[wp_tech_share]

My first post-RSAC 2026 post argued that the more important story was not who could assemble the broadest category slide, but where security architecture was actually consolidating. This second blog goes deeper into the meetings themselves. Across 30+ conversations and events, from the largest platforms to early specialists, the same pattern kept recurring: the market is not collapsing into one monolithic control plane, but it is consolidating around a smaller number of them inside the existing pillars of identity, endpoint, network, cloud, application, data, and security operations. What stood out most was not only where those control planes are getting stronger, but how unevenly product maturity is catching up to the architecture being described.

 

Why the Meeting Set Mattered

The breadth of the meeting set mattered because it helped separate conference noise from patterns that repeated across very different vendors. The conversations ranged from companies such as Microsoft, Cisco, Google, Palo Alto Networks, Fortinet, Netskope, Cloudflare, and Broadcom to smaller and earlier companies with narrower starting points, such as AppGate, Cloudbrink, Helmet Security, Neon Cyber, and Zenarmor. That range made it easier to see which themes were structural rather than promotional. It also reinforced that the market still maps back to the existing taxonomy. Identity remains the trust plane. Endpoint remains the local execution plane. Network Security remains the distributed enforcement plane, with SASE increasingly the most ambitious effort to unify that plane across multiple edges. Cloud Security remains the workload and infrastructure context plane, with Cloud-Native Application Protection Platform (CNAPP) increasingly central to prioritization and remediation. Application Security remains the software assurance and remediation plane. Data Security is becoming more central in the policy and governance plane. Security Operations remains the operating layer that turns all of that into action.

That broader structure also helps make sense of another shift that surfaced repeatedly during the week. For much of the past two decades, enterprise security could increasingly assume a user-to-cloud model: users and endpoints on one side, centralized applications and data on the other, with the network in between. That assumption is weakening. Applications, data, and increasingly AI execution are becoming distributed again across endpoints, browsers, branches, private clouds, public clouds, and SaaS. That makes the control-plane problem less about how users reach centralized resources and more about how trust, telemetry, policy, and enforcement remain coherent as both actors and execution environments become more distributed.

 

AI Is Becoming a Force Multiplier for Action Governance

The most consistent message from the meetings was not that AI has created a wholly separate security universe. It was that AI is accelerating a broader move toward action governance. The market is spending less time asking how to secure a model in isolation and more time asking who or what is acting, what it can access, how it is observed, and what policy should govern that behavior.

Microsoft framed that shift through agent identity, registry, observability, and the extension of existing controls across Entra, Defender, Purview, Intune, and Sentinel into agentic environments. Cisco described AI Defense less as a point feature than as a trust layer that can sit behind multiple enforcement points. Even smaller specialists used the same logic, though from a much earlier starting point. In that sense, AI is not the only reason the architecture is shifting. It is an accelerant in both directions: it expands the threat surface enterprises need to govern, and it improves what security platforms can do in threat hunting, investigation, and response.

That distinction matters for vendors and market watchers. The real competitive question is not who can attach the term “AI security” to the most products. It is who can connect authorization, observability, policy, and control into an operating model that enterprises can actually use. The stronger vendors increasingly sounded less focused on treating AI as an isolated layer and more focused on absorbing it into broader control planes.

 

Data Security Is Becoming More Central

If one pillar moved closer to the center of gravity during the week, it was Data Security. That does not mean Data Security replaces the other pillars. It means it increasingly supplies the policy logic that the others enforce. The taxonomy already points in that direction by describing Data Security as the system of record for sensitive-data policy, exposure, and misuse, with enforcement or informed action extending into SSE, CNAPP, Email Security, and AI-related controls. The meetings reinforced exactly that point.

Cyera made the argument most directly by repeatedly framing AI security as fundamentally a data problem. Netskope extended its AI-security story from its existing cloud-security and SASE base into guardrails, red teaming, and posture. Zscaler treated inline AI governance as a natural extension of its control path because that is where traffic is already inspected. Skyhigh tried to widen the conversation from SSE into a broader, data-centric platform story anchored in hybrid enforcement, unified policy, and regulated-industry fit. Even where vendors differed on packaging or scope, the broader direction was similar: data security is becoming more central because the enterprise increasingly needs a policy that follows data consistently across the web, cloud, endpoints, email, and AI-related interaction points.

That is one of the clearest bridges between the control-plane discussion and the tracked markets. SASE increasingly intersects with Data Security because distributed enforcement without a coherent data policy does not scale well. CNAPP increasingly intersects with Data Security because workload and infrastructure context alone are insufficient if the policy layer around sensitive data is disconnected. Data Security is not becoming the control plane for everything, but it is becoming more central to how the others coordinate.

