Managed SD-WAN vs Self managed: which to choose?

Managed SD-WAN is a deployment model where a service provider or vendor operates the SD-WAN platform on behalf of the customer, handling design, configuration, monitoring and ongoing changes. Self managed (DIY) SD-WAN is the opposite: the customer’s own IT team owns the platform end to end, from hardware to policy definition to day two operations. A third path, co managed SD-WAN, splits responsibility between the provider and the internal team. The right choice depends on in house expertise, budget, scale and how much operational control your business needs. Teldat supports all three models through the CNM SD-WAN Suite and its partner ecosystem.

Managed SD-WAN vs Self managed SD-WAN

Managed SD-WAN is a service in which a managed service provider (MSP), telecom carrier or vendor takes operational responsibility for the customer’s SD-WAN infrastructure. The provider owns the design, deploys the edge devices, operates the controller, monitors network health 24×7 and handles every change request. The customer receives SD-WAN as a service governed by an SLA, paying a recurring fee per site or per managed device.

Self managed SD-WAN (sometimes called DIY SD-WAN) puts the customer in full control. The internal networking team procures the hardware, builds the overlay policies, integrates with security and identity systems and runs day two operations. The vendor provides the platform, software licences and support, but the customer operates it. This model is common in organizations with mature network and security teams, strict data sovereignty requirements or unique technical environments.

Co managed SD-WAN sits between the two. Responsibility is split by domain: the provider may run the underlying transport, monitoring and first line support, while the customer retains control over policy, segmentation and application routing. Co management is often the practical outcome of a negotiation between the appetite for outsourcing and the need to keep sensitive policy decisions in house.

The three deployment models in detail

The three SD-WAN deployment models differ in who holds the operational keys. The same Teldat CNM SD-WAN Suite runs underneath all of them; what changes is where the responsibility for design, change management and monitoring sits. The models below are the ones most commonly found in enterprise deployments.

1. Fully managed SD-WAN
The provider handles everything: initial design workshop, site survey, hardware procurement, Zero Touch Provisioning, overlay configuration, change management, monitoring, incident response and reporting. The customer interacts through service tickets and dashboards. This model is popular for organizations that view networking as a utility and want to redirect internal effort toward applications and business outcomes.

2. Partially managed (co managed)
The provider operates the platform and the monitoring stack; the customer retains a role in specific areas such as security policy, application classification or data sovereignty controls. Many enterprises use co management to keep their security team in charge of segmentation and ZTNA policy while outsourcing the undifferentiated operational work of link monitoring and hardware replacement.

3. Self managed (DIY)
The customer’s team owns the SD-WAN platform. They configure the controller, build templates, define policies, operate the NOC and handle incidents. The vendor provides the product, documentation, TAC support and professional services on request. This model maximizes control and is preferred by organizations with skilled network and security teams, regulated environments or highly customized architectures.

4. White label managed service
A service provider resells a vendor’s SD-WAN platform under its own brand, often combined with connectivity and security services. The end customer sees a single contract and a single point of responsibility. Teldat supports this model by allowing partners to operate the CNM SD-WAN Suite in multi tenant mode with per customer isolation.

5. Co sourced operations
Operational tasks are divided by shift or by domain. A common pattern: internal team covers business hours and strategic changes, while a partner provides after hours monitoring, incident response and patch management. Co sourcing reduces the need for a full 24×7 internal NOC without giving up architectural control.

6. Hybrid model per site or per region
Large enterprises frequently mix models. Critical sites (data centers, headquarters) are self managed by an internal team, while branch offices in regions without local expertise are delivered as a managed service through a partner. The Teldat CNM SD-WAN Suite supports role based access so that each team sees only the sites and policies it is responsible for.

