A Secure Web Gateway (SWG) filters web traffic using URL categories, signatures, and policy rules, blocking known-bad destinations before the connection completes. Remote Browser Isolation (RBI) allows the connection but executes web content inside an isolated cloud container, delivering only a safe rendering to the endpoint. The two are complementary: SWGs reduce noise and enforce policy at scale; RBI handles the residual risk that signatures and categories miss — zero-days, encrypted threats, phishing pages on newly-registered or compromised domains.
What a Secure Web Gateway Does — and Where It Struggles
An SWG sits inline between users and the internet, inspecting outbound HTTP/HTTPS traffic. The core functions are URL filtering by category, SSL inspection, application control, anti-malware scanning, and data loss prevention for outbound content. Most enterprise-grade SWGs add cloud access security broker (CASB) capabilities and integration with endpoint detection platforms.
SWGs are mature, well-understood, and genuinely effective against the bulk of commodity web threats. The problem is their fundamental architecture: they make allow-or-block decisions based on what is known at inspection time. Several categories of threat consistently slip through:
- Zero-day and evasive malware delivered via HTTPS. By the time a signature exists, the payload has already landed on endpoints.
- Credential harvesting on uncategorised or freshly-registered domains. A phishing page spun up two hours ago is unlikely to appear in any category database yet.
- Legitimate compromised sites. A category filter classifies a site as “business software” correctly — it is — but the site was silently injected with a drive-by exploit this morning.
- Encrypted file types. Password-protected ZIP and Office files with macros are routinely used to bypass inline scanning because the SWG cannot inspect the payload without the password.
- Browser-delivered exploits. JavaScript-based exploits targeting browser engines do not necessarily look malicious until they execute. A signature may not exist yet.
None of this means SWGs are obsolete. They are still the right first control. But relying on an SWG alone and assuming it covers web-borne risk thoroughly is a miscalibrated assumption, especially for customers with elevated threat profiles.
What Remote Browser Isolation Does
RBI flips the security model from “detect and block” to “execute and isolate.” When a user navigates to a website, the request goes to a cloud-based isolation engine. That engine fetches and renders the page in a containerised browser, then streams a safe representation — a pixel rendering or reconstructed DOM — to the user’s local browser. No web code executes locally. It does not matter whether the page contains a zero-day exploit, an advanced phishing kit, or a drive-by download; none of it reaches the endpoint.
RBI also enables safer access to risky-but-necessary destinations: file-sharing services, webmail, partner extranets — things organisations need but would never fully trust. The traditional objections (latency, rendering fidelity, cost) have diminished substantially as cloud-native platforms have matured.
Content Disarm and Reconstruction: The File Download Problem
A critical gap in basic RBI is file downloads. If a user downloads a Word document or a PDF from an isolated browser session, that file still ends up on their endpoint. An isolated rendering does nothing to neutralise a malicious macro inside a downloaded document.
Content Disarm and Reconstruction (CDR) addresses this. CDR processes the file before it reaches the endpoint: it parses every structural element, strips anything that is not clean document content (macros, embedded objects, active links, potentially exploitable metadata), and reconstructs a clean version of the file. The user receives a functional document; the active threat never arrives.
CDR is not a new idea, but its integration directly into the browser isolation pipeline is a meaningful architectural advance. Menlo Security, for example, combines browser isolation with CDR so that both rendering risk and download risk are handled within a single platform without requiring a separate CDR appliance or a second vendor integration.
Where Each Technology Fits in the Stack
The question is not really “SWG or RBI” — it is “how do these work together?” Here is a practical framing:
SWG handles:
- Policy enforcement (acceptable use, category blocking, application control)
- High-volume threat filtering at the perimeter (commodity malware, known-bad URLs)
- DLP on outbound web traffic
- CASB integration for sanctioned SaaS
RBI handles:
- Residual web risk after SWG filtering (zero-days, evasive content, unknown sites)
- High-risk browsing categories (web-based email, uncategorised destinations, file sharing)
- Secure access to untrusted but necessary sites
- AI agent and automated browsing risk (increasingly relevant — more on this below)
CDR handles:
- File downloads from any source, whether isolated or not
- Active content in documents traversing email and web simultaneously
Many organisations deploy an SWG with RBI applied selectively to high-risk categories, rather than to all traffic. This is a reasonable architecture: isolation for everything adds cost and some latency overhead; isolation for risky categories or specific user groups targets the exposure where it matters most.
The AI Agent Browsing Risk Problem
A newer threat worth flagging: LLM agents that browse the web autonomously introduce prompt injection via web content. A malicious actor plants instructions in a web page; the agent reads them as legitimate and acts on them, potentially exfiltrating data. Browser isolation is one of the few existing controls that constrains this — an isolated session that strips active content limits the damage radius. Vendor implementations vary, but this belongs in evaluation criteria for any customer deploying AI-based tooling.
Practical Selection Guidance for the Channel
When helping a customer evaluate web security options, a few questions cut through the noise quickly:
- What is their current web filtering architecture? If they have no SWG, start there — it is still the foundational control. If they have a mature SWG deployment and are seeing browser-delivered threats or phishing landing successfully, RBI is the logical next layer.
- What are the high-risk browsing use cases? Finance teams accessing web-based portals, HR teams opening email attachments from external parties, and executive assistants browsing external communications all have elevated exposure.
- Do they have a file download problem? If endpoint detection is catching malicious documents that came via download rather than email, CDR is the gap to close.
- What is the performance tolerance? Modern cloud-native isolation has improved substantially, but latency-sensitive applications (real-time collaboration, video conferencing from a browser) may need selective bypass policies.
- Is the SWG vendor also the RBI vendor, or are these separate? Consolidated platforms simplify policy management; best-of-breed combinations may provide stronger controls in specific areas but add integration complexity.
For Lionet Networks channel partners working on web security deals, the architecture conversation usually starts with understanding the gap between what the existing SWG covers and what is actually reaching endpoints. That gap — not a feature checklist comparison — is what makes the case for isolation.
What to Evaluate in a Browser Isolation Platform
Any meaningful evaluation of an RBI platform should test the following:
- Isolation fidelity. Does the isolation genuinely prevent code execution, or are there bypass paths for certain content types?
- Rendering quality. Do web applications that users depend on work acceptably inside the isolated session?
- CDR capability. What file types are covered? What is the fidelity of the reconstructed document?
- Policy granularity. Can isolation be applied selectively by user group, URL category, or risk score?
- Logging and visibility. Does the platform produce actionable telemetry for the SOC, or just connection logs?
- Integration. How does it integrate with the existing SWG, SIEM, and identity provider?
Running a structured PoC against real browsing scenarios — including file downloads, web-based email, and uncategorised sites — will surface the answers faster than any vendor data sheet.