Premium Security

premium-security-image.png

Premium Security provides advanced protection for traffic and user activity across the Cato Cloud. Most capabilities require Base Products, with certain capabilities, such as AI Security, available independently.

Licensing is based on the protected scope, which may include bandwidth (sites), users, or a combination of both.

  • In most cases, security coverage applies to the aggregated capacity of the deployment, including traffic across the Bandwidth Pool and activity of ZTNA Users
  • Some capabilities are licensed independently based on their scope

Premium Security is available either as predefined packages or as individual services, allowing customers to adopt bundled security coverage or select specific capabilities based on their requirements.

Advanced Threat Prevention

Advanced Threat Prevention (ATP) is a bundled security package that includes Threat Prevention (TP) and additional capabilities such as Remote Browser Isolation (RBI), Sandbox, and dynamic threat prevention. It provides enhanced protection against advanced, unknown, and evasive threats for traffic across the Cato Cloud, including traffic from sites, users, and cloud resources.

Capabilities

  • Includes all Threat Prevention (TP) capabilities.
  • Dynamic threat prevention
  • Sandbox - Performs deep inspection and analysis of suspicious and unknown files in a controlled environment to detect zero-day and advanced malware before it reaches users or systems.
  • Remote Browser Isolation (RBI) - Isolates web browsing sessions in a remote environment, preventing malicious content from reaching user devices and reducing exposure to web-based threats such as phishing and drive-by downloads.

Licensing

ATP is licensed based on Bandwidth Pool (sites) and ZTNA Users.

The licensed quantity must cover the total Bandwidth Pool and ZTNA Users across all region groups.

Threat Prevention can be licensed independently. RBI and Sandbox are included only as part of the ATP package.

Usage and fair use follow the measurement of the underlying Base Products.

Threat Prevention

Threat Prevention provides real-time, inline security inspection and enforcement for traffic across the Cato Cloud, including traffic from sites, remote users, and cloud resources. It enables detection and prevention of known, unknown, and evasive threats for traffic to internet, SaaS, and internal resources.

Threat Prevention includes multiple security engines, such as malware prevention, intrusion prevention (IPS), DNS security, threat intelligence, and AI/ML-based anti-phishing.

Threat Prevention applies to traffic that traverses the Cato Cloud.

Capabilities

  • Inspects traffic across sites, users, and cloud resources
  • Multiple security engines inspect for malicious content and threats, including:
    • Malware prevention
    • Intrusion prevention (IPS), including LAN IPS for Socket sites
    • DNS security
    • Threat intelligence
    • AI/ML-based anti-phishing

Licensing

TP is licensed based on Bandwidth Pool (sites) and ZTNA Users.

The licensed quantity must cover the total bandwidth and ZTNA Users across all region groups.

Usage and fair use follow the measurement of the underlying Base Products.

App & Data Security

App & Data Security provides application visibility and data protection across the Cato Cloud. It enables customers to monitor application usage and prevent unauthorized exposure of sensitive data across the internet, SaaS, and internal resources.

Capabilities

  • Cloud Access Security Broker (CASB) for application visibility and control, including inline and out-of-band inspection
  • Data Loss Prevention (DLP) for detection and prevention of sensitive data exposure, including inline and out-of-band inspection

Licensing

App & Data Security is licensed based on Bandwidth Pool (sites) and ZTNA Users.

The licensed quantity must cover the total bandwidth and ZTNA Users across all region groups.

CASB and DLP can be licensed individually or as part of the App & Data Security package.

Usage and fair use follow the measurement of the underlying Base Products.

CASB

Cloud Access Security Broker (CASB) provides visibility and control over the use of cloud and SaaS applications for Internet and SaaS traffic protected by Internet Security. It enables organizations to discover application usage, assess risk, and enforce policies to govern access and data usage.

Capabilities

  • Inline CASB for real-time visibility and policy enforcement
  • Out-of-band CASB using supported third-party integrations
  • Discover and classify cloud and SaaS applications
  • Policy enforcement for application usage and access control

Licensing

CASB is licensed based on Bandwidth Pool (sites) and ZTNA Users.

The licensed quantity must cover the total bandwidth and ZTNA Users across all region groups.

CASB can be licensed individually or as part of App & Data Security.

Usage and fair use follow the measurement of the underlying Base Products.

DLP

Data Loss Prevention (DLP) provides controls to detect and prevent unauthorized exposure of sensitive data across the Cato Cloud. It enables organizations to identify, monitor, and control the movement of sensitive data across applications and destinations.

