Island Secure Web Gateway: SWG for the AI Era
Built for a world where agents outnumber humans 100 to 1.
The world traditional SWG was built for is gone
Five years ago, “outbound traffic” meant a human clicking a link. The Secure Web Gateway that intercepted that click, decrypted it, inspected it, and sent it on its way was a solid piece of engineering for that world.
That world is gone. Today, “outbound traffic” is a Copilot prompt your CFO sent, an autonomous agent calling six SaaS APIs to close a quarterly book, a browser extension scraping a vendor portal, and a background process syncing a folder to a personal cloud. All happening in parallel. Most of it is encrypted in ways your cloud proxy cannot inspect. Most of the meaningful risk lives inside the page rather than on the wire.
Agents are about to outnumber humans 100 to 1 in the enterprise. They move 100x faster than the network was designed to handle. And if you cannot see inside an AI session, you are not governing AI. You are guessing.
Island Secure Web Gateway was built around a different network architecture. A full enterprise-grade SWG with the added ability to enforce locally at the endpoint, for activity the network alone can't reach. It is built for a world with more traffic, more actions on the endpoint, and more agents.
The numbers:
- 90% of sessions skip the cloud backhaul
- 10x faster application access
- Zero SSL/TLS break-and-inspect for browser traffic
- 100% visibility into AI sessions, agent workflows, and data interactions
Three reasons the cloud-proxy-only model is breaking
The backhaul tax keeps getting more expensive. Every packet up to the cloud, decrypted, inspected, re-encrypted, sent on. Fine for occasional browsing. Painful for real-time collaboration, SaaS, and an AI workflow firing dozens of requests in parallel. As agentic patterns scale, the cost of “everything through the proxy” stops being a rounding error and starts being a line item.
Encryption is outpacing inspection. SSL pinning blocks decryption on the apps that matter most. Quantum-resistant ciphers and modern protocols are closing the visible window further every quarter. A cloud proxy that depends on break-and-inspect now sees less than it did last year, and will see less again next year.
Additional risk lives where the proxy cannot reach. When an employee copies a customer list from your CRM into an email on their personal Gmail, the network sees a TLS handshake to a known good domain. The proxy sees a packet without the context to make an effective decision. The risk lives in what the user does on the endpoint. Network-only inspection wasn’t designed to govern that, and bolting more inspection onto a network layer that cannot see the page won’t fix it.
Island Secure Web Gateway
Island SWG is a full network security solution, covering all web and application traffic that originates from the endpoint: Zoom, Slack desktop, Dropbox client, background services, and any other outbound connection. Island Desktop intercepts that traffic and routes it to Island SWG for full inline inspection: SSL inspection, URL filtering, DLP, malware scanning, and application access control. Full coverage, on par with any enterprise SWG in the market. That includes AI tools and agentic workflows. Every outbound connection an AI assistant or autonomous process generates is subject to the same inspection and policy enforcement as any other traffic.
Island goes further on the endpoint itself. For most web traffic, Island enforces locally at the endpoint by applying URL filtering, DLP, malware scanning, anti-phishing, and application controls inline, without routing traffic to a cloud proxy. That means less backhauling, no break-and-inspect overhead, and visibility into encrypted sessions, including modern protocols and encryption, that a traditional proxy-based SWG can't reach from the network layer alone.
All enforcement runs under the same policy framework, managed from a single console. Security teams define rules once, applied consistently, regardless of where traffic originates.
Island SWG uses our global network, which includes points-of-presence across the globe. This network is built on top of multiple major hyperscalers, giving us the ability to easily deploy new PoPs to many different locations while ensuring redundancy across multiple providers for maximum uptime.
How Island SWG works in practice
An employee pastes proprietary source code into an AI assistant to generate documentation. Island's DLP policy detects the sensitive content before it leaves the device and blocks the upload, displaying a coaching message. The AI tool remains accessible. The data doesn't leave.
A user clicks a link in a phishing email. Island evaluates the URL, and if it identifies a lookalike, the connection is blocked before a single packet is exchanged, so the page never loads. No network hop. No cloud round-trip. Stopped before it started.
A finance team member copies a column of Social Security Numbers from Google Sheets. Where a traditional SWG stops at the network layer, Island controls what users can do with data once it's on the device. It detects PII patterns, masks sensitive fields, and can prevent copy, uploads, or any other action inline, at the DOM layer. The data doesn't move.
