The Field Engineer Test: One Renewable Energy Operator's Story of Moving Off Cisco Umbrella

A field engineer parks at a remote substation just before dawn, opens a laptop on the hood of a truck, and tethers to a cellular signal that drops in and out depending on which way the truck is facing. The laptop has to reach the site control system, pull telemetry, push a firmware change, and log the work. The security stack on that laptop has exactly one job: enforce policy, regardless of which network the laptop happens to be on at any given second.

For this enterprise renewable energy operator, the field engineer test is the test that mattered. And it was the test that finally pushed the team into moving off Cisco Umbrella.

Quick read

  • Industry: Energy
  • Replaced: Cisco Umbrella
  • Deployed: dope.SWG

What field reality actually looked like

The fleet supporting site operations includes dozens of engineers who spend more time at remote sites than at any office. A typical workday cycles through corporate Wi-Fi at the field office, a personal hotspot at lunch, a customer-site guest network, and a cellular tether at the actual asset. Each handoff is a chance for security posture to slip.

With Umbrella's roaming client in the path, the team kept seeing the same pattern. The DNS-only filtering layer behaved one way on the corporate network and another way on cellular. SSL inspection on the SWG component was either inconsistent or absent depending on what the laptop had cached from its last check-in. The Principal Architect on this team had a folder of incident notes that all started the same way: "Engineer was off-network, policy didn't enforce, here's what we found in the logs."

That pattern had a cost the team was reluctant to put a number on, mostly because the number kept growing. The Principal Architect started the search for an alternative by reading the case for replacing Cisco Umbrella in 2026 and walking through the architectural argument with the network engineering lead.

What Umbrella did vs. what dope.security does

Side by side, the architectural difference is what made this an easy decision in hindsight. Here's how the two stacks actually compare on the work this team cares about.

With Umbrella in the path, the laptop sent DNS lookups to one of Cisco's resolvers. When the SWG tier was in scope, the encrypted session was supposed to hairpin through a regional Cisco data center for inspection. The roaming client mediated which traffic got which treatment. On a stable corporate link that worked acceptably. On cellular, on a customer-site guest network, on anything intermittent, the roaming client either fell off-policy or tried to reach a cloud it couldn't get to. The inspection that was supposed to happen didn't.

With dope.security in the path, the secure web gateway runs on the laptop itself. There's no resolver to reach first and no regional cloud to hairpin through. Policy is cached locally, and enforcement happens in the same place the user is sitting, regardless of which network the device is currently on. If the cellular link drops for two minutes, the laptop keeps enforcing because the policy is already there. If the engineer joins a customer-site Wi-Fi that's never been seen before, the secure web gateway behaves the same way it did at the field office, because the SWG is on the device, not on the network.

The team also walked through the framing in a head-to-head look at protection speed across modern SWGs, partly to confirm that the on-device approach was holding up against other modern stacks the company might have considered.

What the rollout actually looked like in the field

The Principal Architect ran the cutover in two phases. Phase one was a pilot on the field engineering group most affected by the roaming-client problem. The pilot ran on real cellular conditions, real customer-site networks, real intermittent connectivity. The team measured policy enforcement consistency and round-trip time on inspected sessions.

Phase one produced the answer. Inspection consistency on cellular and customer-site networks reached a level the roaming client never produced. The team also paid attention to perceived latency from the field, because engineers will tell you about a slow link in about ninety seconds. The on-device model, by removing the round trip to a regional inspection cloud, was visibly faster on the kind of high-latency links the team works on every day. The patterns lined up with what the dope.security remote-work SWG framing describes.

Phase two was the rest of the workforce, which moved quickly once the field group signed off.

Why the support pattern mattered out in the field

The 24/7 white glove global support team was the other half of the win. The architect's team works odd hours by definition, and field issues don't respect time zones. Through the rollout and into steady state, named dope.security engineers stayed paired in the team's channel, answered questions in minutes regardless of when those questions got asked, and skipped the Tier 1 queue the team had grown used to with the incumbent. When a question came in from a field engineer at 2 AM local, the answer was on its way before the next site check.

The on-device proxy was the technical answer to a problem we had been working around for years. We stopped designing around the network we wished we had and started enforcing on the laptop we actually shipped to the engineer.

- Principal Architect, an enterprise energy organization

What changed for the field fleet

  • Off-network policy enforcement reached parity with on-network for the first time.
  • Perceived latency on high-latency links dropped because the regional inspection round trip went away.
  • Site reliability incidents involving "policy didn't enforce" fell to near zero.
  • Annual licensing landed materially below the incumbent's three-year projection.
  • Field engineering laptops produced a single, clean log stream regardless of network.

FAQ

Q: Does dope.security keep policy enforced when a laptop's connectivity drops?

Yes. Policy is cached on the device, and enforcement happens locally. If the cellular link or the field network drops, the secure web gateway keeps enforcing the last known policy until the laptop reaches the management plane again. There's no window during which the device is unprotected.

Q: What happens to perceived latency on remote sites after moving off Cisco Umbrella?

Most field-heavy teams see a measurable improvement on high-latency links. Removing the hairpin to a regional inspection cloud takes a round trip out of every session, which matters most on cellular and degraded networks. The actual delta depends on geography, but the direction is consistent.

Q: How does the rollout work for a workforce that's mostly in the field?

The fastest path is a pilot on the field group first. That's the workforce slice where the architectural delta is the most visible, and it's the group that will tell the rest of the company whether the change is real. Once the field group signs off, the broader rollout typically follows MDM channels without per-site work.

About dope.security

dope.security, the Distributed On-device Proxy Endpoint, is the preferred security vendor for security leaders across SMBs, midsize enterprises, Fortune 500 companies, and the world's top VC and PE firms. Deployed in 83 countries, dope.security protects web, data, and AI traffic globally through its patented fly-direct architecture.