Managed SD-WAN vs Self managed SD-WAN: side by side

Managed and self managed SD-WAN address the same networking problem but distribute responsibility, risk and cost in very different ways. The table below contrasts the two models across the dimensions that matter most during a procurement decision. Co managed options generally fall somewhere between the two columns.

| Dimension | Managed SD-WAN | Self managed SD-WAN |
| --- | --- | --- |
| Responsibility | Provider operates platform end to end; customer consumes service | Customer owns every layer of operation |
| Time to deploy | Weeks; provider brings repeatable process and pre built templates | Months on first deployment; faster once templates are established |
| In house skills | Minimal; customer needs strong vendor management, not SD-WAN expertise | Substantial; requires a trained network and security engineering team |
| Cost model | OPEX; predictable recurring fee per site, SLA backed | CAPEX for hardware plus OPEX for licences and internal staff |
| Control over policy | Indirect; changes go through the provider and its change window | Direct; internal team applies policy changes in real time |
| Speed of change | Governed by provider change management; hours to days | Minutes, bounded by internal approvals |
| Customization | Standardized catalog of services; deep custom work is chargeable | Full flexibility; any supported feature can be used |
| Visibility | Provider dashboards and periodic reports | Raw telemetry and full integration with customer observability stack |
| Security ownership | Shared; provider secures the platform, customer defines business policy | Fully internal; aligns with existing security governance |
| Risk profile | Vendor concentration risk and SLA dependency | Operational risk concentrated in internal team capacity |
| Best fit | Distributed retail, mid market, organizations without a dedicated NOC | Regulated industries, large enterprises with mature network teams |

No model is universally better. The right answer depends on the balance between control and overhead that your organization can realistically sustain over a five year horizon. Most enterprises end up in a co managed configuration: they outsource the parts they do not differentiate on and keep control over the parts that intersect with security, compliance or core applications. Teldat CNM SD-WAN Suite is designed to operate equally well in any of these configurations without platform lock in.

Pros and Cons of each model

Every deployment model has a clear upside and a matching downside. The six cards below summarize what each model typically delivers and what it typically demands in exchange. Read them as trade pairs, not isolated features.

1. Managed SD-WAN: what you gain
Predictable OPEX, a single SLA backed point of responsibility, 24×7 coverage without hiring a NOC, and fast rollout across geographies where local expertise is scarce. The provider absorbs the learning curve of a new platform and delivers operational maturity from day one.

2. Managed SD-WAN: what you give up
Change velocity is governed by the provider’s processes. Deep customization typically costs extra. You depend on the provider’s roadmap, monitoring tools and incident response quality. Exit costs are non trivial: contracts, device ownership and data migration all need planning before signing.

3. Self managed SD-WAN: what you gain
Full control over policy, segmentation, routing and integrations. Changes happen at the speed of your team, not at the speed of a ticket queue. No vendor between you and your network. Knowledge stays in house, which makes future platform migrations or multi vendor strategies much easier.

4. Self managed SD-WAN: what you give up
You carry the full operational burden. That means recruiting, training and retaining SD-WAN skilled engineers, building or buying 24×7 monitoring, and owning every incident. The first twelve months are the steepest: you pay the learning curve in outages and misconfigurations.

5. Co managed: what you gain
A pragmatic split. The provider absorbs the undifferentiated tasks (link monitoring, hardware RMA, Tier 1 incident response), while your team keeps the strategic work: policy, segmentation, integration with identity and security. Most mature SD-WAN deployments land here after a few years of operation.

6. Co managed: what you give up
Clear accountability. When responsibility is shared, it is easy for issues to fall between the cracks. A co managed contract only works if the split is documented at the task level, not at the slogan level: who owns what, who escalates to whom and how handoffs are measured.

How to choose: the decision framework

Choosing between managed and self managed SD-WAN is less about technology and more about organizational fit. Run the following six questions before locking in a model. If your answers skew toward the first option in each pair, managed is the safer bet. If they skew toward the second, self management is within reach.

1. Do you have SD-WAN skilled engineers in house?
Managed is the right default when the skill set is thin, scattered across geographies or actively being rebuilt. Self management becomes viable when you have at least two or three engineers who have operated SD-WAN at scale and a plan to keep them on staff.

