With Cisco Secure Access–DNS Defense, you gain a robust layer of protection in minutes that rapidly evaluates DNS requests—blocking access to malicious domains, DNS exfiltration, and threats—before they reach your network and endpoints.
Cisco Secure Access is a cloud-delivered SSE solution, grounded in zero trust, that provides seamless, transparent, and secure access from anything (users or things) accessing applications and resources anywhere. It provides all core SSE components (ZTNA, SWG, CASB, and FWaaS) plus extended capabilities including VPN-as-a-Service (VPNaaS), DLP, AI Assistant, generative AI controls, reserved IP, RBI, and much more—in one license and management platform.

| | Umbrella | | | | Secure Access | | | | | |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | DNS | | SIG | | DNS Defense EDU packages; same functionality as DNS Defense | | Secure Internet Access (SIA) | | Secure Private Access (SPA) | |
| | Essentials | Advantage | Essentials | Advantage | Essentials | Advantage | Essentials | Advantage | Essentials | Advantage |
| **Security, Access, and Control** | | | | | | | | | | |
| **Recursive DNS-Layer Security** | | | | | | | | | | |
| Block access to domains with malware, phishing, and other threats | ● | ● | ● | ● | ● | ● | ● | ● | | |
| Application discovery, monitoring, blocking, and risk scoring | ● | ● | ● | ● | ● | ● | ● | ● | | |
| Filtering by domain or category | ● | ● | ● | ● | ● | ● | ● | ● | | |
| **Application and Network Access** | | | | | | | | | | |
| All ports and protocols, leveraging VPN module or ZTNA module | | | | | SPA Ess trial | SPA Adv trial | ● | ● | ● | ● |
| Clientless ZTNA (HTTP / HTTPS) | | | | | SPA Ess trial | SPA Adv trial | SPA Ess trial | SPA Adv trial | ● | ● |
| Clientless ZTNA (SSH, RDP) | | | | | | SPA Adv trial | | SPA Adv trial | | ● |
| SD-WAN tunnel automation; support of 3rd party SD-WAN | | | ● | ● | SPA Ess trial | SPA Adv trial | ● | ● | ● | ● |
| Use VPN-ID or ISE SGT for granular security policy (well suited for IoT) | | | | | SPA Ess trial | SPA Adv trial | ● | ● | ● | ● |
| Hybrid Private Access - policy enforcement in cloud and/or on-premise | | | | | | | SPA Ess trial | SPA Adv trial | ● | ● |
| **Monitoring** | | | | | | | | | | |
| Experience Insights (DEM) of endpoint and SaaS performance (ThousandEyes based) | | | | | | | ● | ● | ● | ● |
| Policy verification, reactive and proactive | | | | | SPA Ess trial | SPA Adv trial | SPA Ess trial | SPA Adv trial | ● | ● |
| **Posture capabilities** | | | | | | | | | | |
| Posture checks | | | | | SPA Ess trial | SPA Adv trial | ● | ● | ● | ● |
| **Secure Web Gateway (SWG)** | | | | | | | | | | |
| Custom block/allow lists of domains | ● | ● | ● | ● | ● | ● | ● | ● | | |
| Custom block/allow lists of URLs | | Partial | ● | ● | | Partial | ● | ● | | |
| Proxy and inspect web traffic | | Partial | ● | ● | | Partial | ● | ● | | |
| Secure Malware Analytics (sandbox/block suspicious files, <500 samples/day) | | | ● | ● | | | ● | ● | ● | ● |
| Secure Malware Analytics (manual file submits, glove box, SMA console, unlimited samples/day) | | | Add-on | ● | | | Add-on | ● | Add-on | ● |
| **Roaming Security and Client Support** | | | | | | | | | | |
| Roaming user protection for DNS & web traffic (via SWG) with Cisco Secure Client (* = DNS traffic only) | ●* | ●* | ● | ● | ●* | ●* | ● | ● | | |
| Roaming user protection of traffic over all ports and protocols (via FWaaS/tunnel), supporting Windows, macOS, iOS, Android, ChromeOS, Linux | | | | | | | ● | ● | | |
| Roaming access to private apps via mobile device support for Apple and Android | | | | | SPA Ess trial | SPA Adv trial | SPA Ess trial | SPA Adv trial | ● | ● |
| **Cloud Access Security Broker (CASB)** | | | | | | | | | | |
| User and Entity Behavior Analytics (UEBA) | | | | | | | ● | ● | | |
| Advanced visibility and control of cloud app usage (including gen AI, OAuth-approved apps, tenant controls) | Limited | Limited | ● | ● | Limited | Limited | ● | ● | | |
| Scan and remove malware from cloud-based file storage apps | | | ● up to 2 | ● | | ● | ● up to 2 | ● | | |
