Technology

The Network You Are Still Paying For: A Strategic Case for SASE

The cost you have stopped seeing

If you run a multi-site organization, or one with a hybrid workforce, walk through your monthly technology spend and add up everything that exists to move a packet of data from a laptop to an application.

The MPLS lines connecting your branches back to headquarters. The firewalls at each location. The licensing on those firewalls. The separate DNS filtering subscription. The separate web gateway. The VPN solution for remote workers. The contracts with two or three different carriers. The time your IT team spends figuring out which of the five tools caused the last user-experience complaint.

For most mid-market organizations we look at, that number is meaningfully larger than they think — and most of it is being paid for an architecture that was designed for a workforce that does not exist anymore.

This piece is for the operations leader, the CFO, and the technology leader who suspect their network is more expensive and more brittle than it should be — and want to understand the modern alternative without wading through vendor-speak.

A short history of how we got here

For most of the last two decades, building a network for a multi-site organization looked the same.

You bought MPLS — Multi-Protocol Label Switching — circuits from a carrier like CenturyLink, AT&T, Comcast, or Verizon. MPLS was the reliable, predictable, performance-guaranteed pipe between your branch offices and your data center. It was also expensive: a 500 Mbps MPLS line between two locations in the same state runs around $2,000 a month, often more. Globally, it gets dramatically more expensive.

You bought firewalls — typically Cisco, Palo Alto, Fortinet, or Sonicwall — for every location. The enterprise-class versions ran $12,000 to $20,000 per appliance, plus $2,500 to $5,000 per year in licensing, refreshed every five years.

You bought a separate DNS filter, like Cisco Umbrella, to protect against malicious destinations. You bought a separate web gateway. You bought a VPN solution to give remote employees a way back into the corporate network. Each had its own console, its own contract, its own renewal cycle.

When something broke — and something always broke — your IT team had to figure out which of the five solutions was the actual culprit. They pulled firewall logs, then DNS logs, then antivirus logs, then waited for the user to reproduce the problem at a specific time. It was the standard model. It worked. It was also expensive, slow to change, and brittle to the realities of modern work.

Then the workforce moved. People started working from home, then from anywhere, then both. Offices closed, then re-opened in different locations, then opened branches where talent happened to live. The hub-and-spoke network — designed to push everyone back through a central data center — no longer made sense for an organization where half the workforce was never going to walk into the data center.

That is where SASE comes in.

What SASE actually is

SASE — Secure Access Service Edge, pronounced "sassy" — is the consolidation of the entire stack described above into a single, cloud-delivered service.

The components Gartner uses to define it are:

  • SD-WAN — software-defined wide-area networking, which intelligently routes traffic across whatever internet connections are available at each site
  • Secure Web Gateway — filtering and inspecting web traffic
  • Cloud Access Security Broker — controlling how employees use SaaS applications
  • Zero Trust Network Access — modern remote access that replaces the legacy VPN
  • Firewall as a Service — cloud-delivered firewall capabilities

The idea is simple. Instead of buying a firewall at each location, a DNS filter from another vendor, a VPN from a third vendor, an MPLS connection from a fourth, and gluing them together — you buy SASE from one vendor, plug a small appliance into commodity internet at each location, install an always-on agent on every laptop, and the entire stack is delivered as a single cloud service.

Gartner predicts that 60% of new SD-WAN purchases in 2026 will be part of a single-vendor SASE solution, up from 15% in 2022. The SASE market itself is projected to grow at a 26–29% compound annual growth rate through 2028, reaching $25–$28 billion. This is not a fringe trend.

The economics, made concrete

The strategic case for SASE is usually told in three categories. Cost is the easiest to model, so we will start there.

A representative mid-market customer we recently looked at — twelve locations, several hundred employees, a mix of office and warehouse sites — had the following spend profile:

  • MPLS lines at twelve sites: approximately $2,000–$2,500 per location per month → roughly $30,000 per month in connectivity alone
  • Enterprise firewalls at headquarters: $20,000 in CapEx every five years per device, plus $2,500–$5,000 per year per device in licensing
  • Separate DNS filter, separate VPN, separate web gateway, each with their own annual contracts

After moving to a single-vendor SASE platform, the same twelve sites are now running on commodity internet at $400–$500 per location per month, with the SD-WAN, firewall, DNS filtering, VPN, and web gateway delivered as part of the cloud service.

The per-site connectivity bill dropped to roughly one-fifth of its prior cost. The firewall refresh cycle went away. The licensing spread across DNS, VPN, and web gateway tools collapsed into a single subscription.

Real-world deployments commonly report 25–40% in total cost reduction once everything that gets displaced is accounted for. The exact number depends on starting state, but the direction of the savings is consistent.

What the cost story misses

If cost were the only argument for SASE, the case would still be strong. But the operational and strategic benefits are arguably more important, especially for organizations whose workforce is moving and whose technology stack is consolidating.

Operations: one pane of glass, fewer tickets. When the firewall, the DNS filter, the VPN, and the application controls live in one platform, troubleshooting collapses. Instead of pulling logs from three vendors and asking the user to reproduce the problem at a scheduled time, an IT analyst can see in one console exactly what the user experienced when they clicked the button. The "my VPN keeps dropping when I get in the elevator" ticket — the bane of every IT support team — largely disappears, because the always-on agent reconnects transparently.

