SWG
What is SWG?
SWGA Secure Web Gateway (SWG) is a proxy — on-prem or cloud — that inspects user web traffic, enforces acceptable-use policy, and blocks malware, phishing, and data exfiltration.
A Secure Web Gateway sits in line with user-to-internet traffic, terminates TLS, and inspects HTTP and HTTPS requests against URL categorization, content filtering, malware scanning, and DLP policies. Modern cloud SWGs are delivered as part of SSE/SASE platforms and combine reputation feeds, advanced threat protection (sandboxing, isolation), and identity-aware policy. They replace legacy on-prem proxies for remote and hybrid workforces and provide visibility into shadow IT, suspicious downloads, and unauthorized SaaS use. SWGs are typically paired with CASB for SaaS-specific controls and ZTNA for private app access, sharing one policy plane.
● Examples
- 01
A cloud SWG blocks a user clicking a phishing URL and rewrites unsafe downloads through a sandbox.
- 02
Enforcing a no-personal-cloud-storage policy by category-blocking upload to consumer storage sites.
● Frequently asked questions
What is SWG?
A Secure Web Gateway (SWG) is a proxy — on-prem or cloud — that inspects user web traffic, enforces acceptable-use policy, and blocks malware, phishing, and data exfiltration. It belongs to the Network Security category of cybersecurity.
What does SWG mean?
A Secure Web Gateway (SWG) is a proxy — on-prem or cloud — that inspects user web traffic, enforces acceptable-use policy, and blocks malware, phishing, and data exfiltration.
How does SWG work?
A Secure Web Gateway sits in line with user-to-internet traffic, terminates TLS, and inspects HTTP and HTTPS requests against URL categorization, content filtering, malware scanning, and DLP policies. Modern cloud SWGs are delivered as part of SSE/SASE platforms and combine reputation feeds, advanced threat protection (sandboxing, isolation), and identity-aware policy. They replace legacy on-prem proxies for remote and hybrid workforces and provide visibility into shadow IT, suspicious downloads, and unauthorized SaaS use. SWGs are typically paired with CASB for SaaS-specific controls and ZTNA for private app access, sharing one policy plane.
How do you defend against SWG?
Defences for SWG typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for SWG?
Common alternative names include: Secure Web Gateway, Web proxy.
● Related terms
- network-security№ 1086
SSE
SSE is the security half of SASE — a cloud-delivered bundle of SWG, CASB, ZTNA, and often DLP and FWaaS that protects user traffic to internet, SaaS, and private apps.
- network-security№ 969
SASE
SASE is a cloud-delivered architecture, coined by Gartner in 2019, that converges SD-WAN with security services like SWG, CASB, ZTNA, and FWaaS at the network edge.
- cloud-security№ 148
CASB (Cloud Access Security Broker)
A policy enforcement point that sits between users and cloud/SaaS applications to enforce visibility, data protection, and threat controls.
- network-security№ 1272
ZTNA
ZTNA is a model that grants users access to specific private applications only after continuous identity, device, and context checks — never network-level access by default.
- privacy№ 278
Data Loss Prevention (DLP)
A set of technologies and policies that detect and block unauthorized exfiltration of sensitive data across endpoints, networks, email, and cloud services.