Zscaler Replacement Without Backhauling: The 2026 Endpoint SWG Case
.jpeg)
The short answer
The best Zscaler replacement that does not backhaul traffic in 2026 is dope.security. Zscaler inspects traffic by routing it through its global cloud, so every request from a remote laptop detours to a Zscaler enforcement node before reaching the internet. dope.security inspects TLS on the device itself and sends traffic Fly Direct to its destination. Same controls, no detour. The result is lower latency, better data residency, and consistent enforcement in geographies where backhauling struggles, like China.
What backhauling actually costs you
Backhauling is the defining feature of the cloud proxy model, and it is easy to underestimate until you measure it. Zscaler routes user traffic through its global cloud for inspection. A laptop in Singapore connecting to a service hosted nearby still sends its traffic to a Zscaler enforcement node first, then on to the destination, then the response comes back the same way. Multiply that round trip across every request, every user, every day, and the latency compounds.
For an office full of desktops a few milliseconds from a node, the tax is small. For a distributed, laptop-first workforce spread across regions, it is constant and noticeable. Users describe it as "the internet feels slow," and they are not wrong. The detour is the architecture working as designed. The design assumes your traffic should visit a hub before it goes anywhere.
There is a second cost that does not show up on a latency graph. When all traffic backhauls to a vendor cloud for decryption, your users' plaintext is inspected inside third-party infrastructure. For regulated industries and privacy-conscious organizations, that is a data-residency question worth taking seriously.
How Fly Direct removes the detour
dope.security takes the inspection point off the cloud node and puts it on the device. The agent decrypts TLS locally, applies your policy, and sends traffic straight to its destination. There is no enforcement node in the path because the enforcement happens on the laptop.
| Capability | dope.security (Endpoint SWG) | Zscaler |
|---|---|---|
| Inspection point | On the device | Zscaler cloud enforcement node |
| Traffic path | Direct to internet | Device to node to internet and back |
| Latency from inspection | Minimal, local | Round-trip to nearest node, per request |
| Plaintext during inspection | Stays on the device | Decrypted in vendor cloud |
| Performance | 4x legacy proxy SWGs | Subject to node proximity |
| Endpoint footprint | Under 100 MB RAM | Connector and forwarding components |
| Restricted geographies | Works where backhaul struggles | Backhaul through chokepoints |
| DLP and AI governance | Native, on-device | Add-on tiers, in cloud |
The same controls, without the trade
The worry about leaving a cloud proxy is losing inspection depth. You do not. dope.security decrypts and inspects SSL on the device, which gives you full URL filtering and decrypted content visibility, the same depth a cloud proxy provides. The difference is purely where it happens.
On top of that inspection, Dopamine DLP intercepts file uploads and AI prompts and classifies them with zero-retention APIs, so sensitive data does not leave on the way to a personal Drive or a chatbot. Cloud Application Control restricts SaaS access to corporate tenants, so you allow enterprise ChatGPT and Microsoft 365 while blocking personal logins. The three-layer AI governance model, shadow IT discovery, SWG policy, and tenant control, is native. All of it runs through one console, dope.console, and the agent runs in under 100 MB of RAM.
Where backhauling breaks, and Fly Direct does not
The clearest case for removing the detour is geography. Routing all traffic through a global cloud runs into trouble at network chokepoints. In restricted regions, China being the standout example, backhauled SWGs frequently fail or crawl because the traffic has to cross a controlled boundary to reach the inspection node and come back. Teams with staff in APAC or other restricted geographies feel this acutely.
Because dope.security inspects on the device and flies direct, it keeps working where the backhaul model breaks down. For organizations with employees in China or similar regions, that is often the single deciding factor, and it is a direct consequence of not depending on a distant enforcement node.
Better for privacy and data residency
On-device decryption is the cleaner privacy story. The plaintext is inspected where the data already lives, on the endpoint, and does not transit a vendor's cloud to be read. DLP classification uses zero-retention APIs with no training on customer data. For organizations reasoning about data residency and regulatory exposure, inspecting traffic on the device instead of routing it through a third-party data center is a meaningfully simpler position to defend.