 

Platform Claims Are Facing a Harder Test

The week also made the platform question more concrete. The real issue is no longer whether a vendor participates in several adjacent markets. The harder question is whether it has shared policy, telemetry, analytics, and workflows across multiple control points. That was already the pre-RSAC test, and the meetings gave it more substance.

Microsoft remains one of the clearer examples of a platform claim grounded in coordination across identity, data, endpoint, and SecOps. Cisco is trying to absorb more of its AI, browser, branch, firewall, and SSE logic into a more unified operating model. Broadcom is trying to refactor endpoint, network, and data controls into a tighter story around integration and lower-friction deployment. HPE is pursuing additive convergence by reusing enforcement and technology across its security and networking portfolio without forcing abrupt platform retirement. At the same time, other vendors were candid about what they are not. Akamai was more comfortable with “ecosystem” than “platform.” Cloudflare sounded stronger on composability and deployment simplification than on any claim to own every adjacent control plane. Those differences matter. The market is beginning to separate real cross-plane coordination from adjacency marketing.

This is also where SASE and CNAPP should be understood more precisely. SASE matters because it is emerging as the strongest effort to unify the distributed enforcement plane within Network Security. CNAPP matters because it is becoming the leading context and prioritization plane within Cloud Security. Neither has to become the entire security architecture to matter much.

 

The Architecture Is Moving Faster Than Adoption

If the direction of travel became clearer, the maturity gap also became harder to ignore. Repeated probing on general availability, product depth, and production readiness often produced a more cautious answer than the show-floor narrative suggested. F5 was unusually direct in stating that the market is behind the marketing and that many customers are still not ready. Skyhigh Security clearly distinguished the more stable employee-guardrail problem from the still-fluid agentic AI problem. Cloudflare was candid about the fact that some current controls are still fairly coarse. HPE described deeper prompt and file-level controls as still coming over the next several months. Broadcom made the point differently, arguing that customer readiness and trust, not missing technology alone, remain the gating issue.

That does not undercut the strategic importance of the shift. It clarifies the market’s near-term state. The more realistic progression remains discovery first, monitoring second, selective enforcement third, and only then broader operational trust. In other words, the architecture is moving faster than adoption. That matters not only for product planning, but for how investors and ecosystem participants judge which narratives are likely to monetize sooner and which remain further out on the curve.

 

What it Means for Vendors, Investors, and the Ecosystem

The most useful takeaway from RSAC 2026 is not that cybersecurity is collapsing into a single category, nor that enterprises will become fully autonomous next year. It is that the centers of gravity inside the existing pillars are becoming easier to identify. Identity is broadening. The endpoint is regaining weight as execution moves closer to the device. Network Security is converging toward distributed enforcement, with SASE as the most ambitious unifying model in that pillar. Cloud Security is converging around CNAPP as a context and prioritization plane. Data Security is becoming more central as the policy layer for the other planes. Security Operations remains the operating layer that determines whether those planes produce outcomes.

For vendors, that raises the standard. Participation in more adjacencies is not enough. What matters is whether a vendor can anchor a meaningful control plane, coordinate effectively with the others, and reduce operational burden rather than merely relocating it. For equity analysts and market watchers, it sharpens the filter between real platform progress and conference theater. For service providers, silicon suppliers, and hardware ecosystem participants, it suggests that distributed execution, hybrid placement, and enforcement locality are likely to matter more over time, not less. That is the clearer signal that emerged from the week. That is the clearer signal that emerged from the week.

The third and final installment in this RSAC 2026 series, written for current Dell’Oro clients, will take that one step further by examining what these signals mean for vendor positioning, market structure, and the watch items ahead.

 

Related RSAC 2026 blogs:

After RSAC 2026: Which Security Control Planes Are Taking Root

Beyond the Acronyms: What I Will Be Watching at RSAC 2026

[wp_tech_share]

Over the past several years, we have watched security spend migrate from hardware appliances toward cloud-delivered and subscription models. In this blog, I outline three predictions for 2026 that describe how that pattern solidifies into a durable template: security budgets increasingly split between cloud-delivered security services at the edge and an AI-infused, centralized SecOps layer that looks a lot like “next-gen SIEM.”

On the edge, SASE/Security Service Edge (Secure Access Service Edge/SSE) and cloud Web Application Firewalls (WAFs) become the default way to protect users and applications. In the middle, distributed cloud networking quietly supplies the connective tissue. At the center, next-generation Security Information and Event Management (SIEM) platforms fuse SIEM, Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), observability, and Cloud-Native Application Protection Platform (CNAPP)-style cloud visibility into a single, service-delivered control surface.

