Cybersecurity & SASE
Sangfor Athena SASE replaces VPNs and MPLS with a cloud-native Zero Trust architecture. Secure access to internal applications via Zero Trust Guard (ZTG), protected web browsing via Secured Global Access (SGA) and endpoint security with ESA — all managed by a single agent.
Request a consultation
Features
- Zero Trust Guard (ZTG) — VPN/MPLS replacement
- Secured Global Access (SGA) — SWG, Cloud Firewall and IPS
- Endpoint Secure Access (ESA) — EDR and endpoint protection
- Identity-based application access (ZTNA)
- Adaptive authentication with MFA and SSO (IDaaS)
- Continuous Trust Assessment
- Full SSL/TLS inspection without performance degradation
- Real-time Threat Intelligence and 0-day protection
- Advanced DLP with data classification and watermarking
- 200+ global PoPs for cross-border acceleration
- All-in-One Agent: SASE + EDR in a single client
- Cloud-native hyperscale architecture
Technologies
Replace your VPN with Zero Trust Guard
The problem with traditional VPNs
SSL, L2TP and IPSec VPNs are complex, expensive and poorly scalable. Once authenticated, the user gains access to the entire network: the attack surface explodes and a compromised endpoint can move laterally without obstacles. Limited visibility, inadequate performance, compliance hard to demonstrate.
ZTG: application access, not network access
Zero Trust Guard publishes individual internal applications (web, TCP/UDP, RDP/SSH) instead of the whole network. Access is based on user identity, device posture and context. Applications are never exposed on the Internet, attack surface reduced to the minimum.
Continuous adaptive authentication
MFA, SSO and Continuous Trust Assessment via integrated IDaaS. Policies consider user, device (managed or BYOD), location and time. Trust is not granted once: it is re-evaluated at every request. If context changes, access is revoked.
No more expensive MPLS
For remote sites, SGA replaces MPLS links with enterprise-grade global connectivity at a fraction of the cost. Single-click installation, zero hardware maintenance, up to 10x performance for remote access compared to traditional VPN.
Sangfor Athena SASE Architecture
Secured Global Access (SGA)
Cloud gateway for Internet browsing and SaaS application access (Microsoft 365, Google Workspace, Salesforce, Dropbox). Integrates SWG, Cloud Firewall, IPS, CASB and DLP. Consistent security policies that follow users and devices everywhere, without on-premise appliances.
Zero Trust Guard (ZTG)
The heart of the Zero Trust model. Publishes internal applications — datacenter, private cloud, legacy apps — with identity-based access, adaptive authentication and continuous posture assessment. Available in agent-based or agentless mode (for BYOD and third-party contractors).
Endpoint Secure Access (ESA)
Endpoint agent combining ZTNA access, next-generation antivirus (NGAV), EDR and vulnerability management. A single client for secure access and protection: less complexity for IT, better experience for end users.
Unified cloud-native management
Single console for real-time provisioning, network and user visibility, centralised policy management. Hyperscale architecture with 200+ global PoPs. No hardware to maintain: automatic updates, over 1,000 security updates per day.
Complete end-to-end security
ZTNA — Internal App Protection
Identity-based application-level access, adaptive access control, MFA authentication, continuous trust assessment. Internal apps are no longer published on the Internet.
SWG + Cloud Firewall & IPS
User authentication, access control, audit, URL filtering and browsing behaviour management. Intrusion prevention, AI threat intelligence (ransomware, botnets, cryptomining), real-time malware detection.
Advanced DLP and Dual-Mode CASB
Data classification, flow tracing, leak traceability. Endpoint DLP with peripheral control, port control and watermarking. CASB for data governance on Microsoft 365, Google Workspace, AWS and other SaaS.
Integrated EDR + SD-WAN
Antivirus, endpoint vulnerability management, anti-popup and anti-illegal-software protection. Integrated SD-WAN for WAN optimisation, cross-border traffic acceleration and dynamic network drift management.
Threat Prevention: Global Threat Management
Consistent security policies everywhere
Security moves to the cloud and follows users and devices regardless of their location. Same level of protection in the office, at home, while travelling or at remote sites.
Uncompromised SSL/TLS inspection
Athena SASE performs full SSL/TLS inspection without limitations or performance degradation, detecting threats hidden in encrypted traffic that traditional solutions cannot see.
Automatic 0-day threat remediation
Over 1,000 security updates per day automatically block zero-day threats in real time, without requiring manual intervention from administrators. ML/AI-based Engine Zero.