2. How many sites, how distributed, how quickly growing?
A stable network of ten to fifty sites can be operated by a small internal team. A fast growing network of hundreds of sites across multiple regions almost always needs a managed or co managed model during the growth phase, because recruiting cannot keep up with rollout pace.

3. How sensitive are your policy and segmentation decisions?
If segmentation is core to your compliance story (PCI, HIPAA, NIS2, DORA), you probably want your own team in charge of those policies even if the rest of the operation is outsourced. Co management with a clear policy boundary is the typical answer.

4. What is your tolerance for OPEX vs CAPEX?
Managed SD-WAN converts most of the spend into a predictable recurring fee. Self management requires CAPEX for hardware and internal salaries, offset by lower licence costs. CFOs with a preference for OPEX and predictable budgets often push toward managed models.

5. How critical is change velocity to the business?
If application teams ship weekly and expect same day network changes, a managed service with a four hour change window is going to be a source of friction. Self management (or at least co management with policy authority retained in house) is the realistic answer.

6. What is your multi year platform strategy?
Organizations with a stated multi vendor or cloud first strategy benefit from keeping the operational knowledge in house, because platform portability matters. Organizations consolidating around a single trusted partner can lean on managed services without compromising that strategy.

Total cost of ownership considerations

A TCO comparison is the only honest way to compare managed and self managed SD-WAN. The sticker price of licences and hardware is rarely the decisive factor. The dimensions below are the ones that usually move the total by more than 20 percent in either direction, and they are the ones most commonly overlooked in initial proposals.

1. Hardware and software licences
In a self managed model, the customer pays directly for edge devices, controller licences and support contracts. In a managed model, those costs are bundled into the monthly fee; the provider absorbs the purchasing risk and passes on negotiated volume discounts, minus its margin.

2. Staffing and training
Self management requires a team that can design, operate and troubleshoot the platform. For a mid sized enterprise that typically means two to four full time engineers plus on call coverage. Training, certification and retention are recurring costs that do not appear on the vendor quote.

3. Monitoring and tooling
24×7 monitoring requires either a shared NOC or a set of tools and runbooks good enough that on call engineers can act quickly. Managed services include this stack in the fee. Self managed deployments have to build or buy it, and it often represents the largest hidden cost of the first year.

4. Change management overhead
Every network change carries a cost in engineering time and risk. Self management keeps that cost internal but visible. Managed services hide it behind a ticket queue and a change window. Both models have to pay it; the question is where it shows up in the budget.

5. Scale economics
Per site cost in a managed service is relatively flat: you pay more or less the same for site fifty as for site five hundred. Per site cost in a self managed deployment drops significantly after the initial investment in tooling and team. At very large scale, self management often wins on unit economics.

6. Exit and portability cost
Switching from a managed service to another provider, or bringing operations in house, has real migration costs: knowledge transfer, contract wind down, device re registration and policy re codification. Teldat CNM SD-WAN Suite mitigates this risk because the underlying platform is portable between customer and partner operations.

Teldat support for every SD-WAN model

Teldat is designed to operate across every deployment model without forcing a choice between control and convenience. The CNM SD-WAN Suite runs identically whether the operator is the customer’s own team, a Teldat partner or a hybrid of both. That portability is the main reason Teldat SD-WAN is used by service providers, enterprises and public sector organizations on the same underlying platform.

1. CNM SD-WAN Suite for self management
Customers that want to run SD-WAN internally use the CNM Controller, CNM Provisioner, CNM Visualizer and CNM Servicer directly. All four modules are operated through guided graphical interfaces with REST API integration, giving internal teams the automation they need without platform lock in.

2. Partner operated managed service
Teldat works with a European network of service providers that deliver SD-WAN as a fully managed offering. The partner operates the CNM SD-WAN Suite in multi tenant mode, bundles the service with connectivity, security and support, and presents it to the end customer under a single SLA.

