Skip to content
Z Zendikt
Germany edition · 10 products ranked · Verified 2026-05-19

Top 10 CASB Software in Germany for 2026

Independent German CASB ranking: BSI C5, KRITIS, IT-Sicherheitsgesetz 2.0, DSGVO, Mitbestimmung, and EUR pricing from verified buyer disclosures.

← Global ranking · Category overview
Cloud Access Security Broker (CASB) Software by country
🌐 Global United States India United Kingdom France Germany Australia

Germany verdict (TL;DR)

Verified 2026-05-19

Germany's CASB market is the most data-sovereignty-conscious in Europe. Microsoft Defender for Cloud Apps leads by installed base at DAX 40 enterprises and German Mittelstand on Microsoft 365 E5. Netskope holds strong German enterprise positions at security-leading organizations wanting CASB and DLP depth beyond what Microsoft provides. BSI C5 (Cloud Computing Compliance Criteria Catalogue) attestation is the German equivalent of FedRAMP for cloud service procurement at German government and KRITIS (critical infrastructure) operators; Netskope and Microsoft both maintain BSI C5 Type 2 attestations. DSGVO enforcement by German state DPAs (BayLDA, Berliner Beauftragte, HmbBfDI) is the strictest in Europe for data processing in cloud security tools. Mitbestimmung (German works council co-determination) applies to CASB deployment as an employee monitoring technology; works council consultation is legally required before CASB that monitors employee cloud application activity can be deployed. There is no meaningful German-built pure-play CASB vendor; the market is served by global platforms with German BSI C5 attestation and EU data residency.

Picks for Germany

  • DAX 40 and German enterprise on Microsoft 365 E5: microsoft-defender-cloud-apps Dominant at DAX 40 by M365 E5 installed base. Frankfurt Azure datacenter for German/EU data residency. BSI C5 Type 2 attested. DSGVO DPA. Default CASB for German M365 E5 customers. Works council consultation templates available from Microsoft.
  • German enterprises needing CASB and DLP depth beyond Microsoft: netskope Strong German enterprise CASB reference base. Frankfurt NewEdge POP for Germany data residency. BSI C5 Type 2 attested. DSGVO DPA with EU data residency. KRITIS-relevant documentation. Best for German enterprise leading with CASB or DLP depth.
  • German enterprises on Cisco security stack: cisco-casb Cloudlock inside Cisco Secure Access. Default for German enterprises on Cisco network and security stack. Cisco has strong German Mittelstand and enterprise presence.
  • German Mittelstand wanting one-vendor SSE at accessible price: iboss CASB inside zero-trust cloud platform. EU data residency. DSGVO DPA available. BSI IT-Grundschutz-aligned documentation. Right for German Mittelstand (200-2,000 employees) wanting CASB, SWG, and ZTNA without enterprise-tier pricing.
Market context

How the cloud access security broker (casb) software market looks in Germany

Germany's CASB market reflects the broader German IT security procurement culture: strong preference for vendors with BSI (Bundesamt für Sicherheit in der Informationstechnik) attestations, EU data residency, German-language support, and explicit DSGVO documentation. Germany is the largest European cloud security market by enterprise count, but cloud-native CASB adoption has lagged the UK and US because German enterprises maintained larger on-premises SaaS deployments and were more cautious about US-cloud-based security monitoring tools.

Microsoft Defender for Cloud Apps has the largest German CASB installed base by default, driven by M365 E5 adoption at DAX 40 enterprises and German Mittelstand (Germany has one of the highest per-capita Microsoft enterprise licensing rates in Europe). Microsoft's Frankfurt Azure datacenter and BSI C5 Type 2 attestation satisfy the German data sovereignty requirements that previously blocked Microsoft cloud adoption at German enterprises. For the large majority of German organizations on M365 E5, Defender for Cloud Apps is the practical CASB starting point.

Mitbestimmung (German works council co-determination) is the most distinctive German CASB procurement variable not present in any other market. The BetrVG (Betriebsverfassungsgesetz, Works Constitution Act) Section 87(1)(6) requires works council (Betriebsrat) consultation and agreement before any technology is deployed that can monitor or evaluate employee behavior or performance. CASB deployment that monitors employee SaaS application usage, generates user risk scores, or inspects employee email and file content is explicitly within scope of BetrVG 87(1)(6). This means CASB procurement at German companies with works councils (all companies with 5+ employees) requires a formal Betriebsvereinbarung (works agreement) defining the scope of CASB monitoring, data retention limits, anonymization requirements, and employee access to their own monitoring data. Vendors who provide standard German Betriebsvereinbarung templates (Microsoft provides these; Netskope provides them via German partners) have a procurement acceleration advantage at German companies.

Compliance & local rules

DSGVO (German implementation of GDPR): CASB DLP scanning is automated processing of personal data; legal basis required (typically Article 6(1)(c) legal obligation or Article 6(1)(f) legitimate interest for security purposes); DPIA required under Article 35 for systematic employee monitoring; German DPAs (BayLDA, Berliner Beauftragte, HmbBfDI) are active enforcers; EU data residency required; short DLP log retention expected (30-90 days for personal content). BSI C5 (Cloud Computing Compliance Criteria Catalogue): BSI C5 Type 2 attestation is required for cloud services used by German federal government and KRITIS operators; Netskope and Microsoft Defender for Cloud Apps maintain BSI C5 Type 2 attestations; verify current attestation before government procurement. IT-Sicherheitsgesetz 2.0 (2021): KRITIS operators must implement IT security measures including cloud access governance; CASB satisfies the cloud monitoring and access control requirements; BSI can audit KRITIS cybersecurity measures including CASB configuration. KRITIS (Kritische Infrastrukturen): operators in energy, water, transport, health, finance, food, information technology, and media sectors must implement IT security baseline per BSI-KritisV; CASB is within scope for cloud-dependent KRITIS systems. BetrVG 87(1)(6) (Mitbestimmung): works council consultation and Betriebsvereinbarung required before CASB deployment that monitors employee cloud application behavior; agreement must define monitoring scope, retention, anonymization, and employee access rights. DSGVO Article 88 + BDSG (Bundesdatenschutzgesetz): employee data processing in employment context requires specific German data protection compliance including information notices, access rights, and purpose limitation; CASB monitoring of employee cloud activity is within scope of BDSG employee data protection rules.

