VPNs are losing ground to zero trust network access fast.
More than half of organizations experienced at least one attack tied to VPN vulnerabilities in the past year, according to a survey of 632 IT and security professionals by Cybersecurity Insiders.
That number is accelerating the shift to zero trust network access.
The reason is straightforward. VPNs authenticate a user once and then grant broad network access. If credentials get compromised, attackers move laterally across systems with little resistance. For organizations running hybrid workforces, cloud applications, and multi-site operations, that model creates too much exposure.
ZTNA takes the opposite approach: it verifies identity, device posture, and context for every access request, then connects the user directly to the specific application rather than to the network itself. Unauthorized users never see the applications, and lateral movement is blocked by design.
Two platforms consistently appear on enterprise shortlists for ZTNA: Zscaler and Cato Networks. Both replace legacy VPNs and enforce identity-first access controls, but they take fundamentally different architectural approaches to get there, and those differences shape everything from deployment complexity to long-term cost.
The real decision comes down to architecture, device posture, digital experience monitoring, management overhead, and licensing. Zscaler ZPA and Cato ZTNA handle each of these differently, and the right fit depends on your environment.
Zscaler ZPA (architecture and approach)
Zscaler delivers ZTNA through Zscaler Private Access (ZPA), one component of a broader security service edge (SSE) platform. The other major component is Zscaler Internet Access (ZIA), which handles secure web gateway, CASB, and internet-bound traffic inspection. These are separate products that work together but are managed through different consoles.
ZPA’s architecture is built around a proxy-based, brokered connection model. Users never touch the corporate network. Instead, lightweight software called App Connectors is deployed inside data centers or cloud environments where applications live. These connectors establish outbound-only connections to the Zscaler cloud, which means no inbound firewall rules are needed, and application infrastructure stays invisible to the public internet.
When a user requests access, the Zscaler cloud brokers a one-to-one connection between that user and the specific application through a per-app microtunnel. No other applications are reachable during that session.
A few capabilities stand out in Zscaler’s ZTNA model:
- Agentless access: Zscaler supports browser-based access for unmanaged and BYOD devices without requiring a client install. This is a strong option for contractor and third-party access scenarios.
- Device posture depth: ZPA integrates with endpoint detection tools and can evaluate detailed compliance signals like registry keys, running processes, and file presence, not just OS version and antivirus status.
- Digital experience monitoring: Zscaler’s ZDX (Zscaler Digital Experience) monitors the full path from endpoint to application, covering device health, network latency, and app responsiveness. ZDX is a paid add-on, but it provides deeper telemetry than most built-in alternatives.
Zscaler’s approach is modular by design. Organizations can adopt ZPA for private app access without committing to ZIA or the full platform. That flexibility is useful for teams that want to layer ZTNA on top of existing network infrastructure rather than replacing it all at once.
Cato ZTNA (architecture and approach)
Cato Networks delivers ZTNA as part of a unified SASE platform where networking and security are built into the same codebase from the ground up. There is no separate product for ZTNA, SD-WAN, firewall, SWG, CASB, or DLP. Everything runs through a single cloud-native architecture and is managed from a single console.
Cato’s ZTNA model uses a broker-connector architecture within the Cato SASE Cloud. Similar to Zscaler, connectors are deployed where applications live and establish outbound connections to the Cato cloud. Users authenticate through SSO and MFA, and the Cato broker evaluates identity, device posture, location, and risk context before granting access to specific applications. By default, nothing is visible or accessible until a policy explicitly permits it.
The key difference is what surrounds ZTNA. Because Cato converges networking and security into one platform, ZTNA policies share the same engine as firewall rules, web filtering, and data protection. There is no integration layer between separate products to build or maintain. One policy applies everywhere, regardless of whether the user is remote, in the office, or at a branch site.
A few capabilities define Cato’s ZTNA model:
- Universal ZTNA: Cato enforces the same zero trust policies for all users in all locations. Remote and on-premises users get identical treatment, which eliminates the split policy model that many organizations deal with when running separate remote access and on-site security tools.
- Enterprise Browser: Cato launched a browser-based access option for BYOD and contractor access in April 2026. It extends the same zero trust policies to unmanaged devices without a separate product or license, and it is included under the existing UZTNA license.
- Built-in DEM: Cato includes native digital experience monitoring at no additional cost. It covers endpoint health, network performance, and application responsiveness. The telemetry is not as deep as Zscaler’s ZDX, but it ships with the platform rather than requiring a paid add-on.
- Private backbone: Cato routes traffic across a global network of 80+ PoPs connected by SLA-backed private links. This is a networking advantage that ZTNA-only platforms do not provide, and it can improve performance for users connecting to applications across long distances.
Cato’s approach works best for organizations that want to consolidate vendors and manage networking and security from one place. The tradeoff is that adopting Cato ZTNA typically means adopting the broader platform, though Cato recently introduced a modular adoption model that allows organizations to start with ZTNA standalone and expand over time.
Zscaler vs. Cato ZTNA: Key differences
Both platforms deliver identity-based, least-privilege access to applications. The differences show up in how they are built, how they are managed, and what they cost over time.
Architecture and delivery model
Zscaler takes a modular approach. ZPA handles private application access, ZIA handles internet and SaaS security, and each operates as its own product with its own console. This separation gives organizations the flexibility to adopt ZTNA independently without committing to the full Zscaler stack. It also means that achieving full SASE functionality requires integrating multiple components.
Cato takes a converged approach. ZTNA, SD-WAN, NGFW, SWG, CASB, and DLP all run on the same platform with a single policy engine. That simplifies operations and eliminates integration gaps, but it also means organizations are buying into a broader platform even when they only need ZTNA to start.
For teams layering ZTNA on top of an existing network, Zscaler fits more naturally. For teams looking to consolidate networking and security into one platform, Cato’s model removes complexity.
Device posture and access controls
Both platforms evaluate device health before granting access, but the depth differs.
Zscaler offers more granular endpoint compliance checks. Through its Client Connector and integrations with EDR tools, ZPA can evaluate registry keys, running processes, file presence, and custom posture profiles built on PowerShell or shell scripts. This gives security teams fine-grained control over which devices qualify for access.
Cato covers the fundamentals well. It checks OS version, patch status, antivirus, disk encryption, firewall state, device certificates, and geographic location. If a posture check fails, Cato can terminate the session or restrict access to specific resources until the device becomes compliant. The checks run continuously, not just at login.
Zscaler has the edge for organizations with complex endpoint compliance requirements. Cato’s posture enforcement is strong enough for most environments and requires fewer moving parts to manage.
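As an added illustration (constructed here, not code from Zscaler, Cato, or this article), a small Python model of the brokered, deny-by-default access decision described in the introduction and in the posture section above: identity, device posture and location are evaluated for one request to one application, and posture is re-evaluated during the session so that a failing check terminates or restricts access until the device is compliant again. The application names, groups, minimum OS version and country lists are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Posture:
    """Device signals of the kind the article lists (constructed sample model)."""
    os_version: tuple
    patched: bool
    antivirus: bool
    disk_encrypted: bool
    firewall: bool
    cert_valid: bool
    country: str


MIN_OS = (10, 0)  # hypothetical minimum OS version


def posture_failures(p: Posture) -> list:
    """Return the names of every posture check the device fails (empty if compliant)."""
    checks = {
        "os_version": p.os_version >= MIN_OS,
        "patched": p.patched,
        "antivirus": p.antivirus,
        "disk_encrypted": p.disk_encrypted,
        "firewall": p.firewall,
        "cert_valid": p.cert_valid,
    }
    return [name for name, ok in checks.items() if not ok]


# One rule per application: who may reach it, from where, and what happens when
# posture fails mid-session. An app with no rule does not exist from the user's
# point of view (deny by default). Hypothetical app and group names.
POLICY = {
    "payroll": {"groups": {"finance"}, "countries": {"US", "CA"}, "on_posture_fail": "terminate"},
    "wiki": {"groups": {"finance", "eng"}, "countries": None, "on_posture_fail": "restrict"},
}


def broker(user_groups: set, posture: Posture, app: str) -> dict:
    """Evaluate one access request to one application; the grant never covers a network."""
    rule = POLICY.get(app)
    if rule is None or not (user_groups & rule["groups"]):
        return {"app": app, "decision": "deny", "reason": "no policy grants this app"}
    if rule["countries"] and posture.country not in rule["countries"]:
        return {"app": app, "decision": "deny", "reason": "location not permitted"}
    failures = posture_failures(posture)
    if failures:
        return {"app": app, "decision": "deny", "reason": "posture", "failures": failures}
    return {"app": app, "decision": "allow"}


def reevaluate(session: dict, posture: Posture) -> dict:
    """Continuous check on a granted session: posture drift terminates or restricts it
    per the app's rule; a restricted session is restored once the device is compliant."""
    if session["state"] == "terminated":
        return session  # a terminated session is never silently revived
    failures = posture_failures(posture)
    action = POLICY[session["app"]]["on_posture_fail"]
    if failures:
        session["state"] = "terminated" if action == "terminate" else "restricted"
    elif session["state"] == "restricted":
        session["state"] = "active"
    session["failures"] = failures
    return session
```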
Digital experience monitoring
Monitoring the path between user and application matters when troubleshooting performance issues across distributed teams.
Zscaler leads here with ZDX (Zscaler Digital Experience), which provides end-to-end visibility across endpoint health, network latency, and application responsiveness. ZDX can pinpoint whether a performance issue lives on the device, the network, or the application itself. It is the most advanced DEM offering in this comparison, but it is a paid add-on that increases total cost.
Cato includes native DEM as part of the platform at no extra charge. It covers similar ground but with less telemetry depth. For most IT teams, Cato’s built-in monitoring provides enough visibility to identify and resolve issues without purchasing a separate tool.
The question is whether your team needs deep diagnostic data across complex environments (Zscaler) or whether built-in visibility with no added cost is enough (Cato).
Management and operations
This is where the architectural difference becomes most visible day to day.
Zscaler’s ZPA and ZIA are managed through separate admin portals. Policies for private app access and internet security are configured independently. For large security teams with specialized roles, that separation can be an advantage. For smaller IT teams managing both functions, it adds overhead.
Cato runs everything through a single management console. ZTNA policies, firewall rules, web filtering, and network configuration all live in the same interface with shared context. Changes propagate globally without syncing across products. Analyst reviews consistently note that Cato’s console is the cleanest in the category for day-to-day ZTNA administration.
Organizations with large, specialized security teams may prefer Zscaler’s depth and separation. Organizations with lean IT teams or a preference for operational simplicity will find Cato easier to manage.
Licensing and total cost of ownership
Zscaler uses modular pricing. Organizations pay per user for ZPA, and can add ZIA, ZDX, and other modules as needed. This gives flexibility to start small, but costs can scale up as capabilities are layered in. Field benchmarks suggest total costs for a mid-size deployment increase meaningfully once DLP, CASB, browser isolation, and ZDX are added.
Cato uses a single-SKU model that bundles ZTNA, security services, and DEM into one license. Site-based pricing applies for branch connectivity. The result is a more predictable cost structure with fewer line items, though the per-user price may appear higher upfront compared to Zscaler’s base ZPA license alone.
When comparing costs, the important number is total cost of ownership across all the capabilities you actually need, not the starting price per user.
Zscaler vs. Cato ZTNA: a quick cheatsheet
The table below summarizes the key differences covered in this comparison. Use it as a quick reference when evaluating both platforms against your environment and requirements.
| | Zscaler | Cato Networks |
|---|---|---|
| Architecture | Modular SSE (ZPA + ZIA as separate products) | Unified SASE (single cloud-native platform) |
| ZTNA model | Per-app microtunnels brokered through Zscaler cloud | Broker-connector model within Cato SASE Cloud |
| Policy engine | Separate policies for ZPA and ZIA | Single policy engine across all security and networking functions |
| Device posture | Deep endpoint compliance with EDR integration, custom scripts, and granular checks | Continuous posture evaluation covering OS, patches, AV, encryption, certificates, and location |
| Agentless access | Browser-based access for unmanaged and BYOD devices | Enterprise Browser extension included under UZTNA license |
| DEM | ZDX provides end-to-end telemetry (paid add-on) | Native DEM included at no additional cost |
| Management console | Separate portals for ZPA and ZIA | Single console for all networking and security functions |
| SD-WAN included | No (Zscaler positions SD-WAN as optional via Zero Trust Branch) | Yes (built into the platform with private global backbone) |
| Licensing model | Modular per-user pricing with add-ons | Single-SKU bundled pricing |
| Gartner SASE MQ (2025) | Visionary | Leader |
How to choose between Zscaler and Cato for ZTNA
Both platforms are capable. The right choice depends less on feature checklists and more on how your organization is structured, what you already have in place, and what you are trying to consolidate. The easiest way to start is by answering these three questions:
1. Are you replacing just VPN, or are you rethinking your entire network and security stack?
If your goal is to retire VPN and add ZTNA without touching the rest of your infrastructure, Zscaler ZPA layers in cleanly. It sits on top of your existing SD-WAN, firewall, and security tools without requiring you to change them. You get ZTNA without a platform migration.
If you are already planning to consolidate SD-WAN, firewall, SWG, CASB, and ZTNA under one roof, Cato eliminates the need to integrate separate products. One deployment replaces multiple tools and vendors at once.
2. How large is the team managing this?
Large security teams with dedicated roles for endpoint, network, and application security often prefer Zscaler’s depth and modularity. Each function gets its own console and policy set, which maps well to specialized workflows.
Lean IT teams that handle networking and security together tend to operate faster on Cato’s single console. One policy engine, one set of logs, one place to troubleshoot. Less context-switching, fewer integration gaps to manage.
3. What does your current vendor landscape look like?
If you are running Cisco, Juniper, or another SD-WAN vendor and plan to keep that investment, Zscaler complements it. ZPA does not require you to rip and replace networking infrastructure.
If you are paying for multiple point products across SD-WAN, firewall, SWG, and remote access, and the operational overhead of managing all of them is the problem you are trying to solve, Cato’s converged model directly addresses that.
There is no wrong answer between these two platforms. The wrong answer is choosing based on a feature comparison alone without mapping the decision to your team, your infrastructure, and the operational model you actually want to run.
Choose the ZTNA platform that matches how your team operates
Zscaler and Cato both solve the core problem: replacing VPN with identity-first, application-level access that blocks lateral movement and reduces your attack surface. Where they differ is in how much of the stack they cover and how much operational complexity they add or remove.
Zscaler ZPA is the stronger fit for organizations that want modular ZTNA layered on top of existing infrastructure, with deep endpoint compliance and advanced digital experience monitoring.
Cato is the stronger fit for organizations that want ZTNA as part of a converged platform where networking, security, and access are managed from one place.
The best way to validate either option is to run a proof of concept in your own environment. Test policy creation, break something on purpose, call support, and see how each platform handles real operational scenarios. That will tell you more than any comparison blog can.
If Cato is on your shortlist, Momentum can help you move faster. Momentum is one of Cato’s most experienced global implementation partners.
Deploy Cato ZTNA with a team that manages it end-to-end. Momentum handles architecture design, policy configuration, rollout, and ongoing operations so your team stays focused on the business.
Book a meeting with a Cato expert today.
FAQs
Is Cato or Zscaler better for replacing a VPN?
Both platforms replace VPNs effectively. The deciding factor is scope. Zscaler ZPA replaces VPN for remote application access without requiring changes to existing network infrastructure. Cato replaces VPN as part of a broader platform migration that also covers SD-WAN, firewall, and web security. If VPN replacement is the only goal, Zscaler layers in faster. If VPN replacement is one piece of a larger consolidation effort, Cato handles more of the problem in a single deployment.
Can Zscaler and Cato ZTNA work with existing SD-WAN?
Zscaler is designed to sit alongside existing SD-WAN infrastructure. ZPA handles application access independently of how the network is built, which makes it compatible with Cisco, Juniper, Fortinet, and other SD-WAN vendors. Cato includes SD-WAN natively as part of its SASE platform, so organizations adopting Cato typically replace their existing SD-WAN rather than layering on top of it. If you plan to keep your current SD-WAN investment, Zscaler is the easier fit. If you are open to replacing it, Cato consolidates both functions.
What is the difference between ZTNA and SASE?
ZTNA is a single capability focused on providing secure, identity-based access to specific applications. SASE is a broader architecture that combines ZTNA with SD-WAN, SWG, CASB, NGFW, and DLP into one cloud-delivered platform. Cato delivers full SASE with ZTNA included. Zscaler delivers SSE, which covers the security components of SASE without the networking layer. Understanding this distinction matters because it determines how much of your stack each vendor actually replaces.
Does Zscaler or Cato have a lower total cost of ownership?
It depends on what you need. Zscaler’s base ZPA license can be cost-effective for organizations that only need ZTNA. But adding ZIA, ZDX, DLP, CASB, and browser isolation increases the total significantly. Cato bundles ZTNA, security services, and DEM into a single SKU, which makes costs more predictable but can appear higher upfront. The only accurate comparison is to price both platforms against the full set of capabilities your environment actually requires, not just the starting per-user rate.
How do Zscaler and Cato handle BYOD and contractor access?
Both platforms offer options for unmanaged devices. Zscaler provides agentless, browser-based access that lets third parties and BYOD users connect to specific applications without installing software. Cato recently launched its Enterprise Browser, which extends the same zero trust policies to unmanaged devices through a browser-native experience. The Cato Enterprise Browser is included under the existing UZTNA license at no additional cost. When evaluating this, check whether the vendor’s BYOD approach uses the same policy engine as managed device access or requires separate configuration.
Where do Zscaler and Cato stand in Gartner’s analyst rankings?
Cato Networks was named a Leader in the 2025 Gartner Magic Quadrant for SASE Platforms for the second consecutive year. Zscaler was positioned as a Visionary in the same report, reflecting its security depth and forward-looking architecture but noting its newer SD-WAN capabilities. In the separate Gartner Magic Quadrant for Security Service Edge, Zscaler holds a Leader position, which reflects its strength in SWG, CASB, and ZTNA as standalone security services. Both vendors are well-regarded. The difference in positioning comes down to how Gartner defines the SASE category versus SSE.
How do Zscaler and Cato handle multi-cloud and hybrid cloud environments?
Both platforms deploy connectors inside each cloud environment or data center where applications live, and both support AWS, Azure, GCP, and on-premises.
Zscaler brokers access through its cloud independently from the network layer. It layers on top of existing cloud networking without requiring changes, which makes it straightforward for multi-cloud environments.
Cato also brokers access through connectors, but routes traffic across its private backbone. Multi-cloud and hybrid traffic gets optimized routing in addition to security policy enforcement, which adds value for latency-sensitive workloads spread across providers.