Prediction 1 – Edge security spend consolidates around SASE/SSE and cloud WAF

From a budget perspective, the branch and user edge is already moving decisively toward as-a-service delivery. SASE, particularly the SSE half of that equation, has been growing at a solid double-digit rate, while legacy access routing and on-premises secure web gateways have been shrinking. WAF has also emerged as one of the most dynamic parts of the network security landscape as more applications and APIs are exposed directly to the Internet.

Put simply, enterprises are standardizing around two cloud-delivered edge controls:

  • SASE/SSE for user and branch access, combining secure web gateway, CASB, ZTNA, and firewall-as-a-service capabilities delivered through globally distributed points of presence.
  • Cloud WAF for Internet-facing web and API traffic as part of secure application delivery platforms.

The immediate drivers are familiar: hybrid work, SaaS adoption, and a steady shift away from private WAN circuits and appliance-based security toward Internet-centric architectures. However, there is also a deeper architectural undertow. Underneath SSE and cloud WAF, distributed cloud networking and early WAN-as-a-service offerings are emerging to connect branches, clouds, and security service edges over a programmable fabric rather than static routers.

In 2026, we expect security and networking teams to budget less for discrete “boxes” at the branch and more for recurring spend on SASE/SSE, WAF, and the underlying cloud connectivity. Physical access routers and appliance SWGs will continue to shrink as a share of branch networking and security spend, reinforcing that the edge is now a service, not a rack of gear.

 

Prediction 2 – “Next‑gen SIEM” becomes the gravitational center of SecOps

If SASE/ SSE and WAF are where packets are inspected, next-gen SIEM is where evidence is assembled and acted upon. We use “next‑gen SIEM” here as a SecOps solution construct, not a product SKU. In this view, a next-gen SIEM is a SecOps solution that combines:

  • Classic SIEM for log and event aggregation.
  • SOAR or extended orchestration, automation, and response (XOAR) for workflow and playbook automation.
  • XDR for cross‑control point detection and response.
  • Observability and digital experience monitoring (DEM) for performance and user‑experience telemetry.
  • CNAPP for configuration, identity, and cloud workload context.

A reflection of enterprises’ pivot in this direction is the recent explosive growth of the CNAPP market. In our analysis, the CNAPP market grew nearly 40% in 2024. Cloud-native security tool consolidation, end-to-end coverage, and DevSecOps integration are the core buying drivers.

Architecturally, next-gen SIEMS are a response to the collision of two worlds:

  • Traditional SecOps built around monolithic apps, north-south traffic, and data center-centric logging.
  • Modern app environments built on containers, microservices, and hybrid cloud

In 2026, we expect more RFPs to converge on this next-gen SIEM pattern. Buyers will look for a single SaaS platform that can ingest logs, telemetry, and cloud data; power AI-assisted investigations; and orchestrate responses across SASE/SSE, WAF, endpoint, and on-premises and cloud controls.

 

Prediction 3 – Security budgeting finishes its shift from capex to opex

The common thread between cloud-delivered edge controls and next-gen SIEM is not just architecture—it is the commercial model. Both are overwhelmingly sold as subscription services.

Across SASE, CNAPP, and broader network security, vendors are leaning into subscription licensing because it lets them monetize more features, deliver updates continuously, and smooth revenue over time. Our forecasts assume a continued shift from perpetual licenses and hardware-heavy deals toward SaaS and virtual consumption, with subscription models explicitly called out as a structural assumption for both network security and distributed cloud networking.

For CIOs and CISOs, this shows up in the budget spreadsheet as:

  • Smaller, more targeted hardware refresh projects.
  • Growing multi-year SaaS commitments for SASE/SSE, WAF, CNAPP, and next-gen SIEM.
  • Increased financial scrutiny of overlapping subscriptions, driving consolidation toward integrated platforms (for example, single-vendor SASE or a single primary analytics plane for SecOps).

We believe 2026 is the year this shift becomes the default assumption rather than a trend to watch. New initiatives will start life in opex, and capex-heavy proposals will increasingly be the exception that must be justified.

 

Net‑net for 2026

Security budgets will increasingly organize around two SaaS pillars—cloud-delivered security at the edge (SASE/SSE and WAF) and a centralized, AI-infused next-gen SIEM that absorbs CNAPP and traditional SecOps functions. Everything else, from distributed cloud networking to legacy appliances, will be evaluated on how well it supports or can be subsumed into those two spend templates.

[wp_tech_share]

Today, Arista Networks closed its acquisition of the VeloCloud SD-WAN portfolio from Broadcom, turning a once-rumored transaction into a move that reshapes both companies’ positions in the enterprise SASE/SD-WAN arena. The deal is an asset-plus-talent carve-out: Arista receives the intellectual property and roughly half of VeloCloud’s ≈1,000 employees—primarily core engineering and technical staff—while most sales- and marketing-oriented roles were left behind. Although neither party disclosed financial terms, multiple press accounts still place the consideration “well under” $1 billion, in line with the May 2025 reporting from The Information that first surfaced the transaction.