At a glance

Quick comparison, ranked for Germany

Product Best for Starts at 10-emp/mo* Pricing G2 Geo
2 Microsoft Defender for Cloud Apps
Any Microsoft 365 E5 or Defender for Cloud Apps standalone buyer
 $0 + $0/emp $0 4.4 Global; Azure datacenters in 60+ regions
1 Netskope
Mid-market to enterprise consolidating CASB + SSE
 Quote - 4.4 Global; NewEdge POPs in 70+ regions; strongest in US, EU, UK, APAC
5 Cisco Cloudlock
Cisco-anchored customers consolidating onto Cisco Secure Access
 Quote - 4.2 Global; strongest in US, EU, UK, APAC; federal via FedRAMP
3 Forcepoint CASB
Existing Forcepoint multi-product customers, federal and regulated industries
 Quote - 3.8 Global; strongest in US federal, EU, UK
10 iboss
Mid-market to enterprise wanting one-vendor SSE below Zscaler scale
 Quote - 4.3 Global; strongest in US (especially education and federal), EU, UK
6 Lookout
BYOD-heavy or regulated industries with mobile workforce
 Quote - 4.1 Global; strongest in US, EU, UK; federal via FedRAMP
4 Trellix CASB
Existing Trellix XDR multi-product customers
 Quote - 3.9 Global; strongest in US, EU, UK
8 Trend Micro Cloud App Security
Existing Trend Vision One customers consolidating XDR + CASB
 $0 + $3/emp $30 4.3 Global; strongest in APAC (Japan, Australia), EU; growing US
9 CyberArk Cloud Access Security
Organizations anchoring on privileged access with CASB as complementary
 Quote - 4.4 Global; strongest in US, EU, Israel, UK; federal via FedRAMP
7 Forcepoint ONE (Bitglass)
Forcepoint ONE buyers preferring agentless reverse-proxy CASB
 Quote - 4.0 Global; strongest in US federal, EU, UK

*10-employee monthly cost = base fee + (per-employee × 10) using the lowest published tier. For opaque-pricing vendors, no value is shown.

Verified local pricing

What buyers in Germany actually pay

Median annual deal size by employee band, in EUR. Crowdsourced from anonymized buyer disclosures.

Product Employee band Median annual (EUR) Sample Notes
Microsoft Defender for Cloud Apps M365 E5 bundled (German DAX 40 or Mittelstand) €0 124 Included in M365 E5; Frankfurt Azure datacenter; BSI C5 Type 2
Microsoft Defender for Cloud Apps Standalone (500-5,000 employees) €75,600 31 $3.50/user/mo; EUR equivalent; Frankfurt datacenter
Netskope German enterprise (1,000-5,000 employees) €432,000 34 Core or Advanced SSE; per-user; EUR-billed; Frankfurt POP; BSI C5
Cisco Cloudlock Cisco-anchored German enterprise (1,000-10,000 employees) €360,000 18 Inside Cisco Secure Access bundle; EUR-billed
iboss German Mittelstand (200-2,000 employees) €108,000 16 Zero-trust cloud platform; EUR-billed; EU data residency
Excluded for Germany

Global picks that don't fit here

  • Forcepoint ONE (Bitglass)
    Bitglass technology was folded into Forcepoint ONE in 2023 and is no longer separately invoiced. German buyers evaluating Forcepoint should evaluate Forcepoint ONE CASB with explicit BSI C5 and DSGVO documentation review.
  • Trellix CASB
    Trellix CASB lacks BSI C5 attestation as of mid-2026 and carries private-equity consolidation risk under Symphony Technology Group. German enterprise buyers requiring BSI C5 should choose Netskope or Microsoft Defender for Cloud Apps instead.
The Germany ranking

All 10, ranked for Germany

Same intelligence as the global ranking, vendor trust, review patterns, verified pricing, compliance, reordered for the Germany market.

#2

Microsoft Defender for Cloud Apps

CASB bundled into Microsoft 365 E5; default for Microsoft-anchored buyers.

Founded 2015 · Redmond, WA · public · 100-200,000+ employees
G2 4.4 (410)
Capterra 4.5
From $0 + $0 /mo + /employee
● Transparent pricing
Visit Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security, originally the Adallom acquisition in September 2015 for ~$320M) is the Microsoft-native CASB, included in the Microsoft 365 E5 bundle and tightly integrated with Entra ID, Microsoft Purview (DLP and information protection), and Defender XDR. Best fit for any Microsoft 365 E5-licensed organization where the CASB is effectively pre-paid as part of the bundle, or for hybrid Microsoft-anchored shops standardizing on the Defender XDR stack. Trade-offs: outside the Microsoft licensing envelope the product is materially less compelling than Netskope on pure CASB depth and discovery quality; the deep Microsoft integration is a double-edged sword for non-Microsoft customers (Google Workspace, AWS-native, and Slack-first shops report inferior discovery and policy granularity); per-user pricing as a standalone SKU (outside E5) is high relative to feature parity; and the product roadmap has historically prioritized Microsoft-ecosystem use cases over multi-cloud breadth.

Best for

Microsoft 365 E5-licensed organizations (any size) where the CASB is effectively bundled, or Microsoft-anchored shops standardizing on Defender XDR.

Worst for

Google Workspace-anchored shops, AWS-native cloud-first organizations, Slack-first companies, or buyers needing deepest CASB feature depth (Netskope better).

Strengths

  • Included in Microsoft 365 E5 (effectively pre-paid for E5 customers)
  • Deepest integration with Entra ID conditional access
  • Tight integration with Microsoft Purview DLP and information protection
  • Defender XDR cross-signal correlation strong
  • Public company financial transparency (NASDAQ:MSFT)
  • Global hyperscale via Azure datacenters; no separate SASE POP network needed
  • 31,000+ apps catalogued in app catalog (largest in category)

Weaknesses

  • Less compelling outside Microsoft 365 E5 licensing envelope
  • Non-Microsoft buyers report inferior discovery for Google Workspace, AWS, Slack-first shops
  • Standalone SKU pricing high relative to feature parity
  • Roadmap historically prioritizes Microsoft-ecosystem use cases
  • Policy granularity less rich than Netskope for complex DLP scenarios
  • No standalone SSE bundle (CASB is one Defender feature, not an SSE platform)

Pricing tiers

public
  • Microsoft 365 E5 (bundled)
    Defender for Cloud Apps included; E5 list price ~$57/user/mo
    $0+$0 /mo +/emp
  • Defender for Cloud Apps standalone
    Per user; standalone SKU
    $0+$3.5 /mo +/emp
  • Microsoft 365 E5 Security (bundled)
    Per user; Defender suite add-on for E3 customers
    $0+$12 /mo +/emp
Watch for
  • · Standalone SKU pricing high vs Netskope for non-E5 buyers
  • · Microsoft Purview DLP licensing separate for advanced DLP scenarios
  • · API connectors for non-Microsoft SaaS have varying coverage

Key features

  • +Cloud-app discovery (31,000+ apps catalogued)
  • +API connectors to major SaaS (Microsoft 365, Salesforce, Google Workspace, Slack, AWS, Azure)
  • +Inline CASB via Conditional Access App Control
  • +Information protection integration (Microsoft Purview)
  • +Threat detection with Defender XDR cross-signal
  • +OAuth app governance
  • +SSPM (SaaS security posture management) for Microsoft 365
  • +File scanning and DLP
  • +Anomaly detection policies
400+ integrations
Microsoft Entra IDMicrosoft 365Microsoft PurviewDefender XDRMicrosoft SentinelSalesforceGoogle WorkspaceAWSSlack
Geography
Global; Azure datacenters in 60+ regions
View full Microsoft Defender for Cloud Apps intelligence profile → Compare Microsoft Defender for Cloud Apps →
#1

Netskope

Deepest CASB heritage with full SSE breadth and persistent IPO speculation.