Real estate flexibility. Opening a new branch becomes plug-and-play. Order an internet circuit, ship a pre-configured edge device, plug it in. Closing a location is just as easy. Moving across the street is just as easy. This matters more than it used to, because the average mid-market organization is making more real-estate decisions per year than it was five years ago.

Hybrid workforce equivalence. A SASE agent on a laptop gives that employee the same security posture they would have inside the four walls of the office — same web filtering, same threat protection, same application access. The legacy model where a remote employee is a second-class citizen on the network goes away.

Vendor consolidation as a strategic posture. When the next AI-driven capability emerges — and they are emerging constantly — a single-platform vendor can roll it out as a software update. Some SASE platforms are now offering AI inspection to detect when employees are pasting confidential information into ChatGPT, Claude, or other public AI tools. Two years ago that capability did not exist. A multi-vendor stack with point solutions cannot keep up with that rate of change.

What the cost story also misses (the honest version)

We are vendor-agnostic, which means we are also honest about the friction.

Co-termination is the hidden tax. Your firewalls renewed last year on a three-year. Your DNS filter renewed six months later on a two-year. Your MPLS contracts each have their own terms. Migrating to SASE means buying the new platform while you are still paying for the old contracts. The best SASE vendors will aggressively credit you for displaced contracts during year one to make the math work; some will not. This is a negotiation conversation, and it is one you should have before you sign.

Re-platforming touches more than the network. Some applications depend on specific routing assumptions, IP whitelists, or VPN behavior. A migration plan that does not inventory these dependencies in advance ends up with surprise outages.

The vendor landscape is consolidating fast. Cato Networks, Fortinet, Palo Alto Networks, Cloudflare, Versa, Netskope, Check Point — the major players each have meaningfully different strengths. A pure cloud-native architecture (Cato) is operationally different from a platform built by extending an existing firewall product (Fortinet, Palo Alto). A SASE platform built for global enterprises is different from one built for distributed mid-market organizations. Picking the wrong one is an expensive mistake.

How to think about the decision

Strip away the acronyms and the strategic question is straightforward: is your current network architecture serving your business, or is your business now adapting to your network?

If you are managing four different vendors to handle one packet of data. If a new office location takes weeks to bring online. If your support team can't tell which tool caused the last outage. If your renewal calendar looks like a patchwork quilt. If your CFO cannot give you a predictable monthly run rate. Then your architecture is constraining your business, and the consolidation case is strong.

The right time to evaluate is twelve to eighteen months before your largest network contract renewal. That gives you time to model the options, run a pilot, and structure the new platform's contract to absorb your old contracts as they roll off — instead of double-paying for nine months because you reacted late.

How Prism Advisors approaches this

SASE is exactly the kind of decision Prism Advisors was built to help with. It is a network architecture and platform-evaluation question, with major financial and operational implications, that lives across multiple vendor relationships. It is also a marketplace navigation problem — there are dozens of viable platforms, and only a handful are the right fit for any given environment.

We are vendor-agnostic. We have no products to sell. We bring marketplace expertise the way a commercial insurance broker brings carrier expertise — knowing which platforms have flexibility on which terms, which contracts have hidden traps, which migration paths work cleanly, and which vendors will play ball on absorbing your existing contracts.

For an organization evaluating SASE, our typical engagement looks like this:

  1. Current-state inventory. Connectivity costs, firewall costs, licensing spread across point solutions, contract renewal dates, real-world ticket volume, and the dependencies that need to come along.
  2. Strategic option modeling. Given the workforce model, application portfolio, and growth direction, which two or three platforms genuinely fit — and what does the five-year economic model look like for each?
  3. Vendor evaluation and sourcing. We run the evaluation across the platforms that fit, sit on your side of the table during the negotiation, and structure the contract terms to protect you on the back end — including co-termination credits, performance guarantees, and exit terms that don't trap you the next time the industry shifts.

The companies winning on network modernization are the ones treating it as a strategic infrastructure decision, not a procurement event. That is the table we sit at.

The decision that pays itself off

For most mid-market organizations, the network is the most expensive piece of technology infrastructure that has changed the least in the last fifteen years. The consolidation is happening, the economics are real, and the workforce model has already moved.

If you are uncertain whether your current architecture still fits, that is the conversation worth having now — well before the renewal calendar forces it for you.

Prism Advisors is an AI-native, vendor-agnostic advisory firm helping mid-market companies navigate the most consequential technology transition in a generation. We sit at the intersection of business strategy, data, technology, and AI — on the client's side of the table, every time.

ad@prismadvisors.ai | prismadvisors.ai | 732-228-2488

Share this
Technology
Insights

More from our thinking

Explore what we're learning about transformation
Technology
8
 min read
The VMware Renewal Cliff: A Strategic Framework for What Comes Next
Broadcom’s VMware acquisition has fundamentally changed the economics of virtualization for mid-market organizations. This article breaks down what changed, the four realistic paths forward, and how leaders should evaluate infrastructure strategy, cost, risk, and long-term flexibility before the next renewal arrives.
AI
6
 min read
Every company wants AI. Almost none are ready.
The gap between ambition and execution isn’t an AI problem. It’s a strategy, data, and technology problem.