Why an SMB Technology Firm Walked Away From Sophos for Its SWG

The Sophos endpoint had its place. The Sophos web filter, less so. By the time this story starts, the IT lead had stopped trying to defend the web-filtering line item internally, and the security architect leading the eval had a tight brief and a tighter timeline. This Sophos alternative case study is the rest of the story.

The customer is an SMB technology firm in North America with a small but tightly-run engineering and operations team. They replaced the Sophos web filtering tier with dope.security and got dope.SWG running across the managed estate inside the first weeks of the project.

Quick read

• Industry: Technology
• Replaced: Sophos
• Deployed: dope.SWG

Where things stood

The Sophos endpoint had been quietly doing its job. The web-filtering component had been quietly doing less. Category coverage was thin. SSL inspection was a complaint magnet. The console was built for the endpoint product first, and the SWG functionality sat next to it as a feature, not a focus. For an SMB tech firm with customers asking real questions about how it controls web traffic, that wasn’t going to hold.

The Security Architect had a short list. Inspect HTTPS on every managed laptop, on or off the corporate network. Get out from under a web filter that was a feature of an endpoint product, not a real SWG. Keep the console simple enough that one IT lead could run it. And get the migration done without an enterprise services engagement.

Why a real SWG was overdue

SMB technology firms tend to underspend on the SWG line item because the endpoint product they’re already paying for offers something adjacent. That works until it doesn’t. The threshold tends to be a customer security questionnaire that asks specifically about HTTPS inspection and category-based policy, not just endpoint malware coverage.

That was the trigger here. The questionnaire came in. The honest answer was uncomfortable. The Security Architect went looking for a real SWG.

Why an on-device proxy fit the SMB shape

dope.security’s fly-direct architecture moves the proxy onto the endpoint. Web filtering, SSL inspection, and policy enforcement happen on the device. There’s no cloud PoP to route through, no backhaul, and no extra agent stack to manage on top of the endpoint product the firm was already running.

For an SMB technology firm with most of the workforce on the road or at home, that meant the SWG was wherever the laptop was, with the same policy in every location. The architect ran a pilot inside two weeks. Policy was authored in the dope.console and pushed in minutes. SSL inspection turned on without the help desk calls everyone had been bracing for. The Sophos web-filtering layer was decommissioned by org unit, and the endpoint product stayed in place for what it was actually good at.

“We weren’t going to replace the endpoint product. We just needed a real SWG, run from a console one of us could actually manage. dope.security gave us that in weeks, and the next customer security questionnaire came back as a different conversation.”

— Security Architect, an SMB technology organization

The non-technical reason

Architecture and price got dope.security shortlisted. The 24/7 white glove global support team is why the architect signed.

An SMB tech team runs lean. The architect was not going to win a hire-three-people fight. The deal came down to whether the vendor’s support team would actually pick up the phone when something needed an answer. With dope.security, the customer was on a first-name basis with the support engineers inside the first month, and the questions that used to live in a ticket queue came back as same-day answers.

What changed

Inside the first weeks, the team had SSL inspection running across every managed laptop, on or off the corporate network. The Sophos web-filtering tier was decommissioned. The Security Architect had a clean, instrumented answer for the customer security questionnaire that had triggered the project. And the renewal conversation on the endpoint product got cleaner, because the SWG was no longer baked into a single SKU with a feature that wasn’t earning its space.

The architect’s read on the project was simple. The firm got a real SWG, on a console one person could run, in weeks rather than quarters.

FAQ

Why do SMB technology firms replace the Sophos web filtering tier? The most common reasons we hear are thin category coverage, SSL inspection that’s a complaint magnet, a console built for the endpoint product first with the SWG sitting next to it as a secondary feature, and a customer security questionnaire that asks the SWG-specific question the endpoint product can’t answer.

Can an SMB technology firm deploy a real SWG without a dedicated security team? Yes. An on-device SWG like dope.SWG removes most of the infrastructure that drove the need for a dedicated security operations team. Policy lives in a single console, deployment is tied to the existing endpoint management tool, and there’s no PoP architecture to manage.

How fast is a Sophos-to-dope.security migration? Most migrations measure rollout in weeks. The dope.security agent deploys via the existing endpoint management tool, the policy moves into dope.console, and the Sophos web-filtering tier is decommissioned by org unit. The endpoint product itself can stay in place for the role it actually does well.

About dope.security

dope.security, the Distributed On-device Proxy Endpoint, is the preferred security vendor for security leaders across SMBs, midsize enterprises, Fortune 500 companies, and the world’s top VC and PE firms. Deployed in 83 countries, dope.security protects web, data, and AI traffic globally through its patented fly-direct architecture.