To understand why this asset still matters—and how Arista might unlock its full potential—this blog traces VeloCloud’s journey in four parts. Section 1 reviews the company’s pre-SASE strengths, highlighting its rise from a 2012 start-up to capturing 16 percent of SD-WAN revenue by 2020. Section 2 explains how pandemic-era work-from-home trends and Broadcom’s extended VMware acquisition disrupted that growth. Section 3 evaluates what took place under Broadcom, where layoffs, partner resets, and price hikes diminished momentum and confidence. Finally, Section 4 explores the strategic upside and execution risks of VeloCloud’s next chapter under Arista.

  1. Pre-SASE Strength (Founding – 2020)

Launched in 2012, VeloCloud quickly distinguished itself as a cloud-delivered SD-WAN pioneer that could blend inexpensive broadband with MPLS-class reliability. Its Dynamic Multipath Optimization and active-active architecture delivered sub-second fail-over, a capability repeatedly validated in partner reference designs and field deployments. Leveraging a software-centric model, the company built more than 3,700 global gateways and rode the first wave of branch cloud adoption.

Go-to-market execution was equally strong. AT&T selected VeloCloud as its lead managed SD-WAN VNF on the FlexWare/x86 platform, giving the start-up access to thousands of enterprise sites without the expense of building a large direct sales force. Other carriers followed, cementing a robust service-provider (SP) channel that accounted for ~70% of bookings.

Market traction was tangible. Dell’Oro’s SD-WAN tracker projected VeloCloud’s revenue share to be in the mid- to high-teens by 2020, peaking around 16 percent, before the category began to broaden. VMware acquired the company in late 2017 for approximately $449 million, providing scale and an established enterprise brand while allowing VeloCloud to retain a degree of operational autonomy. By the eve of the pandemic, the platform was viewed as the de facto benchmark for “pure-play” SD-WAN.

  1. SASE Disruption and the Broadcom Transition (2020 – 2023)

COVID-19 radically reshaped network priorities. Instead of connecting thousands of branches, IT teams had to secure millions of remote workers. Buyers gravitated to software-only or cloud-native Secure Access Service Edge (SASE) offers that converged networking and security. Although VMware launched a work-from-home client and experimented with an OEM agreement with Menlo Security, the roadmap still revolved around appliance-centric SD-WAN. As a result, VeloCloud’s differentiation narrowed, while newcomers such as Palo Alto Networks set the pace in integrated SASE.

Strategic uncertainty intensified when Broadcom announced its intent to buy VMware in early 2022; the deal did not close until November 2023. Competitors exploited the 18-month limbo, and some enterprise buyers imposed vendor-selection moratoria until ownership was settled. During this window, VeloCloud’s share slipped steadily, moving from the teens toward single digits by late 2023.

  1. Post-Close Reality Inside Broadcom (4Q23 – Present)

Once the acquisition closed, Broadcom integrated VeloCloud into a newly formed Software-Defined Edge division and pivoted security to the Symantec portfolio, effectively scrapping the Menlo Security path. Broadcom also forced all VMware partners to re-qualify under its new program structure, alienating a historically loyal VAR base.

Cost-reduction took priority: VMware’s overall headcount was cut roughly in half within four months, and long-standing support teams were dispersed, triggering public complaints about ticket backlogs and inexperienced first-line engineers on public discussion forums. Customers already wary of double-digit price hikes on core VMware software (vSphere, vSAN, etc.) associated the same “Broadcom tax” with edge platforms.

The net effect was a visible erosion of business, lengthening release cycles, and a decline in Net Promoter Scores, according to channel feedback.

  1. A New Chapter at Arista – Opportunities & Risks

Strategic fit. Arista, renowned for its data-center franchise and burgeoning campus, lacks an enterprise-class WAN. In 2023, the “Arista WAN Routing System” entered limited trials but never reached broad availability. Acquiring VeloCloud instantly fills that gap with a production-proven SD-WAN architecture, 20,000-plus customers, and a seasoned SP channel. Cultural compatibility is high: both firms share a software-centric, telemetry-heavy design philosophy and emphasize deterministic performance.

Portfolio synergy. VeloCloud’s cloud gateways complement Arista’s EOS-based routing and CloudVision management, creating an end-to-end fabric that spans from the data center spine to the branch edge. In the near term, Arista can offer a best-of-breed SD-WAN overlay without re-platforming, while leveraging Untangle’s SMB firewall (acquired in 2022) to serve smaller sites and retail chains.

