Top 10 Cloud Access Security Broker (CASB) Software for 2026

Netskope is the deepest pure-play CASB on the market and arguably the only credible CASB-heritage vendor still operating standalone, founded 2012 by Sanjay Beri (still CEO). The platform spans the full Secure Service Edge stack: CASB, SWG, ZTNA (Netskope Private Access), DLP, RBI, and SD-WAN (acquired Infiot 2022 for the SASE pillar). Netskope reported a $7.5B+ valuation in a 2021 secondary share-sale round and is widely viewed as a likely 2026 or 2027 IPO candidate, with roughly $700M ARR and persistent IPO speculation across 2024-2025. Best fit for mid-market to large enterprise buyers (1,000-50,000+ employees) consolidating multiple security tools onto one SSE platform, particularly those leading with CASB or DLP requirements rather than ZTNA. Trade-offs: pricing is opaque with per-module SKU complexity across CASB, SWG, NPA, and DLP that consistently produces surprise costs at renewal; implementation services are heavy ($50K to $500K is the typical band); the pre-IPO status creates some enterprise-contract caution among buyers who prefer publicly-reported financial transparency; and the ZTNA pillar (NPA) is less mature than Zscaler ZPA.

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, originally the Adallom acquisition in September 2015 for ~$320M) is the Microsoft-native CASB, included in the Microsoft 365 E5 bundle and tightly integrated with Entra ID, Microsoft Purview (DLP and information protection), and Defender XDR. Best fit for any Microsoft 365 E5-licensed organization where the CASB is effectively pre-paid as part of the bundle, or for hybrid Microsoft-anchored shops standardizing on the Defender XDR stack. Trade-offs: outside the Microsoft licensing envelope the product is materially less compelling than Netskope on pure CASB depth and discovery quality; the deep Microsoft integration is a double-edged sword for non-Microsoft customers (Google Workspace, AWS-native, and Slack-first shops report inferior discovery and policy granularity); per-user pricing as a standalone SKU (outside E5) is high relative to feature parity; and the product roadmap has historically prioritized Microsoft-ecosystem use cases over multi-cloud breadth.

Forcepoint CASB is the legacy Forcepoint cloud-application-security product line, sold separately from the newer Forcepoint ONE platform that absorbed Bitglass (also acquired by Forcepoint in 2021). The parent company has had a turbulent ownership history: Raytheon spun out Forcepoint to Francisco Partners in January 2021 for $1.1B, and Francisco Partners has since consolidated the portfolio under the Forcepoint ONE brand (announced 2022, mostly complete by 2023). The legacy Forcepoint CASB SKU still exists for existing customers but is effectively in maintenance mode; new sales motion is steered toward Forcepoint ONE. Best fit for existing Forcepoint customers maintaining their current investment or running multi-product Forcepoint stacks (NGFW, DLP, CASB, web). Trade-offs: post-PE-acquisition product investment has been cautious, with executive churn and account-team turnover during 2022-2023 cited consistently in buyer feedback; customer-support quality has been reported as inconsistent post-acquisition; pricing is opaque and channel-driven; and the dual-CASB-SKU situation (legacy Forcepoint CASB plus Forcepoint ONE / Bitglass) creates buyer confusion at evaluation.

Trellix CASB is the cloud-access-security-broker line inherited from the McAfee MVISION Cloud product (originally Skyhigh Networks, acquired by McAfee in January 2018 for ~$400M). Trellix as a company was formed in January 2022 when private-equity firm Symphony Technology Group (STG) merged the McAfee Enterprise business and FireEye into a single entity. STG had acquired McAfee Enterprise for ~$4B in March 2021 and FireEye Products in October 2021 for ~$1.2B. Critically, STG later spun the cloud-security business (including the former Skyhigh CASB) out as a separate entity called Skyhigh Security in March 2022, which created two CASB SKUs in market under STG ownership: Trellix CASB (the XDR-anchored CASB) and Skyhigh Security CASB (the standalone). For buyers this creates significant confusion. Best fit only for existing Trellix XDR customers running multi-product Trellix stacks. Trade-offs: post-merger product investment under STG has been cautious with persistent roadmap-clarity questions; the Trellix / Skyhigh split confused the buying motion; executive churn since 2022 has been heavy; customer-support quality reported as variable; and net-new CASB sales win rate against Netskope is weak.

Cisco Cloudlock is the API-based CASB product Cisco acquired in June 2016 for $293M. The product is now folded into Cisco Secure Access (the consolidated Cisco SSE/SASE platform that combines Duo, Umbrella, Secure Connect, and Cloudlock), and standalone Cloudlock procurement is rare in 2026; most buyers receive it as part of the broader Cisco Secure Access bundle. Best fit only for existing Cisco-anchored customers consolidating onto Cisco Secure Access, where the installed-base advantage and bundled pricing make the architecture defensible. Trade-offs: Cloudlock as a standalone CASB is materially less mature than Netskope or Microsoft on inline CASB depth (Cloudlock is primarily API-based, which limits real-time enforcement compared to forward-proxy or reverse-proxy modes); the Cisco Secure Access consolidation has been ongoing since 2023 and the roadmap-clarity questions Cisco buyers raised at that time persist; pricing is opaque and channel-driven; and the per-module SKU complexity inside Cisco Secure Access creates surprise costs.

