The vendor’s capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor’s history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization’s message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This “mind share” can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers’ wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers’ wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor’s approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor’s underlying business proposition.
Vertical/Industry Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor’s strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the “home” or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Web Application Penetration Testing – Training

Web Application Penetration Testing

Phase 1 – History

  1. History of Internet –

Phase 2 – Web and Server Technology


  1. Basic concepts of web applications, how they work and the HTTP protocol –
  2. HTML basics part 1 –
  3. HTML basics part 2 –
  4. Difference between static and dynamic website –
  5. HTTP protocol Understanding –
  6. Parts of HTTP Request –
  7. Parts of HTTP Response –
  8. Various HTTP Methods –
  9. Understanding URLS –
  10. Intro to REST –
  11. HTTP Request & Response Headers –
  12. What is a cookie –
  13. HTTP Status codes –
  14. HTTP Proxy –
  15. Authentication with HTTP –
  16. HTTP basic and digest authentication –
  17. What is “Server-Side” –
  18. Server and client side with example –
  19. What is a session –
  20. Introduction to UTF-8 and Unicode –
  21. URL encoding –
  22. HTML encoding –
  23. Base64 encoding –
  24. Hex encoding & ASCII –


Phase 3 – Setting up the lab with BurpSuite and bWAPP




  1. Setup lab with bWAPP –
  2. Set up Burp Suite –
  3. Configure Firefox and add certificate –
  4. Mapping and scoping website –
  5. Spidering –
  6. Active and passive scanning –
  7. Scanner options and demo –
  8. Introduction to password security –
  9. Intruder –
  10. Intruder attack types –
  11. Payload settings –
  12. Intruder settings –




  1. 1 Penetration testing tool –
  2. Environment Setup –
  3. General concept –
  4. Proxy module –
  5. Repeater module –
  6. Target and spider module –
  7. Sequencer and scanner module –


Phase 4 – Mapping the application and attack surface


  1. Spidering –
  2. Mapping application using robots.txt –
  3. Discover hidden contents using dirbuster –
  4. Dirbuster in detail –
  5. Discover hidden directories and files with intruder –
  6. Directory bruteforcing 1 –
  7. Directory bruteforcing 2 –
  8. Identify application entry points –
  9. Identify application entry points –
  10. Identify client and server technology –


  1. Identify server technology using banner grabbing (telnet) –
  2. Identify server technology using httprecon –
  3. Pentesting with Google dorks Introduction –
  4. Fingerprinting web server –
  5. Use Nmap for fingerprinting web server –
  6. Review webs servers metafiles for information leakage –
  7. Enumerate applications on web server –
  8. Identify application entry points –
  9. Map execution path through application –
  10. Fingerprint web application frameworks –


Phase 5 – Understanding and exploiting OWASP top 10 vulnerabilities


  1. A closer look at all OWASP top 10 vulnerabilities –




  1. Injection –
  2. Broken authentication and session management –
  3. Cross-site scripting –
  4. Insecure direct object reference –
  5. Security misconfiguration –
  6. Sensitive data exposure –
  7. Missing functional level access controls –
  8. Cross-site request forgery –
  9. Using components with known vulnerabilities –

  1. Unvalidated redirects and forwards –





  1. Injection –
  2. Broken authentication and session management –
  3. Insecure deserialisation –
  4. Sensitive data exposure –
  5. Broken access control –
  6. Insufficient logging and monitoring –


  1. XML external entities –
  2. Using components with known vulnerabilities –
  3. Cross-site scripting –
  4. Security misconfiguration –




  1. Injection explained –
  2. Broken authentication and session management –
  3. Cross-site scripting –
  4. Insecure direct object reference –
  5. Security misconfiguration –
  6. Sensitive data exposure –
  7. Missing functional level access control –
  8. Cross-site request forgery –
  9. Components with known vulnerabilities –
  10. Unvalidated redirects and forwards –


