Vendor framework
Zero trust vendor evaluation - vendor-neutral framework
A framework for evaluating zero trust platforms without falling into the vendor-marketing trap. This page does not list specific dollar pricing: those numbers are negotiated, regional, and rarely match list. Instead it covers vendor categories, what each is best at, deployment complexity, lock-in risk, and how to map vendors to your scenario. For pricing, request quotes.
Categories
Six vendor categories cover the zero trust market
Most platforms fall into one of six archetypes. Each is strong in one or two pillars and weaker in others. Recognising the archetype is the first step in evaluation.
Identity-centric platforms
| Identity | Network | Device | Workload | Data |
|---|---|---|---|---|
| Primary | Secondary | Secondary | Not core | Not core |
- Deployment: Moderate. Heavy on directory integration, SSO migration, conditional access rule design.
- Best for: Heterogeneous estates not committed to a single productivity suite. Multi-cloud SaaS-heavy organisations.
- Lock-in risk: High - identity is the deepest integration point in any zero trust stack. Switching IdPs is the most expensive vendor migration.
- FedRAMP: Major identity vendors typically offer FedRAMP Moderate at minimum; FedRAMP High variants exist for federal estates.
Microsoft-suite platforms
| Identity | Network | Device | Workload | Data |
|---|---|---|---|---|
| Primary | Secondary | Primary | Secondary | Secondary |
- Deployment: Lowest if already on M365. Bundle integration is largely click-through. Highest if migrating from non-Microsoft identity.
- Best for: Microsoft 365-centric organisations. Mid-market and enterprise already paying for E3 / E5.
- Lock-in risk: Very high - bundle economics make leaving expensive. M365 commercial dependence creates indirect identity lock-in even if technically portable.
- FedRAMP: Multiple FedRAMP authorisations including High tiers for government estates.
Network-centric / SSE platforms
| Identity | Network | Device | Workload | Data |
|---|---|---|---|---|
| Not core | Primary | Secondary | Secondary | Secondary |
- Deployment: High. Network platform implementations require connector deployment in every private app environment, parallel VPN running, and policy migration from IP-based to identity-based rules.
- Best for: Large enterprises replacing complex on-premise proxy and VPN infrastructure. Heavy private-app estates.
- Lock-in risk: Moderate. ZTNA can be migrated more easily than identity, but SSE bundles (ZTNA + SWG + CASB + FWaaS) create platform-level lock-in once policy depth grows.
- FedRAMP: Most major SSE platforms have FedRAMP Moderate authorisations; some have High.
Lightweight ZTNA platforms
| Identity | Network | Device | Workload | Data |
|---|---|---|---|---|
| Not core | Primary | Not core | Not core | Not core |
- Deployment: Lowest. Modern ZTNA-only platforms deploy in days for SMBs, weeks for mid-market.
- Best for: SMBs and developer-centric organisations. ZTNA replacement of legacy VPN without need for full SSE.
- Lock-in risk: Low. Standards-based, easy to swap. Pricing is transparent.
- FedRAMP: Variable. Most consumer-focused ZTNA platforms do not pursue FedRAMP. Enterprise variants increasingly do.
Endpoint-centric platforms
| Identity | Network | Device | Workload | Data |
|---|---|---|---|---|
| Secondary | Not core | Primary | Secondary | Not core |
- Deployment: Moderate. EDR agent deployment, exclusion tuning, MDR onboarding for managed-response variants.
- Best for: Estates where endpoint visibility is the priority concern. Organisations with mature SOC operations.
- Lock-in risk: Moderate. Agent-based architecture creates operational dependency. Switching requires removing one agent and deploying another, with a parallel-run period.
- FedRAMP: Major endpoint vendors typically have FedRAMP Moderate; the High tier is available from select vendors.
Cloud-native / CNAPP platforms
| Identity | Network | Device | Workload | Data |
|---|---|---|---|---|
| Not core | Secondary | Not core | Primary | Secondary |
- Deployment: Moderate. API-based deployment, cloud account integration, IaC scanning hookups.
- Best for: Cloud-native organisations. AWS / Azure / GCP-heavy estates with significant container or Kubernetes footprint.
- Lock-in risk: Low to moderate. Most CNAPP platforms support all major clouds and standards-based output formats.
- FedRAMP: Variable. CNAPP is a newer category, so FedRAMP authorisations are still growing.
Scenario fit
Which category goes where
Map vendor categories to the scenarios most CISOs face. Multi-vendor combinations are normal and often optimal; single-vendor zero trust is rare outside the Microsoft ecosystem.
| Scenario | Identity | Network | Device | Workload | Data |
|---|---|---|---|---|---|
| 100-user SMB on M365 | Microsoft suite | Lightweight ZTNA | Microsoft suite (Defender) | Native cloud tooling | Microsoft suite (Purview) |
| 500-user mid-market, Google Workspace | Identity-centric platform | Lightweight ZTNA or SSE | Endpoint-centric platform | CNAPP | CASB layer |
| 2,000-user enterprise, Microsoft-centric | Microsoft suite | SSE platform or Microsoft Entra | Microsoft suite or endpoint specialist | CNAPP | Microsoft suite (E5) or specialist DLP |
| Federal contractor, CMMC L2 | FedRAMP-High identity platform | FedRAMP-authorised SSE | FedRAMP endpoint platform | FedRAMP CNAPP | FedRAMP DLP / classification |
| Cloud-native dev-led estate | Identity-centric platform | Lightweight ZTNA | Cloud-managed MDM | CNAPP (primary investment) | Cloud-native KMS + selective DLP |
| Heavy regulated data (healthcare, finance) | Identity-centric platform with PAM | SSE with microsegmentation | Endpoint-centric with MDR | CNAPP | Specialist DLP + classification (heavy investment) |
Decision framework
Eight dimensions to score every vendor
- Pillar coverage depth. For each of the five pillars, score primary / secondary / not core. Bolt-on modules count as secondary at best.
