CASB Deployment Guide 2026: Forward Proxy vs API Mode, Policy Configuration, and Netskope vs Microsoft Defender for Cloud Apps

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Cloud Access Security Brokers (CASBs) sit between users and cloud services to enforce data protection, access control, and threat protection policies. The deployment architecture question -- forward proxy, reverse proxy, or API mode -- determines what the CASB can and cannot see, control, and enforce. Most organizations deploy all three modes for different use cases, not one mode across the board. This guide covers what each mode does, when to use it, how to configure the most important policy use cases, and how to choose between the two platforms most commonly evaluated in M365-adjacent enterprises: Netskope and Microsoft Defender for Cloud Apps.
CASB Architecture Modes: What Each Intercepts and Enforces
CASB platforms operate in three distinct modes, each with different deployment requirements, traffic visibility, and enforcement capabilities. Understanding the boundaries of each mode prevents the most common CASB deployment failure: expecting real-time DLP enforcement in API mode or retroactive scanning capability from a forward proxy deployment.
Forward proxy mode routes all user traffic through the CASB cloud infrastructure before it reaches cloud services. The CASB becomes the security inspection point for every HTTP and HTTPS request -- decrypting TLS, inspecting content, applying DLP rules, and enforcing access policy in real time. Forward proxy requires either deploying a PAC file to endpoint browsers or routing traffic through an organization-managed gateway. This mode provides the deepest visibility and most real-time enforcement but introduces latency and requires endpoint configuration.
Reverse proxy mode positions the CASB between specific cloud applications and users, without routing all traffic or requiring endpoint configuration. Users authenticate to the cloud application through the CASB's identity proxy, and the CASB enforces session-level controls (blocking downloads, preventing clipboard paste, applying watermarks) for that application session. Reverse proxy is the appropriate deployment for managed users on unmanaged devices (BYOD) or for contractors who cannot have a PAC file deployed to their endpoints.
API mode connects directly to cloud application APIs (Microsoft 365 Graph API, Google Workspace Admin SDK, Salesforce REST API) to scan existing content in cloud storage, identify data that violates DLP policy, assess application configuration against security benchmarks, and discover OAuth app permissions. API mode does not intercept in-flight traffic -- it scans what is already stored and can take remediation actions (quarantine, label, notify) on discovered violations.
Forward Proxy vs. Reverse Proxy vs. API Mode: Decision Matrix
Each deployment mode addresses a distinct security requirement. The question is not which mode to use -- it is which modes to deploy and for which populations.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Netskope: Architecture and Deployment
Netskope was built around CASB before expanding to SWG and ZTNA, and its architecture reflects that heritage. The NewEdge network -- Netskope's 75-plus PoP global cloud infrastructure -- provides the forward proxy inspection plane, with PoPs co-located near major cloud provider infrastructure to minimize round-trip latency for SaaS application traffic.
The Netskope Client is the lightweight endpoint agent that steers traffic to Netskope's cloud for forward proxy inspection. The client supports Windows, macOS, iOS, and Android and integrates with existing MDM solutions for deployment. For environments that cannot deploy the agent universally, Netskope supports PAC file-based traffic steering and gateway-based interception.
Netskope's inline DLP is the platform's most differentiated capability: the policy engine supports regular expression patterns, data identifiers (PII, PCI, PHI), machine learning-based content classification, and document fingerprinting (detecting specific documents by content rather than filename). Policies can be applied at the application level (block upload to Dropbox specifically), the category level (block uploads to all personal storage), or at the data content level (block any upload containing credit card numbers regardless of destination).
The Cloud Confidence Index is Netskope's proprietary risk scoring database for cloud applications, covering 50,000-plus applications with scores based on security controls, compliance certifications, data handling practices, and incident history. Risk-based access policies (block access to applications with confidence scores below a threshold) require this database as the policy engine.
Microsoft Defender for Cloud Apps: Architecture and Deployment
Microsoft Defender for Cloud Apps (formerly MCAS -- Microsoft Cloud App Security) is the CASB component of the Microsoft Defender suite, tightly integrated with Entra ID, Microsoft Sentinel, and Microsoft Purview DLP. For organizations on Microsoft 365 E5 or Microsoft 365 E5 Security, Defender for Cloud Apps is included at no incremental licensing cost.
