Managed SASE: how outsourcing works and when it is the smart choice
Implementing SASE is one decision. Operating SASE day in, day out, is another. The platform reduces operational complexity dramatically compared to a portfolio approach, but it does not eliminate operations. Policies need refinement, incidents need response, audits need evidence. Someone has to do that work.
Managed SASE is the model where a specialised partner does that work for you. Not as a black-box outsourcing arrangement, but as a co-managed or fully managed service that fits the operating model your organisation actually wants.
This article explains the three managed SASE operating models, the scenarios where each makes sense, what a 24/7 NOC delivers in practice and how Momentum EMEA delivers managed SASE as the single-source partner for both underlay and overlay. For broader context, see our SASE guide for international organisations.
What you will learn in this article
- What managed SASE means and how it differs from traditional managed services.
- The three operating models: self-managed, co-managed and fully managed.
- When managed SASE is the smart choice: three concrete scenarios.
- What a 24/7 NOC team delivers for your organisation in practice.
- The Momentum EMEA approach: single-source underlay and overlay.
What is managed SASE precisely?
Managed SASE is not the same as outsourcing your security. It is a service model where a specialised partner operates the SASE platform on your behalf, with operational responsibilities defined by SLA and policy ownership remaining clear.
The work the managed partner does varies by tier: 24/7 monitoring at minimum, proactive policy refinement and incident response at higher tiers. What stays with the customer: business policy decisions, compliance ownership, executive accountability. The partner runs the platform; the customer governs the policies.
The distinction matters because traditional outsourcing implied loss of control. Managed SASE explicitly preserves control where it should sit (with the business) while shifting operational toil where it can be done more efficiently (with the specialist).
The three operating models: self-managed, co-managed and fully managed
Self-managed. The customer operates the Cato platform end to end with the implementation partner providing initial training and on-demand support. Suitable for organisations with mature internal security and network operations teams and the bandwidth to take on additional platform responsibility.
Co-managed. The customer and the managed partner split responsibilities. Typical split: customer owns policy authoring and approvals, partner handles platform operations, monitoring and tier 2/3 incident response. Suitable for organisations with internal security expertise but constrained operational bandwidth.
Fully managed. The partner operates the platform end to end, with the customer providing business inputs (acceptable use, application criticality, compliance constraints) and approving exceptional policy changes. Suitable for organisations that want a defined SLA outcome without internal operational overhead.
Most mid-market customers start in co-managed and either stay there or migrate to fully managed as the relationship matures. Pure self-managed is more common for larger enterprises with dedicated security operations centres.
"The honest conversation about managed SASE is not about whether your team can operate the platform. They can; Cato is genuinely easier to operate than a portfolio. The conversation is about whether operating SASE is the best use of your most experienced engineers' time. For most organisations, the answer is no. They want their senior people on application security, threat hunting and strategic projects, not on platform care."
Momentum EMEA, EMEA's leading Cato Networks implementation partner
When is managed SASE the smart choice? Three scenarios
Scenario 1: limited internal SOC capacity. The organisation has security expertise but not at SOC depth. Operating SASE platform alerts, tuning policies and responding to incidents requires sustained attention that the existing team cannot provide without trading off other priorities. Managed SASE fills the gap without expanding headcount.
Scenario 2: 24/7 detection and response requirement. Some industries (financial services, healthcare, regulated infrastructure) face genuine 24/7 threats. Building an internal 24/7 NOC is a significant investment; co-locating with a specialist partner is faster and often more cost-effective.
Scenario 3: compliance posture requires demonstrable operations. NIS2, ISO 27001 and similar frameworks expect operational evidence: monitored events, documented responses, refined policies. Managed SASE produces that evidence as a service deliverable. We unpack this in our article on NIS2 compliance with one platform.
What does a 24/7 NOC team do for your organisation?
The day-to-day work of a managed SASE NOC has more depth than the brochure typically suggests. Key activities include the following.
