Cato Networks has raised over $1 billion in total funding as of early 2026.

The most recent round was a Series G, initially closed at $359 million in June 2025, led by Vitruvian Partners with participation from ION Crossover Partners, Lightspeed Venture Partners, Adams Street Partners, SoftBank Vision Fund 2, and Singtel Innov8. The round was extended by an additional $50 million from Acrew Capital in September 2025, bringing the total Series G to approximately $409 million.

Before the Series G, Cato raised capital across multiple rounds from investors including Lightspeed Venture Partners and SoftBank Vision Fund 2.

Cato Networks offers a cloud-native platform designed to replace MPLS circuits, on-premise firewalls, VPN concentrators, and standalone security appliances that many enterprises still run today, consolidating these functions into a single globally distributed service.

For branch offices, the physical entry point is a small device called a Cato Socket, which connects to the site's existing internet links (fiber, cable, 5G, or a mix). The Socket forms an encrypted tunnel to the nearest of Cato's 85-plus Points of Presence worldwide and can bond multiple links for resilience and traffic prioritization. Remote employees connect through a lightweight Cato Client on a laptop or phone, or via a clientless browser session, and are routed through the same PoP infrastructure. Cloud workloads in AWS, Azure, or GCP connect via IPsec or a virtual socket.

After traffic reaches a PoP, it traverses Cato's private global backbone rather than the public internet. In practice, a user in London connecting to a workload in Singapore uses an SLA-backed network path rather than a best-effort public internet route.

Each PoP runs what Cato calls SPACE, Single-Pass Cloud Engine. SPACE decrypts traffic once, then applies security functions concurrently in a single pass, including next-generation firewall, secure web gateway, intrusion prevention, cloud access security broker, data loss prevention, zero-trust network access, remote browser isolation, and IoT/OT inspection. Cato states this design keeps added latency under 10 milliseconds even when every feature is active.

Event data processed through SPACE is written into an open data lake that feeds Cato's XDR layer. Security analysts can investigate threats via correlated storylines rather than raw logs, and the platform includes AI-driven detection that surfaces anomalies across network, endpoint, and cloud telemetry in a unified view.

Administration (network policy, security policy, user access rules, traffic shaping) is handled through a single web-based console called the Cato Management Application. Changes made in the console propagate to every PoP globally within minutes, without device OS upgrades or manual rule pushes. Sockets update automatically, and Cato states the service maintains five-nines availability through self-healing orchestration.

In September 2025, Cato acquired Aim Security, an AI-security startup, and said it intended to integrate AI Firewall and AI Security Posture Management capabilities into the core platform by early 2026, adding inline controls for enterprise AI tool usage, including guardrails for Microsoft Copilot and custom LLM deployments.

Cato sells to enterprises on a B2B subscription model, with multi-year contracts that bundle networking and security into a single recurring fee. Pricing is capacity-based rather than per-seat: customers pay according to the bandwidth of their sites, the number of remote users, and which security modules they activate, creating an expansion path as organizations grow headcount, add locations, or enable additional capabilities.

The business model is shaped by the underlying architecture. Because Cato owns and operates its own global backbone and PoP infrastructure, it is vertically integrated in a way that many competitors are not.

That vertical integration has cost implications. Cato carries meaningful infrastructure capex that pure software vendors avoid, but it also gives Cato control over the quality-of-service stack and the ability to deliver performance SLAs without relying on third-party carrier networks. Over time, as more traffic flows across the same backbone, the per-unit cost of that infrastructure declines while the revenue per customer grows, a favorable operating leverage dynamic.

The single-platform architecture also supports bundling. A customer that starts with SD-WAN and basic firewall replacement can later activate ZTNA, CASB, DLP, XDR, IoT/OT security, and AI policy controls without procuring new vendors or deploying new hardware. Each module activation increases ARR per customer without a proportional increase in sales cost, which aligns with average revenue per customer climbing steadily even as the customer count grows.

Go-to-market uses a mix of direct enterprise sales and a channel of managed service providers and telco partners. The 2024 launch of a managed SASE partner platform and the 2025 introduction of a Private PoP option, which lets service providers run Cato software on their own infrastructure, extends the company's reach into mid-market and government segments that direct sales teams rarely penetrate efficiently.

Sales cycles in enterprise networking are long, often 6 to 18 months, and involve procurement, IT, and security leadership simultaneously. This creates high switching costs once a customer is live: ripping out Cato means re-deploying physical hardware at every branch, rebuilding security policy from scratch, and retraining staff, a barrier that supports net revenue retention.

The SASE market has matured. Gartner now tracks 17 vendors in the single-vendor SASE category, up from 11 two years ago, and competition has shifted from early-mover advantage to platform depth, PoP footprint, and AI integration speed.

Palo Alto Networks is the most direct competitor at the high end. Its Prisma SASE platform sits within a broader security portfolio that includes Cortex XDR and next-generation firewalls, and the company uses its installed firewall base as a land-and-expand path into SASE. Next-generation security ARR at Palo Alto has grown to nearly $6 billion, which supports larger R&D and channel investment than Cato can currently match. A key structural difference is that Palo Alto relies partly on third-party carrier backbones for PoP coverage in some regions, which can introduce latency variability that Cato's owned backbone avoids.

