
SASE has transformed how organizations approach secure networking, uniting security and connectivity into a single, cloud-delivered model. As one of the original architects of SASE (along with Neil MacDonald), I was invited at ONUG Dallas to reflect on the state of SASE and what we might have missed in our original research.
While we originally described what SASE is, a cloud-delivered, converged service of networking and security, we didn’t really talk about what it takes to build it. That lack of architectural and implementation specificity created so much variation in how vendors deliver SASE today. Delivering security at the edge, strong performance, and true resilience relies on a purpose-built global infrastructure. Without it, SASE becomes just another bundle of features, rather than the transformational shift it was meant to be.
In a nutshell, without the right architecture and implementation, SASE can’t fulfill its promise.
Security without sacrifices
Some vendors will tell you that to get security, you have to sacrifice performance. That’s simply not true.
Even in today’s world of 100 gigabit networking, latency is still a problem, and it comes from four key sources: round-trip delay, app chattiness, the processing hit of the security stack, and service chaining between fragmented security services. This matters because business leaders won’t tolerate degraded user experiences, even in the name of security. When that happens, the pushback is real, and network teams often get pressured to route around security tools entirely.
Why NewEdge had to be built
Most cloud networks aren’t designed for high-performance security processing at the edge; they’re designed for search, streaming, or ecommerce. They may be global, but they’re not optimized for deep packet inspection, inline DLP, or real-time policy enforcement. And when a SASE provider piggybacks on one of those networks, they inherit those limitations.
If you’re relying on a network built to deliver dancing cat videos, it’s no surprise your security experience struggles under load. That’s why Netskope took a fundamentally different approach, not to stand out, but because it was the only way to deliver SASE as it was truly intended. Rather than relying on third-party infrastructure, they built the Netskope One NewEdge network: a global, high-performance cloud fabric with full-stack capabilities designed to provide robust, inline security without compromising user experience. It’s a global overlay network with dense compute at the edge and a global Internet-based backbone that they control. It has full data centers implemented in more than 75 regions. This overlay has its own routing which they control and their own peering that they control. They can localize to more than 220 countries and territories, so you always get the right content, and their highly peered network has roughly 6,000 adjacencies to hundreds of unique ASNs.
NewEdge isn’t just large; it’s designed and built for a specific purpose: to deliver SASE services with uncompromising security and performance. When you look at global Internet Exchange participation, for example, Netskope is number 12 globally; none of their leading competitors even make it into the top 20. That’s a nice number, but why does it matter? It matters because you want to be able to reach applications with the lowest possible latency, regardless of where they are located.
Pairing AI-driven analytics built into NewEdge with tools like Netskope One Digital Experience Management (DEM) allows customers to proactively troubleshoot user experience and application performance issues. But this is only possible if the vendor controls the network. Otherwise, visibility is limited and remediation becomes guesswork, or falls well outside the vendor’s direct control if they are reliant on a public cloud, for example. With the combination of the NewEdge infrastructure, endpoint telemetry collected from Netskope One DEM, and AI/ML insights, issues in the end-to-end network path can be identified and resolved proactively, before users are impacted. This shift from reactive firefighting to automated and real-time optimizations is not possible unless you purposely build and fully control the network to support it.
That shift is part of why organizations need to rethink what SASE means today, not just as a cloud service, but as an architectural strategy rooted in resilience, intelligence, and performance. A recent Gartner® report, “Make Three Strategic Moves to Maintain Future SASE Effectiveness,” reinforces the importance of architectural control and resilience in the face of rising AI adoption, evolving encryption, and geopolitical pressures. As vendors expand into broader platforms, Gartner warns that only those with a strong, focused foundation in SASE will remain competitive. Netskope’s purpose-built approach, grounded in performance, visibility, and control, aligns directly with these recommendations.
SASE is a journey. Architecture & implementation are the foundation
For organizations evaluating SASE vendors today, remember these key points:
- Architecture matters. Performance, security, and scalability all depend on a provider that owns its edge, routing, and peering.
- Don’t accept trade-offs. The right architecture delivers both protection and a seamless user experience.
- Be ready for complexity. Even with a single-vendor plan, dual-vendor realities happen, particularly during the transition from the legacy environment to SASE. Prioritize open integration and demand performance data that tells the full story.
SASE isn’t a product you buy, it’s an architecture you commit to, and when done right, it delivers both the security your organization needs and the performance your users demand.
📍 Watch the full session:
Built for What’s Next: Architecting Secure, Agile Networks in the AI Era