Netskope Alternative Case Study: How a Mid-Market SaaS Company Eliminated the Tunnel Throughput Bottleneck

A mid-market SaaS technology company replaced Netskope's cloud-proxy SWG with dope.security's on-device SWG. The tunnel-throughput ceiling that capped their distributed engineering team disappeared because the architecture itself eliminated the tunnels.

The TL;DR

• Industry: Technology (SaaS)
• Replaced: Netskope SWG
• Deployed: dope.SWG, Dopamine DLP

Where things stood

The team ran on Netskope. It worked, sort of, when most of the engineering org was in the office. As the company grew remote and added new regions, the cracks showed up in the same place: the tunnels.

IPsec tunnels barely reached 250 Mbps. GRE tunnels capped around a gig. The networking team was stitching together more and more tunnels to keep up, and the ops calendar started filling with "rebuild HA pair" tickets. No native SD-WAN support to lean on meant every HA decision was a custom build.

When the tunnels became the bottleneck

A reproducible symptom kept hitting: engineers pushing large container images and pulling big datasets would watch throughput collapse to the IPsec ceiling, then spend an hour blaming their laptops, their wifi, anything other than the security stack. Eventually someone in networking sent a Slack message that read like a confession: "It's the proxy."

The pain wasn't unique to this team. A widely shared Reddit thread on r/networking laid out the exact same complaint: IPsec hitting 250 Mbps, GRE topping out around 1 Gbps, multiple tunnels needing constant admin work, no native SD-WAN to lean on, proxy inspection limited to a handful of protocols, files getting skipped because of size caps and shallow archive recursion. Reading it felt like reading their own internal Jira board.

That last part hurt more than the throughput. Encrypted archives and large files were sailing past the proxy because the cloud inspector wouldn't unpack them. The "we have a SWG" claim turned out to mean "we have a SWG for the easy stuff."

Looking for a way out

The eval criteria were short and concrete. Scale without tunnel hacks. Cover all traffic types. Inspect files deeper than three levels of archive. Custom policy without a PhD in the policy engine. A console that doesn't make the senior engineer wince. The team scanned the usual Netskope alternatives (Zscaler, Cisco Umbrella, Forcepoint) and noticed something uncomfortable: all of them route traffic through the same kind of vendor PoP. The architecture that produced the bottleneck was the architecture they'd be buying again.

Why on-device SWG won the eval

dope.security's on-device approach changed the math because there were no tunnels to babysit. The dope.endpoint agent runs SSL inspection, URL filtering, anti-malware, and Dopamine DLP locally. Traffic flies direct from the device to its destination. No PoP detour. No IPsec cap. No GRE redesign at the network edge.

The throughput conversation evaporated because the architecture had nothing to throttle. The file inspection conversation evaporated because Dopamine DLP runs in the agent and reads file content directly on the endpoint, including encrypted archives that the proxy used to skip.

"We swapped a backhauled proxy for an on-device agent. The first day, the throughput tickets stopped. The first week, the tunnel HA calendar items disappeared. The first month, nobody on the networking team had touched a GRE config. That alone paid for the switch."
By a Principal Architect, mid-market SaaS technology organization.

The non-technical reason it stuck

The security team is lean, and the time difference between west coast engineering and a vendor that supports them on a real schedule mattered. dope.security's 24/7 white glove global support team got tagged in on Slack within minutes when a Mac kernel extension question came up during phased rollout. The response wasn't a ticket number. It was a human, on the right side of midnight, who'd seen the issue before.

What changed

• Throughput ceiling lifted. No tunnels to cap, so no per-tunnel Mbps wall.
• Ops calendar cleared. The "rebuild HA pair" tickets stopped showing up.
• File inspection got real. Dopamine DLP runs in the agent. No proxy-side size caps, no skipped large or encrypted files.
• Console UI stable. Single dope.console for SWG, CAC, and DLP. Policy pushes in seconds.
• Lower total cost. One SKU at $60 per device per year replaced a multi-module Netskope bundle.

FAQ

Why are Netskope tunnels capped at 250 Mbps for IPsec?

The cap is a function of the cloud-proxy architecture. Traffic forwards from the customer edge through an IPsec tunnel to a Netskope PoP, where inspection runs. The IPsec termination on the PoP side is the throughput limiter. Adding more tunnels is the only path to more throughput.

Does dope.security need tunnels?

No. dope.SWG runs SSL inspection, URL filtering, anti-malware, and Dopamine DLP on the endpoint. There are no tunnels to cap, no HA pairs to maintain, and no SD-WAN dependency.

What about file inspection?

Dopamine DLP inspects file content on the endpoint, including encrypted archives. There are no proxy-side file size caps because there is no proxy in the data path.

About dope.security

dope.security, the Distributed On-device Proxy Endpoint, is the preferred security vendor for security leaders across SMBs, midsize enterprises, Fortune 500 companies, and the world's top VC and PE firms. Deployed in 83 countries, dope.security protects web, data, and AI traffic globally through its patented fly-direct architecture.