Go-to-market leverage. Arista primarily sells to Global 2000 cloud, financial services, and web-scale operators—audiences that increasingly request managed SD-WAN solutions to connect distributed workloads. Bundling VeloCloud with spine-leaf refresh cycles or campus upgrades could accelerate cross-sell velocity.

Path to full-stack SASE. The strategic decision is whether to remain an SD-WAN specialist or pursue the larger SASE total addressable market (TAM). Staying narrowly focused minimizes incremental R&D and integration risk but would leave Arista exposed as single-vendor SASE preferences harden. Conversely, expanding into Security Service Edge (SSE) would require investment—either organically or through the acquisition of a cloud-delivered network security pure play—but positions Arista to participate in a segment projected to exceed $10 billion by 2025.

Execution risks.

  • Marketing/enablement gap: The transaction excludes most of VeloCloud’s marketing, field enablement, and demand-generation personnel, so Arista must build these functions nearly from scratch, risking slower pipeline growth and weaker partner momentum in the first 12–18 months.
  • Integration complexity: Absorbing roughly 500 staff, migrating them to Arista’s lean HR and IT systems, and aligning development road maps across EOS, CloudVision, and VeloCloud’s orchestrator will be resource-intensive.
  • Channel dislocation: Broadcom’s partner reset created churn. Arista must quickly rebuild trust with top VARs and MSPs before rivals solidify their footholds.
  • Strategic focus tension: Arista’s DNA—and current market leadership—lies in data-center switching, particularly in the fast-paced AI data center networking race. Enterprise WAN and SASE target very different buying personas. As Arista pivots into these adjacent markets, it must avoid diluting resources or missing its core AI opportunity—a balancing act that will test execution discipline.

Upside bias.

  • Accelerated enterprise relevance: SD-WAN grants Arista a credible branch-to-cloud narrative, broadening its addressable opportunity beyond data-center switching.
  • Recurring revenue lift: VeloCloud’s SD-WAN revenue diversifies Arista’s P&L with software subscriptions and managed service attach.
  • Platform optionality: Possession of a mature edge stack enables Arista to choose the pace of SSE expansion through selective tuck-in deals or partnerships, while still harvesting SD-WAN growth today.

Bottom line. VeloCloud’s core technology remains well-regarded, and demand for high-performance SD-WAN remains intact. However, the platform languished under Broadcom’s cost-driven stewardship. Broadcom’s loss of VeloCloud—its only native SD-WAN pillar—means its Symantec/Carbon Black security unit can no longer claim single-vendor SASE. Still, because integration between the two portfolios was minimal, the security division can pivot to partnerships with other networking leaders without significant disruption.

The bigger story, however, is Arista’s gain: a culturally aligned, engineering-driven home that can reignite VeloCloud innovation, restore channel confidence, and extend Arista’s influence from the data-center spine to the branch edge. If Arista executes on integration and closes its marketing and enablement gap, the acquisition could transform a challenged asset into the catalyst for Arista’s next phase of growth and position the company for a broader SASE play.

For granular market-share data—including VeloCloud’s latest position—see Dell’Oro Group’s SASE & SD-WAN Quarterly Report, which tracks vendor performance each quarter.

[wp_tech_share]

I spent the past three days at Cisco Live 2025 and the adjunct Press & Analyst Conference in San Diego watching the company deliver a sweeping vision that fuses networking, security, observability, and silicon into one agent-ready platform. For example, Cisco framed its AI Canvas as a cross-domain cockpit and its Hypershield as distributed “micro-firewalls.” At the same time, programmable Cisco Silicon One and NVIDIA-aligned AI factories promised bandwidth without power blow-outs. Building on that, customers like Hilton and Steve Madden validated the strategy with million-device Meraki rollouts and 30 percent tool consolidation. Furthermore, a “One Cisco” sales overhaul simplifies buying and seeds outcome-based services. Collectively, these moves signal an ambitious pivot from box vendor to AI platform orchestrator—an evolution explored next with the key themes from Cisco Live 2025.

Cisco Live 2025 Key Themes

Secure Network Platformization Meets Agentic AI

Building on last year’s tentative integrations, Cisco leaders unveiled a cohesive platform that grafts identity, policy, and APIs across networking, security, and observability. Meanwhile, AI Canvas surfaced as the centerpiece UI where humans and software agents co-create dynamic troubleshooting boards, auto-generate interface widgets, and execute rollback-safe remediations. DJ Sampah, Vice President & GM, AI Software Platforms, likened the experience to a “collaborative cockpit” that turns cross-domain chaos into deterministic workflows. Consequently, the company bundles Canvas into existing subscriptions, delaying direct monetization yet accelerating adoption across its million-customer base.