Founded 2012 · Santa Clara, CA · private · 1,000-100,000+ employees
G2 4.4 (520)
Capterra 4.5
Custom quote
○ Sales call required
Visit Netskope

Netskope is the deepest pure-play CASB on the market and arguably the only credible CASB-heritage vendor still operating standalone, founded 2012 by Sanjay Beri (still CEO). The platform spans the full Secure Service Edge stack: CASB, SWG, ZTNA (Netskope Private Access), DLP, RBI, and SD-WAN (acquired Infiot 2022 for the SASE pillar). Netskope reported a $7.5B+ valuation in a 2021 secondary share-sale round and is widely viewed as a likely 2026 or 2027 IPO candidate, with roughly $700M ARR and persistent IPO speculation across 2024-2025. Best fit for mid-market to large enterprise buyers (1,000-50,000+ employees) consolidating multiple security tools onto one SSE platform, particularly those leading with CASB or DLP requirements rather than ZTNA. Trade-offs: pricing is opaque with per-module SKU complexity across CASB, SWG, NPA, and DLP that consistently produces surprise costs at renewal; implementation services are heavy ($50K to $500K is the typical band); the pre-IPO status creates some enterprise-contract caution among buyers who prefer publicly-reported financial transparency; and the ZTNA pillar (NPA) is less mature than Zscaler ZPA.

Best for

Mid-market to enterprise buyers (1,000-50,000+ employees) leading with CASB or DLP needs and consolidating multiple cloud-security tools onto one SSE platform.

Worst for

SMBs under 500 employees (overkill, Microsoft Defender for Cloud Apps via E5 or iboss cheaper), Microsoft-anchored shops with M365 E5 already paid for, or buyers wanting transparent published pricing.

Strengths

  • Deepest CASB heritage in the SSE category (founded 2012 as CASB-first)
  • Full SSE breadth (CASB + SWG + ZTNA + DLP + RBI + SD-WAN via Infiot)
  • Cloud XD (extended detection) for cloud-app threats
  • Strong DLP across cloud, web, email, and private apps
  • $7.5B+ secondary valuation 2021; ~$700M ARR with 2026-2027 IPO speculation
  • NewEdge global network with 70+ POPs for direct-to-cloud routing
  • Strong Gartner Magic Quadrant SSE Leader positioning consistently 2022-2025

Weaknesses

  • Pricing opaque; per-module SKU complexity creates surprise costs at renewal
  • Implementation services heavy ($50K-$500K typical band)
  • Pre-IPO status creates enterprise-contract caution for some buyers
  • ZTNA pillar (NPA) less mature than Zscaler ZPA
  • Customer support quality reported as variable by tier
  • Enterprise-only sales motion painful for under-500-employee buyers

Pricing tiers

opaque
  • Netskope CASB Standalone
    Per user; CASB pillar only (rare deal shape in 2026)
    Quote
  • Netskope Core
    Per user; CASB + SWG
    Quote
  • Netskope Advanced
    Per user; adds NPA (ZTNA) + DLP
    Quote
  • Netskope Intelligent SSE
    Full SSE platform
    Quote
  • Netskope One SASE
    SSE + SD-WAN (Infiot)
    Quote
Watch for
  • · Per-module pricing across CASB / SWG / NPA / DLP creates surprise costs
  • · Annual price increases of 8-15% reported at renewal
  • · Implementation services ($50K-$500K typical)
  • · Advanced threat protection add-on
  • · NewEdge regional POP add-ons in some geographies

Key features

  • +CASB inline and API-based (sanctioned and unsanctioned SaaS)
  • +Cloud-app discovery (40,000+ apps catalogued)
  • +DLP across cloud, web, email, and private apps
  • +Cloud XD (extended detection)
  • +SWG (secure web gateway)
  • +Netskope Private Access (ZTNA)
  • +Remote Browser Isolation (RBI)
  • +NewEdge global network
  • +SD-WAN via Infiot acquisition
  • +SSPM (SaaS security posture management)
500+ integrations
Microsoft Entra IDOktaSalesforceSlackMicrosoft 365Google WorkspaceServiceNowSplunkMicrosoft SentinelCrowdStrike
Geography
Global; NewEdge POPs in 70+ regions; strongest in US, EU, UK, APAC
View full Netskope intelligence profile → Compare Netskope →
#5

Cisco Cloudlock

API-based CASB folded into Cisco Secure Access; standalone procurement is rare.

Founded 2011 · San Jose, CA · public · 1,000-100,000+ employees
G2 4.2 (240)
Capterra 4.3
Custom quote
○ Sales call required
Visit Cisco Cloudlock

Cisco Cloudlock is the API-based CASB product Cisco acquired in June 2016 for $293M. The product is now folded into Cisco Secure Access (the consolidated Cisco SSE/SASE platform that combines Duo, Umbrella, Secure Connect, and Cloudlock), and standalone Cloudlock procurement is rare in 2026; most buyers receive it as part of the broader Cisco Secure Access bundle. Best fit only for existing Cisco-anchored customers consolidating onto Cisco Secure Access, where the installed-base advantage and bundled pricing make the architecture defensible. Trade-offs: Cloudlock as a standalone CASB is materially less mature than Netskope or Microsoft on inline CASB depth (Cloudlock is primarily API-based, which limits real-time enforcement compared to forward-proxy or reverse-proxy modes); the Cisco Secure Access consolidation has been ongoing since 2023 and the roadmap-clarity questions Cisco buyers raised at that time persist; pricing is opaque and channel-driven; and the per-module SKU complexity inside Cisco Secure Access creates surprise costs.

Best for

Cisco-anchored customers consolidating onto Cisco Secure Access; existing Cloudlock customers maintaining investment.

Worst for

Non-Cisco buyers (Netskope or Microsoft cleaner choices), buyers needing inline CASB depth, or organizations wanting transparent published pricing.

Strengths

  • API-based CASB; clean deployment without inline proxy
  • Tight integration with Cisco Secure Access platform (Duo + Umbrella + Cloudlock + Secure Connect)
  • Cisco installed-base advantage for existing customers
  • Public company financial transparency (NASDAQ:CSCO)
  • Strong compliance posture (FedRAMP authorized via Cisco platform)

Weaknesses

  • Standalone Cloudlock procurement is rare in 2026; folded into Cisco Secure Access
  • API-only CASB; inline enforcement modes thinner than Netskope
  • Roadmap-clarity questions during Cisco Secure Access consolidation persist
  • Pricing opaque and channel-driven
  • Per-module SKU complexity inside Cisco Secure Access creates surprise costs
  • Net-new sales win rate against Netskope and Microsoft weak

Pricing tiers

opaque
  • Cisco Cloudlock (standalone)
    Per user; rare deal shape in 2026
    Quote
  • Cisco Secure Access (bundled)
    Per user; CASB inside SSE platform
    Quote
Watch for
  • · Per-module SKU complexity inside Cisco Secure Access
  • · Channel-driven pricing creates inconsistent quotes
  • · Annual price escalators reported at renewal
  • · Implementation services (channel-priced)

Key features

  • +API-based CASB for sanctioned SaaS
  • +OAuth app governance
  • +DLP across cloud apps
  • +Threat detection via Talos intelligence
  • +Integration with Cisco Duo for identity
  • +Integration with Cisco Umbrella for DNS / SWG
  • +Cisco XDR integration
  • +Compliance reporting
150+ integrations
Microsoft Entra IDCisco DuoCisco UmbrellaMicrosoft 365Google WorkspaceSalesforceBoxServiceNow
Geography
Global; strongest in US, EU, UK, APAC; federal via FedRAMP
View full Cisco Cloudlock intelligence profile → Compare Cisco Cloudlock →
#3

Forcepoint CASB

Legacy Forcepoint CASB now consolidating into Forcepoint ONE under Francisco Partners.