Proactive monitoring: not just watching alerts but watching baselines. Engineers identify anomalies before they cross alert thresholds. Latency creeping up at one site is a NOC observation before it becomes a user complaint.
Incident response: tier 1 triage on incoming alerts, tier 2 investigation with platform tools, tier 3 deep analysis and resolution. Business decisions are escalated to the customer; the NOC executes remediation where authorised.
Policy refinement: quarterly reviews of policies against actual usage. Tightening where excess privilege exists, loosening where false positives create friction, adjusting as new applications and users come into scope.
Capacity planning: bandwidth consumption trends, site growth, module utilisation. The NOC flags capacity issues before they constrain operations.
The Momentum EMEA approach: underlay and overlay from one contract
Many managed SASE providers operate only the overlay (the Cato platform itself). The underlay, the actual internet connectivity at each site, is a separate contract with separate carriers, separate SLAs and separate accountability.
Momentum EMEA is unique in EMEA as the partner that delivers both: carrier-neutral underlay connectivity for all your sites and the Cato SASE overlay, from one contract, one SLA, one accountable team. When something is wrong, there is no finger-pointing between connectivity provider and security platform provider. One party owns the outcome.
The practical advantage in managed operations is incident triage. A user reporting slow access could be a security policy issue, a Cato platform issue, an internet connectivity issue or an application issue. Single-source ownership means the NOC investigates across the stack without inter-vendor escalation friction.
NIS2 and managed SASE: compliance as part of the service
For organisations in NIS2 scope, managed SASE produces the operational evidence supervisors expect. Quarterly compliance posture reviews are part of the standard service deliverable. Incident response aligns with the 24-hour and 72-hour NIS2 reporting deadlines. The managed partner contributes to preparing the incident notification, while the customer retains the official reporting responsibility.
This is what we mean when we say compliance becomes part of the service rather than a separate workstream.
Financial logic: cost versus risk
Managed SASE pricing is typically a percentage uplift on the Cato platform licence, with tier-based pricing. The financial question is not whether managed costs more than self-managed (it does, on direct invoice), but whether the alternative (internal headcount or unmanaged risk) costs more.
The realistic comparison includes the cost of building a comparable internal 24/7 NOC (typically three to five FTE for a mid-market operation), the cost of not having one (delayed incident response, audit findings) and the opportunity cost of senior engineers spending their time on platform care instead of strategic projects.
For most mid-market organisations, managed SASE comes out ahead on TCO and significantly ahead on operational maturity.
Frequently asked questions about managed SASE
What is managed SASE in short?
Managed SASE is a service model where a specialised partner operates the SASE platform on behalf of the customer, with operational responsibilities defined by SLA. Business policy ownership and compliance accountability remain with the customer; platform operations move to the partner.
What is the difference between self-managed, co-managed and fully managed?
Self-managed: customer operates end to end with implementation support. Co-managed: customer owns policy authoring, partner handles operations and incident response. Fully managed: partner operates end to end with customer providing business inputs.
When does managed SASE make sense?
Three scenarios: limited internal SOC capacity, genuine 24/7 detection and response requirement, or compliance posture requiring demonstrable operations. Most mid-market organisations fit at least one of these.
What does the 24/7 NOC actually do?
Proactive monitoring (baseline anomaly detection), tiered incident response, quarterly policy refinement and capacity planning. The work is more substantial than reactive alert watching; it is sustained operational care of the platform.
How does managed SASE help with NIS2 compliance?
Quarterly compliance posture reviews are standard service deliverables. Incident response aligns with the 24-hour and 72-hour NIS2 reporting deadlines. The managed partner produces the operational evidence supervisors expect.
What is unique about the Momentum EMEA managed SASE proposition?
Momentum EMEA is unique in EMEA as the partner delivering both underlay (carrier-neutral internet connectivity for all sites) and overlay (Cato SASE) from one contract, one SLA, one accountable team. Single-source ownership eliminates inter-vendor finger-pointing during incident triage.