Home / Solutions / Secure Web Gateway
Powered by dope.security · Fly-Direct SWG
Secure Web Gateway

No Stopovers.
No Outages.
Fly Direct.

Legacy secure web gateways route your traffic through stopover data centres — adding latency, creating single points of failure and exposing your sensitive data to third-party infrastructure. dope.security eliminates the detour entirely. Security checks run directly on the endpoint, delivering up to 4x faster performance, stronger privacy and an architecture that simply cannot go down.

Request a Demo Explore Platform ↓
Legacy Stopover SWG
Traffic routed through a distant data centre — adding latency on every request
Data centre outages take down your entire organisation's web access
TLS decryption happens in the cloud — sensitive data leaves the device
Performance degrades for remote workers on home wifi or 5G
Captive portals (hotels, cafes) frequently break connectivity
Complex architecture requiring ongoing maintenance and exception lists
DLP based on regex and pattern matching — high false positive rates
vs
dope.security Fly-Direct SWG
All security checks run on the endpoint — traffic goes direct to destination
No data centre to fail — policies cached locally if dope.cloud is unreachable
Local TLS termination — decrypted data never leaves the device
Up to 4x faster performance — consistent everywhere, on any connection
Captive portals work exactly as expected — no middleman interference
Easy deployment, intuitive cloud console, policy changes pushed instantly
LLM-powered DLP understands content — minimal false positives, no tuning
Faster Than Legacy SWGs
<100MB
RAM — Lightweight On-Device Agent
0
Data Centres That Can Take You Down
$47.8B
SWG Market by 2030 — 23% CAGR
The Platform

The Trilogy.
One Console. Three Capabilities.

dope.security delivers a complete Security Service Edge stack in a single, beautifully designed platform. Deploy all three from one agent, manage everything from one cloud console.

01 — dope.swg
Fly-Direct Secure Web Gateway
The on-device proxy that eliminates the stopover. All web security checks run locally on the endpoint — URL filtering, anti-malware, SSL inspection and cloud application controls happen without routing traffic through a data centre.
  • URL filtering — define and enforce web access policies
  • Anti-malware detection and blocking in real time
  • SSL/TLS inspection on-device — data never leaves the endpoint
  • Cloud application controls — manage SaaS app usage
  • Shadow IT detection and monitoring
  • User and group-based policies — instant enforcement across all devices
  • Windows and Mac supported — identical features on both
02 — CASB Neural · DOPAMINE DLP
LLM-Powered Data Loss Prevention
DOPAMINE DLP is the industry's first LLM-powered endpoint data loss prevention solution. Unlike legacy DLP tools that rely on regex and pattern matching, it uses large language models to actually understand content — delivering precise classifications with near-zero false positives and no policy configuration required.
  • LLM understands content context — not just 16-digit sequences
  • Monitors and blocks sensitive uploads to the web — PII, PCI, PHI and IP
  • One-click activation — no complex policy tuning required
  • Scans Google Drive and Microsoft 365 for exposed sensitive files
  • Dramatic reduction in false positives compared to legacy DLP
  • Prevents data exfiltration via web uploads and cloud storage
03 — Private Access (ZTNA)
Zero Trust Network Access
Create point-to-point connections to your behind-the-firewall applications — without the complexity and performance overhead of legacy VPN. Private Access extends the Fly-Direct architecture to internal application access, delivering ZTNA from the same single agent and console.
  • Point-to-point connections to internal applications
  • No VPN hairpinning — direct access from endpoint to resource
  • Zero Trust principles — never trust, always verify
  • Same agent as dope.swg — no additional software to deploy
  • Single console management alongside SWG and DLP
  • Suitable for hybrid and fully remote workforces
How It Works

Three Components.
One Seamless Stack.

Unlike legacy SSE platforms that are "frankensteined" together through M&A, dope.security was built from scratch so every component works in concert under a single cloud console.

dope.cloud
Security Services & APIs
A set of security services and APIs that maintain a real-time connection between every endpoint and the admin console. Manages OIDC authorisation between users and their associated policies. Handles URL categorisation, malware analysis, policy distribution and auto-updates — with a cache pushed to each device so protection continues even when the cloud is unreachable.
dope.console
The Administrator's Cockpit
The single point of control for all connected endpoints at scale. Manage URL filtering policies, Cloud App Controls, analytics, CASB DLP and SSPM — all from one screen. Policy changes push instantly to every online device rather than waiting up to 60 minutes as with legacy cloud proxies. SSO via Microsoft 365 or Google Workspace — one-click user import and automatic deprovisioning.
dope.endpoint
The On-Device Proxy
The lightweight agent (<100MB RAM) that runs the full SWG stack directly on the device. Performs SSL inspection, URL filtering, anti-malware, Cloud App Controls and Dopamine DLP locally — with no traffic detour through a data centre. Autonomously enforces policy even without cloud connectivity. Optimised natively for Apple Silicon and Intel Windows, with identical features on both platforms.
Platform Capabilities

Enterprise Security.
Without the Complexity.

dope.security was built from the ground up to be simple to deploy, beautiful to use and architecturally superior to the incumbents. Named to Fast Company's Next Big Things in Tech.

