Cisco Umbrella to Endpoint SWG: A 30-Day Migration Playbook

Migrating from Cisco Umbrella to dope.security is a 30-day project for most mid-market organizations. The plan: pilot in week 1, policy parity in week 2, broad rollout in week 3, cutover and decommission in week 4. The agent ships via MDM, there is a single console, and SWG, CASB, DLP, and AI governance are all in one product.

Most teams we talk to who want to move off Cisco Umbrella are stuck on two questions: how long will it take, and how do we keep DNS protection running during the cutover. The answer to both is shorter than the Cisco upgrade cycle that got you to SIG in the first place.

Below is the playbook we use with mid-market customers (500 to 5,000 devices). It moves fast because the dope.security agent does not require network-level changes per site.

Pre-flight

Inventory three things: current Umbrella tier (DNS Essentials, DNS Advantage, SIG Essentials, SIG Advantage), current policy categories and lists, and current device fleet by OS and MDM enrollment status. Pull the SIG license-end date so you know your hard cutoff. If you are on a multi-year Umbrella contract, the cutover does not have to align with renewal, but the financial story is cleanest at renewal.

Week 1: pilot

Pick a pilot cohort of 50 to 100 devices spanning your three highest-risk user types: typically IT/security itself, a mobile/traveling persona, and one engineering or design team that pushes the upload volume.

Deploy the dope.security agent via Intune or Jamf. The agent uses under 100 MB of RAM. Confirm SSL inspection certificate trust on every device. Open the dope.console and push the baseline policy: URL filtering parity with your current Umbrella categories, Cloud Application Control on personal ChatGPT, Claude, Gemini, Copilot, and Dopamine DLP in Monitor mode.

Leave Umbrella on. Let both run for the pilot week. Collect baseline data on DLP detection and Shadow IT discovery.

Week 2: policy parity and AI policy hardening

Replicate your Umbrella URL category model in the dope.console. Most teams find their existing Umbrella allow/block list maps cleanly. Where it does not, the dope.security console categorization plus custom rules handle the gap.

Set Dopamine DLP to its operational mode (Monitor or Block based on data class). Configure CAC tenant control: corporate ChatGPT, Claude, Gemini, and Copilot tenants allowed, personal blocked.

Run a side-by-side detection test: a set of test prompts and file uploads against both Umbrella and dope.security. The DLP delta is usually the most visible argument for the cutover.

Week 3: broad rollout

Expand the agent push to the rest of the device fleet via MDM. Outreach Health hit 99% deployment within a week at thousands of devices. One Cisco Umbrella customer migrated 2,000 machines in two days.

Watch three metrics in the console: agent install success rate, policy push latency, and SSL inspection error rate. If install fails on a subset, the cause is almost always MDM-cert trust on those devices.

Week 4: cutover and decommission

Validate that every device in scope is reporting healthy in dope.console. Then disable Umbrella DNS forwarding on your network, or unenroll devices from the Umbrella agent if you used the Roaming Client. Keep Umbrella's reporting view open for a week as backstop.

Decommission the Umbrella tenant after the validation window. Cancel any SIG add-ons in your contract paperwork at renewal.
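
One way to script the Week 4 gate before disabling Umbrella DNS forwarding, as an added example (not dope.security or Cisco code): it reconciles an MDM inventory export against an agent-health export and lists every in-scope device that blocks cutover. The CSV column names, status values, and 24-hour freshness window are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample exports; the column names are assumptions, not a vendor schema.
MDM_INVENTORY = """serial,os,in_scope
C02A1,macOS,yes
C02A2,macOS,yes
PF3B1,Windows,yes
PF3B2,Windows,yes
PF3B3,Windows,no
"""
AGENT_HEALTH = """serial,status,last_seen
C02A1,healthy,2026-03-27T09:10:00+00:00
C02A2,healthy,2026-03-20T08:00:00+00:00
PF3B1,cert_error,2026-03-27T09:05:00+00:00
"""

def cutover_gate(inventory_csv, health_csv, now, max_age=timedelta(hours=24)):
    """Return (ok, blockers): ok is True only if every in-scope device is
    present in the health export, healthy, and seen within max_age."""
    scope = {r["serial"] for r in csv.DictReader(io.StringIO(inventory_csv))
             if r["in_scope"].strip().lower() == "yes"}
    health = {r["serial"]: r for r in csv.DictReader(io.StringIO(health_csv))}
    blockers = {}
    for serial in sorted(scope):
        row = health.get(serial)
        if row is None:
            # Enrolled in MDM but the agent never reported: still unprotected.
            blockers[serial] = "no agent record"
        elif row["status"] != "healthy":
            blockers[serial] = "status=" + row["status"]
        elif now - datetime.fromisoformat(row["last_seen"]) > max_age:
            # A device that was healthy last week is not evidence for today.
            blockers[serial] = "stale check-in"
    return (not blockers, blockers)

if __name__ == "__main__":
    now = datetime(2026, 3, 27, 12, 0, tzinfo=timezone.utc)
    ok, blockers = cutover_gate(MDM_INVENTORY, AGENT_HEALTH, now)
    print("GO" if ok else "NO-GO")
    for serial, reason in blockers.items():
        print(f"  {serial}: {reason}")
```

Driving the scope from the MDM inventory rather than from the console's own device list is what catches devices that never installed the agent at all.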

Migration matrix: what you actually replace

Umbrella feature | dope.security replacement | Notes
DNS Essentials category filtering | dope.SWG URL filtering on-device | Sees URL paths, not just domains
DNS Advantage block lists | Custom block lists in dope.console | Direct CSV import
SIG SWG and TLS inspection | On-device SSL inspection | No backhaul, no PoP
SIG Advantage DLP | Dopamine DLP on-device | Zero-retention, US Patent 12,464,023
Investigate threat intelligence | Built-in threat intelligence in dope.console | Plus per-device telemetry
Cloud-delivered firewall | Not required for endpoint SWG model | Keep your existing perimeter or NGFW
SecureX dashboarding | dope.console single pane | SIEM export available

The risk register, honestly

Three things can slow you down: MDM-cert trust on a long tail of devices, a network team that wants to keep the Umbrella DNS forwarding in place because it is what they know, and a stakeholder who has a non-architectural attachment to Cisco. None of these are technical blockers, but they are calendar blockers. Plan around them.

What it costs vs Umbrella

dope.security is $60 per device per year, with SWG, CASB Neural, Dopamine DLP, and Cloud Application Control included. Most Umbrella customers run a SIG Essentials or SIG Advantage tier plus the seat allocation. The per-device math at 2,000 devices typically lands 2-3x cheaper, before counting the Umbrella add-ons.


The architecture choice in 2026

Most replacement evaluations end up comparing two architectures dressed in several vendor uniforms.

Architecture | Examples | HTTPS payload | Backhaul to vendor PoP | AI tool tenant control
Legacy cloud-proxy SWG | Forcepoint ONE, Zscaler ZIA, Netskope, Cisco Umbrella SIG, Symantec WSS | Yes (via PoP) | Yes | Partial
DNS-only filtering | Cisco Umbrella DNS, DNSFilter, TitanHQ, Cloudflare Gateway DNS | No | N/A | No
On-device SWG | dope.SWG | Yes (on endpoint) | No | Yes (out of the box)

Why the cloud-proxy lookalikes don't fix the architecture

Five structural facts every replacement buyer should weigh before signing with another cloud-proxy SSE vendor.

1. They are all cloud-proxy SWGs. Forcepoint ONE, Zscaler ZIA, Netskope Intelligent SSE, and Cisco Umbrella SIG all forward user traffic from the device to a vendor PoP, run inspection there, forward to the destination, then back. The data-plane architecture is the same; the marketing names differ. User-perceived performance is governed by PoP geography and capacity, not by anything the user controls.

2. The latency tax is per-request. Every page load, every API call, every SaaS interaction takes the PoP detour. Modern web pages chain dozens of HTTPS requests per render; the cost compounds. On a fiber-connected office user the round-trip is tolerable. On home wifi, hotel wifi, or international travel it isn't.

3. Renewal pricing tracks data center costs. Vendor infrastructure costs flow into renewal pricing. As power, cooling, and real estate costs rise, cloud-proxy SSE renewals climb with them. The macro trend applies regardless of vendor.

4. Geographic dead zones stay the same. China, sanctioned regions, and high-latency markets degrade the same way across all four vendors. Backhauling through the Great Firewall is brittle by design.

5. Trust transfer at decryption stays the same. Every cloud-proxy SWG decrypts your HTTPS payloads inside the vendor's data center. Audit and procurement teams in regulated industries face the same conversation with the new vendor as they did with the old one.

AI governance: ChatGPT, Claude, Gemini, and Copilot

The 2026 buyer leaving a legacy SWG is usually also trying to put real controls around the four AI tools their workforce uses every day. Cloud-proxy SSE vendors (Zscaler, Netskope, Cisco Umbrella SIG, Forcepoint ONE) ship partial tenant control and policy-based cloud DLP for AI. dope.SWG ships purpose-built Cloud Application Control (CAC) for all four AI tools out of the box, plus Dopamine DLP on the prompt content itself.

ChatGPT (OpenAI). Allow your enterprise ChatGPT Team or Enterprise tenant; block personal ChatGPT accounts. Detail: Blocking personal ChatGPT.

Claude (Anthropic). Allow your enterprise Claude Team or Enterprise tenant; block personal Claude.ai. Detail: Blocking personal Claude accounts.

Gemini (Google). Tenant-level control through Google Workspace. Allow your enterprise Workspace tenant; block personal Google accounts. The same CAC mechanism that controls personal Gmail and personal Google Drive extends to consumer Gemini.

Microsoft Copilot. Tenant-level control through Microsoft 365. Allow your enterprise M365 tenant; block personal Microsoft and Outlook accounts. The same mechanism extends across Copilot, OneDrive, and Outlook.

The three-layer model: Shadow AI discovery (which AI tools are users on?), SWG policy (block, warn, or allow at the URL layer), and CAC (restrict to enterprise tenant). Combined with Dopamine DLP on prompt content, this is what AI governance actually requires in 2026. Cloud-proxy and DNS-only SWGs ship partial pieces; on-device SWG ships the full stack.

AI tool | Legacy SWG (cloud proxy or DNS) | dope.SWG
ChatGPT personal vs enterprise tenant | Partial | Yes (out of the box)
Claude personal vs enterprise tenant | Limited | Yes (out of the box)
Gemini personal vs enterprise (Google Workspace) | Partial | Yes
Copilot personal vs enterprise (M365) | Partial | Yes
Endpoint DLP for AI prompt content | Limited | Yes (Dopamine DLP)
Single console for all four AI tools | No | Yes (dope.console)

The migration playbook to dope.SWG

Six concrete cutover steps. Real-world deployments have finished in days, not months.

Step 1: Inventory current SWG scope. SWG, DLP, CASB, and DNS layer products, plus any heritage on-prem appliances, PAC files, IPsec tunnels, or GRE configurations. The SKU map drives both the capability comparison and the renewal math.

Step 2: Map AI governance asks across ChatGPT, Claude, Gemini, and Copilot. For each AI tool, decide: allow only the enterprise tenant (recommended), block entirely, or allow with prompt-content DLP. dope.SWG ships out-of-the-box Cloud Application Control for all four, plus Dopamine DLP on the prompt content itself.

Step 3: Scope endpoint DLP channels. AI prompts, SaaS uploads, copy-paste, file movement to personal cloud. Meet Dopamine DLP walks through the three modes (Block, Monitor, Off).

Step 4: Plan MDM rollout. dope.endpoint deploys via Intune, Jamf, Kandji, or any standard MDM tooling. Pilot first (a single team), then expand by department, then full fleet.

Step 5: Phase the cutover. Pilot in parallel with the incumbent SWG to validate policy behavior, then expand. Decommission the legacy agent and remove PAC files, IPsec tunnels, or GRE configurations from the network edge.

Step 6: Reclaim the renewal. One SKU at $60 per device per year replaces multi-product legacy SSE bundles. The renewal conversation gets shorter, the SKU count drops, and the spend usually drops with it.

Customer evidence

Real-world references where the on-device SWG architecture delivered the migration outcome.

Greylock Partners. Iconic Silicon Valley VC. Replaced Cisco Umbrella with dope.security. 27 days from first proposal to signed contract. Deployment via Intune in a phased rollout.

Outreach Health. Healthcare organization, 5k-10k employees, 34 offices in TX, AZ, and MA. Replaced a legacy SWG. 99% of devices secured within one week. 70% reduction in web access-related IT tickets in 90 days. Policy changes moved from days to minutes.

City of Visalia. 700+ user government workforce. Expanded coverage when employees went mobile and perimeter-based policies stopped following users off-network. On-device SSL decryption with no data center backhaul.

A VC firm. 2,000 machines migrated off Cisco Umbrella in two days. The architectural case at scale, on a hybrid fleet.

Fortune 100 deployment. 18,000+ devices secured. The architectural case at enterprise scale.

"The eval comparisons looked different across the legacy vendors until we drew the data-plane diagrams. They all collapsed into the same shape. On-device SWG was the only one where the diagram had no remote PoP in it. That was the moment we picked dope.security."
By a Security Architect, mid-market organization.

The non-technical reason it sticks

Architecture wins the eval, but support wins the rollout. dope.security's 24/7 white glove global support team is the reason migrations finish on schedule. Phased rollout questions land on a human, not a ticket queue. Mac kernel extension edge cases, Windows agent install quirks, MDM policy push timing, every one of those questions has been answered for someone else first. For a lean security org that's already stretched, that's not a soft benefit. It's the practical reason the cutover sticks.
