VPN Is Dead. Long Live VPN.
Coalition's Cyber Threat Index 2025 found that 58% of all ransomware incidents started with compromised VPNs or firewalls. Stolen credentials and software exploits in Fortinet, Cisco, SonicWall, and Palo Alto VPN appliances were the top initial access vectors. The case for replacing VPN has never been stronger.
Gartner predicted that by 2025, 70% of new remote access deployments would use ZTNA instead of VPN. That prediction was directionally correct, and with 63% of organizations now reporting at least partial zero trust adoption, ZTNA is clearly mainstream. But Gartner's prediction missed a crucial nuance: most enterprises did not replace their VPN. They added ZTNA alongside it.
The reason is simple. ZTNA vendors sell a vision of per-app, identity-aware, zero trust access. But the reality is messier. Engineers still need SSH. Legacy apps speak protocols that predate HTTP. Contractors need access without installing agents. Compliance teams demand session recordings. And IT teams cannot manually onboard 500 internal applications one at a time.
Gartner also predicts that 30% of organizations will abandon zero trust initiatives by 2028 due to complexity and integration challenges. The $1.34 billion ZTNA market (projected to hit $4.18B by 2030) is growing fast, but so is the frustration gap between vendor promises and deployment reality.
We tested 8 SASE vendors across 12 specific ZTNA scenarios that represent the real requirements enterprises face when attempting to retire their VPN. The results reveal that "ZTNA" means very different things depending on which vendor you choose.
The Scorecard
| Rank | Vendor | YES | PARTIAL | NO | Score |
|---|---|---|---|---|---|
| 1 | Palo Alto Networks | 12 | 0 | 0 | 100% |
| 2 | Zscaler | 11 | 1 | 0 | 92% |
| 3 | Cato Networks | 10 | 1 | 1 | 83% |
| 3 | Netskope | 10 | 2 | 0 | 83% |
| 3 | Cisco | 10 | 2 | 0 | 83% |
| 3 | Cloudflare | 10 | 2 | 0 | 83% |
| 7 | Check Point | 8 | 4 | 0 | 67% |
| 7 | Fortinet | 8 | 3 | 1 | 67% |
Palo Alto is the only vendor that passes all 12 checks. But before you stop reading: the interesting story is not who scored highest. It is where the gaps are and what they mean for your VPN retirement plan.
The 5 Checks Every Vendor Passes
Let's dispense with what is table stakes. All 8 vendors score YES on these capabilities:
- Agentless browser access for contractors and BYOD
- Agent-based ZTNA for SSH, RDP, and thick clients
- Device posture checks before granting access
- Per-app micro-segmentation (no network-level access)
- Browser-based RDP/SSH without a native client
If a vendor is marketing any of these as differentiators in 2026, they are selling you table stakes. Every SASE platform on the market can provide identity-aware, per-app access with device posture verification. This is the baseline.
The real differentiation starts with the next 7 checks.
Where the Market Splits: The 7 Checks That Matter
1. Private App Discovery: The Onboarding Wall
Can the platform automatically discover internal applications without manual configuration?
| Vendor | Score | Key Detail |
|---|---|---|
| Zscaler | YES | App Discovery auto-indexes apps via wildcard segments, AI recommends granular policies |
| Netskope | YES | App Discovery observes user traffic to find internal apps during rollout |
| Palo Alto | YES | Cloud Identity Engine + traffic-based + AWS target discovery |
| Cisco | YES | Private Resource Discovery monitors VPN/ZTA traffic, with bulk actions |
| Cato | PARTIAL | DPI classifies traffic, but focuses on classification rather than ZTNA onboarding |
| Cloudflare | PARTIAL | Shadow IT Discovery finds SaaS apps, not private/internal applications |
| Check Point | PARTIAL | Visibility into accessed apps, but manual configuration required |
| Fortinet | NO | All apps must be manually defined in ZTNA access proxy rules |
Why this matters: The average enterprise has hundreds of internal applications. If your ZTNA platform requires manual onboarding for each one, your VPN retirement will take years instead of months. The vendors scoring YES can scan your network traffic and automatically surface applications for policy creation. Fortinet's NO here is a significant operational burden for large deployments.
2. Continuous Authorization: Trust Beyond Login
Does the platform re-evaluate risk during a session, not just at login?
| Vendor | Score | Key Detail |
|---|---|---|
| Cato | YES | Dynamic User Risk Level via proprietary algorithm, mid-session termination |
| Zscaler | YES | Adaptive Access Policy with real-time User Risk Scores, immediate session termination |
| Netskope | YES | Evaluates identity, posture, behavior, and threat intel throughout session |
| Palo Alto | YES | ZTNA 2.0 continuous trust assessment with step-up MFA |
| Cisco | YES | Identity Intelligence with behavioral patterns and dynamic trust scoring |
| Fortinet | YES | Posture tag changes trigger mid-session re-verification |
| Cloudflare | YES | Re-checks posture with each HTTP request, per-app session timeouts |
| Check Point | PARTIAL | Continuous device posture, but lacks documented real-time risk scoring |
The takeaway: Seven vendors now do continuous authorization well. Check Point's gap here is notable since one-time authentication at login is not zero trust by any modern definition. If a device gets compromised mid-session, you need the platform to react in real time.