Phase 6 – Session management testing


  1. Bypass authentication using cookie manipulation –
  2. Cookie Security Via httponly and secure Flag – OWASP –
  3. Penetration testing Cookies basic –
  4. Session fixation 1 –
  5. Session fixation 2 –
  6. Session fixation 3 –
  7. Session fixation 4 –
  8. CSRF – Cross site request forgery 1 –
  9. CSRF – Cross site request forgery 2 –
  10. CSRF – Cross site request forgery 3 –
  11. CSRF – Cross site request forgery 4 –
  12. CSRF – Cross site request forgery 5 –
  13. Session puzzling 1 –
  14. Admin bypass using session hijacking –


Phase 7 – Bypassing client-side controls


  1. What are hidden forms in HTML –
  2. Bypassing hidden form fields using tamper data –
  3. Bypassing hidden form fields using Burp Suite (Purchase application) –
  4. Changing price on eCommerce website using parameter tampering –
  5. Understanding cookie in detail –
  6. Cookie tampering with Tamper Data –
  7. Cookie tampering part 2 –
  8. Understanding referer header in depth using Cisco product –
  9. Introduction to ASP.NET viewstate –
  10. .NET viewstate in depth –
  11. Analyse sensitive data in ASP.NET viewstate –
  12. Cross-origin-resource-sharing explanation with example –
  13. CORS demo 1 –
  14. CORS demo 2 –
  15. Security headers –
  16. Security headers 2 –


Phase 8 – Attacking authentication/login


  1. Attacking login panel with bad password – Guess username password for the website and try different combinations
  2. Brute-force login panel –
  3. Username enumeration –
  4. Username enumeration with bruteforce password attack –
  5. Authentication over insecure HTTP protocol –
  6. Authentication over insecure HTTP protocol –
  7. Forgot password vulnerability – case 1 –
  8. Forgot password vulnerability – case 2 –
  9. Login page autocomplete feature enabled –
  10. Testing for weak password policy –
  11. Insecure distribution of credentials – When you register in any website or you request for a password reset using forgot password feature, if the website sends your username and password over the email in cleartext without sending the password reset link, then it is a
  12. Test for credentials transportation using SSL/TLS certificate –
  13. Basics of MySQL –
  14. Testing browser cache –
  15. Bypassing login panel -case 1 –
  16. Bypass login panel – case 2 –


Phase 9 – Attacking access controls (IDOR, Priv esc, hidden files and directories)


Completely unprotected functionalities


  1. Finding admin panel –
  2. Finding admin panel and hidden files and directories –
  3. Finding hidden webpages with DirBuster –


Insecure direct object reference

  1. IDOR case 1 –
  2. IDOR case 2 –
  3. IDOR case 3 (zomato) –


Privilege escalation

  1. What is privilege escalation –
  2. Privilege escalation – Hackme bank – case 1 –
  3. Privilege escalation – case 2 –


Phase 10 – Attacking input validations (All injections, XSS and misc)


HTTP verb tampering


  1. Introduction HTTP verb tampering –
  2. HTTP verb tampering demo –


HTTP parameter pollution


  1. Introduction HTTP parameter pollution –
  2. HTTP parameter pollution demo 1 –
  3. HTTP parameter pollution demo 2 –
  4. HTTP parameter pollution demo 3 –


XSS – Cross site scripting


  1. Introduction to XSS –


  1. What is XSS –
  2. Reflected XSS demo –
  3. XSS attack method using burpsuite –
  4. XSS filter bypass with Xenotix –
  5. Reflected XSS filter bypass 1 –
  6. Reflected XSS filter bypass 2 –
  7. Reflected XSS filter bypass 3 –
  8. Reflected XSS filter bypass 4 –
  9. Reflected XSS filter bypass 5 –
  10. Reflected XSS filter bypass 6 –
  11. Reflected XSS filter bypass 7 –
  12. Reflected XSS filter bypass 8 –
  13. Reflected XSS filter bypass 9 –
  14. Introduction to Stored XSS –
  15. Stored XSS 1 –
  16. Stored XSS 2 –
  17. Stored XSS 3 –
  18. Stored XSS 4 –
  19. Stored XSS 5 –