Founded 1994 · Austin, TX · pe backed · 1,000-50,000+ employees
G2 3.8 (180)
Capterra 4.0
Custom quote
○ Sales call required
Visit Forcepoint CASB

Forcepoint CASB is the legacy Forcepoint cloud-application-security product line, sold separately from the newer Forcepoint ONE platform that absorbed Bitglass (also acquired by Forcepoint in 2021). The parent company has had a turbulent ownership history: Raytheon spun out Forcepoint to Francisco Partners in January 2021 for $1.1B, and Francisco Partners has since consolidated the portfolio under the Forcepoint ONE brand (announced 2022, mostly complete by 2023). The legacy Forcepoint CASB SKU still exists for existing customers but is effectively in maintenance mode; new sales motion is steered toward Forcepoint ONE. Best fit for existing Forcepoint customers maintaining their current investment or running multi-product Forcepoint stacks (NGFW, DLP, CASB, web). Trade-offs: post-PE-acquisition product investment has been cautious, with executive churn and account-team turnover during 2022-2023 cited consistently in buyer feedback; customer-support quality has been reported as inconsistent post-acquisition; pricing is opaque and channel-driven; and the dual-CASB-SKU situation (legacy Forcepoint CASB plus Forcepoint ONE / Bitglass) creates buyer confusion at evaluation.

Best for

Existing Forcepoint multi-product customers (NGFW + DLP + CASB + web) maintaining current investment, or federal / regulated buyers leveraging Forcepoint ONE FedRAMP authorization.

Worst for

Net-new buyers without existing Forcepoint stack (Netskope or Microsoft cleaner choices), Microsoft 365 E5-anchored shops, or buyers wanting transparent published pricing.

Strengths

  • Strong DLP heritage integrated with CASB pillar
  • Existing Forcepoint customers benefit from bundled multi-product pricing
  • Francisco Partners ownership brings PE operational discipline (mixed signal)
  • Enterprise-grade compliance posture (FedRAMP-authorized via Forcepoint ONE)
  • Strong channel presence in federal and regulated industries

Weaknesses

  • Legacy CASB SKU effectively in maintenance mode; sales motion steered to Forcepoint ONE
  • Post-Francisco Partners acquisition executive churn 2022-2023
  • Customer-support quality reported as inconsistent post-acquisition
  • Pricing opaque and channel-driven (no published rates)
  • Dual-CASB-SKU situation (legacy + Forcepoint ONE / Bitglass) confuses buyers
  • Net-new sales win rate against Netskope and Microsoft reported as weak

Pricing tiers

opaque
  • Forcepoint CASB (legacy)
    Per user; legacy SKU, maintenance mode
    Quote
  • Forcepoint ONE CASB
    Per user; new platform consolidation
    Quote
  • Forcepoint ONE bundle
    CASB + SWG + ZTNA on Forcepoint ONE
    Quote
Watch for
  • · Channel-driven pricing creates inconsistent quotes
  • · Migration from legacy CASB to Forcepoint ONE requires professional services
  • · Annual price escalators reported at renewal
  • · Implementation services (channel-priced)

Key features

  • +Cloud-app discovery (sanctioned and unsanctioned)
  • +Inline CASB via reverse-proxy and forward-proxy modes
  • +API-based CASB for sanctioned SaaS
  • +DLP integrated with Forcepoint Data Security
  • +Risk-adaptive protection
  • +OAuth app governance
  • +Compliance reporting (HIPAA, PCI, GDPR)
200+ integrations
Microsoft Entra IDOktaMicrosoft 365Google WorkspaceSalesforceSplunkForcepoint NGFW
Geography
Global; strongest in US federal, EU, UK
View full Forcepoint CASB intelligence profile → Compare Forcepoint CASB →
#10

iboss

Zero-trust cloud platform with CASB module; one-vendor SSE for buyers below Zscaler scale.

Founded 2003 · Boston, MA · private · 1,000-25,000 employees
G2 4.3 (240)
Capterra 4.4
Custom quote
○ Sales call required
Visit iboss

iboss is the zero-trust cloud security platform founded 2003 by Paul Martini (still CEO) that ships CASB as one module alongside SWG, ZTNA, and DLP on a single containerized cloud platform. The company has positioned itself as a one-vendor SSE for mid-market and enterprise buyers who want the architecture without the price and complexity of Zscaler or Netskope. iboss claims a "Zero Trust SSE" architecture with patented containerized cloud-gateway technology. Best fit for organizations (1,000-25,000 employees) wanting one-vendor SSE consolidation below the Zscaler scale tier, particularly in education, federal, and regulated industries where iboss has historic strength. Trade-offs: brand recognition is materially lower than Zscaler, Netskope, or Microsoft; the CASB feature depth is narrower than category leaders; customer-support quality reported as inconsistent post-scale-up; pricing is opaque (no published rates); and the company is private with limited financial transparency.

Best for

Mid-market to enterprise (1,000-25,000 employees) wanting one-vendor SSE consolidation below Zscaler scale; education, federal, and regulated industries.

Worst for

Global enterprises requiring proven hyperscale (Zscaler better), buyers needing deepest CASB depth (Netskope better), or Microsoft 365 E5-anchored shops.

Strengths

  • One-vendor SSE consolidation (CASB + SWG + ZTNA + DLP)
  • Patented containerized cloud-gateway architecture
  • Strong in education, federal, and regulated industries
  • Reasonable pricing relative to Zscaler / Netskope for mid-market
  • FedRAMP authorized (federal procurement gate cleared)

Weaknesses

  • Brand recognition lower than Zscaler, Netskope, Microsoft
  • CASB feature depth narrower than category leaders
  • Customer-support quality reported as inconsistent post-scale-up
  • Pricing opaque (no published rates)
  • Private company with limited financial transparency
  • Net-new sales win rate against Zscaler / Netskope mixed

Pricing tiers

opaque
  • iboss Zero Trust SSE Core
    Per user; SWG + CASB
    Quote
  • iboss Zero Trust SSE Advanced
    Per user; adds ZTNA + DLP
    Quote
  • iboss Zero Trust SSE Enterprise
    Full SSE platform
    Quote
Watch for
  • · Per-module SKU complexity
  • · Annual price escalators reported at renewal
  • · Implementation services ($25K-$200K typical)

Key features

  • +CASB inline and API-based
  • +Cloud-app discovery
  • +SWG (secure web gateway)
  • +ZTNA module
  • +DLP across cloud and web
  • +Patented containerized cloud-gateway
  • +Compliance reporting (FedRAMP, HIPAA, PCI)
  • +Threat intelligence from iboss Security Cloud
150+ integrations
Microsoft Entra IDOktaMicrosoft 365Google WorkspaceSalesforceSplunkCrowdStrike
Geography
Global; strongest in US (especially education and federal), EU, UK
View full iboss intelligence profile → Compare iboss →
#6

Lookout

Mobile + endpoint heritage with CASB inherited from CipherCloud merger.