3. Session Recording: The Compliance Requirement Nobody Plans For
Can privileged RDP/SSH sessions be recorded for audit and forensics?
| Vendor | Score | Key Detail |
|---|---|---|
| Zscaler | YES | PRA provides tamper-proof session recording with streaming playback |
| Palo Alto | YES | Prisma Access Browser records RDP/SSH for SOC 2, GDPR, PCI-DSS |
| Check Point | YES | Full RDP/SSH recording with SSH command trail and suspicious activity alerts |
| Cisco | PARTIAL | Recording available in Secure Equipment Access (OT), not mainstream SSE |
| Netskope | PARTIAL | Connection-level audit trails, not full video/keystroke session recording |
| Fortinet | PARTIAL | Requires separate FortiPAM product, not built into FortiSASE |
| Cloudflare | PARTIAL | Connection-level audit logs, full session recording announced but not GA |
| Cato | NO | No built-in session recording, requires separate PAM solution |
Why this matters: SOX, PCI-DSS, HIPAA, and SOC 2 all require audit trails for privileged access. If your ZTNA platform cannot record SSH and RDP sessions natively, you are buying a separate PAM tool. That is an extra vendor, extra budget, and extra integration to maintain. Zscaler, Palo Alto, and Check Point solve this out of the box.
This is also where Cato's single-vendor purity becomes a liability. Their "we build everything" philosophy means they have not yet built session recording, and you cannot plug in a third-party module to fill the gap.
4. Legacy Protocol Support: The VPN Killer (or Not)
Does ZTNA support non-TCP protocols like VoIP, ICMP, and SMB?
| Vendor | Score | Key Detail |
|---|---|---|
| Cato | YES | Full tunnel via DTLS carries all traffic types including UDP, ICMP, SMB |
| Palo Alto | YES | GlobalProtect tunnels TCP, UDP, ICMP, VoIP/SIP, and SMB |
| Fortinet | YES | QUIC tunneling for UDP (FortiClient 7.4.1+), plus ICMP and SMB |
| Cloudflare | YES | WARP supports TCP, UDP, ICMP, with dedicated VoIP/SIP proxy |
| Zscaler | PARTIAL | VoIP via secondary tunnel, SMB over TCP, but no ICMP support |
| Netskope | PARTIAL | TCP and UDP supported, but ICMP explicitly not supported |
| Cisco | PARTIAL | ICMP, client-to-client VoIP, and SMBv1 not supported via ZTA |
| Check Point | PARTIAL | UDP and VoIP supported, but ICMP explicitly not supported |
This is the check that determines whether you can actually kill your VPN. If your network engineers cannot ping internal servers (ICMP) or your call center runs VoIP, a PARTIAL score here means you are keeping the VPN running for these use cases. The vendors scoring YES have full-tunnel architectures that carry everything. The PARTIAL vendors force you into a split world: ZTNA for web apps, VPN for everything else.
Notably, Zscaler, the market leader in zero trust, cannot pass ICMP traffic. If your operations team relies on ping and traceroute for troubleshooting, that is a workflow disruption you need to plan for.
5. Multi-Cloud Connectors: Publishing Apps Across AWS, Azure, and GCP
Does the vendor provide lightweight connectors for multi-cloud private apps?
| Vendor | Score | Key Detail |
|---|---|---|
| Zscaler | YES | Lightweight App Connectors with dedicated guides for AWS, Azure, GCP |
| Netskope | YES | Publishers on AWS Marketplace, Azure, GCP, VMware, with Terraform support |
| Palo Alto | YES | ZTNA Connector on all cloud marketplaces, up to 2 Gbps per connector |
| Cisco | YES | Resource connectors for AWS, Azure, GCP, plus Docker and VMware |
| Cato | YES | vSocket virtual appliances with zero-touch deployment and BGP integration |
| Cloudflare | YES | cloudflared connector with multi-cloud networking and Workers VPC |
| Check Point | PARTIAL | Traditional IPsec tunnels rather than lightweight app connectors |
| Fortinet | PARTIAL | Requires full FortiGate VM as SPA hub, not a lightweight connector |
The gap: Check Point and Fortinet both require heavier infrastructure in each cloud environment. An IPsec tunnel or a full FortiGate VM is not the same as a lightweight, auto-updating connector. For organizations running apps across 3+ cloud providers, this deployment overhead adds up.
6. Identity Provider Integration: The SAML Question
Does ZTNA integrate with major IdPs via both SAML and OIDC?