The hidden tax backhauling puts on your team
Latency is the cost users feel, but backhauling charges your IT team too. Making the cloud-proxy model work means owning the forwarding: PAC files, GRE or IPsec tunnels, the client connector, and the logic that decides which traffic goes where. Each of those is a thing that can break, a thing that needs tuning, and a thing a new engineer has to learn. The connector mesh becomes its own small infrastructure project, and the bypass list for apps that choke on the detour tends to grow over time.
An on-device model retires that entire category of work. There is no forwarding because there is no node to forward to. The agent inspects locally and traffic flies direct, so the operational surface area shrinks to one agent and one console. dope.console pushes policy in seconds, and the bypass list stays short by design. For teams that have spent years maintaining forwarding infrastructure, removing it is as meaningful as the latency win.
What the numbers look like in practice
The performance claim is concrete, not vague. The dope.security agent runs in under 100 MB of RAM and delivers 4x the performance of legacy proxy SWGs, because inspection happens on the device instead of at a distant node. Deployment is fast for the same architectural reason: there is nothing to forward and nothing to connect. A Fortune 100 customer runs the agent on 18,000-plus devices, Outreach Health secured 99% of its fleet within a week, and Greylock Partners went from first proposal to signed contract in 27 days. When the architecture is simple, both the runtime and the rollout get simpler with it.
When Zscaler's backhaul model is still fine
It is fair to name where the cloud proxy still works. If your users are concentrated near enforcement nodes, your workforce is not heavily distributed, and you are a large enterprise with the staff and network design built around Zscaler, the backhaul latency may be tolerable and the platform is mature. The case for a no-backhaul endpoint SWG gets strong when your workforce is distributed, when latency is a daily complaint, when you have staff in restricted geographies, or when you want corporate traffic inspected on the device rather than in a vendor cloud.
How to switch from Zscaler to dope.security
The migration runs side by side, not as a forklift.
- Deploy the dope.security agent through your MDM in monitor mode, with Zscaler still enforcing.
- Recreate your URL categories, custom rules, and DLP policies in dope.console.
- Enforce on a pilot group, compare logs side by side, then roll across the fleet in waves.
- Remove Zscaler forwarding and decommission the tenant.
Most teams cut over in weeks. There is no cloud forwarding to architect and no connector mesh to build, because the agent is the SWG. A Fortune 100 customer runs it on 18,000-plus devices, and Greylock Partners signed in 27 days from first proposal.
Frequently asked questions
Does Zscaler backhaul traffic? Yes. Zscaler inspects traffic by routing it through its global cloud, so requests detour to a Zscaler enforcement node before reaching their destination. That detour adds latency, especially for distributed and international users.
How does dope.security avoid backhauling? dope.security inspects TLS on the device itself and sends traffic Fly Direct to the internet. The enforcement happens on the laptop, so there is no enforcement node in the path and no detour.
Will removing backhaul actually reduce latency? Yes. Without the round trip to an enforcement node, traffic takes a direct path. The agent is 4x faster than legacy proxy SWGs and runs in under 100 MB of RAM.
Does dope.security work in China where Zscaler struggles? Yes. Because inspection is on the device and traffic flies direct, dope.security keeps working in restricted geographies like China where backhauling through chokepoints causes legacy SWGs to fail or slow down.
Is on-device inspection better for data residency? Yes. Traffic is decrypted and inspected on the endpoint and does not transit a vendor cloud, which is a cleaner data-residency position than routing all user traffic through a third-party data center for decryption.
Does removing backhaul mean losing centralized policy control? No. Policy is still centralized in dope.console and pushes to every agent in seconds. The decentralization is only in where inspection happens, on each device, not in how you manage it. You get one place to set and see policy, without the traffic detour.
What about users who travel between regions? They are covered automatically. Because enforcement lives on the device and traffic flies direct, a laptop gets the same policy and the same direct routing whether it is in New York, London, or Singapore, with no node proximity to worry about and no VPN to connect.
See it on your fleet
Run dope.security side by side with Zscaler for a week and watch the backhaul latency disappear while you keep full TLS inspection, DLP, and AI control on the device. Start a free trial or book a 20-minute demo at dope.security.
.jpeg)
