Versa extends SASE platform with Inbound SSE and Secure Enterprise Browser

SASE is headed in a new direction, literally.

According to Versa CEO Kelly Ahuja, security service edge (SSE) platforms have historically focused on one direction: outbound traffic from users and devices to the internet. Protecting internet-facing applications from inbound threats has required deploying dedicated firewall infrastructure in front of each application environment, whether in a data center, branch or cloud instance. As enterprise application footprints grow and AI workloads introduce new traffic patterns, that model is becoming harder to sustain.

To that end, Versa is adding two new capabilities to its VersaONE Universal SASE platform: a browser-native security layer that enforces access and data protection policies directly within browser sessions, and Inbound SSE, which routes internet traffic through Versa’s cloud gateways to inspect and filter threats before they reach enterprise applications.

“Up until now, all the traffic flows were you and I talking to applications in the cloud,” Ahuja told Network World. “But now applications in the cloud are wanting to talk to applications on prem.”

Extending SSE to cover inbound traffic

VersaONE’s SSE has always focused on outbound traffic. Users and devices connect through Versa’s cloud gateways to reach the internet, SaaS applications and private resources. Inbound traffic, connections originating from the internet and destined for enterprise applications, has sat outside that framework. Protecting those applications has meant deploying separate firewall and load balancer infrastructure in front of each environment.

Inbound SSE changes that by pulling inbound connections into the same inspection path. Rather than traffic reaching an application directly, it is first routed to the nearest Versa cloud gateway where policy enforcement is applied, covering IP- and location-based access control, denial-of-service mitigation, bot filtering, intrusion detection and prevention, and malware blocking. Only traffic that clears those checks reaches the application.

Versa’s platform combines networking and security in the same software stack, which allows it to attract and inspect traffic in both directions. The implementation is patent pending.

“You don’t need a firewall at these locations,” Ahuja said. “You can actually elevate the firewall right into the SSE and look at the traffic in both directions.”

Inbound SSE is included in Versa’s standard SASE licensing, priced by capacity covering both directions. No deployment changes are required for existing VersaONE customers. Swisscom is already running the capability in production, inspecting inbound traffic within its own SSE points of presence rather than deploying firewalls at customer premises.

Agentic AI and the inbound traffic problem

Agentic AI is also changing the inbound traffic equation. External MCP servers calling into enterprise environments are generating connection patterns that outbound-focused SSE was never built to handle.

Versa already has a zero-trust MCP server in production that requires human validation before allowing agentic commands, and a generative AI firewall for controlling which users and agents can access models. Ahuja indicated more is coming.

He described the need for a centralized policy enforcement point where all MCP traffic is funneled, with controls defining what each server is permitted to do. That layer would also include sandboxing capabilities and a WAF-like function to protect hosted models from unauthorized access by users, agents or external MCP servers

“There’s going to have to be more things, and that actually becomes more critical and important, because you can’t hairpin those into a cloud infrastructure and come back,” Ahuja said. “You have to do them in line.”

Secure Enterprise Browser: Adding a third browser security option

Inbound traffic is not the only blind spot Versa is addressing. As more enterprise work moves into browser-based applications, the browser session itself has become a gap in security coverage.

Versa already offers two methods for controlling browser-based application access within VersaONE: an application portal and remote browser isolation. The new Secure Enterprise Browser is a third option, built on Chromium and centrally managed through the same platform, extending existing VersaONE policy controls into the browser session itself.

When users access SaaS applications through native apps rather than a browser, certificate pinning and HTTP proxy behavior can limit enterprise visibility into those sessions. Moving users to a controlled browser keeps that activity within an inspectable path and under the same policy framework already running in VersaONE.

Which of the three methods an organization deploys depends on its regulatory environment and the applications involved. Ahuja pointed to financial services as an early vertical moving toward enterprise browsers.

Overall, both the Inbound SSE and Secure Enterprise Browser announcements sit within a broader pattern at Versa. The company has been building toward a platform that handles security and networking from a single software stack, and Ahuja framed Inbound SSE and the Secure Enterprise Browser as the next steps in that progression rather than standalone additions.

“The platform-based approach is absolutely fundamental,” Ahuja said. “Whether it’s SASE, SSE, SD-WAN, a router or a firewall, it’s all coming from the same software stack, the same principles.”