
Cato Networks brings adaptive threat defense to SASE

Network World [Unofficial] March 4, 2026
Cato Networks has introduced what it calls an auto-adaptive threat prevention engine, designed to stop multi-stage attacks before they cause damage or disruption. Cato Dynamic Prevention is integrated into the vendor’s secure access service edge (SASE) platform. It addresses attacks that unfold gradually and appear harmless when viewed as isolated events. Rather than relying solely on point-in-time inspection or static rules, the engine analyzes long-term behavioral patterns and correlates signals across multiple security controls to detect suspicious activity earlier in the attack chain, according to Cato Networks.

“Threat actors abuse trusted tools and valid credentials, knowing most defenses still analyze isolated events and rely on humans to connect dots for more complex attack chains,” said Lior Cohen, vice president of product management, security and management at Cato Networks, in a statement. “Cato Dynamic Prevention changes the game by continuously understanding behavior in context, predicting the threat actor’s next move, and enforcing protection automatically that would only impact true positive threats. As a result, this stops potential threats before a breach ever takes shape.”

Cato Dynamic Prevention monitors network and security activity across users, devices, and sites over extended periods. When it identifies patterns consistent with malicious behavior, it automatically applies adaptive controls to block or restrict high-risk actions, without requiring manual intervention from IT or security teams. According to the company, this approach targets threat actors who use legitimate credentials and trusted tools and spread activity across days or weeks. Individually, those actions may not trigger alerts. In environments built on disconnected point products, correlating those signals can be slow and resource-intensive, often delaying response until later stages of an attack, according to the company.
“Legacy security tools are built to spot obvious, point-in-time indicators, signatures, known bad IPs, or isolated anomalies. But modern attacks are engineered to look routine: they use legitimate admin tools, spread activity ‘low and slow,’ and break intrusion into small steps that appear harmless individually,” wrote Makiko Yamada, product marketing manager at Cato Networks, in a company blog. “The result is a flood of weak alerts and delayed action, leaving teams to manually connect the dots after the attacker has already moved.”

Because the capability operates within Cato’s cloud-native SASE architecture, it can also draw from telemetry generated by built-in services such as intrusion prevention, anti-malware, secure web gateway, and data loss prevention. The company says this unified visibility enables deeper context and more accurate correlation.

Yamada explained: “The key is correlation: one internal scan might be an IT task; one remote execution command might be standard operations; one unusual authentication might be a user traveling. However, when these events occur in a suspicious sequence across multiple hosts and networks, the combined pattern becomes harder to dismiss.”

Dynamic Prevention is generally available now as part of the Cato SASE Cloud Platform, which runs on a private global backbone of more than 90 points of presence (PoP) connected via multiple SLA-backed network providers.
