What SASE actually means for an Indian business buyer
I sat in on a review last month. A founder in Andheri, a new IT head from an ex-BFSI shop, and a Delhi CFO on Meet from home. The founder wanted a straight answer to a simple question. “What is this SASE thing you keep sending links about, and why should I sign a three-year contract for it?”
The IT head opened his laptop. He had a slide deck. The CFO groaned quietly, and I watched the founder’s eyes narrow.
I’m going to walk you through what we actually said in that room, because most SASE explainers online are written for people who already know what SD-WAN is. This one is for the founder and CFO who don’t, and shouldn’t have to.
What SASE India actually is, in one paragraph
SASE stands for Secure Access Service Edge. In practice it is a subscription that combines your branch networking (SD-WAN) with your cloud-delivered security (firewall, web filter, ZTNA, CASB, DLP) into one vendor, one console, one bill. Instead of buying a firewall box for each branch, a separate VPN concentrator for remote staff, and a separate web filter for head office, you rent all of that from a cloud that has data centres near your branches. In India, “near” means Mumbai, Chennai, Bengaluru, Hyderabad, and Delhi. The IT head calls this “convergence”. The CFO calls it “one bill”. Both are correct.
Where the founder got stuck
The founder’s actual question, when we peeled back the acronyms, was different. “What am I paying for that I already have?”
Fair question. Here is what he had:
- One firewall at the Andheri HQ, four years old, out of support next April.
- A VPN that most of the remote team hates and half of them route around with personal hotspots.
- MPLS lines to the Pune and Bengaluru offices, each ₹35,000 to ₹60,000 a month.
- A web filter licence he stopped renewing during COVID and never restarted.
- Three engineers in IT, one of whom is really more of a Salesforce admin.
If you are reading this and that list feels familiar, the SASE conversation is worth having. If your firewall is new, your remote team is small, and you have no branches, it is probably not worth having yet.
Where the CFO got stuck
The CFO’s question came out as a challenge. “So we swap a hardware bill for a subscription bill. Where is the saving?”
The saving is real, but it is not always in the line item you think.
Where the money actually moves
Three places, roughly.
One, the MPLS. Cato and its single-vendor SASE competitors do not need MPLS between branches. They use the public internet with their own private backbone. For an Indian business running 10 Mbps MPLS to six branches, that is a genuine six or seven-figure annual line item that shrinks when you cut over to broadband plus a 4G backup. Not everywhere. Tier-2 cities with unreliable fibre still want an MPLS or 4G safety net for the first year. But the trend line bends down.
Two, the branch firewalls. Once the SASE cloud is inspecting traffic, the box at the branch stops earning its AMC. You keep it for six months as belt-and-suspenders, then it goes on the shelf. Big-firm CIOs call this “consolidation”. Owner-CFOs call it “one less thing to renew”.
Three, the engineer’s calendar. This one never shows up on a spreadsheet, but it is real. A lean Indian IT team with three people cannot properly own a firewall vendor, a VPN vendor, a web filter vendor, and a CASB. Not while also running the ERP and the printer contract. Collapsing four dashboards into one is not glamour. It is oxygen.
What SASE does NOT do
This is where I earn my fee.
SASE does not replace your endpoint AV. Microsoft 365 licensing is a separate contract. A phishing email that lands in an inbox is still on your mail security, not on SASE. It does not audit your DPDP posture; that is a separate exercise. And it does not, on its own, solve a bad ISP. If your Pune branch has a 20 Mbps line that drops at 4 pm every day, no SASE will save you. You still need the second line.
The IT head wrote all of that down. Bas. The CFO relaxed by a visible half-inch.
How the pricing actually reads
Cato and the other single-vendor SASE platforms typically quote three things:
| Line item | What it is | How it scales |
|---|---|---|
| Socket / appliance | The small box at each branch that hands traffic to the SASE cloud | One-time per site, bandwidth-tiered |
| User licence | Per named user, per year, includes the security services | Grows with headcount |
| Site licence | Per branch, per year, usually with a user allowance | Grows with branch count |
Public benchmarks put comprehensive SASE at USD 15 to 40 per user per month. Indian buyers routinely land below the low end of that band once GST and INR contracting are factored in, especially on a three-year term. Get two quotes. Ask both vendors for a written per-user landed cost including GST. Read the small print on bandwidth overage; that is the number nobody talks about in the demo.
When SASE makes sense for you, and when it does not
I told the founder to think of it like this. You do this if:
- You have three or more branches, or a plan to open them in the next 18 months.
- You have a hybrid workforce that has outgrown your VPN.
- Your MPLS contract is up for renewal in the next 12 months.
- Your branch firewalls are aging into end-of-support.
- You want DPDP-safe log residency and cannot build a SIEM in-house.
You do not do this yet if:
- You are a single office under 25 users. Buy a decent firewall.
- You have no branches and no plans to grow. Fix the VPN instead.
- Your MPLS was just renewed for three years with a heavy termination fee.
The one thing that always gets missed
Indian PoPs. Ask the vendor which of their inspection PoPs are physically in India, and where the logs sit. Under the DPDP Act and CERT-In’s 180-day log directive, “logs stored in Singapore” is a conversation you do not want to have with your auditor. Cato has Mumbai, Chennai, and Hyderabad in production, with more Indian capacity being added. Zscaler, Palo Alto Prisma Access, Netskope, and Fortinet FortiSASE all have Indian presence too, in different shapes. Get it in writing, not on a slide.
What we actually recommended
We recommended a 60-day pilot. Two sites, not six. Andheri HQ and Bengaluru. Keep the existing firewalls live in parallel. Point 40 users through the SASE agent, watch the console for a full month-end close, then decide. If the CFO sees the console once, understands his own traffic, and does not hate the experience, the deal is 80 per cent done.
The founder signed off on the pilot before the CFO could ask another question. Chalo. That is a good day.
Where this fits at Sirius Star
We resell and deploy Cato Networks SASE in India, and we have sat on both sides of the buying decision. If you want the honest version of whether SASE fits your stage, or a written per-user landed cost against your current MPLS bill, start the conversation. The first read is free and takes about 40 minutes.
Read next: Cato Networks SASE deployment India: a Bengaluru SaaS bake-off against Fortinet covers what a pilot looked like at a different customer. For the compliance angle, DPDP audit Mumbai: a BFSI IT head’s story explains what “logs in India” actually buys you at audit time. If you are earlier in the buying journey, our cloud solutions hub maps the wider picture.
P.S. Anjali here. If your board meeting is next month and you need one clean slide on where SASE fits into your budget, I have written that slide seventeen times. It takes an hour on Meet. Reach us on WhatsApp at +91 91375 93228 during 10 to 7 IST, or hit the button above and we will set it up.






