Netskope
Primary partner · Secure Service Edge

See everything. Control anything.

Your data lives in the cloud, moves over the web and now flows through AI. Netskope puts one intelligent checkpoint in that path, so you can see every interaction and control it in real time. Here is the whole story, in plain terms.

Why Netskope

Your users, data and apps left the building. Security has to meet them where they work.

The old model, backhaul everything to a data centre firewall, breaks the moment work moves to the cloud and the edge. Netskope inspects traffic inline, close to the user, on a private global network, then applies one set of zero-trust policies across web, SaaS, private apps, and now AI.

NewEdge network

A private global edge for low-latency inline inspection, not a public-cloud rental.

Zero Trust Engine

One real-time, adaptive policy engine across every traffic type and identity.

SkopeAI

AI woven through the platform, both to secure it and to secure your use of AI.

The NewEdge network

Security that runs on its own private cloud.

Everything Netskope does runs on NewEdge: a global private cloud with full compute in every region, directly peered with Microsoft, Google and thousands of networks. Traffic is inspected at a point of presence near the user, so you get security without a performance trade-off.

131
Data centres
Across 82 metros worldwide
75+
Regions
Low-latency on-ramps
220+
Localisation zones
Countries & territories
2K+
Network adjacencies
Extensively peered
99.999%
Uptime SLA
<10ms / <50ms processing
Mapping the global network…
Data plane (data centre) Directly peered with Microsoft & Google in every region possible.
First, the two foundations

SWG and CASB, in plain English.

Two letters-soup acronyms that do simple jobs. They are the engine the whole platform is built on.

The inspector for everything you browse.

A Secure Web Gateway sits between your people and the internet. Every web request runs through it first. It decrypts the traffic (yes, even HTTPS), checks the site and the content, blocks threats like malware and phishing, and stops sensitive data being uploaded where it shouldn’t. Think of it as a smart security desk every web request walks past, on or off the office network.

The controller for your cloud apps.

A Cloud Access Security Broker sits between your people and SaaS apps like Microsoft 365, Google, Salesforce and thousands more. It sees which apps are in use (including ones IT never approved), tells the corporate account apart from a personal one, and controls the actions inside, upload, download, share, so you can allow the app but govern what happens in it. It works two ways: inline (in real time) and via API (scanning data already sitting in the app).

The key idea

Older tools could only see a web address and say yes or no to the whole thing. Netskope decodes the traffic and understands the app, the instance and the action. That is the difference between "block Dropbox" and "let people use corporate Dropbox, but never upload a customer list to a personal one".

One engine, every kind of traffic

It doesn't just filter URLs. It understands what's inside the traffic.

Network
Inspects packets
Web
Inspects HTTP/S
SaaS
Decodes JSON
AI / MCP
Decodes MCP

Network traffic

Firewall-as-a-Service inspects packets across all ports and protocols, with IPS, DNS security, SOCKS5 proxy and DNSaaS. The branch and the remote worker get the same controls as head office, with no appliance to age out.

Web traffic

A next-gen Secure Web Gateway inspects HTTP/S with TLS decryption, URL filtering, threat protection and Remote Browser Isolation for risky sites, judging traffic on real-time risk rather than a static category list.

SaaS traffic

Inline and API CASB decode the JSON inside SaaS sessions, so policy can tell your sanctioned Microsoft 365 from a personal tenant, allow the read but block the upload, and reach data already at rest in connected apps.

AI & MCP traffic

The Agentic Broker and AI Gateway decode MCP, the protocol AI agents use to talk to tools and data. That means visibility and control over non-human AI interactions, not just the human-to-chatbot prompts.

One transaction, full context

It sees the whole story, not just the request.

Cloud XD decodes every transaction into the context that matters, the who, where, what, which app and which data, so one policy can be precise instead of blunt.

Encrypted traffic
0100110101000111010110100101110100101101001011010010
010 1101 0100 1011 0010 1101 0110
1100 0101 1010 0110 1001 0011
0101 1100 0011 1010 0101 1001
Cloud XD · SSL/TLS + API/JSON decode →
Cloud XD
Full context, real time
User
Simon, Sales
Location
Remote
Device
Personal laptop
App
HubSpot · SaaS
Activity
Download
Data
Customer data
One precise policy: personal device downloading customer data, so coach the user and block the upload, without blocking HubSpot for everyone.
Two halves of one platform

Data in motion, and data at rest. Same engine, both sides.

Most vendors do one or the other. Netskope inspects traffic inline as people work, and scans data at rest in your stores, using the same unified DLP classification across both, so a policy you build once protects data wherever it lives or travels.

Inline inspection

As data moves

Every web request, SaaS action, email and AI prompt routes through the NewEdge proxy, where it's decrypted, inspected for content and context, and allowed, coached or blocked in real time.

