Sandworm SASE
Secure access service edge — ZTNA, SWG, CASB, DLP, FWaaS, and RBI in one fabric.
What is Sandworm SASE?
Sandworm SASE is a Secure Access Service Edge (SASE) platform that converges zero-trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), data loss prevention (DLP), firewall-as-a-service (FWaaS), and remote browser isolation (RBI) into a single cloud-delivered fabric. It is designed for IT and security teams replacing legacy VPN infrastructure with identity-aware, device-posture-aware access controls for remote and hybrid workforces.
- Users connect to applications, not the network — access is verified per-session against identity and device-posture policy.
- SWG and CASB provide URL categorisation, TLS inspection, malware scanning, and shadow-IT discovery for outbound traffic.
- Remote Browser Isolation renders risky web content in an isolated cloud browser and streams it to the user as a pixel feed, so active content executes remotely rather than on the device.
Connect your identity provider
Sandworm SASE enforces access policy based on user identity and device posture. Start by connecting your IdP: SAML 2.0 for sign-in and SCIM for provisioning, so Sandworm SASE can resolve users and groups when it evaluates policy.
- SAML 2.0: configure Sandworm SASE as a Service Provider in your IdP (Okta, Entra ID, Google Workspace, etc.) and paste your IdP's metadata URL into Sandworm SASE.
- SCIM provisioning: enable SCIM on your IdP to push user/group changes to Sandworm SASE automatically.
- Device posture: deploy the lightweight device agent for OS version, patch status, and disk-encryption checks.
- DNS-over-HTTPS or PAC file configuration routes user web traffic through Sandworm SASE for SWG and CASB inspection. Note the coverage limits: a PAC file steers only proxy-aware clients (browsers and applications that honour system proxy settings), and DNS-based steering covers only traffic that resolves names through the Sandworm SASE resolver; traffic that bypasses both is not inspected.
1. Register Sandworm SASE as a SAML SP in your IdP.
Download the Sandworm SASE SP metadata XML from Settings → Identity → SAML and upload it to your IdP. Paste the IdP metadata URL back into Sandworm SASE to complete the exchange.
2. Deploy the device agent.
Distribute the device agent (Windows MSI or macOS PKG) via your MDM. The agent reports OS version, patch level, and disk-encryption status to Sandworm SASE for posture evaluation.
3. Configure DNS-over-HTTPS or a PAC file.
Point DNS-over-HTTPS at the Sandworm SASE resolver, or deploy the PAC file from Settings → Traffic Routing to route web traffic through the SWG.
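As an added example (this is not the PAC file Sandworm SASE generates under Settings → Traffic Routing), the following PAC script shows the shape of a fail-closed proxy configuration: every external web request goes to the SWG, while unqualified intranet names, loopback, link-local and RFC 1918 addresses stay direct. The proxy endpoint swg.sandworm.example:443 is an assumption; substitute the endpoint shown in your own deployment.

```javascript
// Added example PAC file, not Sandworm SASE's own. The SWG endpoint below is
// an assumption for illustration. PAC files run in the browser's PAC engine,
// so this uses only plain JavaScript (no PAC helper functions) and also runs
// under Node for testing.
var SWG_PROXY = "HTTPS swg.sandworm.example:443"; // assumed SWG endpoint

// Dotted-quad IPv4 literal, e.g. "10.1.2.3".
var IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for loopback, link-local and RFC 1918 private ranges.
function isPrivateIPv4(host) {
  var m = IPV4.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 ||                          // 10.0.0.0/8
         (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12
         (a === 192 && b === 168) ||          // 192.168.0.0/16
         a === 127 ||                         // 127.0.0.0/8 loopback
         (a === 169 && b === 254);            // 169.254.0.0/16 link-local
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified intranet names and private/loopback addresses are not
  // reachable from the cloud SWG anyway, so they stay direct.
  if (host.indexOf(".") === -1 || host === "localhost" || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else goes through the SWG. There is deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the browser fails
  // closed instead of silently bypassing inspection.
  return SWG_PROXY;
}
```

Keep the bypass list as short as possible, since every bypassed destination is uninspected traffic. This example handles only IPv4 literals; a production PAC for dual-stack networks should also test IPv6 literals (for example with the engine's isInNetEx helper) before treating a destination as internal.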
Key concepts
SASE is a converged, cloud-delivered fabric that combines network and security capabilities. The components Sandworm SASE bundles are:
- ZTNA: zero-trust network access — users connect to applications, not the network; access verified per-session.
- SWG (Secure Web Gateway): URL categorisation, TLS inspection, and malware scanning for outbound web traffic.
- CASB: cloud access security broker — visibility and control over SaaS usage; shadow IT discovery.
- DLP: data loss prevention policies applied inline to web, SaaS, and private-app traffic.
- FWaaS: firewall-as-a-service for branch-to-cloud and inter-app traffic.
- RBI (Remote Browser Isolation): render risky web content in an isolated cloud browser and stream it to the user as a pixel feed, so active content runs there rather than on the device.
Publishing your first application
Navigate to Sandworm SASE → Applications → Add Application. Choose a private app (ZTNA) or a SaaS app (CASB). For ZTNA, provide the internal hostname and port; Sandworm SASE provisions a cloud-proxied endpoint your users reach without a VPN.
- Assign an access policy (identity group + device-posture requirements) before publishing.
- The Live Tunnel Dashboard shows active sessions and latency per user.
- Enable DLP on an application to scan uploads and downloads for sensitive data patterns.
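The access policy attached to a published application combines an identity-group check with device-posture requirements, evaluated per session. The following added example (not Sandworm SASE's policy engine or policy schema; every field name, the sample policy and the sample sessions are constructed for illustration) shows the decision logic a practitioner would expect behind such a policy, including the two cases that matter most in a zero-trust design: a session with no posture report, and one whose posture report is stale, both of which must fail closed.

```javascript
"use strict";
// Added example, not Sandworm SASE's own policy engine or policy schema: a
// per-session access decision that requires membership in an allowed identity
// group AND a fresh, compliant device-posture report. All field names, the
// sample policy and the sample sessions below are constructed for illustration.

const MINUTE = 60 * 1000;
const DAY = 24 * 60 * MINUTE;
const NOW = Date.UTC(2024, 5, 1, 12, 0, 0); // fixed clock so results are reproducible

// Compare dotted version strings numerically: "10.0.19045" >= "10.0.19041".
function versionAtLeast(actual, minimum) {
  const a = String(actual).split(".").map(Number);
  const b = String(minimum).split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Evaluate one session against one application's policy at time `now`.
// Returns { allow, reasons } so every deny is explainable to the user and SOC.
function evaluateAccess(policy, session, now) {
  const reasons = [];

  // Identity: the user must belong to at least one allowed group.
  const groups = (session.user && session.user.groups) || [];
  if (!policy.allowedGroups.some((g) => groups.includes(g))) {
    reasons.push("user not in an allowed group");
  }

  // Device posture: fail closed. No agent report, or a stale one, is a deny.
  const req = policy.posture;
  const posture = session.device && session.device.posture;
  if (!posture) {
    reasons.push("no device-posture report");
  } else if (now - posture.reportedAt > req.maxPostureAgeMinutes * MINUTE) {
    reasons.push("device-posture report is stale");
  } else {
    const minOs = req.minOsVersion[posture.os];
    if (!minOs) {
      reasons.push(`operating system ${posture.os} not permitted`);
    } else if (!versionAtLeast(posture.osVersion, minOs)) {
      reasons.push(`OS version ${posture.osVersion} below minimum ${minOs}`);
    }
    if (req.requireDiskEncryption && posture.diskEncrypted !== true) {
      reasons.push("disk encryption not enabled");
    }
    // A missing timestamp yields NaN, and NaN fails the comparison: deny.
    const patchAgeDays = (now - posture.lastPatchedAt) / DAY;
    if (!(patchAgeDays <= req.maxPatchAgeDays)) {
      reasons.push(`last patch older than ${req.maxPatchAgeDays} days`);
    }
  }
  return { allow: reasons.length === 0, reasons };
}

// Constructed sample policy for a private app published via ZTNA.
const SAMPLE_POLICY = {
  app: "payroll-internal",
  allowedGroups: ["finance", "it-admins"],
  posture: {
    minOsVersion: { windows: "10.0.19045", macos: "13.0" },
    requireDiskEncryption: true,
    maxPatchAgeDays: 30,
    maxPostureAgeMinutes: 15,
  },
};

// Constructed posture report from a compliant, recently patched Mac.
const GOOD_POSTURE = {
  os: "macos", osVersion: "14.4.1", diskEncrypted: true,
  lastPatchedAt: NOW - 3 * DAY, reportedAt: NOW - 2 * MINUTE,
};

// Constructed sample sessions covering the common allow and deny cases.
const SAMPLE_SESSIONS = {
  compliant:    { user: { id: "alice", groups: ["finance"] }, device: { posture: GOOD_POSTURE } },
  wrongGroup:   { user: { id: "bob", groups: ["marketing"] }, device: { posture: GOOD_POSTURE } },
  noAgent:      { user: { id: "carol", groups: ["finance"] }, device: {} },
  stale:        { user: { id: "dan", groups: ["finance"] },
                  device: { posture: { ...GOOD_POSTURE, reportedAt: NOW - 40 * MINUTE } } },
  nonCompliant: { user: { id: "erin", groups: ["it-admins"] },
                  device: { posture: { os: "windows", osVersion: "10.0.19041", diskEncrypted: false,
                                       lastPatchedAt: NOW - 45 * DAY, reportedAt: NOW - MINUTE } } },
};

// Decide every sample session; returns a name -> decision map.
function decideAll() {
  const out = {};
  for (const [name, session] of Object.entries(SAMPLE_SESSIONS)) {
    out[name] = evaluateAccess(SAMPLE_POLICY, session, NOW);
  }
  return out;
}

console.log(JSON.stringify(decideAll(), null, 2));
```

Two design choices carry over to any real policy engine: the decision returns every failed requirement rather than the first one, so the help desk and the SOC can see why a session was denied, and the posture branch treats "absent" and "too old" as deny rather than as "unknown", because an attacker who can stop the agent reporting must not thereby gain access.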
Integrations
Sandworm SASE integrates with your identity stack, endpoint posture tooling, and the broader Sandworm platform to share session and access telemetry.
- Identity providers: Okta, Microsoft Entra ID, Google Workspace, Ping Identity via SAML 2.0 and SCIM.
- MDM / device management: Jamf, Microsoft Intune, Workspace ONE for device-posture attestation data.
- Sandworm SIEM: access events and DLP policy violations forwarded in OCSF format for correlation.
- Truthsayer (anti-social-engineering): Sandworm SASE session anomalies (impossible travel, new device) feed Truthsayer for behavioural alerting.
- Elm (SOAR): DLP violations and access-policy blocks can auto-create Elm cases for analyst review.
- Stillsuit: Sandworm SASE covers cloud-delivered and remote-user access; Stillsuit handles on-premise and data-centre perimeters.
API and CLI
Manage Sandworm SASE applications, policies, and session data via the sandworm CLI or REST API.
- `sandworm sietch apps list` — list published applications.
- `sandworm sietch sessions list --active` — current active user sessions.
- `sandworm sietch policy apply <policy-id>` — push an access policy update.
- REST API: see the OpenAPI spec at /api/sietch/openapi.json on your deployment.
For example, to list active sessions as a table:

```shell
sandworm sietch sessions list --active --format table
```