Should you build or buy SD-WAN?

SD-WAN (Software-Defined Wide Area Network) software provides a virtual overlay network that connects branch offices, data centers, and cloud resources using commodity broadband links — with centralized traffic policy management, application-aware routing, and link aggregation that eliminates dependence on expensive MPLS circuits.

The build-vs-buy decision for SD-WAN turns on two questions: whether your networking team has the expertise to operate a self-managed overlay and control plane, and whether the documented savings actually come from replacing MPLS with broadband or from building a better network platform. Most of the economics here have been stable, with managed delivery winning for the majority of organizations.

Domain: IT Operations
Function: Engineering, IT & AI
Industries: Cross-industry

Last assessed June 2026 · re-scored quarterly via The Continuum.

Build it, buy it, or bridge?

| | Build it | Buy it | Bridge (buy, then extend) |
|---|---|---|---|
| Cost shape | Open-source (VyOS, pfSense, ZeroTier) with in-house networking engineering; hidden expertise cost | Per-site or per-Mbps licensing; MPLS savings typically fund the platform cost | Managed SD-WAN service with self-configured policies; telco-delivered with operator oversight |
| Time to value | Months to deploy and tune across sites; requires networking expertise for control plane | Appliances or virtual edges deployed in days; centralized policy immediate | Managed service active faster than DIY; policy customization layered in over time |
| Differentiation captured | Full control of routing policy and overlay; no vendor lock-in on appliance lifecycle | Proven appliance ecosystem; SASE convergence (Cato, Zscaler) merges network and security policy | Vendor SASE platform with custom application steering policies |
| AI feasibility today | flexiWAN open-source SD-WAN/SASE exists; DIY recognized as one of three standard deployment models | Vendors adding AI-driven path selection and anomaly detection to traffic steering | Managed platform AI for traffic steering; internal tooling for policy customization |
| Who it fits | Organizations with strong in-house networking engineering and specific control plane requirements | Multi-site organizations replacing MPLS; companies converging network and security under SASE | Companies wanting managed delivery but retaining application policy control |


When building SD-WAN makes sense

Self-managed SD-WAN (deploying VyOS, pfSense, or ZeroTier as an overlay) is a recognized option for organizations with dedicated networking engineers who want full control over the routing policy and want to avoid appliance vendor lock-in. flexiWAN provides an open-source SD-WAN and SASE stack for self-deployment. The case works when your networking team is strong enough to operate the control plane, when your site topology is homogeneous enough that breadth of vendor appliance support isn't needed, and when the specific routing or security policy requirements exceed what commercial platforms configure cleanly. What's important to understand: the documented cost savings in SD-WAN generally come from replacing MPLS circuits with broadband transport, not from building a better overlay. The transport substitution payoff is available with any SD-WAN approach, including a fully managed vendor deployment.

When buying SD-WAN makes sense

Buying earns its keep for the majority of multi-site organizations. Cisco Meraki, Fortinet Secure SD-WAN, and Cato Networks deliver traffic steering, link aggregation, and security functions against well-understood pricing, with support and hardware that most networking teams prefer to owning the control plane. Cato and Zscaler are worth evaluating for organizations on a SASE path, where SD-WAN and security policy converge in a cloud-delivered service — that architecture changes the build question significantly. The engineering overhead of running a self-managed overlay, including failover testing, firmware management, and multisite policy consistency, tends to eat the apparent licensing savings faster than the headline numbers suggest for teams without dedicated WAN engineering capacity.

SD-WAN is commodity infrastructure, and the economics reflect that. The documented savings in this category come from replacing MPLS with broadband, not from building a better overlay controller. Cisco Meraki, Fortinet Secure SD-WAN, and Cato Networks all deliver traffic steering, security, and application-aware routing against well-understood pricing. A self-managed deployment using VyOS or pfSense with ZeroTier for overlay is a recognized option for networking teams with the expertise to run it, but the engineering overhead eats the licensing savings faster than it looks on a spreadsheet.

Zscaler and Cato Networks push SD-WAN toward a SASE model where network and security policy converge in a cloud-delivered service. That direction is worth watching because it changes the build-vs-buy question: you're not evaluating an appliance anymore, you're evaluating whether your networking team wants to own the control plane or outsource it. For most organizations without dedicated WAN engineering capacity, managed delivery is winning, and the cost advantage of DIY is narrower than the headline numbers suggest.

Representative vendors

Zscaler, Fortinet Secure SD-WAN, and 3 more, scored in B4 Pro


Frequently asked

When does building SD-WAN make sense?
Building makes sense for organizations with dedicated networking engineers who need full control over the routing policy and overlay. VyOS, pfSense, and ZeroTier are recognized self-deployment options, though the main cost savings in SD-WAN come from replacing MPLS with broadband regardless of which approach you take.
When does buying SD-WAN make sense?
Buying makes sense for most multi-site organizations replacing MPLS. Commercial platforms deliver traffic steering, link failover, and security functions without requiring in-house networking engineering expertise, and SASE vendors like Cato Networks converge SD-WAN and security policy in a single cloud-delivered service.
What are the main SD-WAN vendors?
Representative vendors include Cato Networks, Cisco Meraki / Viptela, Zscaler, and Fortinet Secure SD-WAN. B4 Pro scores the full set.
What is SASE and how does it relate to SD-WAN?
SASE (Secure Access Service Edge) converges SD-WAN networking with cloud-delivered security (firewall, CASB, zero-trust access) into a single platform. Cato Networks and Zscaler deliver this model, which changes the SD-WAN evaluation from a standalone network overlay question into a broader network and security architecture decision.

The B4 Index scores every software category on two axes, strategic differentiation and AI feasibility, to classify it Build, Buy, Bridge, or Beware.