A background process on an endpoint attempts to connect to an external server. Island intercepts the outbound connection, routes it to Island SWG for inspection, and evaluates the request. The URL is flagged as a command-and-control destination. The connection is blocked before it's established, and the malware callback never completes.
A contractor's file sync client attempts to connect to an unapproved storage service. Island Desktop intercepts the traffic. Island SWG matches it against the application access policy, blocks the sync, and logs the event with the user's identity, device, and destination for the SecOps team.
A security team needs to conduct threat research or risk analysis on an uncategorized site. Island applies isolation automatically, rendering the session locally within a controlled process. If policy demands the absolute containment of Remote Browser Isolation (RBI), Island executes the session remotely on its secure infrastructure and streams it back via high-performance, vector-based graphics, keeping malicious code away from the endpoint without degrading the user experience.

One policy framework. One audit log.
All enforcement shares the same foundation: policies defined once in Island’s management console apply consistently across all traffic types.
A DLP rule for PCI data applies whether a user uploads through the browser or a desktop application. A URL filtering policy for unsanctioned SaaS applies whether access is attempted through Chrome, an extension, or a file sync client. The SecOps team doesn't manage separate policy systems or reconcile separate audit trails.
Every connection, regardless of origin, is logged with user identity, destination, action, and outcome. HTTP, TLS, and DNS metadata are audited across all traffic (browser, non-browser, local and cloud-inspected) and forwarded in real time to SIEM platforms. When a compliance team needs to reconstruct what a specific user accessed during a security incident, the data is complete and in one place.
The Modern SWG
Enterprises have always needed a Secure Web Gateway. The network security requirement hasn’t changed. What’s changed is the architecture needed to meet it. Routing all traffic through a single cloud proxy made sense when the network perimeter was fixed. It’s a harder case to make when traffic is distributed, applications are cloud-delivered, and agents are producing far more traffic than ever before.
Island Secure Web Gateway is a full network security solution built for that reality. Island SWG covers every outbound connection. With the added ability to enforce locally at the endpoint, Island covers what the network alone can't reach. One policy. One audit log. No gaps.
FAQs
What is a Secure Web Gateway (SWG)? A Secure Web Gateway filters and controls outbound web traffic, applying policies to block threats, prevent data exfiltration, and restrict access to unauthorized sites and applications. Traditional SWGs enforce those policies at the network layer via a cloud proxy. Island enforces them at the endpoint for local traffic, with no proxy hop, and via Island SWG for all other traffic.
How is Island SWG different from a traditional SWG? Traditional SWGs intercept all device traffic and route it through cloud proxies for inspection. Island covers all network traffic through Island SWG, with the added ability to enforce locally at the endpoint for activity the network alone can't reach. The result is full coverage, significantly less traffic requiring cloud routing, deeper last-mile enforcement, and a faster user experience.
Can Island SWG enforce DLP inside SaaS applications? Yes. This is where Island is meaningfully different. Because Island enforces at the endpoint and at the DOM, it can detect and block data actions that never cross a network boundary: copying PII within an application, pasting sensitive content between tools, or uploading a regulated file. A proxy-based SWG can only inspect traffic in transit; it cannot reach activity that happens entirely on the device.
Does Island SWG require SSL break-and-inspect for browser traffic? No. For browser traffic, Island applies policies before content is encrypted for transit. There’s no decrypt-and-re-inspect cycle for sessions handled on-device. For non-browser traffic through Island SWG, SSL inspection is performed using either the customer’s own CA certificate or an Island-provided CA, with TLS fingerprint preservation to avoid session breakage.
What deployment options does Island SWG support?
Island SWG supports multiple enforcement methods, allowing organizations to match deployment to their environment:
- The Island Enterprise Browser and Island Extension: Inline policy enforcement for all browser-originated traffic on Mac and Windows, with no proxy routing required.
- Island Desktop: A lightweight agent that intercepts non-browser traffic on Mac and Windows and routes it to Island SWG for full inline inspection.
- Explicit Proxy (PAC file): Agentless deployment for managed environments that prefer no endpoint install, with reduced contextual visibility compared to agent-based enforcement.
- IPsec Tunnel: Secure traffic redirection to Island Cloud for branch locations, without per-user endpoint changes or agent deployment.
