Cyber Defense Matrix 2.0 · Asset Row · Networks
Networks
Network infrastructure and traffic. The row whose perimeter assumptions changed more than any other in the last decade.
Networks is the original Cyber Defense Matrix row covering network infrastructure and the traffic that flows across it — firewalls, segmentation, DNS, proxies, VPNs, SASE/SSE, NDR, and the underlying fabric of on-prem and cloud connectivity. It is the row whose threat model has shifted most in the last decade: the perimeter is gone, identity is the new fabric, and most traditional network-security spend is now in transition.
What the Networks row covers today
The 2010s-era definition of network security — NGFW plus IPS plus network proxy — still applies but is now a subset. Modern Networks coverage spans SASE/SSE (Netskope, Zscaler, Palo Alto Prisma, Cato, Cloudflare One), ZTNA (zero-trust network access), micro-segmentation (Illumio, Guardicore/Akamai Segmentation, Cisco Secure Workload), DNS security (Cisco Umbrella, Infoblox, DNSFilter, Quad9 for consumer), NDR (ExtraHop, Corelight, Darktrace, Vectra, Stamus), and the NAC/NPS tooling that gates connection.
What used to be a single 'firewall' cell is now a layered set of controls. The matrix simplifies by grouping them under Networks, but a rationalization exercise must look cell-by-cell because the overlap patterns are vendor-specific.
SASE and the consolidation of network security
SASE (Secure Access Service Edge) is reshaping the Networks row. A single cloud-delivered platform (Zscaler, Netskope, Palo Alto Prisma, Cato Networks, Cloudflare One, Microsoft Entra Internet Access) provides SWG, CASB, ZTNA, FWaaS, and DNS security in one service. For organizations with distributed workforces this is a genuine consolidation — and a source of tool overlap during the migration window.
The common anti-pattern: SASE platform purchased and deployed for remote users, but the on-prem firewall, CASB, and SWG from the prior architecture were never retired. Stack audits frequently surface 18-month windows where two SASE equivalents are running concurrently. The rationalization path is sequencing the retirement of legacy controls as SASE usage ramps, not deferring the decision indefinitely.
NDR and where network detection earns its keep
Network Detection and Response (NDR) — ExtraHop, Corelight, Darktrace, Vectra — complements endpoint-focused detection by observing traffic that endpoints cannot see or where endpoint agents cannot be deployed (OT, guest networks, legacy systems, cloud east-west traffic). NDR's value concentrates in two scenarios: lateral movement across segmented boundaries, and telemetry for asset classes where EDR is absent. Organizations with neither condition often buy NDR and under-utilize it.
The honest placement of NDR in the matrix: DETECT × Networks primarily, with secondary coverage on DETECT × Devices for assets without EDR. Programs that already have strong EDR coverage should evaluate whether NDR closes detection gaps that EDR does not, rather than buying NDR as a reflex.
Coverage patterns specific to Networks
In mid-market organizations: PROTECT × Networks and DETECT × Networks are strong but overlapping; the rationalization opportunity is real. In regulated industries (financial services, healthcare) the overlap is often contractually mandated and harder to unwind. In cloud-native organizations the row is lighter — much of what used to be Networks coverage is absorbed by Cloud controls (security groups, service mesh, cloud-native ZTNA).
The common under-investment: DNS security. DNS monitoring catches a surprising fraction of C2 traffic, malware callbacks, and data exfiltration. Cisco Umbrella, DNSFilter, Infoblox BloxOne, or even open-source tooling (Pi-hole for small shops) cover the cell at modest cost. Programs that leave it empty because the firewall 'does DNS' are usually missing the analytics value.
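To make the "analytics value" concrete, here is an added example (not code from the Cyber Defense Matrix or any vendor named above) of the kind of triage a DNS-security cell performs over resolver logs. The log format, client addresses, domain names and thresholds are all constructed for illustration; it flags the three patterns the paragraph mentions: tunnelling/exfiltration (long or high-entropy subdomains, many unique subdomains under one zone), and DGA-style callbacks (NXDOMAIN bursts from one client).

```python
"""Heuristic DNS query-log triage for tunnelling, exfiltration and DGA-style callbacks.
Added example with a constructed log format; thresholds are illustrative and
would be tuned against a real resolver's baseline."""
import math
import re
from collections import defaultdict

# Constructed log line format (not any vendor's format):
#   <timestamp> client=<ip> query=<qname> type=<rrtype> rcode=<rcode>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) "
    r"type=(?P<rtype>\S+) rcode=(?P<rcode>\S+)$"
)

# Illustrative thresholds (assumptions, not values from the page).
MAX_LABEL_LEN = 40        # a single label longer than this is suspicious
MAX_QNAME_LEN = 100       # a whole name longer than this is suspicious
ENTROPY_THRESHOLD = 3.5   # Shannon entropy (bits/char) of the subdomain part
UNIQUE_SUBDOMAIN_MIN = 5  # distinct subdomains under one zone from one client
NXDOMAIN_MIN_QUERIES = 5  # minimum queries before the NXDOMAIN ratio counts
NXDOMAIN_RATIO = 0.5

# Constructed sample: one normal client, one tunnelling client, one DGA-style client.
SAMPLE_LOG = """
2024-05-01T10:00:01Z client=10.0.0.5 query=www.example.com type=A rcode=NOERROR
2024-05-01T10:00:02Z client=10.0.0.5 query=mail.example.com type=A rcode=NOERROR
2024-05-01T10:00:03Z client=10.0.0.5 query=cdn.assets.example.com type=A rcode=NOERROR
2024-05-01T10:00:04Z client=10.0.0.5 query=www.example.com type=AAAA rcode=NOERROR
2024-05-01T10:00:05Z client=10.0.0.5 query=login.example.org type=A rcode=NOERROR
2024-05-01T10:00:06Z client=10.0.0.9 query=abcdefghijklmnopqrstuvwxyz234567.tunnel-example.net type=TXT rcode=NOERROR
2024-05-01T10:00:07Z client=10.0.0.9 query=bcdefghijklmnopqrstuvwxyz234567a.tunnel-example.net type=TXT rcode=NOERROR
2024-05-01T10:00:08Z client=10.0.0.9 query=cdefghijklmnopqrstuvwxyz234567ab.tunnel-example.net type=TXT rcode=NOERROR
2024-05-01T10:00:09Z client=10.0.0.9 query=defghijklmnopqrstuvwxyz234567abc.tunnel-example.net type=TXT rcode=NOERROR
2024-05-01T10:00:10Z client=10.0.0.9 query=efghijklmnopqrstuvwxyz234567abcd.tunnel-example.net type=TXT rcode=NOERROR
2024-05-01T10:00:11Z client=10.0.0.9 query=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.tunnel-example.net type=TXT rcode=NOERROR
2024-05-01T10:00:12Z client=10.0.0.7 query=qwzxvbn.com type=A rcode=NXDOMAIN
2024-05-01T10:00:13Z client=10.0.0.7 query=plmkjh.net type=A rcode=NXDOMAIN
2024-05-01T10:00:14Z client=10.0.0.7 query=zxcvbq.org type=A rcode=NXDOMAIN
2024-05-01T10:00:15Z client=10.0.0.7 query=tyuiop.info type=A rcode=NXDOMAIN
2024-05-01T10:00:16Z client=10.0.0.7 query=www.example.com type=A rcode=NOERROR
2024-05-01T10:00:17Z client=10.0.0.7 query=www.example.org type=A rcode=NOERROR
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encodings score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_zone(qname):
    """Return (subdomain, zone) with zone = last two labels.
    Simplification: a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def analyze(records):
    """Return a list of (finding_kind, client, detail) tuples."""
    findings = []
    subdomains_seen = defaultdict(set)          # (client, zone) -> subdomains
    rcode_counts = defaultdict(lambda: [0, 0])  # client -> [total, nxdomain]
    for r in records:
        sub, zone = split_zone(r["qname"])
        labels = r["qname"].rstrip(".").split(".")
        if max(len(lab) for lab in labels) > MAX_LABEL_LEN or len(r["qname"]) > MAX_QNAME_LEN:
            findings.append(("long_name", r["client"], r["qname"]))
        if sub and shannon_entropy(sub.replace(".", "")) > ENTROPY_THRESHOLD:
            findings.append(("high_entropy_subdomain", r["client"], r["qname"]))
        subdomains_seen[(r["client"], zone)].add(sub)
        rc = rcode_counts[r["client"]]
        rc[0] += 1
        if r["rcode"] == "NXDOMAIN":
            rc[1] += 1
    for (client, zone), subs in subdomains_seen.items():
        if len(subs) >= UNIQUE_SUBDOMAIN_MIN:
            findings.append(("many_unique_subdomains", client, zone))
    for client, (total, nx) in rcode_counts.items():
        if total >= NXDOMAIN_MIN_QUERIES and nx / total >= NXDOMAIN_RATIO:
            findings.append(("nxdomain_burst", client, f"{nx}/{total}"))
    return findings


if __name__ == "__main__":
    for kind, client, detail in analyze(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} {client:10} {detail}")
```

The per-client aggregation is the part a firewall that merely "does DNS" does not give you: a single long TXT query is noise, but five high-entropy subdomains under one zone from one host, or a majority of NXDOMAIN responses, is the signal the DNS cell exists to surface. In production the entropy and count thresholds come from a baseline of the resolver's own traffic rather than the constants above.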
Frequently asked
Is the cloud VPC security group a Networks control or a Cloud control?
Both — but operationally in Cloud. Security groups are Networks controls by function (they gate traffic flow) but are configured and monitored through cloud-native tooling that belongs on the Cloud row. Most programs treat them as Cloud for ownership purposes and cross-reference Networks.
Does SSE replace CASB?
SSE (the cloud-security portion of SASE) incorporates CASB functionality, so in most modern architectures yes. Standalone CASB (Netskope, Zscaler, McAfee/Skyhigh pre-acquisition) is being absorbed into SSE platforms from the same vendors. A dedicated standalone CASB is still justified for organizations with complex SaaS-specific requirements not covered by their SSE platform.
How much segmentation is enough?
Enough that a single compromised workload cannot reach the crown-jewel systems on its own. In practice: production separated from corporate, crown jewels separated from general production, dev/test separated from production. Micro-segmentation (workload-to-workload) is valuable in the crown-jewel tier and overkill in general corporate environments.
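The tiering above (corporate, dev/test, general production, crown jewels) can be turned into a policy that a firewall or micro-segmentation ruleset is checked against before it ships. The following is an added example, not code from the Cyber Defense Matrix: zone names, CIDRs and the candidate rules are constructed, and the "bastion" tier as the only sanctioned path into production and the crown-jewel tier is an assumption for the example. It reports rules that cross a tier boundary the policy does not allow, and answers the paragraph's question directly by computing, for each zone, whether the crown-jewel tier is reachable in one hop ("direct") or only through a chain of hops ("transitive").

```python
"""Check a candidate allow-ruleset against a zone-tiering policy.
Added example; zones, CIDRs, the bastion tier and the rules are constructed."""
import ipaddress
from collections import defaultdict, deque

# Constructed zone map (assumption: one CIDR per zone for brevity).
ZONES = {
    "corp": ipaddress.ip_network("10.10.0.0/16"),
    "dev": ipaddress.ip_network("10.20.0.0/16"),
    "prod": ipaddress.ip_network("10.30.0.0/16"),
    "crown": ipaddress.ip_network("10.40.0.0/24"),
    "bastion": ipaddress.ip_network("10.50.0.0/24"),
}

# Policy derived from the tiering in the text: corp, dev/test and prod are kept
# apart, and crown jewels are reached only from the bastion tier (an assumption).
# Intra-zone flows are implicitly allowed; everything else is denied.
ALLOWED_FLOWS = {("corp", "bastion"), ("bastion", "prod"), ("bastion", "crown")}

# Constructed candidate ruleset (allow rules only; deny-by-default is assumed).
RULES = [
    {"src": "10.10.0.0/16", "dst": "10.50.0.0/24", "port": 22},    # corp -> bastion
    {"src": "10.50.0.0/24", "dst": "10.30.0.0/16", "port": 443},   # bastion -> prod
    {"src": "10.50.0.0/24", "dst": "10.40.0.0/24", "port": 5432},  # bastion -> crown
    {"src": "10.10.0.0/16", "dst": "10.30.0.0/16", "port": 443},   # corp -> prod
    {"src": "10.20.0.0/16", "dst": "10.30.0.0/16", "port": 8080},  # dev -> prod
    {"src": "10.30.0.0/16", "dst": "10.40.0.0/24", "port": 5432},  # prod -> crown
    {"src": "10.30.1.0/24", "dst": "10.30.2.0/24", "port": 9200},  # prod -> prod
]


def zone_of(addr):
    """Map a host or CIDR to the zone that contains it, else 'unknown'."""
    net = ipaddress.ip_network(addr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def check_rules(rules):
    """Return (rule_index, src_zone, dst_zone) for every cross-zone rule
    the policy does not allow."""
    violations = []
    for i, r in enumerate(rules):
        s, d = zone_of(r["src"]), zone_of(r["dst"])
        if s != d and (s, d) not in ALLOWED_FLOWS:
            violations.append((i, s, d))
    return violations


def zone_graph(rules):
    """Directed zone-to-zone edges implied by the allow rules."""
    edges = defaultdict(set)
    for r in rules:
        s, d = zone_of(r["src"]), zone_of(r["dst"])
        if s != d:
            edges[s].add(d)
    return edges


def crown_exposure(rules, target="crown"):
    """For each zone: 'direct' if one rule reaches the target, 'transitive' if
    only a chain of hops does, 'none' otherwise."""
    edges = zone_graph(rules)
    result = {}
    for zone in ZONES:
        if zone == target:
            continue
        if target in edges[zone]:
            result[zone] = "direct"
            continue
        seen, queue, found = {zone}, deque([zone]), False
        while queue and not found:
            cur = queue.popleft()
            for nxt in edges[cur]:
                if nxt == target:
                    found = True
                    break
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result[zone] = "transitive" if found else "none"
    return result


def drop_violations(rules):
    """Return the ruleset with every policy-violating rule removed."""
    bad = {i for i, _, _ in check_rules(rules)}
    return [r for i, r in enumerate(rules) if i not in bad]


if __name__ == "__main__":
    for i, s, d in check_rules(RULES):
        print(f"rule {i}: {s} -> {d} not allowed by policy")
    print("before:", crown_exposure(RULES))
    print("after: ", crown_exposure(drop_violations(RULES)))
```

The "direct" result is the one the paragraph's test cares about: a compromised workload in general production reaching the crown-jewel tier in one hop. The "transitive" result is what micro-segmentation in the crown-jewel tier is meant to shrink, since it shows which chains of ordinary allow rules add up to a path that no single rule was ever reviewed as creating.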
Is VPN still a defensible control?
For maintenance and break-glass yes. For routine remote-user access, ZTNA has largely won — it handles the same use cases with better device posture checks, finer-grained access, and better telemetry. Organizations still centering remote access on traditional VPN should be on a migration plan.