| SaaS Security Posture Management (SSPM) + advanced capability via partnership with AppOmni | ● | ● | ● | ● | ● | ● | ● | ● | | |
| **Data Loss Prevention (DLP) including protection of AI usage** | | | | | | | | | | |
| DLP - Data inspection/blocking to protect against sensitive data loss. Real time, SaaS API, endpoint, and email (requires Email Threat Defense) | | | Add-on (Real time / SaaS API only) | ● (Real time / SaaS API only) | | ● SaaS API | Add-on | ● | Add-on | ● |
| AI Access guardrails control use of supported third-party gen AI apps | | | | | | | Add-on | ● | | |
| Supply Chain Risk Management - Identify/block malicious code from AI repositories, e.g. Hugging Face | | | | | | | ● | ● | | |
| **Firewall as a Service (FWaaS)** | | | | | | | | | | |
| Layer 3 and 4 control of IPs, ports, and protocols | | | ● | ● | | | ● | ● | | |
| Firewall layer 7 / IPS | | | Add-on | ● No IPS decryption | | | Add-on | ● | Add-on | ● |
| **Remote Browser Isolation (RBI)** | | | | | | | | | | |
| RBI: Isolated browsing (Advanced for Secure Access; All for Umbrella) | | | Add-on | Add-on | | | Add-on | ● | | |
| RBI: Isolated browsing (Risky) | | | Add-on | Add-on | | | Add-on | | | |
| **Enterprise Browser** | | | | | | | | | | |
| Integration with Enterprise Chrome browser for more secure clientless access to private apps | | | | | SPA Ess trial | SPA Adv trial | SPA Ess trial | SPA Adv trial | ● | ● |
| **Identity (CII) and threat intelligence integrations** | | | | | | | | | | |
| Identity behavioral risk levels visible in Secure Access | | | | | | | ● | ● | ● | ● |
| Use trust level in policy for ZTA private traffic | | | | | | | | | ● | ● |
| Duo Identity for Cisco Apps (limited use Duo licenses entitlement) | | | | | ● | ● | ● | ● | ● | ● |
| Deep domain, IP, and Autonomous System Number (ASN) data for rapid investigations | | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| **SIEM and XDR Interoperability** | | | | | | | | | | |
| Investigate console for additional users (1 user is entitled, except Umbrella DNS Essentials) | Add-on | Add-on | Add-on | Add-on | Add-on | Add-on | Add-on | Add-on | Add-on | Add-on |
| Integrations with multiple tools, including Cisco Splunk and XDR | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| **Management, Reporting, and Support** | | | | | | | | | | |
| **Security Cloud Control (SCC) unified management interface** | | | | | | | | | | |
| Integrated dashboard for cross-Cisco security product management (e.g. Secure Access, ISE, AI Defense, SD-WAN, and more) | | | | | ● | ● | ● | ● | ● | ● |
| **Management** | | | | | | | | | | |
| MultiOrg support (for enterprises) | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Single management interface | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Customize block page and warn pages (# = customized block pages only) | ●# | ●# | ● | ● | ●# | ●# | ● | ● | ● | ● |
| **Reporting and Logging** | | | | | | | | | | |
| Real-time activity search, plus API to extract key events | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Choose North America or Europe log storage | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Cisco-managed S3 buckets or customer AWS S3 buckets | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| **Support** | | | | | | | | | | |
| 24x7 Enhanced Software Support Service via email and phone (Premium upgrade available) | Add-on | Add-on | Add-on | Add-on | Required | Required | Required | Required | Required | Required |

Notes:
Features marked as trial are not part of the licensed subscription package. You may use such unlicensed trial features until Cisco either requires you to upgrade to the appropriate subscription package or, at its sole discretion, terminates your access or usage, with or without notice. For more information regarding the limitations of your trial use, please refer to the Secure Access Offer Description.
Certain Secure Access packages may not include Data Loss Prevention (DLP), layer 7 firewall, Remote Browser Isolation (RBI), Experience Insights (DEM based on ThousandEyes), and other features. Check with your Cisco representative.