SSL Inspection — On Device
TLS decryption happens locally on the endpoint. Data never leaves the device — no third-party data centre handles your sensitive traffic. Provides full visibility across every web transaction, including categories that legacy SWGs routinely bypass such as healthcare and banking.
URL Filtering — 80+ Categories
A base policy deploys automatically on agent install, blocking the most common risk categories. Toggle any of 80+ pre-configured categories between Allow, Block and Warn — or create custom categories using domain and URL lists. Per-user and per-group exceptions supported. Policies push instantly — not in 60 minutes.
Cloud Application Controls (CAC)
Restrict which SaaS tenants and accounts users can access — block personal Google or Microsoft 365 logins while allowing corporate accounts. CAC Read Only lets employees browse personal apps but blocks file uploads and attachments to personal storage. Covers Microsoft 365, Google, Box, Salesforce, Dropbox, Slack, and more.
Anti-Malware
Every file download is inspected locally. The dope.endpoint computes each file hash and checks a local cache before serving the file. Unrecognised hashes are sent to dope.cloud for verdict. Results update the Analytics dashboard in real time — all without routing the file through an external proxy.
Fallback Mode — Always Protected
Legacy SWG fallback is binary: Fail Open (everything allowed) or Fail Closed (everything blocked). dope.security caches all policies on-device. In Fallback Mode, previously accessed sites continue per policy while new unknown requests are restricted — meaning users stay productive and secure even when the cloud is unreachable.
Single Sign-On (SSO)
OpenID Connect (OIDC) via Microsoft 365 or Google Workspace. Eliminates SAML and SCIM complexity. Integrates automatically with Okta, Microsoft Entra ID, Ping and OneLogin. Admins, users and groups sync automatically — user access is revoked the moment they leave the organisation. It really is one-click.
Shadow IT Analytics
Visualise Shadow IT across the entire organisation. See per-app data consumption, identify corporate vs personal account usage, view AWS account IDs and Slack workspaces, and surface unsanctioned SaaS adoption. Use the data to update Cloud App Controls and reduce exfiltration risk.
CrowdStrike Integration
Ingest dope.swg web security telemetry — HTTP/S transactions, malware alerts and policy violations — directly into CrowdStrike Falcon Next-Gen SIEM. Accelerates threat detection, reduces attacker dwell time and eliminates context switching between consoles.
Instant Trial — SSO Onboarding
The only SWG you can trial instantly on your own device without hardware, configuration or a complex proof of concept. Log in via Microsoft 365 or Google, install the agent, and traffic inspection begins immediately. No test environment to rebuild when moving to production — your trial tenant becomes your live tenant.
Dopamine DLP

LLM-Powered Data Loss Prevention.
Three Enforcement Modes.

Unlike legacy DLP tools that rely on regex and pattern matching — where a 16-digit number is assumed to be a credit card — Dopamine DLP uses large language models to comprehend the actual content of files. The result is far fewer false positives, with no policy tuning required. File inspection happens on-device; only the minimal extracted text needed for classification is sent to the cloud.

Off
No Inspection
DLP inspection is disabled for this policy. No scans are performed and no logs are generated. Use for trusted user groups or environments where DLP overhead is not required.
Block
Block & Log
Sensitive uploads are blocked in real time before they leave the device. The violation is logged to the dope.console with a Dopamine-generated human-readable summary explaining exactly why the upload was flagged — PII, PCI, PHI or IP detected.
Monitor
Observe & Alert
Uploads proceed uninterrupted — invisible to the user — but every event is logged to the console with a Dopamine explanation of risk. Use Monitor mode to baseline behaviour and understand exfiltration patterns before moving to Block.
CASB Neural — Cloud DLP & SSPM

Scan Your Entire SaaS Tenant.
One Click. Zero Configuration.

CASB Neural automatically crawls your Microsoft 365 or Google tenant the moment it is activated. It identifies all publicly and externally shared files containing PII, PCI, PHI and Intellectual Property — then monitors continuously for any file-sharing changes. No pre-configuration. No regex rules. No scheduled scans.

SaaS Security Posture Management (SSPM)
Uncover all third-party apps connected to your Microsoft 365 or Google tenant, organised by access type: global, limited or login. Review app access start dates, permission scopes, and user information. Identify unauthorised connections and revoke access directly from the console. Supports Google, Microsoft 365, GitHub, Slack, AWS, Box, Dropbox, Salesforce, Jive, ServiceNow, Workplace and Zoom.
One-Click Remediation
Each Dopamine hit delivers a precise human-readable summary of the sensitive file alongside the users who have access within and outside the organisation. Admins can make a file private, mark it as reviewed or reopen it — all from a single click in the console. Your data is never used to train the underlying LLM model. Data segregation between all clients is enforced.

"Dope was founded to modernise web security with beautiful design and fast performance. Dope's fly-direct architecture operates side-by-side on the device without the performance headaches of legacy SWGs."

Kunal Agarwal — Founder & CEO, dope.security
Get Started

Web Security That
Flies Direct.

Contact Endida to trial dope.security in your environment or request a demonstration of the Fly-Direct SWG and DOPAMINE DLP.

Request a Demo