- Deployment complexity. Average rollout duration for organisations your size. Reference customers of comparable scale are essential here.
- Existing-stack fit. Native integration depth with your IdP, SIEM, ITSM, HR system. SCIM provisioning, SAML / OIDC SSO, OPA policy, OpenTelemetry export.
- Lock-in risk. Standards-based config export, contract-level data extract rights, switching cost as percentage of new platform first-year licensing.
- FedRAMP / compliance authorisation. FedRAMP Moderate or High, ISO 27001, SOC 2 Type II, HIPAA, PCI DSS. Required for regulated estates.
- 3-year total cost. Licensing + professional services + integration + tuning over 3 years. Year-one licensing is often the smallest line.
- Vendor stability. Financial position, product roadmap clarity, M&A risk, leadership turnover. Public companies disclose more; private vendors require careful diligence.
- Reference customer fit. Three references of comparable size, sector, and existing-stack composition. Phone calls, not case studies.
Frequently asked
Vendor evaluation questions
Why does this page not list specific vendor pricing?
Three reasons. First, vendor-disclosed list pricing is rarely the price organisations actually pay. Enterprise contracts negotiate 20-40% discounts off list, multi-year terms, and bundle adjustments that make published pricing misleading. Second, regional pricing varies meaningfully (US vs EU vs APAC) and any single number misrepresents the others. Third, this site is independent and explicitly avoids fabricating numbers we cannot stand behind. The vendor-neutral framework is more useful: it tells you which vendor categories fit which scenarios, and which dimensions to negotiate on. For specific pricing, request published rate cards or partner quotes.
How do we evaluate a zero trust platform vendor?
Eight dimensions matter. (1) Pillar coverage - which of the five pillars does the platform genuinely cover, and which is bolt-on? (2) Deployment complexity - how long is the average rollout for an organisation your size? (3) Existing-stack fit - does the platform integrate cleanly with your IdP, SIEM, ITSM, HR system? (4) Lock-in risk - is policy configuration extractable in standard formats? (5) FedRAMP / compliance authorisation if regulated. (6) Total cost (licensing + services + integration + tuning over 3 years), not just year-one licensing. (7) Vendor financial stability and product roadmap clarity. (8) Reference customer fit - request references from organisations of comparable size, sector, and existing-stack composition.
Is best-of-breed or single-vendor better?
Single-vendor (typically Microsoft-suite) is cheaper in licensing, faster to deploy, and easier to operate for organisations already committed to that vendor's productivity suite. Best-of-breed is more expensive in licensing and integration but gives you better-in-class capability per pillar and lower vendor lock-in. The practical answer for most mid-market: single-vendor for identity and device pillars (where bundle economics dominate), best-of-breed for network (where pure ZTNA platforms can be substantially cheaper than bundled SSE) and workload (where CNAPP specialists outperform generic security suites). Pure best-of-breed multi-vendor is best for organisations with mature security teams who can absorb the integration overhead.
How important is FedRAMP authorisation?
Mandatory if you are a federal contractor or process federal data. Important if you intend to bid on federal contracts within 2-3 years (the procurement cycle requires authorised tools to be already in place). Largely irrelevant for non-government estates. FedRAMP authorisations restrict the vendor pool to roughly the top 8-12 zero trust platforms in each category. FedRAMP Moderate is the minimum tier; FedRAMP High is required for higher-sensitivity federal data. Authorisation is a moving target, so validate current status with each vendor.
Should we issue a formal RFP?
Yes for purchases above $250K annual licensing or any platform that will run for 3+ years. RFPs force vendors to commit in writing to the dimensions that matter (deployment time, integration depth, FedRAMP status, support response SLAs) and produce a comparable evaluation across vendors. The RFP should explicitly require: pillar-by-pillar coverage attestation, three reference customers of comparable size, deployment timeline guarantee, contract-level lock-in protections (data extract on exit), and total-cost-of-ownership pricing including services and integration. Skip RFPs for purchases under $50K annual or for tooling that will be replaced within 2 years.
What is the worst evaluation mistake?
Pillar conflation. Vendors that primarily address one pillar often claim coverage of all five through bolt-on modules. The bolt-ons are typically immature compared to dedicated platforms in those categories. The worst evaluation mistakes confuse breadth with depth. A network-centric SSE platform may technically include identity through an OEM SSO, but the identity capability will not match a dedicated identity platform. A Microsoft suite includes ZTNA via Entra Private Access, but the ZTNA capability is newer than that of dedicated ZTNA vendors. Evaluate each pillar separately and pick the right tool for each, even if it means multi-vendor.