Battle Cards

Feature-by-feature. No marketing fluff.

Direct apples-to-apples comparisons against every major competitor. Where we win, where they win, and where we honestly draw.

Layer 1 + 2 · Infrastructure

CyForge + CyAxis

vs VMware vSphere · Nutanix AHV/NC2 · SUSE Harvester · Proxmox VE · Citrix Hypervisor · OpenStack

Multi-hypervisor VM orchestration without the VMware tax. A single, sovereignty-grade control plane for VMs across KubeVirt, libvirt, VMware, Hyper-V, AWS, Azure, GCP, Proxmox, Nutanix, and OpenStack.

Feature | CyForge | VMware vSphere (Broadcom) | Nutanix AHV / NC2 | SUSE Harvester | Proxmox VE | Citrix Hypervisor | OpenStack
Hypervisor coverage & deployment
Hypervisors under one console (More = lower per-vendor lock-in) | 10 providers | 1 (ESXi) | 1 (AHV) + ext. | 1 (KubeVirt) | 1 (KVM) | 1 (XenServer) | 1 (KVM)
Coexists with vCenter during migration
Bare-metal install | Helm on K8s | ESXi installer | Nutanix HCI nodes | ISO appliance | Debian ISO | XenServer ISO | DIY
Phone-home telemetry (mandatory) | None | Yes (Broadcom) | Yes (Pulse) | Optional | None | Yes | None
Architecture support | x86_64 + ARM64 | x86_64 | x86_64 + ARM | x86_64 + ARM64 | x86_64 | x86_64 | x86_64 + ARM64
VM lifecycle & operations
Cross-hypervisor migration with rollbackESX → KubeVirt validated
HA auto-restartLimitedLimited✓ Masakari
Auto-scaling policies✓ built-inAdd-on (vROps)Add-on (Calm)Add-onHeat (DIY)
vGPU (NVIDIA / partitioned)Partial✓ licensed✓ licensedPartialPartialPartial
Networking
Software-defined networking | OVN built-in | NSX (separate $) | Flow / AHV | OVN | Linux bridge | Basic | Neutron / OVN
Per-VM micro-segmentation | ✓ Network Policies | ✓ NSX-T | ✓ Flow | Limited | Limited | Limited | ✓ Neutron
Multi-tenant isolation at network layer✓ NSXPartialPartial
Live impossible-travel + geo policy on VMs✓ via CyMatrix
Multi-tenancy & access
Native multi-tenant modelTenant > Org > User✓ 3-tierCloud Director ($)Prism CentralPartial✓ Keystone
Built-in identity / SSO | SAML, OIDC, internal IdP | AD / LDAP | AD / LDAP | AD basic | PAM / AD | AD | Keystone
Bundled VDI + privileged access✓ CyDusk includedHorizon (separate $)Frame (separate $)Citrix DaaS
Bundled remote browser isolation✓ CyLens included
Operations & extensibility
Open Service Provider Interface (SPI)Add a hypervisor without forking✓ VmProvider Java SPIPartialPartial✓ drivers
AI-assisted troubleshooting copilot✓ CyPilot built-in
FTE estimate to operate | 1 platform engineer | 2-3 specialists | 1-2 specialists | 1 generalist | 0.5 generalist | 2 specialists | 5-10 specialists
Commercials
List price posture (relative) | 1.0× | 3-5× post-Broadcom | 2-3× | 0.6× open source | 0.4× open source | 2-4× | 0.5× + 4× ops
Bundled platform (VDI, RBI, DLP)✗ separate SKUsPartialCitrix bundle
Time-to-deploy first VM | < 1 hour (Helm) | Days (vCenter) | Hours (HCI nodes) | 1-2 hours | < 1 hour | Hours | Days-weeks
Layer 5 · Identity & Access

CyDusk

vs Citrix DaaS · VMware Horizon · Accops HySecure · Apache Guacamole · CyberArk PAM · AWS AppStream

VDI + privileged access where credentials never reach the endpoint. A single subscription replaces {VDI broker} + {credential vault} + {session recorder} + {MFA add-on}.