Frost & Sullivan SASE 2023 recognition
Sangfor Access Secure recognised in the Frost Radar SASE 2023 for platform comprehensiveness and ML/AI use in AIOps and the Engine Zero malware detection engine.
Sangfor Athena EPP — Endpoint Protection
All-in-one endpoint security platform
Athena EPP combines NGAV, EDR and endpoint management in a single solution. Protects desktops, laptops and servers from malware, ransomware, phishing and zero-day attacks. Natively integrates with SASE: a single agent for everything.
Ransomware block in 3 seconds
Endpoint honeypots and behavioural monitoring block encryption activities within 3 seconds with 99.83% accuracy. Automatic file recovery via integrated backup and Windows VSS.
AI detection with Engine Zero
Engine Zero identifies unknown threats, fileless attacks and zero-day exploits through real-time behavioural analysis and MITRE ATT&CK mapping. Results validated in independent tests.
Centralised patching and visibility
Software inventory, vulnerability detection and proactive patching. Flexible deployment on-premises, cloud or hybrid. Concrete reduction of the attack surface without added complexity.
SOC 2 Type 2 Certification — Deloitte Audit
12-month independent audit
Athena SASE obtained SOC 2 Type 2 certification after a 12-month audit conducted by Deloitte, verifying design and consistent operational effectiveness of security controls.
Validated security, reliability and confidentiality
The audit covered Trust Services Criteria on security, reliability and confidentiality, confirming that data protection measures operate effectively over time.
Assurance for regulated industries
Concrete assurance for organisations in highly regulated sectors — banking, healthcare, government — where compliance and operational transparency are essential.
Beyond SOC 2 Type 1
Type 2 examines control effectiveness over time, not at a single point: proof of consistent, non-episodic security discipline.
Use cases
VPN replacement for hybrid work
Eliminate SSL/IPSec/L2TP VPNs. Employees securely and quickly access internal applications from anywhere, on any device — managed or BYOD — with the same experience as in the office.
Multi-site connectivity without MPLS
Connect branches and remote sites through 200+ global PoPs with enterprise-grade connectivity. Drastic bandwidth cost reduction, up to 10x performance for remote access.
Data protection on SaaS
CASB and DLP for Microsoft 365, Google Workspace, Salesforce, Box, Dropbox. Audit extended beyond the corporate file server, complete governance on who accesses data and where.
Secure access for contractors and BYOD
ZTG agentless mode: Zero Trust access to web applications via browser, without installing anything. Watermarking, MFA, time and role-based control. Ideal for third parties and unmanaged devices.
Frequently asked questions
A VPN grants access to the entire network after initial authentication: if the endpoint is compromised, the attacker can move laterally without obstacles. ZTG instead publishes individual applications and continuously verifies user identity, device posture and context. Apps are never exposed on the Internet, attack surface is drastically reduced and compliance is easier to demonstrate. Plus, up to 10x higher performance and much lower operational costs.
It means decommissioning SSL, L2TP, IPSec VPNs and MPLS links. Remote users install the All-in-One Agent (or access via browser for agentless scenarios), authenticate via IDaaS with MFA, and reach only authorised applications through ZTG. Remote sites connect via SGA to Sangfor's global PoPs. Migration can happen gradually, app by app, without disrupting operations.
SGA (Secured Global Access) handles Internet browsing and SaaS access with SWG, Cloud Firewall and CASB. ZTG (Zero Trust Guard) handles Zero Trust access to internal applications in the datacenter or private cloud. ESA (Endpoint Secure Access) integrates access and endpoint protection in a single agent. The three services are orchestrated by the Athena SASE platform with single console, centralised policies and end-to-end visibility.
For an Italian SMB the average cost ranges between €50,000 and €200,000 between operational downtime, recovery, possible ransoms and reputational damage. Athena EPP blocks ransomware encryption activities within 3 seconds with 99.83% accuracy and automatically restores files: the risk is drastically reduced.
Yes. The architecture is cloud-native and scalable, without significant hardware investments. SMBs also benefit from secure remote access, VPN replacement, SaaS protection and simplified management — often at lower costs than fragmented traditional solutions (separate firewall + VPN + antivirus + EDR).
ZTG supports agentless mode: Zero Trust access to web applications directly from browser, without installing anything on the device. MFA, SSO, watermarking, time and role-based policies and Layer 7 visibility on access logs still apply. Ideal for contractors, suppliers and personal devices.
You can be operational within one or two days: the architecture is cloud-native and requires no complex hardware installations. Full implementation can then take 2-4 weeks depending on the complexity of the existing infrastructure, migrating applications gradually — starting from the most critical cases like VPN replacement and SaaS access — in phases and without operational disruptions.