With Cato Dynamic Prevention, SASE provider Cato Networks introduces an engine that evaluates attack patterns and automatically adjusts security policies.

Modern cyberattacks rarely leave a single, clear signal. Instead, attackers spread their activities over weeks or months and rely on legitimate tools such as remote management software or cloud services, so that no single action stands out to traditional security systems. This use of tools already present in the environment is known as "living off the land"; combined with low-and-slow timing, it is what makes isolated, per-event security solutions increasingly ineffective.

Network security provider Cato Networks is now addressing this gap with Cato Dynamic Prevention, a new component of its SASE (Secure Access Service Edge) platform. The engine continuously correlates network and security signals over a period of several months, detects behavior-based attack patterns, and automatically initiates countermeasures – even if individual events appear inconspicuous on their own.

Attacks develop unnoticed – classic defenses are too late

The fundamental problem lies in the architecture of conventional security products: they analyze events individually and in real time, without linking activities across longer periods of time, different hosts, or network segments. Attackers have adapted to this. They carry out a series of low-visibility actions that are only recognizable as an attack chain when viewed as a whole.

According to a survey by market research company Gartner, 61 percent of companies lack specialized personnel for active threat hunting. As a result, security analysts often act reactively – and lose valuable time in which attackers have already established themselves in the network.

Swissport International, a ground handling and air freight service provider with more than 360 locations worldwide, uses the Cato SASE platform for over 26,000 users. For the company’s CISO, delayed detection is not an abstract risk: in airport operations, any disruption can have immediate operational consequences.

Behavior-based correlation instead of selective checks

Cato Dynamic Prevention is natively integrated into the existing SASE platform and accesses signals from all inline sensors, including data loss prevention (DLP), intrusion prevention system (IPS), and next-generation anti-malware (NGAM). These are supplemented by out-of-band analysis methods. The engine evaluates activities not in isolation, but in their overall context: It correlates events over months, building a continuously updated behavioral profile.

If the system identifies malicious behavior, the platform automatically adjusts its security policies and blocks risky actions in real time—including all related activities of the threat actor. No manual intervention by IT or SOC personnel is required.
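The following Python example is an added illustration of the difference between per-event checks and long-window, per-actor correlation; it is not Cato's engine and does not reflect its scoring. The event records, signal weights, window length and thresholds are all constructed for the demo, and the "block actor" verdict is only a returned decision, not an integration with any enforcement point.

```python
"""Toy long-window behavioral correlation (added illustration, not Cato's engine)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: each event is individually low-severity and
# would not trip a per-event rule. Hosts, actors and signal names are invented.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2024-01-03T09:12:00", "host": "ws-017", "actor": "j.doe", "signal": "rmm_tool_installed"},
    {"id": 2, "ts": "2024-01-19T22:41:00", "host": "ws-017", "actor": "j.doe", "signal": "off_hours_login"},
    {"id": 3, "ts": "2024-02-06T14:05:00", "host": "srv-fs01", "actor": "j.doe", "signal": "smb_share_enum"},
    {"id": 4, "ts": "2024-02-27T03:30:00", "host": "srv-fs01", "actor": "j.doe", "signal": "cloud_storage_upload"},
    {"id": 5, "ts": "2024-03-02T11:00:00", "host": "ws-042", "actor": "a.roe", "signal": "rmm_tool_installed"},
    # Old activity by the same actor, outside the correlation window, is ignored.
    {"id": 6, "ts": "2023-06-15T10:00:00", "host": "ws-017", "actor": "j.doe", "signal": "smb_share_enum"},
]

# Each signal maps to a (tactic, weight). No single weight reaches the
# per-event threshold; that is the whole point of low-and-slow tradecraft.
SIGNAL_WEIGHTS = {
    "rmm_tool_installed": ("persistence", 2),
    "off_hours_login": ("credential_use", 1),
    "smb_share_enum": ("discovery", 2),
    "cloud_storage_upload": ("exfiltration", 3),
}
PER_EVENT_THRESHOLD = 5   # classic rule: alert only on one severe event
CHAIN_THRESHOLD = 12      # correlated score at which the actor is blocked
WINDOW = timedelta(days=90)  # assumed correlation window for the demo


def evaluate_isolated(events):
    """Classic per-event check: returns ids of events that are severe on their own."""
    return [e["id"] for e in events if SIGNAL_WEIGHTS[e["signal"]][1] >= PER_EVENT_THRESHOLD]


def correlate(events, now_iso):
    """Per-actor correlation over the whole window.

    score = sum of signal weights
          + 2 points for every additional distinct tactic (chain breadth)
          + 1 point for every additional host touched (lateral spread)
    Returning the related event ids lets a responder see the full chain,
    and lets an enforcement layer act on all of the actor's activity at once.
    """
    now = datetime.fromisoformat(now_iso)
    window_start = now - WINDOW
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if datetime.fromisoformat(e["ts"]) >= window_start:
            by_actor[e["actor"]].append(e)

    verdicts = {}
    for actor, evs in by_actor.items():
        tactics = {SIGNAL_WEIGHTS[e["signal"]][0] for e in evs}
        hosts = {e["host"] for e in evs}
        score = (sum(SIGNAL_WEIGHTS[e["signal"]][1] for e in evs)
                 + 2 * (len(tactics) - 1)
                 + (len(hosts) - 1))
        verdicts[actor] = {
            "score": score,
            "tactics": sorted(tactics),
            "hosts": sorted(hosts),
            "related_event_ids": [e["id"] for e in evs],
            "action": "block_actor" if score >= CHAIN_THRESHOLD else "monitor",
        }
    return verdicts


if __name__ == "__main__":
    print("isolated alerts:", evaluate_isolated(SAMPLE_EVENTS))
    for actor, v in correlate(SAMPLE_EVENTS, "2024-03-05T00:00:00").items():
        print(actor, v)
```

The per-event check returns nothing, because no single event in the sample is severe enough. The correlated view scores j.doe at 15 (four low-weight signals spanning four tactics and two hosts within the window) and returns a block verdict together with every related event id, while a.roe, with one isolated signal, stays in monitoring. Real engines weigh far more signals and will tune thresholds to the environment; the structure that matters is the long window, the per-actor aggregation, and the fact that the verdict carries the whole chain rather than one event.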

AI-powered attacks increase the pressure to act

The introduction of Cato Dynamic Prevention comes at a time when attacks are becoming significantly more complex due to the use of AI tools and autonomous agents. Attackers automate attack chains, misuse legitimate login credentials, and deliberately operate below the detection thresholds of conventional security systems.

According to Cato, continuous context analysis is intended to let the engine anticipate an attacker's next steps and intervene preventively, before a breach has occurred. The company also expects the number of false alarms to fall, since actions are blocked only when the accumulated behavior pattern clearly indicates a threat rather than on the basis of a single event.

Classification: SASE as a consolidation approach

The SASE concept combines network and security functions in a single cloud-based platform. Cato Networks takes the approach of centrally bundling all security signals to create the depth of context necessary for behavior-based detection. Cato Dynamic Prevention shows where this approach is heading: away from manual analysis of individual events and toward automated, context-aware prevention.

This could be relevant for security teams in resource-constrained environments: when adaptive rules take effect automatically, the operational effort required for routine investigations is reduced. Whether the engine delivers what it promises in practice, including an acceptable false-positive rate for automated blocking, will only become clear in production use.

By Jakob Jung

Dr. Jakob Jung is Editor-in-Chief of Security Storage and Channel Germany. He has been working in IT journalism for more than 20 years. His career includes Computer Reseller News, Heise Resale, Informationweek, Techtarget (storage and data center) and ChannelBiz. He also freelances for numerous IT publications, including Computerwoche, Channelpartner, IT-Business, Storage-Insider and ZDnet. His main topics are channel, storage, security, data center, ERP and CRM. Contact via Mail: jakob.jung@security-storage-und-channel-germany.de
