Next-Gen Security Service Edge (NG-SSE)

The Internet-Access Layer for the AI Economy

As fleet-wide AI agents, CLIs, and autonomous processes bypass legacy cloud proxies, the enterprise perimeter is going dark. DAM moves security to the endpoint — the only place the context still exists.

`dam-sensor --active-egress-log`

The Core Thesis

Capture it at the Source, or it's Gone

Every enterprise already spends millions to secure its internet access. AI just broke it. The perimeter went multi-actor and multi-gateway. The legacy architecture didn't.

- Local Process Initiated: PID 4108 · Parent: Python3 · Executable: `llama-index`. Status: Identified by DAM.
- DAM Endpoint Intercept: Inspects credentials, process hierarchy, and exact data payload pre-encryption. Status: 0ms Latency · No Decryption Needed.
- Local TLS Encrypted: Traffic payload is encrypted locally with pinned certificates. Status: Securely Guided.
- Legacy Cloud Proxy (Zscaler / Netskope): Sits upstream. Sees only raw ciphertext from IP `192.168.1.45`. Status: Context Blind (Bypassed by Design).

Why the Perimeter is Going Dark

Legacy Secure Web Gateways (SWGs) were built for the **Browser Era** — assuming one human clicking links in a browser tab.

We have entered the **AI Era**. Work is now driven by fleets of autonomous agents, CLI tools, SDKs, and native apps hitting the web directly. They generate **~450% more network traffic** than humans.

Upstream cloud proxies are blind to this traffic. They see only an encrypted stream. To avoid breaking applications, security teams write endless "bypass lists," creating massive, unmonitored security gaps.

The DAM solution is simple: move enforcement to the endpoint. By inspecting egress at the source, DAM captures process IDs, authenticating actors, and intent *before* encryption.

Enterprise Protection

What DAM Sees That Nothing Else Does

From unauthorized code leakage to poisoned prompt injections, DAM secures your workforce and your autonomous systems.

Safe, High-Velocity AI Adoption

CISOs are forced to block the very AI tools the business needs because they have zero visibility into what those apps do with sensitive corporate data. DAM provides 100% process-level visibility, turning security from a bottleneck into an enabler.

A typical Tuesday in the Enterprise
"Our engineering team wants to deploy a new AI coding agent to accelerate roadmap delivery, but security has it blocked because the network team can't inspect what the agent is uploading to third-party endpoints."
- 100% process-level visibility into AI scripts
- Allow adoption with zero compliance risk

Stop Unvetted Model Exfiltration

A developer's autonomous coding assistant pulls a private code repository and sends a large block to an unvetted public model API for refactoring. Cloud proxies only see HTTPS traffic to a domain; DAM understands the context, maps the file reads, and blocks the exfiltration.

A typical Tuesday in the Enterprise
"An engineer runs an open-source CLI agent. The agent reads `config.json` containing AWS keys and attempts to POST them to a public helper API. DAM detects the process reading secrets and blocks the outbound socket."
- Pre-encryption payload inspection
- Map internal file reads to network egress

Curbing Prompt Injection & Hijacking

Indirect prompt injection is the #1 threat in the OWASP LLM Top 10. A support copilot reads a poisoned email or web page, hijacking the model to exfiltrate session tokens via background beacons (the zero-click EchoLeak pattern). DAM immediately flags anomalous background process behavior.

A typical Tuesday in the Enterprise
"A corporate assistant agent summarizes an external ticket. The ticket contains a malicious payload instructing the agent to execute a hidden curl command. DAM flags the untrusted execution path instantly."
- Blocks anomalous shell spawning
- Stops model-driven background exfiltration

Zero-Latency, Per-Process Governance

Legacy network tools apply a blunt hammer across an entire IP. If a doctor has an electronic health record (EHR) database open alongside Reddit, legacy systems degrade both or block both. DAM applies rules to the specific process: patient data stays strictly isolated, while Reddit runs completely unhindered.

A typical Tuesday in the Enterprise
"A user runs Slack, Chrome, and a native terminal. Chrome needs exceptions for certain SaaS tools. Zscaler bypasses the whole IP, leaving the terminal blind. DAM secures the terminal and leaves Chrome exceptions untouched."
- No broad network-wide exceptions
- Zero-latency, unthrottled human productivity

The Architectures

The Innovator's Dilemma

Why Zscaler can't copy us: their $20B valuation is built on hosting hundreds of cloud data centers. Moving enforcement to the device makes their entire infrastructure completely redundant.

| Feature | Legacy Cloud Proxy (Zscaler / Netskope) | Next-Gen Device-Native (DAM) |
| --- | --- | --- |
| Enforcement Point | Upstream Cloud Point of Presence (PoP) | On-Device Native Sensor (pre-encryption) |
| AI Agent / CLI Context | Blind. Sees only ciphertext from an external IP address. | Complete. Knows which PID, process name, and actor made the call. |
| Latency & Performance | 50ms+ backhaul latency. Throttles apps and breaks connections. | 0ms. Handled locally on modern CPU headroom. No backhaul. |
| Encryption Bypasses | Required for pinned certs, mutual TLS, and ECH. Huge blind spots. | Zero bypasses required. Context is captured prior to SSL/TLS wrapping. |
| Deployment Timeline | Weeks of complex network routing, PAC files, and firewall configuration. | 60-second fleet-wide deploy via a simple MDM push. |

The Pedigree

Built by Operators Who Solved It at $100B Scale

This isn't a speculative bet. We've lived this bottleneck. Our team has built and deployed device-native network security across the largest infrastructures in the world.

Barak Freiman

CTO & Co-Founder

Barak led the global infrastructure group at PayPal that built and deployed PayPal's internal Zscaler replacement for their entire $100B footprint. They retired the legacy proxy because it was too slow and too blind for modern web egress.

Itai Leshem

CEO & Co-Founder

Itai led core infrastructure engineering inside IDF Unit 8200 and later directed enterprise networking at Axonius, managing deployments protecting seven-figure asset fleets for Disney, Rakuten, and Costco.

"In 2019, we realized that cloud proxies were starting to choke PayPal's core developer and data workflows. Every microservice and CLI needed exceptions. We didn't just 'think' about device-native enforcement; we built it, retired our legacy proxies, and proved it at massive scale. DAM is that battle-tested PayPal playbook, productized for the modern enterprise."

Barak Freiman

CTO, DAM (Former Principal Architect, PayPal)

- **7,851% Agentic Growth:** YoY growth in autonomous AI agent web traffic in 2025.
- **450% More Egress:** Traffic volume generated by a single agent compared to a human.
- **87.2% Encrypted Attacks:** Threats that leverage TLS channels to bypass cloud inspection.
- **60s Deploy Time:** To gain complete process-level visibility across your fleet via MDM.

Take Control of the Egress Layer

Stop guessing what your autonomous fleet is doing on the web. Gain complete, zero-latency visibility in minutes, not months. Schedule a 3-week PoV today.