The Zscaler Alternative for Law Firms: Speed, Privilege, and Why Backhauling Hurts Legal Work

The architecture problem law firms keep running into with Zscaler

A law firm is a deceptively hard environment to secure. The work product is privileged. The clients pay extreme attention to data handling. The user population is small but high-leverage. Partners travel. Associates work from coffee shops. Litigators upload terabytes of discovery. And almost every firm has at least one matter where the wrong screenshot in the wrong cloud drive becomes a multi-million-dollar problem.

Zscaler's pitch lands well on paper. "Internet Access" via ZIA. "Private Access" via ZPA. One platform, one vendor, secure everywhere. The reality of running Zscaler inside a 250-attorney firm tells a different story.

Zscaler is a cloud proxy. Every request from every device routes to a Zscaler Service Edge first, gets inspected there, and then heads out to the destination. For an attorney in New York reviewing documents hosted in iManage in the East region, the path is straightforward. For the same attorney on deposition in Houston using hotel Wi-Fi, the round trip detours through a Zscaler PoP and adds noticeable latency. Document review slows. Webex stutters. The partner blames IT.

Four pain points Zscaler creates inside a law firm

1. Privilege gets uncomfortable when traffic backhauls

Law firms have a vocabulary problem with the word "inspection." When a litigation associate is reviewing privileged material and that traffic is decrypted at a Zscaler PoP, partners ask uncomfortable questions about third-party access and data residency. The answer Zscaler gives is technical and reassuring. It is also exactly the kind of answer that ends up in front of a general counsel who would rather the inspection happen on the firm's own laptop, not in a cloud data center.

dope.security inspects on the device. The agent decrypts and re-encrypts traffic locally. No payload ever leaves the laptop in unencrypted form. For a privilege-conscious GC, that is not a marketing point. It is a posture change.

2. Document review and discovery hate cloud proxy latency

Modern litigation runs on Relativity, DISCO, Everlaw, iManage, NetDocuments. These are cloud-heavy tools that move large files and run complex queries. Every additional 30 to 80 ms of latency per request adds up across a workday. Associates running thousands of search-and-review iterations notice. Pricing partners, who measure realization against time on task, notice harder. dope.security routes direct. The 4x performance gap vs. legacy proxy SWGs is measurable on the same break-and-inspect tests Zscaler customers run internally.

3. Zscaler pricing does not match law firm shape

Zscaler's bill comes in modules. ZIA is one line. ZPA is another. Data Protection is a third. Cloud Browser Isolation is a fourth. The list expands across a renewal cycle. A 400-attorney firm with paralegals, staff, and contractors easily ends up on a per-user bill that runs into seven figures and grows every year. The Zscaler pricing math rarely improves at renewal. dope.security is one platform, one console, one transparent line item.

4. The two-console problem becomes a three- and four-console problem

Zscaler's portfolio grew through acquisition the same way Cisco's did. ZIA and ZPA do not share a single policy model the way the marketing implies. Add the Zscaler Data Protection module and you are working in a third pane of glass. For a law firm IT team that runs lean (often a director, a senior admin, and a couple of help desk staff), that operational tax is not abstract. It is the difference between policy that actually gets shipped and policy that sits in someone's queue.

What dope.security looks like for a law firm

The agent runs on the attorney's laptop. Mac or Windows. Under 100 MB of RAM. SSL inspection happens on-device. URL filtering happens on-device. Application control happens on-device. DLP happens on-device. The agent ships through Jamf, Intune, or whichever MDM the firm uses. Policy lives in a single cloud console.

A partner in Paris on a Tuesday morning hits the same enforcement as an associate in Chicago. Neither of their sessions travels through a Zscaler data center first. Both get the same protection. Neither feels the latency. Privilege stays at the device.

The dope.security platform that replaces a typical law firm's Zscaler bundle is three things in one:

dope.SWG covers the SWG layer: SSL inspection, URL filtering, anti-malware, application control. Dopamine DLP sits at the endpoint and catches sensitive content (client names, matter numbers, privileged terms) before it leaves on an upload or in a ChatGPT prompt. CASB Neural scans the firm's Microsoft 365 and Google Workspace tenants for documents shared externally, sensitive matter content sitting in OneDrive, and discovery material with the wrong sharing scope.

AI governance is where law firms feel the gap fastest

Most law firms have a written policy that says "do not paste client material into ChatGPT." Most firms have at least one associate who has done it anyway. The Zscaler answer is to block ChatGPT. That works until partners ask for a managed enterprise tenant, at which point the policy gets soft.

dope.security takes a different approach with three-layer AI governance: Shadow IT discovery shows you which AI apps the firm is using and on which accounts (corporate vs. personal). SWG policy controls allow/warn/block by app. Cloud Application Control restricts logins to the firm's enterprise tenant only, so an associate cannot sign into a personal ChatGPT or Claude and route a brief through it. Enterprise AI controls stop being a binary block-or-allow question.

What replacing Zscaler in a 250- to 2,000-attorney firm actually looks like

The migration runs side by side. Keep Zscaler in place. Deploy the dope.security agent through MDM. Pick a single office or practice group. Confirm policy enforcement. Expand. The same 30-day Zscaler migration playbook applies whether the customer is a SaaS company or a law firm.

The mid-market biotech research organization that walked away from Zscaler looked operationally similar to a mid-size firm: privilege-heavy data, traveling researchers, lean IT, frustration with cloud proxy latency, and a renewal bill they could not justify. The replacement pattern translates.

The bottom line for law firm IT leaders

Zscaler is a cloud proxy SWG that backhauls every request. That architecture made sense in 2018. It does not match the shape of a 2026 law firm where every attorney is mobile, every matter is cloud-heavy, and every partner wants to be sure privileged work product is not making an unnecessary stop in a third-party data center.

An agent-based endpoint SWG that inspects on the device, enforces policy in seconds, and lives under one console is the right architecture for legal. dope.security is the named replacement.

Pilot it on one practice group. Pick the most cloud-heavy team you have, deploy the agent through your MDM, and benchmark a workday against the Zscaler path. Start a free trial or book a 20-minute demo.