Likewise, Hypershield extends this vision by embedding layer-4 firewall enforcement in smart switches, endpoints, and Kubernetes nodes. Tom Gillis, EVP & GM, Security & Networking, Cisco, argued that “east-west traffic is where attackers hide; distributed firewalls light it up.” The policy plane lives in Security Cloud Control, allowing enforcement to roam without forklift upgrades. Two large banks are already piloting the technology, and regulated enterprises are slated to enter production within a year. While we see its architectural elegance, we question timeline realism and third-party interoperability.

Programmable Silicon and AI-ready Fabrics

Meanwhile, surging inferencing workloads are rewiring data-center economics, and Cisco is positioning Silicon One as the programmable answer to hyperscale ASIC lock-in. Kevin Wollenweber, Cisco’s SVP & GM, Data Center, Internet & Cloud, emphasized that runtime programmability “avoids 24-month retape-outs while incurring no power penalty.” Building on that, Martin Lund, Cisco’s EVP, Common Hardware Group, revealed co-packaged-optics prototypes targeting 400 Gb/s per lane, promising reduced loss and improved energy efficiency. Consequently, Cisco’s secure AI factory reference design, co-engineered with NVIDIA, bundles front-end and GPU back-end networks, zero-trust segmentation, and AI Defense model guardrails.

Furthermore, executives argued that network bandwidth, not GPU scarcity, will become the gating factor. The roadmap scales port speeds from today’s 800 Gb/s to 3.2 Tb/s. Although the silicon story resonates, Cisco still lacks its GPU and must lean on allies like NVIDIA and AMD. Consequently, the company’s silicon agility will be scrutinized as enterprises demand latency budgets below 50 ms for interactive agents and sub-5 ms for robotics.

Go-to-Market Reinvention and Customer Momentum

Meanwhile, Cisco’s sales and marketing overhaul seeks to translate platform breadth into double-digit growth. Oliver Tuszik, Cisco’s EVP & Chief Revenue Officer, collapsed 14 specialist teams into a unified “One Cisco” motion, backed by 90,000 employees and AI-driven account intelligence. Building on that, Cisco’s Chief Marketing Officer, Carrie Palin, repositioned the brand around four outcome pillars: AI Infrastructure, Future-Proof Workplaces, Digital Resilience, and Secure Networking. We applaud the candor around perception gaps, yet caution that enablement depth and partner capacity will determine execution.

Customer narratives reinforce the pitch. Hilton has deployed 700,000 Meraki devices across 6,000 hotels, targeting 1 million by December. Steve Madden slashed standalone tools by 30 percent after standardizing on Meraki, Secure Access, and Splunk-fed XDR, while Grok jumped from 100 Gb/s to 800 Gb/s switching for inference clusters. These cases showcase simplified operations, supply-chain reliability, and AI-ready bandwidth—but also reveal remaining friction. Dan Wood, Hilton’s VP, Global Network Engineering, stated that full autonomy will follow only after “bringing the feeds together before trusting AI.” That cautious stance mirrors broader industry ambivalence toward agentic control.

Looking ahead, Cisco must prove that unified licensing and friction-free trials can convert marquee case studies into mainstream repeatability across partners and verticals.

Cisco’s New Vision in Today’s Market

Building on the thematic foundation, Cisco’s platformization strategy enters a contested arena where many others are vocalizing similar platformization and AI-first themes. These include security juggernauts like Palo Alto Networks, Fortinet, and Zscaler, other network vendors such as Arista, Juniper Networks, and HPE, public cloud giants like AWS, Google, and Microsoft, and lastly, AI silicon behemoth Nvidia.  Meanwhile, Cisco leans on three differentiators—security-infused networking, programmable silicon, and Splunk-fueled telemetry processing—to outflank suite rivals and point players.

On the security front, Hypershield seeks to upset the immense network security foothold that Palo Alto Networks, Fortinet, and Zscaler enjoy today. Embedding security into every switch port could rewrite networking firewall price-performance curves and unlock new security value, yet it risks cannibalizing Cisco’s firewall appliance revenue if adoption outpaces upsell. Curiously, Cisco also announced the latest data center-focused 6100 series firewall appliance. Conversely, Palo Alto Networks’ threat protection remains deeply respected by its customers, and Fortinet’s ASIC-accelerated FortiFabric still holds performance leadership in raw layer-4 deployments, forcing Cisco to convince that hypershield threat protection is sufficient to displace Palo Alto Networks or that smart-switch elasticity outweighs Fortinet’s raw layer-4 throughput.

On the programmable silicon front, Cisco’s Silicon One positions it against Juniper’s and Broadcom’s silicon. Dynamic tuning with no power penalty offers future-proofing, but network-OS diversity may complicate software consistency and partner certification. Meanwhile, NVIDIA’s Spectrum-X fabric magnetizes hyperscale interest, prompting Cisco to co-develop secure AI factories rather than compete head-on for GPU boards. The alliance may grant Cisco optical sockets in trillion-dollar TAMs, yet deepens dependency on NVIDIA’s supply chain during component shortages.

