March 9, 2026

What is a Secure Web Gateway (SWG)?

A Secure Web Gateway (SWG) is a security solution that inspects and filters outbound web traffic to enforce acceptable-use policy, block malicious content, and prevent data from being transmitted to unauthorized destinations.

Main takeaways

  • SWGs were designed to govern web browsing on managed networks and devices. They have no visibility into traffic that doesn't pass through the proxy.
  • The shift to remote work, personal devices, and direct SaaS access has significantly reduced the share of enterprise web traffic that flows through corporate SWG infrastructure.
  • SWGs can block access to known malicious sites and some unsanctioned SaaS categories—but they cannot discover which specific applications employees use, or what OAuth grants those applications have accumulated.
  • Like CASB, SWGs operate on a known-threats model: policy applies to what the security team has configured, not to what's unknown or unmanaged.
  • In a modern SaaS environment, SWG provides one layer of web security for managed, on-network access—leaving unmanaged devices, personal accounts, and SaaS-to-SaaS integrations outside its scope.

What is a Secure Web Gateway?

Secure web gateways emerged when the web was the primary threat vector and enterprise browsing happened predominantly on managed devices, on corporate networks, routed through predictable infrastructure. The gateway sat inline—every request passed through it, policy was applied at the point of transit, and the IT team had a complete picture of what employees were accessing. That model worked well when the corporate network was effectively the boundary of work.

The model works less well when employees are working from home on personal devices, accessing SaaS services directly over broadband, and using applications that connect to each other via API rather than through a browser at all. The inline inspection model requires a consistent, observable traffic path—and that path is increasingly absent from how work actually happens.

How SWGs work

SWGs operate as a proxy layer between users and the internet:

  • URL and category filtering—Blocking access to known malicious domains, inappropriate content categories, and potentially risky SaaS categories based on policy.
  • SSL/TLS inspection—Decrypting and inspecting encrypted traffic to apply content policies. Requires certificate deployment on managed endpoints.
  • Data Loss Prevention (DLP)—Inspecting outbound content for sensitive data patterns and blocking or flagging transmissions that violate policy.
  • Malware detection—Scanning downloaded content for known malware signatures and behavioral indicators.
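
The URL/category filtering and DLP steps above, written as one proxy decision function. This is an added example, not code from any SWG product; the `.example` hostnames, the category table, and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed policy data (assumption): a real SWG loads categories from a feed.
CATEGORIES = {
    "malware.example": "malicious",
    "filedrop.example": "file-sharing",
    "crm.example": "business",
}
BLOCKED_CATEGORIES = {"malicious", "file-sharing"}

# DLP: candidate payment card numbers, confirmed with the Luhn checksum.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def category_for(host: str) -> str:
    """Match the host or a parent domain; anything else is uncategorized."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def evaluate(method: str, url: str, body: str = "") -> tuple:
    """Return (verdict, reason) for one request that reached the proxy.

    `body` is plaintext, i.e. what the gateway sees after TLS inspection.
    """
    category = category_for(urlsplit(url).hostname or "")
    if category in BLOCKED_CATEGORIES:
        return ("block", f"category:{category}")
    if method.upper() in {"POST", "PUT", "PATCH"}:
        for match in CARD_RE.finditer(body):
            if luhn_ok(re.sub(r"\D", "", match.group())):
                return ("block", "dlp:card-number")
    # Known-threats model: a host nobody categorized passes by default.
    return ("allow", f"category:{category}")
```

A request to a host missing from the category table, such as a newly adopted SaaS app, returns `allow` with `category:uncategorized`, which is the known-threats behavior described in the takeaways.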

Where SWGs fall short in modern environments

Three structural limitations define SWG coverage in a distributed SaaS environment:

Unmanaged devices—SWG coverage requires the proxy to be in the traffic path. Personal devices, contractor systems, and mobile devices that don't have SWG certificates installed send no traffic through the gateway.

Personal accounts and shadow SaaS—Employees accessing SaaS through personal email addresses or direct signups may be doing so through browsers or devices that bypass corporate SWG entirely.

SaaS-to-SaaS integrations—OAuth-connected applications communicate directly with each other via API. No browser, no user traffic, no SWG touchpoint—these connections are structurally invisible to SWG.