SWGInline CASBEmail DLPAI guardrails
At-rest inspection

Where data sits

DSPM discovers known and shadow data stores across cloud and on-prem, classifies what's inside, maps who can reach it, and scores exposure, then triggers remediation, no agents on the data.

DSPMAPI CASBSSPM
Jump to AI security →
What the API can reach in your sanctioned apps

Connected by API to OneDrive, SharePoint and Copilot (plus the rest of Microsoft 365, Google, Salesforce, Box and more), Netskope scans data that is already at rest and acts on it directly, with no proxy in the path.

See & search
File details
Name, size, type, sharing, who it is shared with, owners, 3rd-party apps, audit trail and version history.
Search
Locate files by name, owner, content, type, size, violation, date or external user.
Users
Files and violations per user and per external user, 3rd-party apps, location, storage use and anomalies.
Classify & control
Classification
DLP by proximity analysis, MIME and file type, size and custom regular expressions, on files up to 128 MB.
Restrict access
Remove public sharing on exposed files and folders.
Change ownership
Re-assign owners of files and folders to bring them back under control.
Remediate
Remediation
Manage ownership, sharing permissions, file encryption, end-user notification and automated policy.
Encryption
Encrypt a file on move to a quarantine folder, then review and allow or block it.
Quarantine
Hold files that trigger a policy violation for review before release.
Govern
Alerts
Notify users and admins the moment a policy is violated.
Email templates
Custom notifications for owners, admins, collaborators and users.
Legal hold
Preserve relevant information when litigation is anticipated.
Cloud Confidence Index

Not all cloud apps are equal. The CCI tells you which to trust.

Your staff use thousands of cloud apps, most never approved by IT. The Cloud Confidence Index is Netskope's research-backed rating of more than 75,000 apps, each scored against roughly 50 objective criteria modelled on the Cloud Security Alliance framework. Every app lands an enterprise-readiness score from 0 to 100, mapped to one of five confidence levels, and that rating becomes something you can write policy against.

What gets measured

Weights are indicative and illustrate how the model balances categories; Netskope tunes the live scoring continuously. Click a category to see what it checks.

From score to policy action
75 · ENTERPRISE READY
0–49
60–74
75–89
90+
Poor
0–49
Block sensitive uploads
Low
50–59
Coach users off
Medium
60–74
Allow with DLP
High
75–89
Allow
Excellent
90–100
Sanction freely
Five confidence levels

75+ is considered enterprise ready; below 60 is not. Apps not yet rated show as Under research, and PC marks pending changes.

Try a sample app

How it drives policy

Write rules against the rating, not the app name: allow sanctioned, high-confidence apps; coach users off low-confidence ones toward an approved equivalent; block uploads of sensitive data to anything below Medium. One policy covers the apps you have never even heard of.

Policy in practice
Excellent & High
75–100
Allow and monitor. Sanction confidently; keep activity logging on.
Medium
60–74
Allow with guardrails. Enforce DLP; block bulk download and external sharing.
Low & Poor
below 60
Block and coach. Stop sensitive uploads; steer to an approved equivalent.

One rule set, written against the rating, governs every app in the catalogue, including the thousands your team has never named.

Steering & deployment

First decide what reaches Netskope, and how.

"Steering" simply means whether traffic is sent to Netskope. What is steered gets inspected and controlled in real time; what is not can still be discovered or managed by other means. Every option falls into one of two modes.

Inline

Real-time, in the path

Steer cloud apps only, or all web traffic, to Netskope. Traffic is inspected and policy is applied in real time while data is still in motion — the basis for SWG, inline CASB, DLP and threat protection.

Out-of-band

API & log-based

CASB API integration reaches into sanctioned apps to govern data at rest; log-based discovery analyses traffic logs. Used where inline steering can't reach — data already at rest, or apps a SWG can't proxy.

Three ways to steer inline

Reverse proxy

Sits in front of sanctioned apps, routed via your identity provider (SSO). Brings DLP and real-time control to unmanaged and BYOD devices, with no agent installed.

How it works
Licence: Netskope Client

Netskope Client

A lightweight licensed agent for Windows, macOS, iOS and Android, the most comprehensive coverage on managed devices. Deploy by hand or via Intune / MDM; steer all or selected traffic.

How it works

Forward proxy

Sits in front of your users. Steers traffic from a managed endpoint (or the network) outbound to cloud and web, and inspects everything, including non-browser native apps.

How it works
Solution finder

Tell us what you're trying to solve. We'll show you how to buy it.

Pick an outcome and see the Netskope capability that delivers it, how it works, and the exact components and package to ask for in a quote. Think of it as an online solution architect, mapping your problem straight to a buildable answer.

