This SASE glossary defines the major terms used in Secure Access Service Edge architectures, from core components such as SWG and ZTNA to the underlying protocols such as IPsec and QUIC. Each entry is written for practitioners who need a precise technical definition rather than marketing language, and notes where the term affects security enforcement in practice. Terms are organized alphabetically for quick reference.
A-B
BeyondCorp
Google's internal implementation of zero trust architecture, documented in a series of papers published between 2014 and 2018. BeyondCorp retired Google's corporate VPN by moving access control from the network perimeter to per-request verification of device state and user identity. It is the most cited real-world proof that zero trust works at scale and directly influenced the design of commercial ZTNA products.

BGP (Border Gateway Protocol)
The routing protocol that exchanges reachability information between autonomous systems and thereby determines how packets are routed across the internet. BGP is relevant to SASE because SD-WAN overlays run on top of BGP-routed underlay networks, and SASE PoPs peer with ISPs and cloud providers over BGP. BGP hijacks and route leaks can pull traffic away from SASE inspection points or onto a path an attacker controls, so monitoring BGP announcements for the prefixes that carry tunnels to the PoPs is part of comprehensive SASE security.

C
CASB (Cloud Access Security Broker)
A security service that sits between enterprise users and cloud applications to enforce data protection, threat prevention, and compliance policies. CASB operates in two modes: inline, as a forward or reverse proxy that controls traffic in real time, and API (out-of-band), which scans data already at rest in SaaS tenants. Inline mode sees only traffic that is steered through it; API mode sees every object in the tenant regardless of how it arrived, including uploads from unmanaged devices, but can only act after the fact. In SASE architectures, inline CASB is integrated into the SWG inspection pipeline and API CASB connects directly to the SaaS providers' APIs.

Certificate Pinning
A technique where an application hardcodes (pins) the expected TLS certificate or public key for a specific server and rejects any other certificate, even one signed by a trusted CA. Pinned applications break under SWG TLS inspection because the SWG presents a certificate it issued from its own CA, which does not match the pinned value, so the application refuses the connection. These applications must be added to the SWG's TLS inspection bypass list. Bypassed traffic is uninspected, so the list should contain specific hostnames rather than whole domains and be reviewed regularly.

D
Dark Cloud
An architectural pattern used in ZTNA where protected applications have no inbound ports open to the internet. ZTNA connectors inside the network initiate outbound-only tunnels to the ZTNA broker; users connect to the broker, never directly to the application. Port scanners, vulnerability scanners, and volumetric DDoS attacks have nothing to target because the application has no internet-reachable listener. The broker itself remains internet-facing, and a connector host is still reachable from inside the network, so both must be hardened.

Data Exfiltration
The unauthorized transfer of data from an organization's control to an external destination. Exfiltration can occur through web uploads, email attachments, SaaS file sharing, USB devices, DNS tunneling, steganography, or prompts submitted to AI assistants. DLP is the primary SASE control for detecting and preventing exfiltration, operating across the SWG, CASB, FWaaS, and ZTNA inspection points; paths that never transit a PoP (USB, an unmanaged device) need endpoint or CASB API controls instead.

DEM (Digital Experience Monitoring)
A SASE component that measures end-to-end performance between users and applications, decomposing the path into measurable segments: endpoint, local network, ISP, SASE PoP, and application. DEM combines synthetic testing (automated probes) with real user monitoring (passive measurement of actual sessions) to detect performance degradation and isolate the responsible segment.

DLP (Data Loss Prevention)
A security technology that identifies sensitive data in transit, at rest, and in use, then enforces policies to prevent unauthorized disclosure. DLP detects sensitive content using pattern matching (regular expressions, usually with checksum validators to limit false positives), exact data matching (fingerprinting), machine learning classification, and OCR for images and scanned documents. In SASE, DLP policies apply consistently across all inspection points: SWG, CASB inline, CASB API, FWaaS, and ZTNA tunnels. DLP can only inspect what has been decrypted, so its coverage is bounded by the TLS inspection bypass list.

DPI (Deep Packet Inspection)
A network analysis technique that examines the full payload of packets, not just the headers. DPI enables application identification (classifying traffic by behavior rather than port number), intrusion prevention (matching payload content against attack signatures), and content filtering. In SASE, DPI is performed at the PoP after TLS decryption, giving Layer 7 visibility into traffic that is encrypted on the wire; flows excluded from decryption (bypassed or pinned applications, QUIC that is not intercepted) can only be inspected at the header and metadata level.

E-F
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously monitors endpoint activity, detects suspicious behavior, and provides investigation and remediation capabilities. EDR is not a SASE component, but it feeds critical posture signals into SASE policy decisions: ZTNA can require that the EDR agent is present, running, and reporting a healthy status as a condition for granting application access, and DEM can use EDR telemetry for endpoint health assessment. The posture check is only as strong as its source, so the SASE agent should obtain EDR status through an authenticated integration rather than trusting a local process name or registry value.

FWaaS (Firewall as a Service)
A cloud-delivered firewall that applies Layer 3 through Layer 7 inspection to all network traffic, not just web traffic. FWaaS handles protocols that the SWG does not: SSH, RDP, database protocols, DNS, SMTP, and custom applications. In SASE, FWaaS replaces branch office firewall appliances and provides consistent network security policy for all users and locations from globally distributed cloud PoPs.

Full Tunnel
A VPN or SASE agent configuration where all traffic from the endpoint, regardless of destination, is routed through the VPN concentrator or SASE PoP. Full tunnel provides complete traffic visibility and security inspection but adds latency to every connection, including access to local resources and latency-sensitive applications, and makes the PoP a single point of failure for all of the endpoint's connectivity. Contrast with split tunnel.

G-I
GRE (Generic Routing Encapsulation)
A tunneling protocol that encapsulates network packets inside IP packets for transport across a network. GRE tunnels are used in SASE to steer traffic from branch office routers or SD-WAN appliances to the nearest SASE PoP. GRE provides neither encryption nor authentication on its own, so it is either wrapped in IPsec for encrypted transport or carried inside an already-encrypted SD-WAN overlay. A bare GRE tunnel over the public internet exposes the tunneled traffic to interception and spoofing.

IoC (Indicator of Compromise)
A forensic artifact that indicates a security breach has occurred or is in progress. IoCs include malicious IP addresses, domain names, file hashes, registry modifications, and unusual network traffic patterns. SASE components consume IoC feeds from threat intelligence providers: the SWG blocks URLs matching malicious domain IoCs, FWaaS blocks traffic to malicious IP IoCs, and CASB flags files whose hashes match known malware IoCs.

IPsec (Internet Protocol Security)
A suite of protocols that provides authentication and encryption for IP traffic. IPsec operates in two modes: transport mode, which protects only the payload of the original packet, and tunnel mode, which encapsulates and protects the entire original IP packet and is the mode used for site-to-PoP tunnels. In SASE, IPsec tunnels connect branch office SD-WAN appliances and routers to SASE PoPs, providing encrypted transport for all site traffic. IKEv2 is the standard key exchange protocol for establishing the tunnel; the tunnel is only as strong as the negotiated IKEv2 proposal, so weak legacy ciphers and Diffie-Hellman groups should be disabled on both ends.

L-M
Lateral Movement
The technique attackers use after gaining initial access to move through a network toward higher-value targets. An attacker who compromises one workstation uses lateral movement to reach domain controllers, database servers, and file shares. ZTNA sharply constrains lateral movement by granting per-application access rather than network-level access: a compromised user session cannot discover or connect to any application beyond the ones that user was authorized for. It does not stop an attacker from abusing the authorized application itself, or from moving between servers behind the connector, which is why ZTNA is paired with microsegmentation and EDR.

MDM (Mobile Device Management)
A platform for managing and securing mobile devices and endpoints. MDM is relevant to SASE as a posture signal source: ZTNA policies can require that a device is MDM-enrolled and compliant before granting access. MDM also deploys the SASE endpoint agent and the SWG's root CA certificate, which TLS inspection depends on, to managed devices.

MFA (Multi-Factor Authentication)
An authentication method requiring two or more verification factors: something you know (password), something you have (hardware token, phone), or something you are (biometric). MFA is a foundational prerequisite for SASE and zero trust architectures. ZTNA policies should require MFA for all application access, and step-up MFA should trigger when posture changes or high-risk actions are detected mid-session. Phishing-resistant factors (FIDO2/WebAuthn) are preferable to push notifications and one-time codes, which real-time phishing proxies can relay.

Microsegmentation
A security technique that divides a network into isolated segments, each with its own access controls. In SASE, microsegmentation is achieved through ZTNA per-application access policies and FWaaS zone-based firewall rules rather than traditional VLAN-based segmentation. The key advantage is that segmentation follows user and application identity rather than requiring network topology changes.

MITRE ATT&CK
A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. MITRE ATT&CK provides a common language for describing attack behaviors. SASE vendors map their detection capabilities to ATT&CK techniques: IPS signatures in FWaaS map to specific technique IDs, DLP detections map to exfiltration techniques, and CASB behavioral analytics map to credential access and collection techniques.

MPLS (Multiprotocol Label Switching)
A WAN technology that forwards traffic using short path labels rather than network addresses, enabling efficient traffic engineering and quality-of-service guarantees. MPLS has been the backbone of enterprise WANs for two decades but is expensive and inflexible. SD-WAN in SASE architectures replaces or augments MPLS circuits with lower-cost broadband and LTE/5G connections while maintaining application performance through intelligent path selection. MPLS provides traffic separation, not encryption; traffic on an MPLS circuit is visible to the carrier unless it is also encrypted by IPsec or the SD-WAN overlay.

mTLS (Mutual TLS)
An extension of standard TLS in which both client and server present certificates and authenticate each other, rather than only the server presenting a certificate to the client. mTLS is used in SASE for connector-to-broker authentication in ZTNA deployments and for API authentication between SASE components. It provides stronger authentication than one-way TLS by verifying both ends of the connection, which makes protecting and rotating the client-side private keys (for example on connector hosts) a security-critical task.

N-O
NBAR (Network-Based Application Recognition)
A Cisco technology that classifies network traffic by application using deep packet inspection signatures, identifying applications by their traffic patterns rather than by port number. In Cisco's SASE architecture, NBAR (and its successor NBAR2) runs on Catalyst SD-WAN edge devices to classify traffic for application-aware routing and QoS policy enforcement. Classification of encrypted flows is heuristic (SNI, flow characteristics), so it is suitable for routing and QoS decisions but is not a substitute for security inspection at the PoP.

OIDC (OpenID Connect)
An authentication protocol layered on OAuth 2.0 that lets a client verify a user's identity and obtain basic profile information. OIDC is used in SASE for user authentication against identity providers. When a user accesses a ZTNA-protected application, the ZTNA broker redirects them to the IdP, receives a signed ID token after authentication, validates it (signature against the IdP's published keys, issuer, audience, expiry, and the nonce tied to this login), and feeds the verified claims such as subject and group membership into its access policy.

P-Q
PAC File (Proxy Auto-Configuration)
A JavaScript file whose FindProxyForURL function tells a browser which proxy, if any, to use for a given URL. PAC files are used in SWG deployments to steer browser traffic to the cloud proxy without an endpoint agent. They only cover traffic from clients that honor the system proxy setting (HTTP/HTTPS from browsers and well-behaved applications), cannot steer non-web protocols, do not provide device posture data, and are ignored by malware or by any user who changes the proxy setting. They are a useful interim steering method during SWG rollout before full agent deployment, not an enforcement control.

PoP (Point of Presence)
A physical location where a SASE vendor operates its cloud security and networking infrastructure. Each PoP contains the compute, storage, and network interconnection needed to run the full SASE inspection pipeline (SWG, CASB, DLP, FWaaS, ZTNA) close to users. PoP count and geographic distribution directly affect user-experienced latency: users connect to the nearest PoP, so gaps in coverage add latency for users in those regions. Where traffic is decrypted for inspection, PoP location also determines which jurisdiction the plaintext passes through.

Proxy Chaining
Routing traffic through multiple proxy servers in sequence, typically an on-premises proxy forwarding to a cloud SWG. Proxy chaining is common during SASE migration when organizations keep existing on-prem proxies while transitioning to cloud-delivered SWG. It adds latency through double inspection and complicates certificate handling (two TLS interception points, two CAs), authentication forwarding (the cloud SWG sees the on-prem proxy's address rather than the user's unless identity is forwarded), and log correlation.

QUIC
A transport protocol, originally developed by Google and standardized by the IETF as RFC 9000, that runs over UDP and provides built-in TLS 1.3 encryption, multiplexed streams, and lower connection setup latency than TCP+TLS. QUIC is the transport for HTTP/3 and is used by Google services, Cloudflare-fronted sites, and increasingly by other applications. QUIC creates challenges for SASE inspection because a TCP-based proxy never sees it and because QUIC encrypts most of its transport header as well as the payload. SASE vendors handle QUIC either by blocking it (dropping UDP/443 at the FWaaS or agent, which makes browsers fall back to HTTP/2 over TCP+TLS, which they can inspect) or by implementing native QUIC interception. If QUIC is blocked, the block must cover every egress path; a split-tunnel exception that lets UDP go direct silently reopens the gap.

S
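The PAC File entry above describes what a PAC file can and cannot do. Below is an added example, not from the original page or from any vendor, of a PAC file that steers browser traffic to a cloud SWG while sending internal names, private address literals, and certificate-pinned applications direct. The proxy addresses, the corp.example.com domain and the pinned-application hostnames are assumptions. The shims at the top exist only so the file can be unit-tested in Node; a browser or proxy engine supplies isPlainHostName, dnsDomainIs and shExpMatch itself.

```javascript
// Added example PAC file. Proxy addresses, domains and pinned hosts are assumptions.
// Shims: real PAC engines provide these helpers; defining them only when absent
// lets the same file be exercised in Node for testing.
if (typeof isPlainHostName !== "function") {
  globalThis.isPlainHostName = (host) => host.indexOf(".") === -1;
  globalThis.dnsDomainIs = (host, domain) =>
    host.length >= domain.length && host.substring(host.length - domain.length) === domain;
  globalThis.shExpMatch = (str, glob) => {
    const re = "^" + glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
}

// Two PoPs and no trailing DIRECT: if both are unreachable the browser fails
// closed rather than silently sending uninspected traffic to the internet.
var SWG = "PROXY swg-eu1.example.net:443; PROXY swg-eu2.example.net:443";

// Applications that pin their server certificate and therefore break under
// SWG TLS inspection. Every entry here is uninspected traffic: keep it short,
// use exact hostnames where possible, and review it regularly.
var PINNED_BYPASS = [
  "updates.vendor-example.com",
  "*.pinned-app-example.com"
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Plain hostnames (no dot) and the internal domain resolve on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }

  // Loopback and RFC 1918 address literals. Matching the literal text avoids
  // the DNS lookup that isInNet() would trigger for every request.
  if (host === "localhost" || shExpMatch(host, "127.*") ||
      shExpMatch(host, "10.*") || shExpMatch(host, "192.168.*") ||
      /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host)) {
    return "DIRECT";
  }

  // Certificate-pinned applications.
  for (var i = 0; i < PINNED_BYPASS.length; i++) {
    if (shExpMatch(host, PINNED_BYPASS[i])) {
      return "DIRECT";
    }
  }

  // Everything else, including all HTTPS, goes to the SWG. A PAC file only
  // ever sees requests from clients that honor the proxy setting.
  return SWG;
}
```

The single most common mistake in production PAC files is a trailing "; DIRECT" on the proxy string for resilience; it turns every PoP outage into a silent bypass of inspection. Resilience belongs in listing several PoPs, as above.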
SAML (Security Assertion Markup Language)
An XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). SAML is widely used in SASE for SSO integration: when a user accesses a ZTNA-protected application or authenticates to the SWG, a signed SAML assertion from the IdP conveys the user's identity, group membership, and authentication strength to the SASE platform for policy evaluation. The platform must validate the assertion's signature, audience, and validity window; SAML's XML signature handling has a history of signature-wrapping flaws, so the validating library matters.

SASE (Secure Access Service Edge)
A cloud-delivered architecture defined by Gartner in 2019 that converges networking (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into a unified service. SASE moves security enforcement from the data center perimeter to the cloud edge, following the user rather than the network. The key principle is that security and networking policy are delivered as a service from globally distributed Points of Presence and applied consistently regardless of user location, device, or application.

SD-WAN (Software-Defined Wide Area Network)
A networking technology that virtualizes the WAN by decoupling the control plane from the data plane, enabling application-aware routing across multiple transport links (MPLS, broadband, LTE/5G). SD-WAN selects the best path for each application based on real-time performance metrics. In SASE, SD-WAN is the networking half that complements the SSE security half, providing the transport fabric that connects branch offices and users to cloud-delivered security services.

Shadow IT
Cloud applications and services used by employees without the IT department's knowledge or approval. Shadow IT creates uncontrolled data exposure because IT cannot apply security policy to applications it does not know exist. CASB shadow IT discovery is the primary SASE control for identifying it, cataloging every SaaS application in use across the organization (typically from SWG and firewall logs) and assigning risk scores based on security certifications, data handling practices, and compliance posture.

SIEM (Security Information and Event Management)
A platform that aggregates and correlates security event logs from across the IT environment to detect threats, support incident investigation, and satisfy compliance reporting requirements. SASE generates large volumes of log data (SWG access logs, DLP incidents, CASB alerts, FWaaS flow logs) that should be forwarded to the SIEM for correlation with endpoint, identity, and application logs.

SNI (Server Name Indication)
A TLS extension in which the client states the hostname it is connecting to in the ClientHello, before encryption begins. SNI is central to SWG operation because it lets the SWG identify the destination hostname and apply hostname-based policy, including the decision whether to decrypt at all, without breaking into the session. Encrypted Client Hello (ECH), an extension to TLS 1.3, moves the real SNI into an encrypted inner ClientHello; the visible outer SNI carries only the public name of the fronting provider, which blinds the SWG to the true destination unless ECH is blocked or the session is decrypted. SNI is also client-supplied and unauthenticated: a client can send a permitted hostname while connecting to a different server, so policy that allows by SNI alone without decryption is bypassable. Under TLS inspection the SWG can check the destination's certificate against the SNI.

SOAR (Security Orchestration, Automation, and Response)
A platform that automates incident response workflows by integrating security tools and executing predefined playbooks. SASE feeds into SOAR through API integrations: a DLP incident can trigger a SOAR playbook that creates a ticket, notifies the user's manager, quarantines the endpoint via EDR, and revokes ZTNA access. SOAR amplifies the value of SASE alerts by automating response actions that would otherwise require manual analyst intervention.

SOC (Security Operations Center)
The team and facility responsible for monitoring, detecting, analyzing, and responding to security incidents. The SOC is the primary consumer of SASE telemetry: SWG logs reveal web-based threats, CASB alerts surface cloud data risks, DLP incidents flag exfiltration attempts, and DEM data helps distinguish performance issues from security events. A well-integrated SASE platform reduces SOC alert fatigue by correlating events across components before surfacing incidents.

Split Tunnel
A VPN or SASE agent configuration where only specific traffic (typically traffic destined for corporate resources) is routed through the VPN concentrator or SASE PoP, while everything else goes directly to the internet from the endpoint. Split tunnel reduces latency for non-corporate traffic but leaves the direct traffic unproxied and uninspected. Most SASE deployments use a selective split tunnel: corporate applications through ZTNA, web traffic through the SWG, and only latency-sensitive traffic such as video conferencing sent direct. Every direct exception should be listed explicitly and reviewed, since each one is a path that bypasses inspection.

SSE (Security Service Edge)
The security-only subset of SASE, defined by Gartner in 2021, consisting of SWG, CASB, and ZTNA delivered as a cloud service. SSE provides the security components of SASE without the SD-WAN networking component. Organizations that already have functioning SD-WAN infrastructure typically deploy SSE first for immediate security value, then evaluate whether to add the SASE vendor's SD-WAN or keep their existing WAN.

SWG (Secure Web Gateway)
A cloud-delivered web proxy that intercepts, decrypts, inspects, and re-encrypts HTTP and HTTPS traffic. The SWG applies URL categorization, malware scanning, content filtering, and acceptable use policies to all web traffic. The SWG acts as a TLS termination point using a private root CA whose certificate is deployed to endpoints, which is what allows it to inspect encrypted traffic; that CA's private key is therefore one of the most sensitive assets in the deployment. In SASE, the SWG is typically the first component deployed because it provides the broadest security coverage with the least architectural change.

T
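The SNI entry above and the TLS entry that follows both turn on what an SWG can read from the ClientHello before any decryption. The following is an added example, not code from the original page, that builds a minimal TLS 1.3 ClientHello in Node.js and parses it the way a non-decrypting SWG would: it extracts the server_name extension and flags the presence of the encrypted_client_hello extension (codepoint 0xfe0d in the IETF ECH drafts). The hostnames are constructed for the example, and the ECH payload is an opaque placeholder rather than a real encrypted inner ClientHello.

```javascript
// Added example: what a non-decrypting SWG can learn from a ClientHello.
// Hostnames and the ECH payload bytes are constructed; 0xfe0d is the
// encrypted_client_hello extension codepoint used by the IETF ECH drafts.
const u16 = (n) => Buffer.from([(n >> 8) & 0xff, n & 0xff]);
const u24 = (n) => Buffer.from([(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]);
const extension = (type, body) => Buffer.concat([u16(type), u16(body.length), body]);

const EXT_SERVER_NAME = 0x0000;
const EXT_ECH = 0xfe0d;

// Builds a minimal but well-formed ClientHello record carrying a server_name
// extension and, optionally, an ECH extension with an opaque payload.
function buildClientHello(serverName, { ech = null } = {}) {
  const name = Buffer.from(serverName, "ascii");
  const sniList = Buffer.concat([u16(name.length + 3), Buffer.from([0x00]), u16(name.length), name]);
  const exts = [extension(EXT_SERVER_NAME, sniList)];
  if (ech) exts.push(extension(EXT_ECH, ech));
  const extensions = Buffer.concat(exts);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // legacy_version: 0x0303 on the wire, as TLS 1.3 requires
    Buffer.alloc(32, 0x11),             // random (fixed here; real clients use CSPRNG output)
    Buffer.from([0x00]),                // legacy_session_id: empty
    u16(2), Buffer.from([0x13, 0x01]),  // cipher_suites: TLS_AES_128_GCM_SHA256
    Buffer.from([0x01, 0x00]),          // legacy_compression_methods: null only
    u16(extensions.length), extensions,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Parses the first record of a client connection. Returns the plaintext SNI
// (null if absent) and whether an ECH extension is present. With ECH the SNI
// seen here is the fronting provider's public name, not the real destination.
function parseClientHello(rec) {
  if (rec.length < 5 || rec[0] !== 0x16) throw new Error("not a TLS handshake record");
  const recLen = rec.readUInt16BE(3);
  if (rec.length < 5 + recLen) throw new Error("truncated record");
  let p = 5;
  if (rec[p] !== 0x01) throw new Error("not a ClientHello");
  const end = p + 4 + rec.readUIntBE(p + 1, 3);
  if (end > rec.length) throw new Error("truncated handshake");
  p += 4;
  // Bounds-checked readers: every length field comes from the client.
  const u8 = () => { if (p + 1 > end) throw new Error("truncated ClientHello"); return rec[p]; };
  const u16v = () => { if (p + 2 > end) throw new Error("truncated ClientHello"); return rec.readUInt16BE(p); };
  const skip = (n) => { if (p + n > end) throw new Error("truncated ClientHello"); p += n; };
  skip(2 + 32);            // legacy_version + random
  skip(1 + u8());          // legacy_session_id
  skip(2 + u16v());        // cipher_suites
  skip(1 + u8());          // legacy_compression_methods
  const result = { sni: null, ech: false };
  if (p + 2 > end) return result;        // no extensions block at all
  const extEnd = p + 2 + rec.readUInt16BE(p);
  if (extEnd > end) throw new Error("extensions overrun handshake");
  p += 2;
  while (p + 4 <= extEnd) {
    const type = rec.readUInt16BE(p);
    const len = rec.readUInt16BE(p + 2);
    if (p + 4 + len > extEnd) throw new Error("truncated extension");
    const data = rec.subarray(p + 4, p + 4 + len);
    if (type === EXT_SERVER_NAME) {
      // ServerNameList: 2-byte list length, then (name_type, 2-byte length, name) entries.
      let q = 2;
      while (q + 3 <= data.length) {
        const nameType = data[q], nameLen = data.readUInt16BE(q + 1);
        if (q + 3 + nameLen > data.length) throw new Error("truncated server_name");
        if (nameType === 0x00 && result.sni === null) {
          result.sni = data.subarray(q + 3, q + 3 + nameLen).toString("ascii");
        }
        q += 3 + nameLen;
      }
    } else if (type === EXT_ECH) {
      result.ech = true;
    }
    p += 4 + len;
  }
  return result;
}

// Policy input for an SWG that is not decrypting this flow. "usable" means the
// hostname may drive policy; it never means the hostname is authenticated.
function destinationForPolicy(rec) {
  const { sni, ech } = parseClientHello(rec);
  if (ech) return { hostname: sni, usable: false, reason: "ECH present: outer SNI is the public name only" };
  if (sni === null) return { hostname: null, usable: false, reason: "no SNI: fall back to destination IP" };
  return { hostname: sni, usable: true, reason: "plaintext SNI (client-supplied, unauthenticated)" };
}
```

Run against a normal ClientHello the parser returns the destination hostname; against one carrying ECH it returns only the fronting provider's public name and marks it unusable for hostname policy, which is exactly the decision point where an SWG must either block ECH, decrypt, or fall back to coarser controls.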
TLS (Transport Layer Security)
The cryptographic protocol that provides confidentiality and integrity between two communicating applications; TLS 1.2 and 1.3 protect the large majority of internet traffic. SWG TLS inspection works by terminating the client-side session with a certificate for the requested hostname issued on the fly by the SWG's private CA (trusted by endpoints because the CA certificate was deployed to them), decrypting the traffic for inspection, then opening a separate TLS session to the destination. That second leg must still validate the destination's certificate properly; an SWG that accepts invalid upstream certificates silently removes the protection the client would otherwise have had. TLS 1.3's Encrypted Client Hello (ECH) extension encrypts the SNI field, which complicates SWG policy enforcement that relies on reading the destination hostname from the ClientHello.

TTPs (Tactics, Techniques, and Procedures)
The behavioral patterns that describe how adversaries conduct attacks, as catalogued by the MITRE ATT&CK framework. Tactics describe the adversary's objective (e.g., initial access, lateral movement, exfiltration), techniques describe how they achieve it (e.g., phishing, pass-the-hash, DNS tunneling), and procedures describe the specific implementation. SASE detection capabilities should map to specific TTPs to validate that the platform detects real-world attack behaviors, not just known signatures.

X-Z
XDR (Extended Detection and Response)
A security platform that correlates threat data across multiple security layers: endpoint, network, cloud, email, and identity. XDR is the evolution of EDR, extending detection and response from the endpoint to the entire attack surface. Some SASE vendors integrate their platform telemetry into their own XDR offering (e.g., Palo Alto Cortex XSIAM, Cisco XDR) to provide cross-layer threat correlation and automated response.

Zero Trust
A security architecture philosophy based on the principle of "never trust, always verify." Zero Trust eliminates implicit trust based on network location and instead requires continuous verification of identity, device posture, and behavior for every access request. Zero Trust is not a product; it is a design philosophy implemented through technologies such as ZTNA, microsegmentation, MFA, and continuous authentication. NIST SP 800-207 provides the authoritative framework definition.

ZTNA (Zero Trust Network Access)
A SASE component that brokers individual, authenticated connections between a user and a specific application based on verified identity and real-time device posture. ZTNA replaces VPN by providing per-application micro-tunnels rather than network-level access. Applications sit behind ZTNA connectors with no inbound ports (dark cloud model), making them invisible to the internet. The term ZTNA 2.0, coined by Palo Alto Networks, describes the addition of continuous posture verification and post-connect traffic inspection throughout the session rather than a single check at connection time.