Seven vendors score YES. Cato scores PARTIAL because they only support OIDC, not SAML. This sounds like a minor protocol detail until you realize that many enterprise IdP configurations, federation setups, and legacy applications are built on SAML. If your organization has a SAML-first identity architecture, Cato requires workarounds or reconfiguration.
7. Split DNS: Internal Resolution Without Breaking Everything
Can internal DNS names resolve without routing all DNS through the tunnel?
Seven vendors score YES. Fortinet scores PARTIAL because their split DNS only works on Windows; Android and other mobile devices send all DNS queries to public resolvers. If you have a mobile workforce accessing internal apps by hostname (jira.internal, gitlab.corp), Fortinet's mobile users will hit resolution failures.
The Three ZTNA Tiers
Based on these 12 checks, the market falls into three distinct tiers:
Tier 1: Full VPN Replacement Ready
Palo Alto (100%) is the only vendor that passes every check. If your requirement is "replace VPN entirely with a single platform that handles every scenario," Palo Alto is the only option with zero documented gaps across our 12 checks.
Zscaler (92%) comes close, with only legacy protocol support (no ICMP) as a gap. For organizations without significant ICMP/ping requirements, Zscaler is functionally equivalent to a full replacement.
Tier 2: Strong ZTNA With Specific Gaps
Cato, Netskope, Cisco, and Cloudflare (all 83%) deliver strong ZTNA but each has 2 gaps you need to evaluate:
- Cato: No session recording (compliance risk) and OIDC-only IdP support
- Netskope: No ICMP support and connection-level logging instead of session recording
- Cisco: No ICMP/VoIP via ZTA (VPNaaS fallback exists) and limited session recording
- Cloudflare: Private app discovery only for SaaS and session recording not yet GA
Tier 3: ZTNA With Significant Gaps
Check Point and Fortinet (both 67%) have 4 gaps each that will likely keep your VPN running longer:
- Check Point: Lacks continuous risk scoring, private app auto-discovery, lightweight cloud connectors, and full legacy protocol support
- Fortinet: No private app discovery at all, split DNS broken on mobile, heavyweight cloud connectors, and session recording requires a separate product
What This Means for Your VPN Retirement
The uncomfortable truth
No vendor can replace VPN for 100% of use cases on day one. Even Palo Alto's perfect score reflects documented capabilities, not guaranteed operational simplicity. Migrating hundreds of applications, retraining users, and handling edge cases takes months regardless of the platform.
The realistic playbook
Phase 1 (Months 1-2): Deploy ZTNA for web applications. Every vendor handles this well. Start with contractor access and BYOD, since agentless browser-based access is table stakes and delivers immediate value.
Phase 2 (Months 3-4): Migrate managed endpoints to agent-based ZTNA for SSH, RDP, and thick clients. Use app discovery (if your vendor supports it) to build your application inventory.
Phase 3 (Months 5-6): Address the long tail: legacy protocols, VoIP, ICMP-dependent monitoring, and compliance requirements for session recording. This is where vendor selection actually matters.
Phase 4 (Month 6+): Decommission VPN for populations where all use cases are covered. Keep VPN as a break-glass fallback for the rest.
The 5 questions to ask your vendor
1. "How do I discover my internal applications?" If the answer is "manually create policies for each one," multiply your app count by 15 minutes each and calculate the migration timeline.
2. "Can I record SSH/RDP sessions without buying a separate PAM tool?" If no, budget for one. Your compliance team will ask.
3. "What happens when I ping an internal server?" If ICMP is not supported, your network team will resist VPN retirement.
4. "Show me legacy protocol support: VoIP, SMB, UDP." Ask for a live demo, not a slide. PARTIAL answers hide important caveats.
5. "What does deployment look like in AWS, Azure, and GCP simultaneously?" Lightweight connectors vs. full VM appliances is a meaningful operational difference at scale.
The Bottom Line
ZTNA has matured dramatically. The basics (agentless access, device posture, per-app segmentation) are solved across the industry. The differentiation has moved to operational realities: can you discover apps automatically, record sessions for compliance, support legacy protocols, and deploy lightweight connectors across multi-cloud?
There is also a gap that no scorecard captures: ZTNA verifies who connects but most implementations do not inspect what comes through. A weaponized document travels the same ZTNA tunnel as a quarterly report. The vendors with inline threat inspection on ZTNA traffic (Palo Alto's ZTNA 2.0 explicitly addresses this) have an architectural advantage over those that treat the tunnel as a trusted pipe.
With 58% of ransomware starting at the VPN, the urgency to migrate is real. But with 30% of zero trust initiatives at risk of abandonment, the execution matters as much as the decision. These 12 checks are the difference between a ZTNA deployment that retires your VPN and one that sits alongside it indefinitely.
Explore the full data: ZTNA for Private Apps Comparison
Methodology: All findings based on SASECompare independent research across 12 capability checks. Vendor ratings reflect documented capabilities from official documentation, knowledge base articles, and verified public sources as of March 2026. See the [full comparison page](/compare/ztna-private-apps) for source citations per vendor per check.