Independent Research · Unvarnished Reviews

Palo Alto Networks vs. Zscaler: The Zero Trust Architecture Decision


Unvarnished Reviews Research

This report synthesizes data from 1,900+ verified user reviews and practitioner community posts collected from G2, Capterra, TrustRadius, PeerSpot, Spiceworks, Reddit practitioner communities including r/netsec and r/sysadmin, and vendor community forums. Pricing data reflects enterprise procurement analysis and practitioner-reported contract data current as of June 2026. Full research methodology at unvarnishedreviews.com/methodology. Research Notes available on request at [email protected].

---

The Verdict Up Front

Palo Alto Networks Prisma SASE is the right platform for organizations already deeply invested in the Palo Alto ecosystem. Palo Alto is also the only vendor named a Leader in all three relevant Gartner Magic Quadrants simultaneously: SASE Platforms, SSE, and SD-WAN. Its Strata Cloud Manager is both its greatest strength (unified management across the full Palo Alto stack) and its most consistent complaint (complex, cumbersome, and designed for too many products at once). Licensing changes in 2025, including end-of-sale announcements that forced customer migrations, have added to the complexity burden.

Zscaler is the right platform for cloud-first organizations pursuing pure SSE without legacy on-premises infrastructure. It holds the highest PeerSpot and Gartner SSE ratings and the largest independent review base in its category. Its latency and performance issues are real, geographically variable, and well-documented across G2, Spiceworks, and Reddit practitioner communities, and are most severe for users in Asia, the Middle East, and restricted geographies where ZEN nodes are distant.

A notable market signal: both platforms are losing mindshare in the SASE category as of May 2026, with Prisma Access falling from 16.8% to 10.4% and Zscaler from 11.3% to 8.9% year-over-year on PeerSpot. Cato Networks and other challengers are gaining ground. Neither incumbent should be evaluated without also assessing the emerging alternatives.

---

The Gartner Positioning: What the Marketing Obscures

Both vendors prominently cite Gartner recognition in their marketing. The nuance buyers miss:

2025 Gartner Magic Quadrant for SASE Platforms:

2025 Gartner Magic Quadrant for Security Service Edge (SSE):

SASE Platforms covers integrated networking and security convergence, where Palo Alto's native SD-WAN integration gives it an architectural advantage. SSE covers security-only cloud delivery, where Zscaler's pure-cloud heritage gives it the edge. The right quadrant to weight depends on whether your requirement is integrated networking plus security (Palo Alto wins) or pure security service edge (Zscaler leads).

PeerSpot ratings further clarify the competitive picture: in the Secure Web Gateway category, Zscaler holds 8.5/10 vs. Palo Alto's 8.2/10. In SASE specifically, Zscaler is ranked #2 in SSE solutions while Prisma Access holds #1 in CASB solutions. Both platforms are credible, in different use cases.

---

Platform Ratings at a Glance

| Platform | PeerSpot | G2 | TrustRadius Reviews |
|---|---|---|---|
| Zscaler Internet Access | 8.5 / 10 | 4.4 / 5 | 115+ |
| Prisma Access (Palo Alto) | 8.2 / 10 | 4.3 / 5 | 93+ |

Zscaler leads on independent practitioner review ratings across platforms. The gap is consistent and reflects genuine differences in user experience, particularly around deployment simplicity and day-to-day management, rather than security effectiveness.

---

Architecture: The Philosophical Divide

Zscaler: Cloud-Proxy Security Service Edge

All user traffic (internet-bound, SaaS, and private application) routes through Zscaler's global network of Zscaler Enforcement Nodes (ZENs). Inspection, policy enforcement, and threat detection happen in the cloud at the point of access, without traffic touching a hardware appliance. The model eliminates VPN backhauling for users near a ZEN, a genuine performance advantage over legacy architectures.

The geographic dependency problem: Zscaler's backhauling architecture sends all traffic through ZEN nodes for inspection. For users near a ZEN, performance is good. For users in Asia, the Middle East, Africa, or anywhere distant from ZEN infrastructure, the backhauling adds round trips that are documented across Spiceworks, Reddit, and G2 as 10%-30% speed drops and significant latency during peak hours. Practitioners specifically call out China and restricted geographies as particularly problematic, where local network fragility compounds the backhauling penalty. This is not a fringe complaint: it is consistently the most cited operational issue in Zscaler communities.

Console sprawl from acquisition. Zscaler's product suite (ZIA, ZPA, ZDX, and multiple admin surfaces) was built through years of expansion rather than designed as a unified interface. Practitioners on Spiceworks and Reddit describe "console sprawl" as a consistent management friction point, requiring administrators to navigate multiple interfaces for comprehensive visibility.

Palo Alto Networks: Network-Security Convergence

Prisma SASE converges Prisma Access, Prisma SD-WAN, and Strata Cloud Manager into a unified platform, securing both user-to-application connections and network traffic flow. The model enables deep integration between firewall policy, network routing, and cloud-delivered security under single management.

The Strata Cloud Manager complexity problem. This is Palo Alto's defining operational liability in practitioner communities. PeerSpot and Gartner reviewers describe Strata Cloud Manager as "highly complex, cumbersome, and confusing because it attempts to present an interface for too many Palo Alto products in one place." The configuration push requirement, which takes a minimum of 2-5 minutes for every change, is a documented friction point. GlobalProtect connectivity issues, which require users to click multiple times to launch the client, generate consistent end-user complaints.

