A Mid-Market Energy Services Team Moving Off Cisco Umbrella, One Field Crew at a Time

The crew lead pulls into a service yard at 6:40 a.m. The truck has a cellular hotspot bolted to the dashboard, two ruggedized laptops in the bed, and a printout of the day's work orders taped to the visor. By 7:15 they're at a customer site, by 7:40 they're connected to a substation controller through a hardened laptop, and by 8:05 the cellular bars have dropped to one and the laptop has quietly stopped enforcing the company's web policy. That moment, repeating across dozens of crews every week, was the reason this mid-market energy services organization in North America started moving off Cisco Umbrella.

The crews didn't notice. The Security Architect noticed.

The first sign was a log gap

The team ran an energy-as-a-service model, which is a polite way of saying their billable hours happened outdoors. Equipment installs, monitoring visits, emergency service calls. Most of the workday, for most of the workforce, was spent on a network somebody else owned. Cellular hotspots, customer guest Wi-Fi, the occasional satellite uplink at sites where the cellular map said one bar and meant zero.

Umbrella's roaming client was meant to follow those laptops. On paper it did. In the field, the logs kept telling a different story. Traffic from a crew laptop would show up for an hour, drop out for ninety minutes, then come back as a batch upload at the end of the day. Sometimes a device just stopped reporting until it returned to a stable link. For a security team trying to answer "what happened on that endpoint at 11 a.m." in an incident review, that gap was the whole problem.

The architect started writing it down. He had three weeks of field logs from a dozen crews and the same pattern showed up in all of them. Connectivity flapped, the roaming agent failed open or quietly suspended enforcement, and the security floor turned into a security suggestion. The team had been compensating with stricter endpoint baselines and a heavier EDR ruleset, but that wasn't a fix. That was a tax.

What he wanted instead

The architect's evaluation list was short. He wanted policy that didn't care about the network the laptop happened to be on. He wanted enforcement to keep running when the cloud was unreachable. He wanted HTTPS inspection on the device itself, not in a regional cloud the laptop might never reach on a marginal cellular link. And he wanted a vendor that would talk to him in plain English when something broke at 4 a.m. on a site in the middle of nowhere.

He found a pattern in the case for replacing Cisco Umbrella in 2026 that matched the architecture he'd been sketching on a whiteboard. Inspection on the endpoint. Policy cached locally. No hairpin to a data center. He spent a Friday afternoon reading a short-form replacement narrative from another buyer and put the dope.security team on the calendar for the following week.

The proof was a bad cellular signal

The proof of value didn't run in a lab. It ran on three crew trucks and one operations laptop at headquarters. The architect's only ask was that the trial laptops travel the same routes the production laptops traveled. Same cellular dead zones, same customer site Wi-Fi, same back-of-nowhere service calls.

What he saw, over a week, was that the on-device proxy kept enforcing through every handoff. Policy didn't fail open when LTE dropped to one bar. Telemetry queued locally and uploaded when the link came back. The pieces he'd been working around with Umbrella (hairpin routing, the roaming client's gap, the DNS-only blind spot on HTTPS) all stopped being daily concerns. He pulled additional context from the dope.security write-up on remote and hybrid workforce security when he briefed his director, because the architecture mapped almost one-for-one to what his field workforce actually needed.


"The shift wasn't dramatic, which is what surprised me. A crew laptop on a cellular hotspot now enforces the same policy as a laptop in the office, because the enforcement happens on the device. That's it. That's the whole architecture conversation."

- Security Architect, a mid-market energy organization

Rolling out without a network change

The deployment itself happened crew by crew, not site by site. The dope.SWG agent went out through the standard endpoint management tooling the IT team already ran for software updates. There were no DNS reconfigurations to push, no forwarders to repoint, no per-site network changes to coordinate with the operations director. A crew showed up Monday morning, the agent was already on the laptop, and the work order was the same.

The support relationship took some getting used to, in a good way. There was no ticket queue to push into when something looked off. The architect had a dedicated channel with the 24/7 white glove global support team, and the engineers in it were the same engineers all the way through, regardless of time zone. When a generator-site laptop reported a categorization question at 2 a.m. local time, somebody who actually understood the product was already typing back by the time the architect woke up.

Quick read

· Industry: Energy
· Replaced: Cisco Umbrella
· Deployed: dope.SWG

What looked different a quarter in

· HTTPS inspection coverage on field endpoints went from partial to near-complete.
· Policy enforcement held through every cellular handoff and intermittent link the team could throw at it.
· Admin overhead on the roaming layer dropped substantially. Tickets from crew leads about "weird browser stuff" effectively stopped.
· The three-year cost projection came in materially below Umbrella's renewal track.
· Time to publish a global policy change shrank from a multi-day rollout to one afternoon.

FAQ

Q: Does dope.security keep enforcing web policy when a laptop's cellular connection drops?

Yes. Because dope.SWG is an on-device proxy, enforcement happens locally on the laptop. Policy stays applied through cellular handoffs, marginal LTE links, and brief disconnects. Telemetry queues on the device and uploads when the connection returns.

Q: How do field-heavy industries usually handle DNS filtering gaps when moving off Cisco Umbrella?

Most field-heavy buyers we talk to end up wanting two things at once: HTTPS inspection that actually runs on the endpoint, and policy that doesn't depend on the laptop reaching a regional cloud. dope.SWG covers both because the inspection happens on the device, not in a backhauled data center.

Q: What does cutover look like for a field workforce that's rarely in the office?

The dope.SWG agent installs through the same endpoint management tooling that already pushes software to those laptops. There's no DNS reconfiguration and no per-site network change. Crews keep working through the cutover because the swap happens silently on the device.

About dope.security

dope.security, the Distributed On-device Proxy Endpoint, is the preferred security vendor for security leaders across SMBs, midsize enterprises, Fortune 500 companies, and the world's top VC and PE firms. Deployed in 83 countries, dope.security protects web, data, and AI traffic globally through its patented fly-direct architecture.