Cisco is the other incumbent with an installed base advantage. With over 340,000 SD-WAN sites running on Cisco infrastructure, the company is embedding SASE capabilities into its existing routing, switching, and Meraki stack. Its 2026 AI-aware SASE release adds post-quantum cryptography and AI traffic optimization integrated into hardware customers already own. A constraint for Cisco is that its SASE offering spans multiple consoles and product lines, which creates integration complexity that a single-platform vendor like Cato can use in competitive deals.

Zscaler built its business on the security side, specifically zero-trust internet access and private access, and has grown to nearly $2 billion in deferred revenue. Its Zero Trust Exchange is the dominant SSE platform for large enterprises, and it has been adding SD-WAN integrations through partnerships rather than building its own backbone. As a result, Zscaler customers often operate a two-vendor architecture for networking and security, which aligns with the complexity Cato's single-platform pitch targets. Zscaler's scale and brand in the security buyer community remain material, particularly in Fortune 500 accounts where security teams drive purchasing decisions.

Cloudflare has built a global network of over 300 PoPs, far more than Cato, and has been expanding its SASE and Zero Trust product suite. Cloudflare's network scale can translate into lower latency in some geographies, and its developer-oriented brand drives a different buyer motion than traditional enterprise security vendors. Competitive overlap with Cato is highest in mid-market accounts where Cloudflare's self-serve and channel model competes with Cato's managed SASE partner platform. VMware's VeloCloud SD-WAN, now under Broadcom, remains a factor in accounts with deep VMware infrastructure relationships, though its SASE integration trajectory has become more uncertain post-acquisition.

The acquisition of Aim Security in September 2025 gives Cato a first-mover position in AI security, specifically the ability to inspect, control, and govern enterprise AI tool usage inline, without adding a separate product. As organizations deploy Microsoft Copilot, custom LLMs, and AI agents across their infrastructure, they generate new categories of data exfiltration risk and compliance exposure that existing DLP and CASB tools were not designed to handle. Integrating AI Firewall and AI Security Posture Management into the core SASE platform lets Cato compete for budget that would otherwise go to standalone AI security point tools.

The December 2024 launch of SASE-native IoT/OT security opens a separate expansion vector into operational technology environments (factory floors, healthcare devices, building management systems), where legacy industrial firewalls and OT gateways are the incumbent. Pulling those workloads into the Cato platform lets the company compete for budget that has historically sat outside the IT security stack.

Post-quantum cryptography tunnels, LAN-side intrusion prevention, and Wi-Fi 6 Sockets released in early 2026 add compliance-driven upsell opportunities as NIS2 and NIST post-quantum mandates begin to take effect in regulated industries.

Cato has 4,000 enterprise customers against a SASE market that Gartner projects will reach $28–30 billion by 2028, indicating that most of the addressable market remains unconverted. The single-vendor pitch (one contract, one console, one support relationship replacing MPLS, firewall vendors, VPN, and SIEM) resonates most strongly with large enterprises that are actively rationalizing their security vendor count.

The 2024 managed SASE partner platform and the 2025 Private PoP option create a parallel channel into mid-market and government segments. Telcos and managed service providers can now white-label Cato's platform or run it on their own infrastructure for data-sovereignty use cases, extending Cato's reach into accounts where direct enterprise sales is inefficient or where local data residency requirements previously blocked adoption.

The upsell ladder within existing accounts is also a material expansion driver. A customer that starts with SD-WAN and NGFW can progressively activate ZTNA, XDR, IoT/OT security, DEM, and AI policy modules, each one increasing ARR per site without requiring a new sales cycle.

Cato has been systematically filling in PoP coverage in regions where latency gaps previously limited competitiveness. New PoPs in Oslo and Marseille, along with localized IP ranges in Kazakhstan and Chennai, open Nordic, Central Asian, and Tier-2 French markets where MPLS replacement cycles are still early. The February 2026 partnership with Expereo pairs Cato's platform with a global enterprise internet provider, accelerating last-mile reach in markets where Cato's direct sales presence is thin.

The Private PoP architecture introduced in 2025 is important for geographic expansion into markets with strict data-sovereignty requirements, government and regulated enterprise buyers in the EU, Middle East, and Asia-Pacific who need assurance that traffic does not leave national or regional boundaries.

Infrastructure concentration: Cato's owned global backbone is a competitive differentiator, but it also requires ongoing infrastructure investment that pure software competitors avoid. If PoP build-out costs accelerate faster than revenue, particularly as Cato expands into lower-density geographies to meet data-sovereignty requirements, the capital intensity of the model could compress margins and increase funding dependency while the IPO window remains uncertain.

Platform consolidation pressure: The SASE market is consolidating around a small number of very large platforms. Palo Alto Networks and Cisco both have installed hardware bases numbering in the hundreds of thousands of sites, giving them a structural land-and-expand advantage that Cato must counter with a greenfield sales motion. As incumbents deepen their SASE integration and bundle it into existing renewal cycles, Cato's ability to displace them in large enterprise accounts, where switching costs are highest and procurement cycles are longest, becomes the primary execution risk.

AI security commoditization: Cato's acquisition of Aim Security places it early in the AI security sub-segment, but this is a fast-moving area where Zscaler, Palo Alto, and cloud-native startups are building competing capabilities. If AI security features become table-stakes across the SASE category within 12 to 18 months, the differentiation Cato is betting on from the Aim integration may erode before it can be converted into durable pricing power or customer lock-in.