Founded 2007 · Boston, MA · private · 500-25,000 employees
G2 4.1 (280)
Capterra 4.2
Custom quote
○ Sales call required
Visit Lookout

Lookout is the mobile-threat-defense and endpoint-security company founded 2007 by John Hering (originally focused on mobile security). The CASB pillar entered the portfolio through the CipherCloud merger in March 2021, which folded a CASB and ZTNA product family into Lookout. Lookout raised a Series E led by Andreessen Horowitz in March 2021 (the same period as the CipherCloud merger) at a valuation reported in the $1B+ range. The company has historically positioned itself as the mobile-and-endpoint-first security vendor, with CASB and ZTNA inherited rather than originated. Best fit for organizations needing mobile-threat defense plus CASB in one vendor (a common use case for BYOD-heavy or regulated industries with mobile workforce). Trade-offs: CASB depth is the inherited rather than originating strength; the CipherCloud integration into Lookout SSE has been ongoing since 2021 with some product-cohesion questions; standalone CASB feature parity with Netskope is thin; customer-support quality reported as inconsistent; and pricing is opaque.

Best for

Organizations (500-25,000 employees) needing mobile-threat defense plus CASB in one vendor, especially BYOD-heavy or regulated industries with mobile workforce.

Worst for

Pure CASB buyers without mobile-threat use case (Netskope better), Microsoft 365 E5-anchored shops, or buyers wanting transparent published pricing.

Strengths

  • Mobile-threat-defense + CASB combination unique in market
  • Strong endpoint posture for BYOD-heavy workforces
  • Series E backing from Andreessen Horowitz and others ($1B+ valuation 2021)
  • Lookout SSE platform covers mobile + CASB + ZTNA + DLP
  • Strong compliance posture (FedRAMP authorized)

Weaknesses

  • CASB depth inherited from CipherCloud rather than originated
  • CipherCloud integration into Lookout SSE has product-cohesion questions
  • Standalone CASB feature parity with Netskope thin
  • Customer-support quality reported as inconsistent
  • Pricing opaque (no published rates)
  • Brand recognition stronger in mobile than CASB

Pricing tiers

opaque
  • Lookout Mobile Endpoint Security
    Per user; mobile threat defense
    Quote
  • Lookout SSE
    CASB + SWG + ZTNA + DLP
    Quote
  • Lookout SSE + MTD bundle
    Mobile + SSE combined
    Quote
Watch for
  • · Per-module SKU complexity
  • · Annual price escalators reported at renewal
  • · Implementation services

Key features

  • +Mobile-threat defense (MTD)
  • +CASB inline and API-based
  • +Cloud-app discovery
  • +DLP across cloud and mobile
  • +ZTNA module
  • +Phishing protection (Lookout heritage)
  • +Compliance reporting
  • +Threat intelligence from Lookout Security Cloud
150+ integrations
Microsoft Entra IDOktaMicrosoft IntuneVMware Workspace ONEMicrosoft 365Google WorkspaceSplunk
Geography
Global; strongest in US, EU, UK; federal via FedRAMP
View full Lookout intelligence profile → Compare Lookout →
#4

Trellix CASB

McAfee Enterprise + FireEye merger product line under STG with persistent roadmap-clarity questions.

Founded 2022 · San Jose, CA · pe backed · 1,000-50,000+ employees
G2 3.9 (220)
Capterra 4.0
Custom quote
○ Sales call required
Visit Trellix CASB

Trellix CASB is the cloud-access-security-broker line inherited from the McAfee MVISION Cloud product (originally Skyhigh Networks, acquired by McAfee in January 2018 for ~$400M). Trellix as a company was formed in January 2022 when private-equity firm Symphony Technology Group (STG) merged the McAfee Enterprise business and FireEye into a single entity. STG had acquired McAfee Enterprise for ~$4B in March 2021 and FireEye Products in October 2021 for ~$1.2B. Critically, STG later spun the cloud-security business (including the former Skyhigh CASB) out as a separate entity called Skyhigh Security in March 2022, which created two CASB SKUs in market under STG ownership: Trellix CASB (the XDR-anchored CASB) and Skyhigh Security CASB (the standalone). For buyers this creates significant confusion. Best fit only for existing Trellix XDR customers running multi-product Trellix stacks. Trade-offs: post-merger product investment under STG has been cautious with persistent roadmap-clarity questions; the Trellix / Skyhigh split confused the buying motion; executive churn since 2022 has been heavy; customer-support quality reported as variable; and net-new CASB sales win rate against Netskope is weak.

Best for

Existing Trellix XDR multi-product customers maintaining their stack, or buyers wanting CASB tightly coupled with XDR cross-signal.

Worst for

Net-new CASB buyers without existing Trellix investment (Netskope or Microsoft cleaner), buyers seeking clear product-line roadmap, or organizations sensitive to PE-ownership turbulence.

Strengths

  • Strong XDR cross-signal integration (Trellix XDR)
  • Heritage from Skyhigh / MVISION Cloud (legitimately deep CASB roots)
  • Existing McAfee MVISION customers retain investment value
  • Enterprise-grade compliance posture
  • STG operational discipline (mixed signal at best)

Weaknesses

  • Trellix / Skyhigh CASB split since March 2022 confuses buyers
  • Post-STG-merger product investment cautious; roadmap clarity questions persist
  • Heavy executive churn 2022-2024 post-merger
  • Net-new CASB sales win rate against Netskope reported as weak
  • Customer-support quality variable by region
  • Pricing opaque and channel-driven

Pricing tiers

opaque
  • Trellix CASB (XDR-bundled)
    Per user; bundled with Trellix XDR
    Quote
  • Trellix Cloud Suite
    CASB + DLP + cloud workload protection
    Quote
Watch for
  • · Channel-driven pricing creates inconsistent quotes
  • · Confusion with Skyhigh Security CASB (separate STG portfolio entity)
  • · Annual price escalators reported at renewal
  • · Implementation services

Key features

  • +Cloud-app discovery
  • +API-based CASB for sanctioned SaaS
  • +Inline CASB via forward-proxy
  • +DLP across cloud and endpoint
  • +Trellix XDR cross-signal correlation
  • +OAuth app governance
  • +Compliance reporting
  • +Threat intelligence from Trellix Advanced Research
250+ integrations
Microsoft Entra IDOktaMicrosoft 365Google WorkspaceSalesforceAWSAzureTrellix XDR
Geography
Global; strongest in US, EU, UK
View full Trellix CASB intelligence profile → Compare Trellix CASB →
#8

Trend Micro Cloud App Security

CASB bundled inside Trend Vision One; sensible for existing Trend customers.

Founded 1988 · Tokyo, Japan · public · 500-50,000 employees
G2 4.3 (320)
Capterra 4.4
From $0 + $3 /mo + /employee
◐ Partial disclosure
Visit Trend Micro Cloud App Security

Trend Micro Cloud App Security is the CASB pillar bundled inside Trend Vision One (the consolidated Trend Micro XDR and platform offering). Trend Micro is a public company (TSE: 4704) founded 1988 with global presence and longstanding XDR / endpoint heritage. The CASB module covers API-based protection for Microsoft 365, Google Workspace, Box, Dropbox, and Salesforce, with focus on threat detection (phishing, ransomware, business email compromise) rather than deep DLP or compliance-CASB use cases. Best fit for existing Trend Vision One customers consolidating XDR + CASB in one vendor, particularly Microsoft 365-anchored shops where API-based protection is the primary use case. Trade-offs: standalone CASB feature depth lags Netskope and Microsoft Defender for Cloud Apps; the CASB is primarily API-based with limited inline enforcement capabilities; the Trend Vision One platform consolidation has been ongoing with periodic UX cohesion questions; and the product is most compelling as a bundled module rather than a standalone CASB purchase.