Ready to scope it?

Send us the outcomes you selected and we'll book a consultation to turn them into a Netskope design sized to your environment, seat count and rollout.

Request a consultation
What it solves

Start with the problem, not the product.

Sensitive data is leaving

Stop data loss across web, SaaS, email and endpoint with one DLP engine, the same rules everywhere it moves.

Netskope DLP →

The VPN is the weak point

Replace the broad VPN tunnel with per-app Zero Trust access, so a compromised login can't roam the whole network.

Zero Trust →

Staff are feeding data to AI

See and control what goes into public AI tools, and govern the agents and MCP traffic behind the scenes.

AI security →

Shadow IT is invisible

Discover every cloud app in use and score its risk against an index of 85,000+ apps, then govern by risk, instance and activity.

BYOD & contractors need access

Give unmanaged devices safe, isolated access through the Enterprise Browser, with DLP applied and nothing left behind.

No idea why apps are slow

Digital Experience Management measures the real user-to-app path end to end, so you fix the cause instead of guessing.

The story, problem by problem

Seven problems. One platform.

Each step builds on the last, from seeing your apps, to controlling what people do, to replacing the VPN, to securing AI. Click through the story.

Securing the AI era

Five products in the live AI traffic path.

From shadow chatbots to autonomous agents, Netskope One AI Security gives one platform to see, understand and control your entire AI ecosystem. Each product maps to a real risk, and they share one console and policy engine.

What we do with it

We licence Netskope, and we make it work.

Cornerstone licenses Netskope and designs, builds, tunes and hands it over as a working part of your security, integrated with your identity and data controls, then leaves you in command of it.

Design

Reference architecture

SSE/SASE design mapped to your apps, sites and risk, not a template.

Deploy

Steered & tuned

Traffic steering, SSL inspection and policy rolled out without breaking the business.

Protect

DLP & AI guardrails

Data-loss and AI policy that reflects how your business actually works.

Hand over

You stay in control

Documented, governed and handed to your team. No lock-in.

Data security posture management

DSPM in the same platform that already controls your data.

Netskope One DSPM, powered by SkopeAI, finds and scores your data at rest with the same engine that inspects it in motion across the web, SaaS and AI. Posture and enforcement share one platform, so what you discover you can immediately act on, no second silo to wire up.

Discover & classify

Structured, semi- and unstructured data across SaaS, IaaS, PaaS and on-prem, including shadow data stores, with detection of PII, PHI, financial and regulated data.

A live risk score

Continuous, real-time scoring across data stores, user access and interactions, so exposure is ranked by what matters, not delivered as a flat list of findings.

Access governance

Maps who can actually reach sensitive data and right-sizes permissions toward least privilege, closing the over-sharing that AI tools would otherwise surface.

AI readiness

Stops sensitive or regulated data feeding public LLMs, whether by direct prompt, RAG or fine-tuning, and brings data context to AI risk and governance.

The Cornerstone view

Netskope DSPM fits when your data lives in cloud and SaaS and the driver is web, SaaS or AI data movement, because posture shares one engine with the DLP, CASB and ZTNA you may already run on Netskope. Where deep, dedicated multi-cloud and SaaS discovery is the priority we pair or compare it with Cyera; for runtime cloud workloads, with CrowdStrike. See how it fits in Data Protection and DLP.

See what’s really happening in your cloud and AI traffic.

Netskope SSE

What Netskope does, and where it fits.

SWG, CASB, DLP, ZTNA, AI security, one platform.

What is Netskope?

A Security Service Edge (SSE) platform that inspects user traffic to the internet, SaaS and AI tools, applying policy and data protection inline. It replaces aging web proxies and provides modern Zero Trust Network Access for private apps.

What does Netskope SSE include?

Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Data Loss Prevention (DLP), Zero Trust Network Access (NPA), AI security (Skope AI) and Enterprise Browser. One platform, one agent.

How is Netskope different to Microsoft Defender for Cloud Apps?

Defender for Cloud Apps does CASB across mostly-Microsoft scopes. Netskope sits in the data path for every web, SaaS and AI session with deeper DLP and broader app visibility. They complement; we map which job each does best.

What about VPN replacement?

Netskope NPA (Zero Trust Network Access) replaces broad VPN tunnels with per-application access, evaluated each connection. Better security posture, much better user experience. See our Zero Trust page.

Does Netskope cover BYOD?

Yes. Netskope Enterprise Browser gives full DLP and policy on personal devices without installing anything on the device. See the BYOD page.

How is AI traffic protected?

Skope AI applies DLP and policy to Copilot, ChatGPT, Gemini, Claude and other AI tools. Block or coach risky behaviour, stop sensitive data being pasted into public AI. See AI security.