Lookout is the mobile-threat-defense and endpoint-security company founded 2007 by John Hering (originally focused on mobile security). The CASB pillar entered the portfolio through the CipherCloud merger in March 2021, which folded a CASB and ZTNA product family into Lookout. Lookout raised a Series E led by Andreessen Horowitz in March 2021 (the same period as the CipherCloud merger) at a valuation reported in the $1B+ range. The company has historically positioned itself as the mobile-and-endpoint-first security vendor, with CASB and ZTNA inherited rather than originated. Best fit for organizations needing mobile-threat defense plus CASB in one vendor (a common use case for BYOD-heavy or regulated industries with mobile workforce). Trade-offs: CASB depth is the inherited rather than originating strength; the CipherCloud integration into Lookout SSE has been ongoing since 2021 with some product-cohesion questions; standalone CASB feature parity with Netskope is thin; customer-support quality reported as inconsistent; and pricing is opaque.

Bitglass was an independent CASB founded 2013 by Anurag Kahol that built a strong reputation for reverse-proxy-based agentless CASB deployments before being acquired by Forcepoint in October 2021. Forcepoint folded the Bitglass technology into the Forcepoint ONE SSE platform in 2022-2023, and today the modern Forcepoint CASB is effectively the Bitglass technology under the Forcepoint ONE brand. This creates a dual-SKU situation alongside legacy Forcepoint CASB. Forcepoint ONE delivers CASB, SWG, and ZTNA on a unified cloud platform with a single management plane. Best fit for net-new Forcepoint buyers preferring agentless reverse-proxy CASB or for existing Bitglass customers who migrated to Forcepoint ONE. Trade-offs: the Forcepoint ONE consolidation has been steady but not without friction; reverse-proxy CASB deployments have known compatibility issues with some SaaS vendors (Microsoft 365 modern auth and Google Workspace OAuth flows have historically required workarounds); post-Francisco Partners ownership has continued the cautious investment pattern; customer-support quality reported as inconsistent; and the dual-SKU situation with legacy Forcepoint CASB creates buyer confusion.

Trend Micro Cloud App Security is the CASB pillar bundled inside Trend Vision One (the consolidated Trend Micro XDR and platform offering). Trend Micro is a public company (TSE: 4704) founded 1988 with global presence and longstanding XDR / endpoint heritage. The CASB module covers API-based protection for Microsoft 365, Google Workspace, Box, Dropbox, and Salesforce, with focus on threat detection (phishing, ransomware, business email compromise) rather than deep DLP or compliance-CASB use cases. Best fit for existing Trend Vision One customers consolidating XDR + CASB in one vendor, particularly Microsoft 365-anchored shops where API-based protection is the primary use case. Trade-offs: standalone CASB feature depth lags Netskope and Microsoft Defender for Cloud Apps; the CASB is primarily API-based with limited inline enforcement capabilities; the Trend Vision One platform consolidation has been ongoing with periodic UX cohesion questions; and the product is most compelling as a bundled module rather than a standalone CASB purchase.

CyberArk Cloud Access Security is the cloud-application-access pillar in CyberArk's broader identity security platform, anchored on the privileged-access management (PAM) heritage that defined the company since 1999. The approach is different from traditional CASB: rather than discovery-and-control-first, CyberArk approaches cloud access from the identity-secrets and PAM angle, leveraging Conjur (secrets management) and CyberArk SecureWeb (the browser-based privileged access component). CyberArk is public on NASDAQ:CYBR and reported ~$960M revenue FY24 with strong growth. Best fit for organizations where privileged access is the anchor security control and CASB is a complementary pillar, not the primary procurement. Trade-offs: the CASB feature set is materially narrower than Netskope or Microsoft on traditional CASB use cases (sanctioned SaaS discovery, inline DLP, cloud-app threat protection); the product is most valuable when paired with the broader CyberArk identity platform (PAM + Conjur + Workforce Identity); standalone CASB procurement is rare; and the per-module SKU complexity inside the CyberArk Identity Security Platform creates surprise costs.

iboss is the zero-trust cloud security platform founded 2003 by Paul Martini (still CEO) that ships CASB as one module alongside SWG, ZTNA, and DLP on a single containerized cloud platform. The company has positioned itself as a one-vendor SSE for mid-market and enterprise buyers who want the architecture without the price and complexity of Zscaler or Netskope. iboss claims a "Zero Trust SSE" architecture with patented containerized cloud-gateway technology. Best fit for organizations (1,000-25,000 employees) wanting one-vendor SSE consolidation below the Zscaler scale tier, particularly in education, federal, and regulated industries where iboss has historic strength. Trade-offs: brand recognition is materially lower than Zscaler, Netskope, or Microsoft; the CASB feature depth is narrower than category leaders; customer-support quality reported as inconsistent post-scale-up; pricing is opaque (no published rates); and the company is private with limited financial transparency.