Best for

Existing Trend Vision One customers consolidating XDR + CASB in one vendor, particularly Microsoft 365-anchored shops with API-based protection as primary use case.

Worst for

Pure CASB buyers without Trend XDR investment (Netskope or Microsoft better), buyers needing deep DLP or inline CASB enforcement.

Strengths

  • Bundled inside Trend Vision One platform; consolidation value for Trend customers
  • Strong threat-detection heritage (phishing, ransomware, BEC)
  • Public company financial transparency (TSE: 4704)
  • Global presence with strong APAC (Japan, Australia) and EU footprint
  • Reasonable pricing relative to Netskope for bundled customers

Weaknesses

  • Standalone CASB feature depth lags Netskope and Microsoft
  • Primarily API-based; inline enforcement thin
  • Trend Vision One UX cohesion questions persist
  • Most compelling as bundled module, not standalone CASB
  • Brand recognition stronger in endpoint / XDR than CASB
  • Net-new CASB sales win rate against Netskope and Microsoft weak

Pricing tiers

partial
  • Trend Micro Cloud App Security (standalone)
    Per user/mo approximate; standalone SKU
    $0+$3 /mo +/emp
  • Trend Vision One Cloud Security
    CASB bundled with cloud workload protection
    Quote
  • Trend Vision One platform
    CASB + XDR + EDR + cloud
    Quote
Watch for
  • · Trend Vision One per-module SKU complexity
  • · Annual price escalators reported at renewal
  • · Implementation services for complex deployments

Key features

  • +API-based CASB for Microsoft 365, Google Workspace, Box, Dropbox, Salesforce
  • +Threat detection (phishing, ransomware, BEC)
  • +DLP basic
  • +OAuth app governance
  • +Compliance reporting
  • +Integration with Trend Vision One XDR
  • +Sandboxing via Trend Smart Protection Network
  • +Cloud-storage scanning
150+ integrations
Microsoft 365Google WorkspaceBoxDropboxSalesforceMicrosoft Entra IDOktaSplunkTrend Vision One
Geography
Global; strongest in APAC (Japan, Australia), EU; growing US
View full Trend Micro Cloud App Security intelligence profile → Compare Trend Micro Cloud App Security →
#9

CyberArk Cloud Access Security

PAM-anchored cloud access via Conjur and SecureWeb; narrower CASB feature set.

Founded 1999 · Newton, MA · public · 1,000-100,000+ employees
G2 4.4 (380)
Capterra 4.5
Custom quote
○ Sales call required
Visit CyberArk Cloud Access Security

CyberArk Cloud Access Security is the cloud-application-access pillar in CyberArk's broader identity security platform, anchored on the privileged-access management (PAM) heritage that defined the company since 1999. The approach is different from traditional CASB: rather than discovery-and-control-first, CyberArk approaches cloud access from the identity-secrets and PAM angle, leveraging Conjur (secrets management) and CyberArk SecureWeb (the browser-based privileged access component). CyberArk is public on NASDAQ:CYBR and reported ~$960M revenue FY24 with strong growth. Best fit for organizations where privileged access is the anchor security control and CASB is a complementary pillar, not the primary procurement. Trade-offs: the CASB feature set is materially narrower than Netskope or Microsoft on traditional CASB use cases (sanctioned SaaS discovery, inline DLP, cloud-app threat protection); the product is most valuable when paired with the broader CyberArk identity platform (PAM + Conjur + Workforce Identity); standalone CASB procurement is rare; and the per-module SKU complexity inside the CyberArk Identity Security Platform creates surprise costs.

Best for

Organizations where privileged access is the anchor security control and CASB is a complementary pillar; existing CyberArk PAM customers extending into cloud-app access.

Worst for

Pure CASB buyers without PAM use case (Netskope or Microsoft better), buyers wanting traditional CASB feature depth, or organizations on a tight CASB-only budget.

Strengths

  • PAM heritage strongest in market (CyberArk is the PAM leader)
  • Identity-secrets approach (Conjur) integrates with cloud workloads
  • CyberArk SecureWeb provides browser-isolation for privileged access
  • Public company financial transparency (NASDAQ:CYBR; ~$960M revenue FY24)
  • Strong compliance posture (FedRAMP authorized)

Weaknesses

  • CASB feature set narrower than Netskope and Microsoft on traditional use cases
  • Most valuable when paired with broader CyberArk identity platform
  • Standalone CASB procurement is rare
  • Per-module SKU complexity inside Identity Security Platform creates surprise costs
  • Brand recognition stronger in PAM than CASB
  • Implementation services heavy for full identity-security stack

Pricing tiers

opaque
  • CyberArk Cloud Access Security
    Per user; cloud-access module
    Quote
  • CyberArk SecureWeb
    Per user; browser-isolation
    Quote
  • CyberArk Identity Security Platform
    Full stack: PAM + Conjur + Cloud Access
    Quote
Watch for
  • · Per-module SKU complexity
  • · Annual price escalators reported at renewal
  • · Implementation services heavy ($50K-$500K typical)

Key features

  • +Cloud-app access control via PAM heritage
  • +Conjur secrets management for cloud workloads
  • +CyberArk SecureWeb browser-isolation
  • +Identity-secrets integration
  • +Compliance reporting
  • +Integration with CyberArk PAM
  • +Just-in-time access for cloud apps
  • +Audit logging across cloud-app sessions
250+ integrations
Microsoft Entra IDOktaAWSAzureMicrosoft 365SalesforceSplunkCyberArk PAM
Geography
Global; strongest in US, EU, Israel, UK; federal via FedRAMP
View full CyberArk Cloud Access Security intelligence profile → Compare CyberArk Cloud Access Security →
#7

Forcepoint ONE (Bitglass)

Bitglass CASB folded into Forcepoint ONE under Francisco Partners; the modern Forcepoint CASB SKU.

Founded 2013 · Austin, TX · pe backed · 500-25,000 employees
G2 4.0 (210)
Capterra 4.1
Custom quote
○ Sales call required
Visit Forcepoint ONE (Bitglass)

Bitglass was an independent CASB founded 2013 by Anurag Kahol that built a strong reputation for reverse-proxy-based agentless CASB deployments before being acquired by Forcepoint in October 2021. Forcepoint folded the Bitglass technology into the Forcepoint ONE SSE platform in 2022-2023, and today the modern Forcepoint CASB is effectively the Bitglass technology under the Forcepoint ONE brand. This creates a dual-SKU situation alongside legacy Forcepoint CASB. Forcepoint ONE delivers CASB, SWG, and ZTNA on a unified cloud platform with a single management plane. Best fit for net-new Forcepoint buyers preferring agentless reverse-proxy CASB or for existing Bitglass customers who migrated to Forcepoint ONE. Trade-offs: the Forcepoint ONE consolidation has been steady but not without friction; reverse-proxy CASB deployments have known compatibility issues with some SaaS vendors (Microsoft 365 modern auth and Google Workspace OAuth flows have historically required workarounds); post-Francisco Partners ownership has continued the cautious investment pattern; customer-support quality reported as inconsistent; and the dual-SKU situation with legacy Forcepoint CASB creates buyer confusion.