In the fight for network and security telemetry processing, the Splunk federation underpins an “intelligent data fabric” that rivals Elastic and Datadog in observability. Offering no-charge log ingestion for Cisco firewalls shifts cost optics. The pricing gambit is a clever land grab, but deferred revenue recognition could pressure short-term financials if upsell velocity stalls. Meanwhile, Microsoft’s $20 billion security franchise looms as the benchmark; Cisco must match Microsoft’s cloud-native scale without forcing data migrations that customers resist.

Advantages dominate early momentum. Customers cite tool-chain consolidation, supply-chain agility, and cross-domain visibility as primary wins. Hilton’s million-device ambition underscores vertical scalability; Grok’s 800 Gb/s backbone attests to silicon headroom; and CVS Health’s multi-billion AI investment validates trust at regulated scale. Moreover, Cisco’s open-API narrative draws startups, leveraging a platform rather than smothering innovation—a contrast to so-called “rip-and-replace” incumbents.

Yet, disadvantages remain material. First, roadmap skepticism persists: Hypershield lacks complete layer-7 threat protection standard in standalone firewall appliances. Cisco did not share a specific timeline for adding complete threat protection to Hypershield. Second, licensing complexity still confounds partners juggling many licenses,  spanning the entire portfolio from networking, security, and observability. Third, the “grandfather’s Cisco” perception endures. Cisco has a perception problem, and it knows it. Fourth, agentic ops raise governance alarms; early adopters demand deterministic rollback and audit trails before surrendering root privileges to generative models. Finally, execution risk surrounds a nine-month idea-to-product cadence. Such sustained velocity could strain quality assurance and channel readiness, which, for decades, has worked with Cisco, which is much more conservative in shipping products.

Despite those cons, the trajectory remains favorable. Cisco’s willingness to cannibalize hardware for recurring software revenue demonstrates strategic maturity, aligning economic incentives with customer outcomes. Consequently, the blend of programmable silicon, AI-mediated operations, and federated data fabrics positions Cisco to capture incremental spend as enterprises refresh data centers for persistent inference traffic. Meanwhile, hyperscaler collaboration and sovereign-AI localization diversify addressable markets, foreshadowing competitive realignment over the next 18 months.

Conclusion and Looking Forward

Cisco Live 2025 underscored the company’s intent to become an AI-native orchestrator that fuses security, telemetry, and silicon. Yet even as the many innovations announced during Cisco Live 2025 promise agent-guided automation, a Reddit thread titled “Discouraged at Cisco Live (2025)” reminds us that practitioners still weigh hype against day-to-day realities. One attendee joked that the show echoed nothing but “AI, AI, AI,” sparking gallows humor about whether network engineers will soon automate themselves out of a job. Such grassroots skepticism tempers vendor optimism, underlining the need for tangible wins—latency cuts, tool reduction, and simpler licenses—before narrative momentum becomes mainstream trust.

On a tactical level, I have three litmus tests that I’ll be keeping my eye on as a barometer to Cisco’s journey over the next year:

  • Secure branch revenue velocity per my recent blog.
  • General-availability uptake of Hypershield and its impact on firewall appliance refresh revenue.
  • Customer conversion rates from free Splunk firewall-log ingestion to paid data-fabric expansions.

If Cisco translates roadmap ambitions into measurable adoption and incremental ARR, the company will emerge not just AI-ready but AI-native, reshaping how enterprises perceive the intersection of networking, security, and silicon.

[wp_tech_share]

Cisco intensified the secure branch battle today. During Cisco Live 2025, the company’s annual customer conference, it unveiled three new branch-focused elements: Secure Routers, Secure Firewalls, and the Mesh Policy Engine within Cisco Security Cloud Control. Rival vendors already consolidate routing and security in fewer product lines, so Cisco’s strategy warrants close review. This post explains what Cisco shipped, what competitive forces it faces, and why its three-product play emerged.

What Cisco Introduced at Cisco Live 2025

Cisco launched five Secure Router 8000-Series models—8100, 8200, 8300, 8400, 8500—positioned as successors to Catalyst 8000 Edge. Each appliance merges IOS XE routing, Catalyst SD-WAN, post-quantum MACsec, and an embedded Layer-7 firewall. From Cisco’s security business,  the new Secure Firewall 200-Series arrived in parallel, running Firepower Threat Defense with Snort 3, encrypted traffic analytics, file sandboxing, and boasting up to 1.5 Gbps throughput.