Feature | CyDusk | Citrix DaaS | VMware Horizon | Accops HySecure | Apache Guacamole | CyberArk PAM | AWS AppStream
Architecture & deployment
Browser-only access (no client install)✓ HTML5Citrix Workspace requiredHorizon Client required✓ HTML5PSM client required
Protocols supported | RDP, SSH, VNC, K8s, Telnet | HDX, RDP, SSH | Blast, PCoIP, RDP | RDP, SSH, VNC, web | RDP, SSH, VNC, K8s | RDP, SSH, web, mainframe | DCV / streaming
On-prem / air-gap installDaaS = cloud-only✗ AWS only
Multi-tenancy✓ Tenant > Org > User✓ CSPPartial✗ DIYLimited
Credential & vault model
Built-in encrypted credential vault✓ AES-256-GCM envelope✗ separate PAM✗ separate PAMPartial✓ best-in-class
Zero-knowledge credential injectionUser and endpoint never see the password✗ SSO, not zero-knowledgePartial
HashiCorp Vault Transit / KMS✓ envelope readyAdd-onAdd-onPartialAWS KMS
Just-in-time credential checkoutPartial
Credential rotation on session end
Authentication & posture
MFA — Email OTP✓ SendGridAdd-onAdd-onAdd-on
MFA — WebAuthn / FIDO2Partial (Q3 roadmap)✓ Citrix Cloud✓ Workspace ONEAdd-on
Smart-card / PKCS#11 redirection✓ via CyLensPartialPartial
Device posture at session start✓ built-inAdd-on (Citrix EPA)Add-on (Workspace ONE)Limited
Geolocation + impossible travel✓ event-drivenLimitedLimited
Session governance
Session recording (video + keystroke)✓ built-inAdd-on (Advanced)Add-onAdd-on✗ DIYLimited
Segregation of Duties BLOCKMost products only LOG the violation✓ block at approval-timeLimitedLimitedPartial
Watermark on session✓ configurableLimitedPartial
User experience
Contractor self-service onboarding | Hours | Days-weeks | Days-weeks | Hours-days | DIY | Days | Days
Time-bound access (TTL)Add-onAdd-onLimited
BYOD-friendly (browser, posture-gated)Workspace app neededHorizon client neededLimitedPSM client needed
Commercials
License model | Per concurrent user / year | Per named-user | Per named-user | Per concurrent user | Free + support | Per privileged user | Per AWS user-hour
List price posture (relative) | 1.0× | 2-4× post-CSG | 2-3× | 0.8-1.2× regional | 0× + DIY ops | 3-5× PAM-only | Variable hourly
Vault included in price✗ buy CyberArkPartialn/a is the vault
Mandatory infra beyond product | Just K8s | StoreFront, NetScaler | Connection Server, UAG | HySecure gateway | Servers + reverse proxy | Vault HSM, PSM servers | AWS account

Footnote: 'Per concurrent user' counts the peak simultaneous sessions, not the named-user roster — typically 30-50% of named users. WebAuthn/FIDO2 enrolment in product Q3 post-raise; redirection through CyLens already supported.

Layer 6 · Session / Browser

CyLens

vs Island Browser · Talon (Palo Alto) · AWS WorkSpaces SB · Menlo Security · Chrome Enterprise · Citrix Secure Browser

True remote browser isolation — a Chromium runs in an isolated pod and the user receives only WebRTC / H.264 pixels. The platform integrates DLP, CDR, watermarking, and device-posture policy out of the box.

Feature | CyLens | Island Browser | Talon (Palo Alto) | AWS WorkSpaces SB | Menlo Security | Chrome Enterprise | Citrix Secure Browser
Isolation model
Architectural model | True RBI (server-side Chromium) | Managed browser (endpoint) | Managed browser (endpoint) | Hosted Chromium streaming | DOM-mirroring RBI | Endpoint browser + policy | Hosted Chromium (Citrix Cloud)
Code execution stays off endpoint
Works on unmanaged BYOD without agent✗ deploys browser
Streaming protocols | WebRTC, H.264, CDP screencast | n/a (local render) | n/a (local render) | Proprietary | DOM-mirror | n/a | HDX over HTML5
DLP & content controls
Built-in DLP engine✓ Island DLP✗ use AWS MacieAdd-onLimited
DLP pattern coverage | 380+ patterns (PII, PHI, PCI, secrets) | ~150-200 | Comparable | n/a | Comparable | n/a | Limited
CDR (Content Disarm & Reconstruct)✓ downloads sanitisedPartialPartial
Personalised watermarkLimited
Screenshot suppression✓ OS-level on podBest-effort (endpoint)Best-effort (endpoint)Limited✗ endpoint OS
Cross-origin iframe DLP (OCR)Stops widget popupsRoadmap Q3Partial
Identity & device controls
SAML 2.0 with signature validation✓ OpenSAML✓ IAM Identity Center
Smart-card / PKCS#11 redirectionPartialLimitedPartial
USB / IP device forwardingLimitedLimitedLimitedLimitedLimited
Device posture before session✓ via CyMatrixLimitedAdd-onLimited
Performance & footprint
Typical in-region latency | 40-80 ms (WebRTC) | ~Local | ~Local | 60-120 ms | 80-150 ms | ~Local | 60-120 ms
Works fully air-gapped on-prem✗ cloud-managed✗ AWS onlyPartial✗ Citrix Cloud
Commercials
License model | Per concurrent session / year | Per named-user / year | Per named-user / year | Per AWS user-hour | Per concurrent session | Per managed-user / year | Per concurrent session
List price posture (relative) | 1.0× | 1.5-2.5× full-fleet | Comparable | Variable (AWS hourly) | Comparable | Cheap, no isolation | 1.5-2× + Citrix Cloud
Bundled with platformPrisma SASE bundleAWS bundleWorkspace bundleCitrix bundle
Right-fit user tier | Contractors, BYOD, M&A, high-risk | 50K corp FTEs | 50K corp FTEs | AWS-shop users | High-risk users | Corporate FTEs | Citrix shop users