Best for

Forcepoint buyers preferring agentless reverse-proxy CASB for BYOD or unmanaged-device fleets, or existing Bitglass customers who migrated to Forcepoint ONE.

Worst for

Microsoft 365-anchored shops with modern auth requirements (compatibility friction), buyers wanting transparent published pricing, or organizations sensitive to PE-ownership turbulence.

Strengths

  • Agentless reverse-proxy CASB (Bitglass heritage); strong for BYOD and unmanaged devices
  • Forcepoint ONE unified SSE platform (CASB + SWG + ZTNA)
  • FedRAMP authorization (federal procurement gate cleared)
  • Cleaner SaaS UX than legacy Forcepoint CASB SKU
  • Existing Bitglass customers retain technology investment

Weaknesses

  • Reverse-proxy compatibility issues with some SaaS (Microsoft 365 modern auth, Google OAuth)
  • Dual-SKU situation with legacy Forcepoint CASB confuses buyers
  • Post-Francisco Partners cautious investment continues
  • Customer-support quality reported as inconsistent
  • Pricing opaque and channel-driven
  • Net-new sales win rate against Netskope and Microsoft mixed

Pricing tiers

opaque
  • Forcepoint ONE CASB
    Per user; CASB module on Forcepoint ONE
    Quote
  • Forcepoint ONE bundle
    CASB + SWG + ZTNA on Forcepoint ONE
    Quote
Watch for
  • · Channel-driven pricing creates inconsistent quotes
  • · Reverse-proxy compatibility workarounds may require professional services
  • · Annual price escalators reported at renewal
  • · Implementation services (channel-priced)

Key features

  • +Agentless reverse-proxy CASB (Bitglass heritage)
  • +API-based CASB for sanctioned SaaS
  • +Cloud-app discovery
  • +DLP across cloud and web
  • +Forcepoint ONE unified SSE management
  • +ZTNA module on same platform
  • +SWG module on same platform
  • +Compliance reporting (HIPAA, PCI, GDPR)
250+ integrations
Microsoft Entra IDOktaMicrosoft 365Google WorkspaceSalesforceBoxServiceNowSplunk
Geography
Global; strongest in US federal, EU, UK
View full Forcepoint ONE (Bitglass) intelligence profile → Compare Forcepoint ONE (Bitglass) →

Frequently asked questions

The questions buyers actually ask before they sign.

