FirstPassLab

Originally published at firstpasslab.com

GPU-Powered SASE Is Here: How $97B in Spending Is Reshaping Network Security Architecture

Cumulative SASE spending across Security Service Edge (SSE) and SD-WAN will reach $97 billion over 2025–2030, according to Dell'Oro Group's February 2026 forecast — nearly 3x the total from the prior five-year period. That's not a forecast you can hand-wave away.

Two announcements in the last week made the shift tangible: Cato Networks deployed NVIDIA GPUs inside 85+ SASE PoPs for real-time AI threat inspection, and Versa Networks launched Inbound SSE — cloud-delivered security that sits in front of your internet-facing apps, not behind them.

Here's what's actually changing, with numbers.

Why Is SASE Spending Tripling?

Dell'Oro Group projects $97B cumulative SASE spend for 2025–2030, up from ~$33B in 2020–2024. Mauricio Sanchez (Sr. Director, Dell'Oro): "Security policy is no longer a downstream control that follows network design; it is becoming the architectural layer that dictates how access and connectivity are built."

Three forces are driving this:

| Growth Driver | Impact | Timeframe |
|---|---|---|
| Hybrid cloud expansion | Consistent security across on-prem, IaaS, SaaS | 2025–2028 |
| AI workload proliferation | Real-time inspection at scale → GPU-accelerated security | 2026–2030 |
| Regulatory tightening (NIS2, DORA, NIST CSF) | Unified audit trails across network + security | 2025–2027 |

The numbers converge across independent analysts:

  • MarketsandMarkets: Annual SASE market → $44.68B by 2030 (23.6% CAGR)
  • Virtue Market Research: $15.5B in 2025 → $45B by 2030 (23.7% CAGR)
  • Dell'Oro: $97B cumulative through 2030

Cato Networks: GPUs Inside the SASE Backbone

On March 17, 2026, Cato Networks deployed NVIDIA GPUs across its 85+ global PoPs — making it the first SASE vendor to embed GPU compute directly into enforcement infrastructure rather than offloading to hyperscaler environments.

Two new capabilities shipped:

Cato Neural Edge

  • Real-time AI traffic inspection — deep semantic analysis of encrypted traffic patterns without decryption performance penalties
  • Inline threat detection — ML models executing in the data path at wire speed
  • Policy enforcement at scale — AI classification and response at the enforcement point, not in a separate cloud

The architectural distinction matters: traditional SASE offloads AI inspection to external GPU clouds, adding latency variability and separating intelligence from enforcement. 650 Group confirmed this "appears to be the first SASE platform embedding GPU compute directly into its global infrastructure."

Cato AI Security

Beyond traffic inspection, Cato is tackling AI governance:

  1. Employee AI tool usage — monitoring/controlling access to ChatGPT, Copilot, etc.
  2. Homegrown AI app security — protecting internal AI models and APIs
  3. Autonomous agent guardrails — enforcing security policy on agentic AI workflows

Gartner predicts 75% of enterprises will use AI-amplified cybersecurity products by 2028, up from <25% in 2025.

Versa's Inbound SSE: Flipping the Traffic Model

On March 19, 2026, Versa Networks launched Inbound SSE — extending Security Service Edge from its traditional outbound focus to also inspect inbound internet traffic before it hits your apps.

Why this matters: traditional SSE protects users going out. But enterprise attack surfaces increasingly include:

  • Partner portals exposed for B2B integration
  • REST APIs serving mobile/IoT clients
  • Remote management interfaces
  • IoT data ingestion endpoints

How It Works

  1. External connection initiates to enterprise application
  2. DNS/routing redirects to nearest Versa SSE gateway
  3. Gateway applies full inspection: IP/geo ACLs, DDoS detection, bot filtering, IDS/IPS, malware blocking
  4. Only verified traffic reaches the application

This eliminates dedicated firewall + load balancer stacks at every application environment. Swisscom's CTO confirmed: "Customers can remove redundant on-premises firewalls without giving up the ability to host applications locally."

For anyone who's managed firewall sprawl across multiple DMZs — this is the architectural simplification you've been waiting for.
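Step 4 only holds if the application's origin refuses connections that did not arrive through the gateway. The following added example (not from the original article or from Versa) audits an origin access log for requests that reached the application directly; the egress prefixes, the log format (TCP peer address, not a forwarded header) and the function names are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the SSE provider's gateway
# egress prefixes; the real list must come from the vendor. Assumption.
GATEWAY_EGRESS = ["198.51.100.0/24", "2001:db8:100::/48"]

# Constructed origin access log: "<timestamp> <client_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2026-03-20T10:00:01Z 198.51.100.17 GET /portal/login 200
2026-03-20T10:00:02Z 203.0.113.45 GET /api/v1/devices 200
2026-03-20T10:00:03Z 2001:db8:100::a POST /api/v1/ingest 202
2026-03-20T10:00:04Z 203.0.113.45 GET /admin 403
2026-03-20T10:00:05Z ::ffff:198.51.100.9 GET /portal/home 200
2026-03-20T10:00:06Z not-an-ip GET / 400
"""

def audit_origin_log(text, cidrs=GATEWAY_EGRESS):
    """Return (bypass, malformed): requests that reached the origin directly."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    bypass, malformed = [], []
    for line in text.splitlines():
        parts = line.split()
        try:
            ts, client, _method, path, status = parts
            ip = ipaddress.ip_address(client)
            code = int(status)
        except ValueError:  # wrong field count, bad IP or bad status
            malformed.append(line)
            continue
        # Dual-stack listeners log IPv4 peers as ::ffff:a.b.c.d; normalise first.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not any(ip in net for net in networks):
            bypass.append({"ts": ts, "client": str(ip), "path": path, "status": code})
    return bypass, malformed

def summarize(bypass):
    """Per-client counts; 'served' (status < 400) means the origin answered directly."""
    out = {}
    for hit in bypass:
        entry = out.setdefault(hit["client"], {"requests": 0, "served": 0})
        entry["requests"] += 1
        entry["served"] += hit["status"] < 400
    return out

if __name__ == "__main__":
    hits, bad = audit_origin_log(SAMPLE_LOG)
    print(summarize(hits), f"malformed={len(bad)}")
```

Any client with a non-zero `served` count shows the origin still accepts traffic from outside the gateway, so the inspection pipeline can be skipped for that application.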

The 2026 SASE Vendor Landscape

| Vendor | Architecture | Key Differentiator (2026) |
|---|---|---|
| Cato Networks | Single-pass cloud-native, GPU-powered PoPs | First GPU-embedded SASE backbone, native AI security |
| Versa Networks | VersaONE Universal SASE | Inbound SSE, service provider multi-tenancy |
| Palo Alto | Prisma SASE (Prisma Access + SD-WAN) | Largest enterprise install base |
| Zscaler | Zero Trust Exchange | SSE market leader by revenue, 150+ data centers |
| Cisco | Unified SASE (Meraki SD-WAN + Umbrella SSE) | Deepest campus/branch integration |
| Fortinet | FortiSASE (FortiGate + FortiClient) | ASIC-accelerated security, converged stack |

Dell'Oro's take: the winners in 2030 will offer truly converged platforms — not stitched-together SD-WAN and SSE products.

SSE vs. SD-WAN: Where the Money Is Really Going

A critical insight from the Dell'Oro data: security risk, not routing, is driving SASE adoption. SSE (ZTNA, CASB, SWG, FWaaS) is growing faster than SD-WAN within the $97B envelope.

This has practical implications for where engineers invest their time:

| Skill Category | Priority | Why |
|---|---|---|
| SSE architecture (ZTNA, CASB, SWG, FWaaS) | Critical | Largest growth segment, highest demand |
| SD-WAN overlay design | High | SASE foundation, but slower growth than SSE |
| AI/ML security operations | High | GPU-powered SASE creates new skill requirements |
| Traditional firewall admin | Moderate | Needed for hybrid, declining long-term |
| On-prem WAN routing (EIGRP/OSPF) | Foundational | Not a primary growth area |

What Should You Do About This?

Here's a practical 90-day plan if you want to stay ahead of the curve:

  1. Deploy a SASE trial — Cato, Versa, and Zscaler all offer free trials. Route test traffic through their platforms to understand PoP-based inspection firsthand
  2. Build an SD-WAN lab — pair virtual SD-WAN controllers with cloud SSE integration to see convergence in action
  3. Study SSE component interactions — map how ZTNA, CASB, SWG, and FWaaS share policy context in a unified platform vs. disaggregated point products
  4. Track vendor roadmaps — Cato's GPU evolution, Versa's Inbound SSE expansion, and Cisco's Unified SASE convergence all signal where the market is heading

The $97 billion question isn't whether SASE will dominate — three independent analyst firms agree it will. The question is whether your skills portfolio matches the architecture enterprises are buying.


Originally published at FirstPassLab. More deep dives on network security architecture at firstpasslab.com.


🤖 AI Disclosure: This article was adapted from original research with AI assistance. All data points, analyst quotes, and vendor announcements have been sourced and verified. See the original article for full source citations.