Skip to content

7 Questions to Ask Before You Sign a NaaS Contract

"Network as a Service" has joined the list of terms that vendors use to mean whatever serves the moment: a hardware lease, a financing arrangement, a monitoring overlay on top of a traditional deployment, occasionally the real thing. Before you sign a multi-year NaaS contract, the language matters less than what you're actually getting.

The simplest test of whether a NaaS contract is real is whether the provider takes contractual responsibility for operating your network day over day, not just installing it and handing it back. These seven questions separate the real from the rebranded in a 30-minute conversation.

Who operates the network after go-live?

The single most important question, and the one most commonly dodged. In a real NaaS engagement, the provider designs, deploys, monitors, responds to incidents, manages configuration, patches the OS, and upgrades the hardware. If the contract says any of that falls back to your team after the first 30 days, you bought an installation, not a service.

Aegis NaaS covers design, deployment, 24x7x365 monitoring and incident response, configuration management, and lifecycle operations under a single subscription.

What platforms is it built on, and can you see the reference architecture?

Generic NaaS offerings tend to obscure the underlying platform because they run different gear per deployment, which creates operational debt for the provider and unpredictable performance for you. A defensible NaaS is built on a standardized, purpose-built stack.

For Aegis NaaS, that means Arista switches and Wi-Fi access points for the in-site infrastructure, and Cato Networks for SASE (SD-WAN, ZTNA, edge security, cloud optimization).

NaaS offerings that won't show you the underlying design are usually NaaS in marketing only. You can tell the difference in a 10-minute technical conversation.

How is security actually delivered at the edge?

Traditional branch networks backhaul traffic to a central data center for security inspection, which worked when users and apps lived there. They don't anymore. SASE pushes security and access control out to where users and data actually live, which means identity-based ZTNA, cloud-delivered threat prevention, and CASB controls travel with the user, not with the network.

If your NaaS vendor's answer to security is "we can install a firewall," you're buying a 2012 architecture in 2024 packaging.

How is access control enforced on the LAN?

The LAN is where the interesting attack surface lives: printers, IoT devices, contractors, guests, the random industrial sensor someone plugged in last year. A real NaaS includes Network Access Control integrated with your directory services, so every wired and wireless connection enforces user-and-device-specific policy automatically.

Without it, every port is effectively trusted, and Zero Trust at the perimeter is undermined by implicit trust in the closet.

What's included in the subscription, and what isn't?

A NaaS subscription should include, at minimum: hardware (switches, APs, SASE edge devices), all required software licensing, site surveys and design, turnkey deployment, 24x7x365 monitoring and incident response, configuration management, moves/adds/changes, and firmware upgrades.

Things that commonly get billed separately (and shouldn't) are routine change requests, ongoing tuning, and lifecycle refresh. If the answer to "what's extra?" takes more than a few lines, the total cost of ownership math will surprise you in year two.

What kind of operational visibility do you actually get?

This is the one that separates engineers from non-engineers at the vendor. A lot of managed network services treat their operational tooling as a black box, which makes troubleshooting a ticket-and-wait exercise.

A credible NaaS gives your team transparent access to dashboards, telemetry, and reporting in real time, covering performance, configuration state, security events, and application flows. You don't need to see every CLI command the provider runs, but you should see every material change, every KPI, and every incident, without asking.

If your NaaS provider's operational tooling looks like another opaque silo you can't query, they've just added a layer of friction to your environment and charged you a subscription for it. The whole point of this model is supposed to be less complexity for you, not more.

What happens at end-of-term?

The quiet question that decides the long-term relationship. Legitimate NaaS providers should be upfront about whether hardware can be purchased out at end of term, what the migration path looks like if you go a different direction, and whether the design and documentation are yours.

The goal of a good partnership is the customer continuing to renew because the service is working, not because the exit is painful. Any NaaS contract that relies on lock-in for retention has already told you something about the service quality.

A Different Approach

Why Aegis NaaS is built the way it is

We built Aegis NaaS because we've been on the buyer side of this contract, and we've seen what happens when NaaS is sold as marketing instead of engineered as a service. It's built on a standardized Arista-plus-Cato architecture, operated under a co-managed model (you keep strategic control, we handle the operational friction), delivered with full operational visibility into configuration, telemetry, and performance, and priced as a predictable per-site subscription that replaces the unpredictable capex and operational tail of traditional enterprise networking.

FAQ

How is NaaS priced compared to traditional network capex?

Aegis NaaS is a predictable per-site subscription that bundles hardware, licensing, design, deployment, and operations. For most mid-market and enterprise environments, total cost of ownership lands below traditional capex plus the operational tail, especially once you factor in staff time spent on commodity network work.

What happens if we want to exit the service?

The exit provisions are in the contract and we're direct about them before signing. Hardware can typically be purchased out at end of term at a defined residual. Configuration, design documentation, and runbooks are yours. We're not interested in retention that depends on exit being painful.

Can we bring our own security vendor or stay with an incumbent?

Yes, with caveats. The standardized Arista and Cato stack is what makes the operational economics work. We can accommodate an existing security platform (a Palo Alto estate, for example), but expect a conversation about which parts stay standardized.

Is Aegis NaaS suitable for a single-site office?

Real per-site economics start around three to five sites, though we have deployed single-site engagements where the operational model was the driver. If you're running one flagship office with a small IT team and need the coverage, the conversation is worth having.