2025 licensing changes added complexity. Palo Alto announced May 8, 2025 as the end-of-sale date for AIOps for NGFW Premium, AI-Powered ADEM, and Strata Logging Service with sized storage. Existing customers were migrated automatically, but the disruption added to the licensing complexity narrative that practitioners and Gartner both consistently flag.

---

What Users Actually Report

Zscaler: What Works

TrustRadius, G2, and Capterra practitioners consistently praise Zscaler's core security effectiveness (threat detection, URL filtering, SSL inspection, and policy enforcement) as genuinely strong. TrustRadius enterprise reviewers at large organizations (Marathon Petroleum, among others) specifically describe improved latency over legacy VPN for users near ZEN nodes, and reduced internal infrastructure burden.

Centralized policy enforcement across all users regardless of location is praised as a genuine operational advantage for distributed workforces. The elimination of VPN backhauling, for users in supported geographies, delivers measurable performance improvement over legacy architectures.

Zscaler: What Doesn't Work

Latency is the defining complaint and it is geography-dependent. G2's negative tag summary for Zscaler Internet Access: Slow Performance (27 mentions), Complex Implementation (24), Connection Issues (22), Complex Configuration (22). Reddit practitioners document 10%-30% speed drops for corporate network traffic. Spiceworks community threads specifically identify renewal pricing surprise and performance in restricted geographies as the two most common reasons organizations evaluate Zscaler alternatives.

False positive blocking at initial deployment is documented across Capterra, with one reviewer noting that "many false positives and access blocked when Zscaler was first introduced" required approximately 9 months of tuning before most issues resolved. For organizations with complex SaaS environments, the tuning burden at deployment is significant.

Renewal pricing surprise. Zscaler's per-user pricing combined with add-on modules creates renewal sticker shock that is a consistent theme across Reddit and Spiceworks threads. The gap between year-one pricing and year-three costs after module additions is documented as a frequent procurement surprise.

Palo Alto Prisma Access: What Works

Organizations already running Palo Alto NGFWs consistently report genuine value in policy consistency between on-premises and cloud-delivered security. PeerSpot reviewers in financial services, the largest segment researching Prisma Access at 12% of views, describe the platform's ZTNA implementation as strong for granular application-level access control.

The integration value for existing Palo Alto customers is real and documented. Cortex XDR, NGFW, and Prisma Access sharing policy and telemetry under Strata Cloud Manager, when the organization has invested in the full platform, delivers a depth of security convergence that Zscaler's point-product architecture does not match.

Palo Alto Prisma Access: What Doesn't Work

Strata Cloud Manager is the most documented complaint across all independent review platforms. The pattern is consistent from PeerSpot, Gartner, and TrustRadius: the interface attempts to serve too many products at once, configuration pushes are slow, and end-user client connectivity generates complaints that create IT help desk burden.

Licensing complexity and changes. PeerSpot reviewers note that Prisma Cloud, the broader platform, carries "high costs and complex licensing" with "hidden and variable costs challenging" for procurement teams. The 2025 end-of-sale announcements for multiple license types, while handled at no additional cost via automatic migration, added administrative burden and reinforced the complexity narrative.

Mindshare declining. Prisma Access fell from 16.8% to 10.4% PeerSpot SASE mindshare year-over-year as of May 2026. In a growing market, declining mindshare indicates competitive displacement: organizations researching SASE solutions are increasingly considering alternatives including Cato Networks and Netskope.

---

Pricing Reality (June 2026)

Both platforms use quote-based enterprise pricing with no published rates.

Zscaler

The real-world cost: One documented 6,550-user enterprise deployment came in at $1,404,049 in Year 1 across 12 line items, an effective $214/user/year, well above headline per-user rates. Spiceworks and Reddit threads consistently document renewal sticker shock as add-on modules accumulate. Multi-year commitments achieve 15%-30% lower per-user pricing. Running a competitive evaluation against Palo Alto, Netskope, or Cato Networks drives better pricing from Zscaler.

Palo Alto Networks Prisma Access

The principle for both: The three-year TCO, not the year-one quote, is the number that matters. Get it in writing before signing either contract.

---

The Challenger Context: Cato Networks

Both Prisma Access and Zscaler are losing PeerSpot mindshare to alternatives, and Cato Networks is the most commonly cited emerging alternative in practitioner communities. Cato's single-vendor SASE platform, which converges SD-WAN, SSE, and management into a truly unified architecture rather than a consolidated bundle of acquired products, is drawing evaluation activity from organizations frustrated with both Zscaler's console sprawl and Palo Alto's Strata Cloud Manager complexity. This report covers the two market leaders, but any serious 2026 SASE evaluation should include Cato Networks in the shortlist.

---

The Decision Framework

Choose Zscaler if:

Choose Palo Alto Prisma Access if:

Consider alternatives if:

---

The Bottom Line

Zscaler and Palo Alto Prisma Access dominate enterprise SASE and Zero Trust evaluations. Both are credible market leaders. Both are losing ground to challengers in practitioner mindshare data, a signal worth tracking.

Zscaler wins for cloud-first organizations with users concentrated in geographies near ZEN infrastructure. Its latency and console sprawl complaints are real: plan for them, deploy ZDX from day one for performance monitoring, and lock renewal uplift in the initial contract.

Palo Alto Prisma Access wins for organizations with existing Palo Alto NGFW investment seeking unified platform management. Its licensing complexity and Strata Cloud Manager friction are real: budget the implementation timeline, staff accordingly, and monitor the mindshare decline as a leading indicator of competitive pressure.

For both: the three-year TCO in writing before signing is non-negotiable. And for any organization starting without existing vendor investment: include at least one challenger in the evaluation before choosing between the two incumbents.

---