From DNS-layer security to full SSE, Cisco has you covered.
● With Cisco Secure Access–DNS Defense, you gain a robust layer of protection in minutes that rapidly evaluates DNS requests—blocking access to malicious domains, DNS exfiltration, and threats—before they reach your network and endpoints.
● Cisco Secure Access is a cloud-delivered SSE solution, grounded in zero trust, that provides seamless, transparent, and secure access from anything (users or things) accessing applications and resources anywhere. It provides all core SSE components (ZTNA, SWG, CASB, and FWaaS) plus extended capabilities including VPN-as-a-Service (VPNaaS), DLP, AI Assistant, generative AI controls, reserved IP, RBI, and much more—in one license and management platform.
| Feature | Umbrella DNS Essentials | Umbrella DNS Advantage | Umbrella SIG Essentials | Umbrella SIG Advantage | Secure Access DNS Defense Essentials | Secure Access DNS Defense Advantage | Secure Access Secure Internet Access (SIA) Essentials | Secure Access Secure Internet Access (SIA) Advantage | Secure Access Secure Private Access (SPA) Essentials | Secure Access Secure Private Access (SPA) Advantage |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Security, Access, and Control | | | | | | | | | | |
| Recursive DNS-Layer Security | | | | | | | | | | |
| Block access to domains with malware, phishing, and other threats | ● | ● | ● | ● | ● | ● | ● | ● | | |
| Application discovery, monitoring, blocking, and risk scoring | ● | ● | ● | ● | ● | ● | ● | ● | | |
| Filtering by domain or category | ● | ● | ● | ● | ● | ● | ● | ● | | |
| Application and Network Access | | | | | | | | | | |
| All ports and protocols, leveraging VPN module or ZTNA module | | | | | SPA Ess trial | SPA Adv trial | ● | ● | ● | ● |
| Clientless ZTNA (HTTP / HTTPS) | | | | | SPA Ess trial | SPA Adv trial | | | ● | ● |
| Clientless ZTNA (SSH, RDP) | | | | | | SPA Adv trial | | | | ● |
| SD-WAN integration and 3rd party support | | | ● | ● | SPA Ess trial | SPA Adv trial | ● | ● | ● | ● |
| Use VPN-ID or ISE SGT for granular security policy (well suited for IOT) | | | | | SPA Ess trial | SPA Adv trial | ● | ● | ● | ● |
| Hybrid Private Access - policy enforcement in cloud and/or on-premise | | | | | | | | | ● | ● |
| Monitoring | | | | | | | | | | |
| Experience Insights (DEM) of endpoint and SaaS performance (ThousandEyes based) | | | | | | | ● | ● | ● | ● |
| Policy verification, reactive and proactive | | | | | | | | | ● | ● |
| Secure Web Gateway (SWG) | | | | | | | | | | |
| Custom block/allow lists of domains | ● | ● | ● | ● | ● | ● | ● | ● | | |
| Custom block/allow lists of URLs | | Partial | ● | ● | | Partial | ● | ● | | |
| Proxy and inspect web traffic | | Partial | ● | ● | | Partial | ● | ● | | |
| Secure Malware Analytics (sandbox/block suspicious files) | | | 500 samples/day | ● | SPA Ess trial | SPA Adv trial | 500 samples/day | ● | 500 samples/day | ● |
| Secure Malware Analytics - manual file submission, full glove box and full SMA console access | | | | ● | | SPA Adv trial | | ● | | ● |
| Roaming Security and Client Support | | | | | | | | | | |
| Roaming user protection for DNS & web traffic (via SWG) with Cisco Secure Client (* = DNS traffic only) | ●* | ●* | ● | ● | ●* | ●* | ● | ● | | |
| Roaming user protection of traffic over all ports and protocols (via FWaaS/tunnel), supporting Windows, MacOS, iOS, Android, ChromeOS, Linux | | | | | | | ● | ● | | |
| Roaming access to private apps via mobile device support for Apple and Android | | | | | SPA Ess trial | SPA Adv trial | | | ● | ● |
| Cloud Access Security Broker (CASB) | | | | | | | | | | |
| Advanced visibility and control of cloud app usage (including gen AI, OAuth-approved apps, tenant controls) | Limited | Limited | ● | ● | Limited | Limited | ● | ● | | |
| Scan and remove malware from cloud-based file storage apps | | | ● up to 2 | ● | | ● | ● up to 2 | ● | | |
| SaaS security posture management (SSPM) + Advanced capability via partnership with AppOmni (+ = partnership) | ●+ | ●+ | ●+ | ●+ | ●+ | ●+ | ●+ | ●+ | | |
| Data Loss Prevention (DLP) | | | | | | | | | | |
| Integrated inline/SaaS API (cloud) data inspection and blocking to protect against sensitive data loss | | | Add-on | ● | | ● SaaS API (cloud) | | ● | | ● |
| AI Access guardrails control use of supported third-party gen AI apps | | | | | | | | ● | | |
| Supply Chain Risk Management - Identify/block malicious code from AI repositories i.e. Hugging Face | | | | | | | ● | ● | | |
| Firewall as a Service (FWaaS) | | | | | | | | | | |
| Layer 3 and 4 control of IPs, ports, and protocols | | | ● | ● | | | ● | ● | | |
| Layer 7 control | | | Add-on | ● | | | | ● | | |
| Intrusion Prevention System (IPS) with decryption | | | | Limited, no decryption | | | | ● | | ● |
| Remote Browser Isolation (RBI) | | | | | | | | | | |
| Isolated browsing (virtual air-gap) enables safe use of known/potentially risky sites | | | Add-on | Add-on | | | Risky sites only | ● | | |
| Enterprise Browser | | | | | | | | | | |
| Integration with Enterprise Chrome browser for more secure clientless access to private apps | | | | | SPA Ess trial | SPA Adv trial | | | ● | ● |
| Identity and Threat Intelligence | | | | | | | | | | |
| Identity behavioral risk levels visible in Secure Access | | | | | | | ● | ● | ● | ● |
| Continuously updated threat intelligence from Cisco Talos | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Deep domain, IP, and Autonomous System Number (ASN) data for rapid investigations (via Investigate API) | | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| SIEM and XDR Interoperability | | | | | | | | | | |
| Integrations with multiple tools, including Cisco Splunk and XDR | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Management, Reporting, and Support | | | | | | | | | | |
| Management | | | | | | | | | | |
| Single management interface | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Customize block page and warn page options | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Reporting and Logging | | | | | | | | | | |
| Real-time activity search, plus API to extract key events | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Choose North America or Europe log storage | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Cisco-managed S3 buckets or customer AWS S3 buckets | ● | ● | ● | ● | ● | ● | ● | ● | ● | ● |
| Support | | | | | | | | | | |
| 24x7 Enhanced Software Support Service via email and phone (Premium upgrade available) | Add-on | Add-on | Add-on | Add-on | Required | Required | Required | Required | Required | Required |

● Features marked as trial are not part of the licensed subscription package. You may use such unlicensed trial features until the end of the subscription package you have purchased. Cisco reserves the right to terminate access and/or usage rights to unlicensed features at any time with or without notice.
● Certain Secure Access packages may not include Data Loss Prevention (DLP), layer 7 firewall, Remote Browser Isolation (RBI), Experience Insights (DEM based on ThousandEyes), and other features. Check with your Cisco representative.