What threat protection capabilities are included with Island Secure Web Gateway? Island SWG includes a full Advanced Threat Protection (ATP) stack. URL and category filtering operate across all ports and protocols, with categorization that’s continuously updated and overridable through custom policy. Domain Name System (DNS) Security catches threats earlier in the request chain, covering DNS over HTTPS (DoH) traffic that many gateways can’t inspect, DNS tunneling attempts, and Command and Control (C2) callbacks from compromised endpoints.
What Data Loss Prevention (DLP) capabilities does Island provide across web, Software as a Service (SaaS), and endpoint? DLP runs inline on all web, SaaS, and private application traffic that Island inspects, with detection that goes well beyond simple keyword matching. Exact Data Match (EDM) identifies specific records from a structured dataset, useful for protecting customer lists, employee records, or similar fixed datasets where the content itself is known. Indexed Document Match (IDM) identifies copies and derivatives of fingerprinted source documents. Optical Character Recognition (OCR) extends detection into images and screenshots, so a sensitive document can’t slip through because someone took a picture of it. Redaction can selectively mask sensitive content as it’s displayed, and watermarking can tag content with user identity to deter unauthorized sharing. Endpoint DLP extends the same engine to files, USB drives, network shares, and printing.
How does Island handle Shadow Information Technology (Shadow IT) and unauthorized AI tools? Shadow IT and Generative AI (GenAI) discovery happen continuously. Every web destination an endpoint reaches gets cataloged, classified, and risk-scored, so when a new SaaS app or AI tool starts spreading across the organization, Island surfaces it before it shows up in an incident report. From there, controls are graduated. An app can be blocked outright, allowed with restrictions, or allowed with DLP guardrails that prevent specific data categories from leaving the device toward it. For sanctioned SaaS, Cloud Access Security Broker (CASB) can identify over-shared documents and alert the end users that own them.
How does Island handle identity? Identity is built into everything Island does. It utilizes your existing identity provider, including all major providers as well as generic SAML integrations. MFA on sensitive destinations or actions is configurable and works with FIDO2 hardware keys, passwordless flows, and most existing multi-vendor MFA stacks. Device trust is evaluated continuously, not just at login: Operating System (OS) version, patch level, disk encryption status, Endpoint Detection and Response (EDR) signal, MFA state, and biometric capability all feed access policy in real time. For private application access, Zero Trust Network Access (ZTNA) is available as a related platform capability in both client-based and clientless or browser-based forms.
What platforms does the Island agent support, and how is it deployed and managed? Island Desktop runs on Windows and macOS. The background service is tamper-resistant, designed so users without administrative privileges can’t disable or work around it, and it updates seamlessly in the background without user disruption. Deployment integrates with Mobile Device Management (MDM) tooling, including silent push and any required Certificate Authority (CA) certificates.
How does Island integrate with Security Operations (SecOps) tools like Security Information and Event Management (SIEM) systems? Every request, action, and policy decision is logged with user identity, destination, action, outcome, and full context. That data stream is available the way SecOps teams actually need it: syslog forwarding for traditional SIEM ingestion, and open Application Programming Interfaces (APIs) for systems that prefer to pull rather than receive. Those same documented APIs support integration with Security Orchestration, Automation, and Response (SOAR) platforms, letting customers automate policy changes, lookups, and response actions from playbooks they already run. The full audit trail covers every enforcement point, which turns incident reconstruction and compliance reporting into a query rather than a scavenger hunt across multiple tools. Administrative access to the Island console is governed by Role-Based Access Control (RBAC) with granular permissions, so the team that runs DLP policy doesn’t need the same access as support staff. Policy management itself is unified across SWG, DLP, RBI, and CASB controls, which means a single rule applies cross-context rather than being maintained separately in each tool. End-to-end path visibility lets operators trace a single request from endpoint to destination through every enforcement step, useful when something doesn’t behave the way policy says it should.
What other capabilities are available on the Island platform alongside Secure Web Gateway? Island Enterprise Password Manager is part of the same platform. It uses zero local storage, meaning vault data isn’t kept on the endpoint. Biometric unlock is supported where the operating system provides it. Shared vaults handle teams that need to securely share credentials, and breach reporting flags exposed passwords. The password manager runs under the same identity model and admin console as the rest of the platform. Other capabilities customers commonly adopt alongside SWG include CASB, ZTNA, and RBI, all sharing the same console, the same policy engine where it makes sense, and the same audit trail.