Hardware innovation pairs with two software pillars. First, the Mesh Policy Engine unifies rule objects across routers, firewalls, and cloud enforcement points. Cisco positions it as part of the broader Hybrid Mesh Firewall framework. Second, Cisco Security Cloud Control became generally available in May 2025. The SaaS portal onboards devices, provides analytics, and houses the Mesh Policy Engine.

Cisco now addresses three branch personas. Secure Router serves WAN teams demanding rich routing and “good-enough” firewalling. Secure Firewall targets security teams that require full-featured firewalling (richer threat protection, encrypted traffic analytics). Meraki MX continues as a cloud-managed option for lean IT staff. The company argues that a shared SaaS policy plane offsets the complexity of sustaining three hardware families.

What Is Cisco Up Against?

Figure 1 shows branch solution revenue—access routers, SD-WAN, and low-end firewalls—across Cisco, Fortinet, and Palo Alto Networks during 2019-2024. Cisco’s branch revenue edges from about $2.5 B in 2020 to $2.6 B in 2024, representing just a 1% five-year compounded annual growth rate (CAGR). Fortinet rises from $345 M to $919M, delivering 22% five-year CAGR. Palo Alto Networks expands from about $82 M to $625 M, a 50% five-year CAGR.

Fortinet competes with one hardware family—every FortiGate appliance ships with FortiOS, integrating NGFW, SD-WAN, ZTNA, and LAN control. Cloud or on-prem control planes push identical policy because the code base (FortiOS) is uniform across the portfolio.

Palo Alto Networks employs two product lines. PA-Series Strata firewalls run PAN-OS and focus on deep inspection. ION-Series devices, which trace their history to the acquisition of CloudGenix in 2020, integrate SD-WAN, PoE switching, optional 5G, and secure about 1 Gbps of traffic. Both device classes appear in Strata Cloud Manager, a single SaaS console introduced in late 2024. This platform also manages Prisma Access points of presence, offering one policy model across physical and cloud edges.

Why Cisco Launched What It Did?

The revenue chart illustrates Cisco’s challenge. Its branch growth has not kept pace with the security-first Fortinet and Palo Alto drive in the branch. Cisco’s installed base remains large, yet procurement teams now evaluate converged platforms that collapse routing, security, and LAN control. Fortinet delivers that promise through one appliance. Palo Alto offers a unified policy across two tightly linked lines. Cisco’s trio of Secure Router, Secure Firewall, and Meraki must deliver differentiated value or risk revenue erosion.

Strategic logic explains the three-product play. Cisco cannot abandon IOS XE routing, a core competency that WAN engineers value. Hence, the Secure Router retains familiar CLI, BGP, voice DSP roadmaps, and high routed throughput. The embedded firewall is streamlined to avoid burdening routing silicon, matching most branch risk profiles. The Secure Firewall family preserves Snort feature depth demanded by SOC teams. Firepower Threat Defense offers machine-learning heuristics, encrypted-visibility analytics, and file trajectory inspection that the router cannot yet match. Keeping Firepower intact minimizes migration friction for customers with existing Firepower or ASA estates. Meraki MX remains critical for small IT shops and managed service providers. Its Dashboard UI orchestrates Wi-Fi, switching, cameras, and security from one tab. Removing MX would alienate a rapidly growing segment that values zero-touch deployment.

The Mesh Policy Engine and Security Cloud Control are Cisco’s unification layer. They promise consistent rule intent across three operating systems—IOS XE, FTD, and Meraki OS—while allowing personas to keep their native workflows. The approach avoids a forced rip-and-replace but introduces integration risk. Success hinges on seamless policy translation, co-termed licensing, and synchronized feature releases.

Cisco also needed throughput parity. The new Secure Router family closes performance gaps without sacrificing routing or security functions. The Firewall 200-Series secures 1.5 Gbps, aligning with branch attack profiles where deep analytics outweigh raw speed.

Licensing complexity remains a concern. Cisco still sells DNA Advantage for SD-WAN, Threat Defense subscriptions for firewalls, and Meraki Enterprise licenses. The firm announced a Networking Subscription model for late 2025 that should co-term renewals. Whether this resolves budget headaches is an open question.

Cisco launched three discrete hardware lines because each maps to an entrenched persona, and because immediate unification would disrupt large customer bases. The Mesh Policy Engine aspires to hide complexity while preserving product heritage. Market data suggest the bet must succeed quickly to reclaim growth momentum.

Conclusion

Cisco refreshed its branch portfolio to confront accelerating competition. Secure Routers safeguard routing heritage, Secure Firewalls protect security parity, and Meraki maintains cloud simplicity. Fortinet and Palo Alto Networks leverage fewer product lines and show faster revenue expansion. The outcome now depends on Cisco’s ability to translate cross-platform policy seamlessly, simplify licensing, and deliver promised throughput gains.