Footnote: 'True RBI' = no application code executes on the endpoint; only encoded pixels are streamed back. Latency figures observed in typical in-region deployments with hardware H.264 enabled. Cross-origin iframe DLP via OCR design-complete; roadmap Q3 post-raise — requires GPU on streaming nodes.

Layer 4 · Policy & Governance

CyMatrix

vs Zscaler ZIA/SSE · Netskope Intelligent SSE · Forcepoint DLP · Microsoft Purview · SailPoint IdentitySec · Symantec DLP

One policy console for VMs, sessions, browsers, and data. Complementary to network-edge SSE/SWG products, not a replacement.

Feature | CyMatrix | Zscaler ZIA / SSE | Netskope SSE | Forcepoint DLP | Microsoft Purview | SailPoint IdentitySec | Symantec DLP
Where policy is enforced
Inside the workload (VM / session / browser)✗ network edge✗ network edgeEndpointM365 boundaryIdentity layerEndpoint
Network egress (forward proxy / SWG)✗ (coexist)✓ best-in-classLimitedLimited
Inside SaaS / API CASBLimited (browser-side DLP)✓ CASB leaderLimitedWithin MS onlyAdd-on
DLP coverage
DLP at browser path (RBI-native)✓ via CyLensNetwork onlyNetwork onlyEndpoint browserEdge browser onlyEndpoint
DLP at VDI session path✓ via CyDuskLimitedLimited
Pattern library out-of-box | 380+ | ~250+ | ~250+ | 350+ | 300+ (M365) | n/a | 350+
Access governance
Entitlement cataloguePartial✓ best-in-class
Just-in-time access requestsPartial
SoD BLOCK at request-timeMost products only LOG✓ block, with reasonPartial
Time-bound entitlement (TTL)Limited
Access certification campaignsRoadmap Q4Limited✓ full IGA
Device & location
Impossible travel detection✓ event-driven✓ network telemetryLimited✓ Entra IDLimitedLimited
Auto session-revoke on impossible travel✓ CAE wiredLimitedPartialLimited
Operations & integration
Hierarchical merge (VM > Net > Tenant > System)Per-tenantPer-tenantPer-rulePer-tenantPer-orgPer-rule
One audit log across all enforcementWithin ZIA onlyWithin Netskope onlyWithin Forcepoint onlyWithin Purview onlyWithin IGA onlyWithin Symantec only
Coexists with edge SSE / SWG✓ designed ton/a (it IS SWG)n/aLimitedLimited
Commercials
Standalone SKU?Bundled with platform✓ per-user/yearBundled with E5
List price posture (relative) | Included at base | Premium per-user pricing | Premium per-user pricing | Premium per-user pricing | Bundled with E5 | Premium IGA | Premium per-user pricing
Right-fit positioning | Workload-side policy plane | Edge SSE / SWG king | CASB-leaning SSE | Endpoint DLP | Microsoft estate | Full IGA | Endpoint DLP

Footnote: 'Coexist' means complementary — CyMatrix at the workload, SSE/SWG at the network edge. Microsoft Purview is excellent inside the M365 estate; coverage stops at non-MS workloads.

Honesty Principle

When CyMesh is not the right choice.

We tell you which categories we don't compete in. Buyers trust this far more than a checkbox matrix claiming everything.

CSPM / CNAPP
Use Wiz / Palo Alto Prisma. We run workloads; we don't audit cloud configurations.
SD-WAN / SASE
Use Cisco / Zscaler. We don't run a global PoP network.
EDR / XDR
Use CrowdStrike. Pixels-only architecture means nothing on endpoint to detect.
Identity store
Use Okta / Azure AD. We integrate via SCIM 2.0; we don't replace your IdP.
IGA / access certification
Use SailPoint / Saviynt. We handle JIT entitlements; we don't run quarterly reviews.
SOAR
Use Cortex XSOAR. We feed events via webhook; we don't orchestrate workflows.

30-Day POC, free.

Bring two idle servers. We bring the SE. Five success criteria, hard-coded TCO comparison vs your current renewal quote. Zero procurement, zero commitment.