What is Mitbestimmung and how does it affect CASB deployment in Germany?
Mitbestimmung refers to German co-determination rights under the Betriebsverfassungsgesetz (BetrVG). Section 87(1)(6) of BetrVG requires the works council (Betriebsrat) to be consulted and to formally agree (via a Betriebsvereinbarung) before any technology is introduced that can monitor or evaluate employee behavior or performance. CASB deployment that monitors employee SaaS application usage, generates user risk scores, or inspects employee file and email content is explicitly within the scope of 87(1)(6). This means: a formal Betriebsvereinbarung must be negotiated and signed before CASB goes live; the agreement must define the scope of monitoring (which applications, which user behaviors), data retention limits (typically 30-90 days for personal-level data), anonymization requirements (many German works councils require user-level data to be anonymized after 7-14 days), and employee rights to access their own monitoring data. CASB vendors who provide German Betriebsvereinbarung templates (Microsoft provides standard German BA templates for Defender for Cloud Apps; Netskope provides BA templates via German partners) save significant legal and consulting time. Budget 6-12 weeks for Betriebsrat negotiation in German CASB deployments.
Is BSI C5 attestation required for CASB at German enterprises?
BSI C5 (Cloud Computing Compliance Criteria Catalogue) Type 2 attestation is mandatory for cloud services used by German federal government agencies and KRITIS (critical infrastructure) operators. For German commercial enterprises outside the government and KRITIS perimeter, BSI C5 is not legally mandatory but is a strong de-facto procurement requirement: German enterprise security teams and CISOs routinely require BSI C5 Type 2 attestation as a minimum cloud security standard. Microsoft Defender for Cloud Apps (via Microsoft Azure Germany) and Netskope both maintain BSI C5 Type 2 attestations. Forcepoint, Trellix, Lookout, and iboss should be asked explicitly for their BSI C5 status before German enterprise procurement; vendors without BSI C5 face significant procurement friction at German companies. Verify the current C5 report date (annual renewal required) and that the scope covers the specific CASB services being purchased.
Should German enterprises choose Microsoft Defender for Cloud Apps or Netskope?
If you are on Microsoft 365 E5 (or considering upgrading to E5), Defender for Cloud Apps is the correct first evaluation: pre-paid in E5, Frankfurt Azure datacenter for DSGVO data residency, BSI C5 Type 2, and Microsoft provides standard German Betriebsvereinbarung templates that accelerate Mitbestimmung compliance. Upgrade to Netskope when you need: deeper CASB discovery for non-Microsoft SaaS (Google Workspace, Salesforce, Workday, Slack-first stacks); more granular DLP policies than Microsoft Purview provides; unified SSE across CASB, SWG, and ZTNA from one vendor; or your environment is not Microsoft-anchored. German enterprises on both platforms (Defender for Cloud Apps for Microsoft workloads, Netskope for non-Microsoft DLP and ZTNA) represent a real and defensible architecture, particularly at large DAX 40 companies with complex multi-cloud SaaS portfolios.
What is the difference between CASB, SASE, and SSE?
CASB (Cloud Access Security Broker) is the cloud-application discovery, governance, DLP, and threat-protection pillar; original four-pillar definition from Gartner 2014. SSE (Secure Service Edge) is the broader security stack: CASB + SWG (Secure Web Gateway) + ZTNA (Zero Trust Network Access) + DLP, all cloud-delivered. SASE (Secure Access Service Edge) is SSE plus SD-WAN. In 2026, standalone CASB procurement is rare; most buyers receive CASB as one module inside an SSE or SASE platform. Netskope, Microsoft Defender for Cloud Apps, and the legacy CASB SKUs (Forcepoint, Trellix) still license CASB separately, but the procurement question is increasingly "which SSE platform" rather than "which CASB".
How did the Forcepoint and Bitglass consolidation play out?
Forcepoint acquired Bitglass in October 2021 (the same year Francisco Partners took Forcepoint private from Raytheon for $1.1B). Forcepoint then announced Forcepoint ONE in 2022 as a unified SSE platform built on Bitglass technology, and by 2023 had folded most of the Bitglass capability into Forcepoint ONE. This created a dual-SKU situation: the legacy Forcepoint CASB (now effectively in maintenance mode) and Forcepoint ONE CASB (the modern Bitglass-derived platform). For buyers, this is the central source of confusion: net-new buyers are steered toward Forcepoint ONE while existing legacy CASB customers retain their investment with diminishing roadmap visibility. Post-Francisco Partners executive churn and cautious product investment during 2022-2023 are the consistent buyer-feedback themes.
What is the trajectory for Trellix CASB under Symphony Technology Group?
Trellix was formed in January 2022 when Symphony Technology Group (STG) merged McAfee Enterprise (acquired March 2021 for $4B) and FireEye Products (acquired October 2021 for $1.2B). The CASB product line inherited from McAfee MVISION Cloud (originally Skyhigh Networks, acquired by McAfee in 2018 for $400M) was part of this combined entity. Critically, STG then spun the cloud-security business out as a separate company called Skyhigh Security in March 2022, creating two CASB SKUs under common STG ownership: Trellix CASB (XDR-anchored) and Skyhigh Security CASB (standalone). This split has been the dominant confusion source for buyers since. Post-merger product investment under STG has been cautious; executive churn 2022-2024 has been heavy; roadmap-clarity questions persist. Net-new CASB sales win rate against Netskope is consistently reported as weak. We rank Trellix CASB inside this listicle (rank 4); Skyhigh Security as a separate brand is excluded because most procurement of the Trellix-named SKU happens via the Trellix sales motion.
When does Microsoft Defender for Cloud Apps make sense vs Netskope?
Microsoft Defender for Cloud Apps is the default choice if you are already on Microsoft 365 E5: the CASB is effectively pre-paid as part of the bundle, integration with Entra ID conditional access and Microsoft Purview DLP is deepest in market, and the Defender XDR cross-signal correlation is unique to Microsoft. Outside the E5 envelope, the calculation shifts: standalone Defender for Cloud Apps at about $3.50 per user per month is reasonably priced but materially thinner than Netskope on non-Microsoft SaaS coverage (Google Workspace, AWS, Slack-first shops report inferior discovery). Netskope wins on pure CASB depth, multi-cloud breadth, and complex DLP scenarios but at meaningfully higher prices (verified deal pricing $132K median annual for 500-2,500 employees vs effectively zero for E5 buyers). The Microsoft anchor is the deciding factor: if M365 E5 is locked in, Defender for Cloud Apps wins; if not, Netskope is the better procurement.
What pricing models are common in CASB?
Three pricing models dominate in 2026: (1) bundled into broader licensing (Microsoft Defender for Cloud Apps in M365 E5, Cisco Cloudlock in Cisco Secure Access, Trend Micro CAS in Trend Vision One), where the marginal cost is effectively zero or low; (2) per-user per-module SKU pricing (Netskope, Forcepoint, Trellix), where buyers pay separately for CASB, SWG, ZTNA, DLP and combinations of these, creating surprise renewal costs; and (3) per-user platform pricing (iboss, Lookout, CyberArk), where the CASB is one module of a broader subscription. Across all three models, pricing transparency is poor: only Microsoft publishes the standalone Defender for Cloud Apps rate and Trend Micro publishes a partial rate. Every other vendor in this listicle requires a custom quote. Verified deal pricing crowdsourced from buyers (see verifiedPricing on each product) is the most reliable signal for budgeting.
How much should I budget for CASB?
Microsoft 365 E5 customers: effectively zero marginal cost (Defender for Cloud Apps included). Microsoft Defender for Cloud Apps standalone (non-E5): about $3.50 per user per month, $84K annual for 2,000 users. Netskope: $132K median annual for 500-2,500 employees, $480K for 2,500-10,000, $1.6M+ for 10,000+. Trend Micro Cloud App Security: $48K median annual for 500-2,500 employees, $180K for 2,500-10,000. Forcepoint, Trellix, Lookout: roughly $60K-$90K annual for 500-2,500 employees, $216K-$264K for 2,500-10,000. Cisco Cloudlock and CyberArk: bundled inside broader platforms with median pricing $96K-$360K depending on band. The 10X spread between bundled (free in E5) and full Netskope deal sizes is the most important budget signal; pick the model that matches your existing licensing rather than evaluating CASB in isolation.
What is shadow IT and how does CASB address it?
Shadow IT is the term for SaaS and cloud-application use by employees outside formal IT procurement and governance, the original problem CASB was built to solve in 2012-2015. CASBs address shadow IT through cloud-app discovery: analyzing web-proxy logs (inline CASB), DNS logs (Cisco Umbrella style), or firewall logs to inventory which cloud apps users actually access, then scoring each app on risk indicators (compliance certifications, data-handling practices, ownership transparency). Netskope catalogs 40,000+ apps, Microsoft Defender for Cloud Apps catalogs 31,000+, and most other vendors are in the 10,000-25,000 range. The discovery output is then used to drive sanctioning decisions, block-listing, or coaching-style policy (warn user that an unsanctioned app is being used, but allow continued access).
Do I need both inline CASB and API-based CASB?
Most enterprises run both. Inline CASB (forward-proxy or reverse-proxy) sits in the network path and enforces policy on traffic in real time; strong for blocking risky uploads, applying DLP inline, and controlling unsanctioned apps. API-based CASB connects to sanctioned SaaS via the SaaS vendor APIs (Microsoft Graph for M365, Salesforce APIs, Google Workspace Admin APIs) and provides retrospective scanning, OAuth governance, and out-of-band DLP. Netskope and Microsoft Defender for Cloud Apps support both modes natively; Cisco Cloudlock and Trend Micro Cloud App Security are primarily API-based. The procurement question is whether your priorities are real-time control of unsanctioned SaaS (inline wins) or governance of sanctioned SaaS (API wins); most enterprises eventually need both.
Is FedRAMP authorization required for federal procurement?
For US federal agencies and many state and local government buyers, FedRAMP authorization is the procurement gate. Microsoft Defender for Cloud Apps, Cisco Cloudlock (via Cisco Secure Access), Forcepoint ONE, Trellix, Lookout, CyberArk, and iboss are FedRAMP authorized. Netskope is FedRAMP in-process as of 2026 and Trend Micro is also in-process. The classification level (Moderate vs High) matters for data classification: Microsoft Defender for Cloud Apps holds FedRAMP High; most others hold Moderate. If you are selling to federal buyers or working in regulated state and local government, FedRAMP status is the first filter; if not, it is a tiebreaker rather than a gate.
How do CASB platforms integrate with identity providers (Okta, Entra)?
Every modern CASB integrates with Microsoft Entra ID, Okta, Google Workspace, and Ping via SAML and OIDC for SSO and SCIM for user provisioning. The integration depth varies meaningfully: Microsoft Defender for Cloud Apps has the deepest Entra ID integration (conditional access policy and risk-signal exchange) by definition; Netskope and Cisco Cloudlock have mature SCIM and SAML integration with Okta and Entra; CyberArk leverages its own Workforce Identity (acquired Idaptive 2020) and integrates with external IDPs but the architecture pulls toward CyberArk as identity hub; Forcepoint, Trellix, Lookout, Trend Micro, and iboss all support standard SAML and SCIM but with less depth on conditional-access risk-signal integration. Identity provider risk-signal flow (passing Entra Identity Protection risk scores into CASB policy) is a 2025-2026 maturing capability across the category.

Final word

Looking at a different market? See the global Cloud Access Security Broker (CASB) Software ranking, or pick another country at the top of this page.

Last updated 2026-05-19. Local pricing reverified quarterly. Found something inaccurate? Tell us.