3. Co management with role based access
The CNM SD-WAN Suite supports granular role based access control, so that a Teldat partner and the customer’s internal team can share the same platform with different scopes. Partner teams handle day two operations while the customer retains full authority over security policy, segmentation and sensitive routing decisions.

4. Proven at European scale
Teldat operates the largest SD-WAN and XDR deployment in Europe at the Junta de Andalucia, covering 2,700 branches with centralized management and AI powered threat detection. This reference shows that the platform scales under any operational model, from fully internal to fully outsourced.

5. Integrated security across models
Regardless of who operates SD-WAN day to day, Teldat integrates with the full be.Safe suite: embedded NGFW at each edge, be.Safe Pro SSE for cloud delivered SASE (SWG, CASB, ZTNA) and be.Safe XDR for AI powered threat detection. Security boundaries are defined once and enforced consistently.

6. European sovereignty without tradeoffs
As a European manufacturer with CPSTIC certification at ENS Alta level and the “Cybersecurity Made in Europe” label, Teldat delivers SD-WAN under EU jurisdiction. No extraterritorial legal exposure, no non EU parent company, and no foreign government access to management data, whether the platform is operated by the customer or a partner.

The Teldat model neutrality advantage: most SD-WAN vendors force customers into either a product only or a service only posture. Teldat manufactures the hardware, builds the CNM SD-WAN Suite and works with an ecosystem of partners that can operate it. A customer can start self managed and hand over operations to a partner two years later when the footprint outgrows the internal team, without changing the platform underneath. Policies, templates and integrations carry across every operational model, which is exactly where most SD-WAN migration budgets get spent.

Frequently asked questions (FAQs) about managed and self managed SD-WAN

What is the difference between managed and self managed SD-WAN?

Managed SD-WAN is a service in which a provider operates the SD-WAN platform on behalf of the customer under an SLA, handling design, configuration, monitoring and change management. Self managed SD-WAN (DIY) keeps full operational ownership inside the customer’s IT team. The vendor provides the platform and support, but the customer runs it. Managed trades control for less internal workload and predictable OPEX. Self managed demands more staff but gives you direct authority over every policy decision and usually wins on unit economics at large scale.

When should a company choose managed SD-WAN?

Managed SD-WAN is the right choice when the organization lacks SD-WAN skilled engineers, needs fast rollout across many geographies, prefers OPEX over CAPEX and does not want to operate a 24×7 NOC. It is also a strong fit for mid market and distributed retail environments where the value of network operations is in consistency and uptime rather than deep customization.

When is self managed SD-WAN the better option?

Self management makes sense when the organization already has a mature network engineering team, operates in a regulated industry that requires tight control over policy and segmentation, runs a stable or moderately growing footprint, and has the budget to invest in staff and monitoring tooling. At large scale, self management often has better unit economics than a fully managed service.

What is co managed SD-WAN?

Co managed SD-WAN is a hybrid model in which the service provider and the customer share operational responsibility. A common split has the provider handling monitoring, hardware replacement and first line incident response, while the customer owns security policy, segmentation and application routing. Co management is the most common outcome for mature enterprise deployments because it balances control and overhead.

Does Teldat offer both managed and self managed SD-WAN?

Yes. The Teldat CNM SD-WAN Suite is designed to operate identically under any model. Customers can run the platform themselves, consume it through a Teldat partner as a fully managed service, or share operations with a partner in a co managed configuration. Role based access control and multi tenant architecture support all three options on the same platform.

Can I switch from managed to self managed SD-WAN later?

With Teldat, yes. Because the CNM SD-WAN Suite is the same platform whether operated by the customer or a partner, transitioning between models is a matter of transferring operational responsibility, role based access and runbooks, not a platform migration. Investment in policies, templates and integrations is preserved across model changes, which avoids the exit cost typical of pure managed service contracts.

Find the right SD-WAN model for your business

Managed, self managed or co managed, Teldat CNM SD-WAN Suite runs the same way on the same platform. Combined with be.Safe Pro SSE and be.Safe XDR, it delivers networking and security from a single European vendor, proven at scale across 2,700 branches.