The integration with Conditional Access is Defender for Cloud Apps' primary architectural advantage over Netskope for M365-centric organizations. Entra ID Conditional Access policies can route sessions for specific users, applications, or device states through the Defender for Cloud Apps reverse proxy -- applying session controls (block download, block print, step-up authentication) without requiring any additional client-side configuration beyond the Entra ID Conditional Access policy. For organizations already managing Conditional Access policy, adding CASB session controls requires only a configuration change in the existing policy, not a new client deployment.
The Microsoft Purview DLP integration extends the DLP label taxonomy (sensitivity labels created in Purview) into CASB DLP policies: a file labeled "Highly Confidential" in SharePoint can be blocked from upload to non-Microsoft storage applications using the same label-based policy, creating a consistent data protection framework across endpoint, cloud, and inline CASB controls.
Shadow IT discovery in Defender for Cloud Apps ingests log data from firewalls, SWGs, and proxies (Palo Alto, Check Point, Cisco, Zscaler, and others) and scores discovered applications against the 31,000-plus application risk database. The Cloud Discovery dashboard provides executive-level visibility into unsanctioned cloud application usage with risk-based categorization.
Head-to-Head: Netskope vs. Microsoft Defender for Cloud Apps
The evaluation between these two platforms reduces to a stack compatibility question: how deeply invested is the organization in the Microsoft security ecosystem? Here is how they separate across six dimensions.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Shadow IT Remediation Workflow
Shadow IT discovery is the starting point; remediation requires a structured workflow that converts application risk data into actionable access policy. Here is the standard remediation sequence.
Discovery: ingest firewall and proxy logs into CASB shadow IT module
Configure your firewall (Palo Alto, Check Point, Cisco), SWG (Zscaler, Netskope), or proxy to forward traffic logs to the CASB's Cloud Discovery module. Allow 30 days of log data to accumulate before drawing conclusions -- weekly access patterns for rarely-used applications are only visible with sufficient history.
Categorize discovered applications by risk tier
Use the CASB risk scoring database to segment discovered applications into three tiers: sanctioned (approved for use, integrated with SSO and DLP), tolerated (in-evaluation or low-risk personal use apps, monitored but not blocked), and blocked (high-risk, data exfiltration risk, or policy violations). This categorization becomes the foundation for access control policy.
Block high-risk applications and redirect users
For applications categorized as blocked, configure the forward proxy (or DNS-based blocking if forward proxy is not yet deployed) to display a custom block page that explains why access is restricted and provides a sanctioned alternative. Applications in the consumer storage, file sharing, and anonymous proxy categories are typical block targets for data protection programs.
Integrate tolerated applications into monitoring policy
For tolerated applications, configure upload DLP inspection rather than blanket blocking. This approach allows access while detecting and preventing sensitive data exfiltration. Applications that show DLP violations in the monitoring period move to the blocked tier.
Establish ongoing discovery review cadence
Shadow IT evolves monthly as users adopt new SaaS tools. Schedule a monthly Cloud Discovery review to identify newly appearing applications that exceed volume or risk thresholds, evaluate them against the risk tier criteria, and update policy accordingly. Assign this review to a specific team member rather than leaving it as a shared responsibility.
Common CASB Deployment Mistakes
These are the configuration and planning errors that result in either security gaps or excessive user friction in production CASB deployments.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
The bottom line
CASB deployment success depends on understanding that forward proxy, reverse proxy, and API mode are complementary modes, not alternatives. A complete CASB architecture uses all three for different populations and use cases. On platform selection: Microsoft Defender for Cloud Apps wins for M365 E5 organizations where it is included, where Conditional Access integration simplifies reverse proxy deployment, and where Purview DLP label alignment is a priority. Netskope wins for organizations with mature DLP requirements that need deeper content inspection policies, broader third-party SaaS API coverage, and a standalone SSE platform that does not require Microsoft ecosystem commitment. Deploy all DLP policies in audit mode first -- the organization's first view of what data is actually moving is rarely what anyone expects.
Sources & references
- Gartner Magic Quadrant for Security Service Edge 2025
- Microsoft Defender for Cloud Apps documentation
- Netskope Cloud and Threat Report 2025
- Gartner Critical Capabilities for SSE 2025
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
