Cato Networks Introduces Adaptive Threat Protection for SASE

Priyadharshini S March 16, 2026 | 2:40 PM Technology

Cato Dynamic Prevention, part of Cato Networks’ secure access service edge (SASE) platform, is designed to detect threats that develop slowly and may seem harmless when examined in isolation. Instead of relying only on point-in-time inspections or static rules, the system monitors long-term behavioral patterns and correlates signals across multiple security layers, enabling earlier detection of suspicious activity.

Figure 1. Adaptive Threat Defense Now Available in Cato SASE.

“Attackers often exploit trusted tools and valid credentials because most defenses focus on isolated events and depend on humans to piece together complex attack chains,” said Lior Cohen, vice president of product management, security and management at Cato Networks. “Cato Dynamic Prevention transforms this approach by continuously interpreting behavior in context, anticipating an attacker’s next move, and automatically enforcing protections that target only genuine threats. This allows potential attacks to be stopped before a breach occurs.”

Figure 1 shows Adaptive Threat Defense Now Available in Cato SASE.

Cato Dynamic Prevention continuously monitors network and security activity across users, devices, and sites over time. When it detects patterns indicative of malicious behavior, it automatically enforces adaptive controls to block or limit high-risk actions—eliminating the need for manual intervention by IT or security teams.

According to Cato Networks, this approach specifically addresses attackers who exploit legitimate credentials and trusted tools, spreading their activity over days or weeks. Individually, these actions often do not trigger alerts. In environments built from disconnected point products, correlating such signals can be slow and resource-intensive, delaying responses until the later stages of an attack.

“Legacy security tools are designed to catch obvious, point-in-time indicators, such as signatures, known malicious IPs, or isolated anomalies,” wrote Makiko Yamada, product marketing manager at Cato Networks, in a company blog. “Modern attacks, however, are engineered to appear routine: they leverage legitimate admin tools, spread activity ‘low and slow,’ and break intrusions into small, seemingly harmless steps. The result is a flood of weak alerts and delayed responses, leaving teams to manually connect the dots after the attacker has already moved.”

Because Cato Dynamic Prevention operates within the company’s cloud-native SASE architecture, it can leverage telemetry from integrated services—including intrusion prevention, anti-malware, secure web gateway, and data loss prevention. This unified visibility provides deeper context and more precise correlation of events.

Yamada added, “Correlation is key: a single internal scan may be a routine IT task; a remote execution command may be standard operations; an unusual authentication may simply indicate a traveling user. But when these events occur in a suspicious sequence across multiple hosts and networks, the combined pattern is much harder to ignore.”

Cato Dynamic Prevention is now generally available as part of the Cato SASE Cloud Platform, which runs on a private global backbone of over 90 points of presence (PoPs) connected through multiple SLA-backed network providers.

Source: NETWORK WORLD

Cite this article:

Priyadharshini S (2025), Cato Networks Introduces Adaptive Threat Protection for SASE, AnaTechMaz, pp. 271