Capabilities

  • Inline DLP for real-time inspection and enforcement
  • Out-of-band DLP using supported third-party integrations
  • Detect and control of sensitive data movement across the internet, SaaS, and internal resources

Licensing

DLP is licensed based on Bandwidth Pool (Mbps) and ZTNA Users.

The licensed quantity must cover the total bandwidth and ZTNA Users across all region groups.

DLP must be purchased with CASB at the same quantity or as part of App & Data Security.

Usage and fair use follow the measurement of the underlying Base Products.

Assets Security

Assets Security provides visibility and security insights for connected devices across the Cato Cloud. It enables the identification and classification of devices and applies device-level context to enforce policies across WAN, Internet, and LAN environments. It also supports micro-segmentation to enforce granular access controls between devices and resources within LAN environments (via Sockets).

Capabilities

  • Device visibility and discovery, including device identification
  • Device classification and enforcement within policy rules
  • Enforce device-aware rules across all existing WAN, LAN, and Internet Firewall policies
  • Enforce LAN micro-segmentation for Socket sites
  • Integrate with third-party device management and discovery systems

Licensing

Assets Security is licensed by device blocks. Devices represent the total number of unique identified devices that send or receive traffic through the Cato Cloud or the local LAN environment.

Device measurement includes devices identified through inline traffic as well as devices discovered through supported out-of-band third-party providers that forward traffic through the Cato Cloud.

Assets Security is licensed independently of Bandwidth Pool and ZTNA Users.

AI Security for Users

AI Security for Users provides discovery, observability, and policy enforcement for user interactions with AI services. It enables organizations to understand, control, and govern how users interact with public AI services.

Capabilities

  • Provides visibility into user-to-AI activity with enforcement controls for acceptable use, data exposure, and policy violations
  • Available using Browser Plugin, Cato Client, Cato Enterprise Browser, and Proxy Chaining

Licensing

AI Security for Users is licensed per user. Users represent the total number of users protected with AI Security.

AI Security for Users can be deployed as a standalone capability and does not require Base Products.

AI Security for Applications

AI Security for Applications provides runtime security, governance, and compliance for homegrown AI applications and self-built agents. It enables organizations to protect AI workloads from security, compliance, and governance risks throughout the application lifecycle.

Capabilities

  • Runtime protection for AI applications and agents across development and production environments
  • Integration using out-of-band APIs, Model Proxy, and AI Gateway for visibility and enforcement
  • AI Security Posture Management capabilities, including model scanning, red-teaming, and AI asset management

Licensing

AI Security for Applications is licensed based on the total number of employees in the organization.

The licensed employee quantity must be equal to or greater than the number of licensed AI Security for Users.

Employees are used to size the overall scope of protection rather than for usage measurement. The licensed quantity is typically aligned with the number of business SaaS users in the organization, for example, Microsoft 365 users.

AI Security for Applications can be licensed independently and does not require Base Products.

EPP

Endpoint Protection Platform (EPP) provides endpoint-level threat prevention and malware protection for user devices. EPP extends security coverage beyond network traffic by protecting endpoints directly and centralizing endpoint security management within the Cato Management Application.

EPP protects endpoints independently of network connectivity and does not require the Cato Client for network access. Endpoint security policies, alerts, and events are managed centrally alongside network, access, and security policies.

Capabilities

  • Endpoint malware prevention and threat detection
  • Policy-based endpoint protection using centrally managed profiles
  • Behavioral analysis and signature-based threat detection
  • Centralized visibility and alerting integrated with network and security events
  • Unified management of endpoint, user, and network security from a single platform

Licensing

EPP is licensed by users. Users represent the total number of users protected by EPP across the customer environment.

The licensed user quantity is typically aligned with the number of business SaaS users in the organization (for example, Microsoft 365 users).

EPP can be licensed independently and does not require Base Products. EPP protection applies directly to endpoints and operates independently of network connectivity.

Due to regional restrictions, devices located in China cannot register with the Cato EPP service.

Premium Security Licensing Summary

Security License

Licensed by

Threat Prevention

Bandwidth Pool and ZTNA Users

Advanced Threat Prevention

Bandwidth Pool and ZTNA Users

App & Data Security

Bandwidth Pool and ZTNA Users

CASB

Bandwidth Pool and ZTNA Users

DLP

Bandwidth Pool and ZTNA Users

Assets Security

Device Blocks

EPP

Users

AI Security for Users

Users

AI Security for Applications

Employees

 


 

Was this article helpful?

0 out of 0 found this helpful

0 comments