A Private Equity Firm's Cisco Umbrella Alternative, Built for an IT-of-One

Most private equity firms run security the way they run everything else: leverage one good operator across a portfolio that doesn't actually share infrastructure. The fund has a small central team, the portfolio companies have their own stacks, and the person responsible for "security" at the fund level is usually somewhere between an IT manager and the person who happens to know the most about it. Which means the security tool the fund picks is, by default, the tool that has to survive across travel, time zones, and a portfolio that doesn't agree on anything.

That's where this SMB-band global PE firm was when their CISO (a title that, in this fund, also covered most of IT) started looking for a Cisco Umbrella alternative.

Quick read

• Industry: VC/PE
• Replaced: Cisco Umbrella
• Deployed: dope.SWG + CASB Neural

Question one: how do we make policy travel with the partner, not the office?

The fund's partners worked across four time zones in any given week. Hotel Wi-Fi, airport lounges, the occasional shared office at a portfolio company's site. Umbrella's roaming client was supposed to keep policy on those endpoints. In practice, the CISO kept seeing coverage drop the moment a partner left the home network and stayed off it for more than a few days.

The architectural answer the CISO wanted was simple to describe: the policy needs to live on the laptop, not on the network. The on-device proxy model was the first eval criterion. The team also wanted to skip the "did the roaming agent check in today" anxiety that had become a habit. They started by walking through the complete guide to Cisco Umbrella alternatives, partly to confirm the team wasn't just chasing the newest thing.

The proof of value was small by design. A few partner laptops, a couple of weeks of real travel, no special-case configurations. The on-device proxy held policy through every network change. The CISO noticed something else too: the laptops behaved the same way on a hotel guest network as they did in the fund's own office. That consistency was the part Umbrella had never quite delivered.

Question two: what's actually happening inside our OneDrive tenant?

The second question came up almost by accident. The CISO had asked Umbrella for visibility into external sharing behavior in the fund's OneDrive tenant and gotten back, essentially, nothing useful. DNS resolution doesn't see what's inside a SaaS app. The fund had years of "shared with a banker," "shared with outside counsel," "shared with a portfolio CFO" actions stacked up in the tenant. Nobody had ever produced a single view of what was currently exposed externally.

CASB Neural surfaced that view in the first week. The team got a list of external shares, a categorization of who shared with whom, and a clear set of items to act on. The CISO described it later as the kind of finding that justifies the entire vendor swap on its own, even before counting the SWG improvements.

I budgeted for a better web filter. What I actually got was a Monday morning where I could finally answer the question "what's leaving our OneDrive" without making something up. That was the moment my partners stopped asking why we changed vendors.

- CISO, an SMB VC/PE organization

The CISO's framing on what CASB Neural actually does sat closely to the explainer in what makes CASB Neural different, which was useful when explaining the value to non-technical partners on the investment side. The OneDrive findings also fed into the broader SaaS-sprawl conversation the CISO had been trying to start; the patterns matched what a SaaS-sprawl assessment piece describes for funds of this size.

Question three: can we run this across a portfolio that doesn't share infrastructure?

This was the question the CISO worried about most. Portfolio companies at the fund ranged from a couple of dozen people to a few hundred, on different cloud stacks, with different MDMs, with security postures the fund could recommend but not mandate.

The on-device proxy turned out to be the answer here too. Because the security stack lives on the laptop and doesn't require shared network infrastructure, the fund could roll out the same baseline policy to portfolio companies one at a time without coordinating with each company's network team. Companies that wanted to layer additional policy could do so. The fund-level baseline stayed intact regardless.

The CISO didn't try to mandate dope.security across the portfolio overnight. Instead the rollout looked like a recommendation supported by working policy, with the fund running the cutover at its own offices first and offering the same setup to portfolio companies that wanted the baseline. Three portfolio companies adopted in the first quarter, two more in the second.

What the support team meant for a one-person shop

A CISO who's also IT does not have time for ticket purgatory. The 24/7 white glove global support team mattered less as a marketing claim and more as a structural reality: named dope.security engineers showed up directly in the fund's channel, the team running point on any given day actually answered, and the queue between "I have a question" and "the question is answered" was the channel itself. For a fund running across multiple time zones, having follow-the-sun coverage on a first-name basis is the version of support that small teams actually need.

What changed for the fund and its portfolio

• Policy enforcement on traveling partner laptops reached parity with home-office for the first time.
• External-share visibility in OneDrive moved from "nothing useful" to a clear, actionable inventory.
• The fund extended the same security baseline to three portfolio companies inside the first quarter.
• Operational time spent troubleshooting roaming-client behavior dropped to near zero.
• Renewal pricing landed materially below the Umbrella three-year projection.

FAQ

Q: How does dope.security work for a partner who travels constantly?

The secure web gateway runs on the laptop itself, so policy is enforced regardless of which network the partner is currently on. Hotel Wi-Fi, airport lounges, a portfolio company's guest network, the same policy applies. There's no separate roaming client to monitor.

Q: What does CASB Neural actually do for a small fund's OneDrive tenant?

CASB Neural inventories external and public shares in the cloud drive, surfaces which items are exposed and to whom, and gives the team a working list of what to remediate. For funds with years of accumulated sharing behavior, the first-week inventory is usually the most useful artifact in years.

Q: Can a fund extend the same security baseline to portfolio companies?

Yes. Because the architecture lives on the device rather than on shared network infrastructure, the same fund-level baseline can be rolled out to portfolio companies one at a time without requiring infrastructure changes. Companies that want to add their own layered policy can do so without breaking the baseline.

About dope.security

dope.security, the Distributed On-device Proxy Endpoint, is the preferred security vendor for security leaders across SMBs, midsize enterprises, Fortune 500 companies, and the world's top VC and PE firms. Deployed in 83 countries, dope.security protects web, data, and AI traffic globally through its patented fly-direct architecture.