SQL injection


  1. Part 1 – Install SQLi lab –
  2. Part 2 – SQL lab series –
  3. Part 3 – SQL lab series –
  4. Part 4 – SQL lab series –
  5. Part 5 – SQL lab series –
  6. Part 6 – Double query injection –
  7. Part 7 – Double query injection –
  8. Part 8 – Blind injection boolean based –
  9. Part 9 – Blind injection time based –
  10. Part 10 – Dumping DB using outfile –
  11. Part 11 – Post parameter injection error based –
  12. Part 12 – POST parameter injection double query based –
  13. Part 13 – POST parameter injection blind boolean and time based –
  14. Part 14 – Post parameter injection in UPDATE query –
  15. Part 15 – Injection in INSERT query –
  16. Part 16 – Cookie based injection –
  17. Part 17 – Second order injection –
  18. Part 18 – Bypassing blacklist filters – 1 –
  19. Part 19 – Bypassing blacklist filters – 2 –
  20. Part 20 – Bypassing blacklist filters – 3 –
  21. Part 21 – Bypassing WAF –
  22. Part 22 – Bypassing WAF – Impedance mismatch –
  23. Part 23 – Bypassing addslashes – charset mismatch –


NoSQL injection

  1. Introduction to NoSQL injection –
  2. Introduction to SQL vs NoSQL – Difference between MySQL and MongoDB with tutorial –
  3. Abusing NoSQL databases –
  4. Making cry – attacking NoSQL for pentesters –


XPath and XML injection

  1. Introduction to XPath injection –
  2. Introduction to XML injection –
  3. Practical 1 – bWAPP –
  4. Practical 2 – Mutillidae –
  5. Practical 3 – webgoat –
  6. Hack admin panel using XPath injection –
  7. XXE demo –
  8. XXE demo 2 –
  9. XXE demo 3 –


LDAP injection

  1. Introduction and practical 1 –
  2. Practical 2 –


OS command injection

  1. OS command injection in bWAPP –
  2. bWAPP – OS command injection with Commix (All levels) –


Local file inclusion

  1. Detailed introduction –
  2. LFI demo 1 –
  3. LFI demo 2 –


Remote file inclusion

  1. Detailed introduction –
  2. RFI demo 1 –
  3. RFI introduction and demo 2 –


HTTP splitting/smuggling

  1. Detailed introduction –
  2. Demo 1 –


Phase 11 – Generating and testing error codes


  1. Generating normal error codes by visiting files that may not exist on the server – for example, visit php or chintan.aspx on any website and it may redirect you to 404.php or 404.aspx or a custom error page. Check whether the error page is generated by the default web server or application framework, or whether a custom page is displayed that does not reveal any sensitive information.
  2. Use BurpSuite fuzzing techniques to generate stack trace error codes –


Phase 12 – Weak cryptography testing


  1. SSL/TLS weak configuration explained –
  2. Testing weak SSL/TLS ciphers –
  3. Test SSL/TLS security with Qualys guard –
  4. Sensitive information sent via unencrypted channels –


Phase 12 – Business logic vulnerability


  1. What is a business logic flaw –
  2. The Difficulties Finding Business Logic Vulnerabilities with Traditional Security Tools –
  3. How To Identify Business Logic Flaws –
  4. Business Logic Flaws: Attacker Mindset –
  5. Business Logic Flaws: Dos Attack On Resource –
  6. Business Logic Flaws: Abuse Cases: Information Disclosure –
  7. Business Logic Flaws: Abuse Cases: iPod Repairman Dupes Apple –
  8. Business Logic Flaws: Abuse Cases: Online Auction –
  9. Business Logic Flaws: How To Navigate Code Using ShiftLeft Ocular –
  10. Business Logic Security Checks: Data Privacy Compliance –
  11. Business Logic Security Checks: Encryption Compliance –
  12. Business Logic Security: Enforcement Checks –
  13. Business Logic Exploits: SQL Injection –
  14. Business Logic Exploits: Security Misconfiguration –
  15. Business Logic Exploits: Data Leakage –
  16. Demo 1 –
  17. Demo 2 –
  18. Demo 3 –
  19. Demo 4 –
  20. Demo 5 –
  21. Demo 6 –