Anyone have experience with Cloudbrink?

Ok my post turned out to be longer than expected. I just recently discovered this product and have done some research and am curious to hear if anyone has experience using the tool or their own opinions based on the little info available. I’ll probably request a demo, but would rather hear from the community than a sales team.

I stumbled across https://cloudbrink.com/ and it claims to be a promising SASE solution with better performance than market leaders like Zscaler and Netskope. From what I’ve derived, reading multiple articles/headlines, they have a partnership with https://www.zayo.com/ to access faster fiber, which I believe might be the leading reason that an independent study showed orders of magnitude lower latency. Perhaps it also has to do with their proprietary (I assume) solution https://cloudbrink.com/solutions/ucaas/ for handling latency/jitter/packet loss. Potentially the largest differentiator could be their AMTD offering https://cloudbrink.com/technology/automated-moving-target-defense-security/ although it seems like it’s pretty nascent.

  1. Any experience and thoughts on Cloudbrink? If not, any opinions from observation and/or experience with other SASE solutions like Cato, Netskope, Zscaler?
  2. Less important and out of curiosity, does anyone have experience with AMTD-specific tools like Morphisec?
  3. And lastly, if anyone wants to share stories…Have any of your orgs with hybrid infra found a networking solution that you receive limited complaints from users about and also find relatively painless to maintain?

Thanks, all :slight_smile:

Not familiar, but it is interesting to see them claim higher performance (presumably lower latency) and that they use their partnership with Zayo to evidence that. Zayo is nowhere near the leading Tier 1 provider. Optimizing access into public SaaS is about IX partnerships and what Tier 1’s your network (Cloud or otherwise) partners with. Cato, Netskope and Zscaler all have massive global footprints (PoPs) and tons of Tier 1 peer diversity distributed as well as extensive IX coverage.

Looking at PeeringDB I can’t even find Cloudbrink. It makes you wonder what their network really is. You can certainly find Cato, Netskope and Zscaler there and it gives you an idea of their footprint and capacity/scale.

From a security standpoint Netskope edges out the competition on Cloud App Sec, but has gaps in traditional network security when it comes to WANbound traffic, e.g. remote users accessing datacenter resources, branch to branch security, branch to DC security, etc. which means you’ll still have to keep your traditional edge Firewall in place in your public IaaS and/or private DC’s.

Cato has the more comprehensive overall security of the 3 mentioned (FWaaS, ATP, SWG, CASB/DLP, RBI, XDR, etc.). They don’t have quite the extensive Cloud App catalog or Cloud App controls as Netskope, but it tends to serve the majority of enterprise needs (especially as most enterprises are still trying to figure out what they need).

If Site connectivity is important in your project (e.g. SD-WAN use case) then Cato has a leg up on the mentioned competition, especially considering your mention of UCaaS (real-time internet applications). Neither of the other (2) suppliers can really offer you last mile optimization (SD-WAN) to public SaaS like Cato can. Again, the WAN use case for the other two leaves security gaps as well. Cato can replace your edge firewalls and in some cases, your large DC firewalls…because their security sits in line for all directions of traffic (Internet & WAN).

With Zscaler, I can’t really give them an edge anywhere on the technology side. They have good Cloud App Sec (not quite Netskope level) but with the same gaps as Netskope on the WAN protection side of things. They appear to have pretty rudimentary SD-WAN (I have not used it myself), but they really just started this journey in SD-WAN so adoption is pretty minimal at this point. You’re not likely to find too many customers using Zscaler “ZeroTrust” SDWAN (because everything has the word “ZeroTrust” in it with Zscaler).

From an operational point of view, Cato takes the cake, IMO. One management application/UI for everything. Zscaler has turned into a complicated management story. ZIA is one UI, ZPA is one UI, ZDX is one UI, etc (6 or 7 UI’s now?). Netskope acquired their SD-WAN technology (Infiot) a couple years back. I have not worked directly with it, but from what I understand it is its own separate solution with its own UI separate from the Netskope Internet Access & Private Access UI. To be validated by someone who knows more about Netskope SD-WAN than I do…which might prove to be difficult to get input on since, like Zscaler’s SD-WAN, it doesn’t seem to be widely adopted yet.

Pros & Cons to every story.

From the results they are showing - they may be reducing latency but the main thing they do is fix the last mile issues that SASE and ZTNA vendors suffer from. Interesting graph they show on this link - Latency isn’t the performance killer when compared to as little as a half percent of packet loss. (Easy on Wi-Fi and an oversubscribed ISP to get there)

https://cloudbrink.com/blog/why-do-i-need-a-packet-loss-tool/

Most SASE vendors claim to help with latency but keep a dirty secret: they add latency with their PoPs, ~100msec with Zscaler, and none fix the packet loss issue that can drop a 100Mb connection to less than 1Mb.

Interestingly they just got awarded Cool Vendor with Gartner which only gets given to fast up-and-coming startups so that would be why many people haven’t heard of them yet.
https://cloudbrink.com/blog/gartner-cool-vendor-2024/

If you look at peer reviews on Gartner, Zscaler has a common complaint around performance so it looks like this is a fix for that.

If your goal is going as fast as possible with a SASE solution, the future is taking the middleman out of the equation altogether and going direct to destination (private/public), using the internet as it was intended to be used. Focus on solutions built around that model, where they work around you, rather than asking you to bring everything to their networks.

All SDWAN solutions, a component of SASE, handle last mile risk. It’s table stakes by now. Not all solutions calling themselves SASE have SDWAN so really shouldn’t be calling themselves SASE. Not all SASE solutions with SDWAN handle last mile risk for Internet traffic. Here is my summary of what SASE handles last mile risk and with what traffic.

Cato Networks handles last mile (and middle mile) risk for ALL traffic directions. With 80+ markets covered they don’t add much or any latency to the round-trip time…unless you’re in the middle of Africa or Antarctica. Many examples of reducing latency, in fact, due to peering and IX partnerships.

VMware VeloCloud handles last mile risk for ALL traffic directions. Not as distributed of a network as Cato so higher risk of adding latency over just going direct.

Aryaka handles last mile and middle mile risk for all traffic directions. Again, not as distributed of a Network as Cato but still very distributed. Low to medium risk of adding latency to public internet apps.

Versa handles last mile risk for WAN traffic…maybe Internet as well now. I think they deploy their edge stack in Equinix DCs globally so low to medium risk of adding latency since a lot of public SaaS are in these same DCs.

PANW handles last mile risk for WAN. No real last mile protection for Internet. Internet would egress directly and add no latency…but no protection either. If you added their edge firewall then you have security but no last mile risk reduction. Only if you add Prisma Access for your internet egress will you encounter latency issues. Prisma Access is only as distributed as GCP and/or AWS. Medium to High risk of adding latency.

Fortinet handles last mile risk for WAN only. They want you to deploy your own PoPs and backhaul your internet egress through them to reduce last mile risk. You kind of control your own latency story here…but YOU have to control and manage it. Their FortiSASE is super limited in what it serves. It’s mostly intended for mobile endpoints and as a VPN replacement.

Netskope handles last mile risk for WAN. I don’t think they send internet egress from their SDWAN to their Cloud but that’s a developing story. You could at least use their agent for Internet egress but no last mile loss mitigation. An agent approach can’t really offer much in the way of last mile loss mitigation. They have a highly distributed global network so no to low added latency. Again, examples of reducing latency due to IX and peering agreements.

Zscaler is new to the SDWAN arena. Not sure they have a great strategy for last mile risk reduction for WAN. I’m pretty sure they don’t for Internet.

I could go on and on.

As you can see, MANY SASE suppliers handle last mile risk for at least WAN traffic and some handle it for all directions of traffic. Some even go a step beyond because they have their own backbone and handle long haul/middle mile risk as well.

I object! And it depends.

Your statement is right…sometimes.
Your statement is wrong…sometimes.

The public internet (and your carrier) could care less about your application performance (it knows nothing of it). It cares mostly about handing your traffic off to another provider as quickly as possible. Using cloud services like Cato & Netskope provides a more predictable experience because they are strategically partnering with certain Tier 1 providers and Internet Exchanges (IX’s) to optimize access into public SaaS. It doesn’t mean they 100% get it better than direct access all the time to everything, but they do get it better sometimes (maybe even a lot of the time)… and for other times you’ll have to consider the full context of why you’re using that cloud “security” provider.

It wasn’t the last-mile risk I was noting - it was the impact on the performance of last-mile networking issues. As you note - it comes with the territory to deal with last-mile risk.

This page https://cloudbrink.com/show-me-the-test-results/ shows a chart where they are faster than a direct connect whereas all the other solutions have a considerable impact on the end users’ performance.

They don’t actually have Edge SD-WAN. They appear to simply have an endpoint agent. There appears to be no real in-line internet security as well, just access controls. No mention of Internet Security at all on their website.

My impression is that this is just a VPN / Remote Access solution that will allow you to adopt a ZTNA strategy. They appear to be going after the Zscaler Private Access business, perhaps?

No real technical content online available, e.g. no video demos on YouTube or any other channels. Can anyone find any technical digital content on them?

I think their position on “performance improvement” is simply the result of them not touching your internet traffic? They talk about making UCaaS more reliable and state the problem but talk nothing about how they fix it. Again, my impression is that they aren’t doing anything with that traffic, so it must be better performing than solutions that do something with it, a.k.a. as good as having no solution at all.

Assuming you have a business that doesn’t care about internet security while users are remote, I guess that works. If you’re like most businesses, though, you probably care about securing your remote users and still have to address the problem with (most likely) a cloud security platform…which this doesn’t appear to be.

Btw, that test-result graphic they have on their website? Super convincing. I don’t need any other context. I’m sold! (kidding, of course)

If you look closely at that graphic, they are saying that “direct access” for a 100MB file via HTTP/S takes ~150 seconds to complete an upload or download. Hmmm? Let me get my calculator out…

100MB over 150 seconds = a xfer rate of 5.33Mbps.

Good news is…I don’t need Cloudbrink, because I can get better download/upload speeds than 5.33Mbps. Whew!

I think we are talking about the difference in underlay vs overlay optimisation. You are referring to how SDWAN/overlays can optimise performance using FEC, and other techniques. OP (and Cloudbrink by extension), from what I understand, have peering relationships with local internet providers so that they can take the least amount of hops and lowest latency paths from the end user to their point of presence.

I downloaded that report and the more detailed logarithmic chart shows the impact when using secure access solutions. The worst case on direct appears to be 150 msec but the more interesting spread is with secure access. If you always operate on a perfect network and your ISP doesn’t over-subscribe and you don’t need secure access then you wouldn’t need a solution like this.

On the peering - read about the service and look at all the CSPs and Telcos they use. They are not tied to peerings - they say they will use the fastest route on a per-session basis.

Thank you very much for exploring our website. We just wanted to see if we could double check your math in relation to upload/download speed? The graph from the report we provided clearly shows that 100mb files were both downloaded and uploaded in less than 10 seconds, which significantly exceeds 5 Mbps.

For a more direct comparison between “direct access” and Cloudbrink, can we recommend reviewing the “BroadBand Testing Labs” report. This document offers comprehensive testing results of the Cloudbrink product, available at ~https://cloudbrink.com/broadband-performance-tests.~

~Recently we were evaluated against other VPNs (for a top 3 global gaming/media company) that included a control PC without ANY VPN, Cloudbrink performed 30X faster in file and video tests.~

Cloudbrink offers a Personal-SASE/High-Performance ZTNA solution, positioned as an advanced replacement for traditional VPNs, ZTNAs, or other secure access services. What sets Cloudbrink apart is its unique capability to address and mitigate the challenges posed by the unreliability of remote networks and ISP connections, which often suffer from minor packet loss

I’m referring to both. Overlay optimization with SDWAN and optimized SaaS experience from the Cloud/PoP provider through Tier 1 peering and IX access. The two go together if you have both. Companies like Cato, Netskope and Zscaler have public facing evidence of the latter optimization with their own status pages and information available in peeringdb.com. There is no public evidence of a “network” with Cloudbrink. No status page. No mention in peeringdb.com.

Ummm 150 ms or 150 secs? The number is either fiction (150 ms) or abysmal (150 secs). To your latter point, how does a solution like this fix last mile issues like your local provider oversubscribing? How does this solution somehow make your local provider NOT oversubscribe? If the capacity is not available in the last mile, it’s certainly not available beyond.

If they are hosting in CSPs then they are beholden to that CSP’s peering. Like I mentioned before, no reference to them at all in peeringdb.com which means they likely have no network they manage or control at all. Sounds like they might just be partnering with CSPs…like Fortinet and Palo do. It doesn’t seem like there is much unique about them except that they really only address “part of the story” in terms of use cases where the competition covers more.

Ideally, it would be great if someone who has used their solution and knows it intimately could comment and clarify.

Wasn’t debating what you reported as Cloudbrink’s test results. I was contesting what Cloudbrink was basing its performance improvement on. I admit, it seems to be a mystery. Maybe you should re-read my comment?

Direct internet access is being represented by Cloudbrink as only downloading at a rate of 5 Mbps for a 100MB file. So, if you’re basing your improvement on that rate…well, I guess you can say performance is like 16x direct internet access. The real question is who has direct internet that can ONLY achieve a 5 Mbps download rate? No offense to the remote wilderness of Uganda, but is that where you tested from? This comparison is a bit nonsensical.

Let’s look at the Cloudbrink performance. 10 seconds to download a 100MB file (Cloudbrink’s own reported performance) is not great, frankly. It’s at a rate of only 80Mbps. Are you saying that the best download rate performance you can get through Cloudbrink is 80Mbps? Cloudbrink is definitely NOT faster than my direct internet access. I would argue that it’s not faster than anyone else’s direct internet that can generally perform above 80Mbps (and that’s a lot of people)…at least based on your own reports.

As Cloud-based ZTNA solutions go, I’ve seen Cato, Netskope, Zscaler (just about any mainstream solution) perform well beyond 80Mbps, e.g. 100’s of Mbps for other solutions if you have the underlay capacity to support. Cloudbrink @ 80Mbps wouldn’t be much to boast compared to